[ protech_v2 @ 29.11.2005. 23:07 ] @
Imam linux RH9 koji je preko iptables i quicktables skripte podesen da bude firewall za LAN mrezu. eth0 mu je interfejs za LAN, a ppp0 za spolja, IP adresu dobija dinamicki (wireless). Ja bih samo hteo da otvorim 2 tcp/udp porta za azureus i emule. pokusavao sam po nekoliko tutoriala sa neta i po sticky temi na ovom forumu, ali ne ide, pa molim da mi kazete sta propustam: ovo je sadrzaj /etc/sysconfig/iptables: Code:
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
#
# Review notes on this ruleset:
# - All three built-in chains have policy ACCEPT; filtering happens only in
#   RH-Lokkit-0-50-INPUT, which both INPUT and FORWARD jump to.
# - Anything that matches no rule in that chain returns to the built-in chain
#   and is accepted by the policy. With this ruleset alone, ports above 1023
#   other than 2049, 6000:6009 and 7100 are therefore not blocked.
# - No rule here names ppp0.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
# New TCP connections (--syn) accepted on 6881, 22, 25 and 80, on any interface.
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6881 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
# UDP between ports 67:68 (the DHCP ports) accepted on eth0 and eth1.
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT
# Everything arriving on lo, eth1 and eth0 is accepted without further checks.
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
# What is left (traffic from other interfaces) is rejected only for these ports.
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
COMMIT
a ovo je quicktables config iz /usr/local/sbin/rc.firewall : Code:
#!/bin/sh
#
# generated by ./quicktables-2.3 on 2005.11.30.54
#
# Review summary: this script sets three /proc networking switches, loads the
# IRC/FTP conntrack and NAT helper modules when their .o files exist, flushes
# INPUT, OUTPUT, FORWARD and the nat table, sets INPUT and FORWARD to policy
# DROP, masquerades 192.168.0.0/24 out of ppp0, accepts a list of ports on
# INPUT and forwards tcp/udp 52525 to 192.168.0.30.
# Rule order matters throughout: -A appends to a chain, -I inserts at its head.
# set a few variables
echo ""
echo " setting global variables"
echo ""
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
iptables="/sbin/iptables"
# adjust /proc
echo " applying general security settings to /proc filesystem"
echo ""
# Each switch is written only if the /proc entry exists: SYN cookies on,
# reverse-path filtering on (conf/all), and IP forwarding on. Forwarding is
# what lets the box route between eth0 and ppp0 for the NAT rules below.
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi
# load some modules
# modprobe is skipped when the .o file is absent from the running kernel's tree.
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_irc.o ]; then modprobe ip_nat_irc; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_irc.o ]; then modprobe ip_conntrack_irc; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o ]; then modprobe ip_conntrack_ftp; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_ftp.o ]; then modprobe ip_nat_ftp; fi
# flush any existing chains and set default policies
# -F INPUT also removes the jump to RH-Lokkit-0-50-INPUT if the ruleset from
# /etc/sysconfig/iptables was loaded before this script; the custom chain
# itself is neither flushed nor deleted here.
# NOTE(review): which of the two rulesets is loaded last is not shown. If the
# iptables service restores /etc/sysconfig/iptables after this script runs,
# the rules below may be replaced - confirm the boot order.
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT
# setup nat
echo " applying nat rules"
echo ""
# LAN traffic (eth0) is accepted into the firewall and for forwarding, replies
# come back through the ESTABLISHED,RELATED rule, and 192.168.0.0/24 is
# source-NATed to whatever address ppp0 holds (MASQUERADE).
$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP
$iptables -A FORWARD -i eth0 -j ACCEPT
$iptables -A INPUT -i eth0 -j ACCEPT
$iptables -A OUTPUT -o eth0 -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
# allow all packets on the loopback interface
# NOTE(review): the lokkit listing from /etc/sysconfig/iptables appears a second
# time from here to COMMIT, in the middle of the script. This looks like a paste
# accident in the post. If these lines really are in rc.firewall, the shell
# would try to run them as commands - confirm against the file on disk.
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6881 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
COMMIT
# (end of the repeated lokkit listing; the quicktables script continues)
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
# allow established and related packets back in
$iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# blocking reserved private networks incoming from the internet
echo " applying incoming internet blocking of reserved private networks"
echo ""
# These use -I, so they land at the head of INPUT/FORWARD and are evaluated
# before every -A rule in this script, including the ESTABLISHED,RELATED accepts.
# NOTE(review): ppp0 is described as a wireless link with a dynamic address. If
# the provider uses private address space on that link, these rules would also
# drop that traffic - confirm what address range ppp0 actually sees.
$iptables -I INPUT -i ppp0 -s 10.0.0.0/8 -j DROP
$iptables -I INPUT -i ppp0 -s 172.16.0.0/12 -j DROP
$iptables -I INPUT -i ppp0 -s 192.168.0.0/16 -j DROP
$iptables -I INPUT -i ppp0 -s 127.0.0.0/8 -j DROP
$iptables -I FORWARD -i ppp0 -s 10.0.0.0/8 -j DROP
$iptables -I FORWARD -i ppp0 -s 172.16.0.0/12 -j DROP
$iptables -I FORWARD -i ppp0 -s 192.168.0.0/16 -j DROP
$iptables -I FORWARD -i ppp0 -s 127.0.0.0/8 -j DROP
# icmp
echo " applying icmp rules"
echo ""
# Outbound ICMP is allowed for new flows, inbound ICMP only as a reply or
# related message, plus echo-request on ppp0 limited to 1 per second.
$iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
$iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i ppp0 -j ACCEPT
# apply icmp type match blocking
echo " applying icmp type match blocking"
echo ""
# Inserted at the head of INPUT with no -i, so these ICMP types are dropped on
# every interface before any accept rule is reached.
$iptables -I INPUT -p icmp --icmp-type redirect -j DROP
$iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
$iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-reply -j DROP
# open ports to the firewall
echo " applying the open port(s) to the firewall rules"
echo ""
# INPUT only sees packets addressed to the firewall host itself. No -i is given,
# so each port is accepted on every interface, including ppp0.
# Of these ports only 52525 has PREROUTING DNAT and FORWARD rules further down;
# 6881, 4881 and 8080 are accepted here but are not passed on to any LAN host.
# NOTE(review): if azureus/emule run on a LAN machine rather than on this box,
# their ports need DNAT + FORWARD rules like the 52525 ones - confirm where the
# clients run. Keep this list to ports whose listener is meant to be reachable
# from the internet.
$iptables -A INPUT -p tcp --dport 6881 -j ACCEPT
$iptables -A INPUT -p tcp --dport 4881 -j ACCEPT
$iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
$iptables -A INPUT -p tcp --dport 52525 -j ACCEPT
$iptables -A INPUT -p udp --dport 6881 -j ACCEPT
$iptables -A INPUT -p udp --dport 4881 -j ACCEPT
$iptables -A INPUT -p udp --dport 8080 -j ACCEPT
$iptables -A INPUT -p udp --dport 52525 -j ACCEPT
# open and forward ports to the internal machine(s)
echo " applying port forwarding rules"
echo ""
# tcp/udp 52525 arriving on ppp0 is rewritten to 192.168.0.30:52525 and allowed
# through FORWARD (policy DROP otherwise). This exposes that port of the LAN
# host to the internet.
$iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 52525 -j DNAT --to 192.168.0.30:52525
$iptables -A FORWARD -i ppp0 -p tcp -d 192.168.0.30 --dport 52525 -j ACCEPT
$iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 52525 -j DNAT --to 192.168.0.30:52525
$iptables -A FORWARD -i ppp0 -p udp -d 192.168.0.30 --dport 52525 -j ACCEPT
# drop all other packets
echo " applying default drop policies"
echo ""
# Appended last, so they only catch tcp/udp on ppp0 that no earlier rule
# accepted; the INPUT policy set above is already DROP.
$iptables -A INPUT -i ppp0 -p tcp --dport 0:65535 -j DROP
$iptables -A INPUT -i ppp0 -p udp --dport 0:65535 -j DROP
echo "### quicktables is loaded ###"
echo ""
Sta ne valja? Hvala puno! [Ovu poruku je menjao protech_v2 dana 30.11.2005. u 00:08 GMT+1] |