Я использую IPTABLES со следующим конфигом
========= RC.FIREWALL =============
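#!/bin/sh
#
# Automatically generated by drakgw
#[ -x /etc/rc.d/rc.firewall.inet_sharing ] && /etc/rc.d/rc.firewall.inet_sharing
#
# This is my part (trying)
#
# Small router firewall for a 2.4-series iptables kernel. $WAN_IF faces the
# Internet; every other interface (LAN, loopback) is treated as trusted.
# LAN traffic is masqueraded behind $WAN_IF; traffic coming in from $WAN_IF
# is limited to replies/related packets plus telnet and ssh.
# Must run as root. Safe to re-run: the "block" chain is torn down and
# rebuilt each time instead of appending a second copy of every rule
# (the original script had no flush, so every run added duplicates).
IPT=/sbin/iptables
WAN_IF=eth1

# Load NAT and the FTP connection-tracking helpers. modprobe resolves
# dependencies, so iptable_nat pulls in ip_tables itself; the bare
# "insmod ip_tables" the script used to start with is not needed.
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp

# Rebuild the "block" chain from scratch: drop the references from INPUT and
# FORWARD, empty it, delete it, create it again. The errors silenced here are
# the expected ones on a first run, when the chain does not exist yet.
$IPT -D INPUT -j block 2>/dev/null
$IPT -D FORWARD -j block 2>/dev/null
$IPT -F block 2>/dev/null
$IPT -X block 2>/dev/null
$IPT -N block

# Replies and related packets (e.g. FTP data connections) are always fine.
$IPT -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections are accepted from every interface except the Internet one.
# The intrapositioned "-i ! eth1" form is what the iptables release used here
# understands; newer releases spell it "! -i eth1".
$IPT -A block -m state --state NEW -i ! $WAN_IF -j ACCEPT
# From here on the chain sees (almost only) traffic that arrived on $WAN_IF,
# so the ports below are open to the whole Internet -- and because "block" is
# also hooked into FORWARD, they are open for forwarding towards LAN hosts too.
# Telnet (23) is cleartext; prefer dropping this rule or adding a "-s" match.
$IPT -A block -p tcp --dport 23 -j ACCEPT
# ssh. The original line read "-A blick": a typo that made iptables reject the
# rule with "No chain/target/match by that name", so ssh was never opened.
$IPT -A block -p tcp --dport 22 -j ACCEPT
# ssh is TCP only; nothing listens on udp/22. Kept as in the original.
$IPT -A block -p udp --dport 22 -j ACCEPT
# Everything else is dropped.
$IPT -A block -j DROP

# Masquerade everything leaving through the Internet interface.
$IPT -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE

# Hook the chain into the input and forward paths.
$IPT -A INPUT -j block
$IPT -A FORWARD -j block

# Enable forwarding only now that the FORWARD chain is filtered. Doing it
# first (as the script used to) leaves a window at boot where, with the
# default ACCEPT policy, the box forwards everything while rules are loading.
echo 1 > /proc/sys/net/ipv4/ip_forward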
=========== rc.firewall.inet_sharing ============
#!/bin/sh
# Dispatch to the firewall script matching the running kernel series:
# 2.2 (ipchains era) or 2.4 (iptables era). Any other series runs nothing.
release=$(uname -r)
KERNELMAJ=${release%%.*}        # everything before the first '.'
rest=${release#*.}              # strip "MAJ."
KERNELMIN=${rest%%.*}           # everything before the next '.'
case "$KERNELMAJ.$KERNELMIN" in
  2.2) [ -x /etc/rc.d/rc.firewall.inet_sharing-2.2 ] && /etc/rc.d/rc.firewall.inet_sharing-2.2 ;;
  2.4) [ -x /etc/rc.d/rc.firewall.inet_sharing-2.4 ] && /etc/rc.d/rc.firewall.inet_sharing-2.4 ;;
esac
=========== rc.firewall.inet_sharing-2.4 ============
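#!/bin/sh
# Internet-connection-sharing rules for a 2.4 (iptables) kernel, as produced
# by drakgw: masquerades the LAN network and lets LAN clients reach the DHCP
# and DNS services on this host. Must run as root.
IPT=/sbin/iptables
# The LAN network that is forwarded and masqueraded; override via the
# environment if the LAN uses a different range.
LAN_NET=${LAN_NET:-192.168.0.0/24}

# Load the NAT module (this pulls in all the others).
modprobe iptable_nat

# Source-NAT everything leaving from the LAN network. There is no "-o" match,
# so this applies on every outgoing interface; "-o <wan-if>" would be tighter,
# but the Internet interface is not named anywhere in this script.
$IPT -t nat -A POSTROUTING -s "$LAN_NET" -j MASQUERADE

# Forward traffic that claims to come from the LAN.
# NOTE(review): this matches on source address only -- a packet arriving from
# the Internet side with a forged 192.168.0.x source is forwarded just the
# same. Add "-i <lan-if>" once it is clear which interface is the LAN
# (rc.firewall treats eth1 as the Internet side, yet the DHCP rules below
# accept client requests on eth1 -- confirm).
$IPT -A FORWARD -s "$LAN_NET" -j ACCEPT
# Replies and related traffic (e.g. FTP data) in either direction.
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# DHCP requests from clients on eth1 to the DHCP server on this host.
# DHCP is UDP only; the tcp rule matches nothing in practice, kept as generated.
$IPT -A INPUT -i eth1 -p udp --sport bootpc --dport bootps -j ACCEPT
$IPT -A INPUT -i eth1 -p tcp --sport bootpc --dport bootps -j ACCEPT
#$IPT -A INPUT -i eth0 -p udp --sport bootps --dport bootpc -j ACCEPT
#$IPT -A INPUT -i eth0 -p tcp --sport bootps --dport bootpc -j ACCEPT
# DNS queries from clients on eth0 to the resolver on this host.
$IPT -A INPUT -i eth0 -p udp --dport domain -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport domain -j ACCEPT

# Turn on IP forwarding last, once the FORWARD rules are in place, rather
# than before any rule exists as the generated script did.
echo 1 > /proc/sys/net/ipv4/ip_forward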