* Pawel M. wrote:
> The second thing is how to set up masquerading (iptables) so that all packets
> pass freely in one direction and the other (iptables) - without any firewall
Try this:

#!/bin/sh
IPTB=/sbin/iptables

echo "Starting iptables filters"

# Load the netfilter modules the rules below depend on
modprobe ip_tables
modprobe iptable_filter
modprobe ipt_limit
modprobe ipt_REJECT
modprobe ipt_LOG
modprobe ipt_state
modprobe ip_conntrack_ftp

echo " chains: flush"
${IPTB} -F
${IPTB} -X

# Helper chain: log the packet, then drop it
echo " chain: log-drop"
${IPTB} -N log-drop
${IPTB} -A log-drop -j LOG
${IPTB} -A log-drop -j DROP

echo "GLOBAL:"
echo " admin-all"
# twoj.system.zawiadowczy is a placeholder for your management host
${IPTB} -A INPUT -s twoj.system.zawiadowczy/32 -j ACCEPT
# bad guys (ci.ktorych.nie.lubisz is a placeholder for hosts you do not like)
${IPTB} -A INPUT -s ci.ktorych.nie.lubisz/32 -j DROP

echo " policy: DENY"
${IPTB} -P INPUT DROP
${IPTB} -P FORWARD DROP

echo " no-invalid-packets"
${IPTB} -A INPUT -m state --state INVALID -j log-drop

echo " established+related-ok"
${IPTB} -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
${IPTB} -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT

echo " no-rfc1918-input"
${IPTB} -A INPUT -s 10.0.0.0/8 -j DROP
${IPTB} -A INPUT -s 172.16.0.0/12 -j DROP
${IPTB} -A INPUT -s 192.168.0.0/16 -j DROP

# ident, HTTP, POP3, FTP control and FTP data
echo " public-services"
${IPTB} -A INPUT -p tcp --destination-port 113 -j ACCEPT
${IPTB} -A INPUT -p tcp --destination-port 80 -j ACCEPT
${IPTB} -A INPUT -p tcp --destination-port 110 -j ACCEPT
${IPTB} -A INPUT -p tcp --destination-port 21 -j ACCEPT
${IPTB} -A INPUT -p tcp --destination-port 20 -j ACCEPT

echo "ICMP:"
echo " icmp-ok-except-ping"
${IPTB} -A INPUT -p icmp -s 0/0 --icmp-type echo-request -j DROP
${IPTB} -A INPUT -p icmp -s 0/0 -j ACCEPT

-- 
__________________________________________________________________________
rafal wiosna * TDC Internet Polska S.A. * Polbox * In ARP we trust * AR164 RAFD-RIPE * The PGP key is available at www.se.pgp.net (ID: 3CDCB7A9)
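
An added example, not part of the original post: a first-match model of the INPUT chain that the script above builds, showing how rule order decides the verdict (the ESTABLISHED,RELATED accept sits before the RFC 1918 drops, and no rule matches loopback traffic). The function names, the two stand-in addresses and the sample packets are constructed for illustration; the FORWARD chain and NAT are not modelled.

```shell
#!/bin/sh
# Added example: first-match model of the INPUT chain from the posted script.
ADMIN=192.0.2.10       # constructed stand-in for twoj.system.zawiadowczy
BLOCKED=198.51.100.66  # constructed stand-in for ci.ktorych.nie.lubisz

# True when the source address lies in 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# input_verdict SRC STATE PROTO DETAIL
#   STATE  : NEW, ESTABLISHED, RELATED or INVALID (conntrack state)
#   DETAIL : destination port for tcp/udp, ICMP type name for icmp
# Prints "<verdict> <rule label>" for the first rule that matches,
# walking the rules in the order the script appends them.
input_verdict() {
    src=$1; state=$2; proto=$3; detail=$4
    if [ "$src" = "$ADMIN" ]; then echo "ACCEPT admin-all"
    elif [ "$src" = "$BLOCKED" ]; then echo "DROP bad-guys"
    elif [ "$state" = INVALID ]; then echo "DROP no-invalid-packets"
    elif case "$proto:$state" in
            tcp:ESTABLISHED|tcp:RELATED|udp:ESTABLISHED|udp:RELATED) true ;;
            *) false ;;
         esac; then echo "ACCEPT established+related-ok"
    elif is_rfc1918 "$src"; then echo "DROP no-rfc1918-input"
    elif [ "$proto" = tcp ] && case "$detail" in
            113|80|110|21|20) true ;; *) false ;; esac; then
        echo "ACCEPT public-services"
    elif [ "$proto" = icmp ] && [ "$detail" = echo-request ]; then
        echo "DROP icmp-ok-except-ping"
    elif [ "$proto" = icmp ]; then echo "ACCEPT icmp-ok-except-ping"
    else echo "DROP policy"   # -P INPUT DROP
    fi
}

# Constructed sample packets: SRC STATE PROTO DETAIL
while read -r s st p d; do
    printf '%-12s %-11s %-4s %-12s -> %s\n' "$s" "$st" "$p" "$d" \
        "$(input_verdict "$s" "$st" "$p" "$d")"
done <<'EOF'
203.0.113.5 NEW tcp 80
203.0.113.5 NEW tcp 22
10.1.2.3 NEW tcp 80
10.1.2.3 ESTABLISHED tcp 80
203.0.113.5 NEW icmp echo-request
127.0.0.1 NEW tcp 25
EOF
```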