On Sun, Aug 26, 2001 at 11:19:47PM, D. Taupin (wanadoo-lps) wrote: > > Oui: j'ai 2.4.3 > > Le pb est de trouver l'équivalent des commandes de ipchains. en attachement, mon fichier pour iptables qui permet le forwarding et bloque 2-3 trucs
> ---end quoted text--- @+, binny -- L'erreur est humaine mais un véritable désastre nécessite un ordinateur. -- Unknown Un coup de chaleur ? Passez sur La Banquise... http://www.labanquise.org Benjamin Michotte <[EMAIL PROTECTED]> °v° web : http://www.baby-linux.net _o_ homepage : http://www.baby-linux.net/binny slaktool : http://slaktool.sourceforge.net icq uin : 99745024
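#!/bin/sh
# rc.firewall-2.4
#
# iptables rule set for a Linux 2.4 gateway: masquerades an internal LAN
# (INIF) behind a PPP link (IF), hardens a few /proc/sys/net/ipv4 tunables
# and filters a handful of ports on INPUT.
#
# Requires: /sbin/ifconfig (classic "inet addr:"/"Mask:" output format),
# iptables at $IPTABLES, root privileges.
# Must run after $IF and $INIF are up, otherwise the address detection
# below yields empty values and every rule that uses $NET / $INNET fails.

IPTABLES=/usr/local/sbin/iptables
IF=ppp0      # external (Internet-facing) interface
INIF=eth1    # internal LAN interface

# if_addr IFACE - print the IPv4 address of IFACE as shown by ifconfig.
# Matches "inet addr" rather than a bare "inet" so an "inet6 addr:" line
# on the same interface is not picked up as well.
if_addr() {
  /sbin/ifconfig "$1" | grep 'inet addr' | cut -d : -f 2 | cut -d ' ' -f 1
}

# if_mask IFACE - print the IPv4 netmask of IFACE as shown by ifconfig
# (4th ':'-separated field of the line carrying "Mask:").
if_mask() {
  /sbin/ifconfig "$1" | grep Mas | cut -d : -f 4
}

# set_proc PATH VALUE - write VALUE to the /proc tunable PATH if this
# kernel exposes it; silently skipped otherwise.
set_proc() {
  if [ -e "$1" ]; then
    echo "$2" > "$1"
  fi
}

IP=$(if_addr "$IF")
MASK=$(if_mask "$IF")
NET=$IP/$MASK
INIP=$(if_addr "$INIF")
INMASK=$(if_mask "$INIF")
INNET=$INIP/$INMASK

# Best effort: keep going as before, but say loudly why later rules fail.
if [ -z "$IP" ] || [ -z "$MASK" ]; then
  echo "rc.firewall: cannot read address/mask of $IF; rules using \$NET will fail" >&2
fi
if [ -z "$INIP" ] || [ -z "$INMASK" ]; then
  echo "rc.firewall: cannot read address/mask of $INIF; rules using \$INNET will fail" >&2
fi

#Delete user made chains. Flush and zero the chains.
"$IPTABLES" -F
"$IPTABLES" -X
"$IPTABLES" -Z
"$IPTABLES" -t mangle -F
"$IPTABLES" -t nat -F

#Allow all traffic on the loopback interface
"$IPTABLES" -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
"$IPTABLES" -A OUTPUT -o lo -s 0/0 -d 0/0 -j ACCEPT

#Allow all traffic on output (uses $IF instead of a second hard-coded ppp0)
"$IPTABLES" -A OUTPUT -o "$IF" -s 0/0 -d 0/0 -j ACCEPT

#Turn on source address verification in kernel
# NOTE: on 2.4 any non-zero value enables rp_filter; on later kernels
# 2 means "loose" mode and 1 is the strict check.
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 2 > "$f"
  done
fi

#Turn on syn cookies protection in kernel
set_proc /proc/sys/net/ipv4/tcp_syncookies 1

#ICMP Dead Error Messages protection
set_proc /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1

#ICMP Broadcasting protection
set_proc /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1

#Turn off dynamic TCP/IP address hacking
set_proc /proc/sys/net/ipv4/ip_dynaddr 0

#Doubling current limit for ip_conntrack
set_proc /proc/sys/net/ipv4/ip_conntrack_max 16384

#Turn on IP forwarding
set_proc /proc/sys/net/ipv4/ip_forward 1

#Forward Int/Ext & Ext/Int Traffic before Masquerading
# NOTE(review): the second rule accepts every forwarded packet addressed
# to the LAN regardless of connection state; a stateful variant
# (-m state --state ESTABLISHED,RELATED) would only let replies back in.
"$IPTABLES" -A FORWARD -d 0/0 -s "$INNET" -o "$IF" -j ACCEPT
"$IPTABLES" -A FORWARD -d "$INNET" -j ACCEPT

#Don't masq external interface traffic
# This exclusion must precede the MASQUERADE rule: MASQUERADE is a
# terminating target, so an ACCEPT appended after it is never reached.
"$IPTABLES" -t nat -A POSTROUTING -s "$NET" -d 0/0 -j ACCEPT

#Masquerade outgoing traffic
"$IPTABLES" -t nat -A POSTROUTING -o "$IF" -j MASQUERADE

#Allow traffic from internal network going anywhere
"$IPTABLES" -A INPUT -s "$INNET" -d 0/0 -j ACCEPT
"$IPTABLES" -A OUTPUT -s "$INNET" -d 0/0 -j ACCEPT
"$IPTABLES" -A OUTPUT -p icmp -s "$INNET" -d 0/0 -j ACCEPT

#Setting default forwarding rule
"$IPTABLES" -P FORWARD DROP

# Per-port INPUT rules. No INPUT policy is set here and the final
# catch-all REJECT below is commented out, so anything not matched falls
# through to the chain's existing policy; the ACCEPT rules only restrict
# access once that catch-all (or -P INPUT DROP) is enabled.
#FTP
"$IPTABLES" -A INPUT -p tcp -s 0/0 -d "$NET" --dport 20 ! --syn -j ACCEPT
"$IPTABLES" -A INPUT -p tcp -s 0/0 -d "$NET" --dport 21 -j ACCEPT
#SSH
"$IPTABLES" -A INPUT -p tcp -s 0/0 -d "$NET" --dport 22 -j ACCEPT
#Telnet (refuse telnet)
"$IPTABLES" -A INPUT -p tcp -s 0/0 -d "$NET" --dport 23 -j DROP
#DNS
"$IPTABLES" -A INPUT -p tcp -s 0/0 -d "$NET" --dport 53 -j ACCEPT
"$IPTABLES" -A INPUT -p udp -s 0/0 -d "$NET" --dport 53 -j ACCEPT
#HTTP
"$IPTABLES" -A INPUT -p tcp -s 0/0 -d "$NET" --dport 80 -j ACCEPT

#Deny everything not let through earlier
#"$IPTABLES" -A INPUT -j REJECT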