On Sun, Aug 26, 2001 at 11:19:47PM, D. Taupin (wanadoo-lps) wrote:
> 
> Oui: j'ai 2.4.3
> 
> Le pb est de trouver l'équivalent des commandes de ipchains.
En pièce jointe, mon fichier pour iptables, qui permet le forwarding et
bloque 2-3 trucs.

>
---end quoted text---

@+,
binny

-- 

L'erreur est humaine mais un veritable desastre necessite un ordinateur.
        -- Unknown

Un coup de chaleur ? Passez sur La Banquise... 
http://www.labanquise.org

       Benjamin Michotte        <[EMAIL PROTECTED]>
  °v°  web      : http://www.baby-linux.net
  _o_  homepage : http://www.baby-linux.net/binny
       slaktool : http://slaktool.sourceforge.net
       icq uin  : 99745024
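#!/bin/sh
# rc.firewall-2.4
#
# Firewall / NAT setup for a Linux 2.4 router with one external link
# ($IF, ppp0) and one LAN interface ($INIF, eth1):
#   - flushes every chain and sets a few /proc hardening knobs
#   - masquerades LAN traffic leaving through $IF, drops all other forwarding
#   - accepts FTP/SSH/DNS/HTTP to this host from anywhere, drops telnet
#
# NOTE: the INPUT chain's policy is never set here and the closing
# "deny everything else" rule at the bottom is commented out.  While that
# is so, INPUT keeps whatever policy it already has (ACCEPT by default),
# every port on $NET is reachable, and the INPUT ACCEPT rules are inert;
# only the explicit telnet DROP has an effect.  See the end of the file.
#
# Must run as root.  Exits 1 without touching any rule when iptables is
# missing or the addresses of $IF / $INIF cannot be read (e.g. ppp0 down).

IPTABLES=/usr/local/sbin/iptables

IF=ppp0     # external (Internet) interface
INIF=eth1   # internal (LAN) interface

#######################################
# if_addr IFACE / if_mask IFACE
# Print the IPv4 address / netmask of IFACE, parsed from 2.4-era
# net-tools ifconfig output ("inet addr:A.B.C.D  Bcast:...  Mask:...").
# NOTE(review): 'grep inet' also matches an "inet6 addr:" line if IPv6 is
# configured, as in the original — verify on hosts with IPv6 enabled.
#######################################
if_addr() {
  /sbin/ifconfig "$1" | grep inet | cut -d : -f 2 | cut -d ' ' -f 1
}
if_mask() {
  /sbin/ifconfig "$1" | grep Mas | cut -d : -f 4
}

#######################################
# set_proc FILE VALUE
# Write VALUE to FILE when it exists; the file is absent when the
# corresponding kernel option is compiled out, and is then skipped.
#######################################
set_proc() {
  if [ -e "$1" ]; then
    echo "$2" > "$1"
  fi
}

if [ ! -x "$IPTABLES" ]; then
  echo "rc.firewall-2.4: $IPTABLES not found or not executable" >&2
  exit 1
fi

IP=$(if_addr "$IF")
MASK=$(if_mask "$IF")
INIP=$(if_addr "$INIF")
INMASK=$(if_mask "$INIF")

# Refuse to build a ruleset around empty values: "$NET" would become "/",
# every rule using it would fail, and a half-applied firewall would remain.
for v in "$IP" "$MASK" "$INIP" "$INMASK"; do
  if [ -z "$v" ]; then
    echo "rc.firewall-2.4: cannot read address/mask of $IF or $INIF" >&2
    exit 1
  fi
done

NET="$IP/$MASK"
INNET="$INIP/$INMASK"

# FORWARD policy goes in before the flush so there is never a window with
# an empty FORWARD chain and an ACCEPT policy while the rules are rebuilt
# (-F does not reset policies).  The end state is the same as before.
$IPTABLES -P FORWARD DROP

# Flush, delete user-made chains, zero the counters (filter, mangle, nat).
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
$IPTABLES -t mangle -F
$IPTABLES -t nat -F

# Loopback: everything.
$IPTABLES -A INPUT  -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPTABLES -A OUTPUT -o lo -s 0/0 -d 0/0 -j ACCEPT

# Everything this host itself sends out the external link.
$IPTABLES -A OUTPUT -o "$IF" -s 0/0 -d 0/0 -j ACCEPT

# Source address verification (rp_filter) on every interface.  The value 2
# is kept from the original; as far as I can tell 2.4 treats any non-zero
# value as "on" (the 1/2 strict/loose distinction came later) — verify.
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 2 > "$f"
  done
fi

# SYN cookies against SYN floods.
set_proc /proc/sys/net/ipv4/tcp_syncookies 1
# Ignore ICMP error replies that violate the RFCs.
set_proc /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
# Do not answer broadcast pings (smurf amplification).
set_proc /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
# Dynamic address rewriting for dial-up sockets stays off.
set_proc /proc/sys/net/ipv4/ip_dynaddr 0
# Connection-tracking table size (original comment: doubling the default).
set_proc /proc/sys/net/ipv4/ip_conntrack_max 16384
# IP forwarding on — must come after the FORWARD policy above, so nothing
# is forwarded before the rules are in place.
set_proc /proc/sys/net/ipv4/ip_forward 1

# LAN -> Internet is forwarded, but only when the packet really arrives on
# the LAN interface: without -i a packet carrying a forged LAN source
# address that came in on $IF would match as well.  Anything addressed to
# the LAN is forwarded; everything else falls to the FORWARD DROP policy.
$IPTABLES -A FORWARD -i "$INIF" -s "$INNET" -d 0/0 -o "$IF" -j ACCEPT
$IPTABLES -A FORWARD -d "$INNET" -j ACCEPT

# Masquerade what leaves through the external link.
$IPTABLES -t nat -A POSTROUTING -o "$IF" -j MASQUERADE
# Kept from the original.  Listed after MASQUERADE, so (POSTROUTING being
# first-match) it only affects traffic from $NET that does NOT leave via $IF.
$IPTABLES -t nat -A POSTROUTING -s "$NET" -d 0/0 -j ACCEPT

# Traffic from the LAN to this host — again tied to the LAN interface so a
# spoofed LAN source address on $IF does not get in.
$IPTABLES -A INPUT -i "$INIF" -s "$INNET" -d 0/0 -j ACCEPT
$IPTABLES -A OUTPUT -s "$INNET" -d 0/0 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp -s "$INNET" -d 0/0 -j ACCEPT

# Services offered on $NET to anyone.
# FTP: control port 21; non-SYN packets to port 20 (presumably replies on
# active-mode data connections opened from this host's port 20).
$IPTABLES -A INPUT -p tcp -s 0/0 -d "$NET" --dport 20 ! --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 0/0 -d "$NET" --dport 21 -j ACCEPT

# SSH
$IPTABLES -A INPUT -p tcp -s 0/0 -d "$NET" --dport 22 -j ACCEPT

# Telnet: refused explicitly.  This is the only INPUT rule with a visible
# effect while the closing REJECT below stays disabled.
$IPTABLES -A INPUT -p tcp -s 0/0 -d "$NET" --dport 23 -j DROP

# DNS
$IPTABLES -A INPUT -p tcp -s 0/0 -d "$NET" --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp -s 0/0 -d "$NET" --dport 53 -j ACCEPT

# HTTP
$IPTABLES -A INPUT -p tcp -s 0/0 -d "$NET" --dport 80 -j ACCEPT

# Deny everything not let through earlier.
# Left disabled as in the original.  Before enabling it, add an accept for
# established/related traffic near the top of INPUT, otherwise replies to
# this host's own outbound connections are rejected as well, e.g.
#   $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# (equivalently, setting '-P INPUT DROP' makes the intent explicit).
#$IPTABLES -A INPUT -j REJECT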
