Shouldn't you simply do network address translation (NAT)
with iptables (Linux 2.4.x) or ipchains (Linux 2.2.x)?
I'm on 2.2.19. I admit I don't know ipchains very well. Is it
necessary to add a command in the forward chain? For now, the
cluster's security consists of accepting only the ssh protocol from
the outside, but ipchains is not yet configured correctly. I have
also enabled the tcpwrappers, even though I know they are less efficient
and less secure. Does anyone know a web page where one can easily
learn how to use ipchains?
Googling "ipchains howto" gave me:
http://www.tldp.org/HOWTO/IPCHAINS-HOWTO.html
Attached, as an example, is a firewall configuration script
using ipchains.
You should be able to find plenty of other examples on the Web.
--
Eric
#!/bin/sh
#
# /etc/rc.d/rc.firewall: An example of a Semi-Strong IPCHAINS firewall ruleset.
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# Load all required IP MASQ modules
#
# NOTE: Only load the IP MASQ modules you need. All current IP MASQ modules
# are shown below but are commented from loading.
# Supports the proper masquerading of FTP file transfers using the PORT method
#
/sbin/modprobe -k ip_masq_ftp
# Supports the masquerading of RealAudio over UDP. Without this module,
# RealAudio WILL function but in TCP mode. This can cause a reduction
# in sound quality
#
# /sbin/modprobe ip_masq_raudio
# Supports the masquerading of IRC DCC file transfers
#
#/sbin/modprobe ip_masq_irc
# Supports the masquerading of Quake and QuakeWorld by default. This module is
# for multiple users behind the Linux MASQ server. If you are going to
# play Quake I, II, and III, use the second example.
#
# NOTE: If you get ERRORs loading the QUAKE module, you are running an old
# kernel that has bugs in it. Please upgrade to the newest kernel.
#
#Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
#
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
#/sbin/modprobe ip_masq_quake 26000,27000,27910,27960
# Supports the masquerading of the CuSeeme video conferencing software
#
#/sbin/modprobe ip_masq_cuseeme
#Supports the masquerading of the VDO-live video conferencing software
#
#/sbin/modprobe ip_masq_vdolive
#CRITICAL: Enable IP forwarding since it is disabled by default.
#
# Redhat Users: you may try changing the options in
# /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
# linuxconf already does this
echo 1 > /proc/sys/net/ipv4/ip_forward
#CRITICAL: Enable automatic IP defragmenting since it is disabled by default
# in 2.2.x kernels
#
# This used to be a compile-time option but the behavior was changed
# in 2.2.12. It should also be noted that some distributions have
# removed this option from the /proc table. If this entry isn't
# present in your /proc, don't worry about it.
#
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this
# following option. This enables dynamic-ip address hacking in IP MASQ,
# making the life with Diald and similar programs much easier.
#
# echo 1 > /proc/sys/net/ipv4/ip_dynaddr
# Enable the LooseUDP patch which some Internet-based games require
#
# If you are trying to get an Internet game to work through your IP MASQ box,
# and you have set it up to the best of your ability without it working, try
# enabling this option (delete the # character). This option is disabled
# by default due to possible internal machine UDP port scanning
# vulnerabilities.
#
# echo 1 > /proc/sys/net/ipv4/ip_masq_udp_dloose
# Specify your Static IP address here.
#
# If you have a DYNAMIC IP address, you need to make this ruleset understand
# your IP address every time you get a new IP. To do this, enable the
# following one-line script. (Please note that the different single and
# double quote characters MATTER).
#
#
# DHCP users:
# ---
# If you get your TCP/IP address via DHCP, **you will need ** to enable the
# #ed out command below underneath the PPP section AND replace the word
# ppp0 with the name of your EXTERNAL Internet connection (eth0, eth1, etc)
# on the lines for ppp-ip and extip. It should be also noted that the
# DHCP server can change IP addresses on you. To fix this, users should
# configure their DHCP client to re-run the firewall ruleset every time the
# DHCP lease is renewed.
#
# NOTE #1: Some DHCP clients like the original pump (the newer
# versions have been fixed) did NOT have the ability to run
# scripts after a lease-renew. Because
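As an added example (not Eric's attachment, and not taken from the HOWTO), here is a minimal ipchains ruleset for the situation described in the thread: a cluster head node that accepts only SSH from the outside and masquerades the cluster nodes in the forward chain. The interface names, EXTIP and INTNET are assumed placeholders; setting IPCHAINS=echo prints the rules instead of installing them so they can be reviewed before use.

```shell
#!/bin/sh
# Minimal ipchains ruleset for a cluster head node (2.2.x kernel).
# Assumed layout (placeholders, not values from the thread):
#   eth0 = external interface holding EXTIP, eth1 = cluster LAN (INTNET).
# IPCHAINS may be overridden (IPCHAINS=echo) to print rules instead of
# installing them.
IPCHAINS="${IPCHAINS:-/sbin/ipchains}"
EXTIF="${EXTIF:-eth0}"
INTIF="${INTIF:-eth1}"
EXTIP="${EXTIP:-203.0.113.10}"      # example public address
INTNET="${INTNET:-192.168.1.0/24}"  # cluster nodes, private addresses

reset_chains() {
    $IPCHAINS -F                 # flush every rule in the built-in chains
    $IPCHAINS -P input DENY      # deny anything not explicitly accepted
    $IPCHAINS -P forward DENY    # forward nothing except the MASQ rule below
    $IPCHAINS -P output ACCEPT
}

input_rules() {
    $IPCHAINS -A input -i lo -j ACCEPT
    # Packets from the cluster LAN on the internal interface are trusted.
    $IPCHAINS -A input -i "$INTIF" -s "$INTNET" -j ACCEPT
    # Anti-spoofing: cluster addresses must never arrive on the outside.
    $IPCHAINS -A input -i "$EXTIF" -s "$INTNET" -l -j DENY
    # The only service reachable from the outside is SSH on the head node.
    $IPCHAINS -A input -i "$EXTIF" -p tcp -d "$EXTIP" 22 -j ACCEPT
    # Log and drop every other inbound TCP connection attempt (SYN packets).
    $IPCHAINS -A input -i "$EXTIF" -p tcp -y -l -j DENY
    # ipchains is stateless: replies to connections the cluster opened are
    # the non-SYN TCP packets, plus DNS answers and ICMP, so accept those.
    $IPCHAINS -A input -i "$EXTIF" -p tcp ! -y -j ACCEPT
    $IPCHAINS -A input -i "$EXTIF" -p udp -s 0/0 53 -d "$EXTIP" -j ACCEPT
    $IPCHAINS -A input -i "$EXTIF" -p icmp -j ACCEPT
}

forward_rules() {
    # The forward-chain command asked about in the thread: masquerade the
    # cluster's private addresses behind EXTIP as they leave through EXTIF.
    $IPCHAINS -A forward -i "$EXTIF" -s "$INTNET" -j MASQ
}

apply_firewall() {
    reset_chains
    input_rules
    forward_rules
}

# Install the rules only when explicitly asked: "sh rc.firewall apply".
if [ "${1:-}" = "apply" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    apply_firewall
fi
```

Run it with IPCHAINS=echo first to read the generated rules; only the SSH rule and the non-SYN/DNS/ICMP reply rules let external packets in, and everything else from the outside is logged and denied.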