I want to ask about IPTABLES rules. I made rules like this:

----------------- code --------------------
#!/bin/bash
######################################################
# Variable for Firewall                              #
######################################################
IPT="/sbin/iptables"                 # Program iptables
MPROBE="/sbin/modprobe"              # Program modprobe
INTERNET="eth0"                      # Interface to the Internet
LAN="eth1"                           # Interface to the LAN
LOOPBACK_INTERFACE="lo"              # Loopback interface
LOOPBACK="127.0.0.0/8"               # Loopback address
CLASS_A="10.0.0.0/8"                 # Class A Private Network
CLASS_B="172.16.0.0/12"              # Class B Private Network
CLASS_C="192.168.0.0/16"             # Class C Private Network
CLASS_D_MULTICAST="224.0.0.0/4"      # Class D Multicast Address
CLASS_E_RESERVERD_NET="240.0.0.0/5"  # Class E reserved address
BROADCAST_SRC="0.0.0.0"              # Broadcast source address
BROADCAST_DEST="255.255.255.255"     # Broadcast Destination address
PRIVPORTS="0:1023"                   # Private ports
UNPRIVPORTS="1024:65535"             # Unprivate ports
#######################################################
# List of users and MAC addresses                     #
#######################################################
USER1="192.168.1.10"                 # PC1
MAC_USER1="0A:50:FC:3A:83:D1"
USER2="192.168.1.11"                 # PC2
MAC_USER2="00:52:FC:3A:83:D2"
USER3="192.168.1.12"                 # PC3
MAC_USER3="00:44:FC:3A:83:D3"
USER4="192.168.1.13"                 # PC4
MAC_USER4="00:1A:FC:3A:83:D4"
##############################################################
# LOAD ADDITIONAL MODULES FOR NAT & CONNTRACK                 #
##############################################################
$MPROBE ip_conntrack
$MPROBE ip_conntrack_ftp
$MPROBE ip_nat_ftp
$MPROBE ip_nat_irc
###########################################################
# GENERAL KERNEL CONFIGURATION                             #
###########################################################
# IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Enable broadcast echo Protection
# (Drop ICMP echo-request messages sent to broadcast or multicast addresses)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Enable TCP SYN Cookie Protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
###############################################################
# IPTABLES DEFAULT POLICY --> DROP ALL RULES                   #
###############################################################
# Remove any existing rules from all chains
$IPT --flush
$IPT -t nat --flush
$IPT -t mangle --flush
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
# Reset the default policy
$IPT --policy INPUT ACCEPT
$IPT --policy OUTPUT ACCEPT
$IPT --policy FORWARD ACCEPT
$IPT -t nat --policy PREROUTING ACCEPT
$IPT -t nat --policy OUTPUT ACCEPT
$IPT -t nat --policy POSTROUTING ACCEPT
$IPT -t mangle --policy PREROUTING ACCEPT
$IPT -t mangle --policy OUTPUT ACCEPT
# Set the default policy to drop
$IPT --policy INPUT DROP
$IPT --policy OUTPUT DROP
$IPT --policy FORWARD DROP
$IPT -t nat --policy PREROUTING DROP
$IPT -t nat --policy OUTPUT DROP
$IPT -t nat --policy POSTROUTING DROP
$IPT -t mangle --policy PREROUTING DROP
$IPT -t mangle --policy OUTPUT DROP
# Unlimited traffic on the loopback interface
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
################################################################
# NETWORK ADDRESS TRANSLATION & MASQUERADE CLIENT               #
################################################################
# NAT for User
###############################################
$IPT -t nat -A POSTROUTING -o $INTERNET -s $USER1 -j MASQUERADE
$IPT -t nat -A POSTROUTING -o $INTERNET -s $USER2 -j MASQUERADE
$IPT -t nat -A POSTROUTING -o $INTERNET -s $USER3 -j MASQUERADE
$IPT -t nat -A POSTROUTING -o $INTERNET -s $USER4 -j MASQUERADE
#### USER 1
$IPT -A PREROUTING -t nat -i $LAN -s $USER1 -m mac --mac-source $MAC_USER1 -j ACCEPT
$IPT -t nat -A PREROUTING -s $USER1 -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPT -A PREROUTING -t nat -i $LAN -s ! $USER1 -m mac --mac-source $MAC_USER1 -j DROP
$IPT -A FORWARD -i $LAN -s ! $USER1 -m mac --mac-source $MAC_USER1 -j DROP
#### USER 2
$IPT -A PREROUTING -t nat -i $LAN -s $USER2 -m mac --mac-source $MAC_USER2 -j ACCEPT
$IPT -t nat -A PREROUTING -s $USER2 -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPT -A PREROUTING -t nat -i $LAN -s ! $USER2 -m mac --mac-source $MAC_USER2 -j DROP
$IPT -A FORWARD -i $LAN -s ! $USER2 -m mac --mac-source $MAC_USER2 -j DROP
#### USER 3
$IPT -A PREROUTING -t nat -i $LAN -s $USER3 -m mac --mac-source $MAC_USER3 -j ACCEPT
$IPT -t nat -A PREROUTING -s $USER3 -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPT -A PREROUTING -t nat -i $LAN -s ! $USER3 -m mac --mac-source $MAC_USER3 -j DROP
$IPT -A FORWARD -i $LAN -s ! $USER3 -m mac --mac-source $MAC_USER3 -j DROP
#### USER 4
$IPT -A PREROUTING -t nat -i $LAN -s $USER4 -m mac --mac-source $MAC_USER4 -j ACCEPT
$IPT -t nat -A PREROUTING -s $USER4 -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPT -A PREROUTING -t nat -i $LAN -s ! $USER4 -m mac --mac-source $MAC_USER4 -j DROP
$IPT -A FORWARD -i $LAN -s ! $USER4 -m mac --mac-source $MAC_USER4 -j DROP
---------------- end of code -----------------------

With the settings above the clients can't ping, and can't browse at all either; not even nslookup works. But if I don't use the DROP policy, the clients can ping & browse (everything runs smoothly):

--------------- code ------------------
# Set the default policy to drop
$IPT --policy INPUT DROP
$IPT --policy OUTPUT DROP
$IPT --policy FORWARD DROP
$IPT -t nat --policy PREROUTING DROP
$IPT -t nat --policy OUTPUT DROP
$IPT -t nat --policy POSTROUTING DROP
$IPT -t mangle --policy PREROUTING DROP
$IPT -t mangle --policy OUTPUT DROP
----------------- end of code ---------------

How can that be? Below it I have already defined the client IPs that are allowed to connect, but as soon as I enable the DROP policy the clients can't connect at all. What I want is for the default to be DROP and to allow only certain IPs to get access. Where are my iptables rules wrong? thanks...
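Since the question is about a default-DROP gateway that only lets listed clients through, here is an added example of such a rule set (an editor's illustration, not the poster's script): the DROP policy sits on the filter table only, the nat and mangle chains stay ACCEPT because they only see the first packet of a flow, and each listed client gets ACCEPT rules for new connections plus one ESTABLISHED,RELATED rule that lets replies back. The interface names, proxy port and client list are assumed sample values, and the script prints its rules instead of applying them when IPT=echo is set.

```shell
#!/bin/sh
# Added example, not the poster's script: default DROP only in the filter table,
# with explicit ACCEPT rules for listed LAN clients bound to their MAC addresses.
# Set IPT=echo to print the rules instead of applying them (needs root otherwise).
IPT="${IPT:-/sbin/iptables}"
INTERNET="eth0"        # assumed: interface to the Internet
LAN="eth1"             # assumed: interface to the LAN
PROXY_PORT="3128"      # assumed: transparent web proxy listening on the gateway
# Constructed client list, "ip mac" per line (sample values, not real hosts)
CLIENTS="192.168.1.10 0A:50:FC:3A:83:D1
192.168.1.11 00:52:FC:3A:83:D2"

apply_rules() {
    $IPT -F; $IPT -t nat -F; $IPT -t mangle -F
    # DROP policy goes on the filter table only; nat/mangle chains see just the
    # first packet of a flow, so a DROP policy there breaks every connection.
    $IPT -P INPUT DROP; $IPT -P OUTPUT DROP; $IPT -P FORWARD DROP
    $IPT -t nat -P PREROUTING ACCEPT; $IPT -t nat -P POSTROUTING ACCEPT
    # Loopback, plus replies for connections already accepted below
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The gateway's own new connections out (proxy fetches, its DNS lookups)
    $IPT -A OUTPUT -o "$INTERNET" -m state --state NEW -j ACCEPT
    printf '%s\n' "$CLIENTS" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        # Web traffic from this client goes to the local proxy (nat, first packet)
        $IPT -t nat -A PREROUTING -i "$LAN" -s "$ip" -m mac --mac-source "$mac" \
            -p tcp --dport 80 -j REDIRECT --to-port "$PROXY_PORT"
        # The client may reach the proxy port and ping the gateway
        $IPT -A INPUT -i "$LAN" -s "$ip" -m mac --mac-source "$mac" \
            -p tcp --dport "$PROXY_PORT" -j ACCEPT
        $IPT -A INPUT -i "$LAN" -s "$ip" -m mac --mac-source "$mac" -p icmp -j ACCEPT
        # Everything else new from the client (DNS, ping, HTTPS, ...) is forwarded
        $IPT -A FORWARD -i "$LAN" -o "$INTERNET" -s "$ip" -m mac --mac-source "$mac" \
            -m state --state NEW -j ACCEPT
        # Masquerade only this listed address
        $IPT -t nat -A POSTROUTING -o "$INTERNET" -s "$ip" -j MASQUERADE
    done
    # Unknown IP or wrong MAC on the LAN: log a sample, then the DROP policy applies
    $IPT -A FORWARD -i "$LAN" -m limit --limit 5/min -j LOG --log-prefix "FW-LAN-DROP: "
    $IPT -A INPUT -i "$LAN" -m limit --limit 5/min -j LOG --log-prefix "FW-LAN-DROP: "
}
```

Run `IPT=echo sh script.sh` after adding a final `apply_rules` line to review the generated rules before loading them on the gateway.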