[tanya-jawab] [nanya]rule iptables ku kok ga bisa bikin client connect???

indra irawan Thu, 07 Jun 2007 08:26:56 -0700

Mo nanya rules tentang IPTABLES, aku bikin rule spt
ini:

----------------- code --------------------


#!/bin/bash

######################################################
#       Variable for Firewall                        #
######################################################

IPT="/sbin/iptables"                    # Program iptables
MPROBE="/sbin/modprobe"                 # Program modprobe
INTERNET="eth0"                         # Interface ke Internet
LAN="eth1"                              # Interface ke LAN
LOOPBACK_INTERFACE="lo"                 # Loopback interface
LOOPBACK="127.0.0.0/8"                  # Loopback address
CLASS_A="10.0.0/8"                      # Class A Private Network
CLASS_B="172.16.0.0/12"                 # Class B Private Network
CLASS_C="192.168.0.0/16"                # Class C Private Network
CLASS_D_MULTICAST="224.0.0.0/4"         # Class D Multicast
Address
CLASS_E_RESERVERD_NET="240.0.0.0/5"     # Class E reserved
address
BROADCAST_SRC="0.0.0.0"                 # Broadcast source address
BROADCAST_DEST="255.255.255.255"        # Broadcast
Destination address
PRIVPORTS="0:1023"                      # Private ports
UNPRIVPORTS="1024:65535"                # Unprivate ports

#######################################################
#       Daftar User dan Mac Address                   #
#######################################################

USER1="192.168.1.10"                    # PC1
MAC_USER1="0A:50:FC:3A:83:D1"

USER2="192.168.1.11"                    # PC2
MAC_USER2="00:52:FC:3A:83:D2"

USER3="192.168.1.12"                    # PC3
MAC_USER3="00:44:FC:3A:83:D3"

USER4="192.168.1.13"                    # PC4
MAC_USER4="00:1A:FC:3A:83:D4"


##############################################################
#       LOAD ADITIONAL MODULE FOR NAT & CONNTRACK            #
##############################################################

$MPROBE ip_conntrack
$MPROBE ip_conntrack_ftp
$MPROBE ip_nat_ftp
$MPROBE ip_nat_irc

###########################################################
#       GENERAL KERNEL CONFIGURATION                      #
###########################################################



# IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Enable broadcast echo Protection 
# (Drop ICMP echo-request messages sent to broadcast
or multicast addresses)
echo 1 >
/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Enable TCP SYN Cookie Protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

###############################################################
#       IPTABLES DEFAULT POLICY --> DROP ALL RULES            #
###############################################################

# Remove any existing rules from all chains
$IPT --flush
$IPT -t nat --flush
$IPT -t mangle --flush
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

# Reset the default policy
$IPT --policy INPUT   ACCEPT
$IPT --policy OUTPUT  ACCEPT
$IPT --policy FORWARD ACCEPT
$IPT -t nat --policy PREROUTING  ACCEPT
$IPT -t nat --policy OUTPUT ACCEPT
$IPT -t nat --policy POSTROUTING ACCEPT
$IPT -t mangle --policy PREROUTING ACCEPT
$IPT -t mangle --policy OUTPUT ACCEPT

# Set the default policy to drop
$IPT --policy INPUT   DROP
$IPT --policy OUTPUT  DROP
$IPT --policy FORWARD DROP
$IPT -t nat --policy PREROUTING  DROP
$IPT -t nat --policy OUTPUT DROP
$IPT -t nat --policy POSTROUTING DROP
$IPT -t mangle --policy PREROUTING DROP
$IPT -t mangle --policy OUTPUT DROP

# Unlimited traffic on the loopback interface
$IPT -A INPUT  -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT


################################################################
#               NETWORK ADDRESS TRANSLATION & MASQUEARDE CLIENT#
################################################################

# NAT for User
###############################################
$IPT -t nat -A POSTROUTING -o $INTERNET -s $USER1 -j
MASQUERADE
$IPT -t nat -A POSTROUTING -o $INTERNET -s $USER2 -j
MASQUERADE
$IPT -t nat -A POSTROUTING -o $INTERNET -s $USER3 -j
MASQUERADE
$IPT -t nat -A POSTROUTING -o $INTERNET -s $USER4 -j
MASQUERADE

#### USER 1
$IPT -A PREROUTING -t nat -i $LAN -s $USER1 -m mac
--mac-source $MAC_USER1 -j ACCEPT
$IPT -t nat -A PREROUTING -s $USER1 -p tcp --dport 80
-j REDIRECT --to-port 3128
$IPT -A PREROUTING -t nat -i $LAN -s ! $USER1 -m mac
--mac-source $MAC_USER1 -j DROP
$$IPT -A FORWARD -i $LAN -s ! $USER1 -m mac
--mac-source $MAC_USER1 -j DROP

#### USER 1
$IPT -A PREROUTING -t nat -i $LAN -s $USER2 -m mac
--mac-source $MAC_USER2 -j ACCEPT
$IPT -t nat -A PREROUTING -s $USER2 -p tcp --dport 80
-j REDIRECT --to-port 3128
$IPT -A PREROUTING -t nat -i $LAN -s ! $USER2 -m mac
--mac-source $MAC_USER2 -j DROP
$$IPT -A FORWARD -i $LAN -s ! $USER2 -m mac
--mac-source $MAC_USER2 -j DROP

#### USER 1
$IPT -A PREROUTING -t nat -i $LAN -s $USER3 -m mac
--mac-source $MAC_USER3 -j ACCEPT
$IPT -t nat -A PREROUTING -s $USER3 -p tcp --dport 80
-j REDIRECT --to-port 3128
$IPT -A PREROUTING -t nat -i $LAN -s ! $USER1 -m mac
--mac-source $MAC_USER3 -j DROP
$$IPT -A FORWARD -i $LAN -s ! $USER3 -m mac
--mac-source $MAC_USER3 -j DROP

#### USER 1
$IPT -A PREROUTING -t nat -i $LAN -s $USER4 -m mac
--mac-source $MAC_USER4 -j ACCEPT
$IPT -t nat -A PREROUTING -s $USER4 -p tcp --dport 80
-j REDIRECT --to-port 3128
$IPT -A PREROUTING -t nat -i $LAN -s ! $USER4 -m mac
--mac-source $MAC_USER4 -j DROP
$$IPT -A FORWARD -i $LAN -s ! $USER4 -m mac
--mac-source $MAC_USER1 -j DROP

---------------- end of code -----------------------


klo settingan diatas client nya ga bisa ngeping alias
ga bisa browsing sama sekali, nslookup aja ga bisa
tapi klo policy DROP ga gw pake, client bisa ping &
browsing (lancar deh pokok nya)

--------------- code ------------------
# Set the default policy to drop
$IPT --policy INPUT DROP
$IPT --policy OUTPUT DROP
$IPT --policy FORWARD DROP
$IPT -t nat --policy PREROUTING DROP
$IPT -t nat --policy OUTPUT DROP
$IPT -t nat --policy POSTROUTING DROP
$IPT -t mangle --policy PREROUTING DROP
$IPT -t mangle --policy OUTPUT DROP
----------------- end of code ---------------

kok bisa gitu ya?? padahal dibawah udah gw defenisiin
ip client yang bisa connect, tapi klo policy DROP nya
gw aktifin kok client nya ga bisa connect sama sekali
ya??

gw pengen nya default nya DROP dan hanya ngizinin IP
tertentu aja buat bisa akses,
kira2 rule iptables gw salah nya dimana sih??

thanks...


       
____________________________________________________________________________________
Boardwalk for $500? In 2007? Ha! Play Monopoly Here
and Now (it's updated for today's economy) at Yahoo!
Games.
http://get.games.yahoo.com/proddesc?gamekey=monopolyherenow
 


       
____________________________________________________________________________________
Need a vacation? Get great deals
to amazing places on Yahoo! Travel.
http://travel.yahoo.com/

-- 
FAQ milis di http://wiki.linux.or.id/FAQ_milis_tanya-jawab
Unsubscribe: kirim email ke [EMAIL PROTECTED]
Arsip dan info milis selengkapnya di http://linux.or.id/milis

[tanya-jawab] [nanya]rule iptables ku kok ga bisa bikin client connect???

Kirim email ke