iptables

Dimitrios Tsimbidis dtsimbid at otenet.gr
Mon Nov 19 23:01:01 EET 2001


First of all, thanks for taking the time to look at my problem.
Something I should mention in case it is relevant: eth1 is the card that
is connected directly to the DSL. Now I'm thinking maybe


"Kostas Liakakis" <kostas at skiathos.physics.auth.gr> wrote in message
news:9stcj5$pvh$1 at nic.grnet.gr...
> You don't tell me, though, what it is you want to do...
> Looking at the little script, I guess you want to allow connections in to a www
> server and an smtp server
> You also probably want your smtp server to be able to send mail. And to be
> able to do ftp. Right?
>
> I didn't get that "domain" thing in UDP... The icmp makes sense.
>
> The first objection would be the use of DROP. REJECT is preferable, which
> sends back an error. Perhaps that is also the reason the program that checks
> your ports shows them as open. Change it and see.
>
> Now if you like, let's also have a little chat :-) So:
>
> "Dimitrios Tsimbidis" <dtsimbid at otenet.gr> wrote
> > OURNET="192.168.1.0/24"
> > OURDEV="eth0"
> > WORLDADDR="0/0"
> > WORLDDEV="eth1"
> > TCPIN="smtp,www"
> > TCPOUT="smtp,www,ftp,ftp-data"
> > #  Rules
> > $IPTABLES -F FORWARD -v
> > $IPTABLES -P FORWARD DROP -v
>
> Default action DROP.
>
> > $IPTABLES -A INPUT -i $WORLDDEV -j DROP -v
>
> You drop whatever comes in from outside to the router itself. Correct.
>
> > $IPTABLES -A FORWARD -s $OURNET -i $WORLDDEV -j DROP -v
>
> You also throw away whatever comes from outside with your own IP. Correct.
>
> > #SMURF
> > $IPTABLES -A FORWARD -m icmp -p icmp -i $WORLDDEV -d $OURNET -j DROP -v
>
> You throw away _all_ the icmp that comes to you... hmmm... Hmm.. why? Since
> you do a finer selection later, at the end...
>
> > $IPTABLES -A FORWARD -f -j ACCEPT -v
>
> You accept the fragments...  I think that since IP_ALWAYS_DEFRAG went away as
> a compile option, enabling ip_forward automatically does defragmentation too
> before the packet is passed to netfilter... but then again I'm not entirely
> sure... Chriiiiistos...
>
> > $IPTABLES -A FORWARD -m multiport -p tcp -d $OURNET --dport $TCPIN
> > ! --tcp-flags SYN,ACK ACK -j ACCEPT -v
>
> You accept the SYN and SYNACK towards your www and smtp server.
>
> > $IPTABLES -A FORWARD -m multiport -p tcp -s $OURNET --sport $TCPIN
> > ! --tcp-flags SYN,ACK ACK -j ACCEPT -v
>
> You send outwards whatever comes from your www/smtp server and is SYN
> or SYNACK. Hmm....
>
> > $IPTABLES -A FORWARD -m multiport -p tcp -i $WORLDDEV -d $OURNET --dport
> > $TCPIN --syn -j ACCEPT -v
>
> You accept whatever has SYN and goes to www/smtp (again...)
>
> > $IPTABLES -A FORWARD -m multiport -p tcp -i $OURDEV -d $WORLDADDR --dport
> > $TCPOUT --syn -j ACCEPT -v
>
> And you send outwards whatever is SYN and goes to ftp, ftp-data, smtp,
> www
>
> So in the end, will you let them send data? You only let syn packets pass
> through the router...
> I think you got tangled up somewhere. Maybe that's why you can't see the
> outside world after all? Maybe it would be better to:
>
> $IPTABLES -A FORWARD -m multiport -p tcp -i $WORLDDEV --dport $TCPIN -j
> ACCEPT -v
> $IPTABLES -A FORWARD -m multiport -p tcp -i $OURDEV --sport $TCPOUT -j
> ACCEPT -v
>
> Unless you're asking for something different that I didn't catch....
>
> -K.
>
>
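The rules quoted above only pass SYN/SYN-ACK packets, so the data of any accepted connection is dropped; the usual fix is to let connection tracking accept the return traffic. The script below is an added example, not the script from the thread or Kostas's suggestion: it keeps the interface and network names from the quoted script and assumes the netfilter state match (ip_conntrack, plus ip_conntrack_ftp for ftp-data) is loaded. With IPTABLES unset it only prints the rules it would apply.

```shell
#!/bin/sh
# Stateful FORWARD chain for the eth0 (LAN) / eth1 (DSL) router in the thread.
# Added example; set IPTABLES=/sbin/iptables to apply, default is a dry run.
IPTABLES="${IPTABLES:-echo iptables}"
OURNET="192.168.1.0/24"
OURDEV="eth0"
WORLDDEV="eth1"
TCPIN="smtp,www"        # services published to the outside
TCPOUT="smtp,www,ftp"   # services the LAN may open outward; ftp-data is
                        # picked up as RELATED by the ip_conntrack_ftp helper

forward_rules() {
    $IPTABLES -F FORWARD
    $IPTABLES -P FORWARD DROP
    # Anti-spoofing: packets with our own source addresses never arrive on
    # the DSL side, so they are dropped before anything else
    $IPTABLES -A FORWARD -i "$WORLDDEV" -s "$OURNET" -j DROP
    # Replies and related traffic (ftp-data, ICMP errors) for any connection
    # already accepted; this single rule is what the original script lacked,
    # since it matched only SYN/SYN-ACK and dropped the ACK-only data packets
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New inbound connections only to the published services
    $IPTABLES -A FORWARD -i "$WORLDDEV" -d "$OURNET" -p tcp \
        -m multiport --dport "$TCPIN" -m state --state NEW -j ACCEPT
    # New outbound connections from the LAN to the allowed services
    $IPTABLES -A FORWARD -i "$OURDEV" -s "$OURNET" -p tcp \
        -m multiport --dport "$TCPOUT" -m state --state NEW -j ACCEPT
    # Let the LAN ping out; echo replies come back as ESTABLISHED, so no
    # blanket inbound ICMP rule is needed
    $IPTABLES -A FORWARD -i "$OURDEV" -p icmp --icmp-type echo-request \
        -m state --state NEW -j ACCEPT
    # Internal hosts get an error back (REJECT); everything else is logged
    # and silently dropped, so the outside sees no response at all
    $IPTABLES -A FORWARD -i "$OURDEV" -j REJECT
    $IPTABLES -A FORWARD -j LOG --log-prefix "FWD DROP: " --log-level info
    $IPTABLES -A FORWARD -j DROP
}
```

Run it as `IPTABLES=/sbin/iptables sh script.sh` once `forward_rules` is called at the bottom; the dry-run output is the exact command list, which is handy to diff against `iptables -L FORWARD -n -v` afterwards.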
More information about the Linux-greek-users mailing list