[LUGOS] iptables in ip forward

Blaz Podrzaj b at thz.net
Thu Jan 10 10:26:40 CET 2008


In PREROUTING in the nat table, use:

-j DNAT --to-destination 192.168.0.10:22

...and in the FORWARD chain of the filter table:

-d 192.168.0.10 -p tcp -m tcp --dport 22 -j ACCEPT

...in case you have forwarding disabled in any way.

lp,B


Quoting Bostjan Jerko <mlist at japina.eu>:

>
> On Jan 8, 2008, at 10:54 PM, Rok Potočnik wrote:
>>
>> yes... either -A, or rather -I if you then have some restrictive rule that
>> prevents any packet from reaching it at all in that chain... you can send
>> the output of iptables-save (privately if you like) so we can see what can
>> be done. Otherwise you need the following conditions...
>> - ip_forward set to 1
>> - a rule with DNAT
>> - if you have a DROP anywhere in the FORWARD chain of the filter table, you
>> also have to allow this
>>
>> in principle the following should work:
>>
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>
>> iptables -t nat -I PREROUTING -p tcp --dport 1025 -j DNAT \
>> --to-destination 192.168.0.10
>>
>> iptables -I FORWARD -p tcp --dport 1025 -j ACCEPT
>>
>
> The other rules are:
>
> iptables -A INPUT -j DROP -p tcp --destination-port domain
> iptables -A INPUT -j DROP -p tcp --destination-port smtp
> iptables -A INPUT -j DROP -p tcp --destination-port 139
> iptables -A INPUT -j DROP -p tcp --destination-port 250
>
> But I need a redirect from port 1025 to port 22.
>
> LP,
>
> Boštjan
>

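Putting the three conditions from the thread together, as an added example that is not part of the original posts: a script that prints the commands for forwarding TCP port 1025 on the router to 192.168.0.10:22, and a check over an iptables-save dump (the output Rok asked for) that reports which condition is missing or whether a DROP in FORWARD shadows the ACCEPT. The WAN interface name eth0 is an assumption.

```shell
#!/bin/sh
# Added example, not from the lugos-list thread. Forward TCP 1025 on the
# router to 192.168.0.10:22 and check an iptables-save dump for the
# conditions listed in the thread.

EXT_PORT=1025
INT_HOST=192.168.0.10
INT_PORT=22
WAN_IF=eth0   # assumption: the router's external interface

# Print the commands that set up the forward. Rules are inserted (-I) so a
# later DROP in the same chain cannot shadow them, and the nat rule matches
# only on the WAN interface so LAN traffic is not redirected as well.
forward_commands() {
  printf '%s\n' \
    "echo 1 > /proc/sys/net/ipv4/ip_forward" \
    "iptables -t nat -I PREROUTING -i $WAN_IF -p tcp --dport $EXT_PORT -j DNAT --to-destination $INT_HOST:$INT_PORT" \
    "iptables -I FORWARD -i $WAN_IF -d $INT_HOST -p tcp --dport $INT_PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT" \
    "iptables -I FORWARD -s $INT_HOST -p tcp --sport $INT_PORT -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Read an iptables-save dump from stdin and print "ok" or a space-separated
# list of problems: no-dnat, no-forward-accept (a DROP policy or DROP rule
# in FORWARD with no matching ACCEPT), drop-before-accept (the ACCEPT exists
# but a DROP rule precedes it). Any DROP rule counts, conservatively.
check_dump() {
  awk -v host="$INT_HOST" -v port="$INT_PORT" -v ext="$EXT_PORT" '
    /^\*/ { table = substr($0, 2) }
    table == "nat" && /^-A PREROUTING / && /-j DNAT/ &&
      index($0, "--dport " ext " ") &&
      index($0, "--to-destination " host ":" port) { dnat = 1 }
    table == "filter" && /^:FORWARD DROP/ { drop_policy = 1 }
    table == "filter" && /^-A FORWARD / {
      n++
      if (/-j ACCEPT/ && index($0, "-d " host) && index($0, "--dport " port " ")) {
        if (!acc) acc = n
      } else if (/-j DROP/ && !drop) {
        drop = n
      }
    }
    END {
      out = ""
      if (!dnat) out = out " no-dnat"
      if (!acc && (drop_policy || drop)) out = out " no-forward-accept"
      if (acc && drop && drop < acc) out = out " drop-before-accept"
      print (out == "" ? "ok" : substr(out, 2))
    }'
}
```

Run `iptables-save | sh -c '. ./forward.sh; check_dump'` on the router to see which of the three conditions is still missing before applying `forward_commands`.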