[ LUGOS ] Sorry
Andrej Presern
andrejp na luz.fe.uni-lj.si
Sat Oct 2 21:09:09 CEST 1999
On Fri, 01 Oct 1999, jernej horvat wrote:
>Sorry about the previous message. The X and C keys are SO close. ;->
>
>PS: I do have a question about a firewall with ipchains:
>
>so:
>
>inbound we allow
>25 - SMTP
>22 - SSH
>53 - Bind (eeeee?)
>20/21 - FTP
>
>The connection to the Internet goes over ppp0, the local network (192.168.101.*) is on
>eth0.
>
>The script should then look something like this:
>/etc/rc.d/rc.firewall
>
>#!/bin/sh
>echo "*************"
>echo "* Running $0"
>echo "*************"
>
>/bin/echo "1" >/proc/sys/net/ipv4/ip_forward
>
>/bin/echo "1" >/proc/sys/net/ipv4/conf/all/rp_filter
>#/bin/echo "1" >/proc/sys/net/ipv4/ip_dynaddr
>/bin/echo "1" >/proc/sys/net/ipv4/tcp_syncookies
>
># flush policy
>/sbin/ipchains -F
>/sbin/ipchains -F input
>/sbin/ipchains -F forward
>/sbin/ipchains -F output
>
># default policy deny
>/sbin/ipchains -P input DENY
>/sbin/ipchains -P forward DENY
>/sbin/ipchains -P output ACCEPT
>
># ssh (the original line used -i ippp0, which does not match the ppp0 Internet interface described above, so it would never match)
>/sbin/ipchains -A input -i ppp0 -p tcp --dport 22 -j ACCEPT
># smtp
>/sbin/ipchains -A input -i ppp0 -p tcp --dport 25 -j ACCEPT
>
># ftp
>/sbin/ipchains -A input -i ppp0 -p tcp --dport 20 -j ACCEPT
>/sbin/ipchains -A input -i ppp0 -p tcp --dport 21 -j ACCEPT
># dns
>/sbin/ipchains -A input -i ppp0 -p tcp --dport 53 -j ACCEPT
>/sbin/ipchains -A input -i ppp0 -p udp --dport 53 -j ACCEPT
># http
>/sbin/ipchains -A input -i ppp0 -p tcp --dport 80 -j ACCEPT
># ident
>/sbin/ipchains -A input -i ppp0 -p tcp --dport 113 -j ACCEPT
>
># unprivileged ports: ipchains is stateless, so replies to outgoing connections (the firewall's own and masqueraded ones) must be let in explicitly
>/sbin/ipchains -A input -i ppp0 -p tcp --dport 1022:65535 -j ACCEPT
>/sbin/ipchains -A input -i ppp0 -p udp --dport 1022:65535 -j ACCEPT
>
>/sbin/ipchains -A input -i lo -p all -s 127.0.0.1/32 -j ACCEPT
>/sbin/ipchains -A input -i eth0 -p all -s 192.168.101.0/24 -j ACCEPT
>
># NAT
>/sbin/ipchains -M -S 7200 10 60
>/sbin/ipchains -A forward -i ppp0 -p all -s 192.168.101.0/24 -j MASQ
>
># NAT modules
>/sbin/modprobe ip_masq_ftp
>/sbin/modprobe ip_masq_raudio
>/sbin/modprobe ip_masq_irc
>/sbin/modprobe ip_masq_vdolive
>/sbin/modprobe ip_masq_quake
>/sbin/modprobe ip_masq_cuseeme
>
>
>/sbin/ipchains -L -n
>
>
>Is that right?
Well, I think it would be best if you ran it on the machine, then you'll see.. ;) If you have already
run it and found out that it isn't, then tell us what is bugging you or what doesn't work.
Andrej
--
Andrej Presern, andrejp na luz.fe.uni-lj.si
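As an added check, not part of the original thread: a small Python audit that parses the quoted `input` rules (embedded below as originally posted, including the `ippp0` interface name) and reports every ACCEPT on the Internet interface that goes beyond the inbound policy the question states (22, 25, 53, 20/21). The rule excerpt and the policy set are constructed here from the message above.

```python
import re

# Constructed excerpt: the quoted rc.firewall input rules, retyped as posted.
RULES = """
/sbin/ipchains -A input -i ippp0 -p tcp --dport 22 -j ACCEPT
/sbin/ipchains -A input -i ppp0 -p tcp --dport 25 -j ACCEPT
/sbin/ipchains -A input -i ppp0 -p tcp --dport 20 -j ACCEPT
/sbin/ipchains -A input -i ppp0 -p tcp --dport 21 -j ACCEPT
/sbin/ipchains -A input -i ppp0 -p tcp --dport 53 -j ACCEPT
/sbin/ipchains -A input -i ppp0 -p udp --dport 53 -j ACCEPT
/sbin/ipchains -A input -i ppp0 -p tcp --dport 80 -j ACCEPT
/sbin/ipchains -A input -i ppp0 -p tcp --dport 113 -j ACCEPT
/sbin/ipchains -A input -i ppp0 -p tcp --dport 1022:65535 -j ACCEPT
/sbin/ipchains -A input -i ppp0 -p udp --dport 1022:65535 -j ACCEPT
"""

# Policy as stated in the question: Internet interface is ppp0, inbound only these services.
EXTERNAL_IF = "ppp0"
ALLOWED = {("tcp", 22), ("tcp", 25), ("tcp", 53), ("udp", 53), ("tcp", 20), ("tcp", 21)}

# Matches the "-A input -i IF -p PROTO --dport LO[:HI] -j TARGET" form used in the script.
RULE_RE = re.compile(
    r"ipchains\s+-A\s+input\s+-i\s+(?P<iface>\S+)\s+-p\s+(?P<proto>\S+)"
    r"\s+--dport\s+(?P<lo>\d+)(?::(?P<hi>\d+))?\s+-j\s+(?P<target>\S+)"
)

def parse_rule(line):
    """Return a dict for one input rule, or None if the line is not such a rule."""
    m = RULE_RE.search(line)
    if not m:
        return None
    lo = int(m["lo"])
    hi = int(m["hi"]) if m["hi"] else lo
    return {"iface": m["iface"], "proto": m["proto"], "lo": lo, "hi": hi, "target": m["target"]}

def audit(script):
    """List every ACCEPT rule that names an unexpected interface or opens ports outside ALLOWED."""
    findings = []
    for line in script.strip().splitlines():
        r = parse_rule(line)
        if r is None or r["target"] != "ACCEPT":
            continue
        if r["iface"] != EXTERNAL_IF:
            # A rule on an interface that does not exist never matches (here: ssh would be locked out).
            findings.append(f"unknown interface {r['iface']!r} (expected {EXTERNAL_IF}): {line.strip()}")
            continue
        extra = [p for p in range(r["lo"], r["hi"] + 1) if (r["proto"], p) not in ALLOWED]
        if extra:
            findings.append(f"{r['proto']}/{r['lo']}-{r['hi']}: {len(extra)} port(s) outside stated policy")
    return findings

if __name__ == "__main__":
    for f in audit(RULES):
        print(f)
```

Run against the posted rules it reports the `ippp0` line, the http and ident rules, and the two 1022:65535 ranges, which are the points where the script differs from the policy the question lists.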