Re: [Forum] Re: [Forum] Opsætning af net -IPCHAINS-

From: Esben Nielsen <simlo@ifa.au.dk>
Date: Tue Apr 09 2002 - 23:37:10 CEST

Hvis du mangler et firewall script med forwarding på en 2.4.x kerne (eth0
er udaftil og eth1 er intranet. Kun port 22 og 4000 er åben udaftil.):

#!/bin/sh
echo -e "\n\nIPMASQ *TEST* rc.firewall ruleset - v0.60\n"
#The location of the iptables program
IPTABLES=/sbin/iptables
echo " - Verifying that all kernel modules are ok"
/sbin/depmod -a
/sbin/insmod ip_tables
/sbin/insmod ip_conntrack
/sbin/insmod ip_conntrack_ftp
/sbin/insmod iptable_nat
/sbin/insmod ip_nat_ftp
echo "- Enabling packet fowarding in the kernel"
echo "1" > /proc/sys/net/ipv4/ip_forward
echo " - Enabling dynamic addressing measures"
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "-Resetting the firewall andsetting the default FORWARD policy to
DROP"
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT

$IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp -i eth0 --dport 4000 -j ACCEPT
$IPTABLES -A INPUT -p tcp -i eth0 --dport ! 22 -j REJECT
$IPTABLES -A INPUT -p ! tcp -i eth0 -j REJECT

$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
#You must change eth0 to ppp0 if you are using a modem or change eth0 and
#eth1 to another network device if that is not what you are using.

echo " - FWD: Allow all connections OUT andonly existing and related ones
IN"
$IPTABLES -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED
-j ACC
EPT
$IPTABLES -A FORWARD -i eth1 -o eth0 -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo "- Enabling SNAT (MASQUERADE) funtionality on eth0"
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo -e "\nDone.\n"

Mvh.,
Esben

On Tue, 9 Apr 2002, Bjarke Johannesen wrote:

> On 09-04-2002 at 22:15 Bo Bjerre wrote:
>
> >Hej,
> >
> >Jer er ved at opsætte en maskine med 3 netforbindelser som router med
> >Redhat 7.2. Når jeg manuelt giver den kommandoen
> >
> >IPCHAINS -F input
> >
> >svarer den igen med
> >
> >ipchains: Protocol not available
>
> Det er fordi du har netfilter kørende. Den skal du fjerne med rmmod.
>
> Du skal fjerne modulet med navnet ip_tables (rmmod ip_tables)
>
>
> Mvh Bjarke
>
>
>
>
>
>
>
> --
> AaLUG Forum liste - Forum@aalug.dk
> http://www.aalug.dk/mailman/listinfo/forum
>
Received on Tue Apr 09 23:37:10 2002

This archive was generated by hypermail 2.1.8 : Tue Jul 19 2005 - 16:03:36 CEST