[linux] Re: Ipchains incompatible Mandrake 8.0
On Sun, Aug 26, 2001 at 11:19:47PM, D. Taupin (wanadoo-lps) wrote:
>
> Yes: I have 2.4.3
>
> The problem is finding the equivalent of the ipchains commands.
Attached is my iptables file, which allows forwarding and blocks two or
three things.
See you,
binny
--
To err is human, but a real disaster requires a computer.
-- Unknown
A heat wave? Come over to La Banquise...
http://www.labanquise.org
Benjamin Michotte <binny@baby-linux.net>
°v° web : http://www.baby-linux.net
_o_ homepage : http://www.baby-linux.net/binny
slaktool : http://slaktool.sourceforge.net
icq uin : 99745024
#!/bin/sh
# rc.firewall-2.4
IPTABLES=/usr/local/sbin/iptables
IF=ppp0         # external (Internet) interface
INIF=eth1       # internal (LAN) interface
# Address and netmask of both interfaces, read from net-tools ifconfig
# output ("inet addr:A.B.C.D  Bcast:...  Mask:M.M.M.M")
IP=`/sbin/ifconfig $IF | grep inet | cut -d : -f 2 | cut -d ' ' -f 1`
MASK=`/sbin/ifconfig $IF | grep Mas | cut -d : -f 4`
NET=$IP/$MASK
INIP=`/sbin/ifconfig $INIF | grep inet | cut -d : -f 2 | cut -d ' ' -f 1`
INMASK=`/sbin/ifconfig $INIF | grep Mas | cut -d : -f 4`
INNET=$INIP/$INMASK
#Delete user made chains. Flush and zero the chains.
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
$IPTABLES -t mangle -F
$IPTABLES -t nat -F
TOSOPT=8        # not used further down
#Allow all traffic on the loopback interface
$IPTABLES -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPTABLES -A OUTPUT -o lo -s 0/0 -d 0/0 -j ACCEPT
#Allow all traffic on output (external interface)
$IPTABLES -A OUTPUT -o $IF -s 0/0 -d 0/0 -j ACCEPT
#Turn on source address verification in kernel
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    for f in /proc/sys/net/ipv4/conf/*/rp_filter
    do
        echo 2 > $f
    done
fi
#Turn on syn cookies protection in kernel
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi
#ICMP Dead Error Messages protection
if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
fi
#ICMP Broadcasting protection
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
fi
#Turn off dynamic TCP/IP address hacking
if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then
    echo 0 > /proc/sys/net/ipv4/ip_dynaddr
fi
#Doubling current limit for ip_conntrack
if [ -e /proc/sys/net/ipv4/ip_conntrack_max ]; then
    echo 16384 > /proc/sys/net/ipv4/ip_conntrack_max
fi
#Turn on IP forwarding
if [ -e /proc/sys/net/ipv4/ip_forward ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
fi
#Forward Int/Ext & Ext/Int Traffic before Masquerading
$IPTABLES -A FORWARD -d 0/0 -s $INNET -o $IF -j ACCEPT
$IPTABLES -A FORWARD -d $INNET -j ACCEPT
#Don't masq external interface traffic
#(must be appended before the MASQUERADE rule, otherwise it is never reached)
$IPTABLES -t nat -A POSTROUTING -s $NET -d 0/0 -j ACCEPT
#Masquerade outgoing traffic
$IPTABLES -t nat -A POSTROUTING -o $IF -j MASQUERADE
#Allow traffic from internal network going anywhere
$IPTABLES -A INPUT -s $INNET -d 0/0 -j ACCEPT
$IPTABLES -A OUTPUT -s $INNET -d 0/0 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp -s $INNET -d 0/0 -j ACCEPT
#Setting default forwarding rule
$IPTABLES -P FORWARD DROP
#FTP
$IPTABLES -A INPUT -p tcp -s 0/0 -d $NET --dport 20 ! --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 0/0 -d $NET --dport 21 -j ACCEPT
#SSH
$IPTABLES -A INPUT -p tcp -s 0/0 -d $NET --dport 22 -j ACCEPT
#Telnet (refuse telnet)
$IPTABLES -A INPUT -p tcp -s 0/0 -d $NET --dport 23 -j DROP
#DNS
$IPTABLES -A INPUT -p tcp -s 0/0 -d $NET --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp -s 0/0 -d $NET --dport 53 -j ACCEPT
#HTTP
$IPTABLES -A INPUT -p tcp -s 0/0 -d $NET --dport 80 -j ACCEPT
#Deny everything not let through earlier
#(while this stays commented out, INPUT keeps its default ACCEPT policy and
# only the explicit DROP on port 23 above blocks anything)
#$IPTABLES -A INPUT -j REJECT
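As an added example (my own code, not the script attached above nor anything from the list): the question was how to find the iptables equivalents of ipchains commands, and for the common rule forms the mapping is mechanical enough to script. The function name chains2tables is mine, and it covers only the subset listed in its comment.

```shell
#!/bin/sh
# Rewrite one ipchains rule (argument string, without the "ipchains" word)
# into its iptables equivalent. Covered subset: lower-case chain names,
# DENY -> DROP, MASQ on the forward chain -> -t nat POSTROUTING MASQUERADE,
# -y -> --syn (also "! -y"), a port after -s/-d -> --sport/--dport,
# and ipchains -i -> iptables -i on INPUT, -o elsewhere.
chains2tables() {
    set -- $1                   # word-split the rule into positional args
    table="" chain="" out=""
    while [ $# -gt 0 ]; do
        a=$1; shift
        case $a in
            -A|-I|-D|-P)        # chain operation: upper-case the chain name
                chain=$(printf '%s' "$1" | tr 'a-z' 'A-Z'); shift
                out="$out $a $chain" ;;
            -s|-d)              # address, optionally followed by a port/range
                out="$out $a $1"; shift
                case ${1:-} in
                    [0-9]*)
                        if [ "$a" = -s ]; then out="$out --sport $1"
                        else out="$out --dport $1"; fi
                        shift ;;
                esac ;;
            -i)                 # ipchains: any interface; iptables: in vs out
                if [ "$chain" = INPUT ]; then out="$out -i $1"
                else out="$out -o $1"; fi
                shift ;;
            -y)   out="$out --syn" ;;
            DENY) out="$out DROP" ;;      # e.g. "-P input DENY"
            -j)
                case $1 in
                    DENY) out="$out -j DROP" ;;
                    MASQ) table="-t nat"
                          out=$(printf '%s' "$out" | sed 's/ -A FORWARD/ -A POSTROUTING/')
                          out="$out -j MASQUERADE" ;;
                    *)    out="$out -j $1" ;;
                esac; shift ;;
            *)    out="$out $a" ;;        # -p, protocol names, "!" pass through
        esac
    done
    printf '%s\n' "iptables${table:+ $table}$out"
}

# Usage: chains2tables "-A input -p tcp -d 0/0 23 -j DENY"
```

Anything outside the listed subset (user-defined chains, -l logging, -b bidirectional rules) is passed through unchanged and has to be checked by hand.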