IP_masquerading
Luciano Colosio
ciano a borgosatollo.it
Tue 12 Nov 2002 21:55:27 UTC
On Wed, 2002-11-13 at 03:49, Daniel Di Stasio wrote:
> in my opinion, from what
> appears at boot, ipchains is running...
from the logs you posted it looks like it is
> I'm surely talking nonsense...
Nope =)
> But how do I find out whether ipchains is running (I tried ps
> aux)?
su
/etc/init.d/ipchains status
> How do I disable it in order to launch iptables?
su
/etc/init.d/ipchains stop
/etc/init.d/iptables start
obviously you will then have to "fix" the boot-time services:
su
chkconfig ipchains off   # disable ipchains at boot
chkconfig iptables on    # enable iptables at boot
chkconfig --list         # and check that the services are respectively off
                         # and on in runlevels 3 4 5
That's if you want to use iptables at all costs.
If instead ipchains is enough for you (for a small local network it works
just fine) let me paste a simple little script I wrote for my home LAN,
nothing fancy: it closes everything except DNS, HTTP, SSH, FTP (left open so
that the clients can use that service, so shut down any servers or add a
chain that discriminates ;D) and all the client ports.
This is the bash script (ehm, you'll probably have to fix it up because of
mail wrapping =P):
#-----------Snip from here to use it-----------------------------------
#!/bin/bash
##############################################################################
# ipchains gateway rules By Lucio
#
# This script consists just of simple chains for setting up IP-masquerade
# connection sharing for small home LANs. It was designed on an ADSL
# connection but it should work pretty well even on dial-up ones.
#
# It closes all ports except DNS, HTTP, SSH, FTP and all the CLIENT-PORTS
#
# Please remember to change the following settings to match yours.
#############################################################################
dns1=159.149.70.1             # Your primary DNS server
dns2=195.206.0.11             # Your secondary DNS server
lo=127.0.0.1/255.255.255.255  # Loopback interface !!!PLEASE don't change this!!!
net=10.0.0.0/255.255.255.0    # Your network and subnet mask, you probably
                              # want to change these to match yours
#--------------------------Chains Flush-------------------------------
echo "Flushing all chains"
ipchains --flush
#--------------------------Input Chains-------------------------------
echo "Setting Input chains"
ipchains -P input DENY
echo "Allowing DNS port"
# Note: the first rule matches any UDP packet whose source port is 53,
# whatever the sender; the two rules after it are restricted to the
# configured DNS servers on eth0.
ipchains -A input -p udp --source-port 53 -j ACCEPT
ipchains -A input -i eth0 -p udp -s $dns1 --source-port 53 -j ACCEPT
ipchains -A input -i eth0 -p udp -s $dns2 --source-port 53 -j ACCEPT
echo "Allowing FTP data port"
ipchains -A input -p tcp --destination-port 20 -j ACCEPT
echo "Allowing FTP server port"
ipchains -A input -p tcp --destination-port 21 -j ACCEPT
echo "Allowing SSH server port"
ipchains -A input -p tcp --destination-port 22 -j ACCEPT
echo "Allowing HTTP port"
ipchains -A input -p tcp --destination-port 80 -j ACCEPT
echo "Allowing TCP-CLIENT ports"
ipchains -A input -p tcp --destination-port 1024:65535 -j ACCEPT
echo "Allowing UDP-CLIENT ports"
ipchains -A input -p udp --destination-port 1024:65535 -j ACCEPT
echo "Allowing ICMP-CLIENT ports"
ipchains -A input -p icmp -j ACCEPT
echo "Allowing LocalHost for everything"
ipchains -A input -p tcp -s $lo -j ACCEPT
ipchains -A input -p udp -s $lo -j ACCEPT
ipchains -A input -p icmp -s $lo -j ACCEPT
echo "Allowing LocalDomain for everything"
ipchains -A input -p tcp -s $net -j ACCEPT
ipchains -A input -p udp -s $net -j ACCEPT
ipchains -A input -p icmp -s $net -j ACCEPT
echo "Closing all ports"
ipchains -A input -j DENY
#--------------------------Forward Chains----------------------------
echo "Setting Forward chains"
ipchains -P forward DENY
echo "Setting IP Masq chain"
ipchains -A forward -j MASQ
#--------------------------Output Chains-------------------------------
echo "Setting Output chains"
ipchains -P output ACCEPT
echo "Allowing FTP data port"
ipchains -A output -p tcp --source-port 20 -j ACCEPT
echo "Allowing FTP server port"
ipchains -A output -p tcp --source-port 21 -j ACCEPT
echo "Allowing SSH server port"
ipchains -A output -p tcp --source-port 22 -j ACCEPT
echo "Allowing HTTP port"
ipchains -A output -p tcp --source-port 80 -j ACCEPT
echo "Allowing TCP-CLIENT ports"
ipchains -A output -p tcp --source-port 1024:65535 -j ACCEPT
echo "Allowing UDP-CLIENT ports"
ipchains -A output -p udp --source-port 1024:65535 -j ACCEPT
echo "Allowing ICMP-CLIENT ports"
ipchains -A output -p icmp -j ACCEPT
echo "Allowing LocalHost for everything"
ipchains -A output -p tcp -s $lo -j ACCEPT
ipchains -A output -p udp -s $lo -j ACCEPT
ipchains -A output -p icmp -s $lo -j ACCEPT
echo "Allowing LocalDomain for everything"
ipchains -A output -p tcp -s $net -j ACCEPT
ipchains -A output -p udp -s $net -j ACCEPT
ipchains -A output -p icmp -s $net -j ACCEPT
#--------Stop Snipping ;D-----------------------------------------------
And this is what it does:
-----------------Shell Dump--------------------------------------------
[root@Sauron root]# ipchains -L
Chain input (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     udp  ------  anywhere              anywhere              domain ->   any
ACCEPT     udp  ------  giove.crema.unimi.it  anywhere              domain ->   any
ACCEPT     udp  ------  dns.spidernet.it      anywhere              domain ->   any
ACCEPT     tcp  ------  anywhere              anywhere              any ->   ftp-data
ACCEPT     tcp  ------  anywhere              anywhere              any ->   ftp
ACCEPT     tcp  ------  anywhere              anywhere              any ->   ssh
ACCEPT     tcp  ------  anywhere              anywhere              any ->   http
ACCEPT     tcp  ------  anywhere              anywhere              any ->   1024:65535
ACCEPT     udp  ------  anywhere              anywhere              any ->   1024:65535
ACCEPT     icmp ------  anywhere              anywhere              any ->   any
ACCEPT     tcp  ------  localhost.localdomain anywhere              any ->   any
ACCEPT     udp  ------  localhost.localdomain anywhere              any ->   any
ACCEPT     icmp ------  localhost.localdomain anywhere              any ->   any
ACCEPT     tcp  ------  10.0.0.0/24           anywhere              any ->   any
ACCEPT     udp  ------  10.0.0.0/24           anywhere              any ->   any
ACCEPT     icmp ------  10.0.0.0/24           anywhere              any ->   any
DENY       all  ------  anywhere              anywhere              n/a
Chain forward (policy DENY):
target     prot opt     source                destination           ports
MASQ       all  ------  anywhere              anywhere              n/a
Chain output (policy ACCEPT):
target     prot opt     source                destination           ports
ACCEPT     tcp  ------  anywhere              anywhere              ftp-data ->   any
ACCEPT     tcp  ------  anywhere              anywhere              ftp ->   any
ACCEPT     tcp  ------  anywhere              anywhere              ssh ->   any
ACCEPT     tcp  ------  anywhere              anywhere              http ->   any
ACCEPT     tcp  ------  anywhere              anywhere              1024:65535 ->   any
ACCEPT     udp  ------  anywhere              anywhere              1024:65535 ->   any
ACCEPT     icmp ------  anywhere              anywhere              any ->   any
ACCEPT     tcp  ------  localhost.localdomain anywhere              any ->   any
ACCEPT     udp  ------  localhost.localdomain anywhere              any ->   any
ACCEPT     icmp ------  localhost.localdomain anywhere              any ->   any
ACCEPT     tcp  ------  10.0.0.0/24           anywhere              any ->   any
ACCEPT     udp  ------  10.0.0.0/24           anywhere              any ->   any
ACCEPT     icmp ------  10.0.0.0/24           anywhere              any ->   any
-----------------------/Shell Dump--------------------------------------
If you decide to go with this solution and see that the script fits your
situation, after running it, to save the changes and make them active at
every boot do:
su
/etc/init.d/ipchains save
Well, I hope I've been thorough
ciaps&ciapets
PS: I'd also suggest setting up a DHCP server, for configuration
convenience =).
--
"You're about to enter a place where nothing is what it seems...
Will you handle it??? Welcome into My World"
~...Mirfak... UIN:31015940~