linux user group brescia

Mailing list archive

IP_masquerading

Daniel Di Stasio daniel.di.stasio at lugbs.linux.it
Wed 13 Nov 2002 04:11:16 UTC
Thank you so much... I'll try with this..

See you later
Daniel

On Tue, 2002-11-12 at 16:55, Luciano Colosio wrote:
> 
> On Wed, 2002-11-13 at 03:49, Daniel Di Stasio wrote:
> > in my opinion, from what appears at boot, ipchains is running...
> from the logs you posted it would seem so
> 
> > I'm surely talking nonsense...
> Not at all =)
> 
> > But how can I tell whether ipchains is running (I tried ps aux)?
> su
> /etc/init.d/ipchains status
> 
> > How do I disable it in order to start iptables?
> su
> /etc/init.d/ipchains stop
> /etc/init.d/iptables start
> 
> obviously you will then have to "fix" the services at boot:
> su
> chkconfig ipchains off    # disables ipchains at boot
> chkconfig iptables on     # enables iptables at boot
> chkconfig --list          # and check that the services are respectively off and on in runlevels 3 4 5
> 
> This is if you want to use iptables at all costs.
> If instead you are happy with ipchains (which for a small local network works just fine), let me paste you a simple little script I made for my home LAN, nothing pretentious, it closes everything except: DNS, HTTP, SSH, FTP (open to let the clients use that service, so shut down any servers or add a chain that discriminates ;D) and all the client ports.
> 
> 
> This is the bash script (hmm, you'll probably have to put it back together because of the mail =P):
> 
> #-----------Snip from here to use it-----------------------------------
> 
> #!/bin/bash
> 
> ##############################################################################
> #       ipchains gateway rules                  By Lucio
> #
> # This script consists just of simple chains for setting up IP-masquerade
> # connection sharing for small home LANs. It was designed on an ADSL connection
> # but it should work pretty well even on dial-up ones.
> #
> # It closes all ports except DNS, HTTP, SSH, FTP and all the CLIENT-PORTS
> #
> # Please remember to change the following settings to match yours.
> #############################################################################
> 
> 
> dns1=159.149.70.1                       # Your primary DNS server
> dns2=195.206.0.11                       # Your secondary DNS server
> lo=127.0.0.1/255.255.255.255            # Loopback interface !!!PLEASE don't change this!!!
> net=10.0.0.0/255.255.255.0              # Your network and subnet mask, you probably want to change these to match yours
> 
> #--------------------------Chains Flush-------------------------------
> echo "Flushing all chains"
> ipchains --flush
> 
> #--------------------------Input Chains-------------------------------
> echo "Setting Input chains"
> ipchains -P input DENY                  # default policy: drop whatever no rule below accepts
> echo "Allowing DNS port"
> # ipchains is stateless, so replies are recognised by port number only:
> # the first rule accepts any UDP packet with source port 53 from any host,
> # the next two the same thing restricted to the two DNS servers on eth0
> ipchains -A input -p udp --source-port 53 -j ACCEPT
> ipchains -A input -i eth0 -p udp -s $dns1 --source-port 53 -j ACCEPT
> ipchains -A input -i eth0 -p udp -s $dns2 --source-port 53 -j ACCEPT
> echo "Allowing FTP data port"
> ipchains -A input -p tcp --destination-port 20 -j ACCEPT
> echo "Allowing FTP server port"
> ipchains -A input -p tcp --destination-port 21 -j ACCEPT
> echo "Allowing SSH server port"
> ipchains -A input -p tcp --destination-port 22 -j ACCEPT
> echo "Allowing HTTP port"
> ipchains -A input -p tcp --destination-port 80 -j ACCEPT
> echo "Allowing TCP-CLIENT ports"
> # replies to connections opened by the gateway come back to unprivileged
> # ports, so everything destined for 1024-65535 is accepted, from anywhere
> ipchains -A input -p tcp --destination-port 1024:65535 -j ACCEPT
> echo "Allowing UDP-CLIENT ports"
> ipchains -A input -p udp --destination-port 1024:65535 -j ACCEPT
> echo "Allowing ICMP-CLIENT ports"
> ipchains -A input -p icmp -j ACCEPT
> echo "Allowing LocalHost for everything"
> ipchains -A input -p tcp -s $lo -j ACCEPT
> ipchains -A input -p udp -s $lo -j ACCEPT
> ipchains -A input -p icmp -s $lo -j ACCEPT
> echo "Allowing LocalDomain for everything"
> ipchains -A input -p tcp -s $net -j ACCEPT
> ipchains -A input -p udp -s $net -j ACCEPT
> ipchains -A input -p icmp -s $net -j ACCEPT
> 
> echo "Closing all ports"
> ipchains -A input -j DENY               # explicit catch-all, same effect as the DENY policy
> 
> #--------------------------Forward Chains----------------------------
> echo "Setting Forward chains"
> ipchains -P forward DENY
> echo "Setting IP Masq chain"
> # everything the kernel forwards is masqueraded behind the gateway's address
> ipchains -A forward -j MASQ
> 
> #--------------------------Output Chains-------------------------------
> echo "Setting Output chains"
> ipchains -P output ACCEPT               # policy ACCEPT: outgoing traffic is allowed, the rules below just make the intent explicit
> echo "Allowing FTP data port"
> ipchains -A output -p tcp --source-port 20 -j ACCEPT
> echo "Allowing FTP server port"
> ipchains -A output -p tcp --source-port 21 -j ACCEPT
> echo "Allowing SSH server port"
> ipchains -A output -p tcp --source-port 22 -j ACCEPT
> echo "Allowing HTTP port"
> ipchains -A output -p tcp --source-port 80 -j ACCEPT
> echo "Allowing TCP-CLIENT ports"
> ipchains -A output -p tcp --source-port 1024:65535 -j ACCEPT
> echo "Allowing UDP-CLIENT ports"
> ipchains -A output -p udp --source-port 1024:65535 -j ACCEPT
> echo "Allowing ICMP-CLIENT ports"
> ipchains -A output -p icmp -j ACCEPT
> echo "Allowing LocalHost for everything"
> ipchains -A output -p tcp -s $lo -j ACCEPT
> ipchains -A output -p udp -s $lo -j ACCEPT
> ipchains -A output -p icmp -s $lo -j ACCEPT
> echo "Allowing LocalDomain for everything"
> ipchains -A output -p tcp -s $net -j ACCEPT
> ipchains -A output -p udp -s $net -j ACCEPT
> ipchains -A output -p icmp -s $net -j ACCEPT
> 
> #--------Stop Snipping ;D-----------------------------------------------
> 
> 
> 
> And this is what it does:
> -----------------Shell Dump--------------------------------------------
> [root@Sauron root]# ipchains -L
> Chain input (policy DENY):
> target     prot opt     source                destination           ports
> ACCEPT     udp  ------  anywhere             anywhere              domain ->   any
> ACCEPT     udp  ------  giove.crema.unimi.it anywhere              domain ->   any
> ACCEPT     udp  ------  dns.spidernet.it     anywhere              domain ->   any
> ACCEPT     tcp  ------  anywhere             anywhere              any ->   ftp-data
> ACCEPT     tcp  ------  anywhere             anywhere              any ->   ftp
> ACCEPT     tcp  ------  anywhere             anywhere              any ->   ssh
> ACCEPT     tcp  ------  anywhere             anywhere              any ->   http
> ACCEPT     tcp  ------  anywhere             anywhere              any ->   1024:65535
> ACCEPT     udp  ------  anywhere             anywhere              any ->   1024:65535
> ACCEPT     icmp ------  anywhere             anywhere              any ->   any
> ACCEPT     tcp  ------  localhost.localdomain anywhere             any ->   any
> ACCEPT     udp  ------  localhost.localdomain anywhere             any ->   any
> ACCEPT     icmp ------  localhost.localdomain anywhere             any ->   any
> ACCEPT     tcp  ------  10.0.0.0/24          anywhere              any ->   any
> ACCEPT     udp  ------  10.0.0.0/24          anywhere              any ->   any
> ACCEPT     icmp ------  10.0.0.0/24          anywhere              any ->   any
> DENY       all  ------  anywhere             anywhere              n/a
> Chain forward (policy DENY):
> target     prot opt     source                destination           ports
> MASQ       all  ------  anywhere             anywhere              n/a
> Chain output (policy ACCEPT):
> target     prot opt     source                destination           ports
> ACCEPT     tcp  ------  anywhere             anywhere              ftp-data ->   any
> ACCEPT     tcp  ------  anywhere             anywhere              ftp ->   any
> ACCEPT     tcp  ------  anywhere             anywhere              ssh ->   any
> ACCEPT     tcp  ------  anywhere             anywhere              http ->   any
> ACCEPT     tcp  ------  anywhere             anywhere              1024:65535 ->   any
> ACCEPT     udp  ------  anywhere             anywhere              1024:65535 ->   any
> ACCEPT     icmp ------  anywhere             anywhere              any ->   any
> ACCEPT     tcp  ------  localhost.localdomain anywhere             any ->   any
> ACCEPT     udp  ------  localhost.localdomain anywhere             any ->   any
> ACCEPT     icmp ------  localhost.localdomain anywhere             any ->   any
> ACCEPT     tcp  ------  10.0.0.0/24          anywhere              any ->   any
> ACCEPT     udp  ------  10.0.0.0/24          anywhere              any ->   any
> ACCEPT     icmp ------  10.0.0.0/24          anywhere              any ->   any
> -----------------------/Shell Dump--------------------------------------
> 
> 
> If you decide to go with this solution and you see that the script fits your situation, after running it, to save the changes and make them active at every boot do:
> su
> /etc/init.d/ipchains save
> 
> 
> Well, I hope I've been thorough
> 
> ciaps&ciapets
> 
> 
> PS: I also suggest you set up a DHCP server, for convenience of configuration =).
> 
> -- 
> "You're about to enter a place where nothing is what it seems...
> Will you handle it??? Welcome into My World"
>       ~...Mirfak... UIN:31015940~
> 

More information about the Lug mailing list