Router-firewall problem
Petr Hřebíček
petr.hrebicek na ceistat.com
Thursday December 19 16:37:19 CET 2002
> > No, I am not using NAT.
> > The PCs on the LAN have public addresses.
> > Petr
>
> Send the output of iptables -n -L; iptables -t nat -n -L; iptables
> -t mangle -n -L and then we'll see :-) Even though it may be long.
>
> --
> Bc. Zdenek Kaminski <xkaminsk at fi.muni.cz>
>
Ok, here it is:
address .131 is eth0 - Internet
address .225 is eth1 - LAN
the LAN is the subnet 62.168.40.224/255.255.255.224
iptables -n -L :
Chain INPUT (policy DROP)
target prot opt source destination
bad_packets tcp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 9 LOG flags 0 level 4 prefix ` _! ICMP Type 9,REJECT: '
REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 9 reject-with icmp-port-unreachable
ACCEPT all -- 0.0.0.0/0 62.168.40.131 state RELATED,ESTABLISHED
LOG tcp -- 0.0.0.0/0 62.168.40.131 tcp dpt:113 LOG flags 0 level 4 prefix ` _! AUTH na .131,RJ: '
REJECT tcp -- 0.0.0.0/0 62.168.40.131 tcp dpt:113 reject-with icmp-port-unreachable
ACCEPT all -- 0.0.0.0/0 127.0.0.1
ACCEPT tcp -- 0.0.0.0/0 62.168.40.131 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 62.168.40.131 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 62.168.40.131 tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 62.168.40.131 tcp dpt:25
ACCEPT udp -- 0.0.0.0/0 62.168.40.131 udp dpt:25
ACCEPT tcp -- 0.0.0.0/0 62.168.40.131 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 62.168.40.131 udp dpt:53
LOG tcp -- 195.122.215.0/24 62.168.40.131 tcp dpt:110 LOG flags 0 level 4 prefix `_! POP3_MP na .131,AC: '
ACCEPT tcp -- 195.122.215.0/24 62.168.40.131 tcp dpt:110
LOG tcp -- 62.177.103.0/24 62.168.40.131 tcp dpt:110 LOG flags 0 level 4 prefix `_! POP3_MP na .131,AC: '
ACCEPT tcp -- 62.177.103.0/24 62.168.40.131 tcp dpt:110
LOG tcp -- 160.218.14.0/24 62.168.40.131 tcp dpt:110 LOG flags 0 level 4 prefix `_! POP3_Por na .131,AC: '
ACCEPT tcp -- 160.218.14.0/24 62.168.40.131 tcp dpt:110
LOG tcp -- 0.0.0.0/0 62.168.40.131 tcp dpt:110 LOG flags 0 level 4 prefix ` _! POP3 na .131,DROP: '
DROP tcp -- 0.0.0.0/0 62.168.40.131 tcp dpt:110
ACCEPT icmp -- 62.168.40.224/27 62.168.40.225
ACCEPT tcp -- 62.168.40.227 62.168.40.225 tcp dpt:80
ACCEPT tcp -- 62.168.40.224/27 62.168.40.225 tcp dpt:443
ACCEPT tcp -- 62.168.40.224/27 62.168.40.225 tcp dpt:21
ACCEPT tcp -- 62.168.40.224/27 62.168.40.225 tcp dpt:22
ACCEPT tcp -- 62.168.40.224/27 62.168.40.225 tcp dpt:25
ACCEPT udp -- 62.168.40.224/27 62.168.40.225 udp dpt:25
ACCEPT tcp -- 62.168.40.224/27 62.168.40.225 tcp dpt:53
ACCEPT udp -- 62.168.40.224/27 62.168.40.225 udp dpt:53
ACCEPT tcp -- 62.168.40.224/27 62.168.40.225 tcp dpt:113
ACCEPT udp -- 62.168.40.224/27 62.168.40.225 udp dpt:113
LOG tcp -- 62.168.40.224/27 62.168.40.225 tcp dpt:20 LOG flags 0 level 4 prefix ` _! FTP-DATA z LAN: '
ACCEPT tcp -- 62.168.40.224/27 62.168.40.225 tcp dpt:20
ACCEPT tcp -- 62.168.40.224/27 62.168.40.225 tcp dpt:110
ACCEPT tcp -- 62.168.40.224/27 62.168.40.225 tcp dpt:995
Chain FORWARD (policy DROP)
target prot opt source destination
bad_packets tcp -- 0.0.0.0/0 62.168.40.224/27
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
ACCEPT tcp -- 62.168.40.227 0.0.0.0/0 tcp dpt:80
REJECT tcp -- 62.168.40.224/27 0.0.0.0/0 tcp dpt:80 reject-with icmp-port-unreachable
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 9 LOG flags 0 level 4 prefix ` _! ICMP Type 9: '
REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 9 reject-with icmp-port-unreachable
ACCEPT all -- 62.168.40.224/27 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 62.168.40.224/27
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain bad_packets (2 references)
target prot opt source destination
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02 state NEW LOG flags 0 level 4 prefix `New not syn,DROP: '
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02 state NEW
iptables -t nat -n -L:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
iptables -t mangle -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
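As an added example (not part of this thread), a small Python first-match simulator for the iptables -n -L format posted above: it parses the dump and reports what the ruleset does to a new connection, for instance that a connection initiated from the Internet to a LAN host matches no ACCEPT in FORWARD and falls to that chain's DROP policy, since only RELATED,ESTABLISHED traffic is accepted in that direction. It assumes the mail-wrapped rule lines have been re-joined, and it does not follow jumps into user-defined chains such as bad_packets.

```python
import ipaddress
import re
# Excerpt of the iptables -n -L dump above, wrapped rules re-joined onto one line each
# (constructed test input; the full ruleset has more rules than shown here).
DUMP = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            62.168.40.131        state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            62.168.40.131        tcp dpt:80
ACCEPT     tcp  --  195.122.215.0/24     62.168.40.131        tcp dpt:110
DROP       tcp  --  0.0.0.0/0            62.168.40.131        tcp dpt:110
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  62.168.40.227        0.0.0.0/0            tcp dpt:80
REJECT     tcp  --  62.168.40.224/27     0.0.0.0/0            tcp dpt:80 reject-with icmp-port-unreachable
ACCEPT     all  --  62.168.40.224/27     0.0.0.0/0
"""

def parse(text):
    """Return {chain: (policy or None, [(target, proto, src, dst, match_text), ...])}."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)\)", line)
        if m:
            cur = m.group(1)
            chains[cur] = (m.group(2), [])
        elif cur and line and not line.startswith("target"):
            f = line.split(None, 5)  # target prot opt source destination [match text]
            chains[cur][1].append((f[0], f[1], f[3], f[4], f[5] if len(f) > 5 else ""))
    return chains

def verdict(chains, chain, proto, src, dst, dport):
    """First-match walk for a NEW packet: rules with a 'state' match cannot fire on a fresh
    SYN and are skipped. Returns the firing target (or user-chain name) or the chain policy."""
    policy, rules = chains[chain]
    for target, rproto, rsrc, rdst, extra in rules:
        if rproto not in ("all", proto) or "state" in extra:
            continue
        if (ipaddress.ip_address(src) not in ipaddress.ip_network(rsrc)
                or ipaddress.ip_address(dst) not in ipaddress.ip_network(rdst)):
            continue
        m = re.search(r"dpt:(\d+)", extra)
        if m and int(m.group(1)) != dport:
            continue
        return target
    return policy

# A new SYN from the Internet to a LAN host matches nothing in FORWARD and hits policy DROP.
print(verdict(parse(DUMP), "FORWARD", "tcp", "1.2.3.4", "62.168.40.230", 80))
```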