ipchains

Zdenek Masek sediss at seznam.cz
Sunday February 23 12:26:09 CET 2003


Well, I can't explain to you what such a firewall is for; maybe the author of
the script could:

http://linux.melzer.cz/nat.html

The permissions I had were the following: rwxr--r--, and I tried to run it as
root. Root was also the owner of the file. I also wanted the script to run at
system startup, so I put it in /etc/rc.d/init.d, but the system didn't even
notice it. That probably has to be activated somehow, right? In the end I entered
the rules into ipchains by hand, then ran "/etc/rc.d/init.d/ipchains save", and
now the output of "/sbin/ipchains -L" looks like this:

Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
ACCEPT     icmp ------  anywhere             anywhere              any -> any
ACCEPT     tcp  ------  anywhere             anywhere              domain -> any
ACCEPT     tcp  ------  anywhere             anywhere              any -> domain
ACCEPT     tcp  ------  anywhere             anywhere              any -> domain
ACCEPT     udp  ------  anywhere             anywhere              domain -> any
ACCEPT     udp  ------  anywhere             anywhere              any -> domain
ACCEPT     tcp  ------  anywhere             anywhere              www -> any
ACCEPT     tcp  ------  anywhere             anywhere              webcache -> any
ACCEPT     tcp  ------  anywhere             anywhere              any -> www
ACCEPT     tcp  ------  anywhere             anywhere              ftp -> any
ACCEPT     tcp  ------  anywhere             anywhere              ftp-data -> any
ACCEPT     tcp  ------  anywhere             anywhere              ssh -> any
ACCEPT     tcp  ------  anywhere             anywhere              any -> sshin
ACCEPT     tcp  ------  anywhere             anywhere              www -> any
ACCEPT     tcp  ------  anywhere             anywhere              webcache -> any
ACCEPT     tcp  ------  anywhere             anywhere              any -> www
ACCEPT     tcp  ------  anywhere             anywhere              ftp -> any
ACCEPT     tcp  ------  anywhere             anywhere              ftp-data -> any
ACCEPT     tcp  ------  anywhere             anywhere              ssh -> any
ACCEPT     tcp  ------  anywhere             anywhere              any -> ssh
ACCEPT     tcp  ------  anywhere             anywhere              smtp -> any
ACCEPT     tcp  ------  anywhere             anywhere              any -> smtp
ACCEPT     tcp  ------  anywhere             anywhere              any -> smtp
ACCEPT     tcp  ------  anywhere             anywhere              pop3 -> any
ACCEPT     tcp  ------  anywhere             anywhere              any -> pop3
DENY       all  ------  anywhere             anywhere              n/a
DENY       tcp  ------  anywhere             anywhere              any -> squid
DENY       tcp  ------  anywhere             anywhere              any -> squid
Chain forward (policy ACCEPT):
target     prot opt     source                destination           ports
MASQ       all  ------  192.168.1.0/24       anywhere              n/a
Chain output (policy ACCEPT):

And this is the content of the file /etc/sysconfig/ipchains:

:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth1 -p 1 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 53:53 -d 0.0.0.0/0.0.0.0 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 53:53 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 53:53 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 53:53 -d 0.0.0.0/0.0.0.0 -i eth1 -p 17 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 53:53 -i eth1 -p 17 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 80:80 -d 0.0.0.0/0.0.0.0 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 8080:8080 -d 0.0.0.0/0.0.0.0 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 80:80 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 21:21 -d 0.0.0.0/0.0.0.0 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 20:20 -d 0.0.0.0/0.0.0.0 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 22:22 -d 0.0.0.0/0.0.0.0 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 22:22 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 25:25 -d 0.0.0.0/0.0.0.0 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 25:25 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 25:25 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 110:110 -d 0.0.0.0/0.0.0.0 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 110:110 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth1 -j DENY
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 3128:3128 -i eth1 -p 6 -j DENY
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 3128:3128 -i eth1 -p 6 -j DENY
-A forward -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ

And now Win Messenger and NNTP news don't work from the Windows PC, which
connects to the Internet through the Linux PC. I'm probably missing rules for
that? As for the problems with files, that has happened to me several times. I
write some file on the Windows PC, carry it on a floppy (I don't have file
transfer over Ethernet working yet) to the Linux PC, there I set rwxr--r-- on
it, or rw-r--r--; when I'm not sure, I go by the other files in the directory. I
do everything as root. And when I then want to run such a script, for example by
pressing Enter in mc or by clicking on it, the system says that such-and-such is
not a file or a directory :-(

Zdenek Masek
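As an added example (editor's code, not the poster's script and not the one linked at linux.melzer.cz): a small first-match simulator for rules in the /etc/sysconfig/ipchains save format shown above. It does two things a reviewer wants from a listing like this: it flags rules that can never fire because an earlier rule in the same chain already matches everything they match (here the catch-all DENY on eth1 makes the two squid rules after it dead), and it evaluates a single packet top to bottom, which shows why a reply from a source port that has no ACCEPT rule (NNTP, port 119) is dropped while anything sent from source port 80 is accepted whatever its destination port. It goes beyond the post in that the shadow check is general: it compares interface, protocol, address ranges and port ranges, not just this file. SAMPLE is a constructed, condensed copy of the eth1 rules; the documentation addresses 203.0.113.5 and 198.51.100.7, the interface names in the calls, and the helper names are assumptions.

```python
# Added example (not code from the post or the linked script): first-match
# simulator for rules in the /etc/sysconfig/ipchains save format.
import ipaddress
import re
from collections import namedtuple

PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}   # -p numbers as in /etc/protocols
_PORT_RE = re.compile(r"\d+(?::\d+)?")                  # "53" or "1024:65535"
ANY = "0.0.0.0/0.0.0.0"

# Constructed, condensed copy of the post's eth1 rules; not the full listing.
SAMPLE = """\
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth1 -p 1 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 53:53 -d 0.0.0.0/0.0.0.0 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 80:80 -d 0.0.0.0/0.0.0.0 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 22:22 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth1 -j DENY
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 3128:3128 -i eth1 -p 6 -j DENY
-A forward -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ
"""

# src/dst: address/mask text as written; iface/proto: None = any;
# sport/dport: None = any port, else an inclusive (low, high) tuple.
Rule = namedtuple("Rule", "chain src dst iface proto sport dport target text")

def parse_rule(line):
    """Parse one '-A chain ... -j TARGET' line; any other line yields None."""
    toks = line.split()
    if len(toks) < 2 or toks[0] != "-A":
        return None
    f = {"-s": ANY, "-d": ANY, "-i": None, "-p": None, "-j": None}
    ports = {"-s": None, "-d": None}
    i = 2
    while i < len(toks):
        t = toks[i]
        if t in f:
            f[t] = toks[i + 1]
            i += 2
            if t in ports and i < len(toks) and _PORT_RE.fullmatch(toks[i]):
                lo, _, hi = toks[i].partition(":")  # an address followed by a port spec
                ports[t] = (int(lo), int(hi or lo))
                i += 1
        else:
            i += 1                              # flags this toy does not model (-y, -l, ...)
    proto = PROTO_NAMES.get(f["-p"], f["-p"])
    return Rule(toks[1], f["-s"], f["-d"], f["-i"], proto, ports["-s"], ports["-d"], f["-j"], line)

def load(text):
    """Return ({chain: policy}, [rules in file order]) for a save-format listing."""
    policies, rules = {}, []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif (rule := parse_rule(line)) is not None:
            rules.append(rule)
    return policies, rules

def _covers(outer, inner):
    """True if every port matched by inner is also matched by outer (None = any)."""
    return outer is None or (inner is not None and outer[0] <= inner[0] <= inner[1] <= outer[1])

def shadows(earlier, later):
    """True if earlier matches every packet later matches, so later can never fire."""
    net = lambda s: ipaddress.ip_network(s, strict=False)
    return (earlier.chain == later.chain
            and earlier.iface in (None, later.iface)
            and earlier.proto in (None, later.proto)
            and net(later.src).subnet_of(net(earlier.src))
            and net(later.dst).subnet_of(net(earlier.dst))
            and _covers(earlier.sport, later.sport)
            and _covers(earlier.dport, later.dport))

def shadowed_rules(rules):
    """List of (dead rule index, index of the first earlier rule shadowing it), 0-based."""
    found = []
    for i, rule in enumerate(rules):
        j = next((j for j in range(i) if shadows(rules[j], rule)), None)
        if j is not None:
            found.append((i, j))
    return found

def lookup(policies, rules, chain, src, dst, iface, proto, sport=0, dport=0):
    """Walk the chain top to bottom; the first matching rule decides, else the policy."""
    for r in rules:
        if (r.chain == chain and r.iface in (None, iface) and r.proto in (None, proto)
                and ipaddress.ip_address(src) in ipaddress.ip_network(r.src, strict=False)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(r.dst, strict=False)
                and (r.sport is None or r.sport[0] <= sport <= r.sport[1])
                and (r.dport is None or r.dport[0] <= dport <= r.dport[1])):
            return r.target
    return policies[chain]

if __name__ == "__main__":
    pol, rules = load(SAMPLE)
    for dead, by in shadowed_rules(rules):
        print(f"rule {dead + 1} never fires (shadowed by rule {by + 1}): {rules[dead].text}")
    # reply from source port 119 (NNTP) on eth1 -> DENY; anything from source port 80 -> ACCEPT
    print(lookup(pol, rules, "input", "203.0.113.5", "198.51.100.7", "eth1", "tcp", 119, 61000),
          lookup(pol, rules, "input", "203.0.113.5", "198.51.100.7", "eth1", "tcp", 80, 3128))
```

The shadow check deliberately reports only the first earlier rule that covers a later one, which is what you need to decide where a new rule must be inserted; the lookup models ipchains first-match semantics but none of the stateful or flag-based matches (-y, fragments), so treat its verdict as a reading of the listing, not a replacement for testing on the box.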



More information about the Linux mailing list