ipchains
Zdenek Masek
sediss at seznam.cz
Sun Feb 23 12:26:09 CET 2003
No, I can't explain to you what such a firewall is good for; maybe the author
of the script could:
http://linux.melzer.cz/nat.html
The permissions I had were the following: rwxr--r--, and I tried to run it as
root. Root was also the owner of the file. I also wanted the script to run at
system startup, so I saved it to /etc/rc.d/init.d, but the system didn't even
notice it. That probably has to be activated somehow, right? In the end I
entered the rules into ipchains by hand, then ran "/etc/rc.d/init.d/ipchains
save", and now "/sbin/ipchains -L" gives me this listing:
Chain input (policy ACCEPT):
target prot opt source destination ports
ACCEPT icmp ------ anywhere anywhere any -> any
ACCEPT tcp ------ anywhere anywhere domain -> any
ACCEPT tcp ------ anywhere anywhere any -> domain
ACCEPT tcp ------ anywhere anywhere any -> domain
ACCEPT udp ------ anywhere anywhere domain -> any
ACCEPT udp ------ anywhere anywhere any -> domain
ACCEPT tcp ------ anywhere anywhere www -> any
ACCEPT tcp ------ anywhere anywhere webcache -> any
ACCEPT tcp ------ anywhere anywhere any -> www
ACCEPT tcp ------ anywhere anywhere ftp -> any
ACCEPT tcp ------ anywhere anywhere ftp-data -> any
ACCEPT tcp ------ anywhere anywhere ssh -> any
ACCEPT tcp ------ anywhere anywhere any -> sshin
ACCEPT tcp ------ anywhere anywhere www -> any
ACCEPT tcp ------ anywhere anywhere webcache -> any
ACCEPT tcp ------ anywhere anywhere any -> www
ACCEPT tcp ------ anywhere anywhere ftp -> any
ACCEPT tcp ------ anywhere anywhere ftp-data -> any
ACCEPT tcp ------ anywhere anywhere ssh -> any
ACCEPT tcp ------ anywhere anywhere any -> ssh
ACCEPT tcp ------ anywhere anywhere smtp -> any
ACCEPT tcp ------ anywhere anywhere any -> smtp
ACCEPT tcp ------ anywhere anywhere any -> smtp
ACCEPT tcp ------ anywhere anywhere pop3 -> any
ACCEPT tcp ------ anywhere anywhere any -> pop3
DENY all ------ anywhere anywhere n/a
DENY tcp ------ anywhere anywhere any -> squid
DENY tcp ------ anywhere anywhere any -> squid
Chain forward (policy ACCEPT):
target prot opt source destination ports
MASQ all ------ 192.168.1.0/24 anywhere n/a
Chain output (policy ACCEPT):
And this is the content of the file /etc/sysconfig/ipchains:
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth1 -p 1 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 53:53 -d 0.0.0.0/0.0.0.0 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 53:53 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 53:53 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 53:53 -d 0.0.0.0/0.0.0.0 -i eth1 -p 17 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 53:53 -i eth1 -p 17 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 80:80 -d 0.0.0.0/0.0.0.0 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 8080:8080 -d 0.0.0.0/0.0.0.0 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 80:80 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 21:21 -d 0.0.0.0/0.0.0.0 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 20:20 -d 0.0.0.0/0.0.0.0 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 22:22 -d 0.0.0.0/0.0.0.0 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 22:22 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 25:25 -d 0.0.0.0/0.0.0.0 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 25:25 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 25:25 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 110:110 -d 0.0.0.0/0.0.0.0 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 110:110 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth1 -j DENY
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 3128:3128 -i eth1 -p 6 -j DENY
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 3128:3128 -i eth1 -p 6 -j DENY
-A forward -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ
And now Win Messenger and NNTP news don't work from the Win PC, which connects
to the internet through the Lin PC. I'm probably missing rules for that? As
for the problems with files, that has happened to me several times. I write
some file on the Win PC, carry it over on a floppy (I don't have file transfer
over ethernet working yet) to the Lin PC, where I set it to rwxr--r-- or
rw-r--r--; when I'm not sure, I go by the other files in the directory. I do
everything as root. And when I then want to run such a script, say with Enter
in mc or by clicking on it, the system says that such-and-such is not a file
or a directory :-(
Zdenek Masek
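Added example, not from the post or the linked script: a small Python model of how ipchains evaluates the input chain from a rule file in the /etc/sysconfig/ipchains format quoted above. It parses ipchains-save lines (the "-s addr port" / "-d addr port" form), walks the chain first-match for a constructed packet, and lists rules that an earlier, broader rule makes unreachable. It relies on one ipchains detail, that replies to masqueraded connections pass the input chain before demasquerading and so arrive with a high destination port; the addresses, the 61000 port, the rule subset and the packet() helper are constructed assumptions.

```python
import ipaddress

# Constructed sample in ipchains-save format: a subset of the rules shown in the post.
SAMPLE_RULES = """\
:input ACCEPT
-A input -s 0.0.0.0/0.0.0.0 80:80 -d 0.0.0.0/0.0.0.0 -i eth1 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth1 -j DENY
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 3128:3128 -i eth1 -p 6 -j DENY
"""
KEYS = {"-A": "chain", "-s": "src", "-d": "dst", "-i": "iface", "-p": "proto", "-j": "target"}

def parse_rules(text):
    """Return ({chain: policy}, [rule dicts]) from ipchains-save lines."""
    lines = [t for t in map(str.split, text.splitlines()) if t]
    policies = {t[0][1:]: t[1] for t in lines if t[0].startswith(":")}   # ':chain POLICY'
    rules = []
    for tok in (t for t in lines if t[0] == "-A"):
        r, i = {"iface": None, "proto": None, "sport": None, "dport": None}, 0
        while i < len(tok):
            opt, val, i = tok[i], tok[i + 1], i + 2
            if opt in ("-s", "-d"):                   # '-s addr/mask [lo:hi]' -> src, sport
                r[KEYS[opt]] = ipaddress.ip_network(val, strict=False)
                if i < len(tok) and not tok[i].startswith("-"):
                    lo, _, hi = tok[i].partition(":")
                    r[KEYS[opt][0] + "port"], i = (int(lo), int(hi or lo)), i + 1
            else:                                     # -A chain, -i iface, -p proto, -j target
                r[KEYS[opt]] = int(val) if opt == "-p" else val   # proto: 1 icmp, 6 tcp, 17 udp
        rules.append(r)
    return policies, rules

def covers(a, b):
    """True when rule a matches everything rule b matches; placed earlier, a shadows b."""
    wider = lambda x, y: x is None or (y is not None and x[0] <= y[0] and y[1] <= x[1])
    return (a["chain"] == b["chain"] and a["iface"] in (None, b["iface"])
            and a["proto"] in (None, b["proto"]) and b["src"].subnet_of(a["src"])
            and b["dst"].subnet_of(a["dst"]) and wider(a["sport"], b["sport"])
            and wider(a["dport"], b["dport"]))

def packet(src, sport, dst, dport, proto=6, iface="eth1", chain="input"):
    # A single packet is just a rule with /32 addresses and one-port ranges.
    return {"chain": chain, "iface": iface, "proto": proto, "sport": (sport, sport),
            "dport": (dport, dport), "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst)}

def first_match(rules, policies, pkt):
    """ipchains walks a chain in order: the first matching rule decides, else the chain policy."""
    hit = next(((n, r["target"]) for n, r in enumerate(rules) if covers(r, pkt)), None)
    return hit or (None, policies[pkt["chain"]])

def shadowed(rules):  # rules that never fire: an earlier rule in the chain covers them
    return [n for n, r in enumerate(rules) if any(covers(e, r) for e in rules[:n])]
```

A masqueraded reply from tcp port 119 to the constructed high port 61000 is caught by the "DENY all" rule (index 1), while the 3128 rule after it is reported as shadowed.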
More information about the Linux mailing list