RE: Firewall rule for MS Terminal server
Dejma
dejma at volny.cz
Mon May 17 11:25:56 CEST 2004
> Do you also have it allowed in the FORWARD chain, i.e. something like iptables -I
> FORWARD -i eth0 -o eth1 -m state --state NEW,RELATED,ESTABLISHED -m
> tcp --dport 3389 -j ACCEPT
>
> M.
I don't really know how to find that out :(. I tried iptables -h and
shorewall in the shell - nothing sensible (for me).
I have a point-and-click tool for it through a web interface (I'm happy with it), but I
didn't find anything like that there.
There is SNAT, but there I can't enter a port number.
What is the way to allow such a rule?
Thanks, Dejma
Maybe the iptables -L listing will help the experts:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
eth0_in all -- anywhere anywhere
eth1_in all -- anywhere anywhere
eth2_in all -- anywhere anywhere
common all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg
10/hour burst 5 LOG level info prefix `Shorewall:INPUT:
reject all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp
flags:SYN,RST/SYN TCPMSS clamp to PMTU
eth0_fwd all -- anywhere anywhere
eth1_fwd all -- anywhere anywhere
eth2_fwd all -- anywhere anywhere
common all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg
10/hour burst 5 LOG level info prefix `Shorewall:FORWAR
reject all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere state
NEW,RELATED,ESTABLISHED
fw2lan all -- anywhere anywhere
fw2dmz all -- anywhere anywhere
fw2wan all -- anywhere anywhere
common all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg
10/hour burst 5 LOG level info prefix `Shorewall:OUTPUT
reject all -- anywhere anywhere
Chain all2all (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
common all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg
10/hour burst 5 LOG level info prefix `Shorewall:all2al
reject all -- anywhere anywhere
Chain common (8 references)
target prot opt source destination
icmpdef icmp -- anywhere anywhere
DROP tcp -- anywhere anywhere state
INVALID
REJECT udp -- anywhere anywhere udp
dpts:netbios-ns:netbios-ssn reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp
dpt:microsoft-ds reject-with icmp-port-unreachable
reject tcp -- anywhere anywhere tcp dpt:135
DROP udp -- anywhere anywhere udp dpt:1900
DROP all -- anywhere 255.255.255.255
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/4
reject tcp -- anywhere anywhere tcp dpt:auth
ACCEPT tcp -- anywhere anywhere tcp
flags:ACK/ACK
ACCEPT tcp -- anywhere anywhere tcp
flags:RST/RST
DROP all -- anywhere 195.122.195.255
DROP all -- anywhere 192.168.1.255
DROP all -- anywhere 192.168.2.255
Chain dmz2all (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
common all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg
10/hour burst 5 LOG level info prefix `Shorewall:dmz2al
reject all -- anywhere anywhere
Chain dmz2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp
echo-request
dmz2all all -- anywhere anywhere
Chain dmz2lan (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp
echo-request
dmz2all all -- anywhere anywhere
Chain dmz2wan (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state NEW
udp dpt:domain
dmz2all all -- anywhere anywhere
Chain dynamic (6 references)
target prot opt source destination
Chain eth0_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere
wan2lan all -- anywhere anywhere
wan2all all -- anywhere anywhere
Chain eth0_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp
echo-request
wan2fw all -- anywhere anywhere
Chain eth1_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere
lan2all all -- anywhere anywhere
lan2wan all -- anywhere anywhere
Chain eth1_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp
echo-request
lan2fw all -- anywhere anywhere
Chain eth2_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp
echo-request
dmz2fw all -- anywhere anywhere
Chain fw2all (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
common all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg
10/hour burst 5 LOG level info prefix `Shorewall:fw2all
reject all -- anywhere anywhere
Chain fw2dmz (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp
echo-request
fw2all all -- anywhere anywhere
Chain fw2lan (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp
echo-request
fw2all all -- anywhere anywhere
Chain fw2wan (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW
tcp dpt:domain
ACCEPT udp -- anywhere anywhere state NEW
udp dpt:domain
ACCEPT tcp -- anywhere anywhere state NEW
tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW
tcp dpt:ftp
fw2all all -- anywhere anywhere
Chain icmpdef (1 references)
target prot opt source destination
Chain lan2all (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
common all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg
10/hour burst 5 LOG level info prefix `Shorewall:lan2al
reject all -- anywhere anywhere
Chain lan2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW
tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW
tcp dpt:8443
ACCEPT icmp -- anywhere anywhere icmp
echo-request
ACCEPT udp -- anywhere anywhere state NEW
udp dpt:domain
lan2all all -- anywhere anywhere
Chain lan2wan (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state NEW
udp dpt:domain
ACCEPT icmp -- anywhere anywhere icmp
echo-request
ACCEPT tcp -- anywhere anywhere state NEW
tcp
ACCEPT udp -- anywhere anywhere state NEW
udp
lan2all all -- anywhere anywhere
Chain reject (10 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with
tcp-reset
REJECT all -- anywhere anywhere reject-with
icmp-port-unreachable
Chain shorewall (0 references)
target prot opt source destination
Chain wan2all (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
common all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg
10/hour burst 5 LOG level info prefix `Shorewall:wan2al
DROP all -- anywhere anywhere
Chain wan2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
reject tcp -- anywhere anywhere state NEW
tcp dpt:auth
ACCEPT tcp -- anywhere anywhere state NEW
tcp dpt:ftp-data
ACCEPT icmp -- anywhere anywhere icmp
echo-request
wan2all all -- anywhere anywhere
Chain wan2lan (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT tcp -- anywhere intranet state NEW
tcp dpt:http
ACCEPT tcp -- anywhere intranet state NEW
tcp dpt:ftp
ACCEPT tcp -- anywhere www.e-snet.cz state NEW
tcp dpt:smtp
ACCEPT tcp -- anywhere 192.168.1.5 state NEW
tcp dpt:666
ACCEPT udp -- anywhere 192.168.1.5 state NEW
udp dpt:666
ACCEPT tcp -- anywhere 192.168.1.250 state NEW
tcp dpt:3389
ACCEPT udp -- anywhere 192.168.1.250 state NEW
udp dpt:3389
ACCEPT tcp -- anywhere intranet state NEW
tcp dpt:https
wan2all all -- anywhere anywhere
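Working out from a listing like the one above whether the FORWARD path already accepts port 3389 to the terminal server is exactly the check the quoted reply asks for. The following is an added example, not code from this post or from Shorewall: it rejoins the wrapped `iptables -L` lines, walks the user-defined chains reachable from FORWARD and reports the ACCEPT rules that would admit a new TCP session to the port; the sample listing is a constructed, abridged copy of the one in the post.

```python
from collections import defaultdict
import re
# Constructed sample: an abridged copy of the post's listing, wrapping left in place.
SAMPLE_LISTING = """\
Chain FORWARD (policy DROP)
target prot opt source destination
eth0_fwd all -- anywhere anywhere
common all -- anywhere anywhere
Chain eth0_fwd (1 references)
target prot opt source destination
wan2lan all -- anywhere anywhere
Chain wan2lan (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 192.168.1.250 state NEW
tcp dpt:3389
"""
# "<target> <proto> -- <src> <dst> [matches]"; other lines under a chain header are wraps.
RULE_RE = re.compile(r"^(\S+)\s+(all|tcp|udp|icmp)\s+--\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_listing(text):
    """Return {chain: [[target, proto, src, dst, matches], ...]} with wraps rejoined."""
    chains, current = defaultdict(list), None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Chain "):
            current = line.split()[1]
        elif current and line and not line.startswith("target "):
            m = RULE_RE.match(line)
            if m:
                chains[current].append(list(m.groups()))
            elif chains[current]:  # continuation line: glue it onto the previous rule
                chains[current][-1][4] = f"{chains[current][-1][4]} {line}".strip()
    return dict(chains)

def admits_new(matches, port):
    # True if the match text lets a fresh connection to <port> through.
    if "state" in matches and "NEW" not in matches:
        return False  # RELATED,ESTABLISHED only: cannot open a session
    if "flags:" in matches and "/SYN" not in matches:
        return False  # keyed on ACK or RST flags (as in chain `common`): never a first packet
    return "dpt" not in matches or f"dpt:{port} " in f"{matches} "

def accepting_rules(chains, port, proto="tcp", chain="FORWARD", seen=()):
    # ACCEPT rules reachable from `chain` that admit a new <proto> session to <port>.
    hits = []
    for target, rproto, _src, dst, matches in chains.get(chain, []):
        if target in chains and target not in seen:  # descend into a user-defined chain
            hits += accepting_rules(chains, port, proto, target, seen + (chain,))
        elif target == "ACCEPT" and rproto in (proto, "all") and admits_new(matches, port):
            hits.append((chain, dst, matches))
    return hits
```

Feed it the output of `iptables -L -n` so ports and hosts come out numeric. Keep in mind that `iptables -L` shows only the filter table: the DNAT entry that redirects 3389 to the internal host lives in the nat table and must be checked separately with `iptables -t nat -L PREROUTING -n`.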