Firewall check - iptables
Petr Horacek
petr.horacek at koop.cz
Fri Sep 10 09:18:39 CEST 2004
Good day,
could I ask you for a quick check of this firewall built on iptables, whether there is any serious error in it or whether something is missing? Eth0 - internet, eth1 - LAN, a web server and SMTP for qmail reachable from outside, HTTP from the LAN through Squid.
Thanks for the help
Petr
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A PREROUTING -p tcp --dport 80 -i eth1 -j REDIRECT --to-ports 3128
[0:0] -A POSTROUTING -o eth0 -j SNAT --to-source X.X.X.X
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
[0:0] -A INPUT -i eth1 -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
[0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 5 -j ACCEPT
[0:0] -A INPUT -i eth0 -p tcp --syn -m limit --limit 1/s --limit-burst 1 -j ACCEPT
[0:0] -A FORWARD -i eth1 -o eth0 -p tcp -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i eth1 -p tcp -j ACCEPT
[0:0] -A OUTPUT -s 192.168.1.1 -j ACCEPT
[0:0] -A OUTPUT -s 127.0.0.1 -j ACCEPT
[0:0] -A OUTPUT -s X.X.X.X -j ACCEPT
COMMIT
More information about the Linux mailing list
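An added review aid for the ruleset above, written for this page and not the poster's own code: it parses the posted iptables-save dump, runs three checks a reviewer would apply (no ESTABLISHED,RELATED accept on INPUT under a DROP policy, a rate-limited `--syn` ACCEPT with no destination port, and a FORWARD chain that only ever matches `-p tcp`), and runs the same checks against a hardened variant placed beside it. The hardened set is this editor's suggestion, not a rule set from the post: it assumes the LAN is 192.168.1.0/24 (the post only names 192.168.1.1), keeps X.X.X.X as the public-address placeholder, and uses `-m state` to match the post's vintage (`-m conntrack --ctstate` is the modern equivalent and the parser accepts both). The function names `parse_rules`, `option` and `audit` are this example's own.

```python
import re

# Ruleset exactly as posted (counters kept, X.X.X.X left as the placeholder).
POSTED = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A PREROUTING -p tcp --dport 80 -i eth1 -j REDIRECT --to-ports 3128
[0:0] -A POSTROUTING -o eth0 -j SNAT --to-source X.X.X.X
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
[0:0] -A INPUT -i eth1 -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
[0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 5 -j ACCEPT
[0:0] -A INPUT -i eth0 -p tcp --syn -m limit --limit 1/s --limit-burst 1 -j ACCEPT
[0:0] -A FORWARD -i eth1 -o eth0 -p tcp -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i eth1 -p tcp -j ACCEPT
[0:0] -A OUTPUT -s 192.168.1.1 -j ACCEPT
[0:0] -A OUTPUT -s 127.0.0.1 -j ACCEPT
[0:0] -A OUTPUT -s X.X.X.X -j ACCEPT
COMMIT
"""

# Hardened variant written for this example (not from the post). Assumed: LAN
# prefix 192.168.1.0/24, Squid on 3128, X.X.X.X as the public address.
HARDENED = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source X.X.X.X
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i eth1 -s 192.168.1.0/24 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 5 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
COMMIT
"""


def parse_rules(text):
    """(table, chain, args) for every -A line; policy lines and COMMIT are skipped."""
    table, rules = None, []
    for raw in text.splitlines():
        line = re.sub(r"^\[\d+:\d+\]\s*", "", raw.strip())  # drop [pkts:bytes] counters
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            _, chain, *args = line.split()
            rules.append((table, chain, args))
    return rules


def option(args, name):
    """Value following option `name` in a rule's argument list, or None if absent."""
    i = args.index(name) + 1 if name in args else len(args)
    return args[i] if i < len(args) else None


def audit(text):
    """Three reviewer checks on the filter table; an empty list means all passed."""
    rules = parse_rules(text)
    chain = lambda name: [a for t, c, a in rules if (t, c) == ("filter", name)]
    findings = []
    # 1. Under policy DROP, replies to the box's own outbound connections (Squid
    #    fetches, qmail deliveries, DNS answers) need an ESTABLISHED accept on INPUT.
    if not any("ESTABLISHED" in (option(a, "--state") or option(a, "--ctstate") or "")
               and option(a, "-j") == "ACCEPT" for a in chain("INPUT")):
        findings.append("INPUT: no ESTABLISHED,RELATED accept; replies to the "
                        "firewall's own outbound connections are dropped")
    # 2. A --syn ACCEPT with no --dport admits new connections to every listening
    #    local service; -m limit only throttles the scan, it does not close anything.
    for a in chain("INPUT"):
        if "--syn" in a and option(a, "-j") == "ACCEPT" and option(a, "--dport") is None:
            findings.append("INPUT: rate-limited --syn ACCEPT without --dport exposes "
                            "every local port on %s" % (option(a, "-i") or "all interfaces"))
    # 3. If every FORWARD rule is -p tcp, LAN UDP (DNS) and ICMP are never forwarded.
    fwd = chain("FORWARD")
    if fwd and all(option(a, "-p") == "tcp" for a in fwd):
        findings.append("FORWARD: every rule is -p tcp; UDP (DNS) and ICMP from "
                        "the LAN are not forwarded")
    return findings


if __name__ == "__main__":
    print("posted:", audit(POSTED))
    print("hardened:", audit(HARDENED))
```

Running it reports three findings for the posted set and none for the hardened one. The hardened set keeps the post's design decisions that are not errors (every service on the box stays reachable from the LAN via the `-i eth1` accept, outbound from the box is unrestricted), and the checks are heuristics over the text of the rules, not a substitute for testing the loaded ruleset with real traffic.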