Проблема с iptables

sergleo · Отправлено: **14:07, 14-11-2005** | #5

Это точно лучше в

Цитата:

Всё это тоже пофикшено в sysctl.conf

Согласен..

Цитата:

В скрипте используються параметры:
echo "1" /proc/sys/net/ipv4/ip_forward
echo "1" /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" /proc/sys/net/ipv4/conf/all/proxy_arp
echo "1" /proc/sys/net/ipv4/ip_dynaddr

НУ например так

Код:

#------------------------------------------------------------------
# Default
*filter

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

#------------------------------------------------------------
# Unlimited traffic on the loopback interface
-A INPUT  -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

#------------------------------------------------------------
# Stealth Scans and TCP State Flags

# All of the bits are cleared
-A INPUT   -p tcp --tcp-flags ALL NONE -j DROP
-A FORWARD -p tcp --tcp-flags ALL NONE -j DROP

и далее так:

Код:

#------------------------------------------------------------
# Disallowing Connections to Common TCP Unprivileged Server Ports

# X Window connection establishment
-A OUTPUT -o eth1 -p tcp --syn --destination-port 6000:6063 -j REJECT
# X Window: incoming connection attempt
-A INPUT  -i eth1 -p tcp --syn --destination-port 6000:6063 -j DROP

# Establishing a connection over TCP to NFS, OpenWindows, SOCKS or squid
-A OUTPUT -o eth1 -p tcp -m multiport --destination-port 2049,2000,1080,3128,8080 --syn -j REJECT
-A INPUT  -i eth1 -p tcp -m multiport --destination-port 2049,2000,1080,3128,8080 --syn -j DROP

#------------------------------------------------------------
# Disallowing Connections to Common UDP Unprivileged Server Ports
# NFS and lockd
-A OUTPUT -o eth1 -p udp -m multiport --destination-port 2049,4045 -j REJECT
-A INPUT  -i eth1 -p udp -m multiport --destination-port 2049,4045 -j DROP

#------------------------------------------------------------
# DNS Name Server
# DNS Fowarding Name Server or client requests
-A OUTPUT -o eth1 -p udp -s 1.2.3.4 --sport 1024:65535 -d 1.2.3.4 --dport domain -j ACCEPT
-A INPUT  -i eth1 -p udp -s 1.2.3.4  --sport domain -d 1.2.3.4 --dport 1024:65535 -j ACCEPT

Дерзайте...