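#------------------------------------------------------------
# ICMP Control and Status Messages
#
# Interface roles used below: eth1 = external/WAN, eth0 = LAN
# (10.10.10.0/25); x.x.x.x is the firewall's own external address.
#
# Every LOG rule carries "-m limit" so that a remote sender cannot fill
# the syslog by flooding eth1 with matching packets; the rate values are
# a starting point and can be tuned.  LOG is non-terminating, so each
# LOG rule is still followed by its own DROP (or by the chain policy).

# Log and drop non-initial ICMP fragments.
# NOTE: iptables' -f/--fragment matches only the second and later
# fragments of a datagram, never the first one (see iptables(8)), so the
# first fragment of a fragmented ICMP message still falls through to the
# type-specific rules below.
-A INPUT   -i eth1 --fragment -p icmp -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "Fragmented incoming ICMP: "
-A INPUT   -i eth1 --fragment -p icmp -j DROP
-A OUTPUT  -o eth1 --fragment -p icmp -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "Fragmented outgoing ICMP: "
-A OUTPUT  -o eth1 --fragment -p icmp -j DROP
-A FORWARD -o eth1 --fragment -p icmp -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "Fragmented forwarded ICMP: "
-A FORWARD -o eth1 --fragment -p icmp -j DROP

# Source quench (type 4).  Deprecated by RFC 6633 and ignored by modern
# stacks; these ACCEPTs can be removed if nothing on the network relies
# on it.  Incoming is restricted to the firewall's own address.
-A INPUT   -i eth1 -p icmp --icmp-type source-quench -d x.x.x.x -j ACCEPT
-A OUTPUT  -o eth1 -p icmp --icmp-type source-quench -j ACCEPT
-A FORWARD -o eth1 -p icmp --icmp-type source-quench -j ACCEPT

# Parameter problem (type 12): needed so broken headers are reported back.
-A INPUT   -i eth1 -p icmp --icmp-type parameter-problem -d x.x.x.x -j ACCEPT
-A OUTPUT  -o eth1 -p icmp --icmp-type parameter-problem -j ACCEPT
-A FORWARD -o eth1 -p icmp --icmp-type parameter-problem -j ACCEPT

# Destination unreachable (type 3) from the outside.
# NOTE: unlike the other INPUT rules this one has no "-d x.x.x.x";
# presumably intentional (the error may be addressed to a forwarded
# host), but worth confirming.
-A INPUT  -i eth1 -p icmp --icmp-type destination-unreachable -j ACCEPT

# Destination unreachable towards the LAN only.
#Use $LAN_INTERFACE = eth0 $LAN_ADDRESSES = 10.10.10.0/25
-A OUTPUT  -o eth0 -p icmp --icmp-type destination-unreachable -d 10.10.10.0/25 -j ACCEPT
-A FORWARD -o eth0 -p icmp --icmp-type destination-unreachable -d 10.10.10.0/25 -j ACCEPT

# Fragmentation needed (type 3 code 4) must leave towards the outside,
# otherwise path-MTU discovery breaks for outside hosts.
-A OUTPUT  -o eth1 -p icmp --icmp-type fragmentation-needed -j ACCEPT
-A FORWARD -o eth1 -p icmp --icmp-type fragmentation-needed -j ACCEPT

# Dont log dropped outgoing ICMP error messages.
# Any other destination-unreachable leaving via eth1 is silently dropped
# so the outside learns nothing about internal topology.
-A OUTPUT  -o eth1 -p icmp --icmp-type destination-unreachable -j DROP
-A FORWARD -o eth1 -p icmp --icmp-type destination-unreachable -j DROP

# Intermediate traceroute responses (time-exceeded, type 11) to the
# firewall itself.
-A INPUT   -i eth1 -p icmp --icmp-type time-exceeded -d x.x.x.x -j ACCEPT

# Time-exceeded towards the LAN only.
#Use $LAN_INTERFACE = eth0 $LAN_ADDRESSES = 10.10.10.0/25
-A OUTPUT  -o eth0 -p icmp --icmp-type time-exceeded -d 10.10.10.0/25 -j ACCEPT
-A FORWARD -o eth0 -p icmp --icmp-type time-exceeded -d 10.10.10.0/25 -j ACCEPT

# allow outgoing pings to anywhere
-A OUTPUT -o eth1 -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT  -i eth1 -p icmp --icmp-type echo-reply -j ACCEPT

#-A FORWARD -o $DMZ_INTERFACE -p icmp --icmp-type echo-request -s $LAN_ADDRESSES -j ACCEPT

# allow incoming pings from trusted hosts
# Use $MY_ISP = any/0
# NOTE: with "-s any/0" the "trusted hosts" set is effectively everyone;
# narrow it to the ISP's ranges if inbound ping from the whole Internet
# is not wanted.
-A INPUT  -i eth1 -p icmp -s any/0 --icmp-type echo-request -d x.x.x.x -j ACCEPT
-A OUTPUT -o eth1 -p icmp -s x.x.x.x --icmp-type echo-reply -d any/0 -j ACCEPT

#-A INPUT  -i $LAN_INTERFACE -p icmp -s $LAN_ADDRESSES --icmp-type echo-request -d $LAN_IPADDR -j ACCEPT

#------------------------------------------------------------
# Logging Dropped Packets
#
# These rules only LOG; the actual drop is expected to come from the
# chain policy (or a later DROP rule) that is not part of this excerpt.
# Each rule has a distinct --log-prefix so the entries can be told apart
# when triaging the syslog.

# Don't log dropped incoming echo-requests (type 8) - they are noise.
# "--icmp-type ! 8" is the legacy intrapositioned negation; newer
# iptables prefers "! --icmp-type 8" and warns about this form.
-A INPUT -i eth1 -p icmp --icmp-type ! 8 -d x.x.x.x -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "Dropped incoming ICMP: "
#
-A INPUT -i eth1 -p tcp -d x.x.x.x -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "Dropped incoming TCP: "
#
# Logs every outgoing packet on eth1 that no earlier rule accepted.
-A OUTPUT -o eth1 -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "Dropped outgoing: "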

-------
Best regards, SergLeo

