Question
From: НЕзнаещ
Date: 04/02/2003
I want to use the MAC addresses of the network cards, for example to restrict access to the Internet.
How do I use them with ipchains?
I have a file /etc/eth0 with the following contents:
##################################
# eth0 by ISP
192.168.0.10 00:40:F4:27:79:65
192.168.0.11 00:40:F4:27:73:7D
192.168.0.12 00:10:DC:23:6C:EE
192.168.0.13 00:40:F4:31:94:12
192.168.0.14 00:40:F4:27:73:14
192.168.0.14 0f:0f:0f:0f:0f:0f
# end eth0
In
/etc/rc.d/rc.firewall
I have the following:
/sbin/arp -f /etc/eth0
How can I use the MAC addresses set this way for restricting access or for creating a log file?
Thanks in advance

Answer #1
From: devane
Date: 04/03/2003
I didn't quite understand what exactly you want to do.
Do you want to set a static MAC?
arp -s ip mac
To cut off the Internet:
arp -s ip 00:00:00:00:00:00

Answer #2
From: JavoR (linuxadmin (a) abv __точка__ bg)
Date: 04/03/2003
You can also use the following method:
---------------------------------------------------
iptables -A FORWARD -s 192.168.0.14 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
....
and so on for every user you have.
At the end you add:
iptables -A FORWARD -s 192.168.0.0/24 -j DROP
That's it, roughly speaking =)

Answer #3
From: НЕзнаещ
Date: 04/03/2003
No, not to change it.
I have the MACs listed in the file eth0.
Once I have listed them, does cutting off the Internet for a host, for example
192.168.0.12 00:10:DC:23:6C:EE
happen automatically, or do I have to do something in some script?
I can't work out how ipchains takes it, or whether it works at all.
My kernel is 2.2.19 and I see no difference with or without the ARP.
Whether there is a MAC bound to the IP or not, it doesn't work. The user changes his IP and still has Internet.

Answer #4
From: fallen
Date: 04/03/2003
Post your iptables/ipchains rules so that people here can get their bearings.

Answer #5
From: НЕзнаещ
Date: 04/03/2003
Here is what I have in ipchains:
~~~~~~~~~~~~~~~~~~
target prot opt source destination ports
ACCEPT all ------ 192.168.0.0/24 anywhere n/a
REJECT all ----l- 192.168.0.0/24 anywhere n/a
ACCEPT all ------ anywhere server1.isp.com n/a
ACCEPT all ------ anywhere anywhere n/a
REJECT all ----l- anywhere anywhere n/a
DENY tcp ------ anywhere anywhere any -> netbios-ns:netbios-ssn
DENY udp ------ anywhere anywhere any -> netbios-ns:netbios-ssn
Chain forward (policy DENY):
target prot opt source destination ports
DENY all ------ 192.168.0.23 anywhere n/a
DENY all ------ 192.168.0.22 anywhere n/a
MASQ all ------ 192.168.0.0/24 anywhere n/a
REJECT all ----l- anywhere anywhere n/a
Chain output (policy REJECT):
target prot opt source destination ports
ACCEPT all ------ anywhere 192.168.0.0/24 n/a
REJECT all ----l- anywhere 192.168.0.0/24 n/a
REJECT all ----l- 192.168.0.0/24 anywhere n/a
ACCEPT all ------ server1.isp.com anywhere n/a
ACCEPT all ------ anywhere anywhere n/a
REJECT all ----l- anywhere anywhere n/a
DENY tcp ------ anywhere anywhere any -> netbios-ns:netbios-ssn
DENY udp ------ anywhere anywhere any -> netbios-ns:netbios-ssn
And I have nothing in iptables.

Answer #6
From: fallen
Date: 04/03/2003
Now I'll try to explain what I know about ARP.
I saw your ipchains rules and now I'll tell you how I see it.
That file you have, /etc/eth0, contains the IPs and the corresponding MAC addresses. It has to be activated with
#/sbin/arp -f /etc/eth0
This command "hammers" all the MAC addresses into your ARP cache. You can check them with
#arp
which will show you a table of the ARP cache. If you ping another host that isn't listed in /etc/eth0 and then run the command
#arp
again, you'll see the difference in a flag M, which shows that for that IP the ARP cache won't be changed. This protects you only from the following: for a given IP it guarantees a MAC.
It does not, however, protect you from the IP being changed to another one that isn't in the cache. That is, if a user sets an IP different from the ones listed in /etc/eth0 he will have Internet, because you've routed to everyone in 192.168.0.XX /I think I'm not mistaken/.
That is, you have to describe with ipchains, with a separate rule, the MAC address for each IP.
I'm not familiar with ipchains, so I'll leave it to the others to write how exactly it's done.
I think I've explained the difference. I hope I've been useful
;-)

Answer #7
From: НЕзнаещ
Date: 04/03/2003
Thanks fallen.
In /etc/rc.d/rc.firewall I have the following line:
#########################
#
# Binding IPs to the MACs of the LAN cards
# ARP from My
/sbin/arp -f /etc/eth0
# this file is loaded when the PC reboots
#
# end ARP
##########################
as a result of which, when the machine reboots, the file
~./eth0
is loaded.
When I run arp -a I get the following:
root@linuxserver1:~# arp -a
? (192.168.0.127) at 0F:0F:0F:0F:0F:0F [ether] PERM on eth1
? (192.168.0.51) at 0F:0F:0F:0F:0F:0F [ether] PERM on eth1
? (192.168.0.23) at 0F:0F:0F:0F:0F:0F [ether] PERM on eth1
? (192.168.0.50) at 0F:0F:0F:0F:0F:0F [ether] PERM on eth1
? (192.168.0.22) at 00:40:F4:27:73:14 [ether] PERM on eth1
? (192.168.0.21) at 00:40:F4:31:94:12 [ether] PERM on eth1
? (192.168.0.20) at 00:40:F4:31:8F:3B [ether] PERM on eth1
? (192.168.0.26) at 0F:0F:0F:0F:0F:0F [ether] PERM on eth1
? (192.168.0.24) at 52:54:05:C5:2C:7D [ether] PERM on eth1
? (192.168.0.30) at 0F:0F:0F:0F:0F:0F [ether] PERM on eth1
? (192.168.0.30) at 0F:0F:0F:0F:0F:0F [ether] PERM on eth1
So far O.K.

Answer #8
From: НЕзнаещ
Date: 04/03/2003
In /etc/rc.d/rc.firewall I have the following for forwarding:
ipchains -F forward
ipchains -P forward DENY
# Masquerade from local net on local interface to anywhere.
#
ipchains -A forward -i $extint -s $intnet -d 0.0.0.0/0 -j MASQ
ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
Could this be what's getting in my way:
ipchains -A forward -i $extint -s $intnet -d 0.0.0.0/0 -j MASQ

Answer #9
From: fallen
Date: 04/04/2003
In my opinion you need to stop routing for all the hosts in your network and set rules only for the IP addresses that are recorded in /etc/eth0, and in my opinion you should read what people wrote earlier in the answers about iptables and switch to it if IP+MAC can't be filtered in ipchains.
In principle, as I told you, you need to have a rule in iptables/chains to restrict routing by MAC and IP.
Read how it's done with ipchains /if it can be done/ or switch to iptables, and your policy should be such that you have routing entries only for the hosts you've entered, and not for the whole network (for example 192.168.48.0/16 gives all hosts with IPs from 192.168.48.1-192.168.48.255).
Good luck
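The approach from Answer #2 and Answer #9 (one ACCEPT per IP+MAC pair, then drop the rest of the LAN), as an added example that is not part of the thread: a script that builds those iptables rules from a file in the poster's /etc/eth0 format, rejects malformed lines and flags the duplicated 192.168.0.14 entry. The LAN prefix, the LOG prefix and the meaning of the dummy MAC 0f:0f:0f:0f:0f:0f are assumptions.

```shell
# Added example, not the poster's script: turn an "IP MAC" file in the
# /etc/eth0 format from this thread into the iptables FORWARD whitelist the
# replies describe: one ACCEPT per IP+MAC pair, then LOG and DROP everything
# else from the LAN, so a host that changes its IP is cut off. Assumption:
# entries with the dummy MAC 0f:0f:0f:0f:0f:0f are hosts that must stay
# blocked, so they get no ACCEPT rule.
LAN=192.168.0.0/24
BLOCK_MAC=0f:0f:0f:0f:0f:0f
H='[0-9a-f][0-9a-f]'
# gen_mac_rules FILE: print one iptables command per line. Comment and blank
# lines are ignored; malformed or duplicate-IP lines are reported on stderr
# and skipped rather than silently producing a rule for the wrong host.
gen_mac_rules() {
    seen=""
    echo "iptables -F FORWARD"
    while read -r ip mac rest; do
        case "$ip" in ''|'#'*) continue ;; esac
        mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
        case "$ip" in                     # crude dotted-quad check
            *[!0-9.]*|*..*|.*|*.) echo "skip bad ip: $ip" >&2; continue ;;
        esac
        case "$mac" in                    # six colon-separated hex pairs
            $H:$H:$H:$H:$H:$H) ;;
            *) echo "skip bad mac for $ip: $mac" >&2; continue ;;
        esac
        case " $seen " in                 # the same IP twice is ambiguous
            *" $ip "*) echo "skip duplicate ip: $ip" >&2; continue ;;
        esac
        seen="$seen $ip"
        [ "$mac" = "$BLOCK_MAC" ] && continue
        echo "iptables -A FORWARD -s $ip -m mac --mac-source $mac -j ACCEPT"
    done < "$1"
    echo "iptables -A FORWARD -s $LAN -j LOG --log-prefix 'MACFILTER: '"
    echo "iptables -A FORWARD -s $LAN -j DROP"
}
# Constructed sample in the thread's file format: 192.168.0.14 appears twice,
# as in the poster's file, and the last entry is deliberately malformed.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# eth0 by ISP
192.168.0.10 00:40:F4:27:79:65
192.168.0.12 00:10:DC:23:6C:EE
192.168.0.13 0f:0f:0f:0f:0f:0f
192.168.0.14 00:40:F4:27:73:14
192.168.0.14 0f:0f:0f:0f:0f:0f
192.168.0.x 00:11:22:33:44:55
EOF
gen_mac_rules "$SAMPLE"      # review the output, then run it as root
```

ipchains on the 2.2 kernel has no MAC match, so this only works after moving to iptables as the replies suggest; the LOG rule before the final DROP covers the log-file request from the question.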