NOTICE: Use the site's forums to ask your questions.
Question
From: na4inae6t (ispa (a) dir[ tochka ]bg)
Date: 02/13/2003
I have a question. I have 2 Linux servers. I have 15-20 PCs in the LAN.
One of them has 2 network cards: eth0 goes to the ISP, and eth1 to the
switch of my Ethernet. Here they are:
*****************
root@myhost:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:40:F4:27:79:65
          inet addr:XXX.72.223.28  Bcast:XXX.72.223.63  Mask:255.255.255.192
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:491006 errors:0 dropped:0 overruns:0 frame:0
          TX packets:301033 errors:0 dropped:0 overruns:0 carrier:0
          collisions:1810 txqueuelen:100
          RX bytes:354876106 (338.4 Mb)  TX bytes:59391671 (56.6 Mb)
          Interrupt:12 Base address:0xd800

eth1      Link encap:Ethernet  HWaddr 00:40:F4:27:73:7D
          inet addr:192.168.0.10  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:337435 errors:0 dropped:0 overruns:0 frame:0
          TX packets:324919 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:66709324 (63.6 Mb)  TX bytes:348704748 (332.5 Mb)
          Interrupt:10 Base address:0xd400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:187 errors:0 dropped:0 overruns:0 frame:0
          TX packets:187 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:20251 (19.7 Kb)  TX bytes:20251 (19.7 Kb)
*****************
And this is what I have as ipchains:
**************************
root@myhost:~# ipchains -L
Chain input (policy REJECT):
target     prot opt     source                destination           ports
ACCEPT     all  ------  192.168.0.0/24        anywhere              n/a
REJECT     all  ----l-  192.168.0.0/24        anywhere              n/a
ACCEPT     all  ------  anywhere              myhost.xxxxx.com      n/a
ACCEPT     all  ------  anywhere              anywhere              n/a
REJECT     all  ----l-  anywhere              anywhere              n/a
DENY       tcp  ------  anywhere              anywhere              any ->   netbios-ns:netbios-ssn
DENY       udp  ------  anywhere              anywhere              any ->   netbios-ns:netbios-ssn
DENY       icmp ------  localhost             anywhere              any ->   any
Chain forward (policy DENY):
target     prot opt     source                destination           ports
MASQ       all  ------  192.168.0.0/24        anywhere              n/a
REJECT     all  ----l-  anywhere              anywhere              n/a
Chain output (policy REJECT):
target     prot opt     source                destination           ports
ACCEPT     all  ------  anywhere              192.168.0.0/24        n/a
REJECT     all  ----l-  anywhere              192.168.0.0/24        n/a
REJECT     all  ----l-  192.168.0.0/24        anywhere              n/a
ACCEPT     all  ------  conet1.pirin.com      anywhere              n/a
ACCEPT     all  ------  anywhere              anywhere              n/a
REJECT     all  ----l-  anywhere              anywhere              n/a
DENY       tcp  ------  anywhere              anywhere              any ->   netbios-ns:netbios-ssn
DENY       udp  ------  anywhere              anywhere              any ->   netbios-ns:netbios-ssn
*****************
How can I use ipchains to restrict some of the machines in my network so
that they have no access to the Internet? I tried some commands, but it
didn't work. For example, I tried the following. I want the machine with IP
192.168.0.21 not to be able to get onto the Internet. I do the following:
root@myhost:~# ipchains -A input -s 192.168.0.21 -p tcp -j DENY
root@myhost:~# ipchains -A output -s 192.168.0.21 -p tcp -j DENY
But it doesn't work??? If anyone can tell me where I'm going wrong.
Answer #1
From: ivan
Date: 02/13/2003
Most likely, before you ran these two commands, you had set ACCEPT for
everything. The first matching rule is always the one that gets applied.
Best make yourself a shell script in which you first delete all the rules,
then give all the ACCEPT rules, and at the end DROP everything. There are
heaps of example scripts on the Internet.
Good luck
Answer #2
From: hipodilski (root< at >pcfreak__dot__cc)
Date: 02/13/2003
heh, do you see these lines? Delete the lines that REJECT tcp and udp
packets from anywhere and it'll be fine.
I suggest ipchains -F and redoing your firewall from scratch, or get a
ready-made one and port it to your own setup...
ACCEPT     all  ------  conet1.pirin.com      anywhere              n/a
ACCEPT     all  ------  anywhere              anywhere              n/a
REJECT     all  ----l-  anywhere              anywhere              n/a
DENY       tcp  ------  anywhere              anywhere              any ->   netbios-ns:netbios-ssn
DENY       udp  ------  anywhere              anywhere              any ->   netbios-ns:netbios-ssn
all the best fuck the rest
-====www.pcfreak.cc====- -- Fuck Microsoft - Stay Free !
Answer #3
From: Sudo
Date: 02/14/2003
ipchains is not at all complicated; there are two simple rules you must
know before you start writing any firewall rules whatsoever.
1. Packets that come from the internal network and are headed for the
Internet are handled by the forward policy; input is for packets destined
for your own machine, output for packets from your machine to somewhere else.
2. Packets are processed in the order in the chain as shown by ipchains -L,
and on a match they are NOT processed any further; if they match none of
the conditions, then the chain's default policy is applied, i.e.:
root@boza:~# ipchains -L
Chain forward (policy DENY):
target     prot opt     source                destination
MASQ       all  ------  192.168.0.0/24        anywhere
REJECT     all  ------  192.168.0.0/24        anywhere
the second line does NOTHING, since a packet with source address
192.168.0.X has matched the first line and is gone.
3. The -A command appends a rule at the end of the chain, while -I adds it
at the beginning of the chain, i.e. the example above again:
root@boza:~# ipchains -A forward -s 192.168.0.0/24 -d any/0 -j MASQ
root@boza:~# ipchains -A forward -s 192.168.0.1 -d any/0 -j DENY
gives you:
MASQ       all  ------  192.168.0.0/24        anywhere
DENY       all  ------  192.168.0.1           anywhere
the second line again does nothing, because the packet with source address
192.168.0.1 has matched the first line and is gone.
So, to get to the answer to your question, the command you need is:
ipchains -I forward -s 192.168.0.1 -d any/0 -j DENY
Good luck
Btw. you really do have a lot of rules for 2 interfaces; I have almost as
many for 5 :)))
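The ordering rule from the answer above (first matching rule wins, -A appends, -I inserts at the head), turned into the kind of boot-time script that Answer #1 recommends. This is an added example, not code from the thread or from any of its posters. The interface name eth0, the 192.168.0.0/24 LAN and the host 192.168.0.21 are taken from the question; everything else is my assumption: the rules for the firewall's own traffic in step 5, the 61000:65096 masquerade port range (the 2.2 kernel default), and the dryrun helper that prints the ipchains command lines instead of executing them.

```shell
#!/bin/sh
# Added example (not from the thread): load ipchains rules in an order that
# respects "first matching rule wins". Assumptions not in the thread: the
# firewall's own outbound traffic is allowed, inbound on eth0 is limited to
# TCP replies (non-SYN), DNS/masquerade replies and ICMP, and IPCHAINS may be
# pointed at the dryrun function below to preview the commands.
IPCHAINS="${IPCHAINS:-ipchains}"
EXT_IF=eth0                 # interface to the ISP (from the question's ifconfig)
LAN=192.168.0.0/24          # LAN behind eth1
BLOCKED="192.168.0.21"      # space-separated LAN hosts that must not reach the Internet

# Print the ipchains arguments instead of running them (IPCHAINS=dryrun).
dryrun() { printf '%s\n' "$*"; }

firewall_load() {
    # 1. Flush every chain first, so rules left over from a previous run
    #    cannot sit in front of the new ones and shadow them.
    $IPCHAINS -F
    # 2. Deny by default on all three chains; only explicit ACCEPTs pass.
    $IPCHAINS -P input DENY
    $IPCHAINS -P forward DENY
    $IPCHAINS -P output DENY
    # 3. Loopback, and traffic between the LAN and the firewall itself.
    $IPCHAINS -A input  -i lo -j ACCEPT
    $IPCHAINS -A output -i lo -j ACCEPT
    $IPCHAINS -A input  -s "$LAN" -j ACCEPT
    $IPCHAINS -A output -d "$LAN" -j ACCEPT
    # 4. Forward chain: the per-host DENYs go in BEFORE the subnet-wide MASQ.
    #    Appended after the MASQ rule they would never be reached, which is
    #    exactly what went wrong in the question.
    for host in $BLOCKED; do
        $IPCHAINS -A forward -s "$host" -d any/0 -j DENY
    done
    $IPCHAINS -A forward -s "$LAN" -i "$EXT_IF" -j MASQ
    # 5. The firewall's own Internet traffic: anything out, replies back in.
    $IPCHAINS -A output -i "$EXT_IF" -j ACCEPT
    $IPCHAINS -A input  -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    $IPCHAINS -A input  -i "$EXT_IF" -p udp --sport 53 -j ACCEPT
    $IPCHAINS -A input  -i "$EXT_IF" -p icmp -j ACCEPT
    # Replies to masqueraded LAN connections come back to ports 61000-65096
    # on eth0 and pass the input chain before being de-masqueraded (2.2
    # kernel default range; assumed here).
    $IPCHAINS -A input  -i "$EXT_IF" -p udp --dport 61000:65096 -j ACCEPT
}

# Block one more host while the firewall is already loaded: -I inserts at
# the head of the forward chain, so it is evaluated before the MASQ rule.
block_host() {
    $IPCHAINS -I forward -s "$1" -d any/0 -j DENY
}

case "${1:-}" in
    load)  firewall_load ;;
    block) block_host "$2" ;;
esac
```

Run it as `sh fw.sh load` from the boot scripts, or `IPCHAINS=dryrun sh fw.sh load` to see the exact rule order before touching the live chains; `sh fw.sh block 192.168.0.22` cuts off another host without reloading. Because the script always flushes first and uses only -A in a deliberate order, the DENY lines end up ahead of MASQ on every boot, which is the property the asker's two -A commands lacked.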
Answer #4
From: na4inae6t
Date: 02/15/2003
Thanks a lot Sudo, that helped with my question.
It works now. Later I'll try to put it into some script, so I don't have to
do it every time the machine restarts.
-:))
Thx Sudo...