Re: lug-bg: rp-ppoe
- Subject: Re: lug-bg: rp-ppoe
- From: qsin@xxxxxxxxxxxx (Qsin)
- Date: Fri, 8 Mar 2002 08:21:44 +0200
Is this enough as NAT?
Yavor Atanasov
# Generated by iptables-save v1.2.2 on Fri Feb 8 19:06:19 2002
*nat
:PREROUTING ACCEPT [5:630]
:POSTROUTING ACCEPT [6:569]
:OUTPUT ACCEPT [5:521]
[0:0] -A POSTROUTING -s 192.168.XXX.168 -o eth1 -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.XXX.125 -o eth1 -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.XXX.241 -o eth1 -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.XXX.243 -o eth1 -j MASQUERADE
COMMIT
# Completed on Fri Feb 8 19:06:19 2002
# Generated by iptables-save v1.2.2 on Fri Feb 8 19:06:19 2002
*mangle
:PREROUTING ACCEPT [141:9258]
:OUTPUT ACCEPT [99:16786]
COMMIT
# Completed on Fri Feb 8 19:06:19 2002
# Generated by iptables-save v1.2.2 on Fri Feb 8 19:06:19 2002
*filter
:INPUT DROP [2:88]
:FORWARD DROP [3:160]
:OUTPUT DROP [8:1344]
:CHECKBADFLAG - [0:0]
:ICMPINBOUND - [0:0]
:ICMPOUTBOUND - [0:0]
:LBADFLAG - [0:0]
:LDROP - [0:0]
:LINVALID - [0:0]
:LPINGFLOOD - [0:0]
:LREJECT - [0:0]
:LSPECIALPORT - [0:0]
:LSYNFLOOD - [0:0]
:SMB - [0:0]
:SPECIALPORTS - [0:0]
:TCPACCEPT - [0:0]
[0:0] -A INPUT -m state --state INVALID -j LINVALID
[16:913] -A INPUT -p tcp -j CHECKBADFLAG
[2:238] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -d 127.0.0.0/255.0.0.0 -j LREJECT
[16:913] -A INPUT -s 192.168.XXX.0/255.255.255.0 -i eth0 -j ACCEPT
[0:0] -A INPUT -s 192.168.XXX.0/255.255.255.0 -j LREJECT
[0:0] -A INPUT -i eth1 -p icmp -j ICMPINBOUND
[0:0] -A INPUT -p udp -m udp --dport 33434:33523 -j LDROP
[0:0] -A INPUT -i eth1 -j SMB
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 22 -j TCPACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 25 -j TCPACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 53 -j TCPACCEPT
[0:0] -A INPUT -i eth1 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 80 -j TCPACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 443 -j TCPACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 110 -j TCPACCEPT
[0:0] -A INPUT -i eth1 -j SPECIALPORTS
[0:0] -A INPUT -i eth1 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 1024:65535 -m state --state RELATED -j TCPACCEPT
[0:0] -A INPUT -i eth1 -p udp -m udp --dport 1024:65535 -m state --state RELATED -j ACCEPT
[0:0] -A INPUT -j LDROP
[0:0] -A FORWARD -m state --state INVALID -j LINVALID
[6:320] -A FORWARD -p tcp -j CHECKBADFLAG
[3:155] -A FORWARD -o eth1 -j SMB
[3:155] -A FORWARD -s 192.168.XXX.0/255.255.255.0 -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 -j ACCEPT
[0:0] -A FORWARD -s 192.168.XXX.0/255.255.255.0 -i eth0 -o eth1 -p udp -m udp --sport 1024:65535 -j ACCEPT
[0:0] -A FORWARD -s 192.168.XXX.0/255.255.255.0 -i eth0 -o eth1 -p icmp -j ACCEPT
[3:165] -A FORWARD -i eth1 -j SMB
[3:165] -A FORWARD -i eth1 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i eth1 -p tcp -m tcp --dport 1024:65535 -m state --state RELATED -j TCPACCEPT
[0:0] -A FORWARD -i eth1 -p udp -m udp --dport 1024:65535 -m state --state RELATED -j ACCEPT
[0:0] -A FORWARD -i eth1 -p icmp -m state --state RELATED -j ACCEPT
[0:0] -A FORWARD -j LDROP
[2:238] -A OUTPUT -o lo -j ACCEPT
[14:1620] -A OUTPUT -d 192.168.XXX.0/255.255.255.0 -o eth0 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p icmp -j ICMPOUTBOUND
[0:0] -A OUTPUT -o eth1 -j SMB
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --sport 113 -j REJECT --reject-with tcp-reset
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --sport 53 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p udp -m udp --sport 53 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -s 212.XXX.XXX.YYY -o eth1 -p tcp -m tcp --sport 1024:65535 -j ACCEPT
[0:0] -A OUTPUT -s 212.XXX.XXX.YYY -o eth1 -p udp -m udp --sport 1024:65535 -j ACCEPT
[0:0] -A OUTPUT -j LDROP
[0:0] -A CHECKBADFLAG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LBADFLAG
[0:0] -A CHECKBADFLAG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j LBADFLAG
[0:0] -A CHECKBADFLAG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LBADFLAG
[0:0] -A CHECKBADFLAG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LBADFLAG
[0:0] -A CHECKBADFLAG -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LBADFLAG
[0:0] -A CHECKBADFLAG -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LBADFLAG
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 8 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 8 -j LPINGFLOOD
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 5 -j LDROP
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 13 -j LDROP
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 14 -j LDROP
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 17 -j LDROP
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 18 -j LDROP
[0:0] -A ICMPINBOUND -p icmp -j ACCEPT
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 5 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 11/0 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 11/1 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 12 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 13 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 14 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 17 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 18 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -j ACCEPT
[0:0] -A LBADFLAG -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=BADFLAG:1 a=DROP "
[0:0] -A LBADFLAG -j DROP
[0:0] -A LDROP -p tcp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=TCP:1 a=DROP "
[0:0] -A LDROP -p udp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=UDP:2 a=DROP "
[0:0] -A LDROP -p icmp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=ICMP:3 a=DROP "
[0:0] -A LDROP -f -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=FRAGMENT:4 a=DROP "
[0:0] -A LDROP -j DROP
[0:0] -A LINVALID -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=INVALID:1 a=DROP "
[0:0] -A LINVALID -j DROP
[0:0] -A LPINGFLOOD -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP "
[0:0] -A LPINGFLOOD -j DROP
[0:0] -A LREJECT -p tcp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=TCP:1 a=REJECT "
[0:0] -A LREJECT -p udp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=UDP:2 a=REJECT "
[0:0] -A LREJECT -p icmp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=ICMP:3 a=REJECT "
[0:0] -A LREJECT -f -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=FRAGMENT:4 a=REJECT "
[0:0] -A LREJECT -p tcp -j REJECT --reject-with tcp-reset
[0:0] -A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
[0:0] -A LREJECT -j REJECT --reject-with icmp-port-unreachable
[0:0] -A LSPECIALPORT -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=SPECIALPORT:1 a=DROP "
[0:0] -A LSPECIALPORT -j DROP
[0:0] -A LSYNFLOOD -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP "
[0:0] -A LSYNFLOOD -j DROP
[0:0] -A SMB -p tcp -m tcp --dport 137 -j DROP
[0:0] -A SMB -p tcp -m tcp --dport 138 -j DROP
[0:0] -A SMB -p tcp -m tcp --dport 139 -j DROP
[0:0] -A SMB -p tcp -m tcp --dport 445 -j DROP
[0:0] -A SMB -p udp -m udp --dport 137 -j DROP
[0:0] -A SMB -p udp -m udp --dport 138 -j DROP
[0:0] -A SMB -p udp -m udp --dport 139 -j DROP
[0:0] -A SMB -p udp -m udp --dport 445 -j DROP
[0:0] -A SMB -p tcp -m tcp --sport 137 -j DROP
[0:0] -A SMB -p tcp -m tcp --sport 138 -j DROP
[0:0] -A SMB -p tcp -m tcp --sport 139 -j DROP
[0:0] -A SMB -p tcp -m tcp --sport 445 -j DROP
[0:0] -A SMB -p udp -m udp --sport 137 -j DROP
[0:0] -A SMB -p udp -m udp --sport 138 -j DROP
[0:0] -A SMB -p udp -m udp --sport 139 -j DROP
[0:0] -A SMB -p udp -m udp --sport 445 -j DROP
[0:0] -A SPECIALPORTS -p tcp -m tcp --dport 6670 -j LSPECIALPORT
[0:0] -A SPECIALPORTS -p tcp -m tcp --dport 1243 -j LSPECIALPORT
[0:0] -A SPECIALPORTS -p udp -m udp --dport 1243 -j LSPECIALPORT
[0:0] -A SPECIALPORTS -p tcp -m tcp --dport 27374 -j LSPECIALPORT
[0:0] -A SPECIALPORTS -p udp -m udp --dport 27374 -j LSPECIALPORT
[0:0] -A SPECIALPORTS -p tcp -m tcp --dport 6711:6713 -j LSPECIALPORT
[0:0] -A SPECIALPORTS -p tcp -m tcp --dport 12345:12346 -j LSPECIALPORT
[0:0] -A SPECIALPORTS -p tcp -m tcp --dport 20034 -j LSPECIALPORT
[0:0] -A SPECIALPORTS -p udp -m udp --dport 31337:31338 -j LSPECIALPORT
[0:0] -A SPECIALPORTS -p tcp -m tcp --dport 6000:6063 -j LSPECIALPORT
[0:0] -A SPECIALPORTS -p udp -m udp --dport 28431 -j LSPECIALPORT
[0:0] -A TCPACCEPT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
[0:0] -A TCPACCEPT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j LSYNFLOOD
[0:0] -A TCPACCEPT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
COMMIT
# Completed on Fri Feb 8 19:06:19 2002
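An added check, not from the thread, that answers the question above offline from an iptables-save dump (no root needed). It parses the dump, works out which LAN sources nat/POSTROUTING actually masquerades out of the WAN interface, and confirms that filter/FORWARD lets LAN traffic out and ESTABLISHED replies back in. Read against the dump posted above it makes one gap visible: FORWARD accepts the whole 192.168.XXX.0/24 from eth0, but POSTROUTING masquerades only four individual hosts, so packets from any other LAN address are forwarded out eth1 with a private source and never get a reply; one subnet-wide MASQUERADE rule closes it. The ip_forward sysctl cannot be read from a dump, so the script only looks at /proc when run on the router itself. The interface names, the 192.168.1.0/24 stand-in subnet and SAMPLE_DUMP are assumptions constructed for the demo.

```python
import ipaddress
import shlex

def parse_iptables_save(text):
    """Yield (table, chain, argv) for each '-A' rule in an iptables-save dump,
    skipping headers, policies, COMMIT, comments and the '[pkts:bytes]' counters."""
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#:" or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            continue
        if line.startswith("["):
            line = line.split("]", 1)[1]
        argv = shlex.split(line)
        if len(argv) >= 2 and argv[0] == "-A":
            yield table, argv[1], argv[2:]

def _opt(argv, flag):
    """Value following `flag` in a rule's argv, or None if the flag is absent."""
    for i in range(len(argv) - 1):
        if argv[i] == flag:
            return argv[i + 1]
    return None

def masqueraded_sources(rules, wan_iface):
    """Source networks that nat/POSTROUTING MASQUERADEs or SNATs out of wan_iface."""
    nets = []
    for table, chain, argv in rules:
        if (table, chain) != ("nat", "POSTROUTING"):
            continue
        if _opt(argv, "-j") not in ("MASQUERADE", "SNAT") or _opt(argv, "-o") != wan_iface:
            continue
        # no -s means every source; iptables-save writes single hosts without /32
        nets.append(ipaddress.ip_network(_opt(argv, "-s") or "0.0.0.0/0", strict=False))
    return nets

def lan_coverage(nets, lan_cidr):
    """(masqueraded_hosts, total_hosts) for the LAN. An uncovered host is still
    forwarded but leaves the WAN side with its private source address."""
    hosts = list(ipaddress.ip_network(lan_cidr, strict=False).hosts())
    covered = sum(1 for h in hosts if any(h in n for n in nets))
    return covered, len(hosts)

def forward_path_ok(rules, lan_iface, wan_iface):
    """True when filter/FORWARD accepts LAN->WAN and ESTABLISHED replies WAN->LAN."""
    out_ok = back_ok = False
    for table, chain, argv in rules:
        if (table, chain) != ("filter", "FORWARD") or _opt(argv, "-j") != "ACCEPT":
            continue
        states = (_opt(argv, "--state") or "").split(",")
        if _opt(argv, "-i") == lan_iface and _opt(argv, "-o") == wan_iface:
            out_ok = True
        if _opt(argv, "-i") == wan_iface and "ESTABLISHED" in states:
            back_ok = True
    return out_ok and back_ok

def ip_forward_enabled(path="/proc/sys/net/ipv4/ip_forward"):
    """Kernel forwarding flag: True/False on the router itself, None elsewhere."""
    try:
        with open(path) as f:
            return f.read().strip() == "1"
    except OSError:
        return None

def audit(dump, lan_cidr, lan_iface, wan_iface):
    """Summarise whether the dump is enough NAT for lan_cidr behind wan_iface."""
    rules = list(parse_iptables_save(dump))
    covered, total = lan_coverage(masqueraded_sources(rules, wan_iface), lan_cidr)
    return {"masqueraded_hosts": covered, "lan_hosts": total,
            "forward_path_ok": forward_path_ok(rules, lan_iface, wan_iface),
            "ip_forward": ip_forward_enabled()}

# Constructed sample modelled on the posted dump: 192.168.1.0/24 stands in for the
# redacted 192.168.XXX.0/24 and only two of the per-host MASQUERADE rules are kept.
SAMPLE_DUMP = """\
*nat
:POSTROUTING ACCEPT [0:0]
[0:0] -A POSTROUTING -s 192.168.1.168 -o eth1 -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.1.125 -o eth1 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
[0:0] -A FORWARD -s 192.168.1.0/255.255.255.0 -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 -j ACCEPT
[0:0] -A FORWARD -i eth1 -m state --state ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -j LDROP
COMMIT
"""
# The same dump with a subnet-wide rule in place of the first per-host rule.
FIXED_DUMP = SAMPLE_DUMP.replace("-s 192.168.1.168 ", "-s 192.168.1.0/255.255.255.0 ")

if __name__ == "__main__":
    print(audit(SAMPLE_DUMP, "192.168.1.0/24", "eth0", "eth1"))
    print(audit(FIXED_DUMP, "192.168.1.0/24", "eth0", "eth1"))
```

Run it on the router as `iptables-save -c | python3 nat_audit.py` after adapting the `__main__` block to read stdin, or feed it a saved dump. Passing the real WAN interface matters: if the xDSL link is a PPPoE session, the outgoing interface is a ppp device rather than eth1, and both the MASQUERADE rule and the FORWARD rules have to name that device or the audit (and the kernel) will match nothing.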
----- Original Message -----
From: "Boyan Krosnov" <bkrosnov@xxxxxxxx>
To: <lug-bg@xxxxxxxxxxxxxxxxxx>
Sent: Thursday, March 07, 2002 10:37 PM
Subject: RE: lug-bg: rp-ppoe
> and maybe a little NAT ;-)
>
> BR,
> Boyan
>
> > -----Original Message-----
> > From: Georgi Iliev [mailto:gecata@xxxxxxxxx]
> > Sent: Thursday, March 07, 2002 4:50 PM
> > To: lug-bg@xxxxxxxxxxxxxxxxxx
> > Subject: Re: lug-bg: rp-ppoe
> >
> >
> > Maybe you forgot:
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> >
> >
> >
> > > I started rp-pppoe and can now connect to it from the LAN,
> > > but somehow I can't get out through the leased line (xDSL).
> > > Apparently I'm getting something wrong with the options:
> > > -I
> > > -L
> > > -R
> > > for -I I use eth0, which is the LAN for the internal network
> > > for -L I use the IP of eth0
> > > for -R I use an IP that I have put through masquerading on the Linux box
> > > But it doesn't work.
> > > Apparently I haven't understood something.
> > >
> > > Can anyone help?
> > >
> > > Yavor Atanasov
> >
> >
> >
> >
> > ==============================================================
> > =============
> > A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers)
> > http://www.linux-bulgaria.org/ Hosted by Internet Group Ltd.
> > - Stara Zagora
> >
> >
>