Re: lug-bg: IPTABLES and ethernet
- Subject: Re: lug-bg: IPTABLES and ethernet
- From: mano@xxxxxxxxxxxxx (Marian Popov)
- Date: Sat, 22 Jun 2002 23:20:23 +0300
I also use this kind of restriction, and here is how I set it up:
I have a script in which I list the IP addresses from the local network that
will have Internet via MASQ. I am giving you an example with MASQ because I see
that is what you want to use.
Here is the script.
#!/bin/bash
ipt="/usr/sbin/iptables"
echo -en "Loading iptable_filter, \n"
/sbin/modprobe iptable_filter
echo -en "Loading ipt_REDIRECT, \n"
/sbin/modprobe ipt_REDIRECT
echo -en "Loading iptable_nat, \n"
/sbin/modprobe iptable_nat
echo -en "Loading ip_conntrack, \n"
/sbin/modprobe ip_conntrack
echo -en "Loading ip_conntrack_ftp, \n"
/sbin/modprobe ip_conntrack_ftp
echo -en "Loading ip_conntrack_irc, \n"
/sbin/modprobe ip_conntrack_irc
echo -en "Loading ip_nat_ftp, \n"
/sbin/modprobe ip_nat_ftp
echo -en "Loading iptable_mangle, \n"
/sbin/modprobe iptable_mangle
echo -en "Loading ip_tables, \n"
/sbin/modprobe ip_tables
echo -en "Loading ipt_state, \n"
/sbin/modprobe ipt_state
echo -en "Loading ipt_limit, \n"
/sbin/modprobe ipt_limit
echo -en "Loading ipt_LOG, \n"
/sbin/modprobe ipt_LOG
echo -en "Loading ipt_REJECT. \n"
/sbin/modprobe ipt_REJECT
echo -en "Finished loading modules. \n"
# Flush and Delete
$ipt -F; $ipt -X
$ipt -t nat -F; $ipt -t nat -X
# SNAT fake nets
fake_nets="10.0.0.10 10.0.0.20 10.0.0.30 10.0.0.31 10.0.0.55 10.0.0.100
10.0.0.101 10.0.0.120 10.0.0.121 10.0.0.122 10.0.0.123 10.0.0.124
10.0.0.125"
for fake_net in $fake_nets; do
$ipt -t nat -A POSTROUTING -s $fake_net -j SNAT --to-source 212.116.159.97
done;
.
.
.
And it continues further down with various other things, but you will only need
this part.
You do not have to load all of these modules; that is up to you.
I load them because I use them.
Here is what actually happens:
If you have handed out 250 addresses from the 10.0.0.0/24 network, only the ones
you list in the lines above will have Internet.
So much for masquerading.
Now let's look at pinning by MAC address.
So you create a file somewhere, say /etc/rc.d/rc.fixmac, in which you list the
MAC addresses of all the IP addresses you have handed out. For example:
#!/bin/bash
arp="/sbin/arp -s"
$arp 10.0.0.10 00:60:1D:20:FB:58
$arp 10.0.0.20 00:02:2D:19:0D:06
.
.
.
# And now the ones we do not want to have Internet access
$arp 10.0.0.3 44:44:44:44:44:44
$arp 10.0.0.200 44:44:44:44:44:44
Make the file executable and run it.
Then type arp -n in a console somewhere and you will see all the MAC addresses
you listed with the flags CM,
and the ones you did not list with only the flag C.
I hope this helped; if anything is unclear, write.
mano
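The two halves of this answer (per-IP SNAT for listed hosts, static ARP entries to pin their MACs) and the POSTROUTING problem from the original question can be combined into one script. The example below is added here and is not code from either message in the thread; the interface names LAN_IF/WAN_IF, the DRY_RUN switch, the host list and the blocked IPs are assumptions made up for illustration, and PUBLIC_IP reuses the address from the script above. The mac match is only accepted in the PREROUTING, INPUT and FORWARD chains, which is why the POSTROUTING rule in the question was refused; the script therefore does the MAC check in FORWARD and leaves the POSTROUTING SNAT rule to match on the source IP alone.

```shell
#!/bin/sh
# Added example (not from the thread): allow Internet access only to LAN hosts
# whose IP *and* MAC are on a list, on a 2.4-era iptables gateway.
# LAN_IF, WAN_IF, DRY_RUN, the allow-list and BLOCKED_IPS are assumed values
# for illustration; PUBLIC_IP reuses the address from Marian's script.
LAN_IF="${LAN_IF:-eth1}"                  # interface facing the 10.0.0.0/24 LAN
WAN_IF="${WAN_IF:-eth0}"                  # interface facing the Internet
PUBLIC_IP="${PUBLIC_IP:-212.116.159.97}"
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print the commands, 0 = execute them

# Constructed allow-list: "IP MAC" pairs, one host per line.
ALLOWED_HOSTS="
10.0.0.10 00:60:1D:20:FB:58
10.0.0.20 00:02:2D:19:0D:06
"
# Hosts that get a bogus static ARP entry, as in the rc.fixmac trick above.
BLOCKED_IPS="10.0.0.3 10.0.0.200"
BOGUS_MAC="44:44:44:44:44:44"

run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }

# A typo in the list silently opens or closes a host, so validate each entry.
valid_mac() { printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; }
valid_ip()  { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# Rules for one permitted host.  The mac match is only valid in the
# PREROUTING, INPUT and FORWARD chains, so the MAC check lives in FORWARD
# and the POSTROUTING SNAT rule matches on the source IP alone.
host_rules() {
    ip="$1"; mac="$2"
    valid_ip "$ip"   || { echo "bad IP: $ip" >&2; return 1; }
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    run arp -i "$LAN_IF" -s "$ip" "$mac"
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$ip" \
        -m mac --mac-source "$mac" -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$ip" \
        -j SNAT --to-source "$PUBLIC_IP"
}

apply_policy() {
    run iptables -P FORWARD DROP                        # default deny
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT  # replies only
    set -- $ALLOWED_HOSTS                               # split into ip mac ip mac ...
    while [ $# -ge 2 ]; do
        host_rules "$1" "$2" || return 1
        shift 2
    done
    for ip in $BLOCKED_IPS; do                          # pin a MAC nobody owns
        run arp -i "$LAN_IF" -s "$ip" "$BOGUS_MAC"
    done
    run iptables -A FORWARD -i "$LAN_IF" -m limit --limit 5/min \
        -j LOG --log-prefix "fwd-denied: "              # see who is being dropped
}

[ "$DRY_RUN" = "1" ] && apply_policy   # preview; run with DRY_RUN=0 to apply
```

The state match needs ip_conntrack and ipt_state loaded, as in the module list at the top of the script above. The check is only as strong as the Ethernet segment: a host on the same LAN can clone an allowed MAC and IP, which is the weakness the original question already concedes; the static ARP entries make sure the gateway's replies go to the pinned MAC rather than to whoever answers ARP, but do not stop a cloned MAC.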
----- Original Message -----
From: "Atanas Mavrov" <bugar@xxxxxxx>
To: <lug-bg@xxxxxxxxxxxxxxxxxx>
Sent: Saturday, June 22, 2002 10:31 PM
Subject: lug-bg: IPTABLES and ethernet
> Hello
> I think this question has been asked before, but I could not find it. So I
> ask you to help.
> So we have the following situation: slack 8.0, kernel 2.4.5 - this is a machine
> designated as a server. We have a network in which some machines must have
> access to the Internet and others must not. So I need to restrict the machines
> by IP and by MAC address /not that it is very secure, but I cannot think of
> anything better/.
> If we assume we have a machine that must have Internet with IP x.x.x.x and
> MAC address y.y.y.y.y.y, I decided to do the following
> iptables -t nat -A POSTROUTING -s x.x.x.x -m mac --mac-source y.y.y.y.y.y -j
> MASQUERADE
> but as it turned out, mac and POSTROUTING cannot be used together.
> I decided to do the following, although I do not know how correct it is in my
> case /I experimented with the loopback address/:
> iptables -A INPUT -s 127.0.0.1 -j ACCEPT
> iptables -A INPUT -j DROP
> and then I tried telnet 127.0.0.1 - it works. I then decided to clear the
> rules and try the following
> iptables -A INPUT -s 127.0.0.1 -m mac --mac-source y.y.y.y.y.y -j ACCEPT
> iptables -A INPUT -j DROP
> but the result was that I had no connection to 127.0.0.1.
> I decided to try another way as well
> iptables -A INPUT -m mac mac-source -j ACCEPT
> iptabels -A INPUT -j DROP
> again there was not the expected result.
>
> So if anyone is willing to help, please tell me where I am going wrong and how
> this restriction can be done
> Thanks
>
============================================================================
> A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
> http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara
Zagora
> To unsubscribe: http://www.linux-bulgaria.org/public/mail_list.html
>
============================================================================
>