RE: lug-bg: IPTABLES i ethernet [2]
- Subject: RE: lug-bg: IPTABLES i ethernet [2]
- From: bkrosnov@xxxxxxxx (Boyan Krosnov)
- Date: Sat, 22 Jun 2002 23:36:18 +0300
I have two comments on the matter :) :
first:
Protection by MAC addresses is insufficient.
The proper protection is with user/pass. Most often it is implemented
using technologies such as pptp and pppoe.
www.poptop.org
second:
If you still insist on checking whether the user is allowed internet
access based on the source MAC...
You cannot rely on the kernel to filter the arriving addresses based on
the PERM entries of the ARP table and the source MAC addresses of the
frames.
The easiest way for a person to be sure exactly what is happening is
(illustrated with bash/iptables)
eth1 is the internal card
eth0 is the external one
#!/bin/bash
iptables -F
iptables -X
for i in eth0_in eth0_out eth1_in eth1_out internet_user; do
    iptables -N $i
done
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j eth0_in
iptables -A INPUT -i eth1 -j eth1_in
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth0 -j eth0_out
iptables -A OUTPUT -o eth1 -j eth1_out
# iptables -A eth1_in ... assorted rules that allow local services
#   such as a web server, samba, etc. ... -j ACCEPT
# iptables -A eth1_in ... assorted other rules that deny access to
#   other local services ... -j REJECT
# Packets the box forwards for the users never enter INPUT (INPUT only
# sees packets addressed to the box itself); they traverse FORWARD, so
# that is where the check belongs. If a packet reaches this rule it is a
# packet for the internet and we must check whether the user is allowed.
iptables -P FORWARD DROP
iptables -A FORWARD -i eth1 -o eth0 -s x.x.x.x/24 -j internet_user
# replies to masqueraded connections come back through FORWARD as well
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Note that if you have a proxy on the machine you also have to check
# access to the proxy (that traffic does go through INPUT / eth1_in).
iptables -A internet_user -s user1.ip.address -m mac --mac-source mac:address:of:user1 -j ACCEPT
# ...
# ...
iptables -t nat -A POSTROUTING -s x.x.x.x/24 -o eth0 -j MASQUERADE
-----------------------------
and that is all.
Of course, you should put antispoof filters at least on your external
interface.
You should also put filters that restrict your machine so that it cannot
send with a source address different from the one allocated by your
provider.
You can also build a host-based firewall as described in
http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-5.html
and the accompanying packet-filtering howto.
BR,
Boyan
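An added example, not part of Boyan's mail or anything else on this page: the per-user ACCEPT rules in the internet_user chain are the part that is tedious to maintain by hand, and the quoted question asks what /etc/ethers should contain. The script below reads an ethers(5)-style file (one "MAC IP-or-hostname" pair per line, '#' comments), validates each MAC, and prints the internet_user rules for the script above, followed by the antispoof and egress-source filters mentioned at the end of the mail. It prints the iptables commands instead of running them, so it can be checked without root; pipe it to sh to apply. The interface names match the script above; the network 192.168.1.0/24, the external address 203.0.113.5 and the ethers lines used for testing are constructed placeholders, and a static provider-assigned address is assumed.

```shell
#!/bin/sh
# Added example, not from the original mail. Generates iptables rules for the
# internet_user chain from an /etc/ethers-style file and prints antispoof rules.
# Assumed/constructed values: interface names, LAN_NET, EXT_IP, ETHERS path.

ETHERS="${ETHERS:-/etc/ethers}"   # ethers(5): "MAC IP-or-hostname" per line
INT_IF=eth1                        # internal card, as in the script above
EXT_IF=eth0                        # external card
LAN_NET=192.168.1.0/24             # constructed: the x.x.x.x/24 of the mail
EXT_IP=203.0.113.5                 # constructed: address allocated by the provider

# Accept only a full colon-separated MAC (aa:bb:cc:dd:ee:ff); iptables -m mac
# rejects anything else, and a typo here would otherwise silently lock a user out.
is_mac() {
    hx='[0-9a-fA-F][0-9a-fA-F]'
    case "$1" in
        $hx:$hx:$hx:$hx:$hx:$hx) return 0 ;;
        *) return 1 ;;
    esac
}

# Read ethers lines from stdin and print one internet_user rule per user.
# Blank lines and '#' comments are skipped; malformed entries are reported
# on stderr and skipped rather than turned into a broken rule.
gen_user_rules() {
    while read -r mac ip rest; do
        case "$mac" in ''|\#*) continue ;; esac
        if [ -z "$ip" ] || ! is_mac "$mac"; then
            echo "skipping malformed ethers entry: '$mac $ip'" >&2
            continue
        fi
        printf 'iptables -A internet_user -s %s -m mac --mac-source %s -j ACCEPT\n' "$ip" "$mac"
    done
}

# Antispoof on the external interface plus the egress filter from the mail:
# nothing may arrive on eth0 claiming a LAN or loopback source, nothing from
# the LAN side may be forwarded with a foreign source, and nothing may leave
# eth0 with a source other than the provider-allocated address.
gen_antispoof() {
    cat <<EOF
iptables -A INPUT -i $EXT_IF -s $LAN_NET -j DROP
iptables -A FORWARD -i $EXT_IF -s $LAN_NET -j DROP
iptables -A INPUT -i $EXT_IF -s 127.0.0.0/8 -j DROP
iptables -A FORWARD -i $INT_IF ! -s $LAN_NET -j DROP
iptables -A OUTPUT -o $EXT_IF ! -s $EXT_IP -j DROP
EOF
}

# Usage: sh gen-rules.sh | sh   (after the chains from the script above exist)
if [ -f "$ETHERS" ]; then
    gen_antispoof
    gen_user_rules < "$ETHERS"
fi
```

Hostnames in the ethers file are resolved by iptables when the rule is inserted, so an entry whose name does not resolve fails at that point rather than at match time; using IP addresses avoids the dependency on name resolution while the firewall is being loaded.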
> -----Original Message-----
> From: Atanas Mavrov [mailto:bugar@xxxxxxx]
> Sent: Saturday, June 22, 2002 11:07 PM
> To: lug-bg@xxxxxxxxxxxxxxxxxx
> Subject: lug-bg: IPTABLES i ethernet [2]
>
>
> It is obvious that what I wrote with the hw addresses is a typo...
> because loopback has no such address, and eth0 won't work because the
> traffic doesn't pass through it /or at least so I think/. So that was
> silly, but I realized it a bit late. The question remains whether it
> will work like this:
> iptables -A INPUT -s x.x.x.x -m mac --mac-source y.y.y.y.y.y -j DROP
> ............. and so on for everyone who will use the net
> iptables -A INPUT -j DROP
> iptables -t nat -P POSTROUTING DROP
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> And what should /etc/ethers contain, because I don't have such a file
> :-)))
> Thanks
============================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora
To unsubscribe: http://www.linux-bulgaria.org/public/mail_list.html
============================================================================