Linux-Bulgaria.ORG
навигация

 

начало

пощенски списък

архив на групата

семинари ...

документи

как да ...

 

 

Предишно писмо Следващо писмо Предишно по тема Следващо по тема По Дата По тема (thread)

RE: lug-bg: iptables


  • Subject: RE: lug-bg: iptables
  • From: larry@xxxxxxxxxxxxxxxxxxxx (Kostadin Karaivanov)
  • Date: Wed, 3 Jul 2002 10:44:57 +0300



wij po-dolu no problema spored mene e 4e zabranqwash icmp type timestamp
timestamp-replay syotvetno type 13 i 14

Kostadin Karaivanov
Senior System Administrator @ Ministry Of Finace
tel: +359 2 98592062
larry@xxxxxxxxxxxxxxxxxxxx

-----Original Message-----
From: owner-lug-bg@xxxxxxxxxxxxxxxxxx
[mailto:owner-lug-bg@xxxxxxxxxxxxxxxxxx]On Behalf Of Qsin
Sent: Wednesday, July 03, 2002 08:52
To: lug-bg@xxxxxxxxxxxxxxxxxx
Subject: Re: lug-bg: iptables

Za suzhalenie i az kato Ivan Dobrinov ne sum mnogo najsno s
iptables, zatova mozhe moja vupros sushto da izglezhda mngo laishki
za koeto predvaritelno se izvinjvam, NO:

Pri opit da sverja chasovnika pod Windows XP Pro v log-a se pojavjava
slednoto:

Jul  3 08:43:51 firewall kernel: fp=UDP:2 a=DROP IN=eth0 OUT=eth1
SRC=192.168.xxx.yyy DST=129.6.15.28 LEN=76 TOS=0x00 PREC=0x00 TTL=127
ID=60553 PROTO=UDP SPT=123 DPT=123 LEN=56

i chasovnika ne se sverjava.

V iptables otnosno ICMP ima slednite neshta:

[0:0] -A INPUT -s 192.168.xxx.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport
41031:41900 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A INPUT -i eth1 -p icmp -j ICMPINBOUND
[0:0] -A FORWARD -s 192.168.xxx.0/255.255.255.0 -d !
192.168.xxx.0/255.255.255.0 -p tcp -m tcp --dport 41031:41900 -j
REJECT --reject-with icmp-port-unreachable
[0:0] -A FORWARD -s 192.168.xxx.0/255.255.255.0 -i eth0 -o eth1 -p icmp -j
ACCEPT
[0:0] -A FORWARD -i eth1 -p icmp -m state --state RELATED -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p icmp -j ICMPOUTBOUND
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 8 -m limit --limit
5/sec --limit-burst 10 -j ACCEPT
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 8 -j LPINGFLOOD
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 5 -j LDROP
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 13 -j LDROP -> mahni toq
red

^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 14 -j LDROP -> mahni i toq

^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 17 -j LDROP
[0:0] -A ICMPINBOUND -p icmp -m icmp --icmp-type 18 -j LDROP
[0:0] -A ICMPINBOUND -p icmp -j ACCEPT
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 5 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 11/0 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 11/1 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 12 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 13 -j LDROP -> toq toje

^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 14 -j LDROP -> otnovo go
mahni:-)))

^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 17 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -m icmp --icmp-type 18 -j LDROP
[0:0] -A ICMPOUTBOUND -p icmp -j ACCEPT
[0:0] -A LDROP -p icmp -m limit --limit 2/sec --limit-burst 10 -j
LOG --log-prefix "fp=ICMP:3 a=DROP "
[0:0] -A LREJECT -p icmp -m limit --limit 2/sec --limit-burst 10 -j
LOG --log-prefix "fp=ICMP:3 a=REJECT "
[0:0] -A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
[0:0] -A LREJECT -j REJECT --reject-with icmp-port-unreachable

Zadadoh vuprosa na choveka kojto e napravil nastrojkite, no toj ne mozha da
mi otgovori
koe spira sverjavaneto na chasovnika. Chetejki po-dolu posochenata stranica
(ne che shvanah neshto:)
se zamislih dali imenno filtracijata na ICMP ne e vinovna za tozi problem.
Znam che RTFM e zlatno pravilo
no chestno kazano v momenta sum malko orjazan otkum vreme zatova i zadavam
vuprosa.

Ako vuprosa e mnogo tup ili vi drazni - prosto ne otgovarjajte za da ne
suzdavame izlishen i
bezmislen trafik.

Yavor Atanasov

P.S. Che sum tup si go znam i bez da mi kazvate :))))

----- Original Message -----
From: "Boyan Krosnov" <bkrosnov@xxxxxxxx>
To: <lug-bg@xxxxxxxxxxxxxxxxxx>
Sent: Wednesday, July 03, 2002 1:29 AM
Subject: RE: lug-bg: iptables

> > Hmm, dosta e glupavo da zabraniavash ICMP paketite, tui kato te
> > nosiat mnogo cenna informacia. No ponezhe v dobrite unix tradicii
> > horata ti davat dostatychno vyzhe za da se zastreliash v kraka
> > probvai tova:
> mnogo dobre go kaza. Ne nablegna spored men dostatychno na fakta che
> _NE_ trqbwa da se filtrirat wsichki ICMP-ta po nikakyv powod.
> http://boyan.ludost.net/papers/pmtu.html za poweche informaciq.
>
> BR,
> Boyan

============================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora
To unsubscribe: http://www.linux-bulgaria.org/public/mail_list.html
============================================================================

============================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora
To unsubscribe: http://www.linux-bulgaria.org/public/mail_list.html
============================================================================



 

наши приятели

 

линукс за българи
http://linux-bg.org

FSA-BG
http://fsa-bg.org

OpenFest
http://openfest.org

FreeBSD BG
http://bg-freebsd.org

KDE-BG
http://kde.fsa-bg.org/

Gnome-BG
http://gnome.cult.bg/

проект OpenFMI
http://openfmi.net

NetField Forum
http://netField.ludost.net/forum/

 

 

Linux-Bulgaria.ORG

Mailing list messages are © Copyright their authors.