Re: Neostrada plus
On 9/9/02 11:51 AM, Grzegorz Kusnierz wrote:
> Also send your iptables rules, and if you don't know
>
I came, I saw, and I lost all along the line...
I'm sending the rules generated by ipmasq (they are regenerated every time
ppp is brought up) and the output of iptables -L (apologies in advance).
Fiddling with the TTL gave no result, and neither did lowering the MTU of
ppp and of the outgoing card all the way down to 1000 (in various combinations).
I did observe another unpleasant property, though: after sending an ICMP
packet (I only tested ICMP) larger than 1024, the link goes down and pppd
has to bring it up again.
It has got to the point where squid, a POP3 proxy and exim as a smarthost
are running there, and I was nearly foaming at the mouth...
If a sudden idea strikes anyone, I will be very grateful
JA
#: Interfaces found:
#: ppp0 80.50.45.171/255.255.255.255
#: ppp0 80.50.45.171/255.255.255.255
#: eth1 10.0.0.1/255.255.255.0
#: Turn off forwarding for 2.1 kernels
#: Disable automatic IP defragmentation
echo "0" > /proc/sys/net/ipv4/ip_forward
#: Flush all and set default policy of deny.
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT
/sbin/iptables -t mangle -F PREROUTING
/sbin/iptables -t mangle -F OUTPUT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t nat -F PREROUTING
/sbin/iptables -t nat -F POSTROUTING
/sbin/iptables -t nat -F OUTPUT
#: Forward packets among internal networks
#: Accept all packets coming in from the loopback interface
/sbin/iptables -A INPUT -j ACCEPT -i lo
#: Deny and log all packets trying to come in from a 127.0.0.0/8 address
#: over a non-'lo' interface
/sbin/iptables -A INPUT -j LOG -i ! lo -s 127.0.0.1/255.0.0.0
/sbin/iptables -A INPUT -j DROP -i ! lo -s 127.0.0.1/255.0.0.0
#: Accept dumb broadcast packets on internal interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 255.255.255.255/32
#: Accept packets from internal networks on internal interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -s 10.0.0.1/255.255.255.0
#: Accept multicast packets (addresses 224.0.0.0) from internal interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 224.0.0.0/4 -p ! tcp
#: Disallow and log packets trying to come in over external interfaces
#: from hosts claiming to be internal
/sbin/iptables -A INPUT -j LOG -i ppp0 -s 10.0.0.1/255.255.255.0
/sbin/iptables -A INPUT -j DROP -i ppp0 -s 10.0.0.1/255.255.255.0
#: Accept dumb broadcast packets on external interfaces
/sbin/iptables -A INPUT -j ACCEPT -i ppp0 -d 255.255.255.255/32
#: Accept incoming packets from external networks on external interfaces
/sbin/iptables -A INPUT -j ACCEPT -i ppp0 -d 80.50.45.171/32
#: Masquerade packets from internal networks
/sbin/iptables -t nat -A POSTROUTING -s 10.0.0.1/255.255.255.0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth1 -o ppp0 -s 10.0.0.1/255.255.255.0 -j ACCEPT
/sbin/iptables -A FORWARD -o eth1 -i ppp0 -d 10.0.0.1/255.255.255.0 -j ACCEPT
#: Allow packets to go out over the loopback interface
/sbin/iptables -A OUTPUT -j ACCEPT -o lo
#: Allow dumb broadcast packets to leave on internal interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 255.255.255.255/32
#: Allow packets for internal hosts to be delivered using internal interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 10.0.0.1/255.255.255.0
#: Allow multicast packets (addresses 224.0.0.0) to be delivered using
#: internal interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 224.0.0.0/4 -p ! tcp
#: Deny and log packets attempting to leave over external interfaces claiming
#: to be for internal networks
/sbin/iptables -A FORWARD -j LOG -o ppp0 -d 10.0.0.1/255.255.255.0
/sbin/iptables -A FORWARD -j DROP -o ppp0 -d 10.0.0.1/255.255.255.0
/sbin/iptables -A OUTPUT -j LOG -o ppp0 -d 10.0.0.1/255.255.255.0
/sbin/iptables -A OUTPUT -j DROP -o ppp0 -d 10.0.0.1/255.255.255.0
#: Allow dumb broadcast packets to leave on external interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o ppp0 -d 255.255.255.255/32
#: Allow packets for external networks leave over external interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o ppp0 -s 80.50.45.171/32
#: Turn on forwarding for 2.1 kernels
#: Enable automatic IP defragmentation
echo "1" > /proc/sys/net/ipv4/ip_forward
#: Set masquerading timeouts:
#: 2 hrs for TCP
#: 10 sec for TCP after FIN has been sent
#: 160 sec for UDP (important for ICQ users)
#: Run the deprecated /etc/ipmasq.rules, if present
#: Deny and log anything that may have snuck past any of our other rules
/sbin/iptables -A INPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A INPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A OUTPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A OUTPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A FORWARD -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A FORWARD -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
LOG all -- 127.0.0.0/8 anywhere LOG level warning
DROP all -- 127.0.0.0/8 anywhere
ACCEPT all -- anywhere 255.255.255.255
ACCEPT all -- 10.0.0.0/24 anywhere
ACCEPT !tcp -- anywhere BASE-ADDRESS.MCAST.NET/4
LOG all -- 10.0.0.0/24 anywhere LOG level warning
DROP all -- 10.0.0.0/24 anywhere
ACCEPT all -- anywhere 255.255.255.255
ACCEPT all -- anywhere pn171.neoplus.adsl.tpnet.pl
LOG all -- anywhere anywhere LOG level warning
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 10.0.0.0/24 anywhere
ACCEPT all -- anywhere 10.0.0.0/24
LOG all -- anywhere 10.0.0.0/24 LOG level warning
DROP all -- anywhere 10.0.0.0/24
LOG all -- anywhere anywhere LOG level warning
DROP all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere 255.255.255.255
ACCEPT all -- anywhere 10.0.0.0/24
ACCEPT !tcp -- anywhere BASE-ADDRESS.MCAST.NET/4
LOG all -- anywhere 10.0.0.0/24 LOG level warning
DROP all -- anywhere 10.0.0.0/24
ACCEPT all -- anywhere 255.255.255.255
ACCEPT all -- pn171.neoplus.adsl.tpnet.pl anywhere
LOG all -- anywhere anywhere LOG level warning
DROP all -- anywhere anywhere
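A small added example (mine, not from the post or from ipmasq) that parses the iptables -L listing above and lists the ACCEPT rules matching any protocol from any source: plain -L hides the interface match, so those rules (the lo rule, the broadcast rules, the pn171 host rule) cannot be told apart from a blanket accept without re-running the listing as iptables -L -v -n. The sample text is copied from the message; the function names are my own.

```python
# Added example: audit a plain `iptables -L` listing. Input copied from the
# post (INPUT chain and the first two FORWARD rules); parsing assumes the
# standard "target prot opt source destination" column order.
import re

SAMPLE = """\
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
LOG all -- 127.0.0.0/8 anywhere LOG level warning
DROP all -- 127.0.0.0/8 anywhere
ACCEPT all -- anywhere 255.255.255.255
ACCEPT all -- 10.0.0.0/24 anywhere
ACCEPT !tcp -- anywhere BASE-ADDRESS.MCAST.NET/4
LOG all -- 10.0.0.0/24 anywhere LOG level warning
DROP all -- 10.0.0.0/24 anywhere
ACCEPT all -- anywhere 255.255.255.255
ACCEPT all -- anywhere pn171.neoplus.adsl.tpnet.pl
LOG all -- anywhere anywhere LOG level warning
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 10.0.0.0/24 anywhere
ACCEPT all -- anywhere 10.0.0.0/24
"""

def parse_listing(text):
    """Return {chain: {"policy": str, "rules": [(target, prot, src, dst)]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(policy (\S+)\)", line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if current is None or line.startswith("target") or not line.strip():
            continue
        target, prot, _opt, src, dst = line.split()[:5]
        chains[current]["rules"].append((target, prot, src, dst))
    return chains

def blind_accepts(chains):
    """ACCEPT rules for any protocol from any source. Without -v the interface
    match is not printed, so these cannot be audited from this listing alone."""
    found = []
    for name, chain in chains.items():
        for target, prot, src, dst in chain["rules"]:
            if target == "ACCEPT" and prot == "all" and src == "anywhere":
                found.append((name, dst))
    return found
```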