Question
From: f0x
Date: 06/09/2005
I want to ask something related to iptables. In our apartment block we have a network; now I'm bringing in Internet with an antenna and Linux (our network is 172.168.6.0/24). I want to cut off the Internet for the whole network with iptables and accordingly allow only 172.168.6.2, 172.168.6.3, ... and so on up to 6.10. Does anyone have an idea how this can be done?

Answer #1
From: f0x
Date: 06/09/2005
iptables -I FORWARD -s 172.168.6.0/24 -j DROP
iptables -I FORWARD -s 172.168.6.2 -j ACCEPT
iptables -I FORWARD -s 172.168.6.3 -j ACCEPT
If I do it this way, will it work correctly?

Answer #2
From: ivan
Date: 06/09/2005
man iptables
...
A firewall rule specifies criteria for a packet, and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE, or RETURN.
...

Answer #3
From: f0x
Date: 06/09/2005
Look, man, I don't understand English, that's why I'm asking here. If I could translate the help myself, I wouldn't be bothering you.

Answer #4
From: orfey (orfeybg< at >abv< dot >bg)
Date: 06/09/2005
arp -s IP MAC
For the ones you don't want to have Internet, you write
arp -s IP 00:11:22:33:44:55, for example

Answer #5
From: ivan
Date: 06/09/2005
Put the drop after the accepts.

Answer #6
From: Ipolit
Date: 06/09/2005
It turned out that when you do it that way it still doesn't work. I racked my brains for two days too until I realised that it won't FORWARD the packets coming from the ISP. So because of that you have to add one more thing. So the policy is:
iptables -P FORWARD DROP  - this drops everything that is to be forwarded
iptables -A FORWARD -s 172.168.6.2 -j ACCEPT  - this forwards this one, but does not forward from the ISP back to him
iptables -A FORWARD -m state --state ESTABLISHED -s 0/0 -j ACCEPT  - this forwards everything that the one with 172.168.6.2 has initiated

Answer #7
From: Vatkov
Date: 06/09/2005
This will definitely do the job for you. The idea in iptables is to first allow the addresses and then deny all the rest.
iptables -A FORWARD -s 172.168.6.2 -j ACCEPT
iptables -A FORWARD -s 172.168.6.3 -j ACCEPT
iptables -A FORWARD -s 172.168.6.4 -j ACCEPT
iptables -A FORWARD -s 172.168.6.0/24 -j DROP

Answer #8
From: N. Antonov (nikola __@__ linux-bg[ dot ]org)
Date: 06/11/2005
Usually it's done like this:
1. Set a default policy of DROP.
2. Allow with separate rules only what you need.
In short:
iptables -P FORWARD DROP
iptables -A FORWARD -s 172.168.6.2 -j ACCEPT
iptables -A FORWARD -s 172.168.6.3 -j ACCEPT
...

Answer #9
From: onpoint (onpoint __@__ abv[ dot ]bg)
Date: 06/17/2005
All that's left is to let them through in the reverse direction too:
# the addresses that should have Internet access
iptables -A FORWARD -s 172.168.6.2 -j ACCEPT
iptables -A FORWARD -d 172.168.6.2 -j ACCEPT
iptables -A FORWARD -s 172.168.6.3 -j ACCEPT
iptables -A FORWARD -d 172.168.6.3 -j ACCEPT
.....
iptables -A FORWARD -s 172.168.6.10 -j ACCEPT
iptables -A FORWARD -d 172.168.6.10 -j ACCEPT
# deny all the others
iptables -A FORWARD -j DROP
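Putting the thread's conclusion together (the default-DROP policy from Answer #8, the ESTABLISHED rule from Answer #6, the per-host whitelist from Answer #9), here is an added example that is not code from any of the posts above: a POSIX sh script that generates a complete iptables-restore ruleset for the router. The interface names eth0 (antenna/ISP side) and eth1 (LAN side) and the two MAC addresses are hypothetical placeholders; the 172.168.6.0/24 prefix is kept from the question as-is (note that it is not an RFC 1918 private range, unlike 172.16.0.0/12). Two things differ from the posted rules: instead of a plain `-d <host>` ACCEPT in the return direction, which forwards any packet addressed to that host and not only replies, reply traffic is admitted only with `--state ESTABLISHED,RELATED` and only from the WAN interface towards the LAN; and a whitelisted IP can optionally be pinned to a MAC with `-m mac`, since an IP-only whitelist is defeated by a neighbour simply giving his PC a permitted address.

```shell
#!/bin/sh
# Added example, not code from any post in this thread. Generates an
# iptables-restore ruleset that forwards Internet traffic only for the
# whitelisted LAN hosts. Interface names and MAC addresses are hypothetical.

WAN_IF="${WAN_IF:-eth0}"   # assumption: the antenna/ISP side
LAN_IF="${LAN_IF:-eth1}"   # assumption: the apartment-block LAN side
LAN_NET="172.168.6.0/24"   # prefix from the question (not an RFC 1918 range)

# Whitelist entries are "ip" or "ip=mac". Pinning the MAC as well (-m mac)
# stops a neighbour from just reconfiguring his PC to a permitted address.
# The two MAC addresses are constructed sample values.
ALLOWED="172.168.6.2=00:11:22:33:44:02 172.168.6.3=00:11:22:33:44:03
172.168.6.4 172.168.6.5 172.168.6.6 172.168.6.7 172.168.6.8 172.168.6.9
172.168.6.10"

# One ACCEPT rule per whitelisted host, LAN -> WAN direction only.
emit_allow_rules() {
    for entry in $ALLOWED; do
        ip="${entry%%=*}"
        mac="${entry#*=}"
        rule="-A FORWARD -i $LAN_IF -o $WAN_IF -s $ip"
        if [ "$mac" != "$entry" ]; then
            rule="$rule -m mac --mac-source $mac"
        fi
        printf '%s\n' "$rule -m state --state NEW,ESTABLISHED -j ACCEPT"
    done
}

# filter table: policy DROP first, then replies back in, then the whitelist.
# Anything not matched falls through to the DROP policy, so no trailing
# "-j DROP" rule is needed.
gen_filter_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT ACCEPT [0:0]'     # the router itself: out of scope here
    printf '%s\n' ':FORWARD DROP [0:0]'     # the default deny from Answer #8
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Replies to connections a permitted host opened (Answer #6's ESTABLISHED
    # rule), but only in the WAN -> LAN direction. RELATED also lets through
    # ICMP errors tied to an existing connection.
    printf '%s\n' "-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    emit_allow_rules
    printf '%s\n' 'COMMIT'
}

# nat table: the LAN sits behind the router's single upstream address.
gen_nat_rules() {
    printf '%s\n' '*nat'
    printf '%s\n' ':POSTROUTING ACCEPT [0:0]'
    printf '%s\n' "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
    printf '%s\n' 'COMMIT'
}

# Sanity check before loading: how many hosts may open connections?
count_allowed() {
    gen_filter_rules | grep -c -- "-o $WAN_IF -s "
}

# Whole ruleset on stdout; redirect it to a file for iptables-restore.
gen_filter_rules
gen_nat_rules
```

Usage: `sh whitelist.sh > /etc/iptables.rules`, check the syntax with `iptables-restore --test < /etc/iptables.rules`, enable forwarding with `sysctl -w net.ipv4.ip_forward=1`, then load it with `iptables-restore < /etc/iptables.rules`. Verify the result with `iptables -L FORWARD -v -n --line-numbers`: the chain header must read `policy DROP`, the ESTABLISHED,RELATED rule must sit above the per-host rules, and the packet counters on the policy line show how much non-whitelisted traffic is being refused.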