From: hüseyin özbey (huseyin_ozbey@evkur.com.tr)
Date: Sat 24 Sep 2005 - 21:31:00 EEST
Mr. Huzeyfe,
My iptables -L output is as follows.
Regards,
Huseyin A. Ozbey
[root@papatya ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
bad_tcp_packets tcp -- anywhere anywhere
ACCEPT all -- 192.168.0.0/24 anywhere
ACCEPT all -- papatya.evkuronline.com anywhere
ACCEPT all -- merkez.evkur.com.tr anywhere
ACCEPT all -- 212.212.212.2 anywhere
ACCEPT udp -- anywhere anywhere udp spt:bootpc dpt:bootps
ACCEPT all -- anywhere 212.212.212.2 state RELATED,ESTABLISHED
tcp_packets tcp -- anywhere anywhere
udp_packets udp -- anywhere anywhere
icmp_packets icmp -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 3 LOG level debug prefix `IPT INPUT packet died: '
Chain FORWARD (policy DROP)
target prot opt source destination
bad_tcp_packets tcp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 3/min burst 3 LOG level debug prefix `IPT FORWARD packet died: '
Chain OUTPUT (policy DROP)
target prot opt source destination
bad_tcp_packets tcp -- anywhere anywhere
ACCEPT all -- papatya.evkuronline.com anywhere
ACCEPT all -- merkez.evkur.com.tr anywhere
ACCEPT all -- 212.212.212.2 anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 3 LOG level debug prefix `IPT OUTPUT packet died: '
Chain allowed (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
DROP tcp -- anywhere anywhere
Chain bad_tcp_packets (3 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp flags:SYN,ACK/SYN,ACK state NEW reject-with tcp-reset
LOG tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW LOG level warning prefix `New not syn:'
DROP tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW
Chain icmp_packets (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
Chain tcp_packets (1 references)
target prot opt source destination
allowed tcp -- anywhere anywhere tcp dpt:2222
allowed tcp -- anywhere anywhere tcp dpt:http
Chain udp_packets (1 references)
target prot opt source destination
-----Original Message-----
From: linux-guvenlik-bounces@liste.linux.org.tr [mailto:linux-guvenlik-bounces@liste.linux.org.tr] On Behalf Of Huzeyfe Onal
Sent: Saturday, September 24, 2005 9:10 PM
To: linux-guvenlik@liste.linux.org.tr
Subject: Re: [Linux-guvenlik] iptables tutorial 'daki calisan script simdiniye calismaz?
The output of iptables -L would be more helpful.
On 24.09.2005, hüseyin özbey <huseyin_ozbey@evkur.com.tr> wrote:
>
> Hello,
>
> I am using RedHat Enterprise Edition 4.0. eth0 is the internet interface and eth1
> is the local interface. But the rc.firewall.txt from the iptables tutorial, which
> runs after the IPs of the internet and local interfaces are defined and which had
> worked without a problem ten thousand million times, now blocks port 80 and ping
> packets when it is activated.
>
> Yet in the attached script, TCP 80 and ICMP packets are permitted.
>
> Chains named tcp_packets and icmp_packets have been created, and the lines
>
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
>
> and
>
> $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
>
> $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
>
> are present.
>
> In the INPUT chain too, TCP and ICMP packets are directed to the tcp_packets and
> icmp_packets chains:
>
> $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
>
> $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
>
> Everything looks normal.
>
> Could you comment on the reason for this?
>
> Regards,
>
> Huseyin A. Ozbey
>
> _______________________________________________
> Linux-guvenlik mailing list
> Linux-guvenlik@liste.linux.org.tr
> http://liste.linux.org.tr/mailman/listinfo/linux-guvenlik
>
--
Huzeyfe ÖNAL
---
First Turkish Qmail book is out! Go check it. Have you heard! Turkey's first Qmail book is out.
http://www.acikakademi.com/catalog/qmail/
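As an added check that is not part of the thread, the following Python tracer parses an `iptables -L` listing like the one above and walks a packet through INPUT and its user chains the way the kernel would; on the trimmed listing (constructed from the output above, with bad_tcp_packets and the empty udp_packets chain left out) a new SYN to port 80 and an echo-request both end in ACCEPT, which matches the script looking fine on paper. The packet dicts are constructed, and because `iptables -L` without `-v` does not print the -i/-o interface matches that the tutorial's INPUT rules use, those matches cannot be evaluated from this listing.

```python
import re

# Constructed sample: INPUT-side chains copied from the thread's `iptables -L` listing.
LISTING = """\
Chain INPUT (policy DROP)
ACCEPT all -- anywhere 212.212.212.2 state RELATED,ESTABLISHED
tcp_packets tcp -- anywhere anywhere
icmp_packets icmp -- anywhere anywhere
Chain allowed (2 references)
ACCEPT tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere
Chain icmp_packets (1 references)
ACCEPT icmp -- anywhere anywhere icmp echo-request
Chain tcp_packets (1 references)
allowed tcp -- anywhere anywhere tcp dpt:http
"""

def parse_listing(text):  # -> {chain: {"policy": ..., "rules": [(target, prot, src, dst, opts)]}}
    chains, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\w+)|\d+ references)\)", line)
        if m:  # user-defined chains have no policy: falling off their end means RETURN
            cur = chains.setdefault(m.group(1), {"policy": m.group(2) or "RETURN", "rules": []})
        elif cur and line.split() and line.split()[0] != "target":
            target, prot, _opt, src, dst, *opts = line.split()
            cur["rules"].append((target, prot, src, dst, " ".join(opts)))
    return chains

def rule_matches(rule, pkt):  # only what -L prints: without -v the -i/-o interface matches are invisible
    _, prot, src, dst, opts = rule
    if prot not in ("all", pkt["proto"]) or src not in ("anywhere", pkt["src"]) or dst not in ("anywhere", pkt["dst"]):
        return False  # addresses are compared literally; CIDR and hostname specs are not resolved here
    for key, want in (("dpt:", pkt.get("dport")), ("icmp ", pkt.get("icmp_type"))):
        if (m := re.search(key + r"(\S+)", opts)) and m.group(1) != want:
            return False
    if (m := re.search(r"state (\S+)", opts)) and pkt.get("state") not in m.group(1).split(","):
        return False
    m = re.search(r"flags:(!?)(\S+)/(\S+)", opts)  # --tcp-flags [!] mask comp: inspect only the masked bits
    if m and (set(pkt.get("flags", [])) & set(m.group(2).split(",")) == set(m.group(3).split(","))) == bool(m.group(1)):
        return False
    return True

def verdict(chains, pkt, chain="INPUT"):  # first terminating match wins; LOG and unknown targets fall through
    for target, *_ in (r for r in chains[chain]["rules"] if rule_matches(r, pkt)):
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target in chains and (v := verdict(chains, pkt, target)) != "RETURN":
            return v  # jumped into a user chain; a RETURN continues with the next rule here
    return chains[chain]["policy"]
```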