From: cem es (cem_es@hotmail.com)
Date: Mon 18 Oct 2004 - 14:09:21 EEST
Hello,
I built a firewall with a DMZ using iptables; internet sharing and access
from outside work the way I want. My only problem is the transparent proxy:
squid works fine on its own, but when I redirect requests arriving on port 80
to port 3128 with the last line of the script below, the clients cannot reach
web pages.
When I set the INPUT rule to ACCEPT, the transparent proxy starts working.
As far as I understand there is a problem related to the INPUT rule, but port
80 is already open. I would appreciate your help.
# Disable forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward
DMZ_IP_NET='192.168.2.1/24'
DMZ_NIC='eth0'
LAN_IP_NET='192.168.0.1/24'
LAN_NIC='eth2'
# load some modules (if needed)
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
# Flush
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F
iptables -P INPUT DROP
#iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s $DMZ_IP_NET -j MASQUERADE
iptables -t nat -A POSTROUTING -s $LAN_IP_NET -j MASQUERADE
iptables -A FORWARD -j ACCEPT -i $DMZ_NIC -s $DMZ_IP_NET
iptables -A FORWARD -j ACCEPT -i $LAN_NIC -s $LAN_IP_NET
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Open ports on router for server/services
iptables -A INPUT -j ACCEPT -p tcp --dport 80 #HTTP
iptables -A INPUT -j ACCEPT -p tcp --dport 3389 #TS
iptables -A INPUT -j ACCEPT -p tcp --dport 21 #FTP
iptables -A INPUT -j ACCEPT -p tcp --dport 22 #SSH
# STATE RELATED for router
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Open ports to server on DMZ
iptables -A FORWARD -j ACCEPT -p tcp --dport 80
iptables -A FORWARD -j ACCEPT -p tcp --dport 3389
iptables -A FORWARD -j ACCEPT -p tcp --dport 21
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.2.200:80
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 3389 -j DNAT --to 192.168.2.200:3389
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to 192.168.2.200:21
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to 3128
_______________________________________________
Linux-ag mailing list
Linux-ag@liste.linux.org.tr
http://liste.linux.org.tr/mailman/listinfo/linux-ag
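A REDIRECT in nat PREROUTING rewrites the destination to the firewall's own address and port 3128, so the redirected request is delivered locally and judged by the INPUT chain (policy DROP above), not FORWARD; that chain accepts port 80 but has no rule for 3128. The Python model below is an added example, not part of the original post: it walks a constructed LAN request through that path with the poster's INPUT rules and with an assumed extra rule accepting 3128 only from the LAN interface (eth2), and checks that a request from the outside interface to 3128 is still dropped.

```python
"""Simplified model of the netfilter path taken by a LAN client's HTTP
request on the firewall above. Only the REDIRECT rule and the INPUT
chain are modelled; this is not real netfilter semantics."""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

FW_LAN_IP = "192.168.0.1"  # firewall address on eth2, from LAN_IP_NET above

def prerouting(pkt: Packet, lan_nic: str = "eth2", proxy_port: int = 3128) -> Packet:
    """nat PREROUTING: the REDIRECT rule rewrites dst to the local address
    and the destination port to the proxy port."""
    if pkt.in_iface == lan_nic and pkt.proto == "tcp" and pkt.dport == 80:
        return replace(pkt, dst=FW_LAN_IP, dport=proxy_port)
    return pkt

def routing_decision(pkt: Packet, local_addrs=(FW_LAN_IP,)) -> str:
    """Packets for a local address go to INPUT, everything else to FORWARD."""
    return "INPUT" if pkt.dst in local_addrs else "FORWARD"

def input_chain(pkt: Packet, rules, policy: str = "DROP") -> str:
    """filter INPUT: first match wins; a rule is (in_iface or None, dport)."""
    for iface, dport in rules:
        if (iface is None or iface == pkt.in_iface) and pkt.dport == dport:
            return "ACCEPT"
    return policy  # no rule matched: chain policy applies

# INPUT rules as posted: ports 80, 3389, 21, 22 on any interface
ORIGINAL_INPUT = [(None, 80), (None, 3389), (None, 21), (None, 22)]
# Assumed fix (not in the post): accept the proxy port, but only from the LAN side
FIXED_INPUT = ORIGINAL_INPUT + [("eth2", 3128)]

def verdict(pkt: Packet, input_rules) -> tuple:
    """Return (chain consulted, verdict) for a packet entering the firewall."""
    pkt = prerouting(pkt)
    chain = routing_decision(pkt)
    if chain == "INPUT":
        return chain, input_chain(pkt, input_rules)
    return chain, "not-modelled"  # FORWARD path is out of scope here

# Constructed samples: a LAN client browsing, and an outside host probing 3128
LAN_REQUEST = Packet("eth2", "192.168.0.50", "203.0.113.10", 80)
WAN_PROBE = Packet("eth1", "198.51.100.7", FW_LAN_IP, 3128)
```

With the posted rules the LAN request ends in INPUT with verdict DROP (which is why switching the INPUT policy to ACCEPT makes the proxy work); with the extra interface-bound rule it is accepted while the outside probe to 3128 is still dropped.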