From: Erhan KILIC (erhan.kilic@ammsav.com)
Date: Sun 12 Feb 2006 - 23:49:19 EET
Bu betiği çalıştırdığımda hata veriyor, nedendir acaba?
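#firewall gateway system ip address is 10.0.0.1 using ethernet device eth0
#Private network address is 192.168.0.0 using Ethernet device eth1
#Web site address is 10.0.0.2
#
# Syntax fixes versus the posted version (each of these makes iptables abort):
#  - "-i \! lo" / "-p \! icmp": the negation goes before the option ("! -i lo").
#  - "ESTABLISHED.RELATED": the state list is comma-separated ("ESTABLISHED,RELATED").
#  - "iptables A FORWARD": the dash was missing from "-A".
#  - "-j FORWARD" from the INPUT chain: a built-in chain is not a valid jump
#    target; those two rules are read as the matching DROP placed in FORWARD
#    (same pattern the localhost anti-spoof rules below already use).
# Must run as root (writes /proc/sys and the kernel ruleset).
set -eu   # abort on the first failing rule instead of leaving a half-built ruleset

#modprobe iptable_filter
#turn off ip forwarding while the ruleset is rebuilt
echo 0 > /proc/sys/net/ipv4/ip_forward
#Flush chain rules (nat too: "-F" only touches the filter table, so re-running
#the script would otherwise stack duplicate MASQUERADE rules in POSTROUTING)
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F POSTROUTING
#Set default (policy) rules
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# NOTE(review): with an ACCEPT policy, any forwarded packet not matched by a rule
# below passes; a DROP policy plus explicit allows would be the tighter choice.
iptables -P FORWARD ACCEPT
#IP spoofing, deny any packets on the internal network that have an external source address
iptables -A INPUT   -j LOG  -i eth1 ! -s 192.168.0.0/24
iptables -A INPUT   -j DROP -i eth1 ! -s 192.168.0.0/24
iptables -A FORWARD -j DROP -i eth1 ! -s 192.168.0.0/24
#IP spoofing, deny any OUTSIDE packets (any not on eth1) that have a source address of the internal network
iptables -A INPUT   -j DROP ! -i eth1 -s 192.168.0.0/24
iptables -A FORWARD -j DROP ! -i eth1 -s 192.168.0.0/24
#IP spoofing, deny any outside packets with localhost address
#(packets not on the lo interface ( any on eth0 or eth1 ) that have the source address of localhost)
iptables -A INPUT   -j DROP ! -i lo -s 127.0.0.0/255.0.0.0
iptables -A FORWARD -j DROP ! -i lo -s 127.0.0.0/255.0.0.0
#Allow all incoming messages for users on your firewall system
iptables -A INPUT -j ACCEPT -i lo
#Allow communication to the web server (address 10.0.0.2), port www
#("-p tcp" must come before "--dport", which belongs to the tcp match)
iptables -A INPUT -j ACCEPT -p tcp -i eth0 --dport www -s 10.0.0.2
#Allow established connections from web servers to internal network
iptables -A INPUT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp --sport www -s 10.0.0.2 -d 192.168.0.0/24 -j ACCEPT
#Prevent new connections from web servers to internal network
# NOTE(review): OUTPUT only sees packets generated by the firewall itself; traffic
# passing through to 192.168.0.0/24 traverses FORWARD — confirm the intended chain.
iptables -A OUTPUT -m state --state NEW -o eth0 -p tcp --sport www -d 192.168.0.0/24 -j DROP
#Allow established and related outside communication to your system
#Allow outside communication to the firewall, except for ICMP packets
iptables -A INPUT -m state --state ESTABLISHED,RELATED -i eth0 ! -p icmp -j ACCEPT
#Prevent OUTSIDE initiated connections
iptables -A INPUT   -m state --state NEW -i eth0 -j DROP
iptables -A FORWARD -m state --state NEW -i eth0 -j DROP
#Allow all local communication to and from the firewall on eth1 from the local network
#(the anti-spoof rules above already dropped 192.168.0.0/24 sources arriving on other interfaces)
iptables -A INPUT -j ACCEPT -p all -s 192.168.0.0/24
#Set up masquerading to allow internal machines access to outside network
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#Accept ICMP ping (0-8) and destination unreachable (3) messages
#Other ICMP from eth0 is dropped by the INPUT DROP policy (OUTPUT policy is ACCEPT)
iptables -A INPUT -j ACCEPT -p icmp -i eth0 --icmp-type echo-reply -d 10.0.0.1
iptables -A INPUT -j ACCEPT -p icmp -i eth0 --icmp-type echo-request -d 10.0.0.1
iptables -A INPUT -j ACCEPT -p icmp -i eth0 --icmp-type destination-unreachable -d 10.0.0.1
#Turn on IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward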