Re: [Linux-sunucu] firewall


From: Fatih Dirol (fdirollists@gmail.com)
Date: Fri 15 Jul 2005 - 09:26:15 EEST


Greetings, and thank you for your interest,

1. Will there be a redirection to the web server? ( NO )
2. Is there any firewall restriction, and if so, what is it? If there is none, it should
already be working without any additions. ( From outside, only established
connections are allowed in; other connections are not )
3. Are the web server, ftp, mail, etc. on another server on the local network, or
will they be running on the machine you do the masquerading on? ( They will be
local; there is no DMZ or the like )

All I want is to open www, ftp, mail and, more importantly, SSH to external access.

The current file is as follows, and it is running on Fedora 3:

#!/bin/sh
# rc.firewall
FWVER=0.1

IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
AWK=/bin/awk
IFCONFIG=/sbin/ifconfig
EXTIF="ppp0"
INTIF="eth1"
EXTIP="`$IFCONFIG $EXTIF | $AWK /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
UNIVERSE="0.0.0.0/0"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
echo " External IP: $EXTIP"
echo -en " loading modules: "
echo " - Verifying that all kernel modules are ok"
$DEPMOD -a
echo -en "ip_tables, "
$MODPROBE ip_tables
echo -en "ip_conntrack, "
$MODPROBE ip_conntrack
echo -en "ip_conntrack_ftp, "
$MODPROBE ip_conntrack_ftp
echo -en "ip_conntrack_irc, "
$MODPROBE ip_conntrack_irc
echo -en "iptable_nat, "
$MODPROBE iptable_nat
echo -en "ip_nat_ftp, "
$MODPROBE ip_nat_ftp
echo -e "ip_nat_irc"
$MODPROBE ip_nat_irc
echo -e " Done loading modules.\n"
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo " Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
echo " FWD: Allow all connections OUT and only existing and related ones IN"

# Loopback may always talk to this box.
$IPTABLES -A INPUT -i lo -d $UNIVERSE -j ACCEPT
# LAN -> Internet: everything is allowed out.
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# The LAN may talk to this box on any port.
$IPTABLES -A INPUT -i $INTIF -s 192.168.0.0/24 -d $UNIVERSE -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -p tcp -m multiport --dports 25,80,110 -o $EXTIF -j ACCEPT
# Internet -> LAN: only replies to connections the LAN opened.
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anything else that reaches the end of FORWARD is logged, then hits the DROP policy.
$IPTABLES -A FORWARD -j LOG
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
# Transparent proxy: send web traffic from the LAN (and loopback) to squid on port 3128.
$IPTABLES -t nat -A PREROUTING -i lo -p tcp --dport http -j REDIRECT --to-port 3128
$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport http -j REDIRECT --to-port 3128
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

_______________________________________________
Linux-sunucu mailing list
Linux-sunucu@liste.linux.org.tr
http://liste.linux.org.tr/mailman/listinfo/linux-sunucu
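As an added example (not the poster's rc.firewall and not code from the Linux-sunucu list), here is a rule set for the same situation: a box that masquerades a LAN and also hosts www, ftp, mail and SSH itself. Two things are worth noting against the posted script. Its INPUT policy is ACCEPT and no INPUT rule mentions ppp0, so as far as iptables is concerned daemons on the box are already reachable from outside; and the FORWARD rules only govern traffic passing through to the LAN, not traffic addressed to the box. The version below instead defaults INPUT to DROP, accepts ESTABLISHED,RELATED first, and opens only the listed ports on the external interface, with an anti-spoofing rule and logging for whatever is refused. The interface names (ppp0, eth1), the LAN range and the port list are assumptions copied from the thread; run(), apply_rules, exposes_tcp_port and the file name rc.firewall.example are names made up for this example.

```sh
#!/bin/sh
# Added example, not the poster's rc.firewall: a stateful rule set for a box that
# masquerades a LAN *and* runs www, ftp, mail and SSH itself.  Interface names,
# LAN range and port list are assumptions taken from the thread.
#
#   DRY_RUN=1 sh rc.firewall.example apply    # print the commands, touch nothing
#             sh rc.firewall.example apply    # apply them (as root)

EXTIF="ppp0"                 # link to the ISP (assumed, as in the posted script)
INTIF="eth1"                 # LAN side (assumed)
LAN="192.168.0.0/24"         # LAN range (assumed)
PUBLIC_TCP="22,25,80,110"    # ssh, smtp, http, pop3 served by this box
FTP_PORT="21"                # ftp control channel; data channels arrive as RELATED

# Execute a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The complete policy, every step routed through run() so the same function can
# apply the firewall or show it for review.
apply_rules() {
    # Connection-tracking helpers so FTP data connections match RELATED.
    run modprobe ip_conntrack_ftp
    run modprobe ip_nat_ftp
    run sysctl -q -w net.ipv4.ip_forward=1
    run sysctl -q -w net.ipv4.ip_dynaddr=1

    # Start clean.  INPUT now defaults to DROP, so only explicitly opened
    # services on the box are reachable from ppp0.
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # Replies to connections this box already accepted, plus tracked FTP data
    # channels; anything conntrack cannot classify is dropped.
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -m state --state INVALID -j DROP

    # Loopback and the LAN may talk to the box freely.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -i "$INTIF" -s "$LAN" -j ACCEPT

    # Packets on the external link claiming a LAN source address are spoofed.
    run iptables -A INPUT -i "$EXTIF" -s "$LAN" -j DROP

    # Services exposed to the Internet: new TCP connections to these ports only.
    run iptables -A INPUT -i "$EXTIF" -p tcp -m state --state NEW -m multiport --dports "$PUBLIC_TCP" -j ACCEPT
    run iptables -A INPUT -i "$EXTIF" -p tcp -m state --state NEW --dport "$FTP_PORT" -j ACCEPT

    # Answer ping, then log whatever falls through to the DROP policy.
    run iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    run iptables -A INPUT -j LOG --log-prefix "FW-INPUT-DROP: "

    # LAN -> Internet out, replies back in, the rest logged and dropped.
    run iptables -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" -j ACCEPT
    run iptables -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -j LOG --log-prefix "FW-FORWARD-DROP: "

    # Masquerade the LAN behind the dynamic ppp0 address.
    run iptables -t nat -A POSTROUTING -o "$EXTIF" -s "$LAN" -j MASQUERADE
}

# Self-check: is TCP port $1 opened to the Internet by the rule set above?
# Returns 0 when an ACCEPT rule on $EXTIF lists the port in --dport/--dports.
exposes_tcp_port() {
    (DRY_RUN=1; apply_rules) \
        | grep -- "-i $EXTIF -p tcp" \
        | grep -- "-j ACCEPT" \
        | grep -Eq -- "--dports? ([0-9]+,)*$1(,[0-9]+)*( |\$)"
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     ;;   # no argument: only define the functions (file can be sourced)
esac
```

Run it with DRY_RUN=1 first and read the printed rule list; the order matters, because the ESTABLISHED,RELATED rule must come before the per-port rules or FTP data channels and SSH replies will be dropped. After applying it for real, check from a host outside the LAN that a new connection to port 22 succeeds and one to a port not in PUBLIC_TCP is refused and shows up in the kernel log with the FW-INPUT-DROP prefix.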



This archive was generated by hypermail 2.1.2.