From: mesut guler (mesut@egemenyazilim.com)
Date: Sat 06 Nov 2004 - 14:46:23 EET
serkansoker wrote:
> Hello;
>
> I wrote a simple iptables script. The PCs on the local network cannot
> resolve DNS. (I can reach sites by IP address.)
> What do I need to do?
>
> Thanks
> Serkan
>
>
> **************************************************************************************
> # All incoming and forwarded packets are rejected by default.
> /sbin/iptables -P INPUT DROP
> /sbin/iptables -P OUTPUT DROP
> /sbin/iptables -P FORWARD DROP
> # Set the rules for the loopback device to accept by default.
> /sbin/iptables -A INPUT -i lo -j ACCEPT
> /sbin/iptables -A OUTPUT -o lo -j ACCEPT
>
> # Forwarding for specific ports
> /sbin/iptables -t nat -A POSTROUTING -p tcp --dport 25 -j MASQUERADE
> /sbin/iptables -t nat -A POSTROUTING -p tcp --dport 53 -j MASQUERADE
> /sbin/iptables -t nat -A POSTROUTING -p udp --dport 53 -j MASQUERADE
> /sbin/iptables -t nat -A POSTROUTING -p tcp --dport 80 -j MASQUERADE
> /sbin/iptables -t nat -A POSTROUTING -p tcp --dport 110 -j MASQUERADE
> /sbin/iptables -t nat -A POSTROUTING -p tcp --dport 443 -j MASQUERADE
> /sbin/iptables -A FORWARD -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
> *************************************************************************************************
>
Applying MASQUERADE per port as a way of blocking traffic does not make much
sense to me. Instead, apply MASQUERADE to all requests coming from the local
network and going out to the Internet. In FORWARD, allow only the ports you
want to let through, such as dns, smtp, pop3 and http. That way everything
other than these requests is blocked in the forward chain before it can reach
postrouting.
As for your problem: give the clients the IP addresses of the ISP's DNS
servers as their DNS for domain name resolution.
As an example, you can use the following rules:
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade everything leaving the local network, not individual ports
[0:0] -A POSTROUTING -s 192.168.0.0/255.255.255.0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -i eth0 -s 192.168.0.0/255.255.255.0 -j ACCEPT
[0:0] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Only these services may pass from the local network to the Internet
[0:0] -A FORWARD -i eth0 -s 192.168.0.0/255.255.255.0 -p tcp -m multiport --dports smtp,domain,http,https,pop3 -j ACCEPT
# DNS also uses UDP; the protocol must be udp here (-p tcp -m udp is rejected by iptables)
[0:0] -A FORWARD -i eth0 -s 192.168.0.0/255.255.255.0 -p udp -m udp --dport domain -j ACCEPT
COMMIT
Here:
local network: 192.168.0.0/24
ethernet interface connected to the local network: eth0
Good luck.
-- Mesut Guler Egemen Yazilim
_______________________________________________
Linux-ag mailing list
Linux-ag@liste.linux.org.tr
http://liste.linux.org.tr/mailman/listinfo/linux-ag
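A small simulator of the FORWARD decision discussed in the reply, added here as an example (it is not code from the thread). It transcribes the original post's FORWARD rules and the reply's rules (with the UDP rule written as -p udp) into iptables-save form, understands only the options those rules use, and shows why a LAN client's UDP DNS query is dropped by the first ruleset and accepted by the second; like iptables, it refuses a rule that combines -p tcp with -m udp. The packet and the rulesets are constructed sample input.

```python
import ipaddress
import shlex

PORT_NAMES = {"smtp": 25, "domain": 53, "http": 80, "https": 443, "pop3": 110}

# Constructed packet: a LAN client's UDP DNS query arriving at the gateway on eth0.
DNS_QUERY = {"in": "eth0", "src": "192.168.0.10", "proto": "udp", "dport": 53, "state": "NEW"}

# FORWARD chain of the original post, transcribed into iptables-save form.
ORIGINAL = """:FORWARD DROP [0:0]
[0:0] -A FORWARD -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT"""

# FORWARD chain of the reply, with its UDP rule written as "-p udp -m udp".
REPLY = """:FORWARD DROP [0:0]
[0:0] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i eth0 -s 192.168.0.0/255.255.255.0 -p tcp -m multiport --dports smtp,domain,http,https,pop3 -j ACCEPT
[0:0] -A FORWARD -i eth0 -s 192.168.0.0/255.255.255.0 -p udp -m udp --dport domain -j ACCEPT"""

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _parse(rule):
    # Every option in these rules takes exactly one argument; -m may repeat.
    toks, opts = shlex.split(rule), {"-m": []}
    for opt, arg in zip(toks[::2], toks[1::2]):
        if opt == "-m":
            opts["-m"].append(arg)
        else:
            opts[opt] = arg
    # iptables rejects a tcp/udp match whose protocol differs from -p.
    for m in opts["-m"]:
        if m in ("tcp", "udp") and opts.get("-p") != m:
            raise ValueError(f"-m {m} needs -p {m}: {rule}")
    return opts

def _matches(o, pkt):
    return (("-i" not in o or o["-i"] == pkt["in"])
        and ("-s" not in o or ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(o["-s"], strict=False))
        and ("-p" not in o or o["-p"] == pkt["proto"])
        and ("--dport" not in o or _port(o["--dport"]) == pkt["dport"])
        and ("--dports" not in o or pkt["dport"] in {_port(p) for p in o["--dports"].split(",")})
        and ("--state" not in o or pkt["state"] in o["--state"].split(",")))

def forward_verdict(ruleset, pkt):
    """Walk the FORWARD chain top to bottom; first match wins, otherwise the chain policy."""
    policy = "ACCEPT"
    for line in ruleset.splitlines():
        line = line.split(" ", 1)[1] if line.startswith("[") else line  # strip [pkts:bytes] counters
        if line.startswith(":FORWARD"):
            policy = line.split()[1]
        elif line.startswith("-A FORWARD") and _matches(opts := _parse(line), pkt):
            return opts["-j"]
    return policy
```

forward_verdict(ORIGINAL, DNS_QUERY) returns "DROP" because the only rule is limited to tcp, while forward_verdict(REPLY, DNS_QUERY) returns "ACCEPT" via the udp rule.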