[linux-l] IPTables & IRC (DCC) mit NAT

dmcleod at gmx.net dmcleod at gmx.net
Di Feb 26 10:24:03 CET 2002


Hi allerseits,

ziemlich vergeblich versuche ich, meinen Router dazu zu überreden, DCC SEND
von meinem internen Netz aus zu ermöglichen. Daher hier meine
Firewall-Regeln, vielleicht sieht ja jemand den Fehler ... In den Logs
steht jedenfalls nix ...

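    # iptables setup for a masquerading router: ppp0 is the uplink, eth0 the
    # LAN. Runs as root; every line either loads a kernel module, writes a
    # tunable under /proc/sys/net/ipv4, or appends a rule through $FW.
    FW=/sbin/iptables
    EXT_IF=ppp0
    INT_IF=eth0
    # Internal network. The original used 192.168.10.0/0, and a /0 mask
    # matches every address, so the "internal" ACCEPT rules below applied to
    # any destination — /24 is what the comment "Erlaube internal" describes.
    LAN_NET=192.168.10.0/24

    # Flush the filter AND the nat table: `iptables -F` alone only clears the
    # filter table, so the POSTROUTING MASQUERADE rule was appended once more
    # on every run of this script.
    "$FW" -F
    "$FW" -t nat -F

    # Connection tracking plus the ftp/irc helpers, which watch the control
    # connection and let the data / DCC connection through as RELATED.
    # NOTE(review): the irc helper only inspects the IRC server port it was
    # loaded for (6667 by default); a server on another port needs the
    # module's ports= parameter — confirm with `modinfo ip_conntrack_irc`.
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    modprobe ip_conntrack_irc
    modprobe ip_nat_ftp
    modprobe ip_nat_irc

    # Default policies are set before any ACCEPT rule exists, so if the
    # script aborts half-way the box is closed, SSH included. Run it from the
    # console, or set the policies only after the rules are in place.
    "$FW" -P INPUT DROP
    "$FW" -P OUTPUT DROP
    "$FW" -P FORWARD ACCEPT

    "$FW" -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE

    # sysctl_set NAME VALUE — write VALUE to /proc/sys/net/ipv4/NAME.
    # printf instead of echo so a value can never be taken for an echo option.
    sysctl_set() {
      printf '%s\n' "$2" > "/proc/sys/net/ipv4/$1"
    }
    # NOTE(review): 0 is the author's choice; 1 (syncookies on) is the usual
    # hardening value for a box reachable from the Internet.
    sysctl_set tcp_syncookies 0
    # No answer to ping and to broadcast ping.
    sysctl_set icmp_echo_ignore_all 1
    sysctl_set icmp_echo_ignore_broadcasts 1
    # Log spoofed, source-routed and redirected packets.
    sysctl_set conf/all/log_martians 1
    # This is a router: forwarding must be on.
    sysctl_set ip_forward 1
    # Room in the conntrack table for the DCC sessions.
    sysctl_set ip_conntrack_max 8192

    # Allow the LAN and loopback. `-d $LAN_NET` limits the eth0 rules to
    # traffic addressed to the internal network.
    "$FW" -A INPUT  -i "$INT_IF" -d "$LAN_NET" -j ACCEPT
    "$FW" -A OUTPUT -o "$INT_IF" -d "$LAN_NET" -j ACCEPT
    "$FW" -A INPUT  -i lo -j ACCEPT
    "$FW" -A OUTPUT -o lo -j ACCEPT

    # Stateful rules: everything this host starts, plus replies and
    # helper-opened (RELATED) connections in all three chains. FORWARD's
    # policy is ACCEPT anyway, so a DCC transfer from the LAN is not blocked
    # here; if it still fails, the helper probably never saw the IRC
    # connection (see the ports= note above) — check /proc/net/ip_conntrack.
    "$FW" -A OUTPUT  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    "$FW" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$FW" -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ICMP echo both ways. Incoming echo-request is accepted by the filter,
    # but icmp_echo_ignore_all=1 above still keeps the kernel from answering.
    "$FW" -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    "$FW" -A INPUT  -p icmp --icmp-type echo-reply   -j ACCEPT
    "$FW" -A INPUT  -p icmp --icmp-type echo-request -j ACCEPT

    # DNS to any resolver. In the original these two commands were wrapped by
    # the mail client, leaving `-j ACCEPT` on a line of its own; each rule
    # must be a single command line.
    "$FW" -A OUTPUT -p udp --sport 1024:65535 -d 0/0 --dport domain -j ACCEPT
    "$FW" -A OUTPUT -p tcp --sport 1024:65535 -d 0/0 --dport domain -j ACCEPT

    # SSH in from anywhere and out to anywhere.
    # NOTE(review): if sshd only needs to be reachable from the LAN, add
    # `-i "$INT_IF"` to the INPUT rule.
    "$FW" -A INPUT  -p tcp -s 0/0 -d 0/0 --dport ssh -j ACCEPT
    "$FW" -A OUTPUT -p tcp -s 0/0 --sport ssh -j ACCEPT
    "$FW" -A OUTPUT -p tcp -s 0/0 --dport ssh -j ACCEPT

    # Log whatever reaches the end of INPUT/OUTPUT before the DROP policy
    # takes it; one prefix per protocol keeps the log greppable.
    "$FW" -A INPUT  -p udp  -j LOG --log-prefix "IPTABLES UDP-IN: "
    "$FW" -A OUTPUT -p udp  -j LOG --log-prefix "IPTABLES UDP-OUT: "
    "$FW" -A INPUT  -p icmp -j LOG --log-prefix "IPTABLES ICMP-IN: "
    "$FW" -A OUTPUT -p icmp -j LOG --log-prefix "IPTABLES ICMP-OUT: "
    "$FW" -A INPUT  -p tcp  -j LOG --log-prefix "IPTABLES TCP-IN: "
    "$FW" -A OUTPUT -p tcp  -j LOG --log-prefix "IPTABLES TCP-OUT: "
    "$FW" -A INPUT  -j LOG --log-prefix "IPTABLES PROTOCOL-X-IN: "
    "$FW" -A OUTPUT -j LOG --log-prefix "IPTABLES PROTOCOL-X-OUT: "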

Danke ...

Ciao, Duncan

-- 
GMX - Die Kommunikationsplattform im Internet.
http://www.gmx.net



