assente (Guru), Joined: 12 Apr 2004, Posts: 570, Location: Torino, italia, New Europe
Posted: Sat Dec 25, 2004 11:29 am, Post subject: manageable script for iptables + rules for aMule [solved]
I found this script, which seems fairly well done to me (it is a slightly modified version taken from http://gentoo-wiki.com/HOWTO_Iptables_for_newbies ), but I have a few questions about it:
* How can I add the rules for aMule to it?
* Why, when I enable it, can I no longer reach 127.0.0.1 port 80?
Thanks everyone
```sh
#!/bin/sh
# First set LC_ALL to en to avoid l10n problems when awk-ing IPs etc.
#export LC_ALL="en"
# External interface
EXTIF=ppp0
# Internal interface
INTIF1=eth0
# Loop device/localhost
LPDIF=lo
LPDIP=127.0.0.1
LPDMSK=255.0.0.0
LPDNET="$LPDIP/$LPDMSK"
# Text tools variables
IPT='/sbin/iptables'
IFC='/sbin/ifconfig'
G='/bin/grep'
SED='/bin/sed'
# Last but not least, the users
#TERESA=192.168.2.77
# NOTE: this rule is removed again by the -F loop a few lines below
$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
# Deny then accept: this keeps holes from opening up
# while we close ports and such
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
# Flush all existing chains and erase personal chains
CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $CHAINS; do
    $IPT -t $i -F
done
for i in $CHAINS; do
    $IPT -t $i -X
done
# doesn't work
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done
# Disable IP source routing and ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $f
done
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting up external interface environment variables
# ('inet addr:' keeps the IPv6 "inet6 addr:" line out of the match)
EXTIP="`$IFC $EXTIF|$G 'inet addr:'|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
EXTBC="`$IFC $EXTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
# Due to absence of EXTBC I manually set it to 255.255.255.255
# this (hopefully) will serve the same purpose
EXTBC="255.255.255.255"
EXTMSK="`$IFC $EXTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
EXTNET="$EXTIP/$EXTMSK"
echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"
# Setting up environment variables for internal interface one
INTIP1="`$IFC $INTIF1|$G 'inet addr:'|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
INTBC1="`$IFC $INTIF1|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
INTMSK1="`$IFC $INTIF1|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
INTNET1="$INTIP1/$INTMSK1"
echo "INTIP1=$INTIP1 INTBC1=$INTBC1 INTMSK1=$INTMSK1 INTNET1=$INTNET1"
# We are now going to create a few custom chains that will result in
# logging of dropped packets. This will enable us to avoid having to
# enter a log command prior to every drop we wish to log. The
# first will log drops, the other will log rejects.
# Do not complain if chain already exists (so restart is clean)
$IPT -N DROPl 2> /dev/null
$IPT -A DROPl -j LOG --log-prefix 'DROPl:'
$IPT -A DROPl -j DROP
$IPT -N REJECTl 2> /dev/null
$IPT -A REJECTl -j LOG --log-prefix 'REJECTl:'
$IPT -A REJECTl -j REJECT
# Now we are going to accept all traffic from our loopback device
# if the IP matches any of our interfaces.
$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
#$IPT -A INPUT -i $INTIF1 -j AMULE
$IPT -A INPUT -i $LPDIF -s $LPDIP -j ACCEPT
$IPT -A INPUT -i $LPDIF -s $EXTIP -j ACCEPT
$IPT -A INPUT -i $LPDIF -s $INTIP1 -j ACCEPT
# Blocking Broadcasts
$IPT -A INPUT -i $EXTIF -d $EXTBC -j DROPl
$IPT -A INPUT -i $INTIF1 -d $INTBC1 -j DROPl
$IPT -A OUTPUT -o $EXTIF -d $EXTBC -j DROPl
$IPT -A OUTPUT -o $INTIF1 -d $INTBC1 -j DROPl
$IPT -A FORWARD -o $EXTIF -d $EXTBC -j DROPl
$IPT -A FORWARD -o $INTIF1 -d $INTBC1 -j DROPl
# Block WAN access to internal network
# This also stops nefarious crackers from using our network as a
# launching point to attack other people
# iptables translation:
# "if input arriving on our external interface is not addressed to our isp-assigned
# ip address, drop it like a hot potato"
$IPT -A INPUT -i $EXTIF ! -d $EXTIP -j DROPl
# Now we will block internal addresses originating from anything but our
# two predefined interfaces.....just remember that if you jack your
# laptop or another pc into one of these NIC's directly, you'll need
# to ensure that they either have the same ip or that you add a line explicitly
# for that IP as well
# Interface one/internal net one
$IPT -A INPUT -i $INTIF1 ! -s $INTNET1 -j DROPl
$IPT -A OUTPUT -o $INTIF1 ! -d $INTNET1 -j DROPl
$IPT -A FORWARD -i $INTIF1 ! -s $INTNET1 -j DROPl
$IPT -A FORWARD -o $INTIF1 ! -d $INTNET1 -j DROPl
# An additional Egress check
$IPT -A OUTPUT -o $EXTIF ! -s $EXTNET -j DROPl
# Block outbound ICMP (except for PING)
$IPT -A OUTPUT -o $EXTIF -p icmp ! --icmp-type 8 -j DROPl
$IPT -A FORWARD -o $EXTIF -p icmp ! --icmp-type 8 -j DROPl
# Common ports:
# 0 is tcpmux; SGI had vulnerability, 1 is common attack
# 13 is daytime
# 98 is Linuxconf
# 111 is sunrpc (portmap)
# 137:139, 445 is Microsoft
# SNMP: 161,2
# Squid flotilla: 3128, 8000, 8008, 8080
# 1214 is Morpheus or KaZaA
# 2049 is NFS
# 3049 is very virulent Linux Trojan, mistakable for NFS
# Common attacks: 1999, 4329, 6346
# Common Trojans 12345 65535
COMBLOCK="0:1 13 98 111 137:139 161:162 445 1214 1999 2049 3049 4329 6346 3128 8000 8008 8080 12345 65535"
# TCP ports:
# 98 is Linuxconf
# 512-515 is rexec, rlogin, rsh, printer(lpd)
# [very serious vulnerabilities; attacks continue daily]
# 1080 is Socks proxy server
# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)
# Block 6112 (Sun's/HP's CDE)
TCPBLOCK="$COMBLOCK 98 512:515 1080 6000:6009 6112"
# UDP ports:
# 161:162 is SNMP
# 520=RIP, 9000 is Sangoma
# 517:518 are talk and ntalk (more annoying than anything)
UDPBLOCK="$COMBLOCK 161:162 520 123 517:518 1427 9000"
echo -n "FW: Blocking attacks to TCP port "
for i in $TCPBLOCK; do
    echo -n "$i "
    $IPT -A INPUT -p tcp --dport $i -j DROPl
    $IPT -A OUTPUT -p tcp --dport $i -j DROPl
    $IPT -A FORWARD -p tcp --dport $i -j DROPl
done
echo ""
echo -n "FW: Blocking attacks to UDP port "
for i in $UDPBLOCK; do
    echo -n "$i "
    $IPT -A INPUT -p udp --dport $i -j DROPl
    $IPT -A OUTPUT -p udp --dport $i -j DROPl
    $IPT -A FORWARD -p udp --dport $i -j DROPl
done
echo ""
# Opening up ftp connection tracking
MODULES="ip_nat_ftp ip_conntrack_ftp"
for i in $MODULES; do
    echo "Inserting module $i"
    modprobe $i
done
# Defining some common chat clients. Remove these from your accepted list for better security.
IRC='ircd'
#MSN=1863
ICQ=5190
#NFS='sunrpc'
# We have to sync!!
PORTAGE='rsync'
OpenPGP_HTTP_Keyserver=11371
# All service ports are read from /etc/services
TCPSERV="domain ssh http https ftp ftp-data mail pop3 pop3s imap3 imaps imap2 time $PORTAGE $IRC $MSN $ICQ $OpenPGP_HTTP_Keyserver"
UDPSERV="domain time"
echo -n "FW: Allowing inside systems to use TCP service: "
for i in $TCPSERV; do
    echo -n "$i "
    $IPT -A OUTPUT -o $EXTIF -p tcp -s $EXTIP --dport $i --syn -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $INTIF1 -p tcp -s $INTNET1 --dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""
echo -n "FW: Allowing inside systems to use UDP service: "
for i in $UDPSERV; do
    echo -n "$i "
    $IPT -A OUTPUT -o $EXTIF -p udp -s $EXTIP --dport $i -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $INTIF1 -p udp -s $INTNET1 --dport $i -m state --state NEW -j ACCEPT
done
echo ""
# Allow to ping out
$IPT -A OUTPUT -o $EXTIF -p icmp -s $EXTIP --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF1 -p icmp -s $INTNET1 --icmp-type 8 -m state --state NEW -j ACCEPT
# Allow firewall to ping internal systems
$IPT -A OUTPUT -o $INTIF1 -p icmp -s $INTNET1 --icmp-type 8 -m state --state NEW -j ACCEPT
# Allow ssh from the internal network
$IPT -A INPUT -i $INTIF1 -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
# NAT table: accept everything, masquerade the internal net on the way out
$IPT -t nat -A PREROUTING -j ACCEPT
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET1 -j MASQUERADE
$IPT -t nat -A POSTROUTING -j ACCEPT
$IPT -t nat -A OUTPUT -j ACCEPT
$IPT -A INPUT -p tcp --dport auth --syn -m state --state NEW -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# block and log what we may have forgotten
$IPT -A INPUT -j DROPl
$IPT -A OUTPUT -j REJECTl
$IPT -A FORWARD -j DROPl
```
Last edited by assente on Sun Dec 26, 2004 3:40 pm; edited 2 times in total
FonderiaDigitale (Veteran), Joined: 06 Nov 2003, Posts: 1710, Location: Rome, Italy
Posted: Sat Dec 25, 2004 2:17 pm, Post subject: Re: manageable script for iptables + rules for aMule
assente wrote:
> * How can I add the rules for aMule to it?
> * Why, when I enable it, can I no longer reach 127.0.0.1 port 80?

add these two lines at the top of the script, before the rest:

```sh
$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
$IPT -N AMULE 2> /dev/null   # the chain has to exist before INPUT can jump to it
$IPT -A INPUT -i $INTIF1 -j AMULE
```

after that, create or remove the rules in the AMULE chain instead of in INPUT.
drakkan (Apprentice), Joined: 21 Jun 2004, Posts: 232
Posted: Sat Dec 25, 2004 2:26 pm
you could try using shorewall (www.shorewall.net) to write the iptables rules in a simpler way;
on the site I pointed you to you will find excellent documentation for the configuration.
FonderiaDigitale (Veteran), Joined: 06 Nov 2003, Posts: 1710, Location: Rome, Italy
Posted: Sat Dec 25, 2004 2:39 pm
drakkan wrote:
> you could try using shorewall (www.shorewall.net) to write the iptables rules in a simpler way;
> on the site I pointed you to you will find excellent documentation for the configuration.

I don't think that is very relevant.
drakkan (Apprentice), Joined: 21 Jun 2004, Posts: 232
Posted: Sat Dec 25, 2004 4:10 pm
I only wanted to point out an alternative and, in my opinion, simpler way to configure iptables; anyway, you're right, it is not an answer to the specific problem :oops:
assente (Guru), Joined: 12 Apr 2004, Posts: 570, Location: Torino, italia, New Europe
Posted: Sat Dec 25, 2004 5:01 pm
Before, I used Firestarter (a GUI for shorewall), but it seems too limiting to me.. so the time has come to get my hands dirty.
I inserted

```sh
$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
```

at the top, but it seems to change nothing; I also tried putting it after the initialisation of the variables.
stuart (Guru), Joined: 27 Apr 2003, Posts: 552
Posted: Sat Dec 25, 2004 7:42 pm
for overnet I use this:

```sh
#allow overnet
iptables -I INPUT -p tcp --dport 6666 -j ACCEPT
iptables -I INPUT -p udp --dport 6667 -j ACCEPT
iptables -I OUTPUT -p tcp --sport 6666 -j ACCEPT
iptables -I OUTPUT -p udp --sport 6667 -j ACCEPT
```

change the tcp and udp ports to whatever you want.
this instead is generated by guarddog for amule:

```sh
# Allow 'edonkey2000'
# f1to0 and f0to1 are chains created by guarddog itself, not default iptables chains
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 4661:4661 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 4662:4662 -m state --state NEW -j ACCEPT
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 4662:4662 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p udp --sport 1024:5999 --dport 4665:4665 -j ACCEPT
iptables -A f1to0 -p udp --sport 1024:5999 --dport 4666:4666 -j ACCEPT
iptables -A f0to1 -p udp --sport 1024:65535 --dport 4666:4666 -j ACCEPT
```

was this what you were asking for, or not?
FonderiaDigitale (Veteran), Joined: 06 Nov 2003, Posts: 1710, Location: Rome, Italy
Posted: Sat Dec 25, 2004 9:38 pm
assente wrote:
> Before, I used Firestarter (a GUI for shorewall), but it seems too limiting to me.. so the time has come to get my hands dirty.
> I inserted
> ```sh
> $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
> ```
> at the top, but it seems to change nothing; I also tried putting it after the initialisation of the variables.

if that really is the first rule in the iptables chain on your system, and nothing changes, then you have to look for the problem somewhere else, presumably in the httpd configuration.
assente (Guru), Joined: 12 Apr 2004, Posts: 570, Location: Torino, italia, New Europe
Posted: Sun Dec 26, 2004 12:01 am
I tried adding it after the variable initialisations; by the way, the script code had been copied badly (now it is correct).
I would like to make it work with the rules for aMule and localhost port 80 as well.

```
REJECTl:IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=63448 DF PROTO=TCP SPT=32896 DPT=80 WINDOW=32767 RES=0x00 SYN URGP=0
```

Ugh, it always refuses this traffic!! :cry:
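The REJECTl line above says where the packet died: IN is empty and OUT=lo, so it was the OUTPUT chain on the loopback interface that rejected it, and the script in the first post only accepts lo traffic in INPUT. The parser below is an added example, not code from the thread: it splits kernel LOG-target lines into fields, infers the chain from the IN/OUT pair and flags loopback hits with the rule that is missing; the first sample line is the one quoted in this post, the other two are constructed.

```python
import re

# Constructed sample: the first line is the REJECTl entry quoted in the thread, the other
# two are constructed here to show an INPUT drop on ppp0 and a FORWARD drop from the LAN.
SAMPLE_LOG = """\
REJECTl:IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=63448 DF PROTO=TCP SPT=32896 DPT=80 WINDOW=32767 RES=0x00 SYN URGP=0
DROPl:IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.9 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=1 DF PROTO=TCP SPT=3412 DPT=4662 WINDOW=65535 RES=0x00 SYN URGP=0
DROPl:IN=eth0 OUT=ppp0 SRC=192.168.0.5 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=UDP SPT=4672 DPT=4672
"""

FIELD_RE = re.compile(r"^([A-Z]+)=(.*)$")
START_RE = re.compile(r"\bIN=")


def parse_log_line(line):
    """Split one LOG-target line into its log prefix, KEY=VALUE fields and bare flags (DF, SYN)."""
    m = START_RE.search(line)
    if m is None:
        raise ValueError("not an iptables LOG line: %r" % line)
    rec = {"PREFIX": line[:m.start()].strip(), "FLAGS": []}
    for tok in line[m.start():].split():
        f = FIELD_RE.match(tok)
        if f:
            rec[f.group(1)] = f.group(2)  # an empty value (IN=) is kept as ""
        else:
            rec["FLAGS"].append(tok)
    return rec


def chain_of(rec):
    """Infer the filter chain: INPUT logs only IN, OUTPUT only OUT, FORWARD both."""
    has_in, has_out = bool(rec.get("IN")), bool(rec.get("OUT"))
    if has_in and has_out:
        return "FORWARD"
    return "INPUT" if has_in else ("OUTPUT" if has_out else "UNKNOWN")


def diagnose(rec):
    """Explain one logged drop; a hit on lo means that chain lacks a loopback ACCEPT."""
    chain = chain_of(rec)
    iface = rec.get("OUT") if chain == "OUTPUT" else rec.get("IN")
    flow = "%s %s:%s -> %s:%s" % (rec.get("PROTO"), rec.get("SRC"), rec.get("SPT"),
                                 rec.get("DST"), rec.get("DPT"))
    if iface == "lo":
        fix = "iptables -A %s %s lo -j ACCEPT" % (chain, "-o" if chain == "OUTPUT" else "-i")
        hint = "loopback traffic hit %s in %s; add '%s' after the flush and before the catch-all" % (
            rec["PREFIX"], chain, fix)
    else:
        hint = "%s in %s on %s; expected unless this service should be reachable" % (
            rec["PREFIX"], chain, iface)
    return {"chain": chain, "iface": iface, "flow": flow, "hint": hint}


def analyse(text):
    """Run diagnose() over every LOG line found in a block of kernel log text."""
    return [diagnose(parse_log_line(l)) for l in text.splitlines() if START_RE.search(l)]


if __name__ == "__main__":
    for d in analyse(SAMPLE_LOG):
        print(d["chain"], d["flow"], "|", d["hint"])
```

Feed it `dmesg` or `/var/log/messages` output filtered on the DROPl:/REJECTl: prefixes to see which chain and interface each logged packet was dropped in.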
rota (l33t), Joined: 13 Aug 2003, Posts: 960
Posted: Sun Dec 26, 2004 3:20 am
```sh
# forward the eDonkey TCP/UDP ports arriving on eth1 to the internal host running aMule
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 4662 -j DNAT --to-destination 192.168.0.1:4662
iptables -t nat -A PREROUTING -p udp -i eth1 --dport 4672 -j DNAT --to-destination 192.168.0.1:4672
```

these 2 rules are enough to use amule ... :wink:
assente (Guru), Joined: 12 Apr 2004, Posts: 570, Location: Torino, italia, New Europe
Posted: Sun Dec 26, 2004 3:40 pm
I solved it with this:

```sh
#!/bin/sh
## script to enable masquerading
## must be run as root after the DSL connection is up
## usage: sh nat.sh
#
# bring up alias interface eth0:1 :
#ifconfig eth0:1 192.168.0.1 netmask 255.255.255.0 broadcast 192.168.0.255 up
#N.B. To load this script at boot put "sh /path/to/script/firewall.sh" at the bottom of /etc/rc.local
######### RESET IPTABLES
echo -n "Cleaning Tables... "
#
# reset the default policies in the filter table.
#
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
#
# reset the default policies in the nat table.
#
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
#
# reset the default policies in the mangle table.
#
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
#
# flush all the rules in the filter, nat and mangle tables.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
#
# erase all chains that are not default in the filter, nat and mangle tables.
#
iptables -X
iptables -t nat -X
iptables -t mangle -X
######### RESET DONE
echo "done!"
######### BRING UP FIREWALL
echo "Bringing Up Firewall... "
# Determine the external IP automatically:
EXTIP="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
# if you want to share your internet connection securely, you must do that in the FORWARD chain.
iptables -P FORWARD DROP # assign the default policy DROP to the FORWARD chain
iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT # accept everything coming from your net and going to other nets (like the internet)
#iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # allow all established/related packets.
# now the local networks behind your firewall are secure enough.
# and if you want to secure the linux gateway itself, you must do that in the INPUT chain:
iptables -P INPUT DROP
#iptables -A INPUT -s 127.0.0.1/8 -j ACCEPT
# loopback traffic only ever arrives on lo; binding the rule to -i lo keeps the
# anti-spoofing rules further down meaningful
iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
# trust the LAN range on any interface except the external one, for the same reason
iptables -A INPUT ! -i ppp0 -s 192.168.0.0/24 -j ACCEPT
#iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT
# note: matches on any interface, so it trusts a source address that can be spoofed from ppp0
iptables -A INPUT -s $EXTIP -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#open port:
#rule: iptables -A INPUT -i ppp0 -p (protocol) --dport (port_no) -j ACCEPT
#FTP
#iptables -A INPUT -i ppp0 -p tcp --dport 21 -j ACCEPT
#SSH
#iptables -A INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT
#SMTP
#iptables -A INPUT -i ppp0 -p tcp --dport 25 -j ACCEPT
#HTTP and HTTPS
#iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
#iptables -A INPUT -i ppp0 -p tcp --dport 443 -j ACCEPT
#POP3
#iptables -A INPUT -i ppp0 -p tcp --dport 110 -j ACCEPT
#iptables -A INPUT -i ppp0 -p tcp --dport 113 -j ACCEPT
#NTP
#iptables -A INPUT -i ppp0 -p tcp --dport 123 -j ACCEPT
#GAIM and co. on MSN
iptables -A INPUT -i ppp0 -p tcp --dport 1863 -j ACCEPT
#eDonkey-aMule
iptables -A INPUT -i ppp0 -p tcp --dport 4661 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 4662 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp --dport 4665 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp --dport 4664 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp --dport 4672 -j ACCEPT
#edonkey webserver
#iptables -A INPUT -i ppp0 -p tcp --dport 4711 -j ACCEPT
#iptables -A INPUT -i ppp0 -p tcp --dport 4712 -j ACCEPT
#Webmin
#iptables -A INPUT -i ppp0 -p tcp --dport 10000 -j ACCEPT
#FreeDB and CDDB
#iptables -A INPUT -i ppp0 -p tcp --dport 888 -j ACCEPT
#iptables -A INPUT -i ppp0 -p tcp --dport 8880 -j ACCEPT
#Nicotine/Soulseek
#iptables -A INPUT -i ppp0 -p tcp --dport 2234 -j ACCEPT
#DNS
#iptables -A INPUT -i ppp0 -p tcp --dport 53 -j ACCEPT
#PING (all ICMP from ppp0 is accepted here; comment the next line out to disable it)
iptables -A INPUT -i ppp0 -p icmp -j ACCEPT
#Mute port
#iptables -A INPUT -i ppp0 -p tcp --dport 4900 -j ACCEPT
#iptables -A INPUT -i ppp0 -p tcp --dport 4901 -j ACCEPT
echo "Paranoid rules..."
# Deny spoofed packets arriving from the external interface (ppp0) which mimic internal IP addresses
iptables -A INPUT -s 192.168.0.0/24 -i ppp0 -j REJECT
iptables -A INPUT -s 127.0.0.0/8 -i ppp0 -j DROP
#
# For safety I set a final log rule and a drop rule as a last resort
#
iptables -A INPUT -i ppp0 -j LOG --log-prefix "Default drop:"
iptables -A INPUT -i ppp0 -j DROP
######### FIREWALL DONE
echo "Firewall done!"
######### MASQUERADING AND IP FORWARDING
echo -n "Enable Masquerading... "
# Next, an iptables rule to enable masquerading:
iptables -t nat -I POSTROUTING -o ppp0 -j MASQUERADE
# Finally, enable ip forwarding (already active by default in my conf):
echo 1 > /proc/sys/net/ipv4/ip_forward
######### MASQUERADING AND IP FORWARDING DONE
echo "done!"
#save iptables
#iptables-save >/etc/sysconfig/iptables
echo "All done!"
```
rota (l33t), Joined: 13 Aug 2003, Posts: 960
Posted: Mon Jan 03, 2005 3:46 am
hmm... I can't figure out which rules you used??? :oops:
assente (Guru), Joined: 12 Apr 2004, Posts: 570, Location: Torino, italia, New Europe
Posted: Mon Jan 03, 2005 11:25 am
regarding amule? these:

```sh
#eDonkey-aMule
iptables -A INPUT -i ppp0 -p tcp --dport 4661 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 4662 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp --dport 4665 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp --dport 4664 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp --dport 4672 -j ACCEPT
```