forum.opennet.ru

Составление сообщения

Исходное сообщение

"iptables"
Отправлено dbelokursky, 26-Авг-10 10:44

>>>все правильно там написано и даже рассказано какое правило для чего нужно,
>>>но DMZ было бы лучше.
>>
>>Наверно правильно. Но к сожалению у меня не работает.
>
>когда что-то не работает, то правила уменьшают до минимума и добиваются работы,
>а потом уже начинают добавлять понемногу правил и проверять.
>
>в приведенном виде смотреть правила что-то тосклива, покажите вывод iptables-save
Спасибо. Вот результат iptables-save:
:jmpim - [0:0]
:jmpp3scan - [0:0]
:jmpsip - [0:0]
:jmpsquid - [0:0]
:p3scan - [0:0]
:portfw - [0:0]
:sip - [0:0]
:squid - [0:0]
-A PREROUTING -j portfw
-A PREROUTING -i eth0 -j jmpsquid
-A PREROUTING -i eth0 -j jmpim
-A PREROUTING -i eth0 -j jmpp3scan
-A PREROUTING -i eth0 -j jmpsip
-A PREROUTING -i ppp0 -j MINIUPNPD
-A PREROUTING -i ippp0 -j MINIUPNPD
-A PREROUTING -i eth1 -j MINIUPNPD
-A PREROUTING -d xx.xx.105.6 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.11
-A PREROUTING -d 192.168.1.200 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.11
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o ippp0 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -d 192.168.1.11 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.1.200
-A POSTROUTING -p tcp
-A POSTROUTING -p tcp
-A MINIUPNPD -p tcp -m tcp --dport 53137 -j DNAT --to-destination 192.168.1.128:53137
-A MINIUPNPD -p udp -m udp --dport 53137 -j DNAT --to-destination 192.168.1.128:53137
-A MINIUPNPD -p tcp -m tcp --dport 2534 -j DNAT --to-destination 192.168.1.51:7734
-A jmpim -d 10.0.0.0/255.0.0.0 -j RETURN
-A jmpim -d 172.16.0.0/255.240.0.0 -j RETURN
-A jmpim -d 192.168.0.0/255.255.0.0 -j RETURN
-A jmpim -d 169.254.0.0/255.255.0.0 -j RETURN
-A jmpim -j im
-A jmpp3scan -d 10.0.0.0/255.0.0.0 -j RETURN
-A jmpp3scan -d 172.16.0.0/255.240.0.0 -j RETURN
-A jmpp3scan -d 192.168.0.0/255.255.0.0 -j RETURN
-A jmpp3scan -d 169.254.0.0/255.255.0.0 -j RETURN
-A jmpp3scan -j p3scan
-A jmpsip -d 10.0.0.0/255.0.0.0 -j RETURN
-A jmpsip -d 172.16.0.0/255.240.0.0 -j RETURN
-A jmpsip -d 192.168.0.0/255.255.0.0 -j RETURN
-A jmpsip -d 169.254.0.0/255.255.0.0 -j RETURN
-A jmpsip -j sip
-A jmpsquid -d 10.0.0.0/255.0.0.0 -j RETURN
-A jmpsquid -d 172.16.0.0/255.240.0.0 -j RETURN
-A jmpsquid -d 192.168.0.0/255.255.0.0 -j RETURN
-A jmpsquid -d 169.254.0.0/255.255.0.0 -j RETURN
-A jmpsquid -j squid
-A portfw -d xx.xx.105.6 -p tcp -m tcp --dport 53137 -j DNAT --to-destination 192.168.1.128:53137
-A portfw -d xx.xx.105.6 -p udp -m udp --dport 53137 -j DNAT --to-destination 192.168.1.128:53137
-A portfw -d xx.xx.105.6 -p tcp -m tcp --dport 5901 -j DNAT --to-destination 192.168.1.112:5901
-A portfw -d xx.xx.105.6 -p tcp -m tcp --dport 8081 -j DNAT --to-destination 192.168.1.112:80
-A portfw -d xx.xx.105.6 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.11:80
-A squid -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 800
COMMIT
# Completed on Thu Aug 26 10:40:40 2010
# Generated by iptables-save v1.3.7 on Thu Aug 26 10:40:40 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [7583567:5415769679]
:MINIUPNPD - [0:0]
:advnet - [0:0]
:allows - [0:0]
:badtraffic - [0:0]
:block - [0:0]
:dmzholes - [0:0]
:ipblock - [0:0]
:ipsec - [0:0]
:outbound - [0:0]
:outgreen - [0:0]
:outorange - [0:0]
:outpurple - [0:0]
:portfwf - [0:0]
:secin - [0:0]
:secout - [0:0]
:siprtpports - [0:0]
:spoof - [0:0]
:timedaccess - [0:0]
:timedaction - [0:0]
:xtaccess - [0:0]
-A INPUT -i ppp0 -j ipblock
-A INPUT -i ippp0 -j ipblock
-A INPUT -i eth1 -j ipblock
-A INPUT -j timedaccess
-A INPUT -i ppp0 -j advnet
-A INPUT -i ippp0 -j advnet
-A INPUT -i eth1 -j advnet
-A INPUT -i ppp0 -j spoof
-A INPUT -i ippp0 -j spoof
-A INPUT -i eth1 -j spoof
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j secin
-A INPUT -j block
-A INPUT -j LOG
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i ppp0 -j ipblock
-A FORWARD -i ippp0 -j ipblock
-A FORWARD -i eth1 -j ipblock
-A FORWARD -j timedaccess
-A FORWARD -j secout
-A FORWARD -o ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o ppp0 -m state --state NEW -j outbound
-A FORWARD -o ippp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ippp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o ippp0 -m state --state NEW -j outbound
-A FORWARD -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth1 -m state --state NEW -j outbound
-A FORWARD -i ppp0 -j portfwf
-A FORWARD -i ippp0 -j portfwf
-A FORWARD -i eth1 -j portfwf
-A FORWARD -m mark --mark 0x1 -j portfwf
-A FORWARD -i eth0 -o ipsec0 -j ACCEPT
-A FORWARD -i ipsec0 -o eth0 -j ACCEPT
-A FORWARD -i ppp0 -o ! ppp0 -j MINIUPNPD
-A FORWARD -i ippp0 -o ! ippp0 -j MINIUPNPD
-A FORWARD -i eth1 -o ! eth1 -j MINIUPNPD
-A FORWARD -j LOG
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A MINIUPNPD -d 192.168.1.128 -p tcp -m tcp --dport 53137 -j ACCEPT
-A MINIUPNPD -d 192.168.1.128 -p udp -m udp --dport 53137 -j ACCEPT
-A MINIUPNPD -d 192.168.1.51 -p tcp -m tcp --dport 7734 -j ACCEPT
-A allows -s 192.168.1.115 -j ACCEPT
-A allows -s 192.168.1.130 -j ACCEPT
-A allows -s 192.168.1.132 -j ACCEPT
-A block -m state --state RELATED,ESTABLISHED -j ACCEPT
-A block -i eth0 -j ACCEPT
-A block -j xtaccess
-A block -i ppp0 -j ipsec
-A block -i ippp0 -j ipsec
-A block -i eth1 -j ipsec
-A block -i ppp0 -j siprtpports
-A block -i ippp0 -j siprtpports
-A block -i eth1 -j siprtpports
-A block -i ppp0 -p icmp -j ACCEPT
-A block -i ippp0 -p icmp -j ACCEPT
-A block -i eth1 -p icmp -j ACCEPT
-A block -j badtraffic
-A ipsec -p udp -m udp --dport 500 -j ACCEPT
-A ipsec -p udp -m udp --dport 4500 -j ACCEPT
-A ipsec -p esp -j ACCEPT
-A ipsec -p ah -j ACCEPT
-A outbound -p icmp -j ACCEPT
-A outbound -j allows
-A outbound -i eth0 -j outgreen
-A outgreen -p tcp -m tcp --dport 22 -j ACCEPT
-A outgreen -p udp -m udp --dport 22 -j ACCEPT
-A outgreen -p tcp -m tcp --dport 23 -j ACCEPT
-A outgreen -p udp -m udp --dport 23 -j ACCEPT
-A outgreen -p tcp -m tcp --dport 5631 -j ACCEPT
-A outgreen -p udp -m udp --dport 5631 -j ACCEPT
-A outgreen -p tcp -m tcp --dport 21 -j ACCEPT
-A outgreen -p udp -m udp --dport 21 -j ACCEPT
-A outgreen -p tcp -m tcp --dport 115 -j ACCEPT
-A outgreen -p udp -m udp --dport 115 -j ACCEPT
-A outgreen -p tcp -m tcp --dport 25 -j ACCEPT
-A outgreen -p udp -m udp --dport 25 -j ACCEPT
-A outgreen -p tcp -m tcp --dport 109 -j ACCEPT
-A outgreen -p udp -m udp --dport 109 -j ACCEPT
-A outgreen -p tcp -m tcp --dport 110 -j ACCEPT
-A outgreen -p udp -m udp --dport 110 -j ACCEPT
-A outgreen -p tcp -m tcp --dport 143 -j ACCEPT
-A outgreen -p udp -m udp --dport 143 -j ACCEPT
-A outgreen -p tcp -m tcp --dport 465 -j ACCEPT
-A outgreen -p udp -m udp --dport 465 -j ACCEPT
-A outgreen -p tcp -m tcp --dport 995 -j ACCEPT
-A outgreen -p udp -m udp --dport 995 -j ACCEPT
-A outgreen -p tcp -m tcp --dport 993 -j ACCEPT
-A outgreen -p udp -m udp --dport 993 -j ACCEPT
-A outgreen -p tcp -m tcp --dport 119 -j ACCEPT
-A outgreen -p udp -m udp --dport 119 -j ACCEPT
-A outgreen -p tcp -m tcp --dport 563 -j ACCEPT
-A outgreen -p udp -m udp --dport 563 -j ACCEPT
-A outgreen -p tcp -m tcp --dport 1863 -j ACCEPT
-A outgreen -p udp -m udp --dport 1863 -j ACCEPT
-A outgreen -p tcp -m tcp --dport 4000 -j ACCEPT
-A outgreen -p udp -m udp --dport 4000 -j ACCEPT
-A outgreen -p tcp -m tcp --dport 5190 -j ACCEPT
-A outgreen -p udp -m udp --dport 5190 -j ACCEPT
-A outgreen -p tcp -m tcp --dport 6667:7000 -j ACCEPT
-A outgreen -p udp -m udp --dport 6667:7000 -j ACCEPT
-A outgreen -p tcp -m tcp --dport 5050 -j ACCEPT
-A outgreen -p udp -m udp --dport 5050 -j ACCEPT
-A outgreen -p tcp -m tcp --dport 7070 -j ACCEPT
-A outgreen -p udp -m udp --dport 7070 -j ACCEPT
-A outgreen -p tcp -m tcp --dport 47624 -j ACCEPT
-A outgreen -p udp -m udp --dport 47624 -j ACCEPT
-A outgreen -p tcp -m tcp --dport 80 -j ACCEPT
-A outgreen -p udp -m udp --dport 80 -j ACCEPT
-A outgreen -p tcp -m tcp --dport 443 -j ACCEPT
-A outgreen -p udp -m udp --dport 443 -j ACCEPT
-A outorange -j ACCEPT
-A outpurple -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p udp -m udp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p tcp -m tcp --dport 23 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p udp -m udp --dport 23 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p tcp -m tcp --dport 5631 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p udp -m udp --dport 5631 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p udp -m udp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p tcp -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p udp -m udp --dport 443 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p tcp -m tcp --dport 21 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p udp -m udp --dport 21 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p tcp -m tcp --dport 115 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p udp -m udp --dport 115 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p udp -m udp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p tcp -m tcp --dport 109 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p udp -m udp --dport 109 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p tcp -m tcp --dport 110 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p udp -m udp --dport 110 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p tcp -m tcp --dport 143 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p udp -m udp --dport 143 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p tcp -m tcp --dport 465 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p udp -m udp --dport 465 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p tcp -m tcp --dport 995 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p udp -m udp --dport 995 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p tcp -m tcp --dport 993 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p udp -m udp --dport 993 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p tcp -m tcp --dport 119 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p udp -m udp --dport 119 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p tcp -m tcp --dport 563 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p udp -m udp --dport 563 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p tcp -m tcp --dport 1863 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p udp -m udp --dport 1863 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p tcp -m tcp --dport 4000 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p udp -m udp --dport 4000 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p tcp -m tcp --dport 5190 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p udp -m udp --dport 5190 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p tcp -m tcp --dport 6667:7000 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p udp -m udp --dport 6667:7000 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p tcp -m tcp --dport 5050 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p udp -m udp --dport 5050 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p tcp -m tcp --dport 7070 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p udp -m udp --dport 7070 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p tcp -m tcp --dport 47624 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -p udp -m udp --dport 47624 -j REJECT --reject-with icmp-port-unreachable
-A outpurple -j ACCEPT
-A portfwf -d 192.168.1.128 -p tcp -m state --state NEW -m tcp --dport 53137 -j ACCEPT
-A portfwf -d 192.168.1.128 -p udp -m state --state NEW -m udp --dport 53137 -j ACCEPT
-A portfwf -d 192.168.1.112 -p tcp -m state --state NEW -m tcp --dport 5901 -j ACCEPT
-A portfwf -d 192.168.1.112 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A portfwf -d 192.168.1.11 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A secin -i ipsec0 -j ACCEPT
-A secout -i ipsec0 -j ACCEPT
-A spoof -s 192.168.1.0/255.255.255.0 -j DROP
-A timedaction -j LOG --log-prefix "Denied-by-Timed-Access:-"
-A timedaction -j REJECT --reject-with icmp-port-unreachable
-A xtaccess -i ppp0 -p tcp -m tcp --dport 113 -j ACCEPT
-A xtaccess -i ippp0 -p tcp -m tcp --dport 113 -j ACCEPT
-A xtaccess -i ppp0 -p tcp -m tcp --dport 441 -j ACCEPT
-A xtaccess -i ippp0 -p tcp -m tcp --dport 441 -j ACCEPT
-A xtaccess -i ppp0 -p tcp -m tcp --dport 222 -j ACCEPT
-A xtaccess -i ippp0 -p tcp -m tcp --dport 222 -j ACCEPT
COMMIT

Исходное сообщение
"iptables" Отправлено dbelokursky, 26-Авг-10 10:44
>>>все правильно там написано и даже рассказано какое правило для чего нужно, >>>но DMZ было бы лучше. >> >>Наверно правильно. Но к сожалению у меня не работает. > >когда что-то не работает, то правила уменьшают до минимума и добиваются работы, >а потом уже начинают добавлять понемногу правил и проверять. > >в приведенном виде смотреть правила что-то тосклива, покажите вывод iptables-save Спасибо. Вот результат iptables-save: :jmpim - [0:0] :jmpp3scan - [0:0] :jmpsip - [0:0] :jmpsquid - [0:0] :p3scan - [0:0] :portfw - [0:0] :sip - [0:0] :squid - [0:0] -A PREROUTING -j portfw -A PREROUTING -i eth0 -j jmpsquid -A PREROUTING -i eth0 -j jmpim -A PREROUTING -i eth0 -j jmpp3scan -A PREROUTING -i eth0 -j jmpsip -A PREROUTING -i ppp0 -j MINIUPNPD -A PREROUTING -i ippp0 -j MINIUPNPD -A PREROUTING -i eth1 -j MINIUPNPD -A PREROUTING -d xx.xx.105.6 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.11 -A PREROUTING -d 192.168.1.200 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.11 -A POSTROUTING -o ppp0 -j MASQUERADE -A POSTROUTING -o ippp0 -j MASQUERADE -A POSTROUTING -o eth1 -j MASQUERADE -A POSTROUTING -d 192.168.1.11 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.1.200 -A POSTROUTING -p tcp -A POSTROUTING -p tcp -A MINIUPNPD -p tcp -m tcp --dport 53137 -j DNAT --to-destination 192.168.1.128:53137 -A MINIUPNPD -p udp -m udp --dport 53137 -j DNAT --to-destination 192.168.1.128:53137 -A MINIUPNPD -p tcp -m tcp --dport 2534 -j DNAT --to-destination 192.168.1.51:7734 -A jmpim -d 10.0.0.0/255.0.0.0 -j RETURN -A jmpim -d 172.16.0.0/255.240.0.0 -j RETURN -A jmpim -d 192.168.0.0/255.255.0.0 -j RETURN -A jmpim -d 169.254.0.0/255.255.0.0 -j RETURN -A jmpim -j im -A jmpp3scan -d 10.0.0.0/255.0.0.0 -j RETURN -A jmpp3scan -d 172.16.0.0/255.240.0.0 -j RETURN -A jmpp3scan -d 192.168.0.0/255.255.0.0 -j RETURN -A jmpp3scan -d 169.254.0.0/255.255.0.0 -j RETURN -A jmpp3scan -j p3scan -A jmpsip -d 10.0.0.0/255.0.0.0 -j RETURN -A jmpsip -d 172.16.0.0/255.240.0.0 -j RETURN -A jmpsip -d 192.168.0.0/255.255.0.0 -j RETURN -A jmpsip -d 169.254.0.0/255.255.0.0 -j RETURN -A jmpsip -j sip -A jmpsquid -d 10.0.0.0/255.0.0.0 -j RETURN -A jmpsquid -d 172.16.0.0/255.240.0.0 -j RETURN -A jmpsquid -d 192.168.0.0/255.255.0.0 -j RETURN -A jmpsquid -d 169.254.0.0/255.255.0.0 -j RETURN -A jmpsquid -j squid -A portfw -d xx.xx.105.6 -p tcp -m tcp --dport 53137 -j DNAT --to-destination 192.168.1.128:53137 -A portfw -d xx.xx.105.6 -p udp -m udp --dport 53137 -j DNAT --to-destination 192.168.1.128:53137 -A portfw -d xx.xx.105.6 -p tcp -m tcp --dport 5901 -j DNAT --to-destination 192.168.1.112:5901 -A portfw -d xx.xx.105.6 -p tcp -m tcp --dport 8081 -j DNAT --to-destination 192.168.1.112:80 -A portfw -d xx.xx.105.6 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.11:80 -A squid -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 800 COMMIT # Completed on Thu Aug 26 10:40:40 2010 # Generated by iptables-save v1.3.7 on Thu Aug 26 10:40:40 2010 *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [7583567:5415769679] :MINIUPNPD - [0:0] :advnet - [0:0] :allows - [0:0] :badtraffic - [0:0] :block - [0:0] :dmzholes - [0:0] :ipblock - [0:0] :ipsec - [0:0] :outbound - [0:0] :outgreen - [0:0] :outorange - [0:0] :outpurple - [0:0] :portfwf - [0:0] :secin - [0:0] :secout - [0:0] :siprtpports - [0:0] :spoof - [0:0] :timedaccess - [0:0] :timedaction - [0:0] :xtaccess - [0:0] -A INPUT -i ppp0 -j ipblock -A INPUT -i ippp0 -j ipblock -A INPUT -i eth1 -j ipblock -A INPUT -j timedaccess -A INPUT -i ppp0 -j advnet -A INPUT -i ippp0 -j advnet -A INPUT -i eth1 -j advnet -A INPUT -i ppp0 -j spoof -A INPUT -i ippp0 -j spoof -A INPUT -i eth1 -j spoof -A INPUT -i lo -j ACCEPT -A INPUT -i eth0 -j ACCEPT -A INPUT -j secin -A INPUT -j block -A INPUT -j LOG -A INPUT -j REJECT --reject-with icmp-port-unreachable -A FORWARD -i ppp0 -j ipblock -A FORWARD -i ippp0 -j ipblock -A FORWARD -i eth1 -j ipblock -A FORWARD -j timedaccess -A FORWARD -j secout -A FORWARD -o ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -o ppp0 -m state --state NEW -j outbound -A FORWARD -o ippp0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i ippp0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -o ippp0 -m state --state NEW -j outbound -A FORWARD -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -o eth1 -m state --state NEW -j outbound -A FORWARD -i ppp0 -j portfwf -A FORWARD -i ippp0 -j portfwf -A FORWARD -i eth1 -j portfwf -A FORWARD -m mark --mark 0x1 -j portfwf -A FORWARD -i eth0 -o ipsec0 -j ACCEPT -A FORWARD -i ipsec0 -o eth0 -j ACCEPT -A FORWARD -i ppp0 -o ! ppp0 -j MINIUPNPD -A FORWARD -i ippp0 -o ! ippp0 -j MINIUPNPD -A FORWARD -i eth1 -o ! eth1 -j MINIUPNPD -A FORWARD -j LOG -A FORWARD -j REJECT --reject-with icmp-port-unreachable -A MINIUPNPD -d 192.168.1.128 -p tcp -m tcp --dport 53137 -j ACCEPT -A MINIUPNPD -d 192.168.1.128 -p udp -m udp --dport 53137 -j ACCEPT -A MINIUPNPD -d 192.168.1.51 -p tcp -m tcp --dport 7734 -j ACCEPT -A allows -s 192.168.1.115 -j ACCEPT -A allows -s 192.168.1.130 -j ACCEPT -A allows -s 192.168.1.132 -j ACCEPT -A block -m state --state RELATED,ESTABLISHED -j ACCEPT -A block -i eth0 -j ACCEPT -A block -j xtaccess -A block -i ppp0 -j ipsec -A block -i ippp0 -j ipsec -A block -i eth1 -j ipsec -A block -i ppp0 -j siprtpports -A block -i ippp0 -j siprtpports -A block -i eth1 -j siprtpports -A block -i ppp0 -p icmp -j ACCEPT -A block -i ippp0 -p icmp -j ACCEPT -A block -i eth1 -p icmp -j ACCEPT -A block -j badtraffic -A ipsec -p udp -m udp --dport 500 -j ACCEPT -A ipsec -p udp -m udp --dport 4500 -j ACCEPT -A ipsec -p esp -j ACCEPT -A ipsec -p ah -j ACCEPT -A outbound -p icmp -j ACCEPT -A outbound -j allows -A outbound -i eth0 -j outgreen -A outgreen -p tcp -m tcp --dport 22 -j ACCEPT -A outgreen -p udp -m udp --dport 22 -j ACCEPT -A outgreen -p tcp -m tcp --dport 23 -j ACCEPT -A outgreen -p udp -m udp --dport 23 -j ACCEPT -A outgreen -p tcp -m tcp --dport 5631 -j ACCEPT -A outgreen -p udp -m udp --dport 5631 -j ACCEPT -A outgreen -p tcp -m tcp --dport 21 -j ACCEPT -A outgreen -p udp -m udp --dport 21 -j ACCEPT -A outgreen -p tcp -m tcp --dport 115 -j ACCEPT -A outgreen -p udp -m udp --dport 115 -j ACCEPT -A outgreen -p tcp -m tcp --dport 25 -j ACCEPT -A outgreen -p udp -m udp --dport 25 -j ACCEPT -A outgreen -p tcp -m tcp --dport 109 -j ACCEPT -A outgreen -p udp -m udp --dport 109 -j ACCEPT -A outgreen -p tcp -m tcp --dport 110 -j ACCEPT -A outgreen -p udp -m udp --dport 110 -j ACCEPT -A outgreen -p tcp -m tcp --dport 143 -j ACCEPT -A outgreen -p udp -m udp --dport 143 -j ACCEPT -A outgreen -p tcp -m tcp --dport 465 -j ACCEPT -A outgreen -p udp -m udp --dport 465 -j ACCEPT -A outgreen -p tcp -m tcp --dport 995 -j ACCEPT -A outgreen -p udp -m udp --dport 995 -j ACCEPT -A outgreen -p tcp -m tcp --dport 993 -j ACCEPT -A outgreen -p udp -m udp --dport 993 -j ACCEPT -A outgreen -p tcp -m tcp --dport 119 -j ACCEPT -A outgreen -p udp -m udp --dport 119 -j ACCEPT -A outgreen -p tcp -m tcp --dport 563 -j ACCEPT -A outgreen -p udp -m udp --dport 563 -j ACCEPT -A outgreen -p tcp -m tcp --dport 1863 -j ACCEPT -A outgreen -p udp -m udp --dport 1863 -j ACCEPT -A outgreen -p tcp -m tcp --dport 4000 -j ACCEPT -A outgreen -p udp -m udp --dport 4000 -j ACCEPT -A outgreen -p tcp -m tcp --dport 5190 -j ACCEPT -A outgreen -p udp -m udp --dport 5190 -j ACCEPT -A outgreen -p tcp -m tcp --dport 6667:7000 -j ACCEPT -A outgreen -p udp -m udp --dport 6667:7000 -j ACCEPT -A outgreen -p tcp -m tcp --dport 5050 -j ACCEPT -A outgreen -p udp -m udp --dport 5050 -j ACCEPT -A outgreen -p tcp -m tcp --dport 7070 -j ACCEPT -A outgreen -p udp -m udp --dport 7070 -j ACCEPT -A outgreen -p tcp -m tcp --dport 47624 -j ACCEPT -A outgreen -p udp -m udp --dport 47624 -j ACCEPT -A outgreen -p tcp -m tcp --dport 80 -j ACCEPT -A outgreen -p udp -m udp --dport 80 -j ACCEPT -A outgreen -p tcp -m tcp --dport 443 -j ACCEPT -A outgreen -p udp -m udp --dport 443 -j ACCEPT -A outorange -j ACCEPT -A outpurple -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p udp -m udp --dport 22 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p tcp -m tcp --dport 23 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p udp -m udp --dport 23 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p tcp -m tcp --dport 5631 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p udp -m udp --dport 5631 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p udp -m udp --dport 80 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p tcp -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p udp -m udp --dport 443 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p tcp -m tcp --dport 21 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p udp -m udp --dport 21 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p tcp -m tcp --dport 115 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p udp -m udp --dport 115 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p udp -m udp --dport 25 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p tcp -m tcp --dport 109 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p udp -m udp --dport 109 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p tcp -m tcp --dport 110 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p udp -m udp --dport 110 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p tcp -m tcp --dport 143 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p udp -m udp --dport 143 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p tcp -m tcp --dport 465 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p udp -m udp --dport 465 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p tcp -m tcp --dport 995 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p udp -m udp --dport 995 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p tcp -m tcp --dport 993 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p udp -m udp --dport 993 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p tcp -m tcp --dport 119 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p udp -m udp --dport 119 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p tcp -m tcp --dport 563 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p udp -m udp --dport 563 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p tcp -m tcp --dport 1863 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p udp -m udp --dport 1863 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p tcp -m tcp --dport 4000 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p udp -m udp --dport 4000 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p tcp -m tcp --dport 5190 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p udp -m udp --dport 5190 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p tcp -m tcp --dport 6667:7000 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p udp -m udp --dport 6667:7000 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p tcp -m tcp --dport 5050 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p udp -m udp --dport 5050 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p tcp -m tcp --dport 7070 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p udp -m udp --dport 7070 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p tcp -m tcp --dport 47624 -j REJECT --reject-with icmp-port-unreachable -A outpurple -p udp -m udp --dport 47624 -j REJECT --reject-with icmp-port-unreachable -A outpurple -j ACCEPT -A portfwf -d 192.168.1.128 -p tcp -m state --state NEW -m tcp --dport 53137 -j ACCEPT -A portfwf -d 192.168.1.128 -p udp -m state --state NEW -m udp --dport 53137 -j ACCEPT -A portfwf -d 192.168.1.112 -p tcp -m state --state NEW -m tcp --dport 5901 -j ACCEPT -A portfwf -d 192.168.1.112 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT -A portfwf -d 192.168.1.11 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT -A secin -i ipsec0 -j ACCEPT -A secout -i ipsec0 -j ACCEPT -A spoof -s 192.168.1.0/255.255.255.0 -j DROP -A timedaction -j LOG --log-prefix "Denied-by-Timed-Access:-" -A timedaction -j REJECT --reject-with icmp-port-unreachable -A xtaccess -i ppp0 -p tcp -m tcp --dport 113 -j ACCEPT -A xtaccess -i ippp0 -p tcp -m tcp --dport 113 -j ACCEPT -A xtaccess -i ppp0 -p tcp -m tcp --dport 441 -j ACCEPT -A xtaccess -i ippp0 -p tcp -m tcp --dport 441 -j ACCEPT -A xtaccess -i ppp0 -p tcp -m tcp --dport 222 -j ACCEPT -A xtaccess -i ippp0 -p tcp -m tcp --dport 222 -j ACCEPT COMMIT

Ваше сообщение

Имя*:

EMail:

Для отправки новых сообщений в текущей нити на email укажите знак ! перед адресом, например, !user@host.ru (!! - не показывать email).
Более тонкая настройка отправки ответов производится в профиле зарегистрированного участника форума.

Заголовок*:

Сообщение*:

>>>>все правильно там написано и даже рассказано какое правило для чего нужно, 
>>>>но DMZ было бы лучше.
>>> 
>>>Наверно правильно. Но к сожалению у меня не работает.
>> 
>>когда что-то не работает, то правила уменьшают до минимума и добиваются работы, 
>>а потом уже начинают добавлять понемногу правил и проверять.
>> 
>>в приведенном виде смотреть правила что-то тосклива, покажите вывод iptables-save

> Спасибо. Вот результат iptables-save:

> :jmpim - [0:0] 
> :jmpp3scan - [0:0] 
> :jmpsip - [0:0] 
> :jmpsquid - [0:0] 
> :p3scan - [0:0] 
> :portfw - [0:0] 
> :sip - [0:0] 
> :squid - [0:0] 
> -A PREROUTING -j portfw 
> -A PREROUTING -i eth0 -j jmpsquid 
> -A PREROUTING -i eth0 -j jmpim 
> -A PREROUTING -i eth0 -j jmpp3scan 
> -A PREROUTING -i eth0 -j jmpsip 
> -A PREROUTING -i ppp0 -j MINIUPNPD 
> -A PREROUTING -i ippp0 -j MINIUPNPD 
> -A PREROUTING -i eth1 -j MINIUPNPD 
> -A PREROUTING -d xx.xx.105.6 -p tcp -m tcp --dport 8080 -j DNAT 
> --to-destination 192.168.1.11 
> -A PREROUTING -d 192.168.1.200 -p tcp -m tcp --dport 80 -j DNAT 
> --to-destination 192.168.1.11 
> -A POSTROUTING -o ppp0 -j MASQUERADE 
> -A POSTROUTING -o ippp0 -j MASQUERADE 
> -A POSTROUTING -o eth1 -j MASQUERADE 
> -A POSTROUTING -d 192.168.1.11 -p tcp -m tcp --dport 80 -j SNAT 
> --to-source 192.168.1.200 
> -A POSTROUTING -p tcp 
> -A POSTROUTING -p tcp 
> -A MINIUPNPD -p tcp -m tcp --dport 53137 -j DNAT --to-destination 192.168.1.128:53137 
 
> -A MINIUPNPD -p udp -m udp --dport 53137 -j DNAT --to-destination 192.168.1.128:53137 
 
> -A MINIUPNPD -p tcp -m tcp --dport 2534 -j DNAT --to-destination 192.168.1.51:7734 
 
> -A jmpim -d 10.0.0.0/255.0.0.0 -j RETURN 
> -A jmpim -d 172.16.0.0/255.240.0.0 -j RETURN 
> -A jmpim -d 192.168.0.0/255.255.0.0 -j RETURN 
> -A jmpim -d 169.254.0.0/255.255.0.0 -j RETURN 
> -A jmpim -j im 
> -A jmpp3scan -d 10.0.0.0/255.0.0.0 -j RETURN 
> -A jmpp3scan -d 172.16.0.0/255.240.0.0 -j RETURN 
> -A jmpp3scan -d 192.168.0.0/255.255.0.0 -j RETURN 
> -A jmpp3scan -d 169.254.0.0/255.255.0.0 -j RETURN 
> -A jmpp3scan -j p3scan 
> -A jmpsip -d 10.0.0.0/255.0.0.0 -j RETURN 
> -A jmpsip -d 172.16.0.0/255.240.0.0 -j RETURN 
> -A jmpsip -d 192.168.0.0/255.255.0.0 -j RETURN 
> -A jmpsip -d 169.254.0.0/255.255.0.0 -j RETURN 
> -A jmpsip -j sip 
> -A jmpsquid -d 10.0.0.0/255.0.0.0 -j RETURN 
> -A jmpsquid -d 172.16.0.0/255.240.0.0 -j RETURN 
> -A jmpsquid -d 192.168.0.0/255.255.0.0 -j RETURN 
> -A jmpsquid -d 169.254.0.0/255.255.0.0 -j RETURN 
> -A jmpsquid -j squid 
> -A portfw -d xx.xx.105.6 -p tcp -m tcp --dport 53137 -j DNAT 
> --to-destination 192.168.1.128:53137 
> -A portfw -d xx.xx.105.6 -p udp -m udp --dport 53137 -j DNAT 
> --to-destination 192.168.1.128:53137 
> -A portfw -d xx.xx.105.6 -p tcp -m tcp --dport 5901 -j DNAT 
> --to-destination 192.168.1.112:5901 
> -A portfw -d xx.xx.105.6 -p tcp -m tcp --dport 8081 -j DNAT 
> --to-destination 192.168.1.112:80 
> -A portfw -d xx.xx.105.6 -p tcp -m tcp --dport 8080 -j DNAT 
> --to-destination 192.168.1.11:80 
> -A squid -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 800 
 
> COMMIT 
> # Completed on Thu Aug 26 10:40:40 2010 
> # Generated by iptables-save v1.3.7 on Thu Aug 26 10:40:40 2010 
> *filter 
> :INPUT DROP [0:0] 
> :FORWARD DROP [0:0] 
> :OUTPUT ACCEPT [7583567:5415769679] 
> :MINIUPNPD - [0:0] 
> :advnet - [0:0] 
> :allows - [0:0] 
> :badtraffic - [0:0] 
> :block - [0:0] 
> :dmzholes - [0:0] 
> :ipblock - [0:0] 
> :ipsec - [0:0] 
> :outbound - [0:0] 
> :outgreen - [0:0] 
> :outorange - [0:0] 
> :outpurple - [0:0] 
> :portfwf - [0:0] 
> :secin - [0:0] 
> :secout - [0:0] 
> :siprtpports - [0:0] 
> :spoof - [0:0] 
> :timedaccess - [0:0] 
> :timedaction - [0:0] 
> :xtaccess - [0:0] 
> -A INPUT -i ppp0 -j ipblock 
> -A INPUT -i ippp0 -j ipblock 
> -A INPUT -i eth1 -j ipblock 
> -A INPUT -j timedaccess 
> -A INPUT -i ppp0 -j advnet 
> -A INPUT -i ippp0 -j advnet 
> -A INPUT -i eth1 -j advnet 
> -A INPUT -i ppp0 -j spoof 
> -A INPUT -i ippp0 -j spoof 
> -A INPUT -i eth1 -j spoof 
> -A INPUT -i lo -j ACCEPT 
> -A INPUT -i eth0 -j ACCEPT 
> -A INPUT -j secin 
> -A INPUT -j block 
> -A INPUT -j LOG 
> -A INPUT -j REJECT --reject-with icmp-port-unreachable 
> -A FORWARD -i ppp0 -j ipblock 
> -A FORWARD -i ippp0 -j ipblock 
> -A FORWARD -i eth1 -j ipblock 
> -A FORWARD -j timedaccess 
> -A FORWARD -j secout 
> -A FORWARD -o ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
> -A FORWARD -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
> -A FORWARD -o ppp0 -m state --state NEW -j outbound 
> -A FORWARD -o ippp0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
> -A FORWARD -i ippp0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
> -A FORWARD -o ippp0 -m state --state NEW -j outbound 
> -A FORWARD -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT 
> -A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT 
> -A FORWARD -o eth1 -m state --state NEW -j outbound 
> -A FORWARD -i ppp0 -j portfwf 
> -A FORWARD -i ippp0 -j portfwf 
> -A FORWARD -i eth1 -j portfwf 
> -A FORWARD -m mark --mark 0x1 -j portfwf 
> -A FORWARD -i eth0 -o ipsec0 -j ACCEPT 
> -A FORWARD -i ipsec0 -o eth0 -j ACCEPT 
> -A FORWARD -i ppp0 -o ! ppp0 -j MINIUPNPD 
> -A FORWARD -i ippp0 -o ! ippp0 -j MINIUPNPD 
> -A FORWARD -i eth1 -o ! eth1 -j MINIUPNPD 
> -A FORWARD -j LOG 
> -A FORWARD -j REJECT --reject-with icmp-port-unreachable 
> -A MINIUPNPD -d 192.168.1.128 -p tcp -m tcp --dport 53137 -j ACCEPT 
 
> -A MINIUPNPD -d 192.168.1.128 -p udp -m udp --dport 53137 -j ACCEPT 
 
> -A MINIUPNPD -d 192.168.1.51 -p tcp -m tcp --dport 7734 -j ACCEPT 
 
> -A allows -s 192.168.1.115 -j ACCEPT 
> -A allows -s 192.168.1.130 -j ACCEPT 
> -A allows -s 192.168.1.132 -j ACCEPT 
> -A block -m state --state RELATED,ESTABLISHED -j ACCEPT 
> -A block -i eth0 -j ACCEPT 
> -A block -j xtaccess 
> -A block -i ppp0 -j ipsec 
> -A block -i ippp0 -j ipsec 
> -A block -i eth1 -j ipsec 
> -A block -i ppp0 -j siprtpports 
> -A block -i ippp0 -j siprtpports 
> -A block -i eth1 -j siprtpports 
> -A block -i ppp0 -p icmp -j ACCEPT 
> -A block -i ippp0 -p icmp -j ACCEPT 
> -A block -i eth1 -p icmp -j ACCEPT 
> -A block -j badtraffic 
> -A ipsec -p udp -m udp --dport 500 -j ACCEPT 
> -A ipsec -p udp -m udp --dport 4500 -j ACCEPT 
> -A ipsec -p esp -j ACCEPT 
> -A ipsec -p ah -j ACCEPT 
> -A outbound -p icmp -j ACCEPT 
> -A outbound -j allows 
> -A outbound -i eth0 -j outgreen 
> -A outgreen -p tcp -m tcp --dport 22 -j ACCEPT 
> -A outgreen -p udp -m udp --dport 22 -j ACCEPT 
> -A outgreen -p tcp -m tcp --dport 23 -j ACCEPT 
> -A outgreen -p udp -m udp --dport 23 -j ACCEPT 
> -A outgreen -p tcp -m tcp --dport 5631 -j ACCEPT 
> -A outgreen -p udp -m udp --dport 5631 -j ACCEPT 
> -A outgreen -p tcp -m tcp --dport 21 -j ACCEPT 
> -A outgreen -p udp -m udp --dport 21 -j ACCEPT 
> -A outgreen -p tcp -m tcp --dport 115 -j ACCEPT 
> -A outgreen -p udp -m udp --dport 115 -j ACCEPT 
> -A outgreen -p tcp -m tcp --dport 25 -j ACCEPT 
> -A outgreen -p udp -m udp --dport 25 -j ACCEPT 
> -A outgreen -p tcp -m tcp --dport 109 -j ACCEPT 
> -A outgreen -p udp -m udp --dport 109 -j ACCEPT 
> -A outgreen -p tcp -m tcp --dport 110 -j ACCEPT 
> -A outgreen -p udp -m udp --dport 110 -j ACCEPT 
> -A outgreen -p tcp -m tcp --dport 143 -j ACCEPT 
> -A outgreen -p udp -m udp --dport 143 -j ACCEPT 
> -A outgreen -p tcp -m tcp --dport 465 -j ACCEPT 
> -A outgreen -p udp -m udp --dport 465 -j ACCEPT 
> -A outgreen -p tcp -m tcp --dport 995 -j ACCEPT 
> -A outgreen -p udp -m udp --dport 995 -j ACCEPT 
> -A outgreen -p tcp -m tcp --dport 993 -j ACCEPT 
> -A outgreen -p udp -m udp --dport 993 -j ACCEPT 
> -A outgreen -p tcp -m tcp --dport 119 -j ACCEPT 
> -A outgreen -p udp -m udp --dport 119 -j ACCEPT 
> -A outgreen -p tcp -m tcp --dport 563 -j ACCEPT 
> -A outgreen -p udp -m udp --dport 563 -j ACCEPT 
> -A outgreen -p tcp -m tcp --dport 1863 -j ACCEPT 
> -A outgreen -p udp -m udp --dport 1863 -j ACCEPT 
> -A outgreen -p tcp -m tcp --dport 4000 -j ACCEPT 
> -A outgreen -p udp -m udp --dport 4000 -j ACCEPT 
> -A outgreen -p tcp -m tcp --dport 5190 -j ACCEPT 
> -A outgreen -p udp -m udp --dport 5190 -j ACCEPT 
> -A outgreen -p tcp -m tcp --dport 6667:7000 -j ACCEPT 
> -A outgreen -p udp -m udp --dport 6667:7000 -j ACCEPT 
> -A outgreen -p tcp -m tcp --dport 5050 -j ACCEPT 
> -A outgreen -p udp -m udp --dport 5050 -j ACCEPT 
> -A outgreen -p tcp -m tcp --dport 7070 -j ACCEPT 
> -A outgreen -p udp -m udp --dport 7070 -j ACCEPT 
> -A outgreen -p tcp -m tcp --dport 47624 -j ACCEPT 
> -A outgreen -p udp -m udp --dport 47624 -j ACCEPT 
> -A outgreen -p tcp -m tcp --dport 80 -j ACCEPT 
> -A outgreen -p udp -m udp --dport 80 -j ACCEPT 
> -A outgreen -p tcp -m tcp --dport 443 -j ACCEPT 
> -A outgreen -p udp -m udp --dport 443 -j ACCEPT 
> -A outorange -j ACCEPT 
> -A outpurple -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p udp -m udp --dport 22 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p tcp -m tcp --dport 23 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p udp -m udp --dport 23 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p tcp -m tcp --dport 5631 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p udp -m udp --dport 5631 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p udp -m udp --dport 80 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p tcp -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p udp -m udp --dport 443 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p tcp -m tcp --dport 21 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p udp -m udp --dport 21 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p tcp -m tcp --dport 115 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p udp -m udp --dport 115 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p udp -m udp --dport 25 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p tcp -m tcp --dport 109 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p udp -m udp --dport 109 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p tcp -m tcp --dport 110 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p udp -m udp --dport 110 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p tcp -m tcp --dport 143 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p udp -m udp --dport 143 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p tcp -m tcp --dport 465 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p udp -m udp --dport 465 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p tcp -m tcp --dport 995 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p udp -m udp --dport 995 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p tcp -m tcp --dport 993 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p udp -m udp --dport 993 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p tcp -m tcp --dport 119 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p udp -m udp --dport 119 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p tcp -m tcp --dport 563 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p udp -m udp --dport 563 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p tcp -m tcp --dport 1863 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p udp -m udp --dport 1863 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p tcp -m tcp --dport 4000 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p udp -m udp --dport 4000 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p tcp -m tcp --dport 5190 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p udp -m udp --dport 5190 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p tcp -m tcp --dport 6667:7000 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p udp -m udp --dport 6667:7000 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p tcp -m tcp --dport 5050 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p udp -m udp --dport 5050 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p tcp -m tcp --dport 7070 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p udp -m udp --dport 7070 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p tcp -m tcp --dport 47624 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -p udp -m udp --dport 47624 -j REJECT --reject-with icmp-port-unreachable 
 
> -A outpurple -j ACCEPT 
> -A portfwf -d 192.168.1.128 -p tcp -m state --state NEW -m tcp 
> --dport 53137 -j ACCEPT 
> -A portfwf -d 192.168.1.128 -p udp -m state --state NEW -m udp 
> --dport 53137 -j ACCEPT 
> -A portfwf -d 192.168.1.112 -p tcp -m state --state NEW -m tcp 
> --dport 5901 -j ACCEPT 
> -A portfwf -d 192.168.1.112 -p tcp -m state --state NEW -m tcp 
> --dport 80 -j ACCEPT 
> -A portfwf -d 192.168.1.11 -p tcp -m state --state NEW -m tcp 
> --dport 80 -j ACCEPT 
> -A secin -i ipsec0 -j ACCEPT 
> -A secout -i ipsec0 -j ACCEPT 
> -A spoof -s 192.168.1.0/255.255.255.0 -j DROP 
> -A timedaction -j LOG --log-prefix "Denied-by-Timed-Access:-" 
> -A timedaction -j REJECT --reject-with icmp-port-unreachable 
> -A xtaccess -i ppp0 -p tcp -m tcp --dport 113 -j ACCEPT 
 
> -A xtaccess -i ippp0 -p tcp -m tcp --dport 113 -j ACCEPT 
 
> -A xtaccess -i ppp0 -p tcp -m tcp --dport 441 -j ACCEPT 
 
> -A xtaccess -i ippp0 -p tcp -m tcp --dport 441 -j ACCEPT 
 
> -A xtaccess -i ppp0 -p tcp -m tcp --dport 222 -j ACCEPT 
 
> -A xtaccess -i ippp0 -p tcp -m tcp --dport 222 -j ACCEPT 
 
> COMMIT

При общении не допускается: неуважительное отношение к собеседнику, хамство, унизительное обращение, ненормативная лексика, переход на личности, агрессивное поведение, обесценивание собеседника, провоцирование флейма голословными и заведомо ложными заявлениями. Не отвечайте на сообщения, явно нарушающие правила - удаляются не только сами нарушения, но и все ответы на них. Лог модерирования.

Партнёры:

Хостинг:

Закладки на сайте
Проследить за страницей

Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру