[zorp-hu] iptables, I don't understand it
Kosa Attila
zorp-hu@lists.balabit.hu
Sat, 15 Mar 2003 21:42:20 +0100
Hello!
Given the following iptables config:
*tproxy
:PREROUTING ACCEPT
:OUTPUT ACCEPT
:PRintra -
-A PREROUTING -i GOODIF -j PRintra
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:spoof -
:noise -
:icmpk -
:tproxy -
:LOintra -
:LOinter -
:DROPINVALID -
-A INPUT -i lo -j ACCEPT
-A INPUT -j spoof
-A INPUT -j noise
-A INPUT -p icmp -j icmpk
-A INPUT -m tproxy -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROPINVALID
-A INPUT -m state --state NEW -p tcp ! --syn -j DROPINVALID
-A INPUT -i GOODIF -j LOintra
-A INPUT -i BADIF -j LOinter
-A INPUT -j LOG --log-prefix "INPUT DROP: "
-A INPUT -j DROP
-A FORWARD -j LOG --log-prefix "FORWARD DROP: "
-A FORWARD -j DROP
-A spoof -j RETURN
-A noise -j RETURN
-A icmpk -p icmp --icmp-type echo-request -j ACCEPT
-A icmpk -p icmp --icmp-type echo-reply -j ACCEPT
-A icmpk -j LOG --log-prefix "Icmpk DROP: "
-A icmpk -j DROP
-A LOintra -j LOG --log-prefix "LOintra DROP: "
-A LOintra -j DROP
-A LOinter -j LOG --log-prefix "LOinter DROP: "
-A LOinter -j DROP
-A DROPINVALID -j LOG --log-prefix "INVALID packet: "
-A DROPINVALID -j DROP
COMMIT
Why can't I ping the machine (from either leg)? When pinging from the
internal leg, the text "LOintra DROP: " ends up in syslog... The odd thing is
that the packets do go into the spoof and noise chains, but not into the one
called icmpk. What am I not noticing?
--
Regards
Zsiga
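An added example, not code from the post or from the list: a small Python tracer that walks the *filter table above for one packet and reports which chains it visited, which LOG prefixes it hit and the final verdict, using the iptables traversal rules (jump into a user chain, RETURN or falling off the end goes back to the caller, LOG does not terminate, the built-in chain's policy applies when nothing else decides). It understands only the matches the posted rules use (-i, -p, --icmp-type, -m state --state, -m tproxy, [!] --syn), embeds the INPUT-relevant lines of the posted ruleset as-is, treats the placeholder names GOODIF/BADIF as literal interface names, and the two packets at the bottom are constructed for the demonstration.

```python
import shlex
# Added example, not code from the post: a minimal simulator of iptables chain
# traversal (jump, RETURN, non-terminating LOG, policy) for the matches the
# posted INPUT rules use.  RULESET holds the INPUT-relevant lines of the post's
# *filter table as posted; GOODIF/BADIF are its placeholder interface names.
RULESET = """\
*filter
:INPUT DROP [0:0]
:spoof -
:noise -
:icmpk -
:LOintra -
:LOinter -
:DROPINVALID -
-A INPUT -i lo -j ACCEPT
-A INPUT -j spoof
-A INPUT -j noise
-A INPUT -p icmp -j icmpk
-A INPUT -m tproxy -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROPINVALID
-A INPUT -m state --state NEW -p tcp ! --syn -j DROPINVALID
-A INPUT -i GOODIF -j LOintra
-A INPUT -i BADIF -j LOinter
-A INPUT -j LOG --log-prefix "INPUT DROP: "
-A INPUT -j DROP
-A spoof -j RETURN
-A noise -j RETURN
-A icmpk -p icmp --icmp-type echo-request -j ACCEPT
-A icmpk -p icmp --icmp-type echo-reply -j ACCEPT
-A icmpk -j LOG --log-prefix "Icmpk DROP: "
-A icmpk -j DROP
-A LOintra -j LOG --log-prefix "LOintra DROP: "
-A LOintra -j DROP
-A LOinter -j LOG --log-prefix "LOinter DROP: "
-A LOinter -j DROP
-A DROPINVALID -j LOG --log-prefix "INVALID packet: "
-A DROPINVALID -j DROP
COMMIT
"""

# two-token options we understand, mapped to the rule field they set
OPTS = {"-A": "chain", "-i": "iface", "-p": "proto", "--icmp-type": "icmp_type",
        "-j": "target", "--log-prefix": "prefix"}

def parse_rule(line):  # one '-A ...' line -> dict of match criteria plus target
    rule = {"tproxy": False, "syn": None, "states": None, "prefix": ""}
    toks, i = shlex.split(line), 0      # shlex keeps the quoted log prefix intact
    while i < len(toks):
        t = toks[i]
        if t in OPTS:
            rule[OPTS[t]] = toks[i + 1]; i += 2
        elif t == "-m":                 # '-m tproxy' is itself a match; '-m state' precedes --state
            rule["tproxy"] |= toks[i + 1] == "tproxy"; i += 2
        elif t == "--state":
            rule["states"] = set(toks[i + 1].split(",")); i += 2
        elif t == "--syn" or (t == "!" and toks[i + 1] == "--syn"):
            rule["syn"] = t == "--syn"; i += 1 if t == "--syn" else 2
        else:
            raise ValueError("unsupported option: " + t)
    return rule

def load_filter(text):  # (policies, rules); text is assumed to hold only a *filter table
    policies, rules = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):        # chain declaration: name, policy ('-' = user chain)
            name, pol = line[1:].split()[:2]
            policies[name], rules[name] = (None if pol == "-" else pol), []
        elif line.startswith("-A"):
            r = parse_rule(line); rules[r["chain"]].append(r)
    return policies, rules

def matches(r, pkt):  # every criterion the rule carries must hold for the packet
    return (all(not r.get(k) or pkt.get(k) == r[k] for k in ("iface", "proto", "icmp_type"))
            and (not r["states"] or pkt.get("state") in r["states"])
            and (not r["tproxy"] or pkt.get("tproxy", False))
            and (r["syn"] is None or pkt.get("syn", False) == r["syn"]))

def walk(chain, rules, pkt, path, logs):  # ACCEPT/DROP, or None when the chain returns
    path.append(chain)
    for r in (x for x in rules[chain] if matches(x, pkt)):
        if r["target"] in ("ACCEPT", "DROP", "RETURN"):
            return None if r["target"] == "RETURN" else r["target"]
        if r["target"] == "LOG":        # non-terminating: record the prefix, carry on
            logs.append(r["prefix"]); continue
        verdict = walk(r["target"], rules, pkt, path, logs)   # jump into a user chain
        if verdict is not None:
            return verdict
    return None                         # fell off the end: back to the caller

def trace(text, pkt, entry="INPUT"):  # -> (verdict, chains visited, LOG prefixes hit)
    policies, rules = load_filter(text)
    path, logs = [], []                 # a built-in chain with no verdict uses its policy
    return (walk(entry, rules, pkt, path, logs) or policies[entry]), path, logs

# Constructed packets: an echo-request and a new UDP flow arriving on the inside leg.
PING_INSIDE = {"iface": "GOODIF", "proto": "icmp", "icmp_type": "echo-request", "state": "NEW"}
UDP_INSIDE = {"iface": "GOODIF", "proto": "udp", "state": "NEW"}
```

trace(RULESET, PING_INSIDE) walks INPUT -> spoof -> noise -> icmpk and returns ACCEPT with no LOG rule hit; trace(RULESET, UDP_INSIDE) walks INPUT -> spoof -> noise -> LOintra, records "LOintra DROP: " and returns DROP. The second path is the one the syslog line in the post reports for a ping, and by these traversal semantics the file as posted cannot produce it for an ICMP packet, since every ICMP packet reaching the `-p icmp -j icmpk` rule is decided inside icmpk. The useful check is therefore the file against what the kernel actually holds: `iptables-save` for the loaded rules, and the per-rule packet counters from `iptables -L INPUT -v -n` taken while pinging, which show directly whether the `-p icmp -j icmpk` rule is being hit.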