Автор Тема: arno-iptables-firewall (Прочитано 4947 раз)

SpNaz · « : 19 Мая 2008, 13:08:06 »

вообщем есть локалка(win) ходят в инет ч/з squid + надо еще забирать почту с yandex
а для настройки iptables пользовался arno-iptables-firewall

вопрос: какую строчку конфига нужно править для того чтоб почта пошла по NAT?
p.s. вот чот кажет iptables -L

root@ubuntu:/etc# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state ESTABLISHED
ACCEPT tcp -- anywhere anywhere state RELATED tcp dpts:1024:65535
ACCEPT udp -- anywhere anywhere state RELATED udp dpts:1024:65535
ACCEPT icmp -- anywhere anywhere state RELATED
HOST_BLOCK 0 -- anywhere anywhere
MAC_FILTER 0 -- anywhere anywhere
SPOOF_CHK 0 -- anywhere anywhere
VALID_CHK 0 -- anywhere anywhere
EXT_INPUT_CHAIN !icmp -- anywhere anywhere state NEW
EXT_INPUT_CHAIN icmp -- anywhere anywhere state NEW limit: avg 20/sec burst 100
EXT_ICMP_CHAIN icmp -- anywhere anywhere state NEW
LAN_INPUT_CHAIN 0 -- anywhere anywhere
LOG 0 -- anywhere anywhere limit: avg 1/sec burst 5 LOG level info prefix `Dropped INPUT packet: '
DROP 0 -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT 0 -- anywhere anywhere state ESTABLISHED
ACCEPT tcp -- anywhere anywhere state RELATED tcp dpts:1024:65535
ACCEPT udp -- anywhere anywhere state RELATED udp dpts:1024:65535
ACCEPT icmp -- anywhere anywhere state RELATED
HOST_BLOCK 0 -- anywhere anywhere
MAC_FILTER 0 -- anywhere anywhere
SPOOF_CHK 0 -- anywhere anywhere
VALID_CHK 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere
LAN_INET_FORWARD_CHAIN 0 -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
LOG 0 -- anywhere anywhere limit: avg 1/min burst 3 LOG level info prefix `Dropped FORWARD packet: '
DROP 0 -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT 0 -- anywhere anywhere state ESTABLISHED
LOG 0 -f anywhere anywhere limit: avg 3/min burst 5 LOG level info prefix `FRAGMENTED PACKET (OUT): '
DROP 0 -f anywhere anywhere
EXT_OUTPUT_CHAIN 0 -- anywhere anywhere

Chain EXT_ICMP_CHAIN (1 references)
target prot opt source destination
LOG icmp -- anywhere anywhere icmp echo-request limit: avg 12/hour burst 1 LOG level info prefix `ICMP-request(ping) flood: '
LOG icmp -- anywhere anywhere icmp destination-unreachable limit: avg 12/hour burst 1 LOG level info prefix `ICMP-unreachable flood: '
LOG icmp -- anywhere anywhere icmp source-quench limit: avg 12/hour burst 1 LOG level info prefix `ICMP-source-quench flood: '
LOG icmp -- anywhere anywhere icmp time-exceeded limit: avg 12/hour burst 1 LOG level info prefix `ICMP-time-exceeded flood: '
LOG icmp -- anywhere anywhere icmp parameter-problem limit: avg 12/hour burst 1 LOG level info prefix `ICMP-param.-problem flood: '
DROP icmp -- anywhere anywhere icmp echo-request
DROP icmp -- anywhere anywhere icmp destination-unreachable
DROP icmp -- anywhere anywhere icmp source-quench
DROP icmp -- anywhere anywhere icmp time-exceeded
DROP icmp -- anywhere anywhere icmp parameter-problem
LOG icmp -- anywhere anywhere limit: avg 12/hour burst 1 LOG level info prefix `ICMP(other) flood: '
DROP icmp -- anywhere anywhere

Chain EXT_INPUT_CHAIN (2 references)
target prot opt source destination
LOG tcp -- anywhere anywhere tcp dpt:0 limit: avg 6/hour burst 1 LOG level info prefix `TCP port 0 OS fingerprint: '
LOG udp -- anywhere anywhere udp dpt:0 limit: avg 6/hour burst 1 LOG level info prefix `UDP port 0 OS fingerprint: '
DROP tcp -- anywhere anywhere tcp dpt:0
DROP udp -- anywhere anywhere udp dpt:0
LOG tcp -- anywhere anywhere tcp spt:0 limit: avg 6/hour burst 5 LOG level info prefix `TCP source port 0: '
LOG udp -- anywhere anywhere udp spt:0 limit: avg 6/hour burst 5 LOG level info prefix `UDP source port 0: '
DROP tcp -- anywhere anywhere tcp spt:0
DROP udp -- anywhere anywhere udp spt:0
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
LOG icmp -- anywhere anywhere icmp echo-request limit: avg 3/min burst 1 LOG level info prefix `ICMP-request: '
LOG icmp -- anywhere anywhere icmp destination-unreachable limit: avg 12/hour burst 1 LOG level info prefix `ICMP-unreachable: '
LOG icmp -- anywhere anywhere icmp source-quench limit: avg 12/hour burst 1 LOG level info prefix `ICMP-source-quench: '
LOG icmp -- anywhere anywhere icmp time-exceeded limit: avg 12/hour burst 1 LOG level info prefix `ICMP-time-exceeded: '
LOG icmp -- anywhere anywhere icmp parameter-problem limit: avg 12/hour burst 1 LOG level info prefix `ICMP-param.-problem: '
LOG tcp -- anywhere anywhere tcp dpts:1024:65535 flags:!FIN,SYN,RST,ACK/SYN limit: avg 3/min burst 5 LOG level info prefix `Stealth scan (UNPRIV)?: '
LOG tcp -- anywhere anywhere tcp dpts:0:1023 flags:!FIN,SYN,RST,ACK/SYN limit: avg 3/min burst 5 LOG level info prefix `Stealth scan (PRIV)?: '
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpts:0:1023 limit: avg 6/min burst 2 LOG level info prefix `Connection attempt (PRIV): '
LOG udp -- anywhere anywhere udp dpts:0:1023 limit: avg 6/min burst 2 LOG level info prefix `Connection attempt (PRIV): '
LOG tcp -- anywhere anywhere tcp dpts:1024:65535 limit: avg 6/min burst 2 LOG level info prefix `Connection attempt (UNPRIV): '
LOG udp -- anywhere anywhere udp dpts:1024:65535 limit: avg 6/min burst 2 LOG level info prefix `Connection attempt (UNPRIV): '
DROP tcp -- anywhere anywhere
DROP udp -- anywhere anywhere
DROP icmp -- anywhere anywhere
LOG 0 -- anywhere anywhere limit: avg 1/min burst 5 LOG level info prefix `Other-IP connection attempt: '
DROP 0 -- anywhere anywhere

Chain EXT_OUTPUT_CHAIN (1 references)
target prot opt source destination

Chain HOST_BLOCK (2 references)
target prot opt source destination

Chain LAN_INET_FORWARD_CHAIN (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 20/sec burst 100
LOG icmp -- anywhere anywhere icmp echo-request limit: avg 3/min burst 1 LOG level info prefix `ICMP-request: '
DROP icmp -- anywhere anywhere icmp echo-request
ACCEPT 0 -- anywhere anywhere

Chain LAN_INPUT_CHAIN (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 20/sec burst 100
LOG icmp -- anywhere anywhere icmp echo-request limit: avg 3/min burst 1 LOG level info prefix `ICMP-request: '
DROP icmp -- anywhere anywhere icmp echo-request
ACCEPT 0 -- anywhere anywhere

Chain MAC_FILTER (2 references)
target prot opt source destination

Chain RESERVED_NET_CHK (0 references)
target prot opt source destination
LOG 0 -- 10.0.0.0/8 anywhere limit: avg 1/min burst 1 LOG level info prefix `Class A address: '
LOG 0 -- 172.16.0.0/12 anywhere limit: avg 1/min burst 1 LOG level info prefix `Class B address: '
LOG 0 -- 192.168.0.0/16 anywhere limit: avg 1/min burst 1 LOG level info prefix `Class C address: '
LOG 0 -- link-local/16 anywhere limit: avg 1/min burst 1 LOG level info prefix `Class M$ address: '
DROP 0 -- 10.0.0.0/8 anywhere
DROP 0 -- 172.16.0.0/12 anywhere
DROP 0 -- 192.168.0.0/16 anywhere
DROP 0 -- link-local/16 anywhere

Chain SPOOF_CHK (2 references)
target prot opt source destination
RETURN 0 -- 10.10.1.0/24 anywhere
LOG 0 -- 10.10.1.0/24 anywhere limit: avg 3/min burst 5 LOG level info prefix `Spoofed packet: '
DROP 0 -- 10.10.1.0/24 anywhere
RETURN 0 -- anywhere anywhere

Chain VALID_CHK (2 references)
target prot opt source destination
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG limit: avg 3/min burst 5 LOG level info prefix `Stealth XMAS scan: '
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG limit: avg 3/min burst 5 LOG level info prefix `Stealth XMAS-PSH scan: '
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG limit: avg 3/min burst 5 LOG level info prefix `Stealth XMAS-ALL scan: '
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN limit: avg 3/min burst 5 LOG level info prefix `Stealth FIN scan: '
LOG tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST limit: avg 3/min burst 5 LOG level info prefix `Stealth SYN/RST scan: '
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN limit: avg 3/min burst 5 LOG level info prefix `Stealth SYN/FIN scan(?): '
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/min burst 5 LOG level info prefix `Stealth Null scan: '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
LOG tcp -- anywhere anywhere tcp option=64 limit: avg 3/min burst 1 LOG level info prefix `Bad TCP flag(64): '
LOG tcp -- anywhere anywhere tcp option=128 limit: avg 3/min burst 1 LOG level info prefix `Bad TCP flag(128): '
DROP tcp -- anywhere anywhere tcp option=64
DROP tcp -- anywhere anywhere tcp option=128
DROP 0 -- anywhere anywhere state INVALID
LOG 0 -f anywhere anywhere limit: avg 3/min burst 1 LOG level warning prefix `Fragmented packet: '
DROP 0 -f anywhere anywhere
root@ubuntu:/etc#

SpNaz · « **Ответ #1 :** 20 Мая 2008, 07:51:23 »

Господа ни каких предложений нет чтоль? ну очень срочно надо а читать настройку iptables врем нет(банк-клиент надо запускать)
Подскажите что нить

Maxv34 · « **Ответ #2 :** 20 Мая 2008, 10:59:14 »

Чтобы сказать что править, люди должны увидеть, что там у тебя уже есть, в конфиге.

SpNaz · « **Ответ #3 :** 20 Мая 2008, 11:08:52 »

ВОТ debcong.cfg
#######################################################################
# Feel free to edit this file. However, be aware that debconf writes #
# to (and reads from) this file too. In case of doubt, only use #
# 'dpkg-reconfigure -plow arno-iptables-firewall' to edit this file. #
# If you really don't want to use debconf, or if you have specific #
# needs, you're likely better off using #
# /etc/arno-iptables-firewall/custom-rules. Also see README.Debian. #
#######################################################################
DC_EXT_IF="ppp0"
DC_EXT_IF_DHCP_IP=1
DC_OPEN_TCP=""
DC_OPEN_UDP=""
DC_INT_IF="eth0"
DC_NAT=1
DC_INTERNAL_NET="10.10.1.0/24"
DC_NAT_INTERNAL_NET="10.10.1.0/24"
DC_OPEN_ICMP=0

SpNaz · « **Ответ #4 :** 20 Мая 2008, 11:34:46 »

настраивал по http://homenet.corbina.net/index.php?showtopic=165674

Форум русскоязычного сообщества Ubuntu

Автор Тема: arno-iptables-firewall (Прочитано 4947 раз)

SpNaz

arno-iptables-firewall

SpNaz

Re: arno-iptables-firewall

Maxv34

Re: arno-iptables-firewall

SpNaz

Re: arno-iptables-firewall

SpNaz

Re: arno-iptables-firewall