The OpenNET Project / Index page

[ новости /+++ | форум | теги | ]

форумы  помощь  поиск  регистрация  майллист  ВХОД  слежка  RSS
"iptable клиентбанк(свой прокси)"
Вариант для распечатки  
Пред. тема | След. тема 
Форумы OpenNET: Виртуальная конференция (Public)
Изначальное сообщение [Проследить за развитием треда]

"iptable клиентбанк(свой прокси)"  
Сообщение от vvlasub email(??) on 17-Май-06, 09:10 
добрый день
проблема
есть локалка 192.168.1.0/255
есть шлюз в инет floppyfirewall http://www.zelow.no/floppyfw/
конфиг по умолчанию тот кот был в дистрибутиве
работает nat
все хорошо
но приобрели программу клиентбанк
программа хитирая в качестве шифрования висит программа
( а ля прокси) и потом интренет ехплорер соединяется с этой прогой
127.0.0.1 и эта прога делает редирект на указанный в ее настройках адрес
в поддержке сказали что ей нужен открытый 1400 порт
пожалуйста помогите

конфиг по умолчанию тот кот был в дистрибутиве
#!/bin/sh

# $Id: firewall.ini,v 1.3 2005/03/28 09:43:01 thomasez Exp $

# If you want the box to just act as a router, uncomment the 2 lines below
#echo 1 > /proc/sys/net/ipv4/ip_forward
#exit 0

#
# Firewall setup.
#

. /etc/config


#
# Do you want to do port forwaring to an internal server?
# Set the server IP here and sort out the port stuff later in this file.
#
SERVER_IP=10.42.42.42

#
# Stopping forwarding (this script may be run during normal uptime because
# for re-lease of HDCP or demand dialing / PPPoE.
#
echo "0" > /proc/sys/net/ipv4/ip_forward

#
# Overriding the /etc/config and adding additional information.
#
. /etc/outside.info
. /etc/inside.info

#
# Brad suggested this:
# And he suggested to check and maybe change the formatting.
# We'll do that later.
#
echo "Starting firewall with the following config:"
printf "\t\t   Inside\t\tOutside
Physical device:  %-15s\t%-15s
  Logical device:  %-15s\t%-15s
\t Network:  %-15s\t%-15s
      IP Address:  %-15s\t%-15s
\t Netmask:  %-15s\t%-15s
       Broadcast:  %-15s\t%-15s
\t Gateway:  %-15s\t%-15s\n"    $INSIDE_DEV        $OUTSIDE_DEV \
                $INSIDE_DEVICE        $OUTSIDE_DEVICE \
                $INSIDE_NETWORK     $OUTSIDE_NETWORK \
                $INSIDE_IP        $OUTSIDE_IP \
                $INSIDE_NETMASK        $OUTSIDE_NETMASK \
                $INSIDE_BROADCAST    $OUTSIDE_BROADCAST \
                "[None Set]"        $OUTSIDE_GATEWAY

#
# Flushing the chains.
#

iptables -F
iptables -X
iptables -Z
for i in `cat /proc/net/ip_tables_names`
  do
   iptables -F -t $i
   iptables -X -t $i
   iptables -Z -t $i
done


#
# Policy for chains DROP everything
#

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#
# SYN-Flooding protection
# Looks good and nicked from a firewall script mentioned on floppyfw.something.
# Didn't work that well..
#
iptables -N syn-flood
iptables -A INPUT -i ${OUTSIDE_DEVICE} -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
# Make sure NEW tcp connections are SYN packets
iptables -A INPUT -i ${OUTSIDE_DEVICE} -p tcp ! --syn -m state --state NEW -j DROP


#
# Good old masquerading.
#
iptables -t nat -A POSTROUTING -s ${INSIDE_NETWORK}/${INSIDE_NETMASK} -o ${OUTSIDE_DEVICE} -j MASQUERADE

#
# Forwarding outside ports to an internal server.
# This used to be the ipchains / ipmasqadm portfw commad.
#
# SSH:

#iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 22 -j DNAT --to ${SERVER_IP}:22
#iptables -A FORWARD -p tcp -d ${SERVER_IP} --dport 22 -o ${INSIDE_DEVICE} -j ACCEPT


# Web:
#iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 80 -j DNAT --to ${SERVER_IP}:80
#iptables -A FORWARD -p tcp -d ${SERVER_IP} --dport 80 -o ${INSIDE_DEVICE} -j ACCEPT
# This rule helps the "I can't reach my web server from the inside" problem.
#iptables -A POSTROUTING -t nat -p tcp -d ${SERVER_IP} --dport 80 -s ${INSIDE_NETWORK}/${INSIDE_NETMASK} -j SNAT --to ${OUTSIDE_IP}

# FTP:

#iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 21 -j DNAT --to ${SERVER_IP}:21
#iptables -A FORWARD -p tcp -d ${SERVER_IP} --dport 21 -o ${INSIDE_DEVICE} -j ACCEPT

# SMTP (Internal mail server):
#iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 25 -j DNAT --to ${SERVER_IP}:25
#iptables -A FORWARD -p tcp -d ${SERVER_IP} --dport 25 -o ${INSIDE_DEVICE} -j ACCEPT
# This rule helps the "I can't reach my server from the inside" problem.
#iptables -A POSTROUTING -t nat -p tcp -d ${SERVER_IP} --dport 25 -s ${INSIDE_NETWORK} -j SNAT --to ${OUTSIDE_IP}

#
# Keep state and open up for outgoing connections.
#
iptables -A FORWARD -m state --state NEW -i ${INSIDE_DEVICE} -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW,INVALID -i ${OUTSIDE_DEVICE} -j DROP

#
# This is mainly for PPPoE usage but it won't hurt anyway so we'll just
# keep it here.
#
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

#
# We don't like the NetBIOS and Samba leaking..
#
iptables -t nat -A PREROUTING -p TCP --dport 135:139 -j DROP
iptables -t nat -A PREROUTING -p UDP --dport 137:139 -j DROP
iptables -t nat -A PREROUTING -p TCP --dport 445 -j DROP
iptables -t nat -A PREROUTING -p UDP --dport 445 -j DROP


#
# We would like to ask for names from our floppyfw box
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Ping and friends.
iptables -A OUTPUT -p icmp -j ACCEPT # to both sides.
iptables -A INPUT  -p icmp -j ACCEPT

# And also, DHCP, but we can basically accept anything from the inside.
iptables -A INPUT -i ${INSIDE_DEVICE} -j ACCEPT
iptables -A OUTPUT -o ${INSIDE_DEVICE} -j ACCEPT
# And also accept talking to ourself.
iptables -A INPUT -i lo -j ACCEPT

#
# If the user wants to have the fake identd running, the identd has to
# be able to answer.
#
if [ ${FAKEIDENT} ]
then
  iptables -A INPUT -p TCP --dport 113 -i ${OUTSIDE_DEVICE} -j ACCEPT
else
  iptables -A INPUT -p TCP --dport 113 -i ${OUTSIDE_DEVICE} -j REJECT --reject-with tcp-reset
fi

#
# This will also help:
# It does look weird but it is explained here:
# http://lartc.org/howto/lartc.qdisc.classless.html
#
# The "240Kbit" rate should be set at "a tad less than the speedn you have"
# 240Kbit is for my 256Kbit "upload"-link.
#
# tc qdisc add dev $OUTSIDE_DEVICE root tbf rate 240kbit latency 50ms burst 1540

# Or maybe you chose to use Wondershaper?
if [ $WONDER_SHAPER = "y" ]
then
  /sbin/wshaper.htb
else
  #
  # And, some attempt to get interactive sesions a bit more interactive
  # under load:
  #
  iptables -A PREROUTING -t mangle -p tcp --sport ssh  -j TOS --set-tos Minimize-Delay
  iptables -A PREROUTING -t mangle -p tcp --sport ftp -j TOS --set-tos Minimize-Delay
  # iptables -A PREROUTING -t mangle -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput

fi

#
# DMZ Stuff goes here:
#

if [ -f /etc/dmz.info ];
then
  echo "Setting up DMZ."
  . /etc/dmz.info
  iptables -N dmz
  if [ "$DMZ_USE_NAT" = "y" ]
   then
    iptables -t nat -A POSTROUTING -s ${DMZ_NETWORK}/${DMZ_NETMASK} -o ${OUTSIDE_DEVICE} -j MASQUERADE
  fi
  

fi


#
# Finally, list what we have
#
#
iptables -L

# If broken DNS:
#iptables -L -n

#
#  The insert stuff into the kernel (ipsysctl) - section:
#
# Some of there goes under the "Better safe than sorry" - banner.
#


#
# This enables dynamic IP address following
#
echo 7 > /proc/sys/net/ipv4/ip_dynaddr

#
# trying to stop some smurf attacks.
#
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#
# Don't accept source routed packets.
#
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

#
# Syncookies (if they are really needed any more?)
#
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

#
# We don't like IP spoofing,
#
if [ -f /proc/sys/net/ipv4/conf/all/rp_filter ]
then
  # These two are redundant but I'll kepp'em here for now.
  # Will remind me that I can add the first one somewhere smart later.
  echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter
  echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

#   while read filter
#    do
#     echo "1" > $filter
#   done < `find /proc/sys/net/ipv4/conf -name rp_filter -print`
else
  echo "Anti spoofing is not available, the author of this floppy spoofed, mail him."
fi

#
# nor ICMP redirect,
#

if [ -f /proc/sys/net/ipv4/conf/all/accept_redirects ]
then
  echo "0" > /proc/sys/net/ipv4/conf/default/accept_redirects
  echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

  # while read accr
  #  do
  #   echo -n "fil"
  #   echo $accr
  #   echo "fil2"
  #   echo "0" > $accr
  # done < `find /proc/sys/net/ipv4/conf -name accept_redirects -print`

else
  echo "Anti spoofing is not available, the author of this floppy spoofed, mail him."
fi

#
# Enable bad error message protection.
#
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Maximum limit of ip_conntrack
# This is RAM dependant so be careful with this.
# The max, which is the valuehere, needs around 32M RAM to work properly.
# echo "65535" > /proc/sys/net/ipv4/ip_conntrack_max

#
# This is commented out and will be an option when we have a "LOG_STUFF"
# config option.
# /bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

#
# Rules set, we can enable forwarding in the kernel.
#
echo "Enabling IP forwarding."

echo "1" > /proc/sys/net/ipv4/ip_forward

Правка | Высказать мнение | Ответить | Cообщить модератору | Наверх

 Оглавление

Сообщения по теме [Сортировка по времени, UBB]


1. "iptable клиентбанк(свой прокси)"  
Сообщение от melnik email(ok) on 19-Май-06, 12:10 
в поддержке сказали что ей нужен открытый 1400 порт? в этом что ли проблема?
Правка | Высказать мнение | Ответить | Cообщить модератору | Наверх

Архив | Удалить

Индекс форумов | Темы | Пред. тема | След. тема
Оцените тред (1=ужас, 5=супер)? [ 1 | 2 | 3 | 4 | 5 ] [Рекомендовать для помещения в FAQ]




Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру