Ýêñïåðèìåíòåã.

**Speedy Gonzalez** · 21-10-2006, 13:57

Code:

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:VSERVER - [0:0]
-A PREROUTING -d 85.x.x.x -j VSERVER
-A PREROUTING -d 172.x.x.x -j VSERVER
-A VSERVER -p tcp -m tcp --dport 4662 -j DNAT --to-destination 192.168.1.55:4662
-A VSERVER -p udp -m udp --dport 4672 -j DNAT --to-destination 192.168.1.55:4672
-A VSERVER -p tcp -m tcp --dport 11223 -j DNAT --to-destination 192.168.1.55:11223
-A VSERVER -p udp -m udp --dport 12223 -j DNAT --to-destination 192.168.1.55:12223
-A VSERVER -p tcp -m tcp --dport 14104 -j DNAT --to-destination 192.168.1.76:14104
-A VSERVER -p udp -m udp --dport 18872 -j DNAT --to-destination 192.168.1.76:18872
-A VSERVER -p tcp -m tcp --dport 33312 -j DNAT --to-destination 192.168.1.55:33312
-A POSTROUTING -o ppp0 ! -s 85.x.x.x -j MASQUERADE
-A POSTROUTING -o vlan1 ! -s 172.x.x.x -j MASQUERADE
-A POSTROUTING -o br0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j MASQUERADE
COMMIT

Code:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:MACS - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A SECURITY -p tcp --syn -m limit --limit 1/s -j RETURN
-A SECURITY -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
-A SECURITY -p udp -m limit --limit 5/s -j RETURN
-A SECURITY -p icmp -m limit --limit 5/s -j RETURN
-A SECURITY -j logdrop
-A INPUT -m state --state INVALID -j logdrop
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i ppp0 -m state --state NEW -j SECURITY
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 515 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9100 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3838 -j ACCEPT
-A INPUT -j logdrop
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -p tcp --syn -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -o ppp0 ! -i br0 -j logdrop
-A FORWARD -o vlan1 ! -i br0 -j logdrop
-A FORWARD ! -i br0 -m state --state NEW -j SECURITY
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -o br0 -j logdrop
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT

Íåêîòîðûå ïîÿñíåíèÿ:
85.x.x.x - ìîé ðåàëüíûé IP àäðåñ
172.x.x.x - âíóòðèñåòåâîé àäðåñ â ìîåé äîìàøíåé ñåòè
Âñå DC++ õàáû íàõîäÿòñÿ â ëîêàëêå.
DC++ êëèåíò â àêòèâíîì ðåæèìå (ñïîêîéíî ïîäêëþ÷àþñü è ê àêòèâíûì è ê ïàññèâíûì ïîëüçîâàòåëÿì è îò íèõ âñ¸ îòëè÷íî êà÷àåòñÿ)
À âîò ñòîèò òîëüêî èñïîëüçîâàòü ïîèñê (äëÿ òåñòà ââîæó ÷òî-íèáóäü ðàñïðîñòðàííåíîå, íàïð. "avi"), òî âûäà¸ò âñåãî 10-20 íàéäåííûõ ôàéëîâ (ëîãèêó ÿ òàê è íå ïîíÿë) è êó÷ó äðîïîâ â ëîãå, î êîòîðûõ ÿ ïèñàë âûøå.
Âêëþ÷àþ â îïöèÿõ "ïîèñê â ïàññèâíîì ðåæèìå" - âñ¸ îê - ïàðó òûñÿ÷ íàéäåíûõ ôàéëîâ, êàê è äîëæíî áûòü.
Ñ ïðåäûäóùåé ïðîøèâêîé âñ¸ áûëî îê.

**vsu** · 21-10-2006, 15:23

Originally Posted by Speedy Gonzalez

Âêëþ÷àþ â îïöèÿõ "ïîèñê â ïàññèâíîì ðåæèìå" - âñ¸ îê - ïàðó òûñÿ÷ íàéäåíûõ ôàéëîâ, êàê è äîëæíî áûòü.

Âîçìîæíî, â äàííîì ñëó÷àå ìåøàåò îãðàíè÷åíèå íà èíòåíñèâíîñòü óñòàíîâëåíèÿ íîâûõ ñîåäèíåíèé. Ïðàâèëà â öåïî÷êå SECURITY óñòàíàâëèâàþò îãðàíè÷åíèÿ: íå áîëåå 1 âõîäÿùåãî ñîåäèíåíèÿ TCP è íå áîëåå 5 âõîäÿùèõ ñîåäèíåíèé UDP â ñåêóíäó ("ñîåäèíåíèåì" ïî udp ñ÷èòàåòñÿ îáìåí ìåæäó ïàðîé ïîðòîâ ñ îáåèõ ñòîðîí - ïåðâûé ïàêåò ïîëó÷àåò ñòàòóñ NEW è ïîïàäàåò â öåïî÷êó SECURITY, ïîñëåäóþùèå ïàêåòû ñ òåìè æå àäðåñàìè è íîìåðàìè ïîðòîâ óæå íå ïîïàäàþò â SECURITY, ïîêà òàêîå "ñîåäèíåíèå" íå óäàëèòñÿ èç òàáëèöû conntrack ïî òàéìàóòó).

Ìîæíî ïðîâåðèòü, ÷òî ïðîèñõîäèò, åñëè ïîñìîòðåòü âûâîä êîìàíäû iptables -L -nv; ýòà êîìàíäà âûâåäåò ñ÷¸ò÷èêè ïàêåòîâ è áàéòîâ äëÿ êàæäîãî ïðàâèëà, è ìîæíî áóäåò ïîíÿòü, îòêóäà èìåííî ïàêåòû ñâàëèâàþòñÿ â logdrop. Åñëè äåëî â ïðàâèëàõ èç SECURITY, ìîæíî èõ ìîäèôèöèðîâàòü â post-firewall.

**Oleg** · 21-10-2006, 17:15

Originally Posted by vsu

Âîçìîæíî, â äàííîì ñëó÷àå ìåøàåò îãðàíè÷åíèå íà èíòåíñèâíîñòü óñòàíîâëåíèÿ íîâûõ ñîåäèíåíèé. Ïðàâèëà â öåïî÷êå SECURITY óñòàíàâëèâàþò îãðàíè÷åíèÿ: íå áîëåå 1 âõîäÿùåãî ñîåäèíåíèÿ TCP è íå áîëåå 5 âõîäÿùèõ ñîåäèíåíèé UDP â ñåêóíäó ("ñîåäèíåíèåì" ïî udp ñ÷èòàåòñÿ îáìåí ìåæäó ïàðîé ïîðòîâ ñ îáåèõ ñòîðîí - ïåðâûé ïàêåò ïîëó÷àåò ñòàòóñ NEW è ïîïàäàåò â öåïî÷êó SECURITY, ïîñëåäóþùèå ïàêåòû ñ òåìè æå àäðåñàìè è íîìåðàìè ïîðòîâ óæå íå ïîïàäàþò â SECURITY, ïîêà òàêîå "ñîåäèíåíèå" íå óäàëèòñÿ èç òàáëèöû conntrack ïî òàéìàóòó).

Ìîæíî ïðîâåðèòü, ÷òî ïðîèñõîäèò, åñëè ïîñìîòðåòü âûâîä êîìàíäû iptables -L -nv; ýòà êîìàíäà âûâåäåò ñ÷¸ò÷èêè ïàêåòîâ è áàéòîâ äëÿ êàæäîãî ïðàâèëà, è ìîæíî áóäåò ïîíÿòü, îòêóäà èìåííî ïàêåòû ñâàëèâàþòñÿ â logdrop. Åñëè äåëî â ïðàâèëàõ èç SECURITY, ìîæíî èõ ìîäèôèöèðîâàòü â post-firewall.

Äà, âïîëíå ìîæåò áûòü. Ïîïðîáóéòå ñêàçàòü iptables -F SECURITY

**Speedy Gonzalez** · 21-10-2006, 18:55

Äà, óâàæàåìûå ãóðó, âñ¸ òàê è åñòü. Ñïàñèáî çà ïîäñêàçêó (à òî ÿ ïîêà òÿæåëîâàòî îðèåíòèðóþñü â íåêîòîðûõ íàñòðîéêàõ)
â post-firewall âïèñàë ñòðîêó
iptables -I SECURITY -p udp --dport 12223 -j RETURN
Ðàáîòàåò. Ò.å. ýòîò UDP ïîðò íå ëèìèòèðóåòñÿ, à íà äðóãèå ïî-ïðåæíåìó íå áîëåå 5 ñîåäèíåíèé â ñåê.
Ïðàâèëüíî ÿ ñäåëàë? Èëè åñòü áîëåå ãðàìîòíîå ðåøåíèå? Ìîæåò â INPUT ëó÷øå ÷òî-íèáóäü ïðîïèñàòü?

**Oleg** · 21-10-2006, 19:09

Ïðàâèëüíî.

**FilimoniC** · 24-10-2006, 20:59

Âîïðîñ: ìîæíî ëè çàêðûòüñÿ ñðåäñòâàìè web-èíòåðôåéñà?
Ìîæíî ëè íåáîëüøóþ ÷àéíèêîâóþ èíñòðóêöèþ äëÿ ïîëüçîâàòåëåé ëîêàëüíûõ ñåòåé?
Èçâèíèòå çà íàãëîñòü..êàê ïðîöåññ? äâèæåòñÿ? (â ïëàíå íîâîé ïðîøèâêè)

**Lesnix** · 24-10-2006, 22:12

Originally Posted by FilimoniC

Èçâèíèòå çà íàãëîñòü..êàê ïðîöåññ? äâèæåòñÿ? (â ïëàíå íîâîé ïðîøèâêè)

Êà÷àåøü ïðîøèâêó pre8
Ñòàâèøü wan to lan filter, drop. è ïî áîëüøåé ÷àñòè âñå îêåé.

**Plimouthrock** · 20-11-2006, 20:28

À åñëè ó ìåíÿ:

Code:

[admin@my sbin]$ iptables -L -t filter
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere           state INVALID
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           state NEW
ACCEPT     all  --  anywhere             anywhere           state NEW
SECURITY   all  --  anywhere             anywhere           state NEW
ACCEPT     udp  --  anywhere             anywhere           udp spt:bootps dpt:bootpc
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ftp
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere           state INVALID
TCPMSS     tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
SECURITY   all  --  anywhere             anywhere           state NEW
ACCEPT     all  --  anywhere             anywhere           ctstate DNAT
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain MACS (0 references)
target     prot opt source               destination

Chain SECURITY (2 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5
RETURN     tcp  --  anywhere             anywhere           tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
RETURN     udp  --  anywhere             anywhere           limit: avg 5/sec burst 5
RETURN     icmp --  anywhere             anywhere           limit: avg 5/sec burst 5
DROP       all  --  anywhere             anywhere

Chain logaccept (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere           state NEW LOG level warning tcp-sequence tcp-options ip-opti
ons prefix `ACCEPT '
ACCEPT     all  --  anywhere             anywhere

Chain logdrop (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere           state NEW LOG level warning tcp-sequence tcp-options ip-opti
ons prefix `DROP '
DROP       all  --  anywhere             anywhere

Ýòî ïðàâèëüíî èëè âñå-òàêè ÷òî-òî íå òàê? Ìåíÿ íåñêîëüêî íàïðÿãàþò anywhere âåçäå...

**Oleg** · 20-11-2006, 20:45

äîáàâüòå êëþ÷èêè -vn - óâèäèòå ìíîãî èíòåðåñíîãî.

**Plimouthrock** · 20-11-2006, 20:55

Âàó...

Thread: Ýêñïåðèìåíòåã.

Thread Tools

Display

Ñêàæèòå òîâàðèùè...

Tags for this Thread

Posting Permissions