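# > > > ----------------------------------- cut ------------------------------------
# > #!/bin/sh
# >
# > # enable ip forwarding
# > echo "1" > /proc/sys/net/ipv4/ip_forward
# > # setup the basic here, all denied except
# > # the traffic on the loopback interface...
# > $IPCHAINS -A input -i lo -j ACCEPT
# > $IPCHAINS -A output -i ! lo -j ACCEPT
# > $IPCHAINS -A forward -j DENY
#
# se metti a deny il forward la rete interna non puo' uscire
# la devi mettere a masq
# ti metto di seguito le regole che uso io in ditta
# gli ip sono fittizi, per comodita' usai all'epoca gfcc
#
#!/bin/sh
# Generated by Gtk+ firewall control center
#
# ipchains rule set for a masquerading gateway.  All DENY/ACCEPT entries in
# the input chain are bound to eth0; the MASQ and output rules name eth1.
# Which of the two faces the Internet is not stated here -- confirm before
# reusing the rules.  Both input and output policies are ACCEPT, so this is a
# default-allow filter with an explicit block list: anything not covered by
# a DENY range below stays reachable on eth0 (the gaps are listed next to
# the block list).  The script only runs ipchains for its side effects; it
# prints nothing and exits with the status of the last ipchains call.
IPCHAINS=/sbin/ipchains
localnet="192.168.2.0/24"            # not referenced below (generator output)
firewallhost="192.168.2.241/32"      # not referenced below (generator output)
Any="0.0.0.0/0"
localhost_localdomain="127.0.0.1/32" # not referenced below (generator output)
# The second assignment shadows the first: every "$firewall" rule below
# matches the internal address 192.168.2.241, never the public 222.82.20.198.
# NOTE(review): if the ssh ACCEPT rule was meant for the public address,
# the second line is the one to drop -- confirm against the host.
firewall="222.82.20.198/32"
firewall="192.168.2.241/32"

# Policies are set before the flush; an abort between here and the block
# list leaves input/output at ACCEPT with no rules loaded.
"$IPCHAINS" -P input ACCEPT
"$IPCHAINS" -P forward MASQ
"$IPCHAINS" -P output ACCEPT
"$IPCHAINS" -F
"$IPCHAINS" -X

# input rules
# Echo-request (ICMP type 8) from anywhere on eth0: the REJECT rule matches
# first and logs (-l); the DENY that follows it is never reached.
"$IPCHAINS" -A input -p icmp -s "$Any" 8 -d "$Any" -i eth0 -j REJECT -l
"$IPCHAINS" -A input -p icmp -s "$Any" 8 -d "$Any" -i eth0 -j DENY -l
# FTP control and data from one peer address into the whole internal net.
"$IPCHAINS" -A input -p tcp -s 141.202.215.12/32 ftp -d 192.168.2.0/24 ftp -i eth0 -j ACCEPT
"$IPCHAINS" -A input -p tcp -s 141.202.215.12/32 ftp-data -d 192.168.2.0/24 ftp-data -i eth0 -j ACCEPT
# Anti-spoofing: packets claiming an internal source address on eth0.
"$IPCHAINS" -A input -s 192.168.2.0/24 -d 192.168.2.0/24 -i eth0 -j DENY
# /32 matches only the single address 10.0.0.0.  If the intent is to drop
# the whole 10/8 private range the mask should be /8 -- TODO confirm intent.
"$IPCHAINS" -A input -s 10.0.0.0/32 -d 192.168.2.0/24 -i eth0 -j DENY
# Remote administration from a single source address.
"$IPCHAINS" -A input -p tcp -s 197.150.234.98/32 -d "$firewall" ssh -i eth0 -j ACCEPT
# Block list for the firewall's own address.  The generated lines used the
# bare word "firewall" instead of "$firewall"; ipchains treats that as a
# hostname to resolve, and unless it resolves the rule never loads.  The
# ssh rule above shows the intended form, which is used here.
# With the usual /etc/services numbers (tcpmux 1, chargen 19, finger 79,
# pop2 109, sunrpc 111) the ranges leave TCP 20-25, 80, 110, 119 and 6667
# reachable, and UDP 52-53 (DNS).
"$IPCHAINS" -A input -p tcp -s "$Any" tcpmux:chargen -d "$firewall" -i eth0 -j DENY
"$IPCHAINS" -A input -p tcp -s "$Any" 26:finger -d "$firewall" -i eth0 -j DENY
"$IPCHAINS" -A input -p tcp -s "$Any" 81:pop2 -d "$firewall" -i eth0 -j DENY
"$IPCHAINS" -A input -p tcp -s "$Any" sunrpc:118 -d "$firewall" -i eth0 -j DENY
"$IPCHAINS" -A input -p tcp -s "$Any" 120:6666 -d "$firewall" -i eth0 -j DENY
"$IPCHAINS" -A input -p tcp -s "$Any" 6668:65535 -d "$firewall" -i eth0 -j DENY
"$IPCHAINS" -A input -p udp -s "$Any" 1:51 -d "$firewall" -i eth0 -j DENY
"$IPCHAINS" -A input -p udp -s "$Any" 54:65535 -d "$firewall" -i eth0 -j DENY
# For -p icmp the source "port" range is read as a range of ICMP types.
"$IPCHAINS" -A input -p icmp -s "$Any" 1:65535 -d "$firewall" -i eth0 -j DENY
# forward rules
# NOTE(review): this rule already masquerades the internal net explicitly,
# so the forward policy could be DENY rather than MASQ -- verify on a test
# box before changing it.
"$IPCHAINS" -A forward -s 192.168.2.0/24 -d "$Any" -i eth1 -j MASQ
# output rules
"$IPCHAINS" -A output -s 192.168.2.0/24 -d "$Any" -i eth1 -j ACCEPT
#
# con queste semplici stringhe noi in ditta lavoriamo bene pero' per
# essere sicuro se chiedi a Diaolin, Ghilardini e Ianez che sono quelli
# che mi insegnarono all'epoca sicuramente sapranno darti spiegazioni
# chiare ed esaurienti molto meglio di quanto mai possa fare io.
#
# cordialita'
# --
# Mario Vittorio Guenzi
# Zincometal S.p.A.
# c.so Europa Str.prov 34
# 20010-Inveruno (MI)
# tel: 02-979661 fax: 02-97966351
# E-mail jclark@xxxxxxxxxxxxx
# http://www.zincometal.com
# Si vis pacem, para bellum
# --
# PROSSIMA ASSEMBLEA: lunedi 29 Aprile 2002 ore 20:45
# Per iscriversi (o disiscriversi), basta spedire un messaggio con
# SOGGETTO "subscribe" (o "unsubscribe") a
# mailto:linuxtrent-request@xxxxxxxxxxxxxxxxx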