Ten firewall dzialal mi na mandrake'u 9.1 p przejsciu na Slackware 10 sa niedociagniecia...#! /bin/sh
# sciezka do
PATH="/sbin"
echo "startuje firewalla..."
eth0ip="**.**.***.***"
luka5z="192.168.0.2"
# Uruchomienie przekazywania pakietow
echo "1" > /proc/sys/net/ipv4/ip_forward
# Czyszczenie tablic iptables (NAT i Filtrowanie)
iptables -F
iptables -F -t nat
iptables -X -t nat
iptables -F -t filter
iptables -X -t filter
# Odrzucenie i brak zezwolenia na forwardowanie pakietow
iptables -t filter -P FORWARD DROP
iptables -t filter -A FORWARD -s 192.168.0.2 -d 0/0 -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 192.168.0.2 -j ACCEPT
#limit ilosci polaczen
iptables -A INPUT -p tcp --syn --dport http -m iplimit --iplimit-mask 8 --iplimit-above 4 -j REJECT
iptables -t filter -A FORWARD -s 192.168.0.3 -d 0/0 -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 192.168.0.3 -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.0.4 -d 0/0 -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 192.168.0.4 -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.0.5 -d 0/0 -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 192.168.0.5 -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.0.6 -d 0/0 -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 192.168.0.6 -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.0.7 -d 0/0 -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 192.168.0.7 -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.0.8 -d 0/0 -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 192.168.0.8 -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.0.9 -d 0/0 -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 192.168.0.9 -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.0.10 -d 0/0 -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 192.168.0.10 -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.0.11 -d 0/0 -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 192.168.0.11 -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.0.12 -d 0/0 -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 192.168.0.12 -j ACCEPT
# Udostepanianie Internetu przez Maskarade
#iptables -t nat -A POSTROUTING -s 192.168.12.0 -d 0/0 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 0/0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.2 -d 0/0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.3 -d 0/0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.4 -d 0/0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.5 -d 0/0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.6 -d 0/0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.7 -d 0/0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.8 -d 0/0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.9 -d 0/0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.10 -d 0/0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.11 -d 0/0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.12 -d 0/0 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 192.168.0.13 -d 0/0 -j MASQUERADE
# Wpuszczamy wszystko z lan
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -s 192.168.0.0/24 -j ACCEPT
# Moduly do FTP i IRCa
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
# Przepuszczamy juz aktywne polaczenia
iptables -A INPUT -p tcp -j ACCEPT -m state --state ESTABLISHED
iptables -A INPUT -p tcp -j ACCEPT -m state --state RELATED
iptables -A INPUT -p udp -j ACCEPT -m state --state ESTABLISHED
iptables -A INPUT -p icmp -j ACCEPT -m state --state ESTABLISHED
iptables -A INPUT -p icmp -j ACCEPT -m state --state RELATED
iptables -A FORWARD -p tcp -j ACCEPT -m state --state ESTABLISHED
iptables -A FORWARD -p tcp -j ACCEPT -m state --state RELATED
iptables -A FORWARD -p udp -j ACCEPT -m state --state ESTABLISHED
iptables -A FORWARD -p udp -j ACCEPT -m state --state RELATED
iptables -A FORWARD -p icmp -j ACCEPT -m state --state ESTABLISHED
iptables -A FORWARD -p icmp -j ACCEPT -m state --state RELATED
#SSH
iptables -A INPUT -p tcp -d 0/0 --dport 22 -j ACCEPT
#domain
iptables -A INPUT -p tcp -d 0/0 --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp -d 0/0 --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -d 0/0 --dport 53 -j ACCEPT
#emule
iptables -A INPUT -p tcp -d 0/0 --dport 4662 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -d $eth0ip --dport 4662 -j DNAT --to-destination 192.168.0.2:4662
iptables -A INPUT -p udp -d 0/0 --dport 4672 -j ACCEPT
iptables -A PREROUTING -t nat -p udp -d $eth0ip --dport 4672 -j DNAT --to-destination 192.168.0.2:4672
#torrent azerus
iptables -A INPUT -p tcp -d 0/0 --dport 6881 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -d $eth0ip --dport 6881 -j DNAT --to-destination 192.168.0.2:6881
# Blokujemy reszte pakietow
iptables -A INPUT -j DROP -m unclean
#iptables -A INPUT -j DROP
Wywala:
Gdy usune poczatkowe linie wywala:startuje firewalla...
./rc.fire: line 13: iptables: command not found
./rc.fire: line 14: iptables: command not found
./rc.fire: line 15: iptables: command not found
./rc.fire: line 16: iptables: command not found
./rc.fire: line 17: iptables: command not found
./rc.fire: line 20: iptables: command not found
./rc.fire: line 26: iptables: command not found
./rc.fire: line 27: iptables: command not found
...
O co tu idzie ?iptables v1.2.10: Couldn't load match `iplimit':/usr/lib/iptables/libipt_iplimit.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.