[MDK9.2] local ping

The MNF (Multi Network Firewall) is one of the most feature-rich firewall products on the market. It is based on a secured Linux 2.4 kernel. This forum is also intended to host all posts concerning the Mandriva (formerly Mandrake) distributions.

Moderator: modos Ixus

Post by chaba » 23 Dec 2003 12:58

Hello,
I've just installed a Mandrake 9.2 and I have a few problems.
This Mdk runs on my server and connects to the internet.
Connection sharing works and the client is a Windows XP.
The problem is that I can't ping my server, which has IP 192.168.1.2, from my client.
The client is on DHCP.
On the other hand, pinging an internet address works fine.
I stopped the firewall services, allowed ICMP echoes, nothing better.
I think there is a routing problem, but ???
If anyone has an idea.

Another thing: in my /etc/resolv.conf file I find a line:
nameserver 212.27.39.1 #ppp entry temp

which corresponds to nothing, since my DNS servers are 217.27.32.176 and 217.27.32.177

It keeps coming back even if I remove it.
I reconfigured everything, internet connection, sharing, dhcp, but still the same.

Thanks ..
chaba
Petty Officer
Posts: 15
Joined: 07 Dec 2003 01:00
Location: Annecy

Post by tomtom » 23 Dec 2003 13:20

There's no routing problem, since the connection works!
I think ICMP must be blocked at the network level by the Mandrake, to be checked...

As for the DNS server, it is supplied by the remote end when it hands out the IP via DHCP. It's when the PPP tunnel is configured that it gets set. If your ISP supplies it, don't touch it.. It shouldn't cause a problem...

t.
One hundred thousand lemmings can't be wrong...
tomtom
Admiral
Posts: 6035
Joined: 26 Apr 2002 00:00
Location: Paris

Post by chaba » 23 Dec 2003 13:41

Thanks,

As for the ICMP echoes, I set them to yes via the Control Center (network options tab).
That did nothing.
In fact I want to take control from my XP through a graphical console, since I have no screen on my server.
With telnet, rlogin and vnc the connection is impossible.
I had concluded from that that the problem might come from there, since I can't ping my server.

Post by tomtom » 23 Dec 2003 13:45

What does iptables -L -v give you?

t.
One hundred thousand lemmings can't be wrong...

Post by chaba » 23 Dec 2003 13:56

quite a few lines...
But I don't know what I should be looking for?
Thanks

Post by tomtom » 23 Dec 2003 13:59

If there are quite a few lines, the firewall is not disabled!

So give me all the lines with input, please!

t.
One hundred thousand lemmings can't be wrong...

Post by chaba » 23 Dec 2003 14:02

Here you go

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 30 2740 ACCEPT all -- lo any anywhere anywhere
 0 0 DROP !icmp -- any any anywhere anywhere state INVALID
 2531 712K ppp_in all -- ppp+ any anywhere anywhere
 222 29298 eth0_in all -- eth0 any anywhere anywhere
 0 0 eth1_in all -- eth1 any anywhere anywhere
 0 0 common all -- any any anywhere anywhere
 0 0 LOG all -- any any anywhere anywhere LOG level info prefix `Shorewall:INPUT:REJECT:'
 0 0 reject all -- any any anywhere anywhere

I can post the rest too if you're interested

Post by tomtom » 23 Dec 2003 14:05

yes, post all of it!

t.
One hundred thousand lemmings can't be wrong...

Post by chaba » 23 Dec 2003 14:05

the iptables service is indeed stopped.
does the firewall work in that case?

Post by chaba » 23 Dec 2003 14:06

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 30 2740 ACCEPT all -- lo any anywhere anywhere
 0 0 DROP !icmp -- any any anywhere anywhere state INVALID
 2531 712K ppp_in all -- ppp+ any anywhere anywhere
 222 29298 eth0_in all -- eth0 any anywhere anywhere
 0 0 eth1_in all -- eth1 any anywhere anywhere
 0 0 common all -- any any anywhere anywhere
 0 0 LOG all -- any any anywhere anywhere LOG level info prefix `Shorewall:INPUT:REJECT:'
 0 0 reject all -- any any anywhere anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 0 0 DROP !icmp -- any any anywhere anywhere state INVALID
 4946 2284K ppp_fwd all -- ppp+ any anywhere anywhere
 4692 637K eth0_fwd all -- eth0 any anywhere anywhere
 0 0 eth1_fwd all -- eth1 any anywhere anywhere
 0 0 common all -- any any anywhere anywhere
 0 0 LOG all -- any any anywhere anywhere LOG level info prefix `Shorewall:FORWARD:REJECT:'
 0 0 reject all -- any any anywhere anywhere

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 30 2740 ACCEPT all -- any lo anywhere anywhere
 0 0 DROP !icmp -- any any anywhere anywhere state INVALID
 1834 272K fw2net all -- any ppp+ anywhere anywhere
 36 3524 fw2masq all -- any eth0 anywhere anywhere
 0 0 all2all all -- any eth1 anywhere anywhere
 0 0 common all -- any any anywhere anywhere
 0 0 LOG all -- any any anywhere anywhere LOG level info prefix `Shorewall:OUTPUT:REJECT:'
 0 0 reject all -- any any anywhere anywhere

Chain all2all (6 references)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
 0 0 newnotsyn tcp -- any any anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
 236 28482 common all -- any any anywhere anywhere
 34 2532 LOG all -- any any anywhere anywhere LOG level info prefix `Shorewall:all2all:REJECT:'
 34 2532 reject all -- any any anywhere anywhere

Chain common (5 references)
 pkts bytes target prot opt in out source destination
 63 5104 icmpdef icmp -- any any anywhere anywhere
 6 2576 reject udp -- any any anywhere anywhere udp dpt:135
 247 29460 reject udp -- any any anywhere anywhere udp dpts:netbios-ns:netbios-ssn
 0 0 reject udp -- any any anywhere anywhere udp dpt:microsoft-ds
 0 0 reject tcp -- any any anywhere anywhere tcp dpt:netbios-ssn
 6 288 reject tcp -- any any anywhere anywhere tcp dpt:microsoft-ds
 180 8664 reject tcp -- any any anywhere anywhere tcp dpt:135
 0 0 DROP udp -- any any anywhere anywhere udp dpt:1900
 0 0 DROP all -- any any anywhere 255.255.255.255
 0 0 DROP all -- any any anywhere BASE-ADDRESS.MCAST.NET/4
 0 0 reject tcp -- any any anywhere anywhere tcp dpt:auth
 0 0 DROP udp -- any any anywhere anywhere udp spt:domain state NEW
 0 0 DROP all -- any any anywhere 192.168.1.255
 0 0 DROP all -- any any anywhere 192.168.60.255

Chain dynamic (6 references)
 pkts bytes target prot opt in out source destination

Chain eth0_fwd (1 references)
 pkts bytes target prot opt in out source destination
 4692 637K dynamic all -- any any anywhere anywhere
 4692 637K masq2net all -- any ppp+ anywhere anywhere
 0 0 all2all all -- any eth1 anywhere anywhere

Chain eth0_in (1 references)
 pkts bytes target prot opt in out source destination
 222 29298 dynamic all -- any any anywhere anywhere
 222 29298 masq2fw all -- any any anywhere anywhere

Chain eth1_fwd (1 references)
 pkts bytes target prot opt in out source destination
 0 0 dynamic all -- any any anywhere anywhere
 0 0 loc2net all -- any ppp+ anywhere anywhere
 0 0 all2all all -- any eth0 anywhere anywhere

Chain eth1_in (1 references)
 pkts bytes target prot opt in out source destination
 0 0 dynamic all -- any any anywhere anywhere
 0 0 all2all all -- any any anywhere anywhere

Chain fw2masq (1 references)
 pkts bytes target prot opt in out source destination
 14 1712 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
 0 0 newnotsyn tcp -- any any anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
 0 0 ACCEPT tcp -- any any anywhere anywhere multiport dports ipp,printer,netbios-ns,netbios-dgm,netbios-ssn state NEW
 0 0 ACCEPT udp -- any any anywhere anywhere multiport dports ipp,printer,netbios-ns,netbios-dgm,netbios-ssn state NEW
 22 1812 all2all all -- any any anywhere anywhere

Chain fw2net (1 references)
 pkts bytes target prot opt in out source destination
 1566 256K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
 0 0 newnotsyn tcp -- any any anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
 268 16244 ACCEPT all -- any any anywhere anywhere

Chain icmpdef (1 references)
 pkts bytes target prot opt in out source destination

Chain loc2net (1 references)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
 0 0 newnotsyn tcp -- any any anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
 0 0 ACCEPT all -- any any anywhere anywhere

Chain masq2fw (1 references)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
 0 0 newnotsyn tcp -- any any anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
 0 0 ACCEPT tcp -- any any anywhere anywhere multiport dports domain,bootps,http,https,ipp,imap,pop3,smtp,nntp,ntp state NEW
 8 2628 ACCEPT udp -- any any anywhere anywhere multiport dports domain,bootps,http,https,ipp,imap,pop3,smtp,nntp,ntp state NEW
 214 26670 all2all all -- any any anywhere anywhere

Chain masq2net (1 references)
 pkts bytes target prot opt in out source destination
 3955 601K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
 0 0 newnotsyn tcp -- any any anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
 737 35569 ACCEPT all -- any any anywhere anywhere

Chain net2all (3 references)
 pkts bytes target prot opt in out source destination
 6445 2939K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
 138 5548 newnotsyn tcp -- any any anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
 894 51036 common all -- any any anywhere anywhere
 657 35998 LOG all -- any any anywhere anywhere LOG level info prefix `Shorewall:net2all:DROP:'
 657 35998 DROP all -- any any anywhere anywhere

Chain newnotsyn (7 references)
 pkts bytes target prot opt in out source destination
 138 5548 LOG all -- any any anywhere anywhere LOG level info prefix `Shorewall:newnotsyn:DROP:'
 138 5548 DROP all -- any any anywhere anywhere

Chain ppp_fwd (1 references)
 pkts bytes target prot opt in out source destination
 4946 2284K dynamic all -- any any anywhere anywhere
 4946 2284K net2all all -- any eth0 anywhere anywhere
 0 0 net2all all -- any eth1 anywhere anywhere

Chain ppp_in (1 references)
 pkts bytes target prot opt in out source destination
 2531 712K dynamic all -- any any anywhere anywhere
 2531 712K net2all all -- any any anywhere anywhere

Chain reject (11 references)
 pkts bytes target prot opt in out source destination
 186 8952 REJECT tcp -- any any anywhere anywhere reject-with tcp-reset
 253 32036 REJECT udp -- any any anywhere anywhere reject-with icmp-port-unreachable
 34 2532 REJECT icmp -- any any anywhere anywhere reject-with icmp-host-unreachable
 0 0 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited

Chain shorewall (0 references)
 pkts bytes target prot opt in out source destination

Post by tomtom » 23 Dec 2003 14:18

Ha yes, there I can tell you that your firewall is active

And what did you set up your connection sharing with??? the number of rules is insane...

OK, to unblock you temporarily:
type on a command line, as root:

iptables -I INPUT -i eth0 -j ACCEPT

(if eth0 is indeed the card connected to the LAN, otherwise adapt).

But at the next boot it won't work anymore; we'd need to know what your connection-sharing script is made with etc... in order to change it permanently.

t.
One hundred thousand lemmings can't be wrong...
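Added example, not code from the thread or from Shorewall: a small Python tracer that parses the `iptables -L -v` dump chaba posted above and replays a packet through it, so the rule that answers the ping (and the one that kills telnet) can be read off rather than guessed. The embedded DUMP is a constructed, trimmed copy of that output: only the chains a packet arriving on eth0 for the firewall itself can reach, and without the newnotsyn rules, which a new connection's SYN never matches. The function names (parse, trace, lan_packet, with_input_rule) and the packet model (protocol, in-interface, destination port and conntrack state only; no address matching) are this example's own.

```python
# Added example, not code from the thread: replay a LAN packet through the
# iptables chains chaba posted.  DUMP is a constructed, trimmed copy of that
# `iptables -L -v` output (chains reachable from eth0 to the firewall itself).
from fnmatch import fnmatch

DUMP = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 30 2740 ACCEPT all -- lo any anywhere anywhere
 0 0 DROP !icmp -- any any anywhere anywhere state INVALID
 222 29298 eth0_in all -- eth0 any anywhere anywhere
Chain eth0_in (1 references)
 222 29298 dynamic all -- any any anywhere anywhere
 222 29298 masq2fw all -- any any anywhere anywhere
Chain dynamic (6 references)
Chain masq2fw (1 references)
 0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
 0 0 ACCEPT tcp -- any any anywhere anywhere multiport dports domain,bootps,http,https,ipp,imap,pop3,smtp,nntp,ntp state NEW
 8 2628 ACCEPT udp -- any any anywhere anywhere multiport dports domain,bootps,http,https,ipp,imap,pop3,smtp,nntp,ntp state NEW
 214 26670 all2all all -- any any anywhere anywhere
Chain all2all (6 references)
 0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
 236 28482 common all -- any any anywhere anywhere
 34 2532 LOG all -- any any anywhere anywhere LOG level info prefix `Shorewall:all2all:REJECT:'
 34 2532 reject all -- any any anywhere anywhere
Chain common (5 references)
 63 5104 icmpdef icmp -- any any anywhere anywhere
Chain icmpdef (1 references)
Chain reject (11 references)
 186 8952 REJECT tcp -- any any anywhere anywhere reject-with tcp-reset
 253 32036 REJECT udp -- any any anywhere anywhere reject-with icmp-port-unreachable
 34 2532 REJECT icmp -- any any anywhere anywhere reject-with icmp-host-unreachable
"""


def parse_rule(line):
    """One `iptables -L -v` rule line -> the match fields this model knows."""
    t = line.split()
    r = {"target": t[2], "proto": t[3], "in": t[5], "extra": t[9:], "dports": None, "states": None}
    for i, w in enumerate(r["extra"]):
        if w == "dports":                  # multiport dports a,b,c
            r["dports"] = set(r["extra"][i + 1].split(","))
        elif w == "state":                 # conntrack state list
            r["states"] = set(r["extra"][i + 1].split(","))
    return r


def parse(dump):
    """-> ({chain: [rules]}, {chain: policy, or None for user chains})."""
    chains, policies, cur = {}, {}, None
    for line in dump.splitlines():
        t = line.split()
        if t and t[0] == "Chain":
            cur, chains[t[1]] = t[1], []
            policies[t[1]] = t[3] if t[2] == "(policy" else None
        elif t and t[0] != "pkts":         # skip the column header line
            chains[cur].append(parse_rule(line))
    return chains, policies


def matches(r, pkt):
    neg, proto = r["proto"].startswith("!"), r["proto"].lstrip("!")
    if proto != "all" and (proto == pkt["proto"]) == neg:
        return False
    if r["in"] != "any" and not fnmatch(pkt["in"], r["in"].replace("+", "*")):
        return False
    if r["dports"] is not None and str(pkt["dport"]) not in r["dports"]:
        return False
    return r["states"] is None or pkt["state"] in r["states"]


def trace(chains, policies, pkt, chain="INPUT", path=None):
    """Walk the chains as netfilter would -> (verdict, chains and logs visited)."""
    path = [] if path is None else path
    path.append(chain)
    for r in chains[chain]:                # KeyError = chain not in the trimmed DUMP
        if not matches(r, pkt):
            continue
        t = r["target"]
        if t == "LOG":                     # non-terminal: note the prefix, go on
            path.append("LOG " + r["extra"][-1].strip("`'"))
            continue
        if t in ("ACCEPT", "DROP", "REJECT"):
            return t + (" " + r["extra"][-1] if t == "REJECT" else ""), path
        verdict, _ = trace(chains, policies, pkt, t, path)   # user-defined chain
        if verdict is not None:
            return verdict, path
    return policies[chain], path           # end of chain: policy, None = RETURN


def lan_packet(proto, dport=None):
    """Constructed: first packet of a new flow from the XP client, in on eth0."""
    return {"in": "eth0", "proto": proto, "dport": dport, "state": "NEW"}


def with_input_rule(chains, rule_line):
    """Model `iptables -I INPUT ...`: the new rule lands at the top of INPUT."""
    return {**chains, "INPUT": [parse_rule(rule_line)] + chains["INPUT"]}


CHAINS, POLICIES = parse(DUMP)
print(trace(CHAINS, POLICIES, lan_packet("icmp")))          # why the ping fails
print(trace(CHAINS, POLICIES, lan_packet("tcp", "telnet")))  # why telnet fails
```

Run as is, it prints the two verdicts. The ping goes INPUT > eth0_in > masq2fw > all2all > common > (logged) > reject and ends on the `REJECT icmp ... icmp-host-unreachable` line, which is where the 34 packets in chaba's counters went; telnet ends on the tcp-reset line because port 23 is not in the masq2fw multiport list, and the same holds for vnc. `with_input_rule` shows what tomtom's `iptables -I INPUT -i eth0 -j ACCEPT` does: every packet from the LAN hits ACCEPT as the first INPUT rule, so the 135/netbios/microsoft-ds rejects in `common` no longer protect the firewall host from the LAN either. Inserting the rule with `-p icmp --icmp-type echo-request` unblocks only the ping, and for remote administration only the one port needed should be opened (ssh rather than telnet or rlogin, which send the password in clear). Since the log prefixes show these chains are generated by Shorewall, the lasting fix belongs in /etc/shorewall/rules rather than in a manual iptables command; assuming the zone names masq and fw used in the rules file chaba posts later in the thread, lines such as `ACCEPT masq fw icmp 8` and `ACCEPT masq fw tcp ssh` followed by `shorewall restart` would be the equivalent (an assumption, not something the thread confirms).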

Post by chaba » 23 Dec 2003 14:26

connection sharing was handled automatically by the Mandrake utilities.

The ping is OK, PERFECT.
THANKS

What can I do to completely disable the firewall and start from scratch?



I still can't get access via telnet or vnc...

Post by marlone41 » 23 Dec 2003 14:31

hi,
first of all go into /etc/shorewall and tell me what is in the files shorewall, tcrules, rules and rfc1918, and I'll be able to tell you a bit more
otherwise, in your XP network settings
set a fixed IP address in the same range as your server
e.g. 192.168.1.1 for your Mandrake gateway

IP 192.168.1.2 for XP
netmask 255.255.255.0
gateway 192.168.1.1
DNS server 192.168.1.1



but I'm waiting for you to send me the contents of the files

there you go

BIG
and God created linux !!!!!!
Alias
JODALTTON
ADMIN SITE Serveurlinux
www.serveurlinux.fr.st
marlone41
Midshipman
Posts: 118
Joined: 08 Oct 2003 00:00
Location: paname

Post by marlone41 » 23 Dec 2003 14:36

in reply to

What can I do to completely disable the firewall and start from scratch?

--------------------------------------

that's not a very good idea, and disabling it will make you struggle even more
instead, as I said, send me your shorewall config files

for example:
tcrules, rules and rfc1918, and I'll be able to tell you a bit more

Cheers
and God created linux !!!!!!
Alias
JODALTTON
ADMIN SITE Serveurlinux
www.serveurlinux.fr.st

Post by chaba » 23 Dec 2003 14:41

Hi,
For the fixed IP, already tried, it changed nothing.
Here are the file contents

SHOREWALL doesn't exist but there is a SHOREWALL.conf

RULES:
#
# Shorewall version 1.4 - Rules File
#
# /etc/shorewall/rules
#
# Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking.
#
# In most places where an IP address or subnet is allowed, you
# can precede the address/subnet with "!" (e.g., !192.168.1.0/24) to
# indicate that the rule matches all addresses except the address/subnet
# given. Notice that no white space is permitted between "!" and the
# address/subnet.
#
# Columns are:
#
#
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE
# or LOG.
#
# ACCEPT -- allow the connection request
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable or an RST packet.
# DNAT -- Forward the request to another
# system (and optionally another
# port).
# DNAT- -- Advanced users only.
# Like DNAT but only generates the
# DNAT iptables rule and not
# the companion ACCEPT rule.
# REDIRECT -- Redirect the request to a local
# port on the firewall.
# REDIRECT-
# -- Advanced users only.
# Like REDIRECT but only generates the
# REDIRECT iptables rule and not
# the companion ACCEPT rule.
# CONTINUE -- (For experts only). Do not process
# any of the following rules for this
# (source zone,destination zone). If
# The source and/or destination IP
# address falls into a zone defined
# later in /etc/shorewall/zones, this
# connection request will be passed
# to the rules defined for that
# (those) zone(s).
# LOG -- Simply log the packet and continue.
#
# May optionally be followed by ":" and a syslog log
# level (e.g, REJECT:info). This causes the packet to be
# logged at the specified level.
#
# You may also specify ULOG (must be in upper case) as a
# log level. This will log to the ULOG target for routing
# to a separate log through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, or "all" If the ACTION is DNAT or
# REDIRECT, sub-zones of the specified zone may be
# excluded from the rule by following the zone name with
# "!' and a comma-separated list of sub-zone names.
#
# Except when "all" is specified, clients may be further
# restricted to a list of subnets and/or hosts by
# appending ":" and a comma-separated list of subnets
# and/or hosts. Hosts may be specified by IP or MAC
# address; mac addresses must begin with "~" and must use
# "-" as a separator.
#
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
#
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
# Internet
#
# loc:192.168.1.1,192.168.1.2
# Hosts 192.168.1.1 and
# 192.168.1.2 in the local zone.
# loc:~00-A0-C9-15-39-78 Host in the local zone with
# MAC address 00:A0:C9:15:39:78.
#
# Alternatively, clients may be specified by interface
# by appending ":" to the zone name followed by the
# interface name. For example, loc:eth1 specifies a
# client that communicates with the firewall system
# through eth1. This may be optionally followed by
# another colon (":") and an IP/MAC/subnet address
# as described above (e.g., loc:eth1:192.168.1.5).
#
# DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones, $FW to indicate the firewall
# itself or "all"
#
# Except when "all" is specified, the server may be
# further restricted to a particular subnet, host or
# interface by appending ":" and the subnet, host or
# interface. See above.
#
# Restrictions:
#
# 1. MAC addresses are not allowed.
# 2. In DNAT rules, only IP addresses are
# allowed; no FQDNs or subnet addresses
# are permitted.
# 3. You may not specify both an interface and
# an address.
#
# Unlike in the SOURCE column, you may specify a range of
# up to 256 IP addresses using the syntax
# <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
# the connections will be assigned to addresses in the
# range in a round-robin fashion.
#
# The port that the server is listening on may be
# included and separated from the server's IP address by
# ":". If omitted, the firewall will not modify the
# destination port. A destination port may only be
# included if the ACTION is DNAT or REDIRECT.
#
# Example: loc:192.168.1.3:3128 specifies a local
# server at IP address 192.168.1.3 and listening on port
# 3128. The port number MUST be specified as an integer
# and not as a name from /etc/services.
#
# if the ACTION is REDIRECT, this column needs only to
# contain the port number on the firewall that the
# request should be redirected to.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
# "all".
#
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# A port range is expressed as <low port>:<high port>.
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following fields are supplied.
# In that case, it is suggested that this field contain
# "-"
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
# this list and the CLIENT PORT(S) list below:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
#
# If you don't want to restrict client ports but need to
# specify an ADDRESS in the next column, then place "-"
# in this column.
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
# this list and the DEST PORT(S) list above:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# ORIGINAL DEST (Optional -- only allowed if ACTION is DNAT[-] or
# REDIRECT[-]) If included and different from the IP
# address given in the SERVER column, this is an address
# on some interface on the firewall and connections to
# that address will be forwarded to the IP and port
# specified in the DEST column.
#
# A comma-separated list of addresses may also be used.
# This is usually most useful with the REDIRECT target
# where you want to redirect traffic destined for
# particular set of hosts.
#
# Finally, if the list of addresses begins with "!" then
# the rule will be followed only if the original
# destination address in the connection request does not
# match any of the addresses listed.
#
# The address (list) may optionally be followed by
# a colon (":") and a second IP address. This causes
# Shorewall to use the second IP address as the source
# address in forwarded packets. See the Shorewall
# documentation for restrictions concerning this feature.
# If no source IP address is given, the original source
# address is not altered.
#
# Example: Accept SMTP requests from the DMZ to the internet
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT dmz net tcp smtp
#
# Example: Forward all ssh and http connection requests from the internet
# to local system 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp ssh,http
#
# Example: Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# REDIRECT loc 3128 tcp www - !192.168.2.2
#
# Example: All http requests from the internet to address
# 130.252.100.69 are to be forwarded to 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
#
# Example: You want to accept SSH connections to your firewall only
# from internet IP addresses 130.252.100.69 and 130.252.100.70
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT net:130.252.100.69,130.252.100.70
# tcp 22
##############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
ACCEPT masq fw tcp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
ACCEPT masq fw udp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
ACCEPT fw masq tcp 631,515,137,138,139 -
ACCEPT fw masq udp 631,515,137,138,139 -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

RFC1918:

#
# Shorewall 1.4 -- RFC1918 File
#
# /etc/shorewall/rfc1918
#
# Lists the subnetworks that are blocked by the 'norfc1918' interface option.
#
# The default list includes those IP addresses listed in RFC 1918, those listed
# as 'reserved' by the IANA, the DHCP Autoconfig class B, and the class C
# reserved for use in documentation and examples.
#
# Columns are:
#
# SUBNET The subnet (host addresses also allowed)
# TARGET Where to send packets to/from this subnet
# RETURN - let the packet be processed normally
# DROP - silently drop the packet
# logdrop - log then drop
#
###############################################################################
#SUBNET TARGET
255.255.255.255 RETURN # We need to allow limited broadcast
169.254.0.0/16 DROP # DHCP autoconfig
172.16.0.0/12 logdrop # RFC 1918
192.0.2.0/24 logdrop # Example addresses
192.168.0.0/16 logdrop # RFC 1918
#
# The following are generated with the help of the Python program found at:
#
# http://www.shorewall.net/pub/shorewall/ ... _reserved/
#
# The program was contributed by Andy Wiggin
#
0.0.0.0/7 logdrop # Reserved
2.0.0.0/8 logdrop # Reserved
5.0.0.0/8 logdrop # Reserved
7.0.0.0/8 logdrop # Reserved
10.0.0.0/8 logdrop # Reserved
23.0.0.0/8 logdrop # Reserved
27.0.0.0/8 logdrop # Reserved
31.0.0.0/8 logdrop # Reserved
36.0.0.0/7 logdrop # Reserved
39.0.0.0/8 logdrop # Reserved
41.0.0.0/8 logdrop # Reserved
42.0.0.0/8 logdrop # Reserved
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
58.0.0.0/7 logdrop # Reserved
60.0.0.0/8 logdrop # Reserved
70.0.0.0/7 logdrop # Reserved
72.0.0.0/5 logdrop # Reserved
83.0.0.0/8 logdrop # Reserved
84.0.0.0/6 logdrop # Reserved
88.0.0.0/5 logdrop # Reserved
96.0.0.0/3 logdrop # Reserved
127.0.0.0/8 logdrop # Loopback
197.0.0.0/8 logdrop # Reserved
198.18.0.0/15 logdrop # Reserved
201.0.0.0/8 logdrop # Reserved - Central & South America
240.0.0.0/4 logdrop # Reserved
#
# End of generated entries
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
