Red Hat NETSCAPE MANAGEMENT SYSTEM 6.2 - COMMAND-LINE Installation Guide, Page 76

## Trusted hosts/nets
#
# This is our trusted host list. These have access to everything.
for i in $TRUSTED; do
    $IPCHAINS -A input -s $i -j ACCEPT
done

# Port Forwarding
#
# Which ports get forwarded to which host. This is one to one
# port mapping (ie 80 -> 80) in this case.
# NOTE: ipmasqadm is a separate package from ipchains and needs
# to be installed also. Check first!
[ -n "$FORWARD_HOST" ] && ipmasqadm portfw -f &&\
for i in $FORWARD_PORTS; do
    ipmasqadm portfw -a -P tcp -L $WAN_IP $i -R $FORWARD_HOST $i
done

## Open, but Restricted Access ports/services
#
# Allow DHCP server (their port 67) to client (to our port 68) UDP traffic
# from outside source.
[ -n "$DHCP_SERVER" ] &&\
  $IPCHAINS -A input -p udp -s $DHCP_SERVER 67 -d $ANYWHERE 68 -j ACCEPT

# Allow 'identd' (to our TCP port 113) from mail server only.
[ -n "$MAIL_SERVER" ] &&\
  $IPCHAINS -A input -p tcp -s $MAIL_SERVER -d $WAN_IP 113 -j ACCEPT

# Open up PUBLIC server ports here (available to the world):
for i in $PUBLIC_PORTS; do
    $IPCHAINS -A input -p tcp -s $ANYWHERE -d $WAN_IP $i -j ACCEPT
done

# So I can check my home POP3 mailbox from work. Also, so I can ssh
# in to home system. Only allow connections from my workplace's
# various IPs. Everything else is blocked.
$IPCHAINS -A input -p tcp -s 255.10.9.8/29 -d $WAN_IP 110 -j ACCEPT

# Uncomment to allow ftp data back (active ftp). Not required for 'passive'
# ftp connections.
#$IPCHAINS -A input -p tcp -s $ANYWHERE 20 -d $WAN_IP $LOCAL_PORTS -y -j ACCEPT

# Accept non-SYN TCP, and UDP connections to LOCAL_PORTS. These are
# the high, unprivileged ports (1024 to 4999 by default). This will
# allow return connection traffic for connections that we initiate
# to outside sources. TCP connections are opened with 'SYN' packets.
# We have already opened the services that need to accept SYNs, so
# SYNs to everything else are excluded here.
$IPCHAINS -A input -p tcp -s $ANYWHERE -d $WAN_IP $LOCAL_PORTS ! -y -j ACCEPT

# We can't be so selective with UDP since that protocol does not know
# about SYNs.
$IPCHAINS -A input -p udp -s $ANYWHERE -d $WAN_IP $LOCAL_PORTS -j ACCEPT

# Allow access to the masquerading ports conditionally. Masquerading
# uses its own port range -- on 2.2 kernels ONLY! 2.4 kernels do not
# use these ports, so comment out!
[ -n "$LAN_NET" ] &&\
  $IPCHAINS -A input -p tcp -s $ANYWHERE -d $WAN_IP 61000: ! -y -j ACCEPT &&\
  $IPCHAINS -A input -p udp -s $ANYWHERE -d $WAN_IP 61000: -j ACCEPT
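To see what the chain above actually admits, here is an added Python model (not part of the HOWTO) of the "input" chain with ipchains' first-match ACCEPT and a DENY policy, which the HOWTO assumes for everything not explicitly accepted. WAN_IP, the trusted, DHCP and mail hosts and the LAN net are constructed placeholders, and the ipmasqadm port forwarding is not modelled since it is not a chain rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WAN_IP = "203.0.113.10"            # constructed placeholder (documentation range)
LOCAL_PORTS = range(1024, 5000)    # the HOWTO's default high ports 1024-4999
MASQ_PORTS = range(61000, 65536)   # "61000:" on a 2.2 kernel

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag, what ipchains -y / ! -y tests

def rule(proto=None, src="0.0.0.0/0", sport=None, dst=None, dport=None, syn=None):
    """One ACCEPT rule; None means 'any', as an omitted ipchains match does."""
    return (proto, ip_network(src), sport, dst, dport, syn)

def build_chain(trusted=(), dhcp_server=None, mail_server=None, public_ports=(), lan_net=None):
    """The input chain in the order the script appends its rules."""
    chain = [rule(src=f"{h}/32") for h in trusted]               # trusted: everything
    if dhcp_server:
        chain.append(rule("udp", f"{dhcp_server}/32", 67, None, 68))
    if mail_server:
        chain.append(rule("tcp", f"{mail_server}/32", None, WAN_IP, 113))
    chain += [rule("tcp", dst=WAN_IP, dport=p) for p in public_ports]
    chain.append(rule("tcp", "255.10.9.8/29", dst=WAN_IP, dport=110))  # POP3 from work
    chain.append(rule("tcp", dst=WAN_IP, dport=LOCAL_PORTS, syn=False)) # ! -y: replies only
    chain.append(rule("udp", dst=WAN_IP, dport=LOCAL_PORTS))            # UDP has no SYN
    if lan_net:                                                         # 2.2 masq ports
        chain.append(rule("tcp", dst=WAN_IP, dport=MASQ_PORTS, syn=False))
        chain.append(rule("udp", dst=WAN_IP, dport=MASQ_PORTS))
    return chain

def _port_ok(spec, port):
    return spec is None or port == spec or (not isinstance(spec, int) and port in spec)

def matches(r, p):
    proto, src, sport, dst, dport, syn = r
    return (proto in (None, p.proto) and ip_address(p.src) in src
            and _port_ok(sport, p.sport) and dst in (None, p.dst)
            and _port_ok(dport, p.dport) and syn in (None, p.syn))

def verdict(chain, p):
    """First matching ACCEPT wins; otherwise the DENY policy applies."""
    return "ACCEPT" if any(matches(r, p) for r in chain) else "DENY"
```

Running an inbound SYN to a high port against the chain shows it is denied while the non-SYN reply to the same port is accepted, which is exactly the distinction the `! -y` rule buys over the UDP rule beside it.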
Security Quick-Start HOWTO for Red Hat Linux
8.9. Secure Alternatives 73