mk forward firewall
Posted: 19 Nov 2013 09:14
Hi all, I have a client MK (MikroTik) that only does routing.
MK IP addresses:
192.168.155.2/24 on wlan1
192.168.3.1/24 on eth1
192.168.155.1 is the gateway and DNS
Behind it, on the Ethernet side, there is a NAT router.
IP of the NAT router behind the MK, on the Ethernet side:
192.168.3.100/24
192.168.3.1 is the gateway and DNS
On that client MK I need to block everything coming from outside to 192.168.3.100 and allow only TCP ports 22, 8033, 8034, 8035, 5900 and UDP port 1194, but in a way that doesn't cut off the NAT router's internet... I can't get into that NAT router, it's a client machine they can't look after themselves and they had a DNS flood there...
I have it like this, is it OK? Can't it happen that I cut off their net? Is it necessary to specify the in-interface? I have nowhere to test it and I need to be one hundred percent sure it will be OK, thanks
4 X chain=forward action=accept protocol=tcp dst-address=192.168.3.100 dst-port=22
5 X chain=forward action=accept protocol=tcp dst-address=192.168.3.100 dst-port=5900
6 X chain=forward action=accept protocol=tcp dst-address=192.168.3.100 dst-port=8033
7 X chain=forward action=accept protocol=tcp dst-address=192.168.3.100 dst-port=8034
8 X chain=forward action=accept protocol=tcp dst-address=192.168.3.100 dst-port=8035
9 X chain=forward action=accept protocol=udp dst-address=192.168.3.100 dst-port=1194
10 X chain=forward action=accept protocol=icmp dst-address=192.168.3.100
11 X chain=forward action=log dst-address=192.168.3.100 in-interface=wlan1 log-prefix=""
12 X chain=forward action=drop dst-address=192.168.3.100 in-interface=wlan1
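For comparison, an added ruleset (not the poster's configuration) in `/ip firewall filter` export form that covers the same ports but accepts established/related traffic before the drop, so replies to connections the NAT router opens towards the internet are not caught by the final drop rule. It assumes the rules 0-3 that the post does not show do not already accept established/related, that wlan1 is the only "outside" interface, and that the MK itself does no NAT; the comments and the log prefix are constructed here.

```routeros
/ip firewall filter
# Replies to connections initiated from 192.168.3.100 (the NAT router's
# users browsing, DNS, updates) arrive on wlan1 with an ephemeral dst-port.
# Without this rule they would never match the port accepts below and the
# drop at the end would cut the NAT router's internet.
add chain=forward connection-state=established,related action=accept \
    comment="replies to connections opened from the LAN side"
# Packets that belong to no tracked connection; drop them before the port
# accepts so stray or spoofed segments are not let in by a port match alone.
add chain=forward connection-state=invalid action=drop comment="invalid state"
# New inbound connections from outside: only the published services.
# dst-port takes a comma list, so one rule replaces five.
add chain=forward in-interface=wlan1 dst-address=192.168.3.100 protocol=tcp \
    dst-port=22,5900,8033,8034,8035 connection-state=new action=accept \
    comment="published TCP services on the NAT router"
add chain=forward in-interface=wlan1 dst-address=192.168.3.100 protocol=udp \
    dst-port=1194 action=accept comment="OpenVPN on the NAT router"
add chain=forward in-interface=wlan1 dst-address=192.168.3.100 protocol=icmp \
    action=accept comment="ping to the NAT router"
# Everything else that arrives from outside for the NAT router: log, then drop.
# in-interface=wlan1 keeps the drop scoped to traffic entering from the WAN
# side; the accept rules above are already limited to wlan1 for the same reason.
add chain=forward in-interface=wlan1 dst-address=192.168.3.100 action=log \
    log-prefix="nat-router-drop: "
add chain=forward in-interface=wlan1 dst-address=192.168.3.100 action=drop \
    comment="drop all other inbound to the NAT router"
```

Since there is no lab to test in, apply it from a terminal in Safe Mode (Ctrl-X) so the change is rolled back automatically if the session is lost, and afterwards compare counters with `/ip firewall filter print stats` to confirm the established/related rule is the one matching the bulk of the return traffic.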