Hello,
I am running VMware-server-1.0.0-27828.i386 under Suse 10.0 with (among others) a Win98 guest.
For learning purposes I want to log EVERY packet of traffic going from the Win98 guest out to the Internet -
how do I have to correct the rule?
Code:
$IPT -A INPUT -s $_WIN98 -d ! $_VNETPUB -i vmnet1 -j LOG --log-level 7 --log-prefix "NU_OUTGOING_win98_CONNECT: "
My script:
Code:
#!/bin/bash
IPT=/usr/sbin/iptables
/usr/bin/test -x $IPT || exit 1
_HOST=192.168.0.230
_VNETPUB=172.16.186.0/24
_VMNET1=172.16.186.1
_WIN98=172.16.186.128
# no packets with source-routing set
# don't allow somebody else to change our routing table
# (we don't try to change somebody else's one)
for i in /proc/sys/net/ipv4/conf/*/{accept_source_route,accept_redirects,send_redirects}; do
echo 0 >$i
done
# ignore ping's to all machines at once via sending request to broadcast address
echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# activate syncookie safety mechanism (must be activated in kernel at compile-time, section "net").
echo 1 >/proc/sys/net/ipv4/tcp_syncookies
# activate general ip-packet forwarding
echo 1 >/proc/sys/net/ipv4/ip_forward
# INPUT rules (FROM Win98 machine TO Samba Server):
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -s $_WIN98 -d $_VMNET1 -p udp --destination-port 137:139 -i vmnet1 -j ACCEPT # Accept UDP NetBIOS requests
$IPT -A INPUT -s $_WIN98 -d $_VMNET1 -p tcp --destination-port 137:139 -i vmnet1 -j ACCEPT # Accept TCP NetBIOS requests
$IPT -A INPUT -s $_WIN98 -d $_VMNET1 -p tcp --dport 445 -i vmnet1 -j ACCEPT
$IPT -A INPUT -p udp --sport 67 --dport 68 -d $_WIN98 -i vmnet1 -j ACCEPT
# xxxxxx
# --->
# --->
$IPT -A INPUT -s $_WIN98 -d ! $_VNETPUB -i vmnet1 -j LOG --log-level 7 --log-prefix "NU_OUTGOING_win98_CONNECT: "
# <---
# <---
# xxxxxx
$IPT -A INPUT -i vmnet1 -j DROP
# OUTPUT Rules (FROM host TO Win98)
$IPT -A OUTPUT -s $_HOST -d $_WIN98 -o vmnet1 -j ACCEPT
$IPT -A OUTPUT -s $_WIN98 -j DROP
# FORWARD Rules (FROM Win98 to Outside)
$IPT -A FORWARD -s $_WIN98 -j DROP
# NAT postrouting Rules
$IPT -t nat -A POSTROUTING -s $_WIN98 -o dsl0 -j DROP
Code:
# ifconfig
dsl0 Link encap:Point-to-Point Protocol
inet addr:xx.xx.130.219 P-t-P:xx.xx.247.95 Mask:255.255.255.255
eth1 Link encap:Ethernet HWaddr 00:0C:76:71:02:09
inet addr:192.168.0.230 Bcast:192.168.0.255 Mask:255.255.255.0
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
vmnet1 Link encap:Ethernet HWaddr 00:50:56:C0:00:01
inet addr:172.16.186.1 Bcast:172.16.186.255 Mask:255.255.255.0
Does anyone have a tip?
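An added example (not the poster's script) showing where the logging rule has to sit: packets from the guest to the Internet are routed by the host, so they traverse PREROUTING, FORWARD and POSTROUTING and never enter INPUT, which only sees packets addressed to the host itself. IPT defaults to a dry run that prints the commands instead of applying them; `! -d` is the negation syntax current iptables accepts (the `-d !` form in the post is the old spelling).

```shell
#!/bin/bash
# Added example, not the poster's script. Log guest -> Internet traffic in the
# FORWARD chain, where routed packets actually pass; an INPUT rule only ever
# sees packets whose destination is one of the host's own addresses.
# IPT defaults to a dry run that prints the rules; run with
# IPT=/usr/sbin/iptables as root to apply them.
IPT=${IPT:-"echo iptables"}
_VNETPUB=172.16.186.0/24      # vmnet1 subnet (values taken from the post)
_WIN98=172.16.186.128         # the Win98 guest

# Emit the rules handling guest traffic that leaves vmnet1 for any
# destination outside the vmnet1 subnet. One command per output line.
guest_outgoing_rules() {
    # Log every packet first: LOG is non-terminating, but it must come
    # before DROP, otherwise the packet is gone before it is logged.
    $IPT -A FORWARD -i vmnet1 -s "$_WIN98" ! -d "$_VNETPUB" \
        -j LOG --log-level 7 --log-prefix "NU_OUTGOING_win98_CONNECT: "
    # Keep the post's policy of not forwarding guest traffic. To let the
    # guest out, replace DROP with ACCEPT and add a MASQUERADE rule in
    # nat/POSTROUTING for -o dsl0 instead of the DROP the post has there.
    $IPT -A FORWARD -i vmnet1 -s "$_WIN98" ! -d "$_VNETPUB" -j DROP
}

guest_outgoing_rules
```

With `--log-level 7` the entries land in the kernel debug log (e.g. `dmesg` or the syslog kern facility); `-m limit` can be added to the LOG rule if a chatty guest floods the log.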