[Sysadmins] iptables rules DNAT ftp passive

[Grigory Fateyev]

Hello Starodumoff Ilya!
On Sat, 17 May 2008 00:03:22 +0600 you wrote:

> pasv_address=20.13.20.194
> 
> и подчистить forward надо бы... "кудряво как-то"... :)

Вроде ничего особенного...

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

$IPTABLES -A FORWARD -i $OVZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "
$IPTABLES -A FORWARD -d $WEB1_VE -m state --state NEW -p tcp --dport 21
 -j ACCEPT $IPTABLES -A FORWARD -d $WEB1_VE -m state --state NEW -p \ 
tcp --dport 65000:65535 -j ACCEPT

$IPTABLES -A FORWARD -i $INET_IFACE -o $OVZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $OVZ_IFACE -o $INET_IFACE -j ACCEPT

# Routing VEs outside
$IPTABLES -A FORWARD -p all -s $OVZ_NET -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p all -d $OVZ_NET -i $INET_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT 
#$IPTABLES -A FORWARD -p all -s $OVZ_NET -j ACCEPT 
#$IPTABLES -A FORWARD -p all -d $OVZ_NET -j ACCEPT


-- 
Всего наилучшего! Григорий
greg [at] anastasia [dot] ru
Письмо отправлено: 2008/05/16 22:20