У меня такой вопрос, на freeBsd поднят ipfw , вот конфиг
${fwcmd} -f flush
${fwcmd} add check-state
${fwcmd} add allow ip from any to any via lo0
${fwcmd} add deny ip from any to 127.0.0.0/8
${fwcmd} add deny ip from 127.0.0.0/8 to any
# Stop spoofing
# ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
# ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny ip from any to 10.0.0.0/8 in via ${oif}
${fwcmd} add deny ip from any to 172.16.0.0/12 in via ${oif}
${fwcmd} add deny ip from any to 192.168.0.0/16 in via ${oif}
${fwcmd} add deny ip from any to 0.0.0.0/8 in via ${oif}
${fwcmd} add deny ip from any to 169.254.0.0/16 in via ${oif}
${fwcmd} add deny ip from any to 240.0.0.0/4 in via ${oif}
${fwcmd} add deny icmp from any to any frag
${fwcmd} add deny log icmp from any to 255.255.255.255 in via ${oif}
${fwcmd} add deny log icmp from any to 255.255.255.255 out via ${oif}
#*********************MAIN RULES******************************************************** #****************************************************************************** * ******* # NAT
${fwcmd} add divert natd ip from ${cbank0} to any out via ${oif}
${fwcmd} add divert natd ip from ${cbank1} to any out via ${oif}
${fwcmd} add divert natd ip from ${aftn} to any 80 out via ${oif}
${fwcmd} add divert natd ip from any to ${oip} in via ${oif}
#****************************************************************************** * ******* ${fwcmd} add fwd 127.0.0.1,3128 tcp from ${netin} to any 80,443 via ${oif}
${fwcmd} add divert natd ip from ${inet}/${imask} to any out via ${oif}
#****************************************************************************** * *******
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny ip from 10.0.0.0/8 to any out via ${oif}
${fwcmd} add deny ip from 172.16.0.0/12 to any out via ${oif}
${fwcmd} add deny ip from 192.168.0.0/16 to any out via ${oif}
${fwcmd} add deny ip from 0.0.0.0/8 to any out via ${oif}
${fwcmd} add deny ip from 169.254.0.0/16 to any out via ${oif}
${fwcmd} add deny ip from 192.0.2.0/24 to any out via ${oif}
${fwcmd} add deny ip from 224.0.0.0/4 to any out via ${oif}
# Allow TCP through if setup succeeded !!!all connect!!!nado
${fwcmd} add allow tcp from any to any established
# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag
#server in inet - GO
${fwcmd} add allow ip from ${oip} to any out xmit ${oif}
# Allow setup of incoming email
# ${fwcmd} add pass tcp from any to ${oip} 25 setup
# Allow access to our DNS
${fwcmd} add allow udp from any 53 to any via ${oif} # for in lan!!!
# ${fwcmd} add fwd 127.0.0.1 tcp from 192.168.1.39/32 to any via ${oif}
# Squid # ${fwcmd} add fwd 127.0.0.1,3128 tcp from ${netin} to any via ${oif}
#${fwcmd} add fwd 192.168.1.39 tcp from ${netin} to any
# PING ${fwcmd} add allow icmp from any to any icmptypes 0,8,11
# OPEN PORTS # ${fwcmd} add allow all from any to any 3128,21,22,25,110,139,445,80 via ${iif}
${fwcmd} add allow udp from any to any via ${iif}
${fwcmd} add allow tcp from any to any via ${iif}
# ${fwcmd} add allow all from 192.168.1.39 to not 192.168.1.0/24 in via ${iif} setup
# ъбртеф ипдйфш нйнп улчйдб ${fwcmd} add deny all from ${netin} to any via ${oif}
# ${fwcmd} add allow all from 192.168.1.39 to not 192.168.1.0/24 in via ${iif} setup
#****** ALL FACKE OFF******************************************************** ${fwcmd} add deny ip from any to any #****************************************************************************** * *****
# ${fwcmd} add pass udp from any to ${oip} 53
# ${fwcmd} add pass udp from ${oip} 53 to any
# Allow access to our WWW
# ${fwcmd} add pass tcp from any to ${oip} 80 setup
# ${fwcmd} add pass tcp from any to any 80 setup
# Reject&Log all setup of incoming connections from the outside
# ${fwcmd} add deny log tcp from any to any in via ${oif} setup
# Allow setup of any other TCP connection
# ${fwcmd} add pass tcp from any to any setup
# Allow DNS queries out in the world
# ${fwcmd} add pass udp from ${oip} to any 53 keep-state
# Allow NTP queries out in the world
# ${fwcmd} add pass udp from ${oip} to any 123 keep-state
Как мне это реалезовать например в CenTose? Ну или просто скажите к каким цепочкам относятся эти правила в IPTABLES?
>>>