перенос правил iptables на другой линух

Форум — Security
    При переносе правил с fedora 8 на fedora 9 (версии iptables совпадают)
    iptables-restore < iptables
    ругаетца на
    [root@shata-new sysconfig]# iptables-restore < iptables
    iptables-restore: line 271 failed

    а 271 строка это COMMIT.Последняя строка в конфиге

    вот собственно код (сокращенный)

    # Generated by iptables-save v1.3.8 on Fri Nov 16 09:09:07 2007
    *nat
    :PREROUTING ACCEPT [16952:1498121]
    :POSTROUTING ACCEPT [8150:470210]
    :OUTPUT ACCEPT [1717:132048]
    -A PREROUTING -d 217.20.182.* -p tcp -m tcp --dport 143 -j DNAT --to-destination 10.0.3.1
    -A PREROUTING -d 217.20.182.* -p tcp -m tcp --dport 3389 -j DNAT --to-destination 10.0.1.5
    -A PREROUTING -d 217.20.182.* -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.0.20
    -A PREROUTING -d 217.20.182.* -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.3.1
    -A PREROUTING -d 217.20.182.* -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.3.1
    -A PREROUTING -d 217.20.182.* -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.0.3.1
    #-A POSTROUTING -s 10.0.1.39 -d 212.66.32.18 -p tcp -m tcp --dport 119 -j SNAT --to-source 217.20.182.*
    #-A POSTROUTING -s 10.0.1.39 -d 195.184.207.* -p tcp -m tcp --dport 119 -j SNAT --to-source 217.20.182.*
    -A POSTROUTING -s 192.168.135.* -j SNAT --to-source 217.20.182.*
    -A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1024
    -A POSTROUTING -s 10.0.1.54 -j SNAT --to-source 217.20.182.*
    -A POSTROUTING -s 10.0.2.60 -j SNAT --to-source 217.20.182.*
    -A POSTROUTING -s 10.0.2.48 -j SNAT --to-source 217.20.182.*
    -A POSTROUTING -s 10.0.3.1 -j SNAT --to-source 217.20.182.*
    -A POSTROUTING -s 10.0.0.8 -d 80.91.161.93 -j SNAT --to-source 217.20.182.*
    COMMIT
    # Completed on Fri Nov 16 09:09:07 2007
    # Generated by iptables-save v1.3.8 on Fri Nov 16 09:09:07 2007
    *mangle
    :PREROUTING ACCEPT [503765:176310631]
    :INPUT ACCEPT [19897:3160529]
    :FORWARD ACCEPT [482524:172751281]
    :OUTPUT ACCEPT [19668:*9093]
    :POSTROUTING ACCEPT [502129:174727332]
    -A PREROUTING -j MARK --set-mark 0x32
    COMMIT
    # Completed on Fri Nov 16 09:09:07 2007
    # Generated by iptables-save v1.3.8 on Fri Nov 16 09:09:07 2007
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [19668:*9093]
    :PORT01_IN - [0:0]
    :PORT01_OUT - [0:0]
    :PORT02_IN - [0:0]
    :PORT02_OUT - [0:0]
    :PORT12_OUT - [0:0]
    :RH-Firewall-1-INPUT - [0:0]
    -A INPUT -s 192.168.135.0/255.255.255.0 -j ACCEPT
    -A INPUT -s 194.90.34.6 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -s 192.168.135.222 -j ACCEPT
    -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
    -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
    -A INPUT -s 10.0.3.1 -d 10.0.2.250 -j ACCEPT
    -A INPUT -m iprange --src-range 10.0.2.200-10.0.2.249 -j ACCEPT
    -A INPUT -s 195.140.178.653 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -s 193.47.137.641 -p icmp -j ACCEPT
    -A INPUT -s 217.20.191.600/255.255.255.192 -p icmp -j ACCEPT
    -A INPUT -s 193.125.78.617 -p icmp -j ACCEPT
    -A INPUT -s 217.10.38.609 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
    #-A INPUT -s 10.0.1.83 -j ACCEPT
    #-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -s 10.0.1.61 -j DROP
    -A INPUT -s 10.0.1.80 -j DROP
    -A INPUT -s 212.82.216.* -p icmp -j ACCEPT
    -A INPUT -s 193.201.116.2 -p icmp -j ACCEPT
    -A INPUT -s 195.149.112.1 -p tcp -m tcp --dport 53 -j ACCEPT
    -A INPUT -j RH-Firewall-1-INPUT
    -A INPUT -s 193.219.194.9 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -s 193.219.194.7 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -s 194.67.57.50 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -p tcp -m tcp --dport 25 -j PORT01_IN
    -A INPUT -p tcp -m tcp --dport 21 -j PORT02_IN
    -A INPUT -p tcp -m tcp --dport 80 -j PORT03_IN
    -A INPUT -p tcp -m tcp --dport 8088 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j PORT04_IN
    -A INPUT -p tcp -m tcp --dport 110 -j PORT06_IN
    -A INPUT -p tcp -m tcp --dport 139 -j PORT07_IN
    -A INPUT -p tcp -m tcp --dport 3306 -j PORT08_IN
    -A INPUT -p tcp -m tcp --dport 4559 -j PORT09_IN
    -A INPUT -p tcp -m tcp --dport 8080 -j PORT10_IN
    -A INPUT -p tcp -m tcp --dport 53 -j PORT11_IN
    -A INPUT -p tcp -m tcp --dport 5900 -j PORT12_IN
    -A FORWARD -s 192.168.135.0/255.255.255.0 -j ACCEPT
    -A FORWARD -s 192.168.135.222 -j ACCEPT
    -A FORWARD -p udp -m udp --dport 4500 -j ACCEPT
    -A FORWARD -p tcp -m tcp --dport 143 -j ACCEPT
    -A FORWARD -p udp -m udp --dport 4500 -j ACCEPT
    -A FORWARD -p tcp -m tcp --dport 3389 -j ACCEPT
    #-A FORWARD -p tcp -m tcp --dport 5280 -j ACCEPT
    -A FORWARD -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
    -A FORWARD -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
    -A FORWARD -i ppp+ -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1024
    -A FORWARD -s 10.0.1.61 -j DROP
    -A FORWARD -s 10.0.1.80 -j DROP
    -A FORWARD -i eth1 -o eth0 -p gre -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -j RH-Firewall-1-INPUT
    -A OUTPUT -p tcp -m tcp --sport 25 -j PORT01_OUT
    -A OUTPUT -p tcp -m tcp --sport 5900 -j PORT12_OUT
    -A RH-Firewall-1-INPUT -m iprange --src-range 10.0.2.200-10.0.2.249 -j ACCEPT
    -A RH-Firewall-1-INPUT -s 81.23.22.1 -p tcp -m tcp --dport 23 -m state --state NEW -j ACCEPT
    #-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 5223 -m state --state NEW -j ACCEPT
    #-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 5222 -m state --state NEW -j ACCEPT
    #-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 6222 -m state --state NEW -j ACCEPT
    #-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 6223 -m state --state NEW -j ACCEPT
    #-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 5269 -m state --state NEW -j ACCEPT
    -A RH-Firewall-1-INPUT -s 212.40.34.149 -j REJECT --reject-with icmp-port-unreachable
    -A RH-Firewall-1-INPUT -s 209.249.64.204 -j REJECT --reject-with icmp-port-unreachable
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    -A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
    -A RH-Firewall-1-INPUT -d 224.0.0.0/255.0.0.0 -i eth1 -j DROP
    -A RH-Firewall-1-INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
    -A RH-Firewall-1-INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ULOG --ulog-prefix "New not syn:"
    -A RH-Firewall-1-INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
    -A RH-Firewall-1-INPUT -p esp -j ACCEPT
    -A RH-Firewall-1-INPUT -p ah -j ACCEPT
    -A RH-Firewall-1-INPUT -p gre -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
     -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 4406 -m state --state NEW -j ACCEPT
    #-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
    -A RH-Firewall-1-INPUT -s 10.0.1.156 -i eth0 -j ACCEPT
    -A RH-Firewall-1-INPUT -s 10.0.1.40 -i eth0 -j ACCEPT
    -A RH-Firewall-1-INPUT -i eth1 -j ULOG --ulog-prefix "DROPPED"
    #-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    # Completed on Fri Nov 16 09:09:07 2007
>>>
stepany4
(21.10.08 17:45:00 MSD)
3 комментария
Настроил файервол. Спорим не....

Форум — Talks
Настроил файервол - супер..Дырок нет. Так что - если кто желает пробить - милости просим - 193.201.80.68

Перемещено JB из General
>>>
stepany4
(17.10.08 17:50:01 MSD)
70 комментариев (стр. 2)
Сообщения stepany4

перенос правил iptables на другой линух

Настроил файервол. Спорим не....
