IPTables » Historique » Version 23
« Précédent -
Version 23/31
(diff) -
Suivant » -
Version actuelle
Laurent GUERBY, 25/08/2014 19:27
IPTables¶
iptables links¶
- http://www.bortzmeyer.org/dns-netfilter-u32.html
- http://www.stearns.org/doc/iptables-u32.current.html
- http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png
- http://ebtables.sourceforge.net/
- http://www.inetdoc.net/guides/iptables-tutorial/traversingoftables.html
- http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
- https://en.wikipedia.org/wiki/List_of_router_or_firewall_distributions
DHCP ?
sysctl -w net.bridge.bridge-nf-call-iptables=1
sysctl -w net.bridge.bridge-nf-call-ip6tables=1
iptables -A INPUT -p udp --sport 68 --dport 67 -j DROP
https://bugzilla.redhat.com/show_bug.cgi?id=512206
- libnml
iptables hairpin¶
Hair pin / hairpin / hairpinning / NAT reflection
http://serverfault.com/questions/205040/accessing-the-dnatted-webserver-from-inside-the-lan
Avec PUB_IP = ip publique sur le host, et LXC_IP l'ip privee de la VM
iptables -t nat -A PREROUTING -d ${PUB_IP}/32 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination ${LXC_IP} iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eth0 -j MASQUERADE iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -d ${LXC_IP}/32 -p tcp -m multiport --dports 80,443 -j MASQUERADE iptables -t nat -A OUTPUT -d ${PUB_IP} -p tcp -m multiport --dports 80,443 -j DNAT --to-destination ${LXC_IP}
ebtables¶
ebtables -A FORWARD -d ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff -p IPv4 --ip-prot udp --ip-dport 67:68 -j DROP
ebtables -A INPUT --in-interface br0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A INPUT --in-interface br0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --in-interface br0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --in-interface br0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP