Добрый день!
Подскажите, что надо прописать, чтобы открыть порт 139? Два дня бьюсь.. Порт открывается, только если фаерволл совсем остановить :(
В Линуксе чайник - а кроме меня совсем некому..фаерволл:
IPT=/usr/sbin/iptables
IPTR=/usr/sbin/iptables-restore
IPTS=/usr/sbin/iptables-save
INT_LAN=eth2
EXT_LAN=eth1
IP_INT_LAN=192.168.0.254
IP_EXT_LAN=222.222.222.222
BROADCAST_INT_LAN=192.168.0.255
BROADCAST_EXT_LAN=222.222.222.255
start()
{
echo -n "Starting firewall... "
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPTR -c /etc/iptables
echo "Done"
}
stop()
{
echo -n "Stop firewall... "
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t mangle -F
$IPT -t filter -P INPUT ACCEPT
$IPT -t filter -P OUTPUT ACCEPT
$IPT -t filter -P FORWARD ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
echo "Done"
}
save()
{
echo -n "Save firewall rules... "
$IPTS -c > /etc/iptables
echo "Done"
}
init()
{
echo -n "Init firewall... "
reset
#==================================================
$IPT -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 222.222.222.222
$IPT -A FORWARD -i eth2 -m state --state NEW -j ACCEPT
#==================================================
#
# SAVE rules in file ====== /etc/iptables
$IPTS -c > /etc/iptables
echo "Done"
}
reset()
{
$IPT -F
$IPT -X
$IPT -Z
$IPT -t nat -F
$IPT -t mangle -F
$IPT -t filter -P INPUT DROP
$IPT -t filter -P OUTPUT ACCEPT
$IPT -t filter -P FORWARD DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
#==================================================
# STATE RULES
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LOCALHOST ===========
$IPT -A FORWARD ! -i lo -s 127.0.0.1 -j DROP
$IPT -A INPUT ! -i lo -s 127.0.0.1 -j DROP
$IPT -A FORWARD ! -i lo -d 127.0.0.1 -j DROP
$IPT -A INPUT ! -i lo -d 127.0.0.1 -j DROP
$IPT -A INPUT -i $INT_LAN -s $IP_INT_LAN -j DROP
$IPT -A INPUT -i $EXT_LAN -s $IP_EXT_LAN -j DROP
$IPT -A FORWARD -i $INT_LAN -s $IP_INT_LAN -j DROP
$IPT -A FORWARD -i $EXT_LAN -s $IP_EXT_LAN -j DROP
$IPT -A INPUT -d 127.0.0.1 -j ACCEPT
$IPT -A INPUT -s 127.0.0.1 -j ACCEPT
$IPT -A INPUT -i $INT_LAN -d $BROADCAST_INT_LAN -j DROP
$IPT -A INPUT -i $EXT_LAN -d $BROADCAST_EXT_LAN -j DROP
# SYN-FLOOD Х ==========
$IPT -N syn-flood
$IPT -A INPUT -p tcp --syn -j syn-flood
$IPT -A FORWARD -p tcp --syn -j syn-flood
$IPT -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPT -A syn-flood -j LOG --log-prefix "SYN-FLOOD PACKETS: "
$IPT -A syn-flood -j DROP
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "NOT SYN PACKETS: "
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "NOT SYN PACKETS: "
$IPT -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
# ICMP ENABLED
$IPT -A INPUT -p icmp -j ACCEPT
# SSH enable
$IPT -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --update --seconds 20 -j DROP
$IPT -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --set -j ACCEPT
}
case "$1" in
'start')
start
;;
'stop')
stop
;;
'save')
save
;;
'init')
init
;;
'reset')
reset
;;
*)
echo "Usage /etc/rc.d/rc.firewall start|stop|save|init|reset"
exit 88
esac