Building a router with Linux

You may remember the article "Building a router with Linux" that I published a long time ago. Since it is now completely obsolete and I have discovered new possibilities, here I am again with a page that will be updated as things evolve. As a reminder, building a router with Linux on an old computer is an effective way to secure your private network while keeping a high level of performance at a low cost. A very old computer is more than enough for this task (for example a Pentium III 600 MHz with 256 MB of RAM and a 2 GB hard disk).

1. What you need

1.1. Hardware

The computer itself does not really matter: it only has to be able to run a minimal Linux distribution. From an ecological point of view, a Mini-ITX machine or something like a Raspberry Pi with a second USB network adapter is perfect: powerful enough, small, and drawing only a few watts. The only constraint is room for at least a second network card, possibly more depending on the number of subnets you want, or a WiFi card if you also want to build a WiFi access point. For private use two network interfaces are largely sufficient, and a third one if you want an isolated WiFi network (your WiFi network can share the same zone as your wired network without trouble, but that is sometimes less secure, especially if you share your WiFi publicly). The other indispensable hardware is an Ethernet switch and, for WiFi in the same zone, an access point. In any case choose quality hardware, since a router is not supposed to be switched off.

1.2. Software

A Linux router needs very little, since all the routing, filtering and redirection functions are in the Linux kernel. You should look for a distribution that is stable and as light as possible. For me Debian remains the best choice: pleasant performance on small configurations (less than 256 MB of RAM), recognised stability and ease of use. There are lighter distributions whose stability does not worry me much, but they are unfortunately far less documented and often rather marginal. Do not consider Ubuntu, Mandriva, OpenSuse or any other big distribution: they are not designed with stability and security as the priority, and (especially the professional editions) they install far too many things that are useless on a router. Keep in mind that your router is not even supposed to be rebooted frequently and that it will be the only machine visible from the outside (that is, the internet), so only two things matter here: stability and security. That is why I consider Debian the best choice, and the rest of this tutorial assumes a Debian system (valid for Lenny, Squeeze and Wheezy).

The Distrowatch website can help you compare hundreds of distributions and make your choice. Here is a list of interesting distributions which, by reputation, meet the stability and security requirements and are built to run on old hardware, from a Pentium MMX with 64 or 128 MB of RAM:

  • Debian GNU/Linux, which runs on many different architectures such as MIPS, SPARC, Alpha, etc.
  • Arch Linux, a little lighter than Debian, highly configurable but less simple to use
  • Slackware, a very good distribution for advanced users (no dependency handling in the package manager)
  • SLAX, based on Slackware, with excellent hardware detection, useful if you own exotic hardware
  • Crux, a compromise between Debian and Arch, whose biggest weak point is support

You may have an even older computer, down to an i386 with 4 MB of RAM. In that case you will need something even smaller. Note that such distributions may ship older versions of the required packages, so the commands and instructions given in the rest of this page, as well as some configuration files, may need changes to work. Another potential problem is that these distributions may not include a DHCP server or iptables at all, which means you will have to compile an old version yourself (preferably the same version as the DHCP client they ship). Here is a list of such distributions, but I do not know them well enough to give more details:

There are also distributions specialised in routing. Their advantages are simplicity, usually a UPnP server, and a web interface to configure your router, including remotely, the same way as the commercial routers sold on some sites. Their main drawback is the loss of total freedom of creation, limited only by your imagination and technical skills. They may also be less flexible, and they are a source of security problems (notably attacks against the web management interfaces). So if your needs are modest and not very open to the outside (and you do not feel like having fun) you have every reason to turn to the following distributions:

Now we can get to the heart of the matter. To build a router you will need to install the following software and services:

  • A DHCP server, which will provide a correct network configuration to the machines of your local network;
  • IPTables version 1.0.0 or later, which gives us the configuration tool for both the firewall and the network address translation system, the heart of the routing system;
  • A text editor such as Vim, Nano or Emacs;
  • A DHCP client, which may be required to configure your network connection on the ISP side, especially if you know that your ISP provides dynamic addresses;
  • A text-mode web browser such as w3m or links, useful to test the connection;
  • Server software may be installed on your router to expose services to the internet;
  • If you want UPnP (which I do not recommend for security reasons), an IGD daemon such as linux-igd or miniupnpd (check availability for your release). Note that the Debian package upnp-router-control is a GTK desktop client for managing a UPnP router, not a server, so it has no place on the router itself.

With Debian you should install Lenny or Squeeze or any version newer than Etch (otherwise the commands and parameters given here may not work). In any case, do not use Sid or any unstable version of the chosen system. On a Debian system you install all of these minimal requirements with command lines like these:

su
# type your root password unless you are already logged in as root
apt-get install isc-dhcp-server isc-dhcp-client iptables nano w3m
# on Lenny the DHCP packages are named dhcp3-server and dhcp3-client
apt-get install <additional server packages, if any>

You can use the apt-cache search <your search> command if you do not know the exact name of the additional server package you want.

As stability and security are the most important things in such a configuration, you should not install the X server, any graphical application, or any unneeded software or servers. The best is to do a fresh Debian minimal installation (or the equivalent with the chosen distribution) and to type the commands given above once logged in.

Note that, unlike in my previous tutorial, I no longer recommend iptables-persistent: this tutorial builds a script that replaces it, which is more flexible and can be loaded at boot time from an init script (in case of a server reboot).

2. Configuring your connection

Now, let's suppose the following configuration for your future router:

  • eth0 (first network card: external network) will be connected to your modem (or some set-top box)
  • eth1 (second network card: private network) will be connected to an Ethernet hub or switch
  • eth2 (third network card) will be connected to a WiFi access point for a public WiFi network

Of course the public WiFi access is optional and is given here as an example of such a use. For private WiFi access the best way is to connect the access point to the switch of the private network. You can also have several separate private networks as well as several public WiFi networks: just reproduce the lines given for each of them with the right parameters.

The base address used will be something like 192.168.x.y, but you can use something else. Nevertheless, this base remains a good choice, as you are sure it will not conflict with external addresses you may need to reach. For example, if you chose a base like 209.85.229.x for one of your private networks, you might not be able to reach the Google website, or part of it, which uses that range (209.85.229.147 was one of the addresses of www.google.com), because the route to your private network would take priority. The private ranges you can use are 192.168.x.y, 172.16.x.y to 172.31.x.y, or (mainly if you have bigger needs) 10.x.y.z.

Note that, for simplicity, this tutorial treats 192.168.0.y and 192.168.1.y as two different subnets. This is enough most of the time, as it is rare to need to connect more than 250 computers; people who do use more specialised systems providing far more complex routing (and thus server systems), which is a bit beyond this tutorial. Nevertheless, it is possible by allocating addresses on one subnet where both x and y are significant (e.g. a range from 192.168.0.1 to 192.168.3.254 for a first subnet and 192.168.128.1 to 192.168.129.254 for a second one). To do this, compute the network masks precisely (192.168.0.0/22 and 192.168.128.0/23 in this example). If you do not know what a network mask is, forget about trying that ;)…

Now, I will consider the following for the remainder of this tutorial:

  • The internet zone will have an address given via DHCP. This address is given either by your ISP or by a router (like the one integrated in some advanced modems or set-top boxes). If that address is something like 192.168.0.254, your private network cannot use the same subnet (in that case 192.168.0.y).
  • The private zone will have addresses dynamically allocated by the router you are about to build, from a pool of 192.168.0.10 to 192.168.0.250. The remaining addresses (192.168.0.1 to 192.168.0.9 and 192.168.0.251 to 192.168.0.254) are reserved for statically assigned addresses that other servers may need. The router itself will have the static address 192.168.0.254.
  • In the same way, the public WiFi zone is the 192.168.1.0/25 subnet (128 addresses, 192.168.1.0 to 192.168.1.127), with dynamic addresses taken from a few small pools in order to limit the number of guests. The router will have the static address 192.168.1.126, the last usable address of that subnet (192.168.1.127 is its broadcast address and cannot be assigned to a host).
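The arithmetic behind this plan, as an added example that is not part of the original tutorial: a small Python script that derives the router address, broadcast address and DHCP pool of each zone from its prefix, checks that no zone overlaps another zone or the subnet the modem hands to eth0, and prints matching /etc/network/interfaces and dhcpd.conf stanzas. It goes slightly beyond the text by handling any prefix length, not only /24. The zone prefixes follow the text; the upstream subnet 192.168.100.0/24 and the pool sizes are assumptions made for the example.

```python
"""Address plan for the router's zones: derive the values that
/etc/network/interfaces and /etc/dhcp/dhcpd.conf must agree on and
check them against each other and against the upstream subnet.

Added example, not part of the tutorial. Zone prefixes follow the text
(192.168.0.0/24 private, 192.168.1.0/25 WiFi); the upstream subnet and
the pool sizes are assumptions made for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    iface: str
    network: ipaddress.IPv4Network
    router: ipaddress.IPv4Address
    pool_first: ipaddress.IPv4Address
    pool_last: ipaddress.IPv4Address

    @property
    def broadcast(self) -> ipaddress.IPv4Address:
        return self.network.broadcast_address


def plan_zone(name: str, iface: str, cidr: str, pool_size: int) -> Zone:
    """Router = last usable host (the ".254" habit on a /24, ".126" on a
    /25); DHCP pool = the first pool_size usable hosts. Raises if the pool
    would reach the router's address."""
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())  # usable hosts: network and broadcast excluded
    if pool_size < 1 or pool_size >= len(hosts):
        raise ValueError(f"{name}: a pool of {pool_size} does not fit in {cidr}")
    return Zone(name, iface, net, hosts[-1], hosts[0], hosts[pool_size - 1])


def classify(addr: str, cidr: str) -> str:
    """Why a candidate router address is or is not usable on a subnet."""
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(cidr, strict=False)
    if ip not in net:
        return "outside"
    if ip == net.network_address:
        return "network"
    if ip == net.broadcast_address:
        return "broadcast"
    return "host"


def check_plan(zones: list, upstream: str) -> list:
    """Problems as readable strings: a zone overlapping the subnet the
    modem hands to eth0 (the local route would win and hide part of the
    outside), or two zones overlapping each other."""
    up = ipaddress.ip_network(upstream, strict=False)
    problems = []
    for i, zone in enumerate(zones):
        if zone.network.overlaps(up):
            problems.append(f"{zone.name} {zone.network} overlaps upstream {up}")
        for other in zones[i + 1:]:
            if zone.network.overlaps(other.network):
                problems.append(f"{zone.name} {zone.network} overlaps "
                                f"{other.name} {other.network}")
    return problems


def interfaces_stanza(zone: Zone) -> str:
    """ifupdown stanza for the zone; deliberately no "gateway" line, the
    router's default route is the one received by DHCP on eth0."""
    return (f"iface {zone.iface} inet static\n"
            f"    address {zone.router}\n"
            f"    netmask {zone.network.netmask}\n"
            f"    network {zone.network.network_address}\n"
            f"    broadcast {zone.broadcast}\n")


def dhcpd_stanza(zone: Zone) -> str:
    """ISC dhcpd subnet block with the same router and broadcast addresses."""
    return (f"subnet {zone.network.network_address} netmask {zone.network.netmask} {{\n"
            f"    range {zone.pool_first} {zone.pool_last};\n"
            f"    option routers {zone.router};\n"
            f"    option broadcast-address {zone.broadcast};\n"
            f"}}\n")


if __name__ == "__main__":
    private = plan_zone("private", "eth1", "192.168.0.0/24", 250)
    wifi = plan_zone("wifi", "eth2", "192.168.1.0/25", 10)
    upstream = "192.168.100.0/24"  # assumed subnet of the modem's LAN side
    for problem in check_plan([private, wifi], upstream):
        print("PROBLEM:", problem)
    for zone in (private, wifi):
        print(interfaces_stanza(zone))
        print(dhcpd_stanza(zone))
    # 192.168.1.127 is the broadcast of 192.168.1.0/25 and cannot be the router
    print("192.168.1.127 on 192.168.1.0/25 is:", classify("192.168.1.127", "192.168.1.0/25"))
```

Run it once with the modem's real subnet as upstream: an empty problem list means the plan is routable, and the two printed stanzas per zone can be pasted into the respective files so that the interface address, the dhcpd "option routers" and the broadcast address cannot drift apart.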

2.1. The /etc/network/interfaces file

This file configures your network connections and is used by the boot scripts to set them up. Be careful: this configuration file is specific to Debian-based systems and a few other distributions using Debian's scripts. You can find detailed information about this file in interfaces(5). According to the previous definitions it will look like this:

# Begin of /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# Interfaces brought up at boot (space separated, no commas)
auto lo eth0 eth1 eth2

# The loopback network interface
iface lo inet loopback

# Primary network interface: internet zone (address, mask and default
# route come from the modem's DHCP server)
iface eth0 inet dhcp

# Second network interface: private zone. No "gateway" line: the router
# is itself the gateway of this zone, and its own default route is the
# one received on eth0.
iface eth1 inet static
      address 192.168.0.254
      netmask 255.255.255.0
      network 192.168.0.0
      broadcast 192.168.0.255

# Third network interface: public WiFi zone, a /25 (128 addresses).
# 192.168.1.127 is the broadcast address of this subnet and cannot be
# the router's address; the last usable host is 192.168.1.126.
iface eth2 inet static
      address 192.168.1.126
      netmask 255.255.255.128
      network 192.168.1.0
      broadcast 192.168.1.127

# End of /etc/network/interfaces

Now let's explain that: we define four different interfaces. First the loopback interface. This is a special, reserved zone with the default address 127.0.0.1, where the computer talks to itself through a virtual network card. Every POSIX system has such a feature, allowing, for example, local testing. It is highly recommended to keep it as is, as some programs need it to work properly.

Then we have three real network interfaces. The first one is different because it is configured with DHCP (Dynamic Host Configuration Protocol), commonly used when a computer boots to give it an IP address. In our case we need the modem to give the first interface a valid IP address, particularly if your ISP gives you a dynamic address that may change from time to time. That will be our external address. The "auto" line lists the interfaces brought up at boot; for eth0 the DHCP client then keeps running and renews the lease, so the interface is reconfigured automatically when the external address changes (most ISPs change it from time to time) or after a service interruption.

The last two interfaces are configured manually. Traditionally the router address ends in 254 (here 192.168.0.254 on the private zone; on the /25 WiFi zone the last usable address is 192.168.1.126). This is not an obligation, more of a tradition. Note that these stanzas have no gateway line: the router is the gateway for these zones, and its own default route is the one received on eth0. A gateway line pointing at the interface's own address does nothing useful and conflicts with the default route obtained on eth0 (ifup reports an error when it tries to add a second default route). Traffic between zones is only what IPTables allows to pass, so each zone remains clearly separated from the others, with IPTables making the link.

If you want more details about that file and much more advanced tweaks, read the associated manual page by typing "man 5 interfaces" in a terminal.

2.2. Configuring DHCP server

The DHCP server's job is to give IP addresses automatically to the computers plugged into our network, as it is difficult to ask everybody to configure their network connection by hand. So we need that server to give correct parameters for the following:

  • IP address: our address on the network;
  • Mask: the mask tells a computer which addresses are on its own subnet and can be reached directly; everything outside the mask has to go through the gateway;
  • Gateway: typically the router itself, that is, the computer making the link between our private zone and an external zone;
  • DNS (Domain Name System): when you want to go to Google you type www.google.com and not an IP address; the DNS server(s) translate that name into an IP address;
  • Optionally the DHCP server can give more information, such as a PXE boot file name, a time server, and so on…

The file to edit to configure all of that is /etc/dhcp/dhcpd.conf. On Debian the existing file contains many commented samples with explanations, which can be a good help. Note that Debian versions prior to Squeeze use /etc/dhcp3/dhcpd.conf instead. Here is what the file looks like:

# Begin /etc/dhcp/dhcpd.conf

# ddns-update-style controls whether dhcpd pushes dynamic DNS updates for
# its leases to a DNS server. It has nothing to do with the DNS servers
# handed to clients. Use "none" unless you run your own DNS zone and have
# configured update keys for it; the old "ad-hoc" style is deprecated.
ddns-update-style none;

# This server is the only DHCP server on these subnets: answer clients
# that ask to renew a lease from another network with a DHCPNAK instead
# of staying silent.
authoritative;

# Configure the clients' DNS settings: replace 212.27.40.24x with your
# ISP's DNS servers and optionally add your own DNS server (192.168.0.254
# here, the router's private-zone address, if the router also runs a
# resolver reachable from that zone).
option domain-name "jeff.levasseur.org";
option domain-name-servers 212.27.40.241, 212.27.40.240, 192.168.0.254;

# Lease times (in seconds): a default of one day and a maximum of one
# week. Leases of several years only make sense if the pool is never
# expected to fill up.
default-lease-time 86400;
max-lease-time 604800;

# eth1 subnet configuration: this hands out addresses from 192.168.0.10
# to 192.168.0.250; the range is the only thing you may need to change.
# Note that you can have several ranges, and ranges with a single address.
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.10 192.168.0.250;
    option routers 192.168.0.254;
    option broadcast-address 192.168.0.255;
}

# eth2 subnet configuration: an example with multiple ranges and a
# different mask (a /25: 192.168.1.0 to 192.168.1.127, broadcast
# 192.168.1.127, router on the last usable address 192.168.1.126)
subnet 192.168.1.0 netmask 255.255.255.128 {
    range 192.168.1.1 192.168.1.10;
    range 192.168.1.30 192.168.1.40;
    range 192.168.1.50;
    option routers 192.168.1.126;
    option broadcast-address 192.168.1.127;
}
# End /etc/dhcp/dhcpd.conf

Before starting it, tell the server which interfaces it must listen on, so that it never answers on the internet side: set INTERFACES="eth1 eth2" in /etc/default/isc-dhcp-server (/etc/default/dhcp3-server on Lenny). You can check the syntax of the configuration with dhcpd -t. Then, to apply the changes, restart the DHCP server with:

/etc/init.d/isc-dhcp-server restart
# on Lenny: /etc/init.d/dhcp3-server restart

You should test the DHCP server by reconfiguring the network on one of the client machines and pinging the router. For example with Linux (eth0 being the client's own interface here):

dhclient eth0
ifconfig
ping 192.168.0.254

If dhclient gives you a correct IP address (shown by ifconfig) and ping reports no packet loss, your DHCP server is properly configured. With Windows, use the "Control Panel" to configure the network settings of the client. If you use a WiFi hotspot you have to configure it before doing this test.

Note that at this point your local network should be fully functional, but you will have no access to any external network or to the internet, as no routing functionality is activated yet. That is the subject of the next section.

2.3. Configuring IPTables

IPTables is the command line tool that manages Netfilter, the packet filtering framework built into the Linux kernel. Netfilter is much more than a firewall: it does connection tracking, NAT (Network Address Translation), port and address redirection, and so on. Here we will need nearly all of those features to make a strong firewall and router. To activate our rules at boot time we will create a script that is called from the init scripts of our distribution (for example from /etc/rc.local, or from an /etc/network/if-up.d/ hook so that it runs again when eth0 comes up). The script looks like this:

#!/bin/sh

#  IPTABLES firewall and NAT script for Linux 2.6 kernels (Debian Lenny,
#  Squeeze and Wheezy).
#  This script is a derivative of the script presented in
#  the IP Masquerade HOWTO page at (obsolete):
#  www.tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html
#  It was simplified to coincide with the configuration of
#  the sample system presented in the Guides section of
#  www.aboutdebian.com
#
#    PLEASE SET THE USER VARIABLES
#    IN SECTIONS A AND B OR C
#
#  Only the private zone (eth1) is handled here; the public WiFi zone
#  (eth2) gets no FORWARD rule and therefore stays isolated.

echo "SETTING UP IPTABLES FIREWALL AND NAT..."

# === SECTION A
# -----------   FOR EVERYONE

# SET THE INTERFACE DESIGNATION FOR THE NIC CONNECTED TO YOUR INTERNAL NETWORK
#   With the /etc/network/interfaces file above this is "eth1".
#   You can use the ifconfig command to list the interfaces on
#   your system; the internal interface is the one carrying an
#   address in one of the private IP address ranges.
#       Note that this is an interface DESIGNATION - not
#       the IP address of the interface.
INTIF="eth1"

# SET THE INTERFACE DESIGNATION FOR YOUR "EXTERNAL" (INTERNET) CONNECTION
#   "ppp0" for a dial-up or PPPoE modem connection; otherwise the NIC
#   connected to your cable or DSL modem, "eth0" in this tutorial.
#       Note that this is an interface DESIGNATION - not
#       the IP address of the interface.
EXTIF="eth0"

# Enter the NETWORK address the Internal Interface is on
INTNET="192.168.0.0/24"

# Enter the IP address of the Internal Interface (a host address without
# a mask: with a /24 suffix the OUTPUT rule below would match the whole
# subnet as source)
INTIP="192.168.0.254"

# ! ! ! ! !  Use ONLY Section B  *OR*  Section C depending on
#  ! ! ! !   the type of Internet connection you have.

# === SECTION B
# -----------   FOR THOSE WITH STATIC PUBLIC IP ADDRESSES

# SET YOUR EXTERNAL IP ADDRESS
#   If the external NIC (EXTIF) is configured with a static, public
#   IP address (assigned by your ISP), UNCOMMENT the following EXTIP
#   line, enter that address, and COMMENT OUT the EXTIP line of
#   Section C.
#EXTIP="82.x.y.z"

# === SECTION C
# ----------   DIAL-UP MODEM, AND RESIDENTIAL CABLE-MODEM/DSL (Dynamic IP) USERS
# SET YOUR EXTERNAL INTERFACE FOR DYNAMIC IP ADDRESSING
#   If you get your IP address dynamically from SLIP, PPP, BOOTP or
#   DHCP (the "iface eth0 inet dhcp" case of this tutorial), keep the
#   command below: it reads the current address of $EXTIF.
#   The rules below are bound to that address, so re-run this script
#   whenever the lease changes (for example from a script in
#   /etc/dhcp/dhclient-exit-hooks.d/, /etc/dhcp3/dhclient-exit-hooks.d/
#   on Lenny).
EXTIP="`/sbin/ifconfig $EXTIF | grep 'inet ' | awk '{print $2}' | sed -e 's/.*://'`"

if [ -z "$EXTIP" ]; then
   echo "Could not determine the IP address of $EXTIF, aborting" >&2
   exit 1
fi

# Define our universe (all the internet)
UNIVERSE="0.0.0.0/0"

# --------  No more variable setting beyond this point  --------

echo "    Loading required stateful/NAT kernel modules..."

# Updating module's dependencies
/sbin/depmod -a

# Force loading of the connection tracking and NAT modules. The ip_*
# names of the 2.4 kernels became nf_* on 2.6 kernels.
/sbin/modprobe ip_tables
/sbin/modprobe nf_conntrack
/sbin/modprobe nf_conntrack_ipv4
/sbin/modprobe iptable_nat
# Connection tracking helpers: each one opens RELATED "holes" in the
# firewall for the protocol it parses, so load only the ones you need.
# The FTP helper is needed for active FTP through the NAT; the IRC
# helper (DCC) is rarely needed and is left disabled.
/sbin/modprobe nf_conntrack_ftp
/sbin/modprobe nf_nat_ftp
#/sbin/modprobe nf_conntrack_irc
#/sbin/modprobe nf_nat_irc

echo "        Enabling IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Kernel-side anti-spoofing: drop packets arriving on an interface that
# would not be used to reach their source address.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
   echo "1" > "$f"
done

echo "        External interface: $EXTIF"
echo "        External interface IP address is: $EXTIP"

echo "        Loading firewall rules..."

echo "            Clearing existing rules..."
# Set fail-closed default policies first, then flush: if the script
# aborts halfway, nothing is accepted rather than everything.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F

# Flush the user chain... if it exists (iptables -L fails on an
# unknown chain, which is a more reliable test than grepping a listing)
if iptables -n -L drop-and-log-it >/dev/null 2>&1; then
   iptables -F drop-and-log-it
fi

# Delete all User-specified chains
iptables -X

# Reset all IPTABLES counters
iptables -Z

# Creating a DROP chain: log (rate limited, so that a flood cannot fill
# the disk) and then drop silently. REJECT would tell a scanner that a
# firewall is answering.
iptables -N drop-and-log-it
iptables -A drop-and-log-it -m limit --limit 5/minute --limit-burst 10 -j LOG --log-level info --log-prefix "IPT-DROP: "
iptables -A drop-and-log-it -j DROP

echo "          Loading INPUT rulesets"

#######################################################################
# INPUT: Incoming traffic from various interfaces.  All rulesets are
#        already flushed and set to a default policy of DROP.
#

# loopback interface is valid.
iptables -A INPUT -i lo -j ACCEPT

# local interface, local machines, going anywhere is valid
iptables -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT

# DHCP requests from clients that do not have an address yet come from
# 0.0.0.0, which the rule above does not match
iptables -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT

# remote interface, claiming to be local machines, IP spoofing, get lost
iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it

# Allow any related traffic coming back to the MASQ server in.
# (The original HOWTO script had an unconditional ACCEPT of everything
# sent to $EXTIP just before this rule, which made every service running
# on the router reachable from the internet; it is intentionally absent.)
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT

#  OPTIONAL:  Uncomment the following two commands if you plan on running
#             an Apache Web site on the firewall server itself
#
#echo "            Allowing EXTERNAL access to the WWW server"
#iptables -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT

echo "              Allowing EXTERNAL access to the SSH server"
# Only worth exposing with key-based authentication and password logins
# disabled in sshd_config; restrict -s to your own address range if you can.
iptables -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE -d $EXTIP --dport 22 -j ACCEPT

# Catch all rule, all other incoming is denied and logged.
iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

echo "        Loading OUTPUT rulesets"

#######################################################################
# OUTPUT: Outgoing traffic from various interfaces.  All rulesets are
#         already flushed and set to a default policy of DROP.
#

# loopback interface is valid.
iptables -A OUTPUT -o lo -j ACCEPT

# local interface, any of our addresses going to local net is valid
iptables -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
iptables -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT

# DHCP answers to clients that do not have an address yet are broadcast
iptables -A OUTPUT -o $INTIF -p udp --sport 67 --dport 68 -j ACCEPT

# outgoing to local net on remote interface, stuffed routing, deny
iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it

# anything else outgoing on remote interface is valid
iptables -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT

# Catch all rule, all other outgoing is denied and logged.
iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

echo "         Loading FORWARD rulesets"

#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
#          Allow all connections OUT and only existing/related IN

iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -s $INTNET -j ACCEPT

# Everything else crossing the router is denied and logged (the chain
# policy is DROP already; this rule only adds the log line).
iptables -A FORWARD -j drop-and-log-it

# Enabling NAT (MASQUERADE) functionality on $EXTIF for the private zone
iptables -t nat -A POSTROUTING -o $EXTIF -s $INTNET -j MASQUERADE

echo  "    Firewall and NAT rule loading complete"
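What the drop-and-log-it chain produces, as an added example that is not part of the original tutorial: a Python parser for the kernel log lines written by the LOG target (syslog puts them in /var/log/kern.log on Debian). It counts dropped packets per source address and per probed TCP port, and lists packets that arrived on the external interface with an RFC 1918 source address, which is what the anti-spoofing rule catches. It assumes the LOG rule was given --log-prefix "IPT-DROP: " and that the external interface is eth0 (both are parameters); the sample lines are constructed for the example and use documentation addresses, 192.0.2.10 standing for the router's public address.

```python
"""Summarise the kernel log lines written by the firewall's drop-and-log-it
chain (syslog puts them in /var/log/kern.log on Debian).

Added example, not part of the tutorial. Assumes the LOG rule carries
--log-prefix "IPT-DROP: "; SAMPLE_LOG is constructed for the example and
uses documentation addresses (192.0.2.10 stands for the router's public
address).
"""
import ipaddress
from collections import Counter

PREFIX = "IPT-DROP: "

# RFC 1918 ranges: a packet from one of these arriving on the external
# interface is what the anti-spoofing rule of the script catches.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_LOG = """\
Mar  3 08:12:01 router kernel: [  712.330412] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 08:12:02 router kernel: [  713.101007] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 08:12:05 router kernel: [  716.420118] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=99 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 08:12:09 router kernel: [  720.002551] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.33 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  3 08:12:11 router kernel: [  722.540930] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=1236 PROTO=UDP SPT=5353 DPT=5353 LEN=28
Mar  3 08:12:30 router sshd[2001]: Accepted publickey for admin from 198.51.100.20 port 50122 ssh2
"""


def parse_log_line(line: str):
    """Fields of one drop-and-log-it line as a dict, or None for any other
    syslog line. KEY=VALUE tokens keep their value (possibly empty, as in
    OUT=); bare flags such as DF and SYN become True."""
    start = line.find(PREFIX)
    if start < 0:
        return None
    fields = {}
    for token in line[start + len(PREFIX):].split():
        key, sep, value = token.partition("=")
        fields[key] = value if sep else True
    return fields


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def summarize(log_text: str, extif: str = "eth0") -> dict:
    """Aggregate the dropped packets: count per source address, TCP
    destination ports probed, and sources that reached the external
    interface with a private address (spoofed or misrouted traffic)."""
    by_src, tcp_ports, spoofed, total = Counter(), Counter(), [], 0
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields is None:
            continue
        total += 1
        by_src[fields["SRC"]] += 1
        if fields.get("PROTO") == "TCP" and "DPT" in fields:
            tcp_ports[int(fields["DPT"])] += 1
        if fields.get("IN") == extif and is_rfc1918(fields["SRC"]):
            spoofed.append(fields["SRC"])
    return {"total": total, "by_src": by_src, "tcp_ports": tcp_ports, "spoofed": spoofed}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} packets dropped")
    for src, n in s["by_src"].most_common():
        print(f"  {src:<16} {n}")
    print("TCP ports probed:", dict(s["tcp_ports"]))
    print("private sources seen on eth0:", s["spoofed"])
```

Feed it the real file (for example by replacing SAMPLE_LOG with the contents of /var/log/kern.log) to see which ports are being probed and whether anything on the modem side is sending private addresses at the router; the explicit RFC 1918 list is used on purpose, because Python's ip_address.is_private also covers the documentation ranges used in the sample.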

To be continued…


8 thoughts on "Building a router with Linux"

  1. I’m so sad that this tutorial is not finished, it’s hard to find another like this 🙁

  2. In fact it nearly is… The next step is to treat some particular cases (e.g. a router behind a proxy, or a WiFi access point, or again PXE server adaptations). Actually the given instructions are good enough to build a good and simple router.

  3. Hi there, thanks a lot for this excellent tut, I have some questions please: 'iptables -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 22 -j ACCEPT', if I remove this I still can make a new connection to port 22 from outside.. is this ok?

  4. Hmm, as far as I know, it should not. But in any case internal network protection is the only goal of that script… The external interface may still be unprotected. In my case the router is allowing me special services and a complex redirection system. The router itself is protected by a set-top box which acts as a router as well. I'll try to find a better external interface protection and give it to you when I get it. Note that the default protection given by Netfilter depends on the kernel compilation configuration, and so on the distribution you use.

  5. I'm on a Debian 6 box with the 2.6.32 standard kernel; also this
    if [ "`iptables -L | grep drop-and-log-it`" ]; then
    iptables -F drop-and-log-it
    fi
    does not find anything and the only solution is dropping all of them with 'iptables -F'.
    Also, when you have some time, could you please post some port forward rules?
