
Re: problem with iptables firewall rules for a LAN



Dario, thanks to your tips it seems to work, but it still "limps";
let me explain: the routing table looks like this:
 # ip route
 145.10.168.0/24 dev eth0  proto kernel  scope link  src 145.10.168.1
 145.10.168.0/24 dev eth1  proto kernel  scope link  src 145.10.168.100
 192.168.106.0/24 dev eth2  proto kernel  scope link  src 192.168.106.1
 default via 145.10.168.254 dev eth0

To make it work through the MASQ on port 80 as well (i.e. for the
eth1 network) I have to set the routing this way:
 # ip route del 145.10.168.0/24 dev eth0 proto kernel scope link src 145.10.168.1
 # ip route add 145.10.168.254/32 dev eth0 src 145.10.168.1

With these, "ip route" returns:
 145.10.168.254 dev eth0  scope link  src 145.10.168.1
 145.10.168.0/24 dev eth1  proto kernel  scope link  src 145.10.168.100
 192.168.106.0/24 dev eth2  proto kernel  scope link  src 192.168.106.1
 default via 145.10.168.254 dev eth0

The problem is that I do browse the internet as intended (from eth1), but I
can no longer reach (not even from the firewall itself: no ping, no ssh,
no http) the hosts at the same "level";
in fact both the firewall and 2 other servers (145.10.168.2 and
145.10.168.3) are connected to the same gateway 145.10.168.254, and after
these two commands I can no longer reach them.

 # netstat -rn
 Kernel IP routing table
 Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
 145.10.168.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
 145.10.168.0    0.0.0.0         255.255.255.0   U         0 0          0 eth1
 192.168.106.0   0.0.0.0         255.255.255.0   U         0 0          0 eth2
 0.0.0.0         145.10.168.254  0.0.0.0         UG        0 0          0 eth0

------------------------ iptables script ----------------------------------

#!/bin/bash

# delete all existing rules.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# DEFAULT policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# eth1 open ports (INPUT = traffic to the firewall itself,
# FORWARD = traffic from eth1 routed through it; no -o restriction)
iptables -A INPUT -i eth1 -p tcp -m multiport --dports 22,80,8080,443,25,110,115,995 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp -m multiport --dports 22,80,8080,443,25,110,115,995 -j ACCEPT
iptables -A FORWARD -i eth1 -p udp --dport 53 -j ACCEPT

# eth2 open ports
iptables -A INPUT -i eth2 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth2 -p tcp --dport 8080 -j ACCEPT

# enable ping (echo replies unlimited, echo requests rate-limited)
iptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT

# Masquerade everything leaving through eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source <ip address>

# to allow ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
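
The symptom described in this message (internet works, but 145.10.168.2 and 145.10.168.3 are unreachable once the eth0 /24 route is replaced by a /32 to the gateway) can be reproduced with a longest-prefix-match lookup over the two "ip route" tables quoted above. The script below is an added example, not part of the mailing-list post or of any tool mentioned in it; it transcribes the two tables from the mail, and additionally constructs a third table (an assumption, not something the author tried) with host routes for the two peer servers, to show which entry wins for each destination. The tie-break rule (first listed route wins among equal prefix lengths) is an approximation of the kernel's behaviour for equal-metric routes, and 203.0.113.10 is a constructed internet address from the RFC 5737 documentation range.

```python
"""Longest-prefix-match route lookup over the tables quoted in the mail."""
import ipaddress

# Route entries: (prefix, outgoing device, next hop or None, preferred source or None).
# Transcribed from the first "ip route" listing in the mail.
ROUTES_BEFORE = [
    ("145.10.168.0/24", "eth0", None, "145.10.168.1"),
    ("145.10.168.0/24", "eth1", None, "145.10.168.100"),
    ("192.168.106.0/24", "eth2", None, "192.168.106.1"),
    ("0.0.0.0/0", "eth0", "145.10.168.254", None),
]

# Transcribed from the second listing, after the "ip route del" / "ip route add".
ROUTES_AFTER = [
    ("145.10.168.254/32", "eth0", None, "145.10.168.1"),
    ("145.10.168.0/24", "eth1", None, "145.10.168.100"),
    ("192.168.106.0/24", "eth2", None, "192.168.106.1"),
    ("0.0.0.0/0", "eth0", "145.10.168.254", None),
]

# Constructed variant (assumption, not from the mail): the second table plus
# /32 host routes for the two peer servers, so they resolve to eth0 again.
ROUTES_AFTER_WITH_PEER_HOST_ROUTES = ROUTES_AFTER + [
    ("145.10.168.2/32", "eth0", None, "145.10.168.1"),
    ("145.10.168.3/32", "eth0", None, "145.10.168.1"),
]


def lookup(routes, dst):
    """Return the route chosen for dst by longest prefix match.

    Among routes with the same prefix length the first one listed wins,
    which approximates how the kernel treats equal-metric duplicates.
    """
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, via, src in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip not in net:
            continue
        if best is None or net.prefixlen > best["prefixlen"]:
            best = {"prefix": prefix, "prefixlen": net.prefixlen,
                    "dev": dev, "via": via, "src": src}
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best


def compare(dst):
    """Device chosen for dst before and after the route change."""
    return lookup(ROUTES_BEFORE, dst)["dev"], lookup(ROUTES_AFTER, dst)["dev"]


if __name__ == "__main__":
    for dst in ("145.10.168.254", "145.10.168.2", "145.10.168.3", "203.0.113.10"):
        before, after = compare(dst)
        chosen = lookup(ROUTES_AFTER, dst)
        print(f"{dst:16} before: {before:5} after: {after:5} "
              f"(matched {chosen['prefix']}, via {chosen['via'] or 'link'})")
```

Running it shows that after the change the peer servers match the remaining 145.10.168.0/24 entry on eth1 (the masqueraded inner side) rather than eth0, while the gateway still matches its /32 on eth0 and everything else takes the default route; with the constructed host routes added, the two peers select eth0 again. The deeper issue the lookup makes visible is the same /24 configured on two interfaces, which leaves any host in that range not covered by a more specific route at the mercy of table order.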

