Re: problem with iptables firewall rules for a LAN
Hi Dario, and thanks for the reply. Following your advice, the script now
looks like this, but unfortunately it doesn't seem to work; below I also
include the output of iptables -L -v.
For now I can only connect to the internet from eth2 by using the proxy;
if I set the proxy on eth1 it also works, but if I disable it, nothing
goes through.
...........script............
#!/bin/bash
# delete all existing rules.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# DEFAULT policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# eth1 open ports
iptables -A INPUT -i eth1 -p tcp -m multiport --dports 22,80,8080,443,25,110,115,995 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp -m multiport --dports 22,80,8080,443,25,110,115,995 -j ACCEPT
# eth2 open ports
iptables -A INPUT -i eth2 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth2 -p tcp --dport 8080 -j ACCEPT
# enable ping
iptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
# Masquerade.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# to allow ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
.................. iptables -L -v ...............
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth1   any     anywhere             anywhere             multiport dports ssh,www,http-alt,https,smtp,pop3,sftp,pop3s
    0     0 ACCEPT     tcp  --  eth2   any     anywhere             anywhere             tcp dpt:ssh
    0     0 ACCEPT     tcp  --  eth2   any     anywhere             anywhere             tcp dpt:http-alt
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-reply
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request limit: avg 1/sec burst 5

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   eth1    anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth1   eth0    anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth1   any     anywhere             anywhere             multiport dports ssh,www,http-alt,https,smtp,pop3,sftp,pop3s

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
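Editor's note, added as an example and not part of the thread: in the ruleset above, the FORWARD chain only accepts new TCP sessions from eth1 on the listed ports and has no rule at all for eth2, so LAN clients cannot send DNS queries (UDP/TCP port 53) through the gateway; a proxy running on the firewall itself still works because it resolves names from the firewall, whose OUTPUT policy is ACCEPT. The script below generates a forwarding ruleset that keeps the same port list but also permits name resolution, for both LAN interfaces. It is new code written for this page; the interface names, the LANS list (drop eth2 from it if that segment is meant to be proxy-only) and the IPT variable are assumptions, and with the default IPT=echo it only prints the commands instead of applying them, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the thread): build a FORWARD/NAT ruleset for a
# gateway with one WAN interface and one or more LAN interfaces, including
# the DNS forwarding the original script lacks.  IPT=echo (the default)
# is a dry run; set IPT=iptables to apply the rules for real.
IPT="${IPT:-echo}"
WAN=eth0                 # assumed: interface towards the internet
LANS="eth1 eth2"         # assumed: internal segments that may be forwarded
TCP_PORTS="22,80,8080,443,25,110,115,995"   # same list as the original script

# Emit the FORWARD rules for one LAN interface.
forward_rules() {
    lan=$1
    # replies and related packets in both directions
    $IPT -A FORWARD -i "$WAN" -o "$lan" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$lan" -o "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # new outbound TCP sessions, restricted to the permitted ports and to
    # the WAN as output interface (the original rule had no -o, so it also
    # allowed LAN-to-LAN forwarding on those ports)
    $IPT -A FORWARD -i "$lan" -o "$WAN" -p tcp -m multiport --dports "$TCP_PORTS" -m state --state NEW -j ACCEPT
    # name resolution: without these, clients can only browse through a
    # proxy that resolves names from the firewall itself
    $IPT -A FORWARD -i "$lan" -o "$WAN" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$lan" -o "$WAN" -p tcp --dport 53 -j ACCEPT
}

# Emit the complete forwarding ruleset plus the masquerading rule.
build_ruleset() {
    for lan in $LANS; do
        forward_rules "$lan"
    done
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Self-check helper: how many generated rules forward UDP/53 from a LAN.
# Useful as a quick audit of a dry-run output before applying it.
dns_rules_for() {
    build_ruleset | grep -c -- "-i $1 -o $WAN -p udp --dport 53"
}

build_ruleset
```

Run it as-is to review the generated commands; `IPT=iptables sh gateway-forward.sh` (file name assumed) applies them after the existing flush and policy lines. The INPUT rules, ICMP handling and ip_forward setting from the original script are unchanged and are not repeated here.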