
Re: problem with iptables firewall rules for a LAN



Hi Dario, and thanks for the reply; to recap, with your suggestions the
script now looks like this, but unfortunately it doesn't seem to work;
below I also include the output of an iptables -L -v.
For now I can only connect to the internet from eth2 by using the proxy;
it also works if I set it up from eth1, but if I disable it, it doesn't
work.

...........script............
#!/bin/bash

# delete all existing rules.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# DEFAULT policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# eth1 open ports
iptables -A INPUT -i eth1 -p tcp -m multiport --dports 22,80,8080,443,25,110,115,995 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp -m multiport --dports 22,80,8080,443,25,110,115,995 -j ACCEPT

# eth2 open ports
iptables -A INPUT -i eth2 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth2 -p tcp --dport 8080 -j ACCEPT

# enable ping
iptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# to allow ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

.................. iptables -L -v ...............
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth1   any     anywhere             anywhere            multiport dports ssh,www,http-alt,https,smtp,pop3,sftp,pop3s
    0     0 ACCEPT     tcp  --  eth2   any     anywhere             anywhere            tcp dpt:ssh
    0     0 ACCEPT     tcp  --  eth2   any     anywhere             anywhere            tcp dpt:http-alt
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp echo-reply
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp echo-request limit: avg 1/sec burst 5

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   eth1    anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth1   eth0    anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth1   any     anywhere             anywhere            multiport dports ssh,www,http-alt,https,smtp,pop3,sftp,pop3s

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
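As an added illustration (not the script from the thread), here is a dry-run version of the FORWARD section for the layout the script implies: eth0 on the internet side, eth1 and eth2 as LAN segments (both are assumptions). It forwards new LAN connections towards eth0 only and includes DNS, which the posted FORWARD chain never lets through; without it a LAN host can only browse via a proxy that resolves names on the gateway itself, which matches the symptom described above. IPT defaulting to "echo iptables" is also an assumption, so the rules can be reviewed without root.

```bash
#!/bin/bash
# Added example, not the script from the thread.
# Assumed layout: eth0 = internet side, eth1 and eth2 = LAN segments.
# IPT defaults to "echo iptables" (dry run) so the rules can be inspected
# without root; run with IPT=iptables to actually apply them.
IPT="${IPT:-echo iptables}"
WAN=eth0
LANS="eth1 eth2"
TCP_OUT=22,80,8080,443,25,110,115,995

forward_rules() {
    $IPT -P FORWARD DROP
    # Replies for connections the LANs opened, whichever side they enter on.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for lan in $LANS; do
        # New TCP connections from each LAN, towards the internet side only,
        # so the gateway does not silently route between the two LANs.
        $IPT -A FORWARD -i "$lan" -o "$WAN" -p tcp -m multiport \
             --dports "$TCP_OUT" -m state --state NEW -j ACCEPT
        # Name resolution: without port 53 a LAN host can only browse
        # through a proxy that resolves names on the gateway itself.
        $IPT -A FORWARD -i "$lan" -o "$WAN" -p udp --dport 53 -j ACCEPT
        $IPT -A FORWARD -i "$lan" -o "$WAN" -p tcp --dport 53 -j ACCEPT
    done
    # Hide the LANs behind the internet-side address.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Number of rules that let a given LAN interface open connections to the
# WAN; a quick check that no LAN segment was forgotten.
lan_forward_count() {
    forward_rules | grep -c -- "-A FORWARD -i $1 -o $WAN"
}

forward_rules
```

Compare the dry-run output with the posted `iptables -L -v` listing: eth2 has no FORWARD rule at all there, and neither LAN gets port 53.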

