Re: problem with the iptables rules of a LAN firewall
Dario, thanks to your tips it seems to work, but it "still limps";
let me explain: the routing table looks like this:
# ip route
145.10.168.0/24 dev eth0 proto kernel scope link src 145.10.168.1
145.10.168.0/24 dev eth1 proto kernel scope link src 145.10.168.100
192.168.106.0/24 dev eth2 proto kernel scope link src 192.168.106.1
default via 145.10.168.254 dev eth0
To make it work through the MASQ on port 80 as well (i.e. for the eth1
network) I have to set the routing like this:
# ip route del 145.10.168.0/24 dev eth0 proto kernel scope link src 145.10.168.1
# ip route add 145.10.168.254/32 dev eth0 src 145.10.168.1
With these, "ip route" returns:
145.10.168.254 dev eth0 scope link src 145.10.168.1
145.10.168.0/24 dev eth1 proto kernel scope link src 145.10.168.100
192.168.106.0/24 dev eth2 proto kernel scope link src 192.168.106.1
default via 145.10.168.254 dev eth0
The problem is that I do browse the internet as intended (from eth1), but
I can no longer reach (not even from the firewall itself: no ping, no ssh,
no http) the hosts at the same "level";
in fact both the firewall and 2 other servers (145.10.168.2 and
145.10.168.3) are connected to the same gateway 145.10.168.254, and after
these two commands I can no longer reach them.
# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
145.10.168.0    0.0.0.0         255.255.255.0   U     0   0      0    eth0
145.10.168.0    0.0.0.0         255.255.255.0   U     0   0      0    eth1
192.168.106.0   0.0.0.0         255.255.255.0   U     0   0      0    eth2
0.0.0.0         145.10.168.254  0.0.0.0         UG    0   0      0    eth0
------------------------ iptables script ----------------------------------
#!/bin/bash
# Delete all existing rules (filter, nat and mangle tables) and user chains.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# DEFAULT policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# eth1 open ports (to the firewall itself and forwarded through it)
iptables -A INPUT -i eth1 -p tcp -m multiport --dports 22,80,8080,443,25,110,115,995 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp -m multiport --dports 22,80,8080,443,25,110,115,995 -j ACCEPT
iptables -A FORWARD -i eth1 -p udp --dport 53 -j ACCEPT
# eth2 open ports
iptables -A INPUT -i eth2 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth2 -p tcp --dport 8080 -j ACCEPT
# enable ping (echo replies, and rate-limited echo requests)
iptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
# Masquerade: rewrite the source address of everything leaving through eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source <ip address>
# to allow ip forwarding (without this the FORWARD rules never see traffic)
echo 1 > /proc/sys/net/ipv4/ip_forward
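As an added illustration (not part of this message or of Dario's reply), the longest-prefix lookup the kernel performs on the two routing tables quoted above, showing which interface a packet to the neighbouring servers leaves on before and after the route change; the tie-break rule for the duplicated /24 and the sample external host 8.8.8.8 are assumptions.

```python
import ipaddress

# The two routing tables quoted in the message above, reduced to
# (destination prefix, outgoing interface). Constructed by hand from
# the posted `ip route` output, not read from a live system.
BEFORE = [
    ("145.10.168.0/24", "eth0"),
    ("145.10.168.0/24", "eth1"),
    ("192.168.106.0/24", "eth2"),
    ("0.0.0.0/0", "eth0"),          # default via 145.10.168.254
]
AFTER = [
    ("145.10.168.254/32", "eth0"),  # only the gateway itself stays on eth0
    ("145.10.168.0/24", "eth1"),
    ("192.168.106.0/24", "eth2"),
    ("0.0.0.0/0", "eth0"),
]


def lookup(table, dst):
    """Return the interface a packet to `dst` leaves on.

    Longest-prefix match, as the kernel does. For two routes with the
    same prefix length (the duplicated /24 in BEFORE) the one listed
    first wins; that is an assumption matching the posted listing,
    where the eth0 route precedes the eth1 one."""
    best_net, best_dev = None, None
    addr = ipaddress.ip_address(dst)
    for prefix, dev in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_dev = net, dev
    return best_dev


def compare(hosts):
    """Map each host to (interface before, interface after the route change)."""
    return {h: (lookup(BEFORE, h), lookup(AFTER, h)) for h in hosts}


if __name__ == "__main__":
    # 8.8.8.8 is a constructed sample of an arbitrary internet host.
    hosts = ["145.10.168.2", "145.10.168.3", "145.10.168.254", "8.8.8.8"]
    for host, (before, after) in compare(hosts).items():
        print(f"{host:16} before: {before:5} after: {after}")
```

After the change only 145.10.168.254 still matches a route on eth0; 145.10.168.2 and 145.10.168.3 fall into the remaining /24 on eth1, which is why they stop answering while internet traffic via the default route keeps working.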