[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ip_conntrack

Cierto día Sun, 23 Jan 2005 00:02:22 +0100
alguien expulsó estas perlas:


> 
> ¿Tienes algun firewall con iptables corriendo? Me parece que estas dando 
> salida por forwarding a la tarjeta de red equivocada (ya te digo que siempre 
> que controles por un script de iptables). 
> -- 

si que tengo iptables corriendo. No pienso que pueda ser eso, pero adjunto el script

eth0=publica
eth1=lan


#! /bin/bash
echo "Iniciando iptables..."
echo ""
echo "1" > /proc/sys/net/ipv4/ip_forward

#VACIAR LAS COLAS
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
echo "Reglas limpiadas"

#POLITICA POR DEFECTO
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT ACCEPT
echo "Politica establecida"

#HABILITAMOS NAT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo "NAT habilitado"


#ACEPTA SALIENTES Y ESTABLECIDAS
iptables -t filter -A FORWARD -i eth1 -o eth0 -j ACCEPT     #dejamos salir todo
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED  -j ACCEPT #dejamos todas las establecidas
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED  -j ACCEPT #dejamos entrar respuestas
echo "Conexiones establecidas permitidas"

#ACEPTAMOS CONEXIONES DESDE LA LAN A CUALQUIER SITIO
iptables -t filter -A INPUT -i eth1 -j ACCEPT

#ACEPTAMOS CONEXIONES A LA LAN
iptables -t filter -A OUTPUT -o eth1 -j ACCEPT
echo "Conexiones LAN habilitadas"

#ABRIR COSAS
iptables -t filter -A INPUT -i lo -j ACCEPT    #permitimos localhost
iptables -t filter -A INPUT -i eth0 -p ICMP -j ACCEPT    #aceptamos ICMP
iptables -t filter -A INPUT -i eth0 -p udp -s 0.0.0.0 --sport bootpc -d 255.255.255.255 --dport bootps -j ACCEPT #dhcp
echo "Puertos especificos abiertos"

#REDIRECCIONAMOS PUERTOS

#P2P

#edonkey (mldonkey)
iptables -I FORWARD -p tcp -m tcp --dport 4662 -j ACCEPT
iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp --dport 4662 -j DNAT --to-destination 192.168.1.197
iptables -I FORWARD -p udp -m udp --dport 4666 -j ACCEPT
iptables -t nat -I PREROUTING -i eth0 -p udp -m udp --dport 4666 -j DNAT --to-destination 192.168.1.197

#edonkey (amule)
iptables -I FORWARD -p tcp -m tcp --dport 14662 -j ACCEPT
iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp --dport 14662 -j DNAT --to-destination 192.168.1.197
iptables -I FORWARD -p udp -m udp --dport 4672 -j ACCEPT
iptables -t nat -I PREROUTING -i eth0 -p udp -m udp --dport 4672 -j DNAT --to-destination 192.168.1.197
iptables -I FORWARD -p udp -m udp --dport 4665 -j ACCEPT
iptables -t nat -I PREROUTING -i eth0 -p udp -m udp --dport 4665 -j DNAT --to-destination 192.168.1.197
iptables -I FORWARD -p udp -m udp --dport 14665 -j ACCEPT
iptables -t nat -I PREROUTING -i eth0 -p udp -m udp --dport 14665 -j DNAT --to-destination 192.168.1.197


#Overnet
iptables -I FORWARD -p tcp -m tcp --dport 5865 -j ACCEPT
iptables -I FORWARD -p udp -m udp --dport 5865 -j ACCEPT
iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp --dport 5865 -j DNAT --to-destination 192.168.1.197
iptables -t nat -I PREROUTING -i eth0 -p udp -m udp --dport 5865 -j DNAT --to-destination 192.168.1.197

#Bittorrent
iptables -I FORWARD -p tcp -m tcp --dport 6882 -j ACCEPT
iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp --dport 6882 -j DNAT --to-destination 192.168.1.197

#####

#Servicios:

#ssh
iptables -I FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.197

#http
iptables -I FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.197
iptables -I FORWARD -p udp -m udp --dport 80 -j ACCEPT
iptables -t nat -I PREROUTING -i eth0 -p udp -m udp --dport 80 -j DNAT --to-destination 192.168.1.197

#https
iptables -I FORWARD -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.197
iptables -I FORWARD -p udp -m udp --dport 8080 -j ACCEPT
iptables -t nat -I PREROUTING -i eth0 -p udp -m udp --dport 8080 -j DNAT --to-destination 192.168.1.197

#Mysql
iptables -I FORWARD -p tcp -m tcp --dport 3306 -j ACCEPT
iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp --dport 3306 -j DNAT --to-destination 192.168.1.197
iptables -I FORWARD -p udp -m udp --dport 3306 -j ACCEPT
iptables -t nat -I PREROUTING -i eth0 -p udp -m udp --dport 3306 -j DNAT --to-destination 192.168.1.197

#Streaming
iptables -I FORWARD -p tcp -m tcp --dport 1220 -j ACCEPT
iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp --dport 1220 -j DNAT --to-destination 192.168.1.197
iptables -I FORWARD -p tcp -m tcp --dport 554 -j ACCEPT
iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp --dport 554 -j DNAT --to-destination 192.168.1.197
iptables -I FORWARD -p udp -m udp --dport 554 -j ACCEPT
iptables -t nat -I PREROUTING -i eth0 -p udp -m udp --dport 554 -j DNAT --to-destination 192.168.1.197
iptables -I FORWARD -p tcp -m tcp --dport 7070 -j ACCEPT
iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp --dport 7070 -j DNAT --to-destination 192.168.1.197
iptables -I FORWARD -p udp -m udp --dport 6970:6999 -j ACCEPT
iptables -t nat -I PREROUTING -i eth0 -p udp -m udp --dport 6970:6999 -j DNAT --to-destination 192.168.1.197

iptables -I FORWARD -p udp -m udp --dport 8090 -j ACCEPT
iptables -t nat -I PREROUTING -i eth0 -p udp -m udp --dport 8090 -j DNAT --to-destination 192.168.1.197

iptables -I FORWARD -p tcp -m tcp --dport 8090 -j ACCEPT
iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp --dport 8090 -j DNAT --to-destination 192.168.1.197
Reply to: