Re: ip_conntrack

To: debian-user-spanish@lists.debian.org
Subject: Re: ip_conntrack
From: "Javier (aka future)" <future@macronukes.com>
Date: Sun, 23 Jan 2005 04:10:32 +0100
Message-id: <[🔎] 200501230410.32398.future@macronukes.com>
In-reply-to: <[🔎] 20050123022042.780cf47c@taniquetil>
References: <[🔎] 20050122162746.165106f8@taniquetil> <[🔎] 200501230002.22718.future@macronukes.com> <[🔎] 20050123022042.780cf47c@taniquetil>

El Domingo, 23 de Enero de 2005 02:20, Manwe Sulimo escribió:
> Cierto día Sun, 23 Jan 2005 00:02:22 +0100
>
> alguien expulsó estas perlas:
> > ¿Tienes algun firewall con iptables corriendo? Me parece que estas dando
> > salida por forwarding a la tarjeta de red equivocada (ya te digo que
> > siempre que controles por un script de iptables).
> > --
>
> si que tengo iptables corriendo. No pienso que pueda ser eso, pero adjunto
> el script
>
> eth0=publica
> eth1=lan
>
>
> #! /bin/bash
> echo "Iniciando iptables..."
> echo ""
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> #VACIAR LAS COLAS
> iptables -t filter -F
> iptables -t nat -F
> iptables -t mangle -F
> echo "Reglas limpiadas"
>
> #POLITICA POR DEFECTO
> iptables -t filter -P INPUT DROP
> iptables -t filter -P FORWARD DROP
> iptables -t filter -P OUTPUT ACCEPT
> echo "Politica establecida"
>
> #HABILITAMOS NAT
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> echo "NAT habilitado"
>
>
> #ACEPTA SALIENTES Y ESTABLECIDAS
> iptables -t filter -A FORWARD -i eth1 -o eth0 -j ACCEPT     #dejamos salir
> todo iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED  -j
> ACCEPT #dejamos todas las establecidas iptables -t filter -A INPUT -m state
> --state ESTABLISHED,RELATED  -j ACCEPT #dejamos entrar respuestas echo
> "Conexiones establecidas permitidas"
>
> #ACEPTAMOS CONEXIONES DESDE LA LAN A CUALQUIER SITIO
> iptables -t filter -A INPUT -i eth1 -j ACCEPT
>
> #ACEPTAMOS CONEXIONES A LA LAN
> iptables -t filter -A OUTPUT -o eth1 -j ACCEPT
> echo "Conexiones LAN habilitadas"
>
> #ABRIR COSAS
> iptables -t filter -A INPUT -i lo -j ACCEPT    #permitimos localhost
> iptables -t filter -A INPUT -i eth0 -p ICMP -j ACCEPT    #aceptamos ICMP
> iptables -t filter -A INPUT -i eth0 -p udp -s 0.0.0.0 --sport bootpc -d
> 255.255.255.255 --dport bootps -j ACCEPT #dhcp echo "Puertos especificos
> abiertos"
>
> #REDIRECCIONAMOS PUERTOS
>
> #P2P
>
> #edonkey (mldonkey)
> iptables -I FORWARD -p tcp -m tcp --dport 4662 -j ACCEPT
> iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp --dport 4662 -j DNAT
> --to-destination 192.168.1.197 iptables -I FORWARD -p udp -m udp --dport
> 4666 -j ACCEPT
> iptables -t nat -I PREROUTING -i eth0 -p udp -m udp --dport 4666 -j DNAT
> --to-destination 192.168.1.197
>
> #edonkey (amule)
> iptables -I FORWARD -p tcp -m tcp --dport 14662 -j ACCEPT
> iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp --dport 14662 -j DNAT
> --to-destination 192.168.1.197 iptables -I FORWARD -p udp -m udp --dport
> 4672 -j ACCEPT
> iptables -t nat -I PREROUTING -i eth0 -p udp -m udp --dport 4672 -j DNAT
> --to-destination 192.168.1.197 iptables -I FORWARD -p udp -m udp --dport
> 4665 -j ACCEPT
> iptables -t nat -I PREROUTING -i eth0 -p udp -m udp --dport 4665 -j DNAT
> --to-destination 192.168.1.197 iptables -I FORWARD -p udp -m udp --dport
> 14665 -j ACCEPT
> iptables -t nat -I PREROUTING -i eth0 -p udp -m udp --dport 14665 -j DNAT
> --to-destination 192.168.1.197
>
>
> #Overnet
> iptables -I FORWARD -p tcp -m tcp --dport 5865 -j ACCEPT
> iptables -I FORWARD -p udp -m udp --dport 5865 -j ACCEPT
> iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp --dport 5865 -j DNAT
> --to-destination 192.168.1.197 iptables -t nat -I PREROUTING -i eth0 -p udp
> -m udp --dport 5865 -j DNAT --to-destination 192.168.1.197
>
> #Bittorrent
> iptables -I FORWARD -p tcp -m tcp --dport 6882 -j ACCEPT
> iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp --dport 6882 -j DNAT
> --to-destination 192.168.1.197
>
> #####
>
> #Servicios:
>
> #ssh
> iptables -I FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
> iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT
> --to-destination 192.168.1.197
>
> #http
> iptables -I FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
> iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT
> --to-destination 192.168.1.197 iptables -I FORWARD -p udp -m udp --dport 80
> -j ACCEPT
> iptables -t nat -I PREROUTING -i eth0 -p udp -m udp --dport 80 -j DNAT
> --to-destination 192.168.1.197
>
> #https
> iptables -I FORWARD -p tcp -m tcp --dport 8080 -j ACCEPT
> iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT
> --to-destination 192.168.1.197 iptables -I FORWARD -p udp -m udp --dport
> 8080 -j ACCEPT
> iptables -t nat -I PREROUTING -i eth0 -p udp -m udp --dport 8080 -j DNAT
> --to-destination 192.168.1.197
>
> #Mysql
> iptables -I FORWARD -p tcp -m tcp --dport 3306 -j ACCEPT
> iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp --dport 3306 -j DNAT
> --to-destination 192.168.1.197 iptables -I FORWARD -p udp -m udp --dport
> 3306 -j ACCEPT
> iptables -t nat -I PREROUTING -i eth0 -p udp -m udp --dport 3306 -j DNAT
> --to-destination 192.168.1.197
>
> #Streaming
> iptables -I FORWARD -p tcp -m tcp --dport 1220 -j ACCEPT
> iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp --dport 1220 -j DNAT
> --to-destination 192.168.1.197 iptables -I FORWARD -p tcp -m tcp --dport
> 554 -j ACCEPT
> iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp --dport 554 -j DNAT
> --to-destination 192.168.1.197 iptables -I FORWARD -p udp -m udp --dport
> 554 -j ACCEPT
> iptables -t nat -I PREROUTING -i eth0 -p udp -m udp --dport 554 -j DNAT
> --to-destination 192.168.1.197 iptables -I FORWARD -p tcp -m tcp --dport
> 7070 -j ACCEPT
> iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp --dport 7070 -j DNAT
> --to-destination 192.168.1.197 iptables -I FORWARD -p udp -m udp --dport
> 6970:6999 -j ACCEPT
> iptables -t nat -I PREROUTING -i eth0 -p udp -m udp --dport 6970:6999 -j
> DNAT --to-destination 192.168.1.197
>
> iptables -I FORWARD -p udp -m udp --dport 8090 -j ACCEPT
> iptables -t nat -I PREROUTING -i eth0 -p udp -m udp --dport 8090 -j DNAT
> --to-destination 192.168.1.197
>
> iptables -I FORWARD -p tcp -m tcp --dport 8090 -j ACCEPT
> iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp --dport 8090 -j DNAT
> --to-destination 192.168.1.197


Ok, intenta añadir en tus PREROUTING la IP de la tarjeta de red como destino y 
a la regla FORWARD el interface de red, tal que algo así:

$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p tcp -d $INET_IP --dport 10130 
-j DNAT --to-destination $IP_EMULE:10130

$IPTABLES -A FORWARD -p tcp -i $INET_IFACE -d $IP_EMULE --dport 10130 -j 
ACCEPT

... donde : 
$INET_IFACE=Tu tarjeta de red publica
$INET_IP=La IP publica
$IP_EMULE=Las distintas IP's para los servicios que tienes, IP_EMULE, IP_HTTP, 
etc.
dport=los puertos a los que va dirigidos los servicios.

Espero que te ayude y te sirva. Pruébalo y nos cuentas.
-- 


Saludos,
Javier (aka future)

Linux user #295135
Linux no es dificil,
es exigente con sus usuarios.

Reply to:

Follow-Ups:
- Re: ip_conntrack
  - From: Manwe Sulimo <manwe@euskalnet.net>

References:
- ip_conntrack
  - From: Manwe Sulimo <manwe@euskalnet.net>
- Re: ip_conntrack
  - From: "Javier (aka future)" <future@macronukes.com>
- Re: ip_conntrack
  - From: Manwe Sulimo <manwe@euskalnet.net>

Prev by Date: Re: CONSEGUIR LA BARRA DE PROGRESO EN BOOTSPLASH
Next by Date: Re: ip_conntrack
Previous by thread: Re: ip_conntrack
Next by thread: Re: ip_conntrack
Index(es):
- Date
- Thread