
Re: IPTABLES problems



Alfonso:
If I understand correctly, a simple solution is to create static routes on the
firewalls.

e.g.:
On firewall 1 and 2: you put a rule so that everything coming from network 1 or
2 with destination network 3 is forwarded out eth3. And on firewall 3 you put a
rule so that everything coming in on eth2 with destination network 3 is
forwarded out eth0.
The same but in reverse, to allow network 3 to communicate with networks 1
and 2.

Note: bear in mind that this mode of operation requires that the networks
(1, 2 and 3) all have different subnets.

Sorry I didn't get to look at your configuration file, I don't have much
time.
Regards, velkro.
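As an added example, not code from velkro's reply or from the ipmasq scripts quoted below, here is the static-route plus FORWARD-rule setup the reply describes, filled in with the interface names and addresses from the quoted configuration (eth3 = 3.3.3.2 on the firewall for networks 1 and 2, eth2 = 3.3.3.1 on the firewall for network 3). Treating network 3 as 2.2.2.0/24 and networks 1 and 2 as 4.4.1.0/24 and 4.4.2.0/24 is an assumption derived from the firewalls' interface addresses, and the script name fwroute.sh and the plan_fw12/plan_fw3 function names are mine. The functions print the commands rather than running them, so the change can be reviewed before it is applied as root.

```sh
#!/bin/sh
# Added example (not velkro's or Alfonso's code): the "static routes plus
# FORWARD rules" approach from the reply, written out for the addresses in
# the quoted ipmasq output.  Interface names and the link addresses
# (3.3.3.1 / 3.3.3.2) come from that output; RED3 = 2.2.2.0/24 and
# RED1/RED2 = 4.4.1.0/24, 4.4.2.0/24 are assumptions drawn from the
# firewalls' interface addresses.
#
#   FIREWALL 1/2: eth1 = RED1, eth2 = RED2, eth3 = 3.3.3.2 (link to firewall 3)
#   FIREWALL 3:   eth0 = RED3, eth2 = 3.3.3.1 (link to firewall 1/2)

RED1=4.4.1.0/24
RED2=4.4.2.0/24
RED3=2.2.2.0/24
LINK_FW12=3.3.3.2   # firewall 1/2 end of the link
LINK_FW3=3.3.3.1    # firewall 3 end of the link

# Both plan_* functions print the commands instead of running them, so the
# change can be reviewed first; "sh fwroute.sh fw12 | sh" applies it as root.
# Rules are inserted (-I) at the head of the chain: the ipmasq scripts end
# INPUT/OUTPUT/FORWARD with a LOG+DROP pair, so anything appended with -A
# would sit behind that catch-all and never match.

plan_fw12() {
    # RED3 is reached through firewall 3 on the eth3 link
    echo "ip route add $RED3 via $LINK_FW3 dev eth3"
    for pair in "$RED1:eth1" "$RED2:eth2"; do
        net=${pair%%:*}
        dev=${pair##*:}
        # RED1/RED2 -> RED3 leaves via eth3; the reverse direction comes in on eth3
        echo "iptables -I FORWARD -i $dev -o eth3 -s $net -d $RED3 -j ACCEPT"
        echo "iptables -I FORWARD -i eth3 -o $dev -s $RED3 -d $net -j ACCEPT"
    done
    # The posted INPUT chain only accepts eth3 traffic sourced from 3.3.3.0/24,
    # and OUTPUT only allows eth3 traffic destined for 3.3.3.0/24, so a ping
    # from RED3 to this firewall itself dies at the final catch-all in both
    # chains.  Let the echo request in and the established reply back out.
    echo "iptables -I INPUT -i eth3 -s $RED3 -p icmp --icmp-type echo-request -j ACCEPT"
    echo "iptables -I OUTPUT -o eth3 -d $RED3 -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

plan_fw3() {
    for net in $RED1 $RED2; do
        # RED1 and RED2 both sit behind firewall 1/2 on the eth2 link
        echo "ip route add $net via $LINK_FW12 dev eth2"
        # RED3 -> RED1/RED2 leaves via eth2; replies come back in on eth2
        echo "iptables -I FORWARD -i eth0 -o eth2 -s $RED3 -d $net -j ACCEPT"
        echo "iptables -I FORWARD -i eth2 -o eth0 -s $net -d $RED3 -j ACCEPT"
    done
}

# usage: sh fwroute.sh fw12   (on the firewall for networks 1 and 2)
#        sh fwroute.sh fw3    (on the firewall for network 3)
case "${1:-}" in
    fw12) plan_fw12 ;;
    fw3)  plan_fw3 ;;
esac
```

Two checks worth making before applying this. First, the quoted MASQUERADE rules only match the external interface (-o eth0 on firewall 1 and 2, -o eth1 on firewall 3), so traffic crossing the 3.3.3.0/24 link keeps its real source address and the reverse routes above work; if masquerading were ever added on the link interfaces, the return path would break. Second, forwarding and talking to the firewall itself are different chains: the quoted INPUT chains accept link traffic only when its source is 3.3.3.0/24, which is why a ping from network 3 to the firewall for networks 1 and 2 hits the final LOG/DROP even once the routes exist. plan_fw12 opens that for ICMP echo only; firewall 3 would need the mirror-image INPUT/OUTPUT rules on eth2 if hosts in networks 1 and 2 are expected to ping it.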

----- Original Message ----- 
From: "Alfonso Pinto" <elhodred@yahoo.es>
To: <debian-user-spanish@lists.debian.org>
Sent: Friday, February 04, 2005 10:27
Subject: IPTABLES problems


I have a problem with IPTABLES that I've got stuck on. I've googled, I've
looked at the netfilter.org documents and the linuxguruz.com ones, and I
can't get it fixed.

Here is more or less what is happening to me.

The networks of the company I work for look like this:


    @ @ @         __________________ eth1
  @       @  eth0| FIREWALL         |----RED1
@  INTERNET @----|GATEWAY RED 1 Y 2 |eth2
  @   1   @      |__________________|----RED2
    @ @ @             |eth3
                      |
                      |
                      |
                      |
                      |
    @ @ @         ____|eth2________
  @       @  eth1| FIREWALL       |eth0
@  INTERNET @----|GATEWAY RED 3   |------RED3
  @   2   @      |________________|
    @ @ @

NETWORKS 1 and 2 (RED1 and RED2 in the diagram) can see each other and reach
the internet through INTERNET 1.
NETWORK 3 (RED3) reaches the internet through INTERNET 2.

The problem I have is that I need to interconnect NETWORKS 1 and 2 with
NETWORK 3 so that all three can see each other. I can't find a way to do it.

The first thing is that I can't even ping the FIREWALL of NETWORKS 1 and 2
from NETWORK 3.

Can anyone give me a hint about where to go from here?

Here is the iptables configuration of the machines. Both FIREWALLs are
debian/sarge with a 2.6-series kernel.

These are the iptables scripts generated by ipmasq, which work; I'm not
including the modifications I made, because every modification I've made
has only served to break something.

Many thanks

FIREWALL/GATEWAY NETWORKS 1 AND 2

#: Interfaces found:
#:   eth0 1.1.2.1/255.255.255.0
#:   eth0 1.1.2.1/255.255.255.0
#:   eth1 4.4.1.2/255.255.255.0
#:   eth2 4.4.2.2/255.255.255.0
#:   eth3 3.3.3.2/255.255.255.0
#: Turn off forwarding for 2.1 kernels
#: Disable automatic IP defragmentation
echo "0" > /proc/sys/net/ipv4/ip_forward
#: Flush all and set default policy of deny.
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT
/sbin/iptables -t mangle -F PREROUTING
/sbin/iptables -t mangle -F OUTPUT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t nat -F PREROUTING
/sbin/iptables -t nat -F POSTROUTING
/sbin/iptables -t nat -F OUTPUT
#:
#: **********************************************************
#: ***                   CUSTOM CHAINS                    ***
#: **********************************************************
#:
#:
#: **********************************************************
#: ***                   FORWARD CHAIN                    ***
#: **********************************************************
#:
#: Forward packets among internal networks
/sbin/iptables -A FORWARD -j ACCEPT -s 4.4.2.2/255.255.255.0 -d 4.4.1.2/255.255.255.0
/sbin/iptables -A FORWARD -j ACCEPT -s 3.3.3.2/255.255.255.0 -d 4.4.1.2/255.255.255.0
/sbin/iptables -A FORWARD -j ACCEPT -s 4.4.1.2/255.255.255.0 -d 4.4.2.2/255.255.255.0
/sbin/iptables -A FORWARD -j ACCEPT -s 3.3.3.2/255.255.255.0 -d 4.4.2.2/255.255.255.0
/sbin/iptables -A FORWARD -j ACCEPT -s 4.4.1.2/255.255.255.0 -d 3.3.3.2/255.255.255.0
/sbin/iptables -A FORWARD -j ACCEPT -s 4.4.2.2/255.255.255.0 -d 3.3.3.2/255.255.255.0
#:
#: **********************************************************
#: ***                    INPUT CHAIN                     ***
#: **********************************************************
#:
#: Accept all packets coming in from the loopback interface
/sbin/iptables -A INPUT -j ACCEPT -i lo
#: Deny and log all packets trying to come in from a 127.0.0.0/8 address
#: over a non-'lo' interface
/sbin/iptables -A INPUT -j LOG -i ! lo -s 127.0.0.1/255.0.0.0
/sbin/iptables -A INPUT -j DROP -i ! lo -s 127.0.0.1/255.0.0.0
#: Accept dumb broadcast packets on internal interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 255.255.255.255/32
/sbin/iptables -A INPUT -j ACCEPT -i eth2 -d 255.255.255.255/32
/sbin/iptables -A INPUT -j ACCEPT -i eth3 -d 255.255.255.255/32
#: Accept packets from internal networks on internal interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -s 4.4.1.2/255.255.255.0
/sbin/iptables -A INPUT -j ACCEPT -i eth2 -s 4.4.2.2/255.255.255.0
/sbin/iptables -A INPUT -j ACCEPT -i eth3 -s 3.3.3.2/255.255.255.0
#: Accept multicast packets (addresses 224.0.0.0) from internal interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 224.0.0.0/4 -p ! 6
/sbin/iptables -A INPUT -j ACCEPT -i eth2 -d 224.0.0.0/4 -p ! 6
/sbin/iptables -A INPUT -j ACCEPT -i eth3 -d 224.0.0.0/4 -p ! 6
#: Disallow and log packets trying to come in over external interfaces
#: from hosts claiming to be internal
/sbin/iptables -A INPUT -j LOG -i eth0 -s 4.4.1.2/255.255.255.0
/sbin/iptables -A INPUT -j DROP -i eth0 -s 4.4.1.2/255.255.255.0
/sbin/iptables -A INPUT -j LOG -i eth0 -s 4.4.2.2/255.255.255.0
/sbin/iptables -A INPUT -j DROP -i eth0 -s 4.4.2.2/255.255.255.0
/sbin/iptables -A INPUT -j LOG -i eth0 -s 3.3.3.2/255.255.255.0
/sbin/iptables -A INPUT -j DROP -i eth0 -s 3.3.3.2/255.255.255.0
#: Accept dumb broadcast packets on external interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 255.255.255.255/32
#: Accept incoming packets from external networks on external interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 1.1.2.1/32
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 1.1.2.255/32
#:
#: **********************************************************
#: ***                  IP MASQUERADING                   ***
#: **********************************************************
#:
#: Masquerade packets from internal networks
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 4.4.1.2/255.255.255.0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth1 -o eth0 -s 4.4.1.2/255.255.255.0 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 4.4.2.2/255.255.255.0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth2 -o eth0 -s 4.4.2.2/255.255.255.0 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 3.3.3.2/255.255.255.0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth3 -o eth0 -s 3.3.3.2/255.255.255.0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
#:
#: **********************************************************
#: ***                    OUTPUT CHAIN                    ***
#: **********************************************************
#:
#: Allow packets to go out over the loopback interface
/sbin/iptables -A OUTPUT -j ACCEPT -o lo
#: Allow dumb broadcast packets to leave on internal interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 255.255.255.255/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 255.255.255.255/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth3 -d 255.255.255.255/32
#: Allow packets for internal hosts to be delivered using internal interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 4.4.1.2/255.255.255.0
/sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 4.4.2.2/255.255.255.0
/sbin/iptables -A OUTPUT -j ACCEPT -o eth3 -d 3.3.3.2/255.255.255.0
#: Allow multicast packets (addresses 224.0.0.0) to be delivered using
#: internal interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 224.0.0.0/4 -p ! 6
/sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 224.0.0.0/4 -p ! 6
/sbin/iptables -A OUTPUT -j ACCEPT -o eth3 -d 224.0.0.0/4 -p ! 6
#: Deny and log packets attempting to leave over external interfaces claiming
#: to be for internal networks
/sbin/iptables -A FORWARD -j LOG -o eth0 -d 4.4.1.2/255.255.255.0
/sbin/iptables -A FORWARD -j DROP -o eth0 -d 4.4.1.2/255.255.255.0
/sbin/iptables -A OUTPUT -j LOG -o eth0 -d 4.4.1.2/255.255.255.0
/sbin/iptables -A OUTPUT -j DROP -o eth0 -d 4.4.1.2/255.255.255.0
/sbin/iptables -A FORWARD -j LOG -o eth0 -d 4.4.2.2/255.255.255.0
/sbin/iptables -A FORWARD -j DROP -o eth0 -d 4.4.2.2/255.255.255.0
/sbin/iptables -A OUTPUT -j LOG -o eth0 -d 4.4.2.2/255.255.255.0
/sbin/iptables -A OUTPUT -j DROP -o eth0 -d 4.4.2.2/255.255.255.0
/sbin/iptables -A FORWARD -j LOG -o eth0 -d 3.3.3.2/255.255.255.0
/sbin/iptables -A FORWARD -j DROP -o eth0 -d 3.3.3.2/255.255.255.0
/sbin/iptables -A OUTPUT -j LOG -o eth0 -d 3.3.3.2/255.255.255.0
/sbin/iptables -A OUTPUT -j DROP -o eth0 -d 3.3.3.2/255.255.255.0
#: Allow dumb broadcast packets to leave on external interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 255.255.255.255/32
#: Allow packets for external networks to leave over external interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -s 1.1.2.1/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -s 1.1.2.255/32
#:
#: **********************************************************
#: ***                      SERVICES                      ***
#: **********************************************************
#:
#: Turn on forwarding for 2.1 kernels
#: Enable automatic IP defragmentation
echo "1" > /proc/sys/net/ipv4/ip_forward
#: Set masquerading timeouts:
#:   2 hrs for TCP
#:   10 sec for TCP after FIN has been sent
#:   160 sec for UDP (important for ICQ users)
#: Run the deprecated /etc/ipmasq.rules, if present
#: Deny and log anything that may have snuck past any of our other rules
/sbin/iptables -A INPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A INPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A OUTPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A OUTPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A FORWARD -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A FORWARD -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0


FIREWALL/GATEWAY NETWORK 3

#: Interfaces found:
#:   eth1 1.1.1.1/255.255.255.0
#:   eth1 1.1.1.1/255.255.255.0
#:   eth0 2.2.2.1/255.255.255.0
#:   eth2 3.3.3.1/255.255.255.0
#: Turn off forwarding for 2.1 kernels
#: Disable automatic IP defragmentation
echo "0" > /proc/sys/net/ipv4/ip_forward
#: Flush all and set default policy of deny.
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT
/sbin/iptables -t mangle -F PREROUTING
/sbin/iptables -t mangle -F OUTPUT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t nat -F PREROUTING
/sbin/iptables -t nat -F POSTROUTING
/sbin/iptables -t nat -F OUTPUT
#:
#: **********************************************************
#: ***                   CUSTOM CHAINS                    ***
#: **********************************************************
#:
#:
#: **********************************************************
#: ***                   FORWARD CHAIN                    ***
#: **********************************************************
#:
#: Forward packets among internal networks
/sbin/iptables -A FORWARD -j ACCEPT -s 3.3.3.1/255.255.255.0 -d 2.2.2.1/255.255.255.0
/sbin/iptables -A FORWARD -j ACCEPT -s 2.2.2.1/255.255.255.0 -d 3.3.3.1/255.255.255.0
#:
#: **********************************************************
#: ***                    INPUT CHAIN                     ***
#: **********************************************************
#:
#: Accept all packets coming in from the loopback interface
/sbin/iptables -A INPUT -j ACCEPT -i lo
#: Deny and log all packets trying to come in from a 127.0.0.0/8 address
#: over a non-'lo' interface
/sbin/iptables -A INPUT -j LOG -i ! lo -s 127.0.0.1/255.0.0.0
/sbin/iptables -A INPUT -j DROP -i ! lo -s 127.0.0.1/255.0.0.0
#: Accept dumb broadcast packets on internal interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 255.255.255.255/32
/sbin/iptables -A INPUT -j ACCEPT -i eth2 -d 255.255.255.255/32
#: Accept packets from internal networks on internal interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -s 2.2.2.1/255.255.255.0
/sbin/iptables -A INPUT -j ACCEPT -i eth2 -s 3.3.3.1/255.255.255.0
#: Accept multicast packets (addresses 224.0.0.0) from internal interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 224.0.0.0/4 -p ! 6
/sbin/iptables -A INPUT -j ACCEPT -i eth2 -d 224.0.0.0/4 -p ! 6
#: Disallow and log packets trying to come in over external interfaces
#: from hosts claiming to be internal
/sbin/iptables -A INPUT -j LOG -i eth1 -s 2.2.2.1/255.255.255.0
/sbin/iptables -A INPUT -j DROP -i eth1 -s 2.2.2.1/255.255.255.0
/sbin/iptables -A INPUT -j LOG -i eth1 -s 3.3.3.1/255.255.255.0
/sbin/iptables -A INPUT -j DROP -i eth1 -s 3.3.3.1/255.255.255.0
#: Accept dumb broadcast packets on external interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 255.255.255.255/32
#: Accept incoming packets from external networks on external interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 1.1.1.1/32
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 1.1.1.255/32
#:
#: **********************************************************
#: ***                  IP MASQUERADING                   ***
#: **********************************************************
#:
#: Masquerade packets from internal networks
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 2.2.2.1/255.255.255.0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o eth1 -s 2.2.2.1/255.255.255.0 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 3.3.3.1/255.255.255.0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth2 -o eth1 -s 3.3.3.1/255.255.255.0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
#:
#: **********************************************************
#: ***                    OUTPUT CHAIN                    ***
#: **********************************************************
#:
#: Allow packets to go out over the loopback interface
/sbin/iptables -A OUTPUT -j ACCEPT -o lo
#: Allow dumb broadcast packets to leave on internal interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 255.255.255.255/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 255.255.255.255/32
#: Allow packets for internal hosts to be delivered using internal interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 2.2.2.1/255.255.255.0
/sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 3.3.3.1/255.255.255.0
#: Allow multicast packets (addresses 224.0.0.0) to be delivered using
#: internal interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 224.0.0.0/4 -p ! 6
/sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 224.0.0.0/4 -p ! 6
#: Deny and log packets attempting to leave over external interfaces claiming
#: to be for internal networks
/sbin/iptables -A FORWARD -j LOG -o eth1 -d 2.2.2.1/255.255.255.0
/sbin/iptables -A FORWARD -j DROP -o eth1 -d 2.2.2.1/255.255.255.0
/sbin/iptables -A OUTPUT -j LOG -o eth1 -d 2.2.2.1/255.255.255.0
/sbin/iptables -A OUTPUT -j DROP -o eth1 -d 2.2.2.1/255.255.255.0
/sbin/iptables -A FORWARD -j LOG -o eth1 -d 3.3.3.1/255.255.255.0
/sbin/iptables -A FORWARD -j DROP -o eth1 -d 3.3.3.1/255.255.255.0
/sbin/iptables -A OUTPUT -j LOG -o eth1 -d 3.3.3.1/255.255.255.0
/sbin/iptables -A OUTPUT -j DROP -o eth1 -d 3.3.3.1/255.255.255.0
#: Allow dumb broadcast packets to leave on external interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 255.255.255.255/32
#: Allow packets for external networks to leave over external interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -s 1.1.1.1/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -s 1.1.1.255/32
#:
#: **********************************************************
#: ***                      SERVICES                      ***
#: **********************************************************
#:
#: Turn on forwarding for 2.1 kernels
#: Enable automatic IP defragmentation
echo "1" > /proc/sys/net/ipv4/ip_forward
#: Set masquerading timeouts:
#:   2 hrs for TCP
#:   10 sec for TCP after FIN has been sent
#:   160 sec for UDP (important for ICQ users)
#: Run the deprecated /etc/ipmasq.rules, if present
#: Deny and log anything that may have snuck past any of our other rules
/sbin/iptables -A INPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A INPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A OUTPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A OUTPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A FORWARD -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A FORWARD -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0









