
Re: IPTABLES problems



Having skimmed it, I don't see any problems here, but what about the output of route?

On Fri, 04-02-2005 at 14:27 +0100, Alfonso Pinto wrote:
> I have a problem with IPTABLES that I'm stuck on. I have
> googled, I have looked at the netfilter.org documents and
> the linuxguruz.com ones, and I can't get it fixed.
> 
> Roughly, this is what is happening to me.
> 
> The networks of the company I work for look like this:
> 
> 
>     @ @ @         __________________ eth1
>   @       @  eth0| FIREWALL         |----NET1
> @  INTERNET @----|GATEWAY NETS 1 & 2|eth2
>   @   1   @      |__________________|----NET2
>     @ @ @             |eth3
>                       |
>                       |
>                       |
>                       |
>                       |
>     @ @ @         ____|eth2________
>   @       @  eth1| FIREWALL       |eth0
> @  INTERNET @----|GATEWAY NET 3   |------NET3
>   @   2   @      |________________|
>     @ @ @
> 
> NETS 1 and 2 see each other and can reach the internet
> through INTERNET 1.
> NET 3 reaches the internet through INTERNET 2.
> 
> The problem I have is that I need to interconnect NETS 1
> and 2 with NET 3 so that all three see each other. I can't
> find a way to do it.
> 
> The first thing is that I can't even ping the FIREWALL of
> NETS 1 and 2 from NET 3.
> 
> Can anyone give me some indication of where I can go from
> here?
> 
> Here is the iptables configuration of the machines. Both
> FIREWALLs are debian/sarge with a 2.6 series kernel.
> 
> These are the iptables scripts generated by ipmasq that
> work; I'm not including the changes I made, because every
> change I made only served to break something.
> 
> Many thanks
> 
> FIREWALL/GATEWAY NETS 1 AND 2
> 
> #: Interfaces found:
> #:   eth0	1.1.2.1/255.255.255.0
> #:   eth0	1.1.2.1/255.255.255.0
> #:   eth1	4.4.1.2/255.255.255.0
> #:   eth2	4.4.2.2/255.255.255.0
> #:   eth3	3.3.3.2/255.255.255.0
> #: Turn off forwarding for 2.1 kernels
> #: Disable automatic IP defragmentation
> echo "0" > /proc/sys/net/ipv4/ip_forward
> #: Flush all and set default policy of deny.
> /sbin/iptables -P INPUT DROP
> /sbin/iptables -P OUTPUT DROP
> /sbin/iptables -P FORWARD DROP
> /sbin/iptables -F INPUT
> /sbin/iptables -F OUTPUT
> /sbin/iptables -F FORWARD
> /sbin/iptables -t mangle -P PREROUTING ACCEPT
> /sbin/iptables -t mangle -P OUTPUT ACCEPT
> /sbin/iptables -t mangle -F PREROUTING
> /sbin/iptables -t mangle -F OUTPUT
> /sbin/iptables -t nat -P PREROUTING ACCEPT
> /sbin/iptables -t nat -P POSTROUTING ACCEPT
> /sbin/iptables -t nat -P OUTPUT ACCEPT
> /sbin/iptables -t nat -F PREROUTING
> /sbin/iptables -t nat -F POSTROUTING
> /sbin/iptables -t nat -F OUTPUT
> #:
> #: **********************************************************
> #: ***                   CUSTOM CHAINS                    ***
> #: **********************************************************
> #:
> #:
> #: **********************************************************
> #: ***                   FORWARD CHAIN                    ***
> #: **********************************************************
> #:
> #: Forward packets among internal networks
> /sbin/iptables -A FORWARD -j ACCEPT -s 4.4.2.2/255.255.255.0 -d 4.4.1.2/255.255.255.0
> /sbin/iptables -A FORWARD -j ACCEPT -s 3.3.3.2/255.255.255.0 -d 4.4.1.2/255.255.255.0
> /sbin/iptables -A FORWARD -j ACCEPT -s 4.4.1.2/255.255.255.0 -d 4.4.2.2/255.255.255.0
> /sbin/iptables -A FORWARD -j ACCEPT -s 3.3.3.2/255.255.255.0 -d 4.4.2.2/255.255.255.0
> /sbin/iptables -A FORWARD -j ACCEPT -s 4.4.1.2/255.255.255.0 -d 3.3.3.2/255.255.255.0
> /sbin/iptables -A FORWARD -j ACCEPT -s 4.4.2.2/255.255.255.0 -d 3.3.3.2/255.255.255.0
> #:
> #: **********************************************************
> #: ***                    INPUT CHAIN                     ***
> #: **********************************************************
> #:
> #: Accept all packets coming in from the loopback interface
> /sbin/iptables -A INPUT -j ACCEPT -i lo
> #: Deny and log all packets trying to come in from a 127.0.0.0/8 address
> #: over a non-'lo' interface
> /sbin/iptables -A INPUT -j LOG -i ! lo -s 127.0.0.1/255.0.0.0
> /sbin/iptables -A INPUT -j DROP -i ! lo -s 127.0.0.1/255.0.0.0
> #: Accept dumb broadcast packets on internal interfaces
> /sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 255.255.255.255/32
> /sbin/iptables -A INPUT -j ACCEPT -i eth2 -d 255.255.255.255/32
> /sbin/iptables -A INPUT -j ACCEPT -i eth3 -d 255.255.255.255/32
> #: Accept packets from internal networks on internal interfaces
> /sbin/iptables -A INPUT -j ACCEPT -i eth1 -s 4.4.1.2/255.255.255.0
> /sbin/iptables -A INPUT -j ACCEPT -i eth2 -s 4.4.2.2/255.255.255.0
> /sbin/iptables -A INPUT -j ACCEPT -i eth3 -s 3.3.3.2/255.255.255.0
> #: Accept multicast packets (addresses 224.0.0.0) from internal interfaces
> /sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 224.0.0.0/4 -p ! 6
> /sbin/iptables -A INPUT -j ACCEPT -i eth2 -d 224.0.0.0/4 -p ! 6
> /sbin/iptables -A INPUT -j ACCEPT -i eth3 -d 224.0.0.0/4 -p ! 6
> #: Disallow and log packets trying to come in over external interfaces
> #: from hosts claiming to be internal
> /sbin/iptables -A INPUT -j LOG -i eth0 -s 4.4.1.2/255.255.255.0
> /sbin/iptables -A INPUT -j DROP -i eth0 -s 4.4.1.2/255.255.255.0
> /sbin/iptables -A INPUT -j LOG -i eth0 -s 4.4.2.2/255.255.255.0
> /sbin/iptables -A INPUT -j DROP -i eth0 -s 4.4.2.2/255.255.255.0
> /sbin/iptables -A INPUT -j LOG -i eth0 -s 3.3.3.2/255.255.255.0
> /sbin/iptables -A INPUT -j DROP -i eth0 -s 3.3.3.2/255.255.255.0
> #: Accept dumb broadcast packets on external interfaces
> /sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 255.255.255.255/32
> #: Accept incoming packets from external networks on external interfaces
> /sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 1.1.2.1/32
> /sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 1.1.2.255/32
> #:
> #: **********************************************************
> #: ***                  IP MASQUERADING                   ***
> #: **********************************************************
> #:
> #: Masquerade packets from internal networks
> /sbin/iptables -t nat -A POSTROUTING -o eth0 -s 4.4.1.2/255.255.255.0 -j MASQUERADE
> /sbin/iptables -A FORWARD -i eth1 -o eth0 -s 4.4.1.2/255.255.255.0 -j ACCEPT
> /sbin/iptables -t nat -A POSTROUTING -o eth0 -s 4.4.2.2/255.255.255.0 -j MASQUERADE
> /sbin/iptables -A FORWARD -i eth2 -o eth0 -s 4.4.2.2/255.255.255.0 -j ACCEPT
> /sbin/iptables -t nat -A POSTROUTING -o eth0 -s 3.3.3.2/255.255.255.0 -j MASQUERADE
> /sbin/iptables -A FORWARD -i eth3 -o eth0 -s 3.3.3.2/255.255.255.0 -j ACCEPT
> /sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> #:
> #: **********************************************************
> #: ***                    OUTPUT CHAIN                    ***
> #: **********************************************************
> #:
> #: Allow packets to go out over the loopback interface
> /sbin/iptables -A OUTPUT -j ACCEPT -o lo
> #: Allow dumb broadcast packets to leave on internal interfaces
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 255.255.255.255/32
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 255.255.255.255/32
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth3 -d 255.255.255.255/32
> #: Allow packets for internal hosts to be delivered using internal interfaces
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 4.4.1.2/255.255.255.0
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 4.4.2.2/255.255.255.0
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth3 -d 3.3.3.2/255.255.255.0
> #: Allow multicast packets (addresses 224.0.0.0) to be delivered using
> #: internal interfaces
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 224.0.0.0/4 -p ! 6
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 224.0.0.0/4 -p ! 6
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth3 -d 224.0.0.0/4 -p ! 6
> #: Deny and log packets attempting to leave over external interfaces claiming
> #: to be for internal networks
> /sbin/iptables -A FORWARD -j LOG -o eth0 -d 4.4.1.2/255.255.255.0
> /sbin/iptables -A FORWARD -j DROP -o eth0 -d 4.4.1.2/255.255.255.0
> /sbin/iptables -A OUTPUT -j LOG -o eth0 -d 4.4.1.2/255.255.255.0
> /sbin/iptables -A OUTPUT -j DROP -o eth0 -d 4.4.1.2/255.255.255.0
> /sbin/iptables -A FORWARD -j LOG -o eth0 -d 4.4.2.2/255.255.255.0
> /sbin/iptables -A FORWARD -j DROP -o eth0 -d 4.4.2.2/255.255.255.0
> /sbin/iptables -A OUTPUT -j LOG -o eth0 -d 4.4.2.2/255.255.255.0
> /sbin/iptables -A OUTPUT -j DROP -o eth0 -d 4.4.2.2/255.255.255.0
> /sbin/iptables -A FORWARD -j LOG -o eth0 -d 3.3.3.2/255.255.255.0
> /sbin/iptables -A FORWARD -j DROP -o eth0 -d 3.3.3.2/255.255.255.0
> /sbin/iptables -A OUTPUT -j LOG -o eth0 -d 3.3.3.2/255.255.255.0
> /sbin/iptables -A OUTPUT -j DROP -o eth0 -d 3.3.3.2/255.255.255.0
> #: Allow dumb broadcast packets to leave on external interfaces
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 255.255.255.255/32
> #: Allow packets for external networks to leave over external interfaces
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -s 1.1.2.1/32
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -s 1.1.2.255/32
> #:
> #: **********************************************************
> #: ***                      SERVICES                      ***
> #: **********************************************************
> #:
> #: Turn on forwarding for 2.1 kernels
> #: Enable automatic IP defragmentation
> echo "1" > /proc/sys/net/ipv4/ip_forward
> #: Set masquerading timeouts:
> #:   2 hrs for TCP
> #:   10 sec for TCP after FIN has been sent
> #:   160 sec for UDP (important for ICQ users)
> #: Run the deprecated /etc/ipmasq.rules, if present
> #: Deny and log anything that may have snuck past any of our other rules
> /sbin/iptables -A INPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
> /sbin/iptables -A INPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
> /sbin/iptables -A OUTPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
> /sbin/iptables -A OUTPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
> /sbin/iptables -A FORWARD -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
> /sbin/iptables -A FORWARD -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
> 
> 
> FIREWALL/GATEWAY NET 3
> 
> #: Interfaces found:
> #:   eth1	1.1.1.1/255.255.255.0
> #:   eth1	1.1.1.1/255.255.255.0
> #:   eth0	2.2.2.1/255.255.255.0
> #:   eth2	3.3.3.1/255.255.255.0
> #: Turn off forwarding for 2.1 kernels
> #: Disable automatic IP defragmentation
> echo "0" > /proc/sys/net/ipv4/ip_forward
> #: Flush all and set default policy of deny.
> /sbin/iptables -P INPUT DROP
> /sbin/iptables -P OUTPUT DROP
> /sbin/iptables -P FORWARD DROP
> /sbin/iptables -F INPUT
> /sbin/iptables -F OUTPUT
> /sbin/iptables -F FORWARD
> /sbin/iptables -t mangle -P PREROUTING ACCEPT
> /sbin/iptables -t mangle -P OUTPUT ACCEPT
> /sbin/iptables -t mangle -F PREROUTING
> /sbin/iptables -t mangle -F OUTPUT
> /sbin/iptables -t nat -P PREROUTING ACCEPT
> /sbin/iptables -t nat -P POSTROUTING ACCEPT
> /sbin/iptables -t nat -P OUTPUT ACCEPT
> /sbin/iptables -t nat -F PREROUTING
> /sbin/iptables -t nat -F POSTROUTING
> /sbin/iptables -t nat -F OUTPUT
> #:
> #: **********************************************************
> #: ***                   CUSTOM CHAINS                    ***
> #: **********************************************************
> #:
> #:
> #: **********************************************************
> #: ***                   FORWARD CHAIN                    ***
> #: **********************************************************
> #:
> #: Forward packets among internal networks
> /sbin/iptables -A FORWARD -j ACCEPT -s 3.3.3.1/255.255.255.0 -d 2.2.2.1/255.255.255.0
> /sbin/iptables -A FORWARD -j ACCEPT -s 2.2.2.1/255.255.255.0 -d 3.3.3.1/255.255.255.0
> #:
> #: **********************************************************
> #: ***                    INPUT CHAIN                     ***
> #: **********************************************************
> #:
> #: Accept all packets coming in from the loopback interface
> /sbin/iptables -A INPUT -j ACCEPT -i lo
> #: Deny and log all packets trying to come in from a 127.0.0.0/8 address
> #: over a non-'lo' interface
> /sbin/iptables -A INPUT -j LOG -i ! lo -s 127.0.0.1/255.0.0.0
> /sbin/iptables -A INPUT -j DROP -i ! lo -s 127.0.0.1/255.0.0.0
> #: Accept dumb broadcast packets on internal interfaces
> /sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 255.255.255.255/32
> /sbin/iptables -A INPUT -j ACCEPT -i eth2 -d 255.255.255.255/32
> #: Accept packets from internal networks on internal interfaces
> /sbin/iptables -A INPUT -j ACCEPT -i eth0 -s 2.2.2.1/255.255.255.0
> /sbin/iptables -A INPUT -j ACCEPT -i eth2 -s 3.3.3.1/255.255.255.0
> #: Accept multicast packets (addresses 224.0.0.0) from internal interfaces
> /sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 224.0.0.0/4 -p ! 6
> /sbin/iptables -A INPUT -j ACCEPT -i eth2 -d 224.0.0.0/4 -p ! 6
> #: Disallow and log packets trying to come in over external interfaces
> #: from hosts claiming to be internal
> /sbin/iptables -A INPUT -j LOG -i eth1 -s 2.2.2.1/255.255.255.0
> /sbin/iptables -A INPUT -j DROP -i eth1 -s 2.2.2.1/255.255.255.0
> /sbin/iptables -A INPUT -j LOG -i eth1 -s 3.3.3.1/255.255.255.0
> /sbin/iptables -A INPUT -j DROP -i eth1 -s 3.3.3.1/255.255.255.0
> #: Accept dumb broadcast packets on external interfaces
> /sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 255.255.255.255/32
> #: Accept incoming packets from external networks on external interfaces
> /sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 1.1.1.1/32
> /sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 1.1.1.255/32
> #:
> #: **********************************************************
> #: ***                  IP MASQUERADING                   ***
> #: **********************************************************
> #:
> #: Masquerade packets from internal networks
> /sbin/iptables -t nat -A POSTROUTING -o eth1 -s 2.2.2.1/255.255.255.0 -j MASQUERADE
> /sbin/iptables -A FORWARD -i eth0 -o eth1 -s 2.2.2.1/255.255.255.0 -j ACCEPT
> /sbin/iptables -t nat -A POSTROUTING -o eth1 -s 3.3.3.1/255.255.255.0 -j MASQUERADE
> /sbin/iptables -A FORWARD -i eth2 -o eth1 -s 3.3.3.1/255.255.255.0 -j ACCEPT
> /sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> #:
> #: **********************************************************
> #: ***                    OUTPUT CHAIN                    ***
> #: **********************************************************
> #:
> #: Allow packets to go out over the loopback interface
> /sbin/iptables -A OUTPUT -j ACCEPT -o lo
> #: Allow dumb broadcast packets to leave on internal interfaces
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 255.255.255.255/32
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 255.255.255.255/32
> #: Allow packets for internal hosts to be delivered using internal interfaces
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 2.2.2.1/255.255.255.0
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 3.3.3.1/255.255.255.0
> #: Allow multicast packets (addresses 224.0.0.0) to be delivered using
> #: internal interfaces
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 224.0.0.0/4 -p ! 6
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 224.0.0.0/4 -p ! 6
> #: Deny and log packets attempting to leave over external interfaces claiming
> #: to be for internal networks
> /sbin/iptables -A FORWARD -j LOG -o eth1 -d 2.2.2.1/255.255.255.0
> /sbin/iptables -A FORWARD -j DROP -o eth1 -d 2.2.2.1/255.255.255.0
> /sbin/iptables -A OUTPUT -j LOG -o eth1 -d 2.2.2.1/255.255.255.0
> /sbin/iptables -A OUTPUT -j DROP -o eth1 -d 2.2.2.1/255.255.255.0
> /sbin/iptables -A FORWARD -j LOG -o eth1 -d 3.3.3.1/255.255.255.0
> /sbin/iptables -A FORWARD -j DROP -o eth1 -d 3.3.3.1/255.255.255.0
> /sbin/iptables -A OUTPUT -j LOG -o eth1 -d 3.3.3.1/255.255.255.0
> /sbin/iptables -A OUTPUT -j DROP -o eth1 -d 3.3.3.1/255.255.255.0
> #: Allow dumb broadcast packets to leave on external interfaces
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 255.255.255.255/32
> #: Allow packets for external networks to leave over external interfaces
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -s 1.1.1.1/32
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -s 1.1.1.255/32
> #:
> #: **********************************************************
> #: ***                      SERVICES                      ***
> #: **********************************************************
> #:
> #: Turn on forwarding for 2.1 kernels
> #: Enable automatic IP defragmentation
> echo "1" > /proc/sys/net/ipv4/ip_forward
> #: Set masquerading timeouts:
> #:   2 hrs for TCP
> #:   10 sec for TCP after FIN has been sent
> #:   160 sec for UDP (important for ICQ users)
> #: Run the deprecated /etc/ipmasq.rules, if present
> #: Deny and log anything that may have snuck past any of our other rules
> /sbin/iptables -A INPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
> /sbin/iptables -A INPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
> /sbin/iptables -A OUTPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
> /sbin/iptables -A OUTPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
> /sbin/iptables -A FORWARD -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
> /sbin/iptables -A FORWARD -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
> 
-- 
Antonio Trujillo Carmona <trujo@dti2.net>
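As an added example (not from either poster), the check the reply points at and the pieces each gateway would need on top of the quoted ipmasq scripts for network 3 (2.2.2.0/24) and networks 1 and 2 (4.4.1.0/24, 4.4.2.0/24) to reach each other over the 3.3.3.0/24 link: a test of whether route -n already shows a route, the routes themselves, and iptables rules limited to exactly those networks and interfaces. The addresses and interface names come from the quoted scripts; the function names, the gw12/gw3 labels, DRY_RUN and the ICMP-only reachability of the gateway itself are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from either poster. Assumes the addresses of the quoted
# ipmasq scripts: 3.3.3.2 is eth3 on the gateway of networks 1 and 2 (gw12),
# 3.3.3.1 is eth2 on the gateway of network 3 (gw3). With DRY_RUN=1 (default)
# the commands are printed instead of run, so they can be reviewed first.
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# route_missing NET "OUTPUT_OF_route_-n": succeeds when no line of the table
# starts with NET. The quoted scripts add no routes, so unless one was added
# by hand gw12 has none for 2.2.2.0/24; that is the first thing to check.
route_missing() {
    ! printf '%s\n' "$2" | awk -v net="$1" '$1 == net { f = 1 } END { exit (f ? 0 : 1) }'
}

# allow_forward LINK_IF REMOTE_NET INT_IF INT_NET: forwarding between one
# internal network and one remote network over the inter-site link. Inserted
# with -I so the rules land ahead of the LOG/DROP catch-alls ipmasq appends;
# both interfaces and both networks are named, so nothing else crosses.
allow_forward() {
    run /sbin/iptables -I FORWARD -i "$1" -o "$3" -s "$2" -d "$4" -j ACCEPT
    run /sbin/iptables -I FORWARD -i "$3" -o "$1" -s "$4" -d "$2" -j ACCEPT
}

# allow_ping LINK_IF REMOTE_NET: let hosts of the remote network ping the
# gateway itself (the test in the question). INPUT and OUTPUT carry no state
# rule in the quoted scripts, so the reply needs its own rule; only ICMP echo
# is opened, not every port on the firewall.
allow_ping() {
    run /sbin/iptables -I INPUT -i "$1" -s "$2" -p icmp --icmp-type echo-request -j ACCEPT
    run /sbin/iptables -I OUTPUT -o "$1" -d "$2" -p icmp --icmp-type echo-reply -j ACCEPT
}

# gw12: network 3 is behind 3.3.3.1 on eth3; networks 1 and 2 sit on eth1/eth2.
configure_gw12() {
    run route add -net 2.2.2.0 netmask 255.255.255.0 gw 3.3.3.1 dev eth3
    allow_ping eth3 2.2.2.0/24
    allow_forward eth3 2.2.2.0/24 eth1 4.4.1.0/24
    allow_forward eth3 2.2.2.0/24 eth2 4.4.2.0/24
}

# gw3: networks 1 and 2 are behind 3.3.3.2 on eth2; network 3 sits on eth0.
configure_gw3() {
    run route add -net 4.4.1.0 netmask 255.255.255.0 gw 3.3.3.2 dev eth2
    run route add -net 4.4.2.0 netmask 255.255.255.0 gw 3.3.3.2 dev eth2
    allow_forward eth2 4.4.1.0/24 eth0 2.2.2.0/24
    allow_forward eth2 4.4.2.0/24 eth0 2.2.2.0/24
}

# GW=gw12 sh ipt-link.sh prints the gw12 commands; DRY_RUN=0 applies them.
case "${GW:-}" in gw12) configure_gw12 ;; gw3) configure_gw3 ;; esac
```

Traffic between the sites stays un-NATed because the quoted MASQUERADE rules only match the internet-facing interface, so the logs on either gateway keep the real source addresses.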



