iptables problems
Hi everyone, I have an iptables script with the default policies (all of them) set to DROP... the whole network works: HTTP, pings. Everything is configured correctly in the script (which took me quite some effort, since everything is DROP); the only thing I haven't managed to get working is the DNAT. The rule I'm using is:
/sbin/iptables -t nat -A PREROUTING -p tcp -d 200.250.152.64 --dport 80 -j DNAT --to-destination 192.168.1.20:80
It doesn't work at all... nothing loads, it sits waiting for a response but in the end nothing is received.
The iptables script is the following. I hope you can help me, and thanks.
#!/bin/bash
/sbin/modprobe ip_conntrack_irc
# flush the filter and nat tables and zero the counters
/sbin/iptables -t filter -F
/sbin/iptables -t nat -F
/sbin/iptables -Z
# default policies: everything not explicitly accepted is dropped
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
# loopback
/sbin/iptables -t filter -A INPUT -i lo -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -o lo -j ACCEPT
# ICMP echo request (8) and echo reply (0) in both directions
/sbin/iptables -t filter -A INPUT -p icmp --icmp-type 0 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
/sbin/iptables -t filter -A INPUT -p icmp --icmp-type 8 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
# traffic to and from the firewall itself: DNS, HTTP, HTTPS, IRC
/sbin/iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
/sbin/iptables -t filter -A INPUT -p udp --sport 53 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -t filter -A INPUT -p tcp --sport 80 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
/sbin/iptables -t filter -A INPUT -p tcp --sport 443 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -p tcp --dport 6667 -j ACCEPT
/sbin/iptables -t filter -A INPUT -p tcp --sport 6667 -j ACCEPT
# SSH in both directions, port 3000, and port 10000 only from one MAC address on eth0
/sbin/iptables -t filter -A INPUT -s 0.0.0.0/0 -p tcp --sport 22 -j ACCEPT
/sbin/iptables -t filter -A INPUT -s 0.0.0.0/0 -p tcp --dport 22 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -d 0.0.0.0/0 -p tcp --sport 22 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -d 0.0.0.0/0 -p tcp --dport 22 -j ACCEPT
/sbin/iptables -t filter -A INPUT -s 0.0.0.0/0 -p tcp --dport 3000 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -d 0.0.0.0/0 -p tcp --sport 3000 -j ACCEPT
/sbin/iptables -t filter -A INPUT -p tcp -i eth0 -m mac --mac-source 00:09:6B:60:23:E7 --dport 10000 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -p tcp -o eth0 --sport 10000 -j ACCEPT
# web server on the firewall itself
/sbin/iptables -t filter -A INPUT -p tcp -s 0.0.0.0/0 --dport 80 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -p tcp -d 0.0.0.0/0 --sport 80 -j ACCEPT
# masquerade the LAN behind eth0
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# forwarding for the LAN (192.168.1.0/24 on eth1) towards eth0: HTTP, HTTPS, DNS, ICMP, IRC, SSH
/sbin/iptables -t filter -A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p tcp --dport 80 -j ACCEPT
/sbin/iptables -t filter -A FORWARD -d 192.168.1.0/24 -i eth0 -o eth1 -p tcp --sport 80 -j ACCEPT
/sbin/iptables -t filter -A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p tcp --dport 443 -j ACCEPT
/sbin/iptables -t filter -A FORWARD -d 192.168.1.0/24 -i eth0 -o eth1 -p tcp --sport 443 -j ACCEPT
/sbin/iptables -t filter -A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p tcp --dport 53 -j ACCEPT
/sbin/iptables -t filter -A FORWARD -d 192.168.1.0/24 -i eth0 -o eth1 -p tcp --sport 53 -j ACCEPT
/sbin/iptables -t filter -A FORWARD -s 192.168.1.0/24 -i eth1 -o eth0 -p udp --dport 53 -j ACCEPT
/sbin/iptables -t filter -A FORWARD -d 192.168.1.0/24 -i eth0 -o eth1 -p udp --sport 53 -j ACCEPT
/sbin/iptables -t filter -A FORWARD -p icmp --icmp-type 8 -i eth1 -o eth0 -j ACCEPT
/sbin/iptables -t filter -A FORWARD -p icmp --icmp-type 8 -i eth0 -o eth1 -j ACCEPT
/sbin/iptables -t filter -A FORWARD -p icmp --icmp-type 0 -i eth1 -o eth0 -j ACCEPT
/sbin/iptables -t filter -A FORWARD -p icmp --icmp-type 0 -i eth0 -o eth1 -j ACCEPT
/sbin/iptables -t filter -A FORWARD -p tcp -s 192.168.1.0/24 -i eth1 -o eth0 --dport 6667 -j ACCEPT
/sbin/iptables -t filter -A FORWARD -p tcp -d 192.168.1.0/24 -i eth0 -o eth1 --sport 6667 -j ACCEPT
/sbin/iptables -t filter -A FORWARD -p tcp -s 192.168.1.0/24 -i eth1 -o eth0 --dport 22 -j ACCEPT
/sbin/iptables -t filter -A FORWARD -p tcp -d 192.168.1.0/24 -i eth0 -o eth1 --sport 22 -j ACCEPT
### DNAT PROBLEM!!!
/sbin/iptables -t nat -A PREROUTING -p tcp -d 200.250.152.64 --dport 80 -j DNAT --to-destination 192.168.1.20:80
# enable routing between interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Done"
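DNAT in PREROUTING only rewrites the destination address; the rewritten packet is then routed and still has to pass the FORWARD chain, whose policy in the posted script is DROP and which only accepts eth1->eth0 traffic to port 80, not eth0->eth1 traffic to 192.168.1.20:80. The rules below are an added example (not the poster's script) that supply that missing path plus a counter check; they assume eth0 is the external interface and eth1 the LAN side, as the script's MASQUERADE and FORWARD rules suggest, and print the commands unless IPT is set to the real binary.

```shell
#!/bin/bash
# Added example: FORWARD rules needed for the DNAT to 192.168.1.20:80.
# Assumptions (taken from the post): eth0 = external (200.250.152.64),
# eth1 = internal, web server = 192.168.1.20.
# Default is a dry run that prints the commands; run as root with
# IPT=/sbin/iptables to actually apply them.
set -eu
IPT="${IPT:-echo /sbin/iptables}"
EXT_IF=eth0
INT_IF=eth1
EXT_IP=200.250.152.64
WEB=192.168.1.20

dnat_rules() {
    # 1. nat/PREROUTING rewrites the destination (same rule as the post,
    #    restricted to packets arriving on the external interface)
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EXT_IP" --dport 80 \
        -j DNAT --to-destination "$WEB:80"
    # 2. filter/FORWARD sees the packet AFTER the rewrite, so the match is
    #    eth0 -> eth1 with destination 192.168.1.20:80 (missing in the post)
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$WEB" --dport 80 \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    # 3. return path: conntrack un-DNATs the reply on its way out, but the
    #    reply still has to be accepted in FORWARD (eth1 -> eth0, sport 80)
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p tcp -s "$WEB" --sport 80 \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Check: compare packet counters. A rising PREROUTING counter with a flat
# FORWARD counter means the DNAT matched but the filter chain dropped the
# rewritten packet, which is exactly the "waits for a reply" symptom.
dnat_check() {
    $IPT -t nat -L PREROUTING -n -v --line-numbers
    $IPT -L FORWARD -n -v --line-numbers
}

dnat_rules
dnat_check
```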