problemas iptables

To: debian-user-spanish@lists.debian.org
Subject: problemas iptables
From: Ricardo Ciliberto <ricardodebian@yahoo.com>
Date: Fri, 29 Jun 2007 21:28:49 -0700 (PDT)
Message-id: <[🔎] 227746.13017.qm@web57504.mail.re1.yahoo.com>

buenas a todos tengo un script de iptables con las
políticas por defecto (todas) como DROP... toda la red
funciona. el HTTP, los pings. Todo está bien
configurado en el script (que bastante me costó,
porque como es todo DROP) lo único que no he logrado
hacer funciona es el DNAT. La regla que estoy
utilizando es:

/sbin/iptables -t nat -A PREROUTING -p tcp  -d
200.250.152.64 --dport 80 -j DNAT --to-destination
192.168.1.20:80

No me funciona para nada... no carga nada, se queda
esperando respuesta pero a la final no recibe nada

El script de iptables es el siguiente. Espero que me
ayuden y gracias 

#!/bin/bash
/sbin/modprobe ip_conntrack_irc

/sbin/iptables -t filter -F
/sbin/iptables -t nat -F
/sbin/iptables -Z
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP

/sbin/iptables -t filter -A INPUT -i lo -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -o lo -j ACCEPT

/sbin/iptables -t filter -A INPUT -p icmp --icmp-type
0 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -p icmp --icmp-type
8 -j ACCEPT
/sbin/iptables -t filter -A INPUT -p icmp --icmp-type
8 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -p icmp --icmp-type
0 -j ACCEPT

/sbin/iptables -t filter -A OUTPUT -p udp --dport 53
-j ACCEPT
/sbin/iptables -t filter -A INPUT -p udp --sport 53 -j
ACCEPT

/sbin/iptables -t filter -A OUTPUT -p tcp --dport 80
-j ACCEPT
/sbin/iptables -t filter -A INPUT -p tcp --sport 80 -j
ACCEPT

/sbin/iptables -t filter -A OUTPUT -p tcp --dport 443
-j ACCEPT
/sbin/iptables -t filter -A INPUT -p tcp --sport 443
-j ACCEPT

/sbin/iptables -t filter -A OUTPUT -p tcp --dport 6667
-j ACCEPT
/sbin/iptables -t filter -A INPUT -p tcp --sport 6667
-j ACCEPT

/sbin/iptables -t filter -A INPUT -s 0.0.0.0/0 -p tcp
--sport 22 -j ACCEPT
/sbin/iptables -t filter -A INPUT -s 0.0.0.0/0 -p tcp
--dport 22 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -d 0.0.0.0/0 -p tcp
--sport 22 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -d 0.0.0.0/0 -p tcp
--dport 22 -j ACCEPT

/sbin/iptables -t filter -A INPUT -s 0.0.0.0/0 -p tcp
--dport 3000 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -d 0.0.0.0/0 -p tcp
--sport 3000 -j ACCEPT

/sbin/iptables -t filter -A INPUT -p tcp -i eth0 -m
mac --mac-source  00:09:6B:60:23:E7 --dport 10000 -j
ACCEPT
/sbin/iptables -t filter -A OUTPUT -p tcp -o eth0
--sport 10000 -j ACCEPT

/sbin/iptables -t filter -A INPUT -p tcp -s 0.0.0.0/0
--dport 80 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -p tcp -d 0.0.0.0/0
--sport 80 -j ACCEPT

/sbin/iptables -t nat -A POSTROUTING -o eth0 -j
MASQUERADE

/sbin/iptables -t filter -A FORWARD -s 192.168.1.0/24
-i eth1 -o eth0 -p tcp --dport 80 -j ACCEPT
/sbin/iptables -t filter -A FORWARD -d 192.168.1.0/24
-i eth0 -o eth1 -p tcp --sport 80 -j ACCEPT

/sbin/iptables -t filter -A FORWARD -s 192.168.1.0/24
-i eth1 -o eth0 -p tcp --dport 443 -j ACCEPT
/sbin/iptables -t filter -A FORWARD -d 192.168.1.0/24
-i eth0 -o eth1 -p tcp --sport 443 -j ACCEPT

/sbin/iptables -t filter -A FORWARD -s 192.168.1.0/24
-i eth1 -o eth0 -p tcp --dport 53 -j ACCEPT
/sbin/iptables -t filter -A FORWARD -d 192.168.1.0/24
-i eth0 -o eth1 -p tcp --sport 53 -j ACCEPT

/sbin/iptables -t filter -A FORWARD -s 192.168.1.0/24
-i eth1 -o eth0 -p udp --dport 53 -j ACCEPT
/sbin/iptables -t filter -A FORWARD -d 192.168.1.0/24
-i eth0 -o eth1 -p udp --sport 53 -j ACCEPT


/sbin/iptables -t filter -A FORWARD -p icmp
--icmp-type 8 -i eth1 -o eth0 -j ACCEPT
/sbin/iptables -t filter -A FORWARD -p icmp
--icmp-type 8 -i eth0 -o eth1 -j ACCEPT
/sbin/iptables -t filter -A FORWARD -p icmp
--icmp-type 0 -i eth1 -o eth0 -j ACCEPT
/sbin/iptables -t filter -A FORWARD -p icmp
--icmp-type 0 -i eth0 -o eth1 -j ACCEPT

/sbin/iptables -t filter -A FORWARD -p tcp -s
192.168.1.0/24 -i eth1 -o eth0 --dport 6667 -j ACCEPT
/sbin/iptables -t filter -A FORWARD -p tcp -d
192.168.1.0/24 -i eth0 -o eth1 --sport 6667 -j ACCEPT


/sbin/iptables -t filter -A FORWARD -p tcp -s
192.168.1.0/24 -i eth1 -o eth0 --dport 22 -j ACCEPT
/sbin/iptables -t filter -A FORWARD -p tcp -d
192.168.1.0/24 -i eth0 -o eth1 --sport 22 -j ACCEPT

### DNAT PROBLEMA!!!

/sbin/iptables -t nat -A PREROUTING -p tcp  -d
200.250.152.64 --dport 80 -j DNAT --to-destination
192.168.1.20:80

echo 1 > /proc/sys/net/ipv4/ip_forward

echo "Done"



       
____________________________________________________________________________________
Get the free Yahoo! toolbar and rest assured with the
added security of spyware protection.
http://new.toolbar.yahoo.com/toolbar/features/norton/index.php


       
____________________________________________________________________________________
Boardwalk for $500? In 2007? Ha! Play Monopoly Here and Now (it's updated for today's economy) at Yahoo! Games.
http://get.games.yahoo.com/proddesc?gamekey=monopolyherenow

Reply to:

Follow-Ups:
- Re: problemas iptables
  - From: Alejandro Garrido Mota <garridomota@gmail.com>

Prev by Date: Re: Usuario de Nagios
Next by Date: Re: problemas iptables
Previous by thread: Re: problema al instalar paquetes
Next by thread: Re: problemas iptables
Index(es):
- Date
- Thread