Re: Subredes, proxy y otras yerbas

Hola William,

No, no lo he usado. Es mas no me suena haberlo usado nunca el NAT conjugado con FORWARD...

Aqui posteo lo que me tira un netstat -nr

Destination Gateway Genmask Flags MSS Window irtt Iface

0.0.0.0 192.168.0.216 0.0.0.0 UG 0 0 0 eth1

192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1

192.168.30.0 192.168.0.1 255.255.255.0 UG 0 0 0 eth0

Donde 192.168.0.216 es el gateway de la subred 0 y 192.168.0.1 es lo mismo para la subred 30

Aqui les muestro un IPTABLES -L

target prot opt source destination

ACCEPT all -- localhost anywhere

ACCEPT tcp -- 192.168.0.0/24 anywhere tcp dpt:3128

ACCEPT tcp -- 192.168.30.0/24 anywhere tcp dpt:3128

ACCEPT tcp -- anywhere anywhere tcp dpt:https

ACCEPT tcp -- anywhere anywhere tcp dpt:webmin

ACCEPT tcp -- fmiculan.friggorina.local anywhere tcp dpt:netbios-ssn

ACCEPT tcp -- fmiculan.friggorina.local anywhere tcp dpt:microsoft-ds

ACCEPT tcp -- anywhere anywhere tcp dpt:10200

ACCEPT tcp -- anywhere anywhere tcp dpt:5901

ACCEPT udp -- fglp05.friggorina.local anywhere udp dpt:snmp

ACCEPT udp -- fglp05.friggorina.local anywhere udp dpt:snmp-trap

ACCEPT udp -- fglp10.friggorina.local anywhere udp dpt:snmp

ACCEPT udp -- fglp10.friggorina.local anywhere udp dpt:snmp-trap

ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

ACCEPT icmp -- fglp05.friggorina.local anywhere

ACCEPT tcp -- anywhere anywhere tcp dpt:domain

ACCEPT udp -- anywhere anywhere udp dpt:domain

Chain FORWARD (policy DROP)

target prot opt source destination

ACCEPT icmp -- anywhere anywhere

ACCEPT tcp -- anywhere anywhere tcp dpt:2222

ACCEPT tcp -- anywhere anywhere tcp spt:2222

ACCEPT tcp -- anywhere anywhere tcp dpt:2221

ACCEPT tcp -- anywhere anywhere tcp spt:2221

ACCEPT tcp -- anywhere anywhere tcp dpt:25000

ACCEPT tcp -- anywhere anywhere tcp spt:25000

ACCEPT tcp -- anywhere anywhere tcp dpt:5938

ACCEPT tcp -- anywhere anywhere tcp spt:5938

ACCEPT tcp -- anywhere anywhere tcp dpt:31193

ACCEPT tcp -- anywhere anywhere tcp spt:31193

ACCEPT tcp -- anywhere anywhere tcp dpt:1935

ACCEPT tcp -- anywhere anywhere tcp spt:1935

ACCEPT tcp -- anywhere anywhere tcp dpt:smtp

ACCEPT tcp -- anywhere anywhere tcp spt:smtp

ACCEPT tcp -- anywhere anywhere tcp dpt:pop3

ACCEPT tcp -- anywhere anywhere tcp spt:pop3

ACCEPT tcp -- anywhere anywhere tcp dpt:https

ACCEPT tcp -- anywhere anywhere tcp spt:https

ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn

ACCEPT tcp -- anywhere anywhere tcp spt:netbios-ssn

ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-dgm

ACCEPT tcp -- anywhere anywhere tcp spt:netbios-dgm

ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ns

ACCEPT tcp -- anywhere anywhere tcp spt:netbios-ns

ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds

ACCEPT tcp -- anywhere anywhere tcp spt:microsoft-ds

ACCEPT tcp -- anywhere anywhere tcp dpt:http MAC 00:21:97:D4:9A:92

ACCEPT tcp -- anywhere anywhere tcp spt:http MAC 00:21:97:D4:9A:92

ACCEPT tcp -- anywhere anywhere tcp dpt:https MAC 00:21:97:D4:9A:92

ACCEPT tcp -- anywhere anywhere tcp spt:https MAC 00:21:97:D4:9A:92

ACCEPT tcp -- anywhere anywhere tcp dpt:1723

ACCEPT tcp -- anywhere anywhere tcp spt:1723

ACCEPT tcp -- anywhere anywhere tcp dpt:47

ACCEPT tcp -- anywhere anywhere tcp spt:47

ACCEPT tcp -- anywhere anywhere tcp dpt:3001

ACCEPT tcp -- anywhere anywhere tcp spt:3001

ACCEPT tcp -- anywhere anywhere tcp dpt:mysql MAC 00:E0:4C:73:7E:F6

ACCEPT tcp -- anywhere anywhere tcp spt:mysql MAC 00:E0:4C:73:7E:F6

ACCEPT tcp -- anywhere anywhere tcp dpt:radmin-port

ACCEPT tcp -- anywhere anywhere tcp spt:radmin-port

ACCEPT tcp -- anywhere anywhere tcp dpt:3389

ACCEPT tcp -- anywhere anywhere tcp spt:3389

ACCEPT tcp -- anywhere anywhere tcp dpt:xmpp-client

ACCEPT tcp -- anywhere anywhere tcp spt:xmpp-client

ACCEPT tcp -- anywhere anywhere tcp dpt:afs3-prserver

ACCEPT tcp -- anywhere anywhere tcp spt:afs3-prserver

ACCEPT tcp -- anywhere anywhere tcp dpt:44018

ACCEPT tcp -- anywhere anywhere tcp spt:44018

ACCEPT tcp -- anywhere anywhere MAC 50:E5:49:93:7D:47

ACCEPT tcp -- anywhere anywhere MAC 00:17:C4:99:D8:4C

ACCEPT tcp -- anywhere anywhere MAC 00:1F:16:AA:A3:E9

ACCEPT tcp -- anywhere anywhere MAC B8:76:3F:6D:3B:16

ACCEPT tcp -- anywhere anywhere MAC C4:DA:26:04:8C:D7

ACCEPT tcp -- anywhere anywhere MAC F0:4D:A2:58:04:DE

ACCEPT tcp -- anywhere anywhere MAC B8:B4:2E:EC:D8:69

ACCEPT tcp -- anywhere anywhere MAC B8:8D:12:0E:C1:28

ACCEPT tcp -- anywhere anywhere MAC 00:1E:68:89:F6:31

ACCEPT tcp -- anywhere anywhere MAC 00:21:00:2D:8F:AD

ACCEPT tcp -- anywhere anywhere MAC 74:DE:2B:20:3A:59

ACCEPT tcp -- anywhere anywhere MAC C8:9C:DC:05:EF:A7

ACCEPT tcp -- anywhere anywhere MAC C8:6F:1D:0F:86:D2

ACCEPT tcp -- anywhere anywhere MAC 78:84:3C:2B:AD:3B

ACCEPT tcp -- anywhere anywhere MAC 4C:0F:6E:D6:7B:5D

ACCEPT tcp -- anywhere anywhere MAC 00:23:4E:04:23:ED

ACCEPT tcp -- anywhere anywhere MAC 00:1C:8B:45:BD:5F

ACCEPT tcp -- anywhere anywhere MAC 00:21:5D:C6:C1:C8

ACCEPT tcp -- anywhere anywhere MAC 00:1E:EC:F5:61:C3

ACCEPT tcp -- anywhere anywhere MAC 00:25:56:BB:E9:32

ACCEPT tcp -- anywhere anywhere MAC 00:26:22:CA:47:54

ACCEPT tcp -- anywhere anywhere MAC 00:1E:C2:BD:7E:99

ACCEPT tcp -- anywhere anywhere MAC 00:1D:E0:76:BD:A1

ACCEPT tcp -- anywhere anywhere MAC 00:E0:4C:73:7E:F6

ACCEPT tcp -- anywhere anywhere MAC 80:9B:20:0A:90:34

ACCEPT tcp -- anywhere anywhere MAC B8:88:E3:A9:FC:EB

ACCEPT tcp -- anywhere anywhere MAC 00:0A:EB:22:1A:3F

ACCEPT tcp -- anywhere anywhere MAC 00:E0:4C:8D:9B:4C

ACCEPT tcp -- anywhere anywhere MAC 00:1E:33:82:6D:F6

ACCEPT tcp -- anywhere anywhere MAC 00:21:63:A6:46:BB

ACCEPT tcp -- anywhere anywhere MAC 00:16:44:75:AC:07

ACCEPT tcp -- anywhere anywhere MAC 00:A0:D1:8B:C8:CB

ACCEPT tcp -- anywhere anywhere MAC E4:12:1D:83:E2:2C

ACCEPT tcp -- anywhere anywhere MAC E0:B9:A5:4E:40:00

ACCEPT tcp -- anywhere anywhere MAC C4:DA:26:04:88:D0

ACCEPT tcp -- anywhere anywhere MAC B8:88:E3:A8:F1:E3

ACCEPT tcp -- anywhere anywhere MAC 68:94:23:C5:E2:F7

ACCEPT tcp -- anywhere anywhere MAC 00:E0:48:00:3C:1C

ACCEPT tcp -- anywhere anywhere MAC 00:23:6C:95:DB:84

ACCEPT tcp -- anywhere anywhere MAC 00:23:DF:97:46:64

ACCEPT tcp -- anywhere anywhere MAC F0:27:65:19:01:57

ACCEPT tcp -- anywhere anywhere MAC 5C:51:4F:29:69:68

ACCEPT tcp -- anywhere anywhere MAC 18:67:B0:BF:DC:14

ACCEPT tcp -- anywhere anywhere MAC 80:60:07:4A:C1:EC

ACCEPT tcp -- anywhere anywhere MAC D4:F4:6F:27:36:42

ACCEPT tcp -- anywhere anywhere MAC 00:1D:E0:94:E5:87

ACCEPT tcp -- anywhere anywhere MAC 00:15:B7:1E:45:F2

ACCEPT tcp -- anywhere anywhere MAC 40:25:C2:A1:A1:F4

ACCEPT tcp -- anywhere anywhere MAC F0:BF:97:E4:85:11

ACCEPT tcp -- anywhere anywhere MAC 80:60:07:91:C9:96

ACCEPT tcp -- anywhere anywhere MAC A8:96:8A:80:79:A1

ACCEPT tcp -- anywhere anywhere MAC 00:00:74:AB:44:81

ACCEPT tcp -- anywhere anywhere MAC 00:50:56:BD:00:00

ACCEPT tcp -- anywhere anywhere MAC 00:03:0D:93:36:8A

ACCEPT tcp -- anywhere anywhere MAC 00:16:44:B3:F0:00

ACCEPT tcp -- anywhere anywhere MAC 00:37:6D:53:0B:E7

ACCEPT tcp -- anywhere anywhere MAC F0:DE:F1:77:49:57

ACCEPT tcp -- anywhere anywhere MAC D0:DF:9A:C6:A1:C5

ACCEPT tcp -- anywhere anywhere MAC D0:DF:9A:C4:61:F4

ACCEPT tcp -- anywhere anywhere MAC F0:DE:F1:77:49:41

ACCEPT tcp -- anywhere anywhere MAC E8:80:2E:CB:D6:BA

ACCEPT tcp -- anywhere anywhere MAC D0:DE:9A:C4:68:7D

ACCEPT tcp -- anywhere anywhere MAC F0:DE:F1:77:46:B2

ACCEPT tcp -- anywhere anywhere MAC 00:26:82:A5:21:C1

ACCEPT tcp -- anywhere anywhere MAC 88:AE:1D:34:00:E5

ACCEPT tcp -- anywhere anywhere MAC C0:65:99:B6:2E:3E

ACCEPT tcp -- anywhere anywhere MAC 00:1F:3B:32:E4:67

ACCEPT tcp -- anywhere anywhere MAC 00:1C:C4:CC:2D:71

ACCEPT tcp -- anywhere anywhere MAC 00:19:7D:07:16:F1

ACCEPT tcp -- anywhere anywhere MAC 00:0F:B0:CE:B8:62

ACCEPT tcp -- anywhere anywhere MAC DC:0E:A1:A5:87:E9

ACCEPT tcp -- anywhere anywhere MAC 08:ED:B9:10:60:D9

ACCEPT tcp -- anywhere anywhere MAC 1C:4B:D6:67:49:01

ACCEPT tcp -- anywhere anywhere MAC 60:21:C0:39:3F:16

ACCEPT tcp -- anywhere anywhere MAC 88:53:2E:4A:2B:DF

ACCEPT tcp -- anywhere anywhere MAC D0:DF:9A:60:35:2E

ACCEPT tcp -- anywhere anywhere MAC 00:24:D6:19:BC:6C

ACCEPT tcp -- anywhere anywhere MAC B8:88:E3:A8:E6:26

ACCEPT tcp -- anywhere anywhere MAC 68:94:23:C5:E9:DF

ACCEPT tcp -- anywhere anywhere MAC 00:C2:C6:09:A9:7A

ACCEPT tcp -- anywhere anywhere MAC A4:17:31:EA:89:7B

ACCEPT tcp -- anywhere anywhere MAC 54:53:ED:37:DF:7C

ACCEPT tcp -- anywhere anywhere MAC D4:F4:6F:18:37:92

ACCEPT tcp -- anywhere anywhere MAC 14:10:9F:ED:64:D0

ACCEPT tcp -- anywhere anywhere MAC 00:26:82:59:54:51

ACCEPT tcp -- anywhere anywhere MAC 70:5A:B6:5A:56:AA

ACCEPT tcp -- anywhere anywhere MAC 74:DE:2B:5C:FE:D5

ACCEPT tcp -- anywhere anywhere MAC DC:0E:A1:7A:33:A0

ACCEPT tcp -- anywhere anywhere MAC 64:27:37:25:75:59

ACCEPT tcp -- anywhere anywhere MAC 14:DA:E9:9F:42:86

ACCEPT tcp -- anywhere anywhere MAC 00:1F:3C:58:3F:62

ACCEPT tcp -- anywhere anywhere MAC BC:8C:CD:E7:D9:06

ACCEPT tcp -- anywhere anywhere MAC B4:52:7D:F9:98:D8

ACCEPT tcp -- anywhere anywhere MAC B8:5E:7B:BA:6F:6C

ACCEPT tcp -- anywhere anywhere MAC 68:ED:43:A3:54:67

ACCEPT tcp -- anywhere anywhere MAC 00:21:C5:12:3E:B1

ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

ACCEPT all -- anywhere localhost

Y les adjunto el archivo FIRE.SH para que vean el firewall como esta armado.

El 31 de diciembre de 2014, 1:59, William Romero <wromero06@hotmail.com> escribió:

Se me presento un caso en mi trabajo. Tenemos un squid linkeado a un active
> directory de Win(fucker) 2008 en la red 192.168.0.0, ademas de haber
> implementado un firewall con iptables. Todo realizado en un Debian 7.
> Hasta ahí no hay inconvenientes, los usuarios navegan perfectamente según
> los grupos asignados en el active directory.
> El problema se presento justamente hoy, al querer ampliar la red a otra
> subred (192.168.30.0, que dicho sea de paso se implemento en forma de vlan
> en un router mikrotik.)
> La cuestión es, que después de haber agregado la ruta en una de las
> interfaces del debian para que vea la subred 30, estos navegan perfectamente
> en internet, pero no la subred 0, todo lo que sea web no funciona, salvo el
> correo electrónico y el skype.
> Que es lo que puede estar pasando?
> Con netstat -nr se ven las rutas asignadas perfectamente, por ese lado no
> veo el problema... me estará faltando algún tipo de regla adicional en el
> firewall ??
> Si les sirve les puedo postear el script del firewall. La política por
> defecto es DROP y luego permito algunos puertos y mac address para que
> bypaseen el proxy.
>

Falta algo de info, pero adivinando diría que algún cambio afectó laconfiguración de squid donde se daba permiso a la red192.168.0.0/(24?) para utilizar el mismo al habilitar la192.168.30.0(/24?) o lo mismo en iptables donde se permite acceder ala IP:Puerto donde escucha squid.Al decir que anda el correo y skype descarto problemas de ruteo/nat.Cuando desis que no navegan, cual es el error? un error de squiddiciendo que no tienen permiso o que no los clientes nos se puedenconectar al proxy?
Los que no navegan son los equipos de la subred 0 que esquivan el proxy squid a través de una regla iptables por mac address. Si esos equipos los apunto al squid desde el navegador, funcionan bien.Lo extraño es que esa regla funciono de maravillas antes de hacer la subred 30.

Has usado el FORWARD NAT de iptables para llevar 0.0 hacia 30.0 ?

https://lists.debian.org/debian-user-spanish/2008/11/msg00094.html

https://albertomolina.wordpress.com/2009/01/09/nat-con-iptables/

saludos

WRC

--
To UNSUBSCRIBE, email to debian-user-spanish-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: [🔎] BAY177-W94A860F656A2EBF7DB72BB65F0@phx.gbl" target="_blank">https://lists.debian.org/[🔎] BAY177-W94A860F656A2EBF7DB72BB65F0@phx.gbl

Fernando Miculan.-
FCM Sistemas
Tel. 15-5435862 / ID: 160*6915

ICQ: 6410724 / Skype: fcmsistemas
http://ferchobbs.ddns.net

BBS Telnet: ferchobbs.ddns.net:23