ora dopo lunghe peripezie sembra funzionare a dovere; spero di non aver fatto errori grossolani ma la rete va come volevo (pingo ed esco con il gateway .254) tranne per la connessione ftp (porta 21) dai client (nel range) all'esterno: mi fa fare il login, ma quando lancio sul server remoto "dir" non mi ritorna nulla e mi dà un errore "only accept connection to 145.10.168.1"
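#!/bin/bash
# script iptables: brings up the eth0/eth1 bridge (br0), then loads the
# firewall/NAT rule set for the LAN clients.
#
# Must run as root. Needs bridge-utils (brctl), dhclient and iptables.
#
# Topology as implied by the rules below (inferred, confirm against the site):
#   - the clients in CLIENT_RANGE and the upstream gateway (.254) are both
#     reached through br0; this box forwards between them and masquerades
#     the clients behind the br0 address;
#   - eth2 (LAN_IF) is only used for management (ssh / 8080) on INPUT.
set -u   # an unset variable inside an iptables argument would silently widen a rule

# definisco le variabili che utilizzo
WAN_IF="br0"
LAN_IF="eth2"
WAN_IP="145.10.168.1"                          # address br0 gets from dhclient (documentation only, not used in rules)
CLIENT_RANGE="145.10.168.2-145.10.168.130"     # ssh, internet e posta elettronica
AMMINSTRAZIONE="145.10.168.87-145.10.168.90"   # oracle e prog amministrazione (not referenced by any rule yet)
SERVER="145.10.168.2"                          # per Remote desktop
readonly WAN_IF LAN_IF WAN_IP CLIENT_RANGE AMMINSTRAZIONE SERVER

########## ATTIVO IL BRIDGE
ifconfig eth0 down
ifconfig eth1 down
ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0
brctl addbr "$WAN_IF"
brctl addif "$WAN_IF" eth0
brctl addif "$WAN_IF" eth1
sleep 1
# dhclient backgrounds itself and keeps retrying; the short sleep gives the
# lease a chance to arrive before the rules are loaded.
dhclient "$WAN_IF"
echo "bridge attivato.."
sleep 1

########## MODULI CONNTRACK PER FTP
# The FTP data connection (active PORT or passive PASV) is a separate TCP
# session.  Without the helper the masqueraded client's PORT command still
# carries the client's own address, so the remote server sees a control
# connection from WAN_IP and a data request for another address and refuses
# ("only accept connection to <WAN_IP>").  With the conntrack helper the data
# connection becomes RELATED (accepted by the state rules below) and the NAT
# helper rewrites the address in the PORT/PASV exchange.
# Module names differ between old (ip_*) and current (nf_*) kernels.
# NOTE(review): on recent kernels automatic helper assignment may be off
# (nf_conntrack_helper=0); then a raw-table rule with -j CT --helper ftp on
# tcp/21 is needed in addition to loading the modules.
modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
modprobe nf_nat_ftp      2>/dev/null || modprobe ip_nat_ftp

########## REGOLE IPTABLES
# delete all existing rules and user-defined chains in every table we touch.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X

# DEFAULT policies: nothing in or through unless explicitly allowed.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and those not coming from the outside.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Replies and helper-tracked flows (RELATED, e.g. the FTP data connection)
# entering on br0.  Return traffic arriving on any other interface is still
# dropped by the FORWARD policy.
iptables -A FORWARD -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
# NOTE(review): ICMP transit is unrestricted in both directions; echo
# request/reply plus the error types needed for PMTU would be enough.
iptables -A FORWARD -p icmp -j ACCEPT

# WAN_IF open ports (to the firewall itself)
iptables -A INPUT -i "$WAN_IF" -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i "$WAN_IF" -p udp --dport 53 -j ACCEPT
# Transit allowed for any host on the bridge side (no source restriction).
iptables -A FORWARD -i "$WAN_IF" -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i "$WAN_IF" -p tcp -m multiport --dports 53,80,443,8080 -j ACCEPT
# Transit for the client range only: ftp, ssh, telnet, smtp, pop3, sftp(115),
# imaps, pop3s, ldap, oracle listeners, irc.  23 and 6667 are clear-text
# protocols; keep them only while they are actually in use.
iptables -A FORWARD -i "$WAN_IF" -p tcp -m iprange --src-range "$CLIENT_RANGE" \
  -m multiport --dports 21,22,23,25,110,115,993,995,389,1521,1526,1527,6667 -j ACCEPT

# accesso dall'esterno a un specifico pc per Remote Desktop
# NOTE(review): the two INPUT rules only match traffic addressed to this
# host, so "-d $SERVER" matches nothing unless $SERVER is one of its own
# addresses.  The FORWARD "-d $SERVER" rule exposes RDP on $SERVER to every
# host reachable through br0 (no -s restriction); narrow it if the set of
# remote peers is known.
iptables -A INPUT -i "$WAN_IF" -p tcp -s "$SERVER" --dport 3389 -j ACCEPT
iptables -A INPUT -i "$WAN_IF" -p tcp -d "$SERVER" --dport 3389 -j ACCEPT
iptables -A FORWARD -i "$WAN_IF" -p tcp -s "$SERVER" --dport 3389 -j ACCEPT
iptables -A FORWARD -i "$WAN_IF" -p tcp -d "$SERVER" --dport 3389 -j ACCEPT

# LAN_IF open ports (to the firewall itself)
iptables -A INPUT -i "$LAN_IF" -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i "$LAN_IF" -p tcp --dport 8080 -j ACCEPT

# enable ping: replies always, requests rate-limited against floods.
iptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT

# Masquerade: everything leaving through br0 is hidden behind its address.
iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

# to allow ip forwarding -- enabled last, once policy and rules are in place,
# so no packet is forwarded while the FORWARD chain is still empty.
echo 1 > /proc/sys/net/ipv4/ip_forward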

