I have a problem with IPTABLES that I am stuck on. I have googled, read the
netfilter.org documents and the linuxguruz.com ones, and I cannot get it fixed.
Let me describe more or less what is happening to me.
The networks of the company I work for are laid out like this:
  @ @ @              __________________
 @     @        eth0|     FIREWALL     |eth1
@ INTERNET @--------| GATEWAY NETS 1&2 |------NET 1
 @   1   @          |                  |eth2
  @ @ @             |__________________|------NET 2
                              |eth3
                              |
                              |
  @ @ @              _________|eth2_________
 @     @        eth1|     FIREWALL        |eth0
@ INTERNET @--------|   GATEWAY NET 3     |------NET 3
 @   2   @          |_____________________|
  @ @ @
NETS 1 and 2 see each other and reach the Internet through INTERNET 1.
NET 3 reaches the Internet through INTERNET 2.
The problem I have is that I need to interconnect NETS 1 and 2 with NET 3 so
that all three see each other. I cannot find a way to do it.
The first thing is that I cannot even ping the FIREWALL of NETS 1 and 2 from
NET 3.
Can anyone give me a hint on where to go from here?
Here is the iptables configuration of both machines.
Both FIREWALLS are debian/sarge with a kernel from the 2.6 branch.
These are the iptables scripts generated by ipmasq, which work; I am not
including the changes I made myself, because every change I made only served
to break something.
Many thanks
FIREWALL/GATEWAY NETS 1 AND 2
#: Interfaces found:
#: eth0 1.1.2.1/255.255.255.0
#: eth1 4.4.1.2/255.255.255.0
#: eth2 4.4.2.2/255.255.255.0
#: eth3 3.3.3.2/255.255.255.0
#: Turn off forwarding for 2.1 kernels
#: Disable automatic IP defragmentation
echo "0" > /proc/sys/net/ipv4/ip_forward
#: Flush all and set default policy of deny.
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT
/sbin/iptables -t mangle -F PREROUTING
/sbin/iptables -t mangle -F OUTPUT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t nat -F PREROUTING
/sbin/iptables -t nat -F POSTROUTING
/sbin/iptables -t nat -F OUTPUT
#:
#: **********************************************************
#: *** CUSTOM CHAINS ***
#: **********************************************************
#:
#:
#: **********************************************************
#: *** FORWARD CHAIN ***
#: **********************************************************
#:
#: Forward packets among internal networks
/sbin/iptables -A FORWARD -j ACCEPT -s 4.4.2.2/255.255.255.0 -d 4.4.1.2/255.255.255.0
/sbin/iptables -A FORWARD -j ACCEPT -s 3.3.3.2/255.255.255.0 -d 4.4.1.2/255.255.255.0
/sbin/iptables -A FORWARD -j ACCEPT -s 4.4.1.2/255.255.255.0 -d 4.4.2.2/255.255.255.0
/sbin/iptables -A FORWARD -j ACCEPT -s 3.3.3.2/255.255.255.0 -d 4.4.2.2/255.255.255.0
/sbin/iptables -A FORWARD -j ACCEPT -s 4.4.1.2/255.255.255.0 -d 3.3.3.2/255.255.255.0
/sbin/iptables -A FORWARD -j ACCEPT -s 4.4.2.2/255.255.255.0 -d 3.3.3.2/255.255.255.0
#:
#: **********************************************************
#: *** INPUT CHAIN ***
#: **********************************************************
#:
#: Accept all packets coming in from the loopback interface
/sbin/iptables -A INPUT -j ACCEPT -i lo
#: Deny and log all packets trying to come in from a 127.0.0.0/8 address
#: over a non-'lo' interface
/sbin/iptables -A INPUT -j LOG -i ! lo -s 127.0.0.1/255.0.0.0
/sbin/iptables -A INPUT -j DROP -i ! lo -s 127.0.0.1/255.0.0.0
#: Accept dumb broadcast packets on internal interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 255.255.255.255/32
/sbin/iptables -A INPUT -j ACCEPT -i eth2 -d 255.255.255.255/32
/sbin/iptables -A INPUT -j ACCEPT -i eth3 -d 255.255.255.255/32
#: Accept packets from internal networks on internal interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -s 4.4.1.2/255.255.255.0
/sbin/iptables -A INPUT -j ACCEPT -i eth2 -s 4.4.2.2/255.255.255.0
/sbin/iptables -A INPUT -j ACCEPT -i eth3 -s 3.3.3.2/255.255.255.0
#: Accept multicast packets (addresses 224.0.0.0) from internal interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 224.0.0.0/4 -p ! 6
/sbin/iptables -A INPUT -j ACCEPT -i eth2 -d 224.0.0.0/4 -p ! 6
/sbin/iptables -A INPUT -j ACCEPT -i eth3 -d 224.0.0.0/4 -p ! 6
#: Disallow and log packets trying to come in over external interfaces
#: from hosts claiming to be internal
/sbin/iptables -A INPUT -j LOG -i eth0 -s 4.4.1.2/255.255.255.0
/sbin/iptables -A INPUT -j DROP -i eth0 -s 4.4.1.2/255.255.255.0
/sbin/iptables -A INPUT -j LOG -i eth0 -s 4.4.2.2/255.255.255.0
/sbin/iptables -A INPUT -j DROP -i eth0 -s 4.4.2.2/255.255.255.0
/sbin/iptables -A INPUT -j LOG -i eth0 -s 3.3.3.2/255.255.255.0
/sbin/iptables -A INPUT -j DROP -i eth0 -s 3.3.3.2/255.255.255.0
#: Accept dumb broadcast packets on external interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 255.255.255.255/32
#: Accept incoming packets from external networks on external interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 1.1.2.1/32
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 1.1.2.255/32
#:
#: **********************************************************
#: *** IP MASQUERADING ***
#: **********************************************************
#:
#: Masquerade packets from internal networks
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 4.4.1.2/255.255.255.0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth1 -o eth0 -s 4.4.1.2/255.255.255.0 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 4.4.2.2/255.255.255.0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth2 -o eth0 -s 4.4.2.2/255.255.255.0 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 3.3.3.2/255.255.255.0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth3 -o eth0 -s 3.3.3.2/255.255.255.0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
#:
#: **********************************************************
#: *** OUTPUT CHAIN ***
#: **********************************************************
#:
#: Allow packets to go out over the loopback interface
/sbin/iptables -A OUTPUT -j ACCEPT -o lo
#: Allow dumb broadcast packets to leave on internal interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 255.255.255.255/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 255.255.255.255/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth3 -d 255.255.255.255/32
#: Allow packets for internal hosts to be delivered using internal interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 4.4.1.2/255.255.255.0
/sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 4.4.2.2/255.255.255.0
/sbin/iptables -A OUTPUT -j ACCEPT -o eth3 -d 3.3.3.2/255.255.255.0
#: Allow multicast packets (addresses 224.0.0.0) to be delivered using
#: internal interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 224.0.0.0/4 -p ! 6
/sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 224.0.0.0/4 -p ! 6
/sbin/iptables -A OUTPUT -j ACCEPT -o eth3 -d 224.0.0.0/4 -p ! 6
#: Deny and log packets attempting to leave over external interfaces claiming
#: to be for internal networks
/sbin/iptables -A FORWARD -j LOG -o eth0 -d 4.4.1.2/255.255.255.0
/sbin/iptables -A FORWARD -j DROP -o eth0 -d 4.4.1.2/255.255.255.0
/sbin/iptables -A OUTPUT -j LOG -o eth0 -d 4.4.1.2/255.255.255.0
/sbin/iptables -A OUTPUT -j DROP -o eth0 -d 4.4.1.2/255.255.255.0
/sbin/iptables -A FORWARD -j LOG -o eth0 -d 4.4.2.2/255.255.255.0
/sbin/iptables -A FORWARD -j DROP -o eth0 -d 4.4.2.2/255.255.255.0
/sbin/iptables -A OUTPUT -j LOG -o eth0 -d 4.4.2.2/255.255.255.0
/sbin/iptables -A OUTPUT -j DROP -o eth0 -d 4.4.2.2/255.255.255.0
/sbin/iptables -A FORWARD -j LOG -o eth0 -d 3.3.3.2/255.255.255.0
/sbin/iptables -A FORWARD -j DROP -o eth0 -d 3.3.3.2/255.255.255.0
/sbin/iptables -A OUTPUT -j LOG -o eth0 -d 3.3.3.2/255.255.255.0
/sbin/iptables -A OUTPUT -j DROP -o eth0 -d 3.3.3.2/255.255.255.0
#: Allow dumb broadcast packets to leave on external interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 255.255.255.255/32
#: Allow packets for external networks to leave over external interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -s 1.1.2.1/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -s 1.1.2.255/32
#:
#: **********************************************************
#: *** SERVICES ***
#: **********************************************************
#:
#: Turn on forwarding for 2.1 kernels
#: Enable automatic IP defragmentation
echo "1" > /proc/sys/net/ipv4/ip_forward
#: Set masquerading timeouts:
#: 2 hrs for TCP
#: 10 sec for TCP after FIN has been sent
#: 160 sec for UDP (important for ICQ users)
#: Run the deprecated /etc/ipmasq.rules, if present
#: Deny and log anything that may have snuck past any of our other rules
/sbin/iptables -A INPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A INPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A OUTPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A OUTPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A FORWARD -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A FORWARD -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
FIREWALL/GATEWAY NET 3
#: Interfaces found:
#: eth1 1.1.1.1/255.255.255.0
#: eth0 2.2.2.1/255.255.255.0
#: eth2 3.3.3.1/255.255.255.0
#: Turn off forwarding for 2.1 kernels
#: Disable automatic IP defragmentation
echo "0" > /proc/sys/net/ipv4/ip_forward
#: Flush all and set default policy of deny.
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT
/sbin/iptables -t mangle -F PREROUTING
/sbin/iptables -t mangle -F OUTPUT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t nat -F PREROUTING
/sbin/iptables -t nat -F POSTROUTING
/sbin/iptables -t nat -F OUTPUT
#:
#: **********************************************************
#: *** CUSTOM CHAINS ***
#: **********************************************************
#:
#:
#: **********************************************************
#: *** FORWARD CHAIN ***
#: **********************************************************
#:
#: Forward packets among internal networks
/sbin/iptables -A FORWARD -j ACCEPT -s 3.3.3.1/255.255.255.0 -d 2.2.2.1/255.255.255.0
/sbin/iptables -A FORWARD -j ACCEPT -s 2.2.2.1/255.255.255.0 -d 3.3.3.1/255.255.255.0
#:
#: **********************************************************
#: *** INPUT CHAIN ***
#: **********************************************************
#:
#: Accept all packets coming in from the loopback interface
/sbin/iptables -A INPUT -j ACCEPT -i lo
#: Deny and log all packets trying to come in from a 127.0.0.0/8 address
#: over a non-'lo' interface
/sbin/iptables -A INPUT -j LOG -i ! lo -s 127.0.0.1/255.0.0.0
/sbin/iptables -A INPUT -j DROP -i ! lo -s 127.0.0.1/255.0.0.0
#: Accept dumb broadcast packets on internal interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 255.255.255.255/32
/sbin/iptables -A INPUT -j ACCEPT -i eth2 -d 255.255.255.255/32
#: Accept packets from internal networks on internal interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -s 2.2.2.1/255.255.255.0
/sbin/iptables -A INPUT -j ACCEPT -i eth2 -s 3.3.3.1/255.255.255.0
#: Accept multicast packets (addresses 224.0.0.0) from internal interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 224.0.0.0/4 -p ! 6
/sbin/iptables -A INPUT -j ACCEPT -i eth2 -d 224.0.0.0/4 -p ! 6
#: Disallow and log packets trying to come in over external interfaces
#: from hosts claiming to be internal
/sbin/iptables -A INPUT -j LOG -i eth1 -s 2.2.2.1/255.255.255.0
/sbin/iptables -A INPUT -j DROP -i eth1 -s 2.2.2.1/255.255.255.0
/sbin/iptables -A INPUT -j LOG -i eth1 -s 3.3.3.1/255.255.255.0
/sbin/iptables -A INPUT -j DROP -i eth1 -s 3.3.3.1/255.255.255.0
#: Accept dumb broadcast packets on external interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 255.255.255.255/32
#: Accept incoming packets from external networks on external interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 1.1.1.1/32
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 1.1.1.255/32
#:
#: **********************************************************
#: *** IP MASQUERADING ***
#: **********************************************************
#:
#: Masquerade packets from internal networks
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 2.2.2.1/255.255.255.0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o eth1 -s 2.2.2.1/255.255.255.0 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 3.3.3.1/255.255.255.0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth2 -o eth1 -s 3.3.3.1/255.255.255.0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
#:
#: **********************************************************
#: *** OUTPUT CHAIN ***
#: **********************************************************
#:
#: Allow packets to go out over the loopback interface
/sbin/iptables -A OUTPUT -j ACCEPT -o lo
#: Allow dumb broadcast packets to leave on internal interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 255.255.255.255/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 255.255.255.255/32
#: Allow packets for internal hosts to be delivered using internal interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 2.2.2.1/255.255.255.0
/sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 3.3.3.1/255.255.255.0
#: Allow multicast packets (addresses 224.0.0.0) to be delivered using
#: internal interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 224.0.0.0/4 -p ! 6
/sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 224.0.0.0/4 -p ! 6
#: Deny and log packets attempting to leave over external interfaces claiming
#: to be for internal networks
/sbin/iptables -A FORWARD -j LOG -o eth1 -d 2.2.2.1/255.255.255.0
/sbin/iptables -A FORWARD -j DROP -o eth1 -d 2.2.2.1/255.255.255.0
/sbin/iptables -A OUTPUT -j LOG -o eth1 -d 2.2.2.1/255.255.255.0
/sbin/iptables -A OUTPUT -j DROP -o eth1 -d 2.2.2.1/255.255.255.0
/sbin/iptables -A FORWARD -j LOG -o eth1 -d 3.3.3.1/255.255.255.0
/sbin/iptables -A FORWARD -j DROP -o eth1 -d 3.3.3.1/255.255.255.0
/sbin/iptables -A OUTPUT -j LOG -o eth1 -d 3.3.3.1/255.255.255.0
/sbin/iptables -A OUTPUT -j DROP -o eth1 -d 3.3.3.1/255.255.255.0
#: Allow dumb broadcast packets to leave on external interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 255.255.255.255/32
#: Allow packets for external networks to leave over external interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -s 1.1.1.1/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -s 1.1.1.255/32
#:
#: **********************************************************
#: *** SERVICES ***
#: **********************************************************
#:
#: Turn on forwarding for 2.1 kernels
#: Enable automatic IP defragmentation
echo "1" > /proc/sys/net/ipv4/ip_forward
#: Set masquerading timeouts:
#: 2 hrs for TCP
#: 10 sec for TCP after FIN has been sent
#: 160 sec for UDP (important for ICQ users)
#: Run the deprecated /etc/ipmasq.rules, if present
#: Deny and log anything that may have snuck past any of our other rules
/sbin/iptables -A INPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A INPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A OUTPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A OUTPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A FORWARD -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A FORWARD -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
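The following is an added example and not part of the post or of ipmasq's output. It is a small first-match simulator for the filter chains in the two scripts above, reduced to the rules a unicast packet crossing the 3.3.3.0/24 link can match, and it traces the ping the poster describes (from an assumed NET 3 host 2.2.2.10 to the NET 1/2 gateway at 3.3.3.2) plus a connection to an assumed NET 1 host 4.4.1.50. Every rule in the `*_FIXED` chains is an assumption about what is missing, written as the equivalent of an `iptables -I` ahead of each script's final LOG/DROP pair; the interface and host names come from the posted scripts.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    in_if: Optional[str] = None   # interface the packet arrived on
    out_if: Optional[str] = None  # interface routing chose for it
    state: str = "NEW"            # conntrack state: NEW, ESTABLISHED, RELATED


@dataclass
class Rule:
    target: str                   # ACCEPT or DROP (LOG never terminates, so it is left out)
    src: Optional[str] = None     # -s
    dst: Optional[str] = None     # -d
    in_if: Optional[str] = None   # -i
    out_if: Optional[str] = None  # -o
    states: Tuple[str, ...] = ()  # -m state --state

    def matches(self, p: Packet) -> bool:
        def in_net(addr, net):
            return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)
        return (in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and self.in_if in (None, p.in_if) and self.out_if in (None, p.out_if)
                and (not self.states or p.state in self.states))


def verdict(chain, p: Packet, policy: str = "DROP") -> str:
    """First matching rule decides, as in iptables; otherwise the chain policy."""
    for r in chain:
        if r.matches(p):
            return r.target
    return policy


# The posted chains, reduced to what a LAN-to-LAN packet on the 3.3.3.0/24 link can
# match (loopback, broadcast, multicast, anti-spoofing and Internet-side rules are
# left out). ipmasq's 4.4.1.2/255.255.255.0 is the network 4.4.1.0/24.
FW12_INPUT = [
    Rule("ACCEPT", in_if="eth1", src="4.4.1.0/24"),
    Rule("ACCEPT", in_if="eth2", src="4.4.2.0/24"),
    Rule("ACCEPT", in_if="eth3", src="3.3.3.0/24"),
    Rule("DROP"),                 # each script ends with a LOG + DROP of everything
]
FW12_FORWARD = [
    Rule("ACCEPT", src="4.4.2.0/24", dst="4.4.1.0/24"),
    Rule("ACCEPT", src="3.3.3.0/24", dst="4.4.1.0/24"),
    Rule("ACCEPT", src="4.4.1.0/24", dst="4.4.2.0/24"),
    Rule("ACCEPT", src="3.3.3.0/24", dst="4.4.2.0/24"),
    Rule("ACCEPT", src="4.4.1.0/24", dst="3.3.3.0/24"),
    Rule("ACCEPT", src="4.4.2.0/24", dst="3.3.3.0/24"),
    Rule("ACCEPT", states=("ESTABLISHED", "RELATED")),
    Rule("DROP"),
]
FW12_OUTPUT = [
    Rule("ACCEPT", out_if="eth1", dst="4.4.1.0/24"),
    Rule("ACCEPT", out_if="eth2", dst="4.4.2.0/24"),
    Rule("ACCEPT", out_if="eth3", dst="3.3.3.0/24"),
    Rule("DROP"),
]
FW3_FORWARD = [
    Rule("ACCEPT", src="3.3.3.0/24", dst="2.2.2.0/24"),
    Rule("ACCEPT", src="2.2.2.0/24", dst="3.3.3.0/24"),
    Rule("ACCEPT", states=("ESTABLISHED", "RELATED")),
    Rule("DROP"),
]

# Assumed missing rules: NET 3's LAN 2.2.2.0/24 is never named on the NET 1/2 gateway
# and NET 1/2's LANs are never named on the NET 3 gateway; only the link net is.
REMOTE, LANS = "2.2.2.0/24", ("4.4.1.0/24", "4.4.2.0/24")
FW12_INPUT_FIXED = [Rule("ACCEPT", in_if="eth3", src=REMOTE)] + FW12_INPUT
FW12_OUTPUT_FIXED = [Rule("ACCEPT", out_if="eth3", dst=REMOTE)] + FW12_OUTPUT
FW12_FORWARD_FIXED = ([Rule("ACCEPT", in_if="eth3", src=REMOTE, dst=n) for n in LANS]
                      + [Rule("ACCEPT", out_if="eth3", src=n, dst=REMOTE) for n in LANS]
                      + FW12_FORWARD)
FW3_FORWARD_FIXED = ([Rule("ACCEPT", in_if="eth0", out_if="eth2", src=REMOTE, dst=n) for n in LANS]
                     + [Rule("ACCEPT", in_if="eth2", out_if="eth0", src=n, dst=REMOTE) for n in LANS]
                     + FW3_FORWARD)


def trace_ping(fw12_in=FW12_INPUT, fw12_out=FW12_OUTPUT, fw3_fwd=FW3_FORWARD):
    """Echo request from assumed host 2.2.2.10 to the NET 1/2 gateway 3.3.3.2, and its reply."""
    return {
        "fw3_forward_request": verdict(fw3_fwd, Packet("2.2.2.10", "3.3.3.2", "eth0", "eth2")),
        "fw12_input_request": verdict(fw12_in, Packet("2.2.2.10", "3.3.3.2", "eth3")),
        "fw12_output_reply": verdict(fw12_out, Packet("3.3.3.2", "2.2.2.10", out_if="eth3")),
        "fw3_forward_reply": verdict(fw3_fwd, Packet("3.3.3.2", "2.2.2.10", "eth2", "eth0", "ESTABLISHED")),
    }


def trace_lan_to_lan(fw3_fwd=FW3_FORWARD, fw12_fwd=FW12_FORWARD):
    """New connection from assumed NET 3 host 2.2.2.10 to assumed NET 1 host 4.4.1.50."""
    return (verdict(fw3_fwd, Packet("2.2.2.10", "4.4.1.50", "eth0", "eth2")),
            verdict(fw12_fwd, Packet("2.2.2.10", "4.4.1.50", "eth3", "eth1")))


if __name__ == "__main__":
    print("as posted:", trace_ping(), trace_lan_to_lan())
    print("with the extra rules:", trace_ping(FW12_INPUT_FIXED, FW12_OUTPUT_FIXED, FW3_FORWARD_FIXED),
          trace_lan_to_lan(FW3_FORWARD_FIXED, FW12_FORWARD_FIXED))
```

With the chains as posted the request is forwarded by the NET 3 gateway but lands in the NET 1/2 gateway's INPUT chain with a 2.2.2.x source on eth3, which only has an ACCEPT for 3.3.3.0/24, so it falls through to the catch-all DROP; even if it were accepted, the gateway's own reply would be dropped by its OUTPUT chain for the same reason. The extra rules are deliberately tied to the link interface (`-i eth3`/`-o eth3` on one side, `eth2` on the other) so that the generated anti-spoofing rules on the Internet interfaces keep their meaning. Filter rules alone are not enough: each gateway also needs a static route to the other side's LANs via the link (on the NET 1/2 gateway a route for 2.2.2.0/24 via 3.3.3.1, on the NET 3 gateway routes for 4.4.1.0/24 and 4.4.2.0/24 via 3.3.3.2); without them the replies follow the default route towards the Internet instead of the link, and a rule appended with `-A` after the script has run lands behind the final LOG/DROP pair and never matches.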