alfonso: if I understand correctly, a simple solution is to create static routes on the firewalls.

e.g.: on the firewall for networks 1 and 2, add a rule so that everything coming from network 1 or 2 with destination network 3 is forwarded out eth3, and on firewall 3 add a rule so that everything coming in on eth2 with destination network 3 is forwarded out eth0. The same in reverse, to let network 3 talk to networks 1 and 2.

Note: keep in mind that this mode of operation requires that the networks (1, 2 and 3) all use different subnets.

Sorry I didn't get to look at your configuration file, I don't have much time.

Regards,
velkro.

----- Original Message -----
From: "Alfonso Pinto" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, February 04, 2005 10:27
Subject: Problemas IPTABLES

I have a problem with IPTABLES that I'm stuck on. I've googled, I've read the netfilter.org docs and the linuxguruz.com ones, and I can't fix it. Here is more or less what is happening. The networks of the company I work for look like this:

      @ @ @                 __________________
    @       @           eth0|     FIREWALL     |eth1
   @ INTERNET @-------------| GATEWAY NETS 1&2 |------NET1
    @   1   @               |__________________|eth2
      @ @ @                          |eth3      ------NET2
                                     |
                                     |
                             ________|eth2_______
      @ @ @             eth1|     FIREWALL     |eth0
   @ INTERNET @-------------|  GATEWAY NET 3   |------NET3
    @   2   @               |__________________|
      @ @ @

NETWORKS 1 and 2 can see each other and reach the internet through INTERNET 1. NETWORK 3 reaches the internet through INTERNET 2. The problem is that I need to interconnect NETWORKS 1 and 2 with NETWORK 3 so that all three can see each other. I can't find a way to do it. To begin with, I can't even ping the FIREWALL of NETWORKS 1 and 2 from NETWORK 3. Can anyone give me a hint on where to go from here? Here is the iptables configuration of the machines. Both FIREWALLS are Debian sarge with a 2.6-series kernel.
These are the iptables scripts generated by ipmasq, which work; I'm not including my own modifications because every change I made only broke something. Many thanks.

FIREWALL/GATEWAY NETWORKS 1 AND 2

#: Interfaces found:
#:   eth0 1.1.2.1/255.255.255.0
#:   eth0 1.1.2.1/255.255.255.0
#:   eth1 4.4.1.2/255.255.255.0
#:   eth2 4.4.2.2/255.255.255.0
#:   eth3 3.3.3.2/255.255.255.0
#: Turn off forwarding for 2.1 kernels
#: Disable automatic IP defragmentation
echo "0" > /proc/sys/net/ipv4/ip_forward
#: Flush all and set default policy of deny.
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT
/sbin/iptables -t mangle -F PREROUTING
/sbin/iptables -t mangle -F OUTPUT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t nat -F PREROUTING
/sbin/iptables -t nat -F POSTROUTING
/sbin/iptables -t nat -F OUTPUT
#:
#: **********************************************************
#: *** CUSTOM CHAINS ***
#: **********************************************************
#:
#:
#: **********************************************************
#: *** FORWARD CHAIN ***
#: **********************************************************
#:
#: Forward packets among internal networks
/sbin/iptables -A FORWARD -j ACCEPT -s 4.4.2.2/255.255.255.0 -d 4.4.1.2/255.255.255.0
/sbin/iptables -A FORWARD -j ACCEPT -s 3.3.3.2/255.255.255.0 -d 4.4.1.2/255.255.255.0
/sbin/iptables -A FORWARD -j ACCEPT -s 4.4.1.2/255.255.255.0 -d 4.4.2.2/255.255.255.0
/sbin/iptables -A FORWARD -j ACCEPT -s 3.3.3.2/255.255.255.0 -d 4.4.2.2/255.255.255.0
/sbin/iptables -A FORWARD -j ACCEPT -s 4.4.1.2/255.255.255.0 -d 3.3.3.2/255.255.255.0
/sbin/iptables -A FORWARD -j ACCEPT -s 4.4.2.2/255.255.255.0 -d 3.3.3.2/255.255.255.0
#:
#: **********************************************************
#: *** INPUT CHAIN ***
#: **********************************************************
#:
#: Accept all packets coming in from the loopback interface
/sbin/iptables -A INPUT -j ACCEPT -i lo
#: Deny and log all packets trying to come in from a 127.0.0.0/8 address
#: over a non-'lo' interface
/sbin/iptables -A INPUT -j LOG -i ! lo -s 127.0.0.1/255.0.0.0
/sbin/iptables -A INPUT -j DROP -i ! lo -s 127.0.0.1/255.0.0.0
#: Accept dumb broadcast packets on internal interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 255.255.255.255/32
/sbin/iptables -A INPUT -j ACCEPT -i eth2 -d 255.255.255.255/32
/sbin/iptables -A INPUT -j ACCEPT -i eth3 -d 255.255.255.255/32
#: Accept packets from internal networks on internal interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -s 4.4.1.2/255.255.255.0
/sbin/iptables -A INPUT -j ACCEPT -i eth2 -s 4.4.2.2/255.255.255.0
/sbin/iptables -A INPUT -j ACCEPT -i eth3 -s 3.3.3.2/255.255.255.0
#: Accept multicast packets (addresses 224.0.0.0) from internal interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 224.0.0.0/4 -p ! 6
/sbin/iptables -A INPUT -j ACCEPT -i eth2 -d 224.0.0.0/4 -p ! 6
/sbin/iptables -A INPUT -j ACCEPT -i eth3 -d 224.0.0.0/4 -p ! 6
#: Disallow and log packets trying to come in over external interfaces
#: from hosts claiming to be internal
/sbin/iptables -A INPUT -j LOG -i eth0 -s 4.4.1.2/255.255.255.0
/sbin/iptables -A INPUT -j DROP -i eth0 -s 4.4.1.2/255.255.255.0
/sbin/iptables -A INPUT -j LOG -i eth0 -s 4.4.2.2/255.255.255.0
/sbin/iptables -A INPUT -j DROP -i eth0 -s 4.4.2.2/255.255.255.0
/sbin/iptables -A INPUT -j LOG -i eth0 -s 3.3.3.2/255.255.255.0
/sbin/iptables -A INPUT -j DROP -i eth0 -s 3.3.3.2/255.255.255.0
#: Accept dumb broadcast packets on external interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 255.255.255.255/32
#: Accept incoming packets from external networks on external interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 1.1.2.1/32
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 1.1.2.255/32
#:
#: **********************************************************
#: *** IP MASQUERADING ***
#: **********************************************************
#:
#: Masquerade packets from internal networks
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 4.4.1.2/255.255.255.0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth1 -o eth0 -s 4.4.1.2/255.255.255.0 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 4.4.2.2/255.255.255.0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth2 -o eth0 -s 4.4.2.2/255.255.255.0 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 3.3.3.2/255.255.255.0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth3 -o eth0 -s 3.3.3.2/255.255.255.0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
#:
#: **********************************************************
#: *** OUTPUT CHAIN ***
#: **********************************************************
#:
#: Allow packets to go out over the loopback interface
/sbin/iptables -A OUTPUT -j ACCEPT -o lo
#: Allow dumb broadcast packets to leave on internal interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 255.255.255.255/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 255.255.255.255/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth3 -d 255.255.255.255/32
#: Allow packets for internal hosts to be delivered using internal interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 4.4.1.2/255.255.255.0
/sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 4.4.2.2/255.255.255.0
/sbin/iptables -A OUTPUT -j ACCEPT -o eth3 -d 3.3.3.2/255.255.255.0
#: Allow multicast packets (addresses 224.0.0.0) to be delivered using
#: internal interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 224.0.0.0/4 -p ! 6
/sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 224.0.0.0/4 -p ! 6
/sbin/iptables -A OUTPUT -j ACCEPT -o eth3 -d 224.0.0.0/4 -p ! 6
#: Deny and log packets attempting to leave over external interfaces claiming
#: to be for internal networks
/sbin/iptables -A FORWARD -j LOG -o eth0 -d 4.4.1.2/255.255.255.0
/sbin/iptables -A FORWARD -j DROP -o eth0 -d 4.4.1.2/255.255.255.0
/sbin/iptables -A OUTPUT -j LOG -o eth0 -d 4.4.1.2/255.255.255.0
/sbin/iptables -A OUTPUT -j DROP -o eth0 -d 4.4.1.2/255.255.255.0
/sbin/iptables -A FORWARD -j LOG -o eth0 -d 4.4.2.2/255.255.255.0
/sbin/iptables -A FORWARD -j DROP -o eth0 -d 4.4.2.2/255.255.255.0
/sbin/iptables -A OUTPUT -j LOG -o eth0 -d 4.4.2.2/255.255.255.0
/sbin/iptables -A OUTPUT -j DROP -o eth0 -d 4.4.2.2/255.255.255.0
/sbin/iptables -A FORWARD -j LOG -o eth0 -d 3.3.3.2/255.255.255.0
/sbin/iptables -A FORWARD -j DROP -o eth0 -d 3.3.3.2/255.255.255.0
/sbin/iptables -A OUTPUT -j LOG -o eth0 -d 3.3.3.2/255.255.255.0
/sbin/iptables -A OUTPUT -j DROP -o eth0 -d 3.3.3.2/255.255.255.0
#: Allow dumb broadcast packets to leave on external interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 255.255.255.255/32
#: Allow packets for external networks leave over external interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -s 1.1.2.1/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -s 1.1.2.255/32
#:
#: **********************************************************
#: *** SERVICES ***
#: **********************************************************
#:
#: Turn on forwarding for 2.1 kernels
#: Enable automatic IP defragmentation
echo "1" > /proc/sys/net/ipv4/ip_forward
#: Set masquerading timeouts:
#:   2 hrs for TCP
#:   10 sec for TCP after FIN has been sent
#:   160 sec for UDP (important for ICQ users)
#: Run the deprecated /etc/ipmasq.rules, if present
#: Deny and log anything that may have snuck past any of our other rules
/sbin/iptables -A INPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A INPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A OUTPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A OUTPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A FORWARD -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A FORWARD -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0

FIREWALL/GATEWAY NETWORK 3

#: Interfaces found:
#:   eth1 1.1.1.1/255.255.255.0
#:   eth1 1.1.1.1/255.255.255.0
#:   eth0 2.2.2.1/255.255.255.0
#:   eth2 3.3.3.1/255.255.255.0
#: Turn off forwarding for 2.1 kernels
#: Disable automatic IP defragmentation
echo "0" > /proc/sys/net/ipv4/ip_forward
#: Flush all and set default policy of deny.
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT
/sbin/iptables -t mangle -F PREROUTING
/sbin/iptables -t mangle -F OUTPUT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t nat -F PREROUTING
/sbin/iptables -t nat -F POSTROUTING
/sbin/iptables -t nat -F OUTPUT
#:
#: **********************************************************
#: *** CUSTOM CHAINS ***
#: **********************************************************
#:
#:
#: **********************************************************
#: *** FORWARD CHAIN ***
#: **********************************************************
#:
#: Forward packets among internal networks
/sbin/iptables -A FORWARD -j ACCEPT -s 3.3.3.1/255.255.255.0 -d 2.2.2.1/255.255.255.0
/sbin/iptables -A FORWARD -j ACCEPT -s 2.2.2.1/255.255.255.0 -d 3.3.3.1/255.255.255.0
#:
#: **********************************************************
#: *** INPUT CHAIN ***
#: **********************************************************
#:
#: Accept all packets coming in from the loopback interface
/sbin/iptables -A INPUT -j ACCEPT -i lo
#: Deny and log all packets trying to come in from a 127.0.0.0/8 address
#: over a non-'lo' interface
/sbin/iptables -A INPUT -j LOG -i ! lo -s 127.0.0.1/255.0.0.0
/sbin/iptables -A INPUT -j DROP -i ! lo -s 127.0.0.1/255.0.0.0
#: Accept dumb broadcast packets on internal interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 255.255.255.255/32
/sbin/iptables -A INPUT -j ACCEPT -i eth2 -d 255.255.255.255/32
#: Accept packets from internal networks on internal interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -s 2.2.2.1/255.255.255.0
/sbin/iptables -A INPUT -j ACCEPT -i eth2 -s 3.3.3.1/255.255.255.0
#: Accept multicast packets (addresses 224.0.0.0) from internal interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 224.0.0.0/4 -p ! 6
/sbin/iptables -A INPUT -j ACCEPT -i eth2 -d 224.0.0.0/4 -p ! 6
#: Disallow and log packets trying to come in over external interfaces
#: from hosts claiming to be internal
/sbin/iptables -A INPUT -j LOG -i eth1 -s 2.2.2.1/255.255.255.0
/sbin/iptables -A INPUT -j DROP -i eth1 -s 2.2.2.1/255.255.255.0
/sbin/iptables -A INPUT -j LOG -i eth1 -s 3.3.3.1/255.255.255.0
/sbin/iptables -A INPUT -j DROP -i eth1 -s 3.3.3.1/255.255.255.0
#: Accept dumb broadcast packets on external interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 255.255.255.255/32
#: Accept incoming packets from external networks on external interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 1.1.1.1/32
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 1.1.1.255/32
#:
#: **********************************************************
#: *** IP MASQUERADING ***
#: **********************************************************
#:
#: Masquerade packets from internal networks
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 2.2.2.1/255.255.255.0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o eth1 -s 2.2.2.1/255.255.255.0 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 3.3.3.1/255.255.255.0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth2 -o eth1 -s 3.3.3.1/255.255.255.0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
#:
#: **********************************************************
#: *** OUTPUT CHAIN ***
#: **********************************************************
#:
#: Allow packets to go out over the loopback interface
/sbin/iptables -A OUTPUT -j ACCEPT -o lo
#: Allow dumb broadcast packets to leave on internal interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 255.255.255.255/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 255.255.255.255/32
#: Allow packets for internal hosts to be delivered using internal interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 2.2.2.1/255.255.255.0
/sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 3.3.3.1/255.255.255.0
#: Allow multicast packets (addresses 224.0.0.0) to be delivered using
#: internal interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 224.0.0.0/4 -p ! 6
/sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 224.0.0.0/4 -p ! 6
#: Deny and log packets attempting to leave over external interfaces claiming
#: to be for internal networks
/sbin/iptables -A FORWARD -j LOG -o eth1 -d 2.2.2.1/255.255.255.0
/sbin/iptables -A FORWARD -j DROP -o eth1 -d 2.2.2.1/255.255.255.0
/sbin/iptables -A OUTPUT -j LOG -o eth1 -d 2.2.2.1/255.255.255.0
/sbin/iptables -A OUTPUT -j DROP -o eth1 -d 2.2.2.1/255.255.255.0
/sbin/iptables -A FORWARD -j LOG -o eth1 -d 3.3.3.1/255.255.255.0
/sbin/iptables -A FORWARD -j DROP -o eth1 -d 3.3.3.1/255.255.255.0
/sbin/iptables -A OUTPUT -j LOG -o eth1 -d 3.3.3.1/255.255.255.0
/sbin/iptables -A OUTPUT -j DROP -o eth1 -d 3.3.3.1/255.255.255.0
#: Allow dumb broadcast packets to leave on external interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 255.255.255.255/32
#: Allow packets for external networks leave over external interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -s 1.1.1.1/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -s 1.1.1.255/32
#:
#: **********************************************************
#: *** SERVICES ***
#: **********************************************************
#:
#: Turn on forwarding for 2.1 kernels
#: Enable automatic IP defragmentation
echo "1" > /proc/sys/net/ipv4/ip_forward
#: Set masquerading timeouts:
#:   2 hrs for TCP
#:   10 sec for TCP after FIN has been sent
#:   160 sec for UDP (important for ICQ users)
#: Run the deprecated /etc/ipmasq.rules, if present
#: Deny and log anything that may have snuck past any of our other rules
/sbin/iptables -A INPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A INPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A OUTPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A OUTPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A FORWARD -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A FORWARD -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
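The static routes and per-subnet FORWARD rules that velkro's reply describes, written out as an added example against the interfaces and subnets in Alfonso's ipmasq scripts (this is not code from the thread; the `run`/`allow_pair` helpers, the default dry-run mode and the ICMP rules for the firewall itself are this example's own additions, the latter derived from the posted INPUT and OUTPUT chains):

```shell
#!/bin/sh
# Added example (not from the thread): static routes plus FORWARD rules that
# implement velkro's suggestion, using the subnets from Alfonso's ipmasq scripts:
#   NET1 4.4.1.0/24 (FW1 eth1), NET2 4.4.2.0/24 (FW1 eth2), NET3 2.2.2.0/24 (FW2 eth0),
#   link 3.3.3.0/24 between FW1 eth3 (3.3.3.2) and FW2 eth2 (3.3.3.1).
# DRY_RUN=1 (the default) prints every command instead of running it, so the
# change can be reviewed before it is applied as root with DRY_RUN=0.
: "${DRY_RUN:=1}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# allow_pair IN_IF SRC OUT_IF DST: accept new connections for exactly one
# (interface, subnet) pair per direction; replies are covered by the
# RELATED,ESTABLISHED rule ipmasq already puts in FORWARD. -I is used because
# ipmasq ends each chain with a catch-all LOG/DROP that -A would land behind.
allow_pair() {
    run iptables -I FORWARD -i "$1" -s "$2" -o "$3" -d "$4" \
        -m state --state NEW -j ACCEPT
}

fw1_rules() {   # FIREWALL/GATEWAY NETWORKS 1 AND 2
    # Route first: with rp_filter on, packets from NET3 arriving on eth3 are
    # discarded until the kernel has a route back to NET3 over that interface.
    run ip route add 2.2.2.0/24 via 3.3.3.1 dev eth3
    allow_pair eth1 4.4.1.0/24 eth3 2.2.2.0/24
    allow_pair eth2 4.4.2.0/24 eth3 2.2.2.0/24
    allow_pair eth3 2.2.2.0/24 eth1 4.4.1.0/24
    allow_pair eth3 2.2.2.0/24 eth2 4.4.2.0/24
    # The posted INPUT/OUTPUT chains only accept eth3 traffic to or from
    # 3.3.3.0/24, so the firewall itself cannot answer a ping from NET3 (the
    # symptom in the thread). Only echo-request and its replies are opened.
    run iptables -I INPUT -i eth3 -s 2.2.2.0/24 -p icmp --icmp-type echo-request -j ACCEPT
    run iptables -I OUTPUT -o eth3 -d 2.2.2.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
}

fw2_rules() {   # FIREWALL/GATEWAY NETWORK 3
    run ip route add 4.4.1.0/24 via 3.3.3.2 dev eth2
    run ip route add 4.4.2.0/24 via 3.3.3.2 dev eth2
    allow_pair eth0 2.2.2.0/24 eth2 4.4.1.0/24
    allow_pair eth0 2.2.2.0/24 eth2 4.4.2.0/24
    allow_pair eth2 4.4.1.0/24 eth0 2.2.2.0/24
    allow_pair eth2 4.4.2.0/24 eth0 2.2.2.0/24
}

case "${1:-}" in
    fw1) fw1_rules ;;
    fw2) fw2_rules ;;
esac
```

Because the MASQUERADE rules in both scripts match only the internet-facing interface (`-o eth0` on FW1, `-o eth1` on FW2), traffic over the 3.3.3.0/24 link is routed without NAT and nothing in the nat table needs to change.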

