Having looked it over, I don't see any problems here, but what about the output of route?

On Fri, 04-02-2005 at 14:27 +0100, Alfonso Pinto wrote:
> I have a problem with IPTABLES that I am stuck on. I have googled, I have
> looked at the netfilter.org documents and the linuxguruz.com ones, and I
> can't get it fixed.
>
> Let me describe more or less what is happening to me.
>
> The networks of the company I work for are laid out like this:
>
>
>   @ @ @            __________________ eth1
>  @     @      eth0| FIREWALL         |----NET1
> @ INTERNET @------|GATEWAY NETS 1&2  |eth2
> @    1     @      |__________________|----NET2
>  @     @                      |eth3
>   @ @ @                       |
>                               |
>                               |
>                               |
>   @ @ @            ___________|eth2__
>  @     @      eth1| FIREWALL         |eth0
> @ INTERNET @------|GATEWAY NET 3     |------NET3
> @    2     @      |__________________|
>  @     @
>   @ @ @
>
> NETWORKS 1 and 2 can see each other and can get out to the internet
> through INTERNET 1.
> NETWORK 3 gets out to the internet through INTERNET 2.
>
> The problem I have is that I need to interconnect NETWORKS 1 and 2 with
> NETWORK 3 so that all three can see each other. I can't find a way to
> do it.
>
> The first thing is that I can't even ping the FIREWALL of NETWORKS 1
> and 2 from NETWORK 3.
>
> Can anyone give me some indication of where I can go from here?
>
> Here is the iptables configuration of the machines. Both FIREWALLs are
> debian/sarge with a 2.6 series kernel.
>
> These are the iptables scripts generated by ipmasq, which work; I am not
> including the modifications I made, because every modification I have
> made has only served to break something.
>
> Many thanks
>
> FIREWALL/GATEWAY NETWORKS 1 AND 2
>
> #: Interfaces found:
> #: eth0 1.1.2.1/255.255.255.0
> #: eth0 1.1.2.1/255.255.255.0
> #: eth1 4.4.1.2/255.255.255.0
> #: eth2 4.4.2.2/255.255.255.0
> #: eth3 3.3.3.2/255.255.255.0
> #: Turn off forwarding for 2.1 kernels
> #: Disable automatic IP defragmentation
> echo "0" > /proc/sys/net/ipv4/ip_forward
> #: Flush all and set default policy of deny.
> /sbin/iptables -P INPUT DROP
> /sbin/iptables -P OUTPUT DROP
> /sbin/iptables -P FORWARD DROP
> /sbin/iptables -F INPUT
> /sbin/iptables -F OUTPUT
> /sbin/iptables -F FORWARD
> /sbin/iptables -t mangle -P PREROUTING ACCEPT
> /sbin/iptables -t mangle -P OUTPUT ACCEPT
> /sbin/iptables -t mangle -F PREROUTING
> /sbin/iptables -t mangle -F OUTPUT
> /sbin/iptables -t nat -P PREROUTING ACCEPT
> /sbin/iptables -t nat -P POSTROUTING ACCEPT
> /sbin/iptables -t nat -P OUTPUT ACCEPT
> /sbin/iptables -t nat -F PREROUTING
> /sbin/iptables -t nat -F POSTROUTING
> /sbin/iptables -t nat -F OUTPUT
> #:
> #: **********************************************************
> #: *** CUSTOM CHAINS                                      ***
> #: **********************************************************
> #:
> #:
> #: **********************************************************
> #: *** FORWARD CHAIN                                      ***
> #: **********************************************************
> #:
> #: Forward packets among internal networks
> /sbin/iptables -A FORWARD -j ACCEPT -s 4.4.2.2/255.255.255.0 -d 4.4.1.2/255.255.255.0
> /sbin/iptables -A FORWARD -j ACCEPT -s 3.3.3.2/255.255.255.0 -d 4.4.1.2/255.255.255.0
> /sbin/iptables -A FORWARD -j ACCEPT -s 4.4.1.2/255.255.255.0 -d 4.4.2.2/255.255.255.0
> /sbin/iptables -A FORWARD -j ACCEPT -s 3.3.3.2/255.255.255.0 -d 4.4.2.2/255.255.255.0
> /sbin/iptables -A FORWARD -j ACCEPT -s 4.4.1.2/255.255.255.0 -d 3.3.3.2/255.255.255.0
> /sbin/iptables -A FORWARD -j ACCEPT -s 4.4.2.2/255.255.255.0 -d 3.3.3.2/255.255.255.0
> #:
> #: **********************************************************
> #: *** INPUT CHAIN                                        ***
> #: **********************************************************
> #:
> #: Accept all packets coming in from the loopback interface
> /sbin/iptables -A INPUT -j ACCEPT -i lo
> #: Deny and log all packets trying to come in from a 127.0.0.0/8 address
> #: over a non-'lo' interface
> /sbin/iptables -A INPUT -j LOG -i ! lo -s 127.0.0.1/255.0.0.0
> /sbin/iptables -A INPUT -j DROP -i ! lo -s 127.0.0.1/255.0.0.0
> #: Accept dumb broadcast packets on internal interfaces
> /sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 255.255.255.255/32
> /sbin/iptables -A INPUT -j ACCEPT -i eth2 -d 255.255.255.255/32
> /sbin/iptables -A INPUT -j ACCEPT -i eth3 -d 255.255.255.255/32
> #: Accept packets from internal networks on internal interfaces
> /sbin/iptables -A INPUT -j ACCEPT -i eth1 -s 4.4.1.2/255.255.255.0
> /sbin/iptables -A INPUT -j ACCEPT -i eth2 -s 4.4.2.2/255.255.255.0
> /sbin/iptables -A INPUT -j ACCEPT -i eth3 -s 3.3.3.2/255.255.255.0
> #: Accept multicast packets (addresses 224.0.0.0) from internal interfaces
> /sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 224.0.0.0/4 -p ! 6
> /sbin/iptables -A INPUT -j ACCEPT -i eth2 -d 224.0.0.0/4 -p ! 6
> /sbin/iptables -A INPUT -j ACCEPT -i eth3 -d 224.0.0.0/4 -p ! 6
> #: Disallow and log packets trying to come in over external interfaces
> #: from hosts claiming to be internal
> /sbin/iptables -A INPUT -j LOG -i eth0 -s 4.4.1.2/255.255.255.0
> /sbin/iptables -A INPUT -j DROP -i eth0 -s 4.4.1.2/255.255.255.0
> /sbin/iptables -A INPUT -j LOG -i eth0 -s 4.4.2.2/255.255.255.0
> /sbin/iptables -A INPUT -j DROP -i eth0 -s 4.4.2.2/255.255.255.0
> /sbin/iptables -A INPUT -j LOG -i eth0 -s 3.3.3.2/255.255.255.0
> /sbin/iptables -A INPUT -j DROP -i eth0 -s 3.3.3.2/255.255.255.0
> #: Accept dumb broadcast packets on external interfaces
> /sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 255.255.255.255/32
> #: Accept incoming packets from external networks on external interfaces
> /sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 1.1.2.1/32
> /sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 1.1.2.255/32
> #:
> #: **********************************************************
> #: *** IP MASQUERADING                                    ***
> #: **********************************************************
> #:
> #: Masquerade packets from internal networks
> /sbin/iptables -t nat -A POSTROUTING -o eth0 -s 4.4.1.2/255.255.255.0 -j MASQUERADE
> /sbin/iptables -A FORWARD -i eth1 -o eth0 -s 4.4.1.2/255.255.255.0 -j ACCEPT
> /sbin/iptables -t nat -A POSTROUTING -o eth0 -s 4.4.2.2/255.255.255.0 -j MASQUERADE
> /sbin/iptables -A FORWARD -i eth2 -o eth0 -s 4.4.2.2/255.255.255.0 -j ACCEPT
> /sbin/iptables -t nat -A POSTROUTING -o eth0 -s 3.3.3.2/255.255.255.0 -j MASQUERADE
> /sbin/iptables -A FORWARD -i eth3 -o eth0 -s 3.3.3.2/255.255.255.0 -j ACCEPT
> /sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> #:
> #: **********************************************************
> #: *** OUTPUT CHAIN                                       ***
> #: **********************************************************
> #:
> #: Allow packets to go out over the loopback interface
> /sbin/iptables -A OUTPUT -j ACCEPT -o lo
> #: Allow dumb broadcast packets to leave on internal interfaces
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 255.255.255.255/32
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 255.255.255.255/32
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth3 -d 255.255.255.255/32
> #: Allow packets for internal hosts to be delivered using internal interfaces
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 4.4.1.2/255.255.255.0
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 4.4.2.2/255.255.255.0
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth3 -d 3.3.3.2/255.255.255.0
> #: Allow multicast packets (addresses 224.0.0.0) to be delivered using
> #: internal interfaces
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 224.0.0.0/4 -p ! 6
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 224.0.0.0/4 -p ! 6
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth3 -d 224.0.0.0/4 -p ! 6
> #: Deny and log packets attempting to leave over external interfaces claiming
> #: to be for internal networks
> /sbin/iptables -A FORWARD -j LOG -o eth0 -d 4.4.1.2/255.255.255.0
> /sbin/iptables -A FORWARD -j DROP -o eth0 -d 4.4.1.2/255.255.255.0
> /sbin/iptables -A OUTPUT -j LOG -o eth0 -d 4.4.1.2/255.255.255.0
> /sbin/iptables -A OUTPUT -j DROP -o eth0 -d 4.4.1.2/255.255.255.0
> /sbin/iptables -A FORWARD -j LOG -o eth0 -d 4.4.2.2/255.255.255.0
> /sbin/iptables -A FORWARD -j DROP -o eth0 -d 4.4.2.2/255.255.255.0
> /sbin/iptables -A OUTPUT -j LOG -o eth0 -d 4.4.2.2/255.255.255.0
> /sbin/iptables -A OUTPUT -j DROP -o eth0 -d 4.4.2.2/255.255.255.0
> /sbin/iptables -A FORWARD -j LOG -o eth0 -d 3.3.3.2/255.255.255.0
> /sbin/iptables -A FORWARD -j DROP -o eth0 -d 3.3.3.2/255.255.255.0
> /sbin/iptables -A OUTPUT -j LOG -o eth0 -d 3.3.3.2/255.255.255.0
> /sbin/iptables -A OUTPUT -j DROP -o eth0 -d 3.3.3.2/255.255.255.0
> #: Allow dumb broadcast packets to leave on external interfaces
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 255.255.255.255/32
> #: Allow packets for external networks to leave over external interfaces
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -s 1.1.2.1/32
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -s 1.1.2.255/32
> #:
> #: **********************************************************
> #: *** SERVICES                                           ***
> #: **********************************************************
> #:
> #: Turn on forwarding for 2.1 kernels
> #: Enable automatic IP defragmentation
> echo "1" > /proc/sys/net/ipv4/ip_forward
> #: Set masquerading timeouts:
> #:   2 hrs for TCP
> #:   10 sec for TCP after FIN has been sent
> #:   160 sec for UDP (important for ICQ users)
> #: Run the deprecated /etc/ipmasq.rules, if present
> #: Deny and log anything that may have snuck past any of our other rules
> /sbin/iptables -A INPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
> /sbin/iptables -A INPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
> /sbin/iptables -A OUTPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
> /sbin/iptables -A OUTPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
> /sbin/iptables -A FORWARD -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
> /sbin/iptables -A FORWARD -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
>
>
> FIREWALL/GATEWAY NETWORK 3
>
> #: Interfaces found:
> #: eth1 1.1.1.1/255.255.255.0
> #: eth1 1.1.1.1/255.255.255.0
> #: eth0 2.2.2.1/255.255.255.0
> #: eth2 3.3.3.1/255.255.255.0
> #: Turn off forwarding for 2.1 kernels
> #: Disable automatic IP defragmentation
> echo "0" > /proc/sys/net/ipv4/ip_forward
> #: Flush all and set default policy of deny.
> /sbin/iptables -P INPUT DROP
> /sbin/iptables -P OUTPUT DROP
> /sbin/iptables -P FORWARD DROP
> /sbin/iptables -F INPUT
> /sbin/iptables -F OUTPUT
> /sbin/iptables -F FORWARD
> /sbin/iptables -t mangle -P PREROUTING ACCEPT
> /sbin/iptables -t mangle -P OUTPUT ACCEPT
> /sbin/iptables -t mangle -F PREROUTING
> /sbin/iptables -t mangle -F OUTPUT
> /sbin/iptables -t nat -P PREROUTING ACCEPT
> /sbin/iptables -t nat -P POSTROUTING ACCEPT
> /sbin/iptables -t nat -P OUTPUT ACCEPT
> /sbin/iptables -t nat -F PREROUTING
> /sbin/iptables -t nat -F POSTROUTING
> /sbin/iptables -t nat -F OUTPUT
> #:
> #: **********************************************************
> #: *** CUSTOM CHAINS                                      ***
> #: **********************************************************
> #:
> #:
> #: **********************************************************
> #: *** FORWARD CHAIN                                      ***
> #: **********************************************************
> #:
> #: Forward packets among internal networks
> /sbin/iptables -A FORWARD -j ACCEPT -s 3.3.3.1/255.255.255.0 -d 2.2.2.1/255.255.255.0
> /sbin/iptables -A FORWARD -j ACCEPT -s 2.2.2.1/255.255.255.0 -d 3.3.3.1/255.255.255.0
> #:
> #: **********************************************************
> #: *** INPUT CHAIN                                        ***
> #: **********************************************************
> #:
> #: Accept all packets coming in from the loopback interface
> /sbin/iptables -A INPUT -j ACCEPT -i lo
> #: Deny and log all packets trying to come in from a 127.0.0.0/8 address
> #: over a non-'lo' interface
> /sbin/iptables -A INPUT -j LOG -i ! lo -s 127.0.0.1/255.0.0.0
> /sbin/iptables -A INPUT -j DROP -i ! lo -s 127.0.0.1/255.0.0.0
> #: Accept dumb broadcast packets on internal interfaces
> /sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 255.255.255.255/32
> /sbin/iptables -A INPUT -j ACCEPT -i eth2 -d 255.255.255.255/32
> #: Accept packets from internal networks on internal interfaces
> /sbin/iptables -A INPUT -j ACCEPT -i eth0 -s 2.2.2.1/255.255.255.0
> /sbin/iptables -A INPUT -j ACCEPT -i eth2 -s 3.3.3.1/255.255.255.0
> #: Accept multicast packets (addresses 224.0.0.0) from internal interfaces
> /sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 224.0.0.0/4 -p ! 6
> /sbin/iptables -A INPUT -j ACCEPT -i eth2 -d 224.0.0.0/4 -p ! 6
> #: Disallow and log packets trying to come in over external interfaces
> #: from hosts claiming to be internal
> /sbin/iptables -A INPUT -j LOG -i eth1 -s 2.2.2.1/255.255.255.0
> /sbin/iptables -A INPUT -j DROP -i eth1 -s 2.2.2.1/255.255.255.0
> /sbin/iptables -A INPUT -j LOG -i eth1 -s 3.3.3.1/255.255.255.0
> /sbin/iptables -A INPUT -j DROP -i eth1 -s 3.3.3.1/255.255.255.0
> #: Accept dumb broadcast packets on external interfaces
> /sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 255.255.255.255/32
> #: Accept incoming packets from external networks on external interfaces
> /sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 1.1.1.1/32
> /sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 1.1.1.255/32
> #:
> #: **********************************************************
> #: *** IP MASQUERADING                                    ***
> #: **********************************************************
> #:
> #: Masquerade packets from internal networks
> /sbin/iptables -t nat -A POSTROUTING -o eth1 -s 2.2.2.1/255.255.255.0 -j MASQUERADE
> /sbin/iptables -A FORWARD -i eth0 -o eth1 -s 2.2.2.1/255.255.255.0 -j ACCEPT
> /sbin/iptables -t nat -A POSTROUTING -o eth1 -s 3.3.3.1/255.255.255.0 -j MASQUERADE
> /sbin/iptables -A FORWARD -i eth2 -o eth1 -s 3.3.3.1/255.255.255.0 -j ACCEPT
> /sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> #:
> #: **********************************************************
> #: *** OUTPUT CHAIN                                       ***
> #: **********************************************************
> #:
> #: Allow packets to go out over the loopback interface
> /sbin/iptables -A OUTPUT -j ACCEPT -o lo
> #: Allow dumb broadcast packets to leave on internal interfaces
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 255.255.255.255/32
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 255.255.255.255/32
> #: Allow packets for internal hosts to be delivered using internal interfaces
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 2.2.2.1/255.255.255.0
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 3.3.3.1/255.255.255.0
> #: Allow multicast packets (addresses 224.0.0.0) to be delivered using
> #: internal interfaces
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 224.0.0.0/4 -p ! 6
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 224.0.0.0/4 -p ! 6
> #: Deny and log packets attempting to leave over external interfaces claiming
> #: to be for internal networks
> /sbin/iptables -A FORWARD -j LOG -o eth1 -d 2.2.2.1/255.255.255.0
> /sbin/iptables -A FORWARD -j DROP -o eth1 -d 2.2.2.1/255.255.255.0
> /sbin/iptables -A OUTPUT -j LOG -o eth1 -d 2.2.2.1/255.255.255.0
> /sbin/iptables -A OUTPUT -j DROP -o eth1 -d 2.2.2.1/255.255.255.0
> /sbin/iptables -A FORWARD -j LOG -o eth1 -d 3.3.3.1/255.255.255.0
> /sbin/iptables -A FORWARD -j DROP -o eth1 -d 3.3.3.1/255.255.255.0
> /sbin/iptables -A OUTPUT -j LOG -o eth1 -d 3.3.3.1/255.255.255.0
> /sbin/iptables -A OUTPUT -j DROP -o eth1 -d 3.3.3.1/255.255.255.0
> #: Allow dumb broadcast packets to leave on external interfaces
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 255.255.255.255/32
> #: Allow packets for external networks to leave over external interfaces
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -s 1.1.1.1/32
> /sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -s 1.1.1.255/32
> #:
> #: **********************************************************
> #: *** SERVICES                                           ***
> #: **********************************************************
> #:
> #: Turn on forwarding for 2.1 kernels
> #: Enable automatic IP defragmentation
> echo "1" > /proc/sys/net/ipv4/ip_forward
> #: Set masquerading timeouts:
> #:   2 hrs for TCP
> #:   10 sec for TCP after FIN has been sent
> #:   160 sec for UDP (important for ICQ users)
> #: Run the deprecated /etc/ipmasq.rules, if present
> #: Deny and log anything that may have snuck past any of our other rules
> /sbin/iptables -A INPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
> /sbin/iptables -A INPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
> /sbin/iptables -A OUTPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
> /sbin/iptables -A OUTPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
> /sbin/iptables -A FORWARD -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
> /sbin/iptables -A FORWARD -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
>
>

-- 
Antonio Trujillo Carmona <[EMAIL PROTECTED]>
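An added example, not from either poster in this thread: a POSIX shell script that supplies what the quoted ipmasq rule sets lack for NETWORK 3 (2.2.2.0/24) to reach NETWORKS 1 and 2 (4.4.1.0/24, 4.4.2.0/24) across the 3.3.3.0/24 link, namely a route on each gateway, FORWARD rules for the remote networks, and INPUT/OUTPUT rules so a host in 2.2.2.0/24 can ping the NETS 1 and 2 gateway (its INPUT chain currently accepts only 3.3.3.0/24 on eth3). Interface names and addresses are the ones quoted above; the `DRY_RUN` switch is this script's own assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Joins NET3 (2.2.2.0/24) to NET1/NET2
# (4.4.1.0/24, 4.4.2.0/24) across the 3.3.3.0/24 link between the gateways.
# Addresses and interfaces are those quoted in the thread; DRY_RUN=1 (an
# assumption of this script) prints each command instead of running it.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Gateway NETS 1 AND 2: eth3 = 3.3.3.2, its peer across the link is 3.3.3.1.
fw1_rules() {
    # Without this route the gateway has no path back to NET3 (check "route -n").
    run ip route add 2.2.2.0/24 via 3.3.3.1 dev eth3
    # -I rather than -A: the ipmasq script ends every chain with LOG/DROP
    # catch-alls, so rules appended after them would never be reached.
    for net in 4.4.1.0/24 4.4.2.0/24; do
        run iptables -I FORWARD -i eth3 -s 2.2.2.0/24 -d "$net" -j ACCEPT
        run iptables -I FORWARD -o eth3 -s "$net" -d 2.2.2.0/24 -j ACCEPT
    done
    # INPUT/OUTPUT on eth3 only accept 3.3.3.0/24, which is why a ping from
    # NET3 to this gateway is dropped; let NET3 reach the gateway itself.
    run iptables -I INPUT -i eth3 -s 2.2.2.0/24 -j ACCEPT
    run iptables -I OUTPUT -o eth3 -d 2.2.2.0/24 -j ACCEPT
}

# Gateway NET 3: eth2 = 3.3.3.1 faces the link, eth0 = 2.2.2.1 faces NET3.
fw2_rules() {
    for net in 4.4.1.0/24 4.4.2.0/24; do
        run ip route add "$net" via 3.3.3.2 dev eth2
        run iptables -I FORWARD -i eth0 -o eth2 -s 2.2.2.0/24 -d "$net" -j ACCEPT
        run iptables -I FORWARD -i eth2 -o eth0 -s "$net" -d 2.2.2.0/24 -j ACCEPT
        run iptables -I INPUT -i eth2 -s "$net" -j ACCEPT
        run iptables -I OUTPUT -o eth2 -d "$net" -j ACCEPT
    done
}

# Review first with DRY_RUN=1, then run as root on the matching gateway.
case "${1:-}" in
    fw1) fw1_rules ;;
    fw2) fw2_rules ;;
    *)   echo "usage: $0 fw1|fw2" >&2 ;;
esac
```

The existing `FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT` rule on both gateways already lets reply traffic through, so only the new-connection direction strictly needs the explicit rules; both directions are added so that either side can initiate.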
-- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

