(linux-br) Problemas com Ipchains

Rafael Cioti de Queiroz Ferreira Fri, 06 Apr 2001 07:07:41 -0700
Senhores,


        tenho a seguinte configuração:


        
        rede externa
                |
        -------------------------------------   
        |172.20.22.0 (eth1)     |
        |                       |  rede interna( 192.168.10.0 - eth0)   
        |                       |
---------------------------------------------------
        |                       |
        |10.10.1.0(eth1:0)      |
        -------------------------------------
                |
                intranet 

        Descrição: Duas placas de redes, uma sendo utilizada para minha rede
interna (eth0) e a outra sendo utilizada para duas interfaces (eth1 e
eth1:0)
        estou usando o Ipchains com o Redhat 7.0
        O Problema: Não estou conseguindo comfigurar a interface eth1:0
segue abaixo o meu script. O QUE EU POSSO ESTAR FAZENDO ERRADO..????




depmod -a
modprobe ip_masq_ftp
modprobe ip_masq_portfw
modprobe ip_masq_raudio
echo "1" > /proc/sys/net/ipv4/ip_forward
ipchains -M -S 7200 10 60
#========================[ Comecando as regras ]==========================#
#
echo -n "Iniciando as Regras do Firewall.. "
#
ipchains -P input ACCEPT
ipchains -P forward ACCEPT 
ipchains -P output  ACCEPT
ipchains -F input
ipchains -F forward
ipchains -F output
ipchains -F bad-int
ipchains -F int-bad
ipchains -F dmz-int
ipchains -F int-dmz
ipchains -F icmp-acc
ipchains -F bad-if
ipchains -F int-if
ipchains -F dmz-if

ipmasqadm portfw -f

for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done

ipchains -A input -i ! lo -j DENY -l
ipchains -A output -i ! lo -j DENY -l
ipchains -A forward -j DENY -l

ipchains -X bad-int
ipchains -X int-bad
ipchains -X dmz-int
ipchains -X int-dmz
ipchains -X icmp-acc
ipchains -X bad-if
ipchains -X int-if
ipchains -X dmz-if

ipchains -N bad-int
ipchains -N int-bad
ipchains -N dmz-int
ipchains -N int-dmz
ipchains -N icmp-acc
ipchains -N bad-if
ipchains -N int-if
ipchains -N dmz-if

ipchains -A forward -s 10.10.1.0/24 -i eth0 -j dmz-int -l
ipchains -A forward -s 192.168.10.0/24 -i eth1 -j int-bad -l
ipchains -A forward -s 192.168.10.0/24 -i eth1:0 -j int-dmz -l
ipchains -A forward -i eth0 -j bad-int -l
ipchains -A forward -j DENY -l

ipchains -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
-l
ipchains -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT -l
ipchains -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT -l
ipchains -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT -l

#ipchains -A dmz-int -p tcp  -d 192.168.10.1 www -j MASQ -l 
ipchains -A dmz-int -p icmp -j icmp-acc -l
ipchains -A dmz-int -j DENY -l

#ipchains -A bad-int -p tcp -d 192.168.10.1 www -j DENY -l
ipchains -A bad-int -p icmp -j icmp-acc -l
ipchains -A bad-int -j DENY -l

ipchains -A int-dmz -p icmp -j icmp-acc -l
ipchains -A int-dmz -j DENY -l

ipchains -A int-bad -p tcp -s 192.168.10.1 --dport www -j MASQ -l
#ipchains -A int-bad -s 192.168.10.1 -j MASQ -l
ipchains -A int-bad -p tcp --dport 1000:2000 -j ACCEPT
#ipchains -A int-bad -p tcp --dport ftp -j MASQ -l
ipchains -A int-bad -j DENY -l

ipchains -A bad-int -j REJECT

ipchains -A input -d 172.20.22.254 -j bad-if -l
ipchains -A input -d 192.168.10.254 -j int-if -l
ipchains -A input -d 10.10.1.254 -j dmz-if -l

ipchains -A bad-if -i ! eth1 -j DENY -l
ipchains -A bad-if -p tcp -s 172.20.22.0/24 --dport www -j ACCEPT -l
ipchains -A bad-if -p tcp -s 172.20.22.0/24 --dport ftp -j ACCEPT -l
ipchains -A bad-if -p tcp -s 172.20.22.0/24 --dport 5900 -j ACCEPT -l
ipchains -A bad-if -p tcp --dport 1000:2000 -j ACCEPT
ipchains -A bad-if -p tcp --dport 61000:65096 -j ACCEPT -l
ipchains -A bad-if -p udp --dport 61000:65096 -j ACCEPT -l
ipchains -A bad-if -p icmp --icmp-type pong -j ACCEPT -l
ipchains -A bad-if -j icmp-acc -l
ipchains -A bad-if -j DENY -l

ipchains -A int-if -i ! eth0 -j DENY -l
ipchains -A int-if -p icmp --icmp-type pong -j ACCEPT -l
ipchains -A int-if -j icmp-acc -l
ipchains -A int-if -j DENY -l

ipchains -A dmz-if -s ! 10.10.1.254 -j DENY -l
ipchains -A dmz-if -p tcp --dport www -j ACCEPT -l
ipchains -A dmz-if -p tcp --dport 1000:2000 -j ACCEPT -l
ipchains -A dmz-if -p tcp --dport 61000:65096 -j ACCEPT -l
ipchains -A dmz-if -p udp --dport 61000:65096 -j ACCEPT -l
ipchains -A dmz-if -p icmp --icmp-type pong -j ACCEPT -l
ipchains -A dmz-if -j icmp-acc -l
ipchains -A dmz-if -j DENY -l

ipchains -D input 1
ipchains -D forward 1
ipchains -D output 1

ipmasqadm portfw -a -P tcp -L 172.20.22.254 www -R 192.168.10.1 www
ipmasqadm portfw -a -P tcp -L 172.20.22.254 ftp -R 192.168.10.1 ftp
ipmasqadm portfw -a -P tcp -L 10.10.1.254 www -R 192.168.10.1 www

echo "Concluído!"


Assinantes em 06/04/2001: 2187
Mensagens recebidas desde 07/01/1999: 108063
Historico e [des]cadastramento: http://linux-br.conectiva.com.br
Assuntos administrativos e problemas com a lista:
            mailto:[EMAIL PROTECTED]
(linux-br) Problemas com Ipchains

Responder a
