I have a problem with IPTABLES that I'm stuck on. I've googled, I've looked at the docs at netfilter.org and at linuxguruz.com, and I can't manage to fix it.
Let me describe more or less what's happening. The networks of the company I work for are laid out like this:

   @ @ @           __________________
  @       @   eth0|     FIREWALL     |eth1
 @ INTERNET @-----|GATEWAY NET 1 & 2 |--------NET1
  @   1   @       |                  |eth2
   @ @ @          |__________________|--------NET2
                          |eth3
                          |
                          |
                          |
   @ @ @           _______|eth2______
  @       @   eth1|     FIREWALL     |eth0
 @ INTERNET @-----|  GATEWAY NET 3   |--------NET3
  @   2   @       |                  |
   @ @ @          |__________________|

NETS 1 and 2 see each other and can reach the internet through INTERNET 1. NET 3 reaches the internet through INTERNET 2.

The problem I have is that I need to interconnect NETS 1 and 2 with NET 3 so that all three see each other. I can't find a way to do it. For starters, I can't even ping the FIREWALL of NETS 1 and 2 from NET 3.

Can anyone give me a hint as to where to go from here?

Here is the iptables configuration of the machines. Both FIREWALLs are debian/sarge with a 2.6-series kernel. These are the iptables scripts generated by ipmasq, which work; I'm not including the modifications I made myself, because every modification I've made has only served to break something.

Many thanks


FIREWALL/GATEWAY NETS 1 AND 2

#: Interfaces found:
#: eth0 1.1.2.1/255.255.255.0
#: eth0 1.1.2.1/255.255.255.0
#: eth1 4.4.1.2/255.255.255.0
#: eth2 4.4.2.2/255.255.255.0
#: eth3 3.3.3.2/255.255.255.0

#: Turn off forwarding for 2.1 kernels
#: Disable automatic IP defragmentation
echo "0" > /proc/sys/net/ipv4/ip_forward

#: Flush all and set default policy of deny.
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT
/sbin/iptables -t mangle -F PREROUTING
/sbin/iptables -t mangle -F OUTPUT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t nat -F PREROUTING
/sbin/iptables -t nat -F POSTROUTING
/sbin/iptables -t nat -F OUTPUT

#:
#: **********************************************************
#: *** CUSTOM CHAINS ***
#: **********************************************************
#:

#:
#: **********************************************************
#: *** FORWARD CHAIN ***
#: **********************************************************
#:
#: Forward packets among internal networks
/sbin/iptables -A FORWARD -j ACCEPT -s 4.4.2.2/255.255.255.0 -d 4.4.1.2/255.255.255.0
/sbin/iptables -A FORWARD -j ACCEPT -s 3.3.3.2/255.255.255.0 -d 4.4.1.2/255.255.255.0
/sbin/iptables -A FORWARD -j ACCEPT -s 4.4.1.2/255.255.255.0 -d 4.4.2.2/255.255.255.0
/sbin/iptables -A FORWARD -j ACCEPT -s 3.3.3.2/255.255.255.0 -d 4.4.2.2/255.255.255.0
/sbin/iptables -A FORWARD -j ACCEPT -s 4.4.1.2/255.255.255.0 -d 3.3.3.2/255.255.255.0
/sbin/iptables -A FORWARD -j ACCEPT -s 4.4.2.2/255.255.255.0 -d 3.3.3.2/255.255.255.0

#:
#: **********************************************************
#: *** INPUT CHAIN ***
#: **********************************************************
#:
#: Accept all packets coming in from the loopback interface
/sbin/iptables -A INPUT -j ACCEPT -i lo
#: Deny and log all packets trying to come in from a 127.0.0.0/8 address
#: over a non-'lo' interface
/sbin/iptables -A INPUT -j LOG -i ! lo -s 127.0.0.1/255.0.0.0
/sbin/iptables -A INPUT -j DROP -i ! lo -s 127.0.0.1/255.0.0.0
#: Accept dumb broadcast packets on internal interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 255.255.255.255/32
/sbin/iptables -A INPUT -j ACCEPT -i eth2 -d 255.255.255.255/32
/sbin/iptables -A INPUT -j ACCEPT -i eth3 -d 255.255.255.255/32
#: Accept packets from internal networks on internal interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -s 4.4.1.2/255.255.255.0
/sbin/iptables -A INPUT -j ACCEPT -i eth2 -s 4.4.2.2/255.255.255.0
/sbin/iptables -A INPUT -j ACCEPT -i eth3 -s 3.3.3.2/255.255.255.0
#: Accept multicast packets (addresses 224.0.0.0) from internal interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 224.0.0.0/4 -p ! 6
/sbin/iptables -A INPUT -j ACCEPT -i eth2 -d 224.0.0.0/4 -p ! 6
/sbin/iptables -A INPUT -j ACCEPT -i eth3 -d 224.0.0.0/4 -p ! 6
#: Disallow and log packets trying to come in over external interfaces
#: from hosts claiming to be internal
/sbin/iptables -A INPUT -j LOG -i eth0 -s 4.4.1.2/255.255.255.0
/sbin/iptables -A INPUT -j DROP -i eth0 -s 4.4.1.2/255.255.255.0
/sbin/iptables -A INPUT -j LOG -i eth0 -s 4.4.2.2/255.255.255.0
/sbin/iptables -A INPUT -j DROP -i eth0 -s 4.4.2.2/255.255.255.0
/sbin/iptables -A INPUT -j LOG -i eth0 -s 3.3.3.2/255.255.255.0
/sbin/iptables -A INPUT -j DROP -i eth0 -s 3.3.3.2/255.255.255.0
#: Accept dumb broadcast packets on external interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 255.255.255.255/32
#: Accept incoming packets from external networks on external interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 1.1.2.1/32
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 1.1.2.255/32

#:
#: **********************************************************
#: *** IP MASQUERADING ***
#: **********************************************************
#:
#: Masquerade packets from internal networks
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 4.4.1.2/255.255.255.0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth1 -o eth0 -s 4.4.1.2/255.255.255.0 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 4.4.2.2/255.255.255.0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth2 -o eth0 -s 4.4.2.2/255.255.255.0 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 3.3.3.2/255.255.255.0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth3 -o eth0 -s 3.3.3.2/255.255.255.0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

#:
#: **********************************************************
#: *** OUTPUT CHAIN ***
#: **********************************************************
#:
#: Allow packets to go out over the loopback interface
/sbin/iptables -A OUTPUT -j ACCEPT -o lo
#: Allow dumb broadcast packets to leave on internal interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 255.255.255.255/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 255.255.255.255/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth3 -d 255.255.255.255/32
#: Allow packets for internal hosts to be delivered using internal interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 4.4.1.2/255.255.255.0
/sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 4.4.2.2/255.255.255.0
/sbin/iptables -A OUTPUT -j ACCEPT -o eth3 -d 3.3.3.2/255.255.255.0
#: Allow multicast packets (addresses 224.0.0.0) to be delivered using
#: internal interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 224.0.0.0/4 -p ! 6
/sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 224.0.0.0/4 -p ! 6
/sbin/iptables -A OUTPUT -j ACCEPT -o eth3 -d 224.0.0.0/4 -p ! 6
#: Deny and log packets attempting to leave over external interfaces claiming
#: to be for internal networks
/sbin/iptables -A FORWARD -j LOG -o eth0 -d 4.4.1.2/255.255.255.0
/sbin/iptables -A FORWARD -j DROP -o eth0 -d 4.4.1.2/255.255.255.0
/sbin/iptables -A OUTPUT -j LOG -o eth0 -d 4.4.1.2/255.255.255.0
/sbin/iptables -A OUTPUT -j DROP -o eth0 -d 4.4.1.2/255.255.255.0
/sbin/iptables -A FORWARD -j LOG -o eth0 -d 4.4.2.2/255.255.255.0
/sbin/iptables -A FORWARD -j DROP -o eth0 -d 4.4.2.2/255.255.255.0
/sbin/iptables -A OUTPUT -j LOG -o eth0 -d 4.4.2.2/255.255.255.0
/sbin/iptables -A OUTPUT -j DROP -o eth0 -d 4.4.2.2/255.255.255.0
/sbin/iptables -A FORWARD -j LOG -o eth0 -d 3.3.3.2/255.255.255.0
/sbin/iptables -A FORWARD -j DROP -o eth0 -d 3.3.3.2/255.255.255.0
/sbin/iptables -A OUTPUT -j LOG -o eth0 -d 3.3.3.2/255.255.255.0
/sbin/iptables -A OUTPUT -j DROP -o eth0 -d 3.3.3.2/255.255.255.0
#: Allow dumb broadcast packets to leave on external interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 255.255.255.255/32
#: Allow packets for external networks to leave over external interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -s 1.1.2.1/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -s 1.1.2.255/32

#:
#: **********************************************************
#: *** SERVICES ***
#: **********************************************************
#:

#: Turn on forwarding for 2.1 kernels
#: Enable automatic IP defragmentation
echo "1" > /proc/sys/net/ipv4/ip_forward

#: Set masquerading timeouts:
#: 2 hrs for TCP
#: 10 sec for TCP after FIN has been sent
#: 160 sec for UDP (important for ICQ users)

#: Run the deprecated /etc/ipmasq.rules, if present

#: Deny and log anything that may have snuck past any of our other rules
/sbin/iptables -A INPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A INPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A OUTPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A OUTPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A FORWARD -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A FORWARD -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0


FIREWALL/GATEWAY NET 3

#: Interfaces found:
#: eth1 1.1.1.1/255.255.255.0
#: eth1 1.1.1.1/255.255.255.0
#: eth0 2.2.2.1/255.255.255.0
#: eth2 3.3.3.1/255.255.255.0

#: Turn off forwarding for 2.1 kernels
#: Disable automatic IP defragmentation
echo "0" > /proc/sys/net/ipv4/ip_forward

#: Flush all and set default policy of deny.
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT
/sbin/iptables -t mangle -F PREROUTING
/sbin/iptables -t mangle -F OUTPUT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t nat -F PREROUTING
/sbin/iptables -t nat -F POSTROUTING
/sbin/iptables -t nat -F OUTPUT

#:
#: **********************************************************
#: *** CUSTOM CHAINS ***
#: **********************************************************
#:

#:
#: **********************************************************
#: *** FORWARD CHAIN ***
#: **********************************************************
#:
#: Forward packets among internal networks
/sbin/iptables -A FORWARD -j ACCEPT -s 3.3.3.1/255.255.255.0 -d 2.2.2.1/255.255.255.0
/sbin/iptables -A FORWARD -j ACCEPT -s 2.2.2.1/255.255.255.0 -d 3.3.3.1/255.255.255.0

#:
#: **********************************************************
#: *** INPUT CHAIN ***
#: **********************************************************
#:
#: Accept all packets coming in from the loopback interface
/sbin/iptables -A INPUT -j ACCEPT -i lo
#: Deny and log all packets trying to come in from a 127.0.0.0/8 address
#: over a non-'lo' interface
/sbin/iptables -A INPUT -j LOG -i ! lo -s 127.0.0.1/255.0.0.0
/sbin/iptables -A INPUT -j DROP -i ! lo -s 127.0.0.1/255.0.0.0
#: Accept dumb broadcast packets on internal interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 255.255.255.255/32
/sbin/iptables -A INPUT -j ACCEPT -i eth2 -d 255.255.255.255/32
#: Accept packets from internal networks on internal interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -s 2.2.2.1/255.255.255.0
/sbin/iptables -A INPUT -j ACCEPT -i eth2 -s 3.3.3.1/255.255.255.0
#: Accept multicast packets (addresses 224.0.0.0) from internal interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 224.0.0.0/4 -p ! 6
/sbin/iptables -A INPUT -j ACCEPT -i eth2 -d 224.0.0.0/4 -p ! 6
#: Disallow and log packets trying to come in over external interfaces
#: from hosts claiming to be internal
/sbin/iptables -A INPUT -j LOG -i eth1 -s 2.2.2.1/255.255.255.0
/sbin/iptables -A INPUT -j DROP -i eth1 -s 2.2.2.1/255.255.255.0
/sbin/iptables -A INPUT -j LOG -i eth1 -s 3.3.3.1/255.255.255.0
/sbin/iptables -A INPUT -j DROP -i eth1 -s 3.3.3.1/255.255.255.0
#: Accept dumb broadcast packets on external interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 255.255.255.255/32
#: Accept incoming packets from external networks on external interfaces
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 1.1.1.1/32
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 1.1.1.255/32

#:
#: **********************************************************
#: *** IP MASQUERADING ***
#: **********************************************************
#:
#: Masquerade packets from internal networks
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 2.2.2.1/255.255.255.0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o eth1 -s 2.2.2.1/255.255.255.0 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 3.3.3.1/255.255.255.0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth2 -o eth1 -s 3.3.3.1/255.255.255.0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

#:
#: **********************************************************
#: *** OUTPUT CHAIN ***
#: **********************************************************
#:
#: Allow packets to go out over the loopback interface
/sbin/iptables -A OUTPUT -j ACCEPT -o lo
#: Allow dumb broadcast packets to leave on internal interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 255.255.255.255/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 255.255.255.255/32
#: Allow packets for internal hosts to be delivered using internal interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 2.2.2.1/255.255.255.0
/sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 3.3.3.1/255.255.255.0
#: Allow multicast packets (addresses 224.0.0.0) to be delivered using
#: internal interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 224.0.0.0/4 -p ! 6
/sbin/iptables -A OUTPUT -j ACCEPT -o eth2 -d 224.0.0.0/4 -p ! 6
#: Deny and log packets attempting to leave over external interfaces claiming
#: to be for internal networks
/sbin/iptables -A FORWARD -j LOG -o eth1 -d 2.2.2.1/255.255.255.0
/sbin/iptables -A FORWARD -j DROP -o eth1 -d 2.2.2.1/255.255.255.0
/sbin/iptables -A OUTPUT -j LOG -o eth1 -d 2.2.2.1/255.255.255.0
/sbin/iptables -A OUTPUT -j DROP -o eth1 -d 2.2.2.1/255.255.255.0
/sbin/iptables -A FORWARD -j LOG -o eth1 -d 3.3.3.1/255.255.255.0
/sbin/iptables -A FORWARD -j DROP -o eth1 -d 3.3.3.1/255.255.255.0
/sbin/iptables -A OUTPUT -j LOG -o eth1 -d 3.3.3.1/255.255.255.0
/sbin/iptables -A OUTPUT -j DROP -o eth1 -d 3.3.3.1/255.255.255.0
#: Allow dumb broadcast packets to leave on external interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 255.255.255.255/32
#: Allow packets for external networks to leave over external interfaces
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -s 1.1.1.1/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -s 1.1.1.255/32

#:
#: **********************************************************
#: *** SERVICES ***
#: **********************************************************
#:

#: Turn on forwarding for 2.1 kernels
#: Enable automatic IP defragmentation
echo "1" > /proc/sys/net/ipv4/ip_forward

#: Set masquerading timeouts:
#: 2 hrs for TCP
#: 10 sec for TCP after FIN has been sent
#: 160 sec for UDP (important for ICQ users)

#: Run the deprecated /etc/ipmasq.rules, if present

#: Deny and log anything that may have snuck past any of our other rules
/sbin/iptables -A INPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A INPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A OUTPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A OUTPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A FORWARD -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A FORWARD -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
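The ipmasq scripts above are long, and every chain ends in a LOG+DROP catch-all, so a packet that no earlier rule names is silently dropped. A cheap way to reason about this before touching a production box is to model the first-match semantics of the chains and run the packets from the post through them. The following Python is an added example, not the poster's script or ipmasq output: it models only the address-, interface- and chain-based INPUT and FORWARD rules of the NET1/NET2 gateway that matter for traffic between NET3 and the other networks (no conntrack state, no broadcast or multicast rules, LOG treated as a no-op), and it then adds a hypothetical set of NET3 rules to show what changes. The host addresses 2.2.2.10 and 4.4.1.10 and the external addresses 203.0.113.5 and 198.51.100.7 are constructed sample values.

```python
"""First-match model of the INPUT and FORWARD chains of the NET1/NET2 gateway.

Added example; not the poster's script and not ipmasq output. Only a subset
of the posted rules is modelled (see the lead-in); host addresses below are
constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Network notation as it appears in the posted ipmasq script; strict=False
# lets ipaddress read "4.4.1.2/255.255.255.0" as the network 4.4.1.0/24.
NET1 = "4.4.1.2/255.255.255.0"   # eth1 on the NET1/NET2 gateway
NET2 = "4.4.2.2/255.255.255.0"   # eth2
LINK = "3.3.3.2/255.255.255.0"   # eth3, the link towards the NET3 gateway
NET3 = "2.2.2.1/255.255.255.0"   # behind the NET3 gateway (its eth0)


@dataclass(frozen=True)
class Rule:
    chain: str
    target: str
    in_if: Optional[str] = None      # -i; None means "any interface"
    out_if: Optional[str] = None     # -o
    src: str = "0.0.0.0/0"           # -s
    dst: str = "0.0.0.0/0"           # -d

    def matches(self, pkt: dict) -> bool:
        if self.in_if is not None and self.in_if != pkt["in_if"]:
            return False
        if self.out_if is not None and self.out_if != pkt["out_if"]:
            return False
        src_ok = ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src, strict=False)
        dst_ok = ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst, strict=False)
        return src_ok and dst_ok


def packet(src: str, dst: str, in_if: str, out_if: Optional[str] = None) -> dict:
    """A packet as the chains see it: INPUT traffic has no output interface."""
    return {"src": src, "dst": dst, "in_if": in_if, "out_if": out_if}


def verdict(rules, chain: str, pkt: dict) -> str:
    """iptables semantics: the first matching rule in the chain decides;
    the posted script sets the policy of every chain to DROP."""
    for rule in rules:
        if rule.chain == chain and rule.matches(pkt):
            return rule.target
    return "DROP"


# The posted NET1/NET2 gateway rules (modelled subset), in script order.
FW1_AS_POSTED = [
    # "Forward packets among internal networks": only NET1, NET2 and the link
    Rule("FORWARD", "ACCEPT", src=NET2, dst=NET1),
    Rule("FORWARD", "ACCEPT", src=LINK, dst=NET1),
    Rule("FORWARD", "ACCEPT", src=NET1, dst=NET2),
    Rule("FORWARD", "ACCEPT", src=LINK, dst=NET2),
    Rule("FORWARD", "ACCEPT", src=NET1, dst=LINK),
    Rule("FORWARD", "ACCEPT", src=NET2, dst=LINK),
    # "Accept packets from internal networks on internal interfaces"
    Rule("INPUT", "ACCEPT", in_if="eth1", src=NET1),
    Rule("INPUT", "ACCEPT", in_if="eth2", src=NET2),
    Rule("INPUT", "ACCEPT", in_if="eth3", src=LINK),
    # "Masquerade packets from internal networks" (the FORWARD half)
    Rule("FORWARD", "ACCEPT", in_if="eth1", out_if="eth0", src=NET1),
    Rule("FORWARD", "ACCEPT", in_if="eth2", out_if="eth0", src=NET2),
    Rule("FORWARD", "ACCEPT", in_if="eth3", out_if="eth0", src=LINK),
    # "Deny and log anything that may have snuck past any of our other rules"
    Rule("INPUT", "DROP"),
    Rule("FORWARD", "DROP"),
]

# Hypothetical additions (not from the post): NET3 is reachable only through
# eth3, so accept it there and only towards the two local networks. They go
# before the catch-all rules, because the first match decides.
NET3_RULES = [
    Rule("INPUT", "ACCEPT", in_if="eth3", src=NET3),
    Rule("FORWARD", "ACCEPT", in_if="eth3", out_if="eth1", src=NET3, dst=NET1),
    Rule("FORWARD", "ACCEPT", in_if="eth3", out_if="eth2", src=NET3, dst=NET2),
    Rule("FORWARD", "ACCEPT", in_if="eth1", out_if="eth3", src=NET1, dst=NET3),
    Rule("FORWARD", "ACCEPT", in_if="eth2", out_if="eth3", src=NET2, dst=NET3),
]
FW1_WITH_NET3 = FW1_AS_POSTED[:-2] + NET3_RULES + FW1_AS_POSTED[-2:]


def trace(rules) -> dict:
    """Verdicts for the situations described in the post, for one rule set."""
    cases = {
        "NET3 gateway (3.3.3.1) pings FW1":   ("INPUT",   packet("3.3.3.1", "3.3.3.2", "eth3")),
        "NET3 host pings FW1":                ("INPUT",   packet("2.2.2.10", "3.3.3.2", "eth3")),
        "NET3 host -> NET1 host":             ("FORWARD", packet("2.2.2.10", "4.4.1.10", "eth3", "eth1")),
        "NET1 host -> NET3 host":             ("FORWARD", packet("4.4.1.10", "2.2.2.10", "eth1", "eth3")),
        "NET1 host -> internet (masquerade)": ("FORWARD", packet("4.4.1.10", "203.0.113.5", "eth1", "eth0")),
        "internet -> NET1 host":              ("FORWARD", packet("198.51.100.7", "4.4.1.10", "eth0", "eth1")),
    }
    return {name: verdict(rules, chain, pkt) for name, (chain, pkt) in cases.items()}


if __name__ == "__main__":
    for label, rules in (("as posted", FW1_AS_POSTED), ("with NET3 rules", FW1_WITH_NET3)):
        print(f"--- {label} ---")
        for name, result in trace(rules).items():
            print(f"{result:7} {name}")
```

Run as posted, the model accepts a ping from the link address 3.3.3.1 itself but drops one from a NET3 host, because the only INPUT rule for eth3 names the 3.3.3.0/24 link network, and it drops NET3 traffic in both directions in FORWARD for the same reason; with the extra rules in place, those cases become ACCEPT while the masquerade path still passes and unsolicited traffic from eth0 is still dropped. Two things the model deliberately leaves out: iptables filters after the routing decision, so each gateway also needs a route for the far networks via the 3.3.3.0/24 link (otherwise the packet never reaches FORWARD with the expected output interface), and the NET3 gateway needs the mirror-image INPUT and FORWARD rules for 4.4.1.0/24 and 4.4.2.0/24 on its eth2, since its posted FORWARD chain only names 2.2.2.0/24 and 3.3.3.0/24.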