Hi William,

No, I haven't used it. In fact, I don't recall ever having used NAT combined with FORWARD... Here is what netstat -nr gives me:
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         192.168.0.216   0.0.0.0         UG      0 0          0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U       0 0          0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U       0 0          0 eth1
192.168.30.0    192.168.0.1     255.255.255.0   UG      0 0          0 eth0

Where 192.168.0.216 is the gateway for subnet 0 and 192.168.0.1 is the same for subnet 30.

Here is an iptables -L:

target prot opt source destination
ACCEPT all -- localhost anywhere
ACCEPT tcp -- 192.168.0.0/24 anywhere tcp dpt:3128
ACCEPT tcp -- 192.168.30.0/24 anywhere tcp dpt:3128
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:webmin
ACCEPT tcp -- fmiculan.friggorina.local anywhere tcp dpt:netbios-ssn
ACCEPT tcp -- fmiculan.friggorina.local anywhere tcp dpt:microsoft-ds
ACCEPT tcp -- anywhere anywhere tcp dpt:10200
ACCEPT tcp -- anywhere anywhere tcp dpt:5901
ACCEPT udp -- fglp05.friggorina.local anywhere udp dpt:snmp
ACCEPT udp -- fglp05.friggorina.local anywhere udp dpt:snmp-trap
ACCEPT udp -- fglp10.friggorina.local anywhere udp dpt:snmp
ACCEPT udp -- fglp10.friggorina.local anywhere udp dpt:snmp-trap
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- fglp05.friggorina.local anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:2222
ACCEPT tcp -- anywhere anywhere tcp spt:2222
ACCEPT tcp -- anywhere anywhere tcp dpt:2221
ACCEPT tcp -- anywhere anywhere tcp spt:2221
ACCEPT tcp -- anywhere anywhere tcp dpt:25000
ACCEPT tcp -- anywhere anywhere tcp spt:25000
ACCEPT tcp -- anywhere anywhere tcp dpt:5938
ACCEPT tcp -- anywhere anywhere tcp spt:5938
ACCEPT tcp -- anywhere anywhere tcp dpt:31193
ACCEPT tcp -- anywhere anywhere tcp spt:31193
ACCEPT tcp -- anywhere anywhere tcp dpt:1935
ACCEPT tcp -- anywhere anywhere tcp spt:1935
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp spt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp spt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp spt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn
ACCEPT tcp -- anywhere anywhere tcp spt:netbios-ssn
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-dgm
ACCEPT tcp -- anywhere anywhere tcp spt:netbios-dgm
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ns
ACCEPT tcp -- anywhere anywhere tcp spt:netbios-ns
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds
ACCEPT tcp -- anywhere anywhere tcp spt:microsoft-ds
ACCEPT tcp -- anywhere anywhere tcp dpt:http MAC 00:21:97:D4:9A:92
ACCEPT tcp -- anywhere anywhere tcp spt:http MAC 00:21:97:D4:9A:92
ACCEPT tcp -- anywhere anywhere tcp dpt:https MAC 00:21:97:D4:9A:92
ACCEPT tcp -- anywhere anywhere tcp spt:https MAC 00:21:97:D4:9A:92
ACCEPT tcp -- anywhere anywhere tcp dpt:1723
ACCEPT tcp -- anywhere anywhere tcp spt:1723
ACCEPT tcp -- anywhere anywhere tcp dpt:47
ACCEPT tcp -- anywhere anywhere tcp spt:47
ACCEPT tcp -- anywhere anywhere tcp dpt:3001
ACCEPT tcp -- anywhere anywhere tcp spt:3001
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql MAC 00:E0:4C:73:7E:F6
ACCEPT tcp -- anywhere anywhere tcp spt:mysql MAC 00:E0:4C:73:7E:F6
ACCEPT tcp -- anywhere anywhere tcp dpt:radmin-port
ACCEPT tcp -- anywhere anywhere tcp spt:radmin-port
ACCEPT tcp -- anywhere anywhere tcp dpt:3389
ACCEPT tcp -- anywhere anywhere tcp spt:3389
ACCEPT tcp -- anywhere anywhere tcp dpt:xmpp-client
ACCEPT tcp -- anywhere anywhere tcp spt:xmpp-client
ACCEPT tcp -- anywhere anywhere tcp dpt:afs3-prserver
ACCEPT tcp -- anywhere anywhere tcp spt:afs3-prserver
ACCEPT tcp -- anywhere anywhere tcp dpt:44018
ACCEPT tcp -- anywhere anywhere tcp spt:44018
ACCEPT tcp -- anywhere anywhere MAC 50:E5:49:93:7D:47
ACCEPT tcp -- anywhere anywhere MAC 00:17:C4:99:D8:4C
ACCEPT tcp -- anywhere anywhere MAC 00:1F:16:AA:A3:E9
ACCEPT tcp -- anywhere anywhere MAC B8:76:3F:6D:3B:16
ACCEPT tcp -- anywhere anywhere MAC C4:DA:26:04:8C:D7
ACCEPT tcp -- anywhere anywhere MAC F0:4D:A2:58:04:DE
ACCEPT tcp -- anywhere anywhere MAC B8:B4:2E:EC:D8:69
ACCEPT tcp -- anywhere anywhere MAC B8:8D:12:0E:C1:28
ACCEPT tcp -- anywhere anywhere MAC 00:1E:68:89:F6:31
ACCEPT tcp -- anywhere anywhere MAC 00:21:00:2D:8F:AD
ACCEPT tcp -- anywhere anywhere MAC 74:DE:2B:20:3A:59
ACCEPT tcp -- anywhere anywhere MAC C8:9C:DC:05:EF:A7
ACCEPT tcp -- anywhere anywhere MAC C8:6F:1D:0F:86:D2
ACCEPT tcp -- anywhere anywhere MAC 78:84:3C:2B:AD:3B
ACCEPT tcp -- anywhere anywhere MAC 4C:0F:6E:D6:7B:5D
ACCEPT tcp -- anywhere anywhere MAC 00:23:4E:04:23:ED
ACCEPT tcp -- anywhere anywhere MAC 00:1C:8B:45:BD:5F
ACCEPT tcp -- anywhere anywhere MAC 00:21:5D:C6:C1:C8
ACCEPT tcp -- anywhere anywhere MAC 00:1E:EC:F5:61:C3
ACCEPT tcp -- anywhere anywhere MAC 00:25:56:BB:E9:32
ACCEPT tcp -- anywhere anywhere MAC 00:26:22:CA:47:54
ACCEPT tcp -- anywhere anywhere MAC 00:1E:C2:BD:7E:99
ACCEPT tcp -- anywhere anywhere MAC 00:1D:E0:76:BD:A1
ACCEPT tcp -- anywhere anywhere MAC 00:E0:4C:73:7E:F6
ACCEPT tcp -- anywhere anywhere MAC 80:9B:20:0A:90:34
ACCEPT tcp -- anywhere anywhere MAC B8:88:E3:A9:FC:EB
ACCEPT tcp -- anywhere anywhere MAC 00:0A:EB:22:1A:3F
ACCEPT tcp -- anywhere anywhere MAC 00:E0:4C:8D:9B:4C
ACCEPT tcp -- anywhere anywhere MAC 00:1E:33:82:6D:F6
ACCEPT tcp -- anywhere anywhere MAC 00:21:63:A6:46:BB
ACCEPT tcp -- anywhere anywhere MAC 00:16:44:75:AC:07
ACCEPT tcp -- anywhere anywhere MAC 00:A0:D1:8B:C8:CB
ACCEPT tcp -- anywhere anywhere MAC E4:12:1D:83:E2:2C
ACCEPT tcp -- anywhere anywhere MAC E0:B9:A5:4E:40:00
ACCEPT tcp -- anywhere anywhere MAC C4:DA:26:04:88:D0
ACCEPT tcp -- anywhere anywhere MAC B8:88:E3:A8:F1:E3
ACCEPT tcp -- anywhere anywhere MAC 68:94:23:C5:E2:F7
ACCEPT tcp -- anywhere anywhere MAC 00:E0:48:00:3C:1C
ACCEPT tcp -- anywhere anywhere MAC 00:23:6C:95:DB:84
ACCEPT tcp -- anywhere anywhere MAC 00:23:DF:97:46:64
ACCEPT tcp -- anywhere anywhere MAC F0:27:65:19:01:57
ACCEPT tcp -- anywhere anywhere MAC 5C:51:4F:29:69:68
ACCEPT tcp -- anywhere anywhere MAC 18:67:B0:BF:DC:14
ACCEPT tcp -- anywhere anywhere MAC 80:60:07:4A:C1:EC
ACCEPT tcp -- anywhere anywhere MAC D4:F4:6F:27:36:42
ACCEPT tcp -- anywhere anywhere MAC 00:1D:E0:94:E5:87
ACCEPT tcp -- anywhere anywhere MAC 00:15:B7:1E:45:F2
ACCEPT tcp -- anywhere anywhere MAC 40:25:C2:A1:A1:F4
ACCEPT tcp -- anywhere anywhere MAC F0:BF:97:E4:85:11
ACCEPT tcp -- anywhere anywhere MAC 80:60:07:91:C9:96
ACCEPT tcp -- anywhere anywhere MAC A8:96:8A:80:79:A1
ACCEPT tcp -- anywhere anywhere MAC 00:00:74:AB:44:81
ACCEPT tcp -- anywhere anywhere MAC 00:50:56:BD:00:00
ACCEPT tcp -- anywhere anywhere MAC 00:03:0D:93:36:8A
ACCEPT tcp -- anywhere anywhere MAC 00:16:44:B3:F0:00
ACCEPT tcp -- anywhere anywhere MAC 00:37:6D:53:0B:E7
ACCEPT tcp -- anywhere anywhere MAC F0:DE:F1:77:49:57
ACCEPT tcp -- anywhere anywhere MAC D0:DF:9A:C6:A1:C5
ACCEPT tcp -- anywhere anywhere MAC D0:DF:9A:C4:61:F4
ACCEPT tcp -- anywhere anywhere MAC F0:DE:F1:77:49:41
ACCEPT tcp -- anywhere anywhere MAC E8:80:2E:CB:D6:BA
ACCEPT tcp -- anywhere anywhere MAC D0:DE:9A:C4:68:7D
ACCEPT tcp -- anywhere anywhere MAC F0:DE:F1:77:46:B2
ACCEPT tcp -- anywhere anywhere MAC 00:26:82:A5:21:C1
ACCEPT tcp -- anywhere anywhere MAC 88:AE:1D:34:00:E5
ACCEPT tcp -- anywhere anywhere MAC C0:65:99:B6:2E:3E
ACCEPT tcp -- anywhere anywhere MAC 00:1F:3B:32:E4:67
ACCEPT tcp -- anywhere anywhere MAC 00:1C:C4:CC:2D:71
ACCEPT tcp -- anywhere anywhere MAC 00:19:7D:07:16:F1
ACCEPT tcp -- anywhere anywhere MAC 00:0F:B0:CE:B8:62
ACCEPT tcp -- anywhere anywhere MAC DC:0E:A1:A5:87:E9
ACCEPT tcp -- anywhere anywhere MAC 08:ED:B9:10:60:D9
ACCEPT tcp -- anywhere anywhere MAC 1C:4B:D6:67:49:01
ACCEPT tcp -- anywhere anywhere MAC 60:21:C0:39:3F:16
ACCEPT tcp -- anywhere anywhere MAC 88:53:2E:4A:2B:DF
ACCEPT tcp -- anywhere anywhere MAC D0:DF:9A:60:35:2E
ACCEPT tcp -- anywhere anywhere MAC 00:24:D6:19:BC:6C
ACCEPT tcp -- anywhere anywhere MAC B8:88:E3:A8:E6:26
ACCEPT tcp -- anywhere anywhere MAC 68:94:23:C5:E9:DF
ACCEPT tcp -- anywhere anywhere MAC 00:C2:C6:09:A9:7A
ACCEPT tcp -- anywhere anywhere MAC A4:17:31:EA:89:7B
ACCEPT tcp -- anywhere anywhere MAC 54:53:ED:37:DF:7C
ACCEPT tcp -- anywhere anywhere MAC D4:F4:6F:18:37:92
ACCEPT tcp -- anywhere anywhere MAC 14:10:9F:ED:64:D0
ACCEPT tcp -- anywhere anywhere MAC 00:26:82:59:54:51
ACCEPT tcp -- anywhere anywhere MAC 70:5A:B6:5A:56:AA
ACCEPT tcp -- anywhere anywhere MAC 74:DE:2B:5C:FE:D5
ACCEPT tcp -- anywhere anywhere MAC DC:0E:A1:7A:33:A0
ACCEPT tcp -- anywhere anywhere MAC 64:27:37:25:75:59
ACCEPT tcp -- anywhere anywhere MAC 14:DA:E9:9F:42:86
ACCEPT tcp -- anywhere anywhere MAC 00:1F:3C:58:3F:62
ACCEPT tcp -- anywhere anywhere MAC BC:8C:CD:E7:D9:06
ACCEPT tcp -- anywhere anywhere MAC B4:52:7D:F9:98:D8
ACCEPT tcp -- anywhere anywhere MAC B8:5E:7B:BA:6F:6C
ACCEPT tcp -- anywhere anywhere MAC 68:ED:43:A3:54:67
ACCEPT tcp -- anywhere anywhere MAC 00:21:C5:12:3E:B1
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere localhost

And I'm attaching the FIRE.SH file so you can see how the firewall is put together.

On 31 December 2014 at 1:59, William Romero <wromer...@hotmail.com> wrote:

> > A case came up at work. We have a squid linked to a Win(fucker) 2008 active directory on the 192.168.0.0 network, plus a firewall implemented with iptables. All of it on a Debian 7.
> > So far no problems; users browse perfectly according to the groups assigned in the active directory.
> > The problem appeared just today, when I wanted to extend the network to another subnet (192.168.30.0, which, incidentally, was implemented as a VLAN on a Mikrotik router).
> > The thing is, after adding the route on one of the Debian box's interfaces so that it sees subnet 30, those hosts browse the internet perfectly, but subnet 0 doesn't: nothing web-related works, except e-mail and Skype.
> > What could be going on?
> > With netstat -nr the assigned routes look perfectly fine, so I don't see the problem there... could I be missing some additional rule in the firewall??
> > If it helps I can post the firewall script. The default policy is DROP and then I allow some ports and MAC addresses so that they bypass the proxy.
> >
> > Some info is missing, but guessing I'd say some change affected the squid configuration where the 192.168.0.0/(24?) network was given permission to use it when enabling 192.168.30.0(/24?), or the same thing in iptables where access to the IP:port squid listens on is allowed. Since you say e-mail and Skype work, I rule out routing/NAT problems. When you say they don't browse, what is the error? A squid error saying they don't have permission, or that the clients can't connect to the proxy?
> The ones that don't browse are the hosts on subnet 0 that bypass the squid proxy through an iptables rule by MAC address. If I point those hosts at squid from the browser, they work fine. The strange thing is that that rule worked wonderfully before creating subnet 30.
>
> Have you used the iptables FORWARD NAT to carry 0.0 towards 30.0?
> https://lists.debian.org/debian-user-spanish/2008/11/msg00094.html
> https://albertomolina.wordpress.com/2009/01/09/nat-con-iptables/
>
> regards
> WRC
>
> --
> To UNSUBSCRIBE, email to debian-user-spanish-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmas...@lists.debian.org
> Archive: https://lists.debian.org/bay177-w94a860f656a2ebf7db72bb6...@phx.gbl

--
Fernando Miculan.-
FCM Sistemas
Tel. 15-5435862 / ID: 160*6915*
ICQ: 6410724 / Skype: fcmsistemas
http://ferchobbs.ddns.net
BBS Telnet: ferchobbs.ddns.net:23 <http://ferchobbs.no-ip.org:23>
Attachment: fire.sh (Bourne shell script)
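Added example, not code from the thread or from the attached fire.sh: a small Python audit of the two outputs posted above. Two things a practitioner would want checked in them. First, the routing table lists 192.168.0.0/24 as a directly connected network on both eth0 and eth1, so there are two candidate interfaces for the same prefix. Second, the FORWARD chain (policy DROP) accepts on source port alone (`spt:`) and on MAC address alone. A FORWARD rule that matches only `spt:X` with source and destination `anywhere` lets any host that binds local port X open a new connection through the firewall to any destination; the RELATED,ESTABLISHED rule already covers reply traffic, so the `spt:` rules add exposure without adding function. A `-m mac` match sees the source MAC of the frame as it arrives, i.e. the last layer-2 hop: traffic from a subnet routed through another device (such as the Mikrotik VLAN described in the thread) arrives carrying that router's MAC rather than the client's, and a host on the local segment can spoof an allowed MAC. The sample inputs are excerpts of the output quoted above; the classification heuristics and function names are this example's own.

```python
"""Audit helpers for `netstat -nr` and `iptables -L` output of the kind posted in the thread.

Added example; not code from the thread or from fire.sh. The sample inputs are
constructed from the output quoted in the post, trimmed to a few representative lines.
"""
import re
from collections import defaultdict

# Constructed sample: the routing table from the post, in `netstat -nr` layout.
SAMPLE_ROUTES = """\
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.0.216 0.0.0.0 UG 0 0 0 eth1
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.30.0 192.168.0.1 255.255.255.0 UG 0 0 0 eth0
"""

# Constructed sample: a representative slice of the FORWARD chain from the post.
SAMPLE_FORWARD = """\
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:2222
ACCEPT tcp -- anywhere anywhere tcp spt:2222
ACCEPT tcp -- anywhere anywhere tcp dpt:http MAC 00:21:97:D4:9A:92
ACCEPT tcp -- anywhere anywhere MAC 50:E5:49:93:7D:47
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
"""


def duplicate_connected_routes(netstat_text):
    """Return {(network, genmask): [ifaces]} for directly connected prefixes
    (gateway 0.0.0.0) that appear on more than one interface."""
    seen = defaultdict(list)
    for line in netstat_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 8:
            continue
        dest, gw, mask, iface = cols[0], cols[1], cols[2], cols[7]
        if gw == "0.0.0.0":
            seen[(dest, mask)].append(iface)
    return {k: v for k, v in seen.items() if len(v) > 1}


# target prot opt source destination <remaining match text>
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


def _grab(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_forward(chain_text):
    """Parse `iptables -L` rule lines (with or without -n) into dicts."""
    rules = []
    for line in chain_text.splitlines():
        if not line.strip() or line.startswith(("Chain ", "target ")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        target, prot, _opt, src, dst, rest = m.groups()
        rules.append({
            "target": target, "prot": prot, "src": src, "dst": dst,
            "mac": _grab(r"MAC\s+([0-9A-Fa-f:]{17})", rest),
            "spt": _grab(r"\bspt:(\S+)", rest),
            "dpt": _grab(r"\bdpt:(\S+)", rest),
            "stateful": "RELATED,ESTABLISHED" in rest,
            "line": line,
        })
    return rules


def audit_forward(chain_text):
    """Return (index, kind, line) for ACCEPT rules that are weaker than they read.

    spt-only: matched on source port alone with src/dst anywhere, so any host
              that binds that source port can open a new connection through.
    mac-only: matched on a MAC alone; iptables sees the MAC of the last L2 hop,
              so routed subnets arrive with the router's MAC, and a local host
              can spoof an allowed MAC.
    """
    findings = []
    for i, r in enumerate(parse_forward(chain_text)):
        if r["target"] != "ACCEPT" or r["stateful"]:
            continue
        unrestricted = r["src"] == "anywhere" and r["dst"] == "anywhere"
        if r["spt"] and not r["dpt"] and not r["mac"] and unrestricted:
            findings.append((i, "spt-only", r["line"]))
        elif r["mac"] and not r["spt"] and not r["dpt"] and unrestricted:
            findings.append((i, "mac-only", r["line"]))
    return findings


if __name__ == "__main__":
    for (net, mask), ifaces in duplicate_connected_routes(SAMPLE_ROUTES).items():
        print("connected prefix %s/%s on several interfaces: %s" % (net, mask, ", ".join(ifaces)))
    for idx, kind, line in audit_forward(SAMPLE_FORWARD):
        print("rule %d [%s]: %s" % (idx, kind, line))
```

Run as a script it prints the findings for the embedded samples; the functions return plain data, so the same checks can be pointed at a full `iptables -L -n` or `netstat -nr` dump read from a file. The `spt:` rules in particular are worth revisiting on any chain that already carries a RELATED,ESTABLISHED accept.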