On Wed, Feb 02, 2005 at 10:02:59AM -0300, [EMAIL PROTECTED] wrote:
> Date: Wed, 2 Feb 2005 10:02:59 -0300
> From: [EMAIL PROTECTED]
> Subject: Re: redireccionar ssh a la lan
> To: debian-user-spanish@lists.debian.org
> X-Mailer: Microsoft Outlook Express 6.00.2800.1478
>
> walter:
> depende de varias cosas, por ej.: que el chain FORWARD tenga la default
> policy DROP y no lo estés aceptando. Sería bueno que postees las reglas
> (completas, que no falte nada) como para poder ayudarte.
>
> Igualmente, te comento que en mi casa forwardeo con iptables a una de las
> PCs de adentro de la LAN, y no tengo ningún problema.
Es un choclo... no me maten:
#!/bin/sh
# Absolute path to the iptables binary; every rule below is issued through
# this variable rather than by a bare command name.
IPTABLES='/sbin/iptables'
case "$1" in
stop)
echo "Shutting down firewall..."
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
echo "...done"
;;
status)
echo $"Table: filter"
iptables --list
echo $"Table: nat"
iptables -t nat --list
echo $"Table: mangle"
iptables -t mangle --list
;;
restart|reload)
$0 stop
$0 start
;;
start)
echo "Starting Firewall..."
echo ""
##--Begin Firewall-##
#Default-Interfaces-#
## Default external interface (used, if EXTIF isn't specified on command line)
DEFAULT_EXTIF="eth0"
## Default internal interface (used, if INTIF isn't specified on command line)
DEFAULT_INTIF="eth1"
#Special Variables-#
# IP Mask for all IP addresses
UNIVERSE="0.0.0.0/0"
# Specification of the high unprivileged IP ports.
UNPRIVPORTS="1024:65535"
# Specification of X Window System (TCP) ports.
XWINPORTS="6000:6063"
#Flood Variables-#
# Overall Limit for TCP-SYN-Flood detection
TCPSYNLIMIT="5/s"
# Burst Limit for TCP-SYN-Flood detection
TCPSYNLIMITBURST="10"
# Overall Limit for Loggging in Logging-Chains
LOGLIMIT="2/s"
# Burst Limit for Logging in Logging-Chains
LOGLIMITBURST="10"
# Overall Limit for Ping-Flood-Detection
PINGLIMIT="5/s"
# Burst Limit for Ping-Flood-Detection
PINGLIMITBURST="10"
#Automatically determine infos about involved interfaces-#
### External Interface:
## Get external interface from command-line
## If no interface is specified then set $DEFAULT_EXTIF as EXTIF
if [ "x$2" != "x" ]; then
EXTIF=$2
else
EXTIF=$DEFAULT_EXTIF
fi
echo External Interface: $EXTIF
## Interfaz que conecta a internet, en este caso la eth0 conecta
## al modem ADSL - Determine external IP 200.40.171.158
EXTIP="`ifconfig $EXTIF | grep inet | cut -d : -f 2 | cut -d \ -f 1`"
if [ "$EXTIP" = '' ]; then
echo "Aborting: Unable to determine the IP-address of $EXTIF !"
exit 1
fi
echo External IP: $EXTIP
## Determine external gateway 200.40.171.157
EXTGW=`route -n | grep -A 4 UG | awk '{ print $2}'`
echo Default GW: $EXTGW
echo " --- "
### Internal Interface:
## Get internal interface from command-line
## If no interface is specified then set $DEFAULT_INTIF as INTIF
if [ "x$3" != "x" ]; then
INTIF=$3
else
INTIF=$DEFAULT_INTIF
fi
echo Internal Interface: $INTIF
## Interfaz que conecta con la LAN - Determine internal IP 192.168.1.9
INTIP="`ifconfig $INTIF | grep inet | cut -d : -f 2 | cut -d \ -f 1`"
if [ "$INTIP" = '' ]; then
echo "Aborting: Unable to determine the IP-address of $INTIF !"
exit 1
fi
echo Internal IP: $INTIP
## Determine internal netmask
INTMASK="`ifconfig $INTIF | grep Mask | cut -d : -f 4`"
echo Internal Netmask: $INTMASK
## Determine network address of the internal network
INTLAN=$INTIP'/'$INTMASK
echo Internal LAN: $INTLAN
echo ""
#Load IPTABLES-modules-#
#Insert modules- should be done automatically if needed
#If the IRC-modules are available, uncomment them below
echo "Loading IPTABLES modules"
dmesg -n 1
#Kill copyright display on module load
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
#/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
#sbin/modprobe ip_conntrack_irc ports=$IRCPORTS
#sbin/modprobe ip_nat_irc ports=$IRCPORTS
dmesg -n 6
echo " --- "
#Clear/Reset all chains-#
#Clear all IPTABLES-chains
#Flush everything, start from scratch
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat