uovobw
15-11-2004, 21:17
Hi everyone,
I'm going crazy, I've tried everything but absolutely nothing works!
So:
I have one machine (linux-FC1) that connects to the internet via ppp0, and a linux-deb machine that connects to the first one via eth0.
On both the DNS servers are set and the networks are up; one is 192.168.0.1 (the machine connected to the internet) and the other is *.*.*.2 (the Debian one), but they don't ping each other and I get "destination host is unreachable".
My firewall is this:
#!/bin/bash
#modules...
/sbin/modprobe ipt_state
/sbin/modprobe ip_conntrack
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_length
/sbin/modprobe iptable_filter
/sbin/modprobe ip_tables
/sbin/modprobe n_hdlc
/sbin/modprobe ip_conntrack_ftp ip_nat_ftp
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_MASQUERADE
# the dreaded proc
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/secure_redirects
echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward
#flush the rules
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
# reset the rules
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -t nat -P PREROUTING DROP
/sbin/iptables -t nat -P POSTROUTING DROP
# ping
#/sbin/iptables -A INPUT -p icmp -i ppp0 -m state --state ESTABLISHED -j ACCEPT
#/sbin/iptables -A INPUT -p icmp -i ppp0 -m state --state RELATED -j ACCEPT
#/sbin/iptables -A INPUT -p icmp -i ppp0 --icmp-type echo-request -m length --length 128:65535 -j DROP
#/sbin/iptables -A INPUT -p icmp -i ppp0 --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
#/sbin/iptables -A INPUT -p icmp -i ppp0 -j REJECT --reject-with icmp-host-unreachable
#/sbin/iptables -A OUTPUT -p icmp -m state --state ESTABLISHED -j LOG --log-level 1
#/sbin/iptables -A OUTPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
#/sbin/iptables -A OUTPUT -p icmp -m state --state RELATED -j LOG --log-level 1
#/sbin/iptables -A OUTPUT -p icmp -m state --state RELATED -j ACCEPT
#/sbin/iptables -A OUTPUT -p icmp --icmp-type echo-request -m length --length 128:65535 -j DROP
#/sbin/iptables -A OUTPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# drop INVALID connections
/sbin/iptables -A INPUT -m state --state INVALID -j LOG --log-level 1
/sbin/iptables -A OUTPUT -m state --state INVALID -j LOG --log-level 1
/sbin/iptables -A FORWARD -m state --state INVALID -j LOG --log-level 1
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
/sbin/iptables -A FORWARD -m state --state INVALID -j DROP
# drop spoofed packets from the network interface
#/sbin/iptables -A INPUT -i ppp0 --source 192.168.0.* -j DROP
#/sbin/iptables -A INPUT -i ppp0 --source 10/8.*.*.* -j DROP
#/sbin/iptables -A INPUT -i ppp0 --source 172.16/12.*.* -j DROP
#/sbin/iptables -A INPUT -i ppp0 --source 192.168/16.*.* -j DROP
#/sbin/iptables -A INPUT -i ppp0 --source 127/8.*.*.* -j DROP
#small local network
#/sbin/iptables -A INPUT -i eth0 --source 192.168.0.2 -j ACCEPT
#/sbin/iptables -A INPUT --source localhost -p tcp --dport 2009 -j ACCEPT
#/sbin/iptables -A INPUT --source localhost -p udp --dport 2009 -j ACCEPT
# allow all established and related
/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -m state --state RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state RELATED -j ACCEPT
#aMule
#/sbin/iptables -A INPUT -i ppp0 -p tcp --dport 4660 -j ACCEPT
#/sbin/iptables -A INPUT -i ppp0 -p udp --dport 4670 -j ACCEPT
#/sbin/iptables -A INPUT -i ppp0 -p udp --dport 4663 -j ACCEPT
#/sbin/iptables -A INPUT --source 127.0.0.1 -p tcp --dport 1241 -j ACCEPT
#---------------------------------------------------------------
#bring up the ethernet
#/sbin/ifconfig eth0 192.168.0.1 netmask 255.255.255.0 up
# Enable NAT (routing)
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
/sbin/iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
and in theory it should work!!!!
but it doesn't; if I ping google.com from the Debian machine it says host unknown!!
I don't know what to think anymore...
also, the two machines don't ping each other...
my routing table:
1 Kernel IP routing table
2 Destination      Gateway          Genmask          Flags Metric Ref Use Iface
3 c72g1.mo-atm1.n  *                255.255.255.255  UH    0      0   0   ppp0
4 192.168.0.0      *                255.255.255.0    U     0      0   0   ppp0
5 192.168.0.0      *                255.255.255.0    U     0      0   0   eth0
6 default          c72g1.mo-atm1.n  0.0.0.0          UG    0      0   0   ppp0
lines 3 and 6 are for my USB ADSL; the other 2 (4 and 5) I added while messing around, and now I can't remove them.
Who can give me a hand??
do you need any other info?
thanks, bye
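The following is an added example, not the poster's script: a corrected version of the gateway firewall above, written the way a reviewer would hand it back. It assumes the layout described in the post (eth0 = 192.168.0.1 on a 192.168.0.0/24 LAN, ppp0 = the ADSL uplink, the Debian box using the gateway as default route) and addresses the three things in the post that break LAN and forwarded traffic regardless of everything else: the DROP policies on the nat table, the missing INPUT rule for the LAN, and the duplicate 192.168.0.0/24 route on ppp0 that, together with rp_filter=1, makes the gateway discard packets from 192.168.0.2 arriving on eth0. It also turns off the two sysctls (accept_source_route, send_redirects) that the original set to 1. Running it with IPT=echo ROUTE=echo only prints the iptables/route commands; `./fw.sh apply` applies them.

```shell
#!/bin/bash
# Added example: corrected gateway firewall for the layout in the post
# (eth0 = 192.168.0.1/24 LAN, ppp0 = ADSL uplink). Not the poster's script.
# Assumed: LAN is 192.168.0.0/24 and the Debian box routes through this host.
# IPT=echo ROUTE=echo gives a dry run that only prints the commands.

IPT=${IPT:-/sbin/iptables}
ROUTE=${ROUTE:-/sbin/route}
SYSCTL_ROOT=${SYSCTL_ROOT:-/proc/sys/net/ipv4}
LAN_IF=eth0
WAN_IF=ppp0
LAN_NET=192.168.0.0/24

sysctl_hardening() {
    # Forwarding is required on a gateway; the rest hardens the IP stack.
    echo 1 > "$SYSCTL_ROOT/ip_forward"
    echo 1 > "$SYSCTL_ROOT/tcp_syncookies"
    echo 1 > "$SYSCTL_ROOT/icmp_echo_ignore_broadcasts"
    echo 1 > "$SYSCTL_ROOT/icmp_ignore_bogus_error_responses"
    echo 1 > "$SYSCTL_ROOT/conf/all/rp_filter"
    echo 1 > "$SYSCTL_ROOT/conf/all/log_martians"
    # The posted script set these two to 1. A gateway should neither accept
    # source-routed packets nor send ICMP redirects to the hosts behind it.
    echo 0 > "$SYSCTL_ROOT/conf/all/accept_source_route"
    echo 0 > "$SYSCTL_ROOT/conf/all/send_redirects"
}

fix_routes() {
    # The posted table lists 192.168.0.0/24 on both ppp0 and eth0, ppp0 first.
    # Traffic to the Debian box is therefore sent out the ADSL link, and with
    # rp_filter=1 its packets arriving on eth0 fail the reverse-path check.
    # Only the eth0 route may stay.
    "$ROUTE" del -net 192.168.0.0 netmask 255.255.255.0 dev ppp0
}

rules() {
    $IPT -F INPUT; $IPT -F OUTPUT; $IPT -F FORWARD
    $IPT -t nat -F; $IPT -t mangle -F

    # Default deny for inbound and forwarded traffic lives in the filter table.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # The nat table sees only the first packet of each connection and is not a
    # filter. "-t nat -P PREROUTING DROP" discarded every new connection entering
    # the box (the Debian pings and DNS lookups never reached FORWARD), and
    # "-t nat -P POSTROUTING DROP" discarded every new locally originated
    # connection leaving via eth0, since the only nat rule matched -o ppp0.
    $IPT -t nat -P PREROUTING ACCEPT
    $IPT -t nat -P POSTROUTING ACCEPT
    $IPT -t nat -P OUTPUT ACCEPT

    $IPT -A INPUT -i lo -j ACCEPT

    # Log, then drop, packets conntrack cannot tie to a connection.
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -A "$chain" -m state --state INVALID -j LOG --log-level 1 --log-prefix "INVALID $chain: "
        $IPT -A "$chain" -m state --state INVALID -j DROP
    done
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing on the uplink: private and loopback sources never arrive
    # from the ISP. iptables wants CIDR here, not the "10/8.*.*.*" spelling.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        $IPT -A INPUT -i "$WAN_IF" -s "$net" -j DROP
    done

    # The LAN may talk to the gateway itself (ping, and DNS if it resolves for
    # the LAN). With this rule commented out and INPUT DROP, 192.168.0.1 never
    # answered the Debian box.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    # Answer echo requests from the uplink, rate-limited.
    $IPT -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

    # NAT: masquerade only LAN sources, forward only LAN-initiated connections.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

if [ "${1:-}" = apply ]; then
    sysctl_hardening
    fix_routes
    rules
fi
```

After applying, `route -n` should show a single 192.168.0.0/24 entry on eth0, and `iptables -t nat -L -n` should show ACCEPT policies on all three nat chains; any filtering that is still wanted on new connections goes into INPUT or FORWARD, never into the nat table.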