[FC3] Error with IPTABLES script


andanet
18-04-2005, 22:05
Hi guys... I need to ask you for some help.
I've set up a PC with 2 network cards: 1 towards the LAN and 1 connected to a router. The distro is FC3.
Installed squid and iptables.
The iptables script I created is this:
echo "0" > /proc/sys/net/ipv4/ip_forward

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -s 192.168.1.250 -j ACCEPT

echo "# SSH."
iptables -A PREROUTING -t nat -p tcp -d 192.168.1.7 --dport 22 -j DNAT --to 192.168.2.8:22
iptables -A FORWARD -p tcp -d 192.168.2.8 --dport 22 -o eth1 -j ACCEPT

echo "# Web0."
iptables -A PREROUTING -t nat -p tcp -d 192.168.1.7 --dport 8080 -j DNAT --to 192.168.2.8:8080
iptables -A FORWARD -p tcp -d 192.168.2.8 --dport 8080 -o eth1 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -d 192.168.1.7 --dport 443 -j DNAT --to 192.168.2.8:443
iptables -A FORWARD -p tcp -d 192.168.2.8 --dport 443 -o eth1 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -d 192.168.1.7 --dport 10000 -j DNAT --to 192.168.2.8:443
iptables -A FORWARD -p tcp -d 192.168.2.8 --dport 10000 -o eth1 -j ACCEPT

echo "# FTP:"
iptables -A PREROUTING -t nat -p tcp -d 192.168.1.7 --dport 21 -j DNAT --to 192.168.1.7:21
iptables -A FORWARD -p tcp -d 192.168.1.7 --dport 21 -o eth1 -j ACCEPT
iptables -A PREROUTING -t nat -p udp -d 192.168.1.7 --dport 21 -j DNAT --to 192.168.1.7:21
iptables -A FORWARD -p udp -d 192.168.1.7 --dport 21 -o eth1 -j ACCEPT

echo "# SERVER_POPMCLINK dall interno all esterno."
iptables -A PREROUTING -t nat -p tcp -d 192.168.2.8 --dport 110 -j DNAT --to 195.110.128.30:110
iptables -A FORWARD -p tcp -d 195.110.128.30 --dport 110 -o eth0 -j ACCEPT

# enable outgoing mail
# it can talk to all smtp servers
iptables -A FORWARD -p tcp --dport 25 -s 192.168.2.0 -j ACCEPT
# accept the replies
iptables -A FORWARD -d 192.168.2.0 -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "# PROXY INCOMING"
iptables -A FORWARD -p tcp --dport 8080 -s 192.168.2.8 -j ACCEPT
iptables -A FORWARD -d 192.168.2.8 -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "# PROXY OUTGOING"
iptables -A FORWARD -p tcp --dport 80 -s 192.168.1.7 -j ACCEPT
iptables -A FORWARD -d 192.168.1.7 -m state --state ESTABLISHED,RELATED -j ACCEPT


#
# We would like to ask for names from our floppyfw box
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Ping and friends.
#iptables -A OUTPUT -p icmp -j DROP # to both sides.
#iptables -A FORWARD -p icmp -j DROP
#iptables -A INPUT -p icmp -j DROP

# enable incoming mail
#iptables -t nat -A PREROUTING -p tcp --dport 25 -d 80.17.31.90 -j DNAT --to-destination 192.168.1.2
#iptables -t nat -A PREROUTING -p tcp --dport 110 -d 80.17.31.90 -j DNAT --to-destination 192.168.1.2
#iptables -A FORWARD -p tcp --dport 25 -d 192.168.1.2 -j ACCEPT
#iptables -A FORWARD -p tcp --dport 110 -d 192.168.1.2 -j ACCEPT
#iptables -A FORWARD -s 192.168.1.2 -m state --state ESTABLISHED,RELATED -j ACCEPT

# enable outgoing mail
#iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 80.17.31.90

# iptables -A INPUT -s 212.245.250.46 -j ACCEPT
# iptables -A INPUT -s 62.101.126.231 -j ACCEPT
# iptables -A INPUT --dport 53 -o eth0 -j DROP
# iptables -A INPUT -p tcp --dport 53 -j DROP
#iptables -A INPUT -i eth0 -p tcp --destination-port 53 -j DROP
#iptables -A INPUT -i eth0 -p udp --destination-port 53 -j DROP
#iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -j DROP

# And also, DHCP, but we can basically accept anything from the inside.
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT

#Enabling IP forwarding.

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts


I get out to the Internet without any trouble, but mail won't work at all...
Can you tell me where I'm going wrong?
thanks

Psycotic
19-04-2005, 11:49
yes, maybe if you clarify which one is the router..
what addresses your machine with the 2 cards has
and the other things..

andanet
19-04-2005, 14:41
You're right....
I'll make amends

Router IP 192.168.1.1
Eth0 (IP 192.168.1.7) is the card connected directly to the router
Eth1 (IP 192.168.2.8) is the card connected to the LAN

The clients must be able to reach the Internet over http and https, use Thunderbird as their mail client, and that's it.

Sorry again.
Bye
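A minimal ruleset for the topology described in this thread (eth0 192.168.1.7 towards the router, eth1 192.168.2.8 towards the LAN, clients browsing through squid on the gateway and using POP3/SMTP directly), written as an added example for this page and not taken from the thread or from any Fedora script. It assumes the LAN is 192.168.2.0/24 and that squid listens on the gateway itself; gen_rules emits the commands as text so they can be reviewed before being run as root, and the two points a reviewer would check in the original script (the subnet mask on -s, and masquerading of forwarded traffic) are made explicit.

```shell
#!/bin/sh
# Added example: dry-run generator for a two-NIC gateway ruleset.
# Assumed topology (from the thread): eth0 = router side, eth1 = LAN side.
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.2.0/24   # a bare "192.168.2.0" matches only that single host, not the subnet

gen_rules() {
  cat <<EOF
echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# the gateway itself: loopback, replies, and anything from the LAN side (squid, ssh)
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# forwarded LAN traffic: only the mail ports the clients need (web goes through squid)
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp -m multiport --dports 25,110 -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $LAN_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
# forwarded packets must leave with the gateway's address, or the router cannot route replies back
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# helpers for reviewing the generated text
has_rule() { gen_rules | grep -q -F -- "$1"; }
policy_count() { gen_rules | grep -c '^iptables -P '; }

gen_rules
```

Pipe the output to `sh` only after reviewing it; the default-DROP policies are set before any ACCEPT rule, so a typo in the rules locks the gateway out of the LAN until the script is rerun from the console.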