Ciao a tutti!
Ho un problema che credo sia nello script del firewall!
Ho un server con tre schede di rete:
eth0 collegata al modem/router che fornisce anche l'indirizzo ip alla scheda
eth1 lan con indirizzo fisso 192.168.2.3
eth2 indirizzo ip 192.168.5.2 collegato ad un access point indirizzo 192.168.5.1
il problema e' questo:
se da un qualsiasi host della LAN faccio un ping al server sull'indirizzo 192.168.5.2 funziona
invece se provo a farlo all'access point 192.168.5.1 mi dice rete irraggiungibile
un problema simile si presenta quando mi collego via wifi: riesco a fare tutto ma non ad accedere a internet!
questo e' il firewall:
codice:
#!/bin/sh
# Absolute paths of the external tools the script invokes (iptables rules,
# kernel module loading), so it does not depend on the caller's PATH.
IPTABLES="/usr/sbin/iptables"
MODPROBE="/sbin/modprobe"
# Interface roles used in the rules below: loopback, the wired LAN
# (192.168.2.0/24), the upstream link to the modem/router, and the link
# towards the wireless access point (192.168.5.0/24).
LO="lo"
LAN="eth1"
WAN="eth0"
WLAN="eth2"
firewall_start ()
{
$MODPROBE ip_tables
$MODPROBE iptable_filter
$MODPROBE iptable_nat
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp ports=21,31
$MODPROBE ip_conntrack_irc
$MODPROBE ip_nat_ftp ports=21,31
$MODPROBE ip_nat_irc
# Enable IP forwarding, rp_filter and syncookies
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Incoming
$IPTABLES -P INPUT DROP
$IPTABLES -A INPUT -i $LO -j ACCEPT
# $IPTABLES -A INPUT -i eth0 -j ACCEPT
# $IPTABLES -A INPUT -i $LAN -p icmp --icmp-type ping -j DROP
$IPTABLES -A INPUT -i $WAN -p tcp --dport 23 -j DROP
$IPTABLES -A INPUT -i $WLAN -s 192.168.5.0/24 -j ACCEPT
$IPTABLES -A INPUT -i $LAN -s 192.168.2.0/24 -j ACCEPT
$IPTABLES -A INPUT -i $LAN -p tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -i $LAN -p tcp --dport 55522 -j ACCEPT
$IPTABLES -A INPUT -i $LAN -p udp --dport bootps -j ACCEPT
$IPTABLES -A INPUT -i $LAN -p tcp --dport 4711 -j ACCEPT
$IPTABLES -A INPUT -i $WAN -p tcp --dport 55522 -j ACCEPT
$IPTABLES -A INPUT -i $WAN -p tcp --dport ftp -j ACCEPT
$IPTABLES -A INPUT -i $WAN -p tcp --dport 31 -j ACCEPT
# $IPTABLES -A INPUT -i $WAN -p tcp --dport 5901 -j ACCEPT
$IPTABLES -A INPUT -i $WAN -p tcp --dport 4663 -j ACCEPT
$IPTABLES -A INPUT -i $WAN -p tcp --dport 4666 -j ACCEPT
$IPTABLES -A INPUT -i $WAN -p udp --dport 4673 -j ACCEPT
$IPTABLES -A INPUT -i $WAN -p tcp --dport auth -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -i $WAN -p tcp --dport 4711 -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Forwarding
$IPTABLES -A FORWARD -i $WAN
$IPTABLES -A FORWARD -o $WAN
$IPTABLES -A FORWARD -i $WLAN -o $LAN -j ACCEPT
$IPTABLES -A FORWARD -p udp -m multiport --dport 137,138,139,445 -j DROP
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Masquerading
$IPTABLES -t nat -A POSTROUTING -o $WAN -j MASQUERADE