Hi everyone!
I have a problem that I think is in the firewall script!
I have a server with three network cards:
eth0 connected to the modem/router, which also assigns the IP address to the card
eth1 LAN with fixed address 192.168.2.3
eth2 IP address 192.168.5.2, connected to an access point with address 192.168.5.1
The problem is this:
if I ping the server at 192.168.5.2 from any host on the LAN, it's OK
but if I try to ping the access point at 192.168.5.1, it says network unreachable
The problem shows up in a similar way when I connect via wifi: I can do everything except access the internet!
This is the firewall:
Code:
#!/bin/sh
IPTABLES=/usr/sbin/iptables
MODPROBE=/sbin/modprobe
LO=lo
LAN=eth1
WAN=eth0
WLAN=eth2

firewall_start () {
    # Load netfilter modules, including FTP/IRC connection tracking and NAT helpers
    $MODPROBE ip_tables
    $MODPROBE iptable_filter
    $MODPROBE iptable_nat
    $MODPROBE ip_conntrack
    $MODPROBE ip_conntrack_ftp ports=21,31
    $MODPROBE ip_conntrack_irc
    $MODPROBE ip_nat_ftp ports=21,31
    $MODPROBE ip_nat_irc

    # Enable IP forwarding, rp_filter and syncookies
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies

    # Incoming
    $IPTABLES -P INPUT DROP
    $IPTABLES -A INPUT -i $LO -j ACCEPT
    # $IPTABLES -A INPUT -i eth0 -j ACCEPT
    # $IPTABLES -A INPUT -i $LAN -p icmp --icmp-type ping -j DROP
    $IPTABLES -A INPUT -i $WAN -p tcp --dport 23 -j DROP
    $IPTABLES -A INPUT -i $WLAN -s 192.168.5.0/24 -j ACCEPT
    $IPTABLES -A INPUT -i $LAN -s 192.168.2.0/24 -j ACCEPT
    $IPTABLES -A INPUT -i $LAN -p tcp --dport 21 -j ACCEPT
    $IPTABLES -A INPUT -i $LAN -p tcp --dport 55522 -j ACCEPT
    $IPTABLES -A INPUT -i $LAN -p udp --dport bootps -j ACCEPT
    $IPTABLES -A INPUT -i $LAN -p tcp --dport 4711 -j ACCEPT
    $IPTABLES -A INPUT -i $WAN -p tcp --dport 55522 -j ACCEPT
    $IPTABLES -A INPUT -i $WAN -p tcp --dport ftp -j ACCEPT
    $IPTABLES -A INPUT -i $WAN -p tcp --dport 31 -j ACCEPT
    # $IPTABLES -A INPUT -i $WAN -p tcp --dport 5901 -j ACCEPT
    $IPTABLES -A INPUT -i $WAN -p tcp --dport 4663 -j ACCEPT
    $IPTABLES -A INPUT -i $WAN -p tcp --dport 4666 -j ACCEPT
    $IPTABLES -A INPUT -i $WAN -p udp --dport 4673 -j ACCEPT
    $IPTABLES -A INPUT -i $WAN -p tcp --dport auth -j REJECT --reject-with tcp-reset
    $IPTABLES -A INPUT -i $WAN -p tcp --dport 4711 -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Forwarding (no "-P FORWARD" is set, so the chain keeps the kernel default policy)
    # The next two rules have no -j target: they only count packets, they decide nothing
    $IPTABLES -A FORWARD -i $WAN
    $IPTABLES -A FORWARD -o $WAN
    $IPTABLES -A FORWARD -i $WLAN -o $LAN -j ACCEPT
    $IPTABLES -A FORWARD -p udp -m multiport --dport 137,138,139,445 -j DROP
    $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

    # Masquerading
    $IPTABLES -t nat -A POSTROUTING -o $WAN -j MASQUERADE
}

# The posted excerpt ended inside the function; closing brace and call added so the script runs
firewall_start

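Added example, not the poster's script: a small Python model of the FORWARD chain posted above, showing which inter-interface paths that firewall actually permits. It assumes the kernel's built-in FORWARD policy (ACCEPT, since the script never sets one), that a rule written without -j decides no verdict, and that TCPMSS is non-terminating; the interface names and ports are the ones in the post.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass
class Packet:
    in_if: str            # interface the packet arrived on
    out_if: str           # interface the routing decision chose
    proto: str = "tcp"
    dport: int = 80

@dataclass(frozen=True)
class Rule:
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    proto: Optional[str] = None
    dports: FrozenSet[int] = frozenset()
    target: Optional[str] = None   # None models a rule written without -j: it only counts

    def matches(self, p: Packet) -> bool:
        return ((self.in_if is None or self.in_if == p.in_if)
                and (self.out_if is None or self.out_if == p.out_if)
                and (self.proto is None or self.proto == p.proto)
                and (not self.dports or p.dport in self.dports))

# FORWARD chain transcribed from the post (WAN=eth0, LAN=eth1, WLAN=eth2).
# The TCPMSS rule is left out: it rewrites the MSS and never ends the chain walk.
FORWARD: List[Rule] = [
    Rule(in_if="eth0"),
    Rule(out_if="eth0"),
    Rule(in_if="eth2", out_if="eth1", target="ACCEPT"),
    Rule(proto="udp", dports=frozenset({137, 138, 139, 445}), target="DROP"),
]
# The script never runs "-P FORWARD", so the kernel's built-in default, ACCEPT, applies.
FORWARD_POLICY = "ACCEPT"

TERMINATING = {"ACCEPT", "DROP", "REJECT"}

def verdict(p: Packet, chain: List[Rule] = FORWARD, policy: str = FORWARD_POLICY) -> str:
    """Walk the chain like netfilter: the first matching terminating target wins,
    non-terminating rules fall through, and an unmatched packet gets the policy."""
    for rule in chain:
        if rule.matches(p) and rule.target in TERMINATING:
            return rule.target
    return policy

def forwarding_matrix(ifaces=("eth0", "eth1", "eth2")) -> dict:
    """Verdict for a plain TCP/80 flow between every pair of distinct interfaces."""
    return {(a, b): verdict(Packet(a, b)) for a in ifaces for b in ifaces if a != b}
```

`forwarding_matrix()` comes out ACCEPT for every pair, including eth0 -> eth1, so nothing in this chain produces the "network unreachable" reported above, and WAN-to-LAN forwarding is also left unrestricted by the firewall.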