[an error occurred while processing this directive] [an error occurred while processing this directive][an error occurred while processing this directive] [an error occurred while processing this directive] [an error occurred while processing this directive] [an error occurred while processing this directive] (none) [an error occurred while processing this directive] [an error occurred while processing this directive] [an error occurred while processing this directive] [an error occurred while processing this directive] [an error occurred while processing this directive][an error occurred while processing this directive] [an error occurred while processing this directive][an error occurred while processing this directive] [an error occurred while processing this directive][an error occurred while processing this directive] [an error occurred while processing this directive] [an error occurred while processing this directive] [an error occurred while processing this directive] (none) [an error occurred while processing this directive] [an error occurred while processing this directive] [an error occurred while processing this directive][an error occurred while processing this directive]
 
[an error occurred while processing this directive] [an error occurred while processing this directive]
Skåne Sjælland Linux User Group - http://www.sslug.dk Home   Subscribe   Mail Archive   Forum   Calendar   Search
MhonArc Date: [Date Prev] [Date Index] [Date Next]   Thread: [Date Prev] [Thread Index] [Date Next]   MhonArc
 

Re: [NETVAERK] IPTABLES til 4netkort



Per Jørgensen skrev:

Hej SSlug!
Jeg har nu siddet og studeret hele weekenden omkring IPTABLES og prøver at få dette til at fungere - Dog render jeg konstant panden ind i en mur! Da jeg simpelthen ikke kan få hul igennem den maskine! En Soekris Net4801+Lan1621! Der har jeg lavet et script til - men umiddelbart kan der ikke komme hul igennem på dette! Da dette er min første IPTABLES konfiguration er det måske lidt voldsomt - Men skal jo lære noget! Er der nogle der kan se nogle fejl i dette script! Min mening er følgende:
eth0 --> LAN -- 172.16.0.0/24 --> til almindelige klienter
eth1 --> WAN -- Statisk IP eth2 --> DMZ -- 172.16.10.0/24 --> til servere eth3 --> Wireless --172.16.1.0/24 --> til alle bærbare

Umiddelbart kan jeg ikke se udfra man iptables og andre dokumenter på nettet omkring fejl - Men der må være noget jeg totalt har overset eller misforstået!!!
Til at starte med prøver jeg hjemmefra at tilslutte eth1 til min router og få en statisk IP fra den (således agerer jeg internet) Men der kan jeg slet ikke komme i kontakt med nettet! men smider jeg den i eth0 - så er der fint hul igennem - spørgsmålet er så - er det normalt eller skal det fungere den anden vej også??
2. Skal der bygges broer imellem kortene?? -- men er det ikke det samme IPTABLES gør?? Nå men om ikke andet - om der er en flink sjæl der kan se om jeg har misforstået noget totalt her???

# Dette script er lavet til oprettelse af firewall


##############################################################################
# Betegnelse af netvaerk & maskiner mm

##############################################################################
### Netvaerk ###
LAN="172.16.0.0/24"
ETH_LAN="eth0"
WAN="192.168.0.199"
ETH_WAN="eth1"
DMZ="172.16.10.0/24"
ETH_DMZ="eth2"
WRL="172.16.1.0/24"
ETH_WRL="eth3"
LO="127.0.0.1/8"
ETH_LO="lo"

### Maskiner ###
ATLANTIS="172.16.10.10"
HERCULES="172.16.0.2"


##############################################################################
# Selve opsaetningen af diverse kaeder mm

##############################################################################

# Disable routing inden regler starter
echo > /proc/sys/net/ipv4/ip_forward

# Regler og policies flushes
echo " Flushing rules and policies"
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
echo " Done...."

# Laver de nye kaeder
echo "Making the new chains"
iptables -N lo
iptables -F lo
iptables -N lan
iptables -F lan
iptables -N wan
iptables -F wan
iptables -N dmz
iptables -F dmz
iptables -N wrl
iptables -F wrl echo " Done...."

# Laver de nye forwarderkaeder
echo "Making FORWARD chains"
# Fra WAN til andre interfaces
iptables -N wantodmz
iptables -F wantodmz
iptables -N wantolan
iptables -F wantolan
iptables -N wantowrl
iptables -F wantowrl
# Fra LAN til andre interfaces
iptables -N lantodmz
iptables -F lantodmz
iptables -N lantowan
iptables -F lantowan
iptables -N lantowrl
iptables -F lantowrl
# Fra DMZ til andre interfaces
iptables -N dmztolan
iptables -F dmztolan
iptables -N dmztowan
iptables -F dmztowan
iptables -N dmztowrl
iptables -F dmztowrl
# Fra WRL til andre interfaces
iptables -N wrltodmz
iptables -F wrltodmz
iptables -N wrltowan
iptables -F wrltowan
iptables -N wrltolan
iptables -F wrltolan
echo " Done...."

# Flusher NAT POSTROUTING PREROUTING
echo "Flushing NAT - POSTROUTING & PREROUTING"
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
echo " Done.... NAT module finished"

# Sikrer lokal kommunikation
echo "Setting up local chain"
iptables -A lo -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
echo " Done.... Local chain is up and running"

# Setting up lan chain
echo "Setting up LAN chain"
# Sikrer mod IP-spoffing
iptables -A lan -s $WAN -j DROP
iptables -A lan -s $LO -j DROP
iptables -A lan -s $DMZ -j DROP iptables -A lan -s $WRL -j DROP
iptables -A lan -s $LAN -j DROP
# Accepterer alt andet trafik
iptables -A lan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A lan -j LOG --log-prefix "FW LAN:"
iptables -A lan -j DROP
echo " Done....LAN chain is running"

# Setting up WAN chain
echo "Setting up WAN chain"
# Sikrer imod Ip_spoofing
iptables -A wan -s $WAN -j DROP
iptables -A wan -s $DMZ -j DROP
iptables -A wan -s $LAN -j DROP
iptables -A wan -s $LO -j DROP
iptables -A wan -s $WRL -j DROP
# Accepterer alt andet trafik
iptables -A wan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A wan -j LOG --log-prefix "FW WAN:"
iptables -A wan -j DROP
echo " Done....WAN chain is running"

# Setting up DMZ chain
echo "Setting up DMZ chain"
# Sikrer imod IP_spoofing
iptables -A dmz -s $WAN -j DROP
iptables -A dmz -s $LAN -j DROP
iptables -A dmz -s $WRL -j DROP
iptables -A dmz -s $LO -j DROP
iptables -A dmz -s $DMZ -j DROP
# Accepterer alle andre forbindelser
iptables -A dmz -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A dmz -j LOG --log-prefix "FW DMZ:"
iptables -A dmz -j DROP
echo " Done....DMZ chain is running"

# Setting up WRL chain
echo "Setting up WRL chain"
# Sikrer imod Ip_spoofing
iptables -A wrl -s $WAN -j DROP
iptables -A wrl -s $LO -j DROP
iptables -A wrl -s $LAN -j DROP
iptables -A wrl -s $DMZ -j DROP
iptables -A wrl -s $WRL -j DROP
# Accepterer alle andre forbindelser
iptables -A wrl -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A wrl -j LOG --log-prefix "FW WRL:"
iptables -A wrl -j DROP
echo " Done....WRL chain is running"



##############################################################################
# Selve firewall reglerne

##############################################################################
echo "Setting up DMZ portfarwarding"
# SSH
iptables -t nat -A PREROUTING -i $ETH_WAN -d $WAN -p tcp --dport 22 -j DNAT --to-destination $ATANLTIS:22
iptables -A wantodmz -d $ATLANTIS -p tcp --dport 22 -j ACCEPT
# SMTP
iptables -t nat -A PREROUTING -i $ETH_WAN -d $WAN -p tcp --dport 25 -j DNAT --to-destination $ATLANTIS:25 iptables -A wantodmz -d $ATLANTIS -p tcp --dport 25 -j ACCEPT # HTTP iptables -t nat -A PREROUTING -i $ETH_WAN -d $WAN -p tcp --dport 80 -j DNAT --to-destination $ATLANTIS:80
iptables -A wantodmz -d $ATLANTIS -p tcp --dport 80 -j ACCEPT
# IMAP iptables -t nat -A PREROUTING -i $ETH_WAN -d $WAN -p tcp --dport 143 -j DNAT --to-destination $ATALNTIS:143
iptables -A wantodmz -d $ATLANTIS -p tcp --dport 143 -j ACCEPT

echo " Done.... DMZ portforwarding is up and running"

# Setting up hide NAT
echo "Setting up masquerading - NAT chains"
# NAT from LAN to WAN
iptables -t nat -A POSTROUTING -s $LAN -o $ETH_WAN -j SNAT --to-source $WAN
iptables -t nat -A POSTROUTING -s $DMZ -o $ETH_WAN -j SNAT --to-source $WAN
iptables -t nat -A POSTROUTING -s $WRL -o $ETH_WAN -j SNAT --to-source $WAN echo " Done....NAT chains are up and running"

# Selve reglerne for firewallen
echo "Setting up the rules"
# Packets from DMZ to WAN
iptables -A dmztowan --source $ATLANTIS -p tcp --dport 25 -j ACCEPT
iptables -A dmztowan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A dmztowan -j LOG --log-prefix "FW DMZTOWAN:"
iptables -A dmztowan -j DROP

# Packets from WAN to DMZ
iptables -A wantodmz -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A wantodmz -j LOG --log-prefix "FW WANTODMZ:"
iptables -A wantodmz -j DROP

# packets from DMZ to LAN
iptables -A dmztolan --source $WAN -d $LAN -p tcp --dport 25 -j ACCEPT
iptables -A dmztolan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A dmztolan -j LOG --log-prefix "FW DMZTOLAN:"
iptables -A dmztolan -j DROP

# packets from LAN to DMZ
iptables -A lantodmz -s $LAN -d $DMZ -p tcp --dport 80 -j ACCEPT
iptables -A lantodmz -s $LAN -d $DMZ -p tcp --dport 22 -j ACCEPT iptables -A lantodmz -s $LAN -d $DMZ -p tcp --dport 25 -j ACCEPT
iptables -A lantodmz -s $LAN -d $DMZ -p tcp --dport 143 -j ACCEPT
# Logning af trafik iptables -A lantodmz -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A lantodmz -j LOG --log-prefix "FW LANTODMZ:"
iptables -A lantodmz -j DROP

# Packets FROM WRL to DMZ
iptables -A wrltodmz -s $WRL -d $DMZ -p tcp --dport 80 -j ACCEPT
iptables -A wrltodmz -s $WRL -d $DMZ -p tcp --dport 22 -j ACCEPT
iptables -A wrltodmz -s $WRL -d $DMZ -p tcp --dport 25 -j ACCEPT
iptables -A wrltodmz -s $WRL -d $DMZ -p tcp --dport 143 -j ACCEPT
# Logning af trafik
iptables -A wrltodmz -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A wrltodmz -j LOG --log-prefix "FW WRLTODMZ:"
iptables -A wrltodmz -j DROP

# Packets from LAN to WAN
iptables -A lantowan -s $LAN -p tcp --dport 80 -j ACCEPT
iptables -A lantowan -s $LAN -p tcp --dport 443 -j ACCEPT
iptables -A lantowan -s $LAN -p tcp --dport 21 -j ACCEPT
iptables -A lantowan -s $LAN -p tcp --dport 22 -j ACCEPT

iptables -A lantowan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A lantowan -j LOG --log-prefix "FW LANTOWAN:"
iptables -A lantowan -j DROP
# Packets from WAN to LAN iptables -A wantolan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A wantolan -j LOG --log-prefix "FW WANTOLAN PORTFWD:"
iptables -A wantolan -j DROP

# Packets from WRL to WAN
iptables -A wrltowan -s $WRL -p tcp --dport 80 -j ACCEPT
iptables -A wrltowan -s $WRL -p tcp --dport 443 -j ACCEPT
iptables -A wrltowan -s $WRL -p tcp --dport 21 -j ACCEPT
iptables -A wrltowan -s $WRL -p tcp --dport 22 -j ACCEPT

iptables -A wrltowan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A wrltowan -j LOG --log-prefix "FW WRLTOWAN:"
iptables -A wrltowan -j DROP
# Packets from WAN to WRL
iptables -A wantowrl -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A wantowrl -j LOG --log-prefix "FW WANTOWRL PORTFWD:"
iptables -A wantowrl -j DROP

echo " Done....Firewall rules is up and running"

# Loading the different modules
echo "Loading the modules"
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
echo " Done...."

# Activating the chains
echo "Activating the chains"
iptables -A INPUT -i $ETH_LAN -j lan
iptables -A INPUT -i $ETH_WAN -j wan
iptables -A INPUT -i $ETH_DMZ -j dmz
iptables -A INPUT -i $ETH_WRL -j wrl
iptables -A INPUT -i $ETH_LO -j lo
iptables -A FORWARD -i $ETH_WAN -o $ETH_DMZ -j wantodmz
iptables -A FORWARD -i $ETH_WAN -o $ETH_LAN -j wantolan
iptables -A FORWARD -i $ETH_WAN -o $ETH_WRL -j wantowrl
iptables -A FORWARD -i $ETH_LAN -o $ETH_DMZ -j lantodmz
iptables -A FORWARD -i $ETH_LAN -o $ETH_WAN -j lantowan
iptables -A FORWARD -i $ETH_LAN -o $ETH_WRL -j lantowrl
iptables -A FORWARD -i $ETH_DMZ -o $ETH_WAN -j dmztowan
iptables -A FORWARD -i $ETH_DMZ -o $ETH_LAN -j dmztolan
iptables -A FORWARD -i $ETH_DMZ -o $ETH_WRL -j dmztowrl
iptables -A FORWARD -i $ETH_WRL -o $ETH_WAN -j wrltowan
iptables -A FORWARD -i $ETH_WRL -o $ETH_LAN -j wrltolan
iptables -A FORWARD -i $ETH_WRL -o $ETH_DMZ -j wrltodmz

echo "Done.... activating the chains"

Jeg får ingen fejl på scriptet - men absolut heller ingen forbindelse eller lign igennem!!

På forhånd tak
Per Jørgensen

Hov Ved ikke lige helt hvad der skete men originalt ser det således ud:
omkring hvilke porte :
# SMTP
iptables -t nat -A PREROUTING -i $ETH_WAN -d $WAN -p tcp --dport 25 -j DNAT --to-destination $ATLANTIS:25 iptables -A wantodmz -d $ATLANTIS -p tcp --dport 25 -j ACCEPT # HTTP iptables -t nat -A PREROUTING -i $ETH_WAN -d $WAN -p tcp --dport 80 -j DNAT --to-destination $ATLANTIS:80
iptables -A wantodmz -d $ATLANTIS -p tcp --dport 80 -j ACCEPT
# IMAP iptables -t nat -A PREROUTING -i $ETH_WAN -d $WAN -p tcp --dport 143 -j DNAT --to-destination $ATALNTIS:143
iptables -A wantodmz -d $ATLANTIS -p tcp --dport 143 -j ACCEPT






 
Home   Subscribe   Mail Archive   Index   Calendar   Search

 
 
Questions about the web-pages to <www_admin>. Last modified 2006-09-01, 02:01 CEST [an error occurred while processing this directive]
This page is maintained by [an error occurred while processing this directive]MHonArc [an error occurred while processing this directive] # [an error occurred while processing this directive] *