On 11/03/2014 0:20, César Martinez wrote:
> Hi Francesc, sorry for the delay. The rule worked perfectly, thank you
> very much for everything.

Remember that INPUT is for packets whose destination is the firewall
itself. OUTPUT is for packets originated by the firewall itself. FORWARD is
for packets that pass through the firewall, that is, packets whose final
destination or origin is not the firewall but which travel across it, as
was the case for you.

>
> Regards
>
> César
> Regards,
>
>> On 07/03/2014 11:24, Francesc Guitart wrote:
>>> Hi César,
>>>
>>> Try adding this rule:
>>>
>>> $IPTABLES -I FORWARD -d 172.25.144.0/24 -i eth1 -j ACCEPT
>>>
>>> By the way, regarding the rules you sent me in the other mail:
>>> $IPTABLES -A INPUT -s 192.168.0.0/24 -j ACCEPT
>>> $IPTABLES -A OUTPUT -d 172.25.144.0/24 -j ACCEPT
>>> $IPTABLES -A OUTPUT -p tcp -d 172.25.144.0/24 -j ACCEPT
>>> $IPTABLES -I OUTPUT -d 172.25.144.0/24 -j ACCEPT
>>> $IPTABLES -A POSTROUTING -t nat -o $EXTERNALIF -j MASQUERADE
>>>
>>> The first and the fourth are exactly the same. Remove one of the two.
>>> The third is contained within the second (or the fourth, whichever you
>>> prefer). Delete it as well.
>>>
>> I forgot one thing. The fifth rule seems to work fine, but to be exact it
>> should rather be:
>>
>> $IPTABLES -t nat -A POSTROUTING -o $EXTERNALIF -j MASQUERADE
>>
>>
>>> On 07/03/2014 11:04, César Martinez wrote:
>>>> Hi, thanks for replying. I go through the proxy because the data tunnel
>>>> cable is now connected directly to the switch on the 192.168.0.X
>>>> segment; the ISP created some routes to send all the data traffic to
>>>> the IP 192.168.0.1, which is currently the IP of my proxy. As I
>>>> mentioned, if I bring the firewall down momentarily I can ping or open
>>>> a shared resource on the 172.25.144.4 network, which is currently where
>>>> I need to reach; that IP is a Windows server that has a shared folder.
>>>>
>>>> I am attaching the output of the commands, thank you very much for your
>>>> help
>>>>
>>>> ip route
>>>> 181.113.66.72/29 dev eth0  proto kernel  scope link  src 181.113.66.78
>>>> 192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.1
>>>> 172.25.144.0/24 via 192.168.0.3 dev eth1
>>>> 169.254.0.0/16 dev eth1  scope link
>>>> default via 181.113.66.73 dev eth
>>>>
>>>> ip route show table local
>>>> broadcast 181.113.66.79 dev eth0  proto kernel  scope link  src 181.113.66.78
>>>> broadcast 192.168.0.255 dev eth1  proto kernel  scope link  src 192.168.0.1
>>>> local 181.113.66.78 dev eth0  proto kernel  scope host  src 181.113.66.78
>>>> broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1
>>>> broadcast 181.113.66.72 dev eth0  proto kernel  scope link  src 181.113.66.78
>>>> local 192.168.0.1 dev eth1  proto kernel  scope host  src 192.168.0.1
>>>> broadcast 192.168.0.0 dev eth1  proto kernel  scope link  src 192.168.0.1
>>>> broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1
>>>> local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1
>>>> local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1
>>>>
>>>>
>>>> ifconfig -a
>>>> eth0      Link encap:Ethernet  HWaddr 00:26:5A:84:C3:B0
>>>>           inet addr:181.113.66.78  Bcast:181.113.66.79  Mask:255.255.255.248
>>>>           inet6 addr: fe80::226:5aff:fe84:c3b0/64 Scope:Link
>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>>           RX packets:322452 errors:0 dropped:0 overruns:0 frame:0
>>>>           TX packets:315335 errors:0 dropped:0 overruns:0 carrier:0
>>>>           collisions:0 txqueuelen:1000
>>>>           RX bytes:218551617 (208.4 MiB)  TX bytes:50814320 (48.4 MiB)
>>>>           Interrupt:169 Base address:0xc000
>>>>
>>>> eth1      Link encap:Ethernet  HWaddr 3C:4A:92:B2:92:E4
>>>>           inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
>>>>           inet6 addr: fe80::3e4a:92ff:feb2:92e4/64 Scope:Link
>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>>           RX packets:401472 errors:0 dropped:0 overruns:0 frame:0
>>>>           TX packets:326596 errors:0 dropped:0 overruns:0 carrier:0
>>>>           collisions:0 txqueuelen:1000
>>>>           RX bytes:60175972 (57.3 MiB)  TX bytes:235191189 (224.2 MiB)
>>>>           Interrupt:177 Memory:fbdf0000-fbe00000
>>>>
>>>> eth2      Link encap:Ethernet  HWaddr 54:E6:FC:80:4C:C5
>>>>           BROADCAST MULTICAST  MTU:1500  Metric:1
>>>>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>>>>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>>>>           collisions:0 txqueuelen:1000
>>>>           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
>>>>           Interrupt:90 Base address:0xa000
>>>>
>>>> lo        Link encap:Local Loopback
>>>>           inet addr:127.0.0.1  Mask:255.0.0.0
>>>>           inet6 addr: ::1/128 Scope:Host
>>>>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>>>>           RX packets:485 errors:0 dropped:0 overruns:0 frame:0
>>>>           TX packets:485 errors:0 dropped:0 overruns:0 carrier:0
>>>>           collisions:0 txqueuelen:0
>>>>           RX bytes:59577 (58.1 KiB)  TX bytes:59577 (58.1 KiB)
>>>>
>>>> sit0      Link encap:IPv6-in-IPv4
>>>>           NOARP  MTU:1480  Metric:1
>>>>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>>>>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>>>>           collisions:0 txqueuelen:0
>>>>           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
>>>>
>>>>
>>>> iptables -L -n
>>>> Chain INPUT (policy ACCEPT)
>>>> target     prot opt source               destination
>>>> DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
>>>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>>>> ACCEPT     all  --  192.168.0.0/24       0.0.0.0/0
>>>> ACCEPT     41   --  0.0.0.0/0            0.0.0.0/0
>>>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 8 limit: avg 1/sec burst 5
>>>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
>>>> REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:137 reject-with icmp-port-unreachable
>>>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>>>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:20
>>>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
>>>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1976
>>>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
>>>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:587
>>>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
>>>> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
>>>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
>>>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:110
>>>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:143
>>>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
>>>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:11200
>>>> ACCEPT     all  --  192.168.0.0/24       0.0.0.0/0
>>>> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1433 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: MSSQL '
>>>> DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1433
>>>> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:6670 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: Deepthrt '
>>>> DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:6670
>>>> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:6711 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: Sub7 '
>>>> DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:6711
>>>> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:6712 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: Sub7 '
>>>> DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:6712
>>>> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:6713 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: Sub7 '
>>>> DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:6713
>>>> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:12345 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: Netbus '
>>>> DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:12345
>>>> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:12346 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: Netbus '
>>>> DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:12346
>>>> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:20034 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: Netbus '
>>>> DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:20034
>>>> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:31337 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: BO '
>>>> DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:31337
>>>> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:6000 limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Firewalled packet: XWin '
>>>> DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:6000
>>>> DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:33434:33523
>>>> REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:113 reject-with icmp-port-unreachable
>>>> REJECT     2    --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
>>>> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 5/min burst 5 LOG flags 0 level 4 prefix `Firewalled packet:'
>>>> REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
>>>> DROP       all  --  0.0.0.0/0            0.0.0.0/0
>>>>
>>>> Chain FORWARD (policy ACCEPT)
>>>> target     prot opt source               destination
>>>> REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:55347 reject-with icmp-port-unreachable
>>>> DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
>>>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>>>> REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:137 reject-with icmp-port-unreachable
>>>> REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:138 reject-with icmp-port-unreachable
>>>> REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:139 reject-with icmp-port-unreachable
>>>> REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:137 reject-with icmp-port-unreachable
>>>> REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:138 reject-with icmp-port-unreachable
>>>> REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:139 reject-with icmp-port-unreachable
>>>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>>>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW
>>>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>>>> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 5/min burst 5 LOG flags 0 level 4 prefix `Firewalled packet:'
>>>> REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
>>>> DROP       all  --  0.0.0.0/0            0.0.0.0/0
>>>>
>>>> Chain OUTPUT (policy ACCEPT)
>>>> target     prot opt source               destination
>>>> ACCEPT     all  --  0.0.0.0/0            172.25.144.0/24
>>>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW
>>>> ACCEPT     all  --  0.0.0.0/0            172.25.144.0/24
>>>> ACCEPT     tcp  --  0.0.0.0/0            172.25.144.0/24
>>>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>>>>
>>>>
>>>>> Hi Cesar,
>>>>>
>>>>> Please send the mails to the list. The discussion of your problem was
>>>>> taking place on that channel. Why change?
>>>>>
>>>>> If I have understood correctly after several messages, you have the
>>>>> interface of the device that makes the tunnel connected directly to
>>>>> the internal network. So why do you go through the firewall to get
>>>>> from one office to the other? There is something I have not
>>>>> understood. Can you explain the current situation from the beginning
>>>>> without leaving anything out?
>>>>>
>>>>> Please add the output of these commands:
>>>>>
>>>>> ip route
>>>>> ip route show table local
>>>>> ifconfig -a
>>>>> iptables -L -n
>>>>>
>>>>> Thanks.
>>>>>
>>>>>
>>>> _______________________________________________
>>>> CentOS-es mailing list
>>>> CentOS-es@centos.org
>>>> http://lists.centos.org/mailman/listinfo/centos-es
>>>>
>>>
>>
>

-- 
Francesc Guitart
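Francesc's remarks above about duplicated and subsumed rules, and the chain listing César posted (where an unrestricted `ACCEPT all` is the third rule of both INPUT and FORWARD, so every LOG/DROP/REJECT rule below it is never consulted), can both be checked mechanically. The shell script below is an added example for this page, not code from the thread or from CentOS. It parses `iptables -L -n` output and reports, per chain, rules that are exact duplicates of an earlier rule, rules subsumed by an earlier rule with the same target, source and destination but protocol `all`, and rules shadowed by an earlier catch-all terminating rule. The listing embedded in it is constructed for the example, modelled on and cut down from the one in the thread; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread or CentOS): audit an `iptables -L -n`
# listing for duplicate, subsumed and shadowed rules.

# Constructed sample in `iptables -L -n` format, modelled on (and cut down
# from) the listing posted in the thread. Not the original output.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  192.168.0.0/24       0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1433

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            172.25.144.0/24
ACCEPT     all  --  0.0.0.0/0            172.25.144.0/24
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            172.25.144.0/24
ACCEPT     tcp  --  0.0.0.0/0            172.25.144.0/24
'

# Reads a listing on stdin and prints one line per finding:
#   CHAIN:N duplicate of rule M: ...
#   CHAIN:N subsumed by rule M: ...
#   CHAIN:N shadowed by rule M: ...
# N and M count from 1 within each chain, as `iptables -L --line-numbers`
# would number them.
audit_chains() {
    awk '
    /^Chain / { chain = $2; n = 0; catchall = 0; split("", seen); split("", broad); next }
    /^target / || NF == 0 { next }
    {
        n++
        # Rebuild the rule with single spaces so equal rules compare equal
        rule = $1
        for (i = 2; i <= NF; i++) rule = rule " " $i
        key = $1 SUBSEP $4 SUBSEP $5          # target, source, destination
        if (catchall) {
            print chain ":" n " shadowed by rule " catchall ": " rule
        } else if (rule in seen) {
            print chain ":" n " duplicate of rule " seen[rule] ": " rule
        } else if (NF == 5 && $2 != "all" && (key in broad)) {
            # Same target/src/dst and no extra match, but one protocol only:
            # the earlier "all" rule already matches everything this one does
            print chain ":" n " subsumed by rule " broad[key] ": " rule
        } else {
            seen[rule] = n
            if (NF == 5 && $2 == "all") broad[key] = n
        }
        # A terminating target with no match restriction ends evaluation for
        # every packet, so nothing after it in this chain is ever consulted
        if (!catchall && $2 == "all" && $4 == "0.0.0.0/0" && $5 == "0.0.0.0/0" &&
            ($1 == "ACCEPT" || $1 == "DROP" || $1 == "REJECT") &&
            (NF == 5 || (NF == 7 && $6 == "reject-with"))) { catchall = n }
    }'
}

# Run the audit over the constructed sample
audit_sample() {
    printf '%s' "$SAMPLE_LISTING" | audit_chains
}

audit_sample
```

On a real host run it as root with `iptables -L -n | audit_chains` (the parser expects the plain `-L -n` column layout, without `-v` or `--line-numbers`, which shift the fields). Fed the listing from the thread it would flag the whole tail of INPUT and FORWARD as shadowed by the third rule of each chain, which is the practical reason the trojan-port DROP rules and the final `DROP all` there have no effect on traffic.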