Bloquear comunicação entre duas sub-redes

jptudobem
(usa Debian)

Enviado em 28/10/2010 - 12:16h

Galera, tenho a seguinte situação:

- DHCP + BIND + SQUID + IPTABLES

Todos esses serviços rodando no mesmo servidor.

Interfaces:

eth0 - Lan - 192.168.x.y
eth0:1 - vLan - 192.168.x.z
eth0:2 - vLan - 192.168.y.w
eth2 - Internet

Segue o meu esquema:

* DHCP

shared-network eth0 {

ddns-update-style none;
ddns-updates off;
log-facility local7;
authoritative;
default-lease-time 600;
max-lease-time 7200;

subnet 192.168.y.0 netmask 255.255.255.0 {

allow unknown-clients;
option domain-name-servers 192.168.y.w;
option domain-name "hotspot";
option routers 192.168.y.w;
range 192.168.y.100 192.168.y.110;
}

subnet 192.168.x.0 netmask 255.255.255.0 {

deny unknown-clients;
option domain-name-servers 192.168.x.z;
option domain-name "intranet";
option routers 192.168.x.z;

}
}

#######################################################

* IPTABLES

#!/bin/bash

modprobe ip_conntrack_ftp
modprobe ip_conntrack_tftp

IFINTERNET=eth2
IFLOCAL=eth0

NETLOCAL=192.168.x.0/24
NETLOCAL2=192.168.y.0/24
IPLOCAL=192.168.x.z

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT


############## COMPARTILHAMENTO DE INTERNET ###############
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o $IFINTERNET -j MASQUERADE
###########################################################

#################### COMUNICACAO ENTRE REDES ######################
iptables -A FORWARD -s 192.168.y.0/24 -d 192.168.x.0/24 -j DROP
iptables -A FORWARD -s 192.168.X.0/24 -d 192.168.Y.0/24 -j DROP
###################################################################

###########################################################################
###### IPs na rede interna com permissao total de acesso a internet #######
###########################################################################

iptables -t nat -N NOREDIRECT

iptables -A FORWARD -i $IFLOCAL -s 192.168.y.0/24 -j ACCEPT
iptables -t nat -A PREROUTING -i $IFLOCAL -s 192.168.y.0/24 -j NOREDIRECT

iptables -t nat -A NOREDIRECT -j ACCEPT

############################################################################
####### Servicos permitidos para a rede interna acessar na internet ########
############################################################################

## SMTP
iptables -A FORWARD -i $IFLOCAL -s $NETLOCAL -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -i $IFLOCAL -s $NETLOCAL -p tcp --dport 587 -j ACCEPT
iptables -A FORWARD -i $IFLOCAL -s $NETLOCAL -p tcp --dport 465 -j ACCEPT

iptables -A FORWARD -i $IFLOCAL -s $NETLOCAL2 -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -i $IFLOCAL -s $NETLOCAL2 -p tcp --dport 587 -j ACCEPT
iptables -A FORWARD -i $IFLOCAL -s $NETLOCAL2 -p tcp --dport 465 -j ACCEPT

# PING
iptables -A FORWARD -i $IFLOCAL -s $NETLOCAL -p icmp -j ACCEPT

iptables -A FORWARD -i $IFLOCAL -s $NETLOCAL2 -p icmp -j ACCEPT

####### Aceita todos os pacotes stablished e related da internet para rede interna #########
iptables -A FORWARD -o $IFLOCAL -d $NETLOCAL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o $IFLOCAL -d $NETLOCAL2 -m state --state ESTABLISHED,RELATED -j ACCEPT
############################################################################################

####################################### REDIRECIONAMENTO PARA PROXY ##########################################
iptables -t nat -A PREROUTING -i $IFLOCAL -d 192.168.x.z -p tcp --dport 80 -j DNAT --to 192.168.x.z:80
iptables -t nat -A PREROUTING -i $IFLOCAL -d 192.168.x.y -p tcp --dport 80 -j DNAT --to 192.168.x.y:80
iptables -t nat -A PREROUTING -i $IFLOCAL -p tcp --dport 80 -j DNAT --to $IPLOCAL:880
##############################################################################################################

####################################################################
####################### SERVIÇOS LOCAIS ########################
####################################################################

## Aceita conexoes locais (127.0.0.1)

iptables -A INPUT -i lo -j ACCEPT

## Aceita todos pacotes com estado ESTABLISHED e RELATED

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

## Aceita todas conexoes da rede interna

iptables -A INPUT -i $IFLOCAL -s $NETLOCAL -j ACCEPT

iptables -A INPUT -i $IFLOCAL -s $NETLOCAL2 -j ACCEPT

## DHCP

iptables -A INPUT -i $IFLOCAL -p tcp --dport 67 -j ACCEPT

## PING

iptables -A INPUT -p icmp -j ACCEPT

#####################################################################

Tenho a internet compartilhanda entre as sub-redes porém, essas sub redes não podem se comunicar entre si, não pode haver tráfego local entre elas, apenas a internet deve ser compartilhada. Adicionei a regra no iptables que teoricamente faria esse bloqueio mas não funcionou. Não sei se o problema está realmente no firewall também.

Poderiam me ajudar nisso?

Valeu!
Editar

irado
(usa XUbuntu)

Enviado em 28/10/2010 - 13:13h

acho um pouco "misturada"; IMHO idealmente vc deveria ter PREROUTING seguida por INPUT seguida por FORWARD, seguida por POSROUTING (cf. artigo do prof. Elgio Schlemer aqui: http://www.vivaolinux.com.br/artigo/Estrutura-do-Iptables/); também julgo desnecessária a criação da tabela "NOREDIRECT", afinal vc não tem tantas regras assim. Então, após "desmisturar" suas regras, convém analisar o seguinte:

FORWARD: eu acrescentaria um '!' (NOT) destino:

iptables -A FORWARD -i ???? -s 192.168.y.0/24 ! -d 192.168.x.0/24 -j ACCEPT

repita para a outra interface/rede

êsse modêlo define que ACEITA para qualquer destino, MENOS aquêle um.

jptudobem
(usa Debian)

Enviado em 28/10/2010 - 14:13h

essa regra não equivale à que ja tenho?

iptables -A FORWARD -s 192.168.y.0/24 -d 192.168.x.0/24 -j DROP
iptables -A FORWARD -s 192.168.X.0/24 -d 192.168.Y.0/24 -j DROP

Se não, em que parte do firewall vc acescentaria?

Sobre a NOREDIRECT, eu tenho masi regras nela... mas deixei só uma como exemplo para nao ficar um post muito extenso.

miura 787
(usa Ubuntu)

Enviado em 28/10/2010 - 14:22h

Dê uma pesquisada sobre vLans!


Ats
Miura 787

jptudobem
(usa Debian)

Enviado em 28/10/2010 - 14:27h

Acho a VOL o maior centro de conhecimento e pesquisa de Linux do Brasil.
Se vim aqui, se postei algo a respeito do meu problema, pressupõe-se que preciso de ajuda.

Acredito que, se respostas como "Dê uma pesquisada sobre vLans" resolvesse problemas, a VOL podia redirecionar todos os links das comunidades que possui para o www.google.com.br.

Se não pode ajudar amigo, deixe este espaço para quem pode e quer ajudar.