jr.jorro
(uses Debian)
Posted on 22/06/2010 - 10:49h
Folks,
I have 3 network interfaces on my gateway, WAN, LAN and CROSS (between the networks), and I need to reach a web server that sits on the other LAN.
                     2.9 eth0
LAN ---------------- GW/fw ------- WAN 189.3.2.0
192.168.3.0/24  eth1 3.1  |
                          | 2.20 eth2
                          CROSS
                          192.168.0.0/24
From the GW I have connectivity to all of them, but from the workstations I cannot reach the web system (192.168.0.2).
I cannot ping the workstation 192.168.3.7 from the GW (only after flushing the fw rules).
My firewall looks like this:
# Path to the IPTables executable
IPT=iptables
LAN="eth1"; # INTERNAL network interface
WAN="eth0"; # EXTERNAL network interface
CROSS="eth2"; # CROSS LAN interface
REDE_INTERNA="192.168.3.0/24"; # Internal network definition
# enable dynamic routing
echo 1 > /proc/sys/net/ipv4/ip_forward
# Default policies
$IPT -t filter -P INPUT DROP
$IPT -t filter -P FORWARD DROP
$IPT -t filter -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
# Create a chain with the security rules
$IPT -N BLOCK
$IPT -A BLOCK -p icmp --icmp-type echo-request -j DROP
$IPT -A BLOCK -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPT -A BLOCK -p tcp -m limit --limit 1/s -j ACCEPT
$IPT -A BLOCK -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -m limit --limit 1/s -j ACCEPT
$IPT -A BLOCK -m unclean -j DROP
$IPT -A BLOCK -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A BLOCK -j LOG --log-prefix "FW_ALERT: "
$IPT -A BLOCK -j DROP
# Allow local traffic
$IPT -t filter -A INPUT -i lo -j ACCEPT
$IPT -t filter -A INPUT -i $LAN -j ACCEPT
$IPT -t filter -A FORWARD -i $LAN -j ACCEPT
$IPT -t filter -A OUTPUT -o $LAN -j ACCEPT
# Allow traffic to 18
$IPT -t filter -A INPUT -i $CROSS -j ACCEPT
$IPT -t filter -A FORWARD -i $CROSS -j ACCEPT
# Services
$IPT -t filter -A INPUT -i $WAN -p tcp -m multiport --dports 21,22,443,80 -j ACCEPT
$IPT -t filter -A INPUT -i $WAN -p tcp -m multiport --sports 21,22,443,80 -j ACCEPT
# Allow the connection for the internal network
$IPT -t nat -A POSTROUTING -s $REDE_INTERNA -j MASQUERADE
# Rules to avoid packet flood
$IPT -A INPUT -j BLOCK
$IPT -A FORWARD -j BLOCK
routes
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
189.3.2.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
0.0.0.0         189.3.2.1       0.0.0.0         UG    100    0        0 eth0
tcpdump from a LAN workstation 192.168.3.7
root@ubu:/home/casa# tcpdump -i eth1 -n host 192.168.3.2 and port 8
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
10:29:13.599685 IP 192.168.3.2.14229 > 84.16.88.15.80: Flags [R.], seq 486939601
10:29:15.628613 IP 192.168.3.2.14245 > 192.168.0.2.80: Flags [S], seq 1251650230
10:29:18.631210 IP 192.168.3.2.14245 > 192.168.0.2.80: Flags [S], seq 1251650230
10:29:24.630642 IP 192.168.3.2.14245 > 192.168.0.2.80: Flags [S], seq 1251650230
10:29:28.356140 IP 192.168.3.2.14248 > 64.233.163.104.80: Flags [S], seq 4217250
10:29:28.368293 IP 64.233.163.104.80 > 192.168.3.2.14248: Flags [S.], seq 405318
10:29:28.368623 IP 192.168.3.2.14248 > 64.233.163.104.80: Flags [.], ack 1, win
10:29:28.369262 IP 192.168.3.2.14248 > 64.233.163.104.80: Flags [P.], seq 1:1132
10:29:28.379757 IP 64.233.163.104.80 > 192.168.3.2.14248: Flags [.], ack 1132, w
10:29:28.560705 IP 64.233.163.104.80 > 192.168.3.2.14248: Flags [P.], seq 1:402,
10:29:28.565256 IP 64.233.163.104.80 > 192.168.3.2.14248: Flags [P.], seq 402:18
10:29:28.565888 IP 192.168.3.2.14248 > 64.233.163.104.80: Flags [.], ack 1820, w
10:29:28.568531 IP 64.233.163.104.80 > 192.168.3.2.14248: Flags [P.], seq 1820:2
10:29:28.772214 IP 192.168.3.2.14248 > 64.233.163.104.80: Flags [.], ack 2144, w
10:29:36.290350 IP 192.168.3.2.14250 > 192.168.0.2.80: Flags [S], seq 3936811044
10:29:39.288060 IP 192.168.3.2.14250 > 192.168.0.2.80: Flags [S], seq 3936811044
10:29:45.290665 IP 192.168.3.2.14250 > 192.168.0.2.80: Flags [S], seq 3936811044
10:29:57.291626 IP 192.168.3.2.14253 > 192.168.0.2.80: Flags [S], seq 2621457242
10:30:00.284043 IP 192.168.3.2.14253 > 192.168.0.2.80: Flags [S], seq 2621457242
10:30:06.289658 IP 192.168.3.2.14253 > 192.168.0.2.80: Flags [S], seq 2621457242, win 65535, options [mss 1460,nop,nop,sackOK], length 0
10:30:09.501558 IP 192.168.3.2.14248 > 64.233.163.104.80: Flags [P.], seq 1132:2260, ack 2144, win 16364, length 1128
10:30:09.520641 IP 64.233.163.104.80 > 192.168.3.2.14248: Flags [.], ack 2260, win 161, length 0
10:30:09.801070 IP 64.233.163.104.80 > 192.168.3.2.14248: Flags [P.], seq 2144:2545, ack 2260, win 161, length 401
10:30:09.802078 IP 64.233.163.104.80 > 192.168.3.2.14248: Flags [.], seq 2545:3975, ack 2260, win 161, length 1430
10:30:09.802809 IP 192.168.3.2.14248 > 64.233.163.104.80: Flags [.], ack 3975, win 16445, length 0
10:30:09.802992 IP 64.233.163.104.80 > 192.168.3.2.14248: Flags [P.], seq 3975:4246, ack 2260, win 161, length 271
10:30:10.008152 IP 192.168.3.2.14248 > 64.233.163.104.80: Flags [.], ack 4246, win 16377, length 0
27 packets captured
27 packets received by filter
0 packets dropped by kernel
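The following is an added example, not the poster's script: a reworked ruleset for the same three-interface topology (eth0 WAN, eth1 LAN 192.168.3.0/24, eth2 CROSS 192.168.0.0/24, web server 192.168.0.2). It keeps the posted variable names but changes the rules that are unsafe or cannot work as written: MASQUERADE is restricted to the WAN interface, the ICMP rate limit is placed before the drop that currently shadows it, and the two rules that admit arbitrary inbound TCP (the `--sports` accept and the stateless `-p tcp -m limit` accept) are removed. Allowing only HTTP from the LAN to 192.168.0.2, and letting the CROSS side open no new flows towards the LAN, is an assumption made for illustration; adjust to the real policy. `rules_text` prints the rules instead of applying them, so the script can be reviewed without root.

```shell
#!/bin/sh
# Added example, not the poster's script: reworked ruleset for the topology
# in the post.  Interface names and networks are from the post; the policy
# (only HTTP from LAN to the CROSS web server, nothing new from CROSS to LAN)
# is an assumption for illustration.
#
# Differences from the posted script:
#   * MASQUERADE is tied to -o $WAN, so LAN->CROSS packets keep their real
#     192.168.3.x source instead of being rewritten to eth2's address.
#   * The echo-request rate limit comes BEFORE the ICMP drop; in the posted
#     BLOCK chain the unconditional DROP is first, so the limit never matches.
#   * No "--sports 21,22,443,80" accept: a remote host picks its own source
#     port, so that rule admits arbitrary inbound TCP to any local port.
#   * No stateless "-p tcp -m limit --limit 1/s -j ACCEPT": it admits one
#     unsolicited TCP packet per second to any port.
#   * Return traffic is handled once, with conntrack, not per chain.

LAN="eth1"; WAN="eth0"; CROSS="eth2"
REDE_INTERNA="192.168.3.0/24"
REDE_CROSS="192.168.0.0/24"
WEB_CROSS="192.168.0.2"          # web server on the other LAN (from the post)
WAN_SERVICES="21,22,80,443"      # TCP services exposed on the WAN side
IPT="${IPT:-iptables}"           # set IPT="echo iptables" for a dry run

firewall_rules() {
    # start from a clean slate so re-running does not duplicate rules
    $IPT -F; $IPT -X; $IPT -t nat -F; $IPT -t mangle -F
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT

    # stateful baseline: replies to allowed flows pass, invalid packets die
    for chain in INPUT FORWARD; do
        $IPT -A $chain -m conntrack --ctstate INVALID -j DROP
        $IPT -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    done

    # traffic addressed to the gateway itself
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i $LAN   -s $REDE_INTERNA -j ACCEPT
    $IPT -A INPUT -i $CROSS -s $REDE_CROSS   -j ACCEPT
    $IPT -A INPUT -i $WAN -p tcp -m multiport --dports $WAN_SERVICES \
         -m conntrack --ctstate NEW -j ACCEPT
    # ping to the gateway: rate-limited accept first, the excess is dropped
    $IPT -A INPUT -p icmp --icmp-type echo-request \
         -m limit --limit 1/s --limit-burst 4 -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j DROP

    # traffic routed through the gateway (only NEW flows reach these rules)
    $IPT -A FORWARD -i $LAN -o $WAN -s $REDE_INTERNA -j ACCEPT
    $IPT -A FORWARD -i $LAN -o $CROSS -s $REDE_INTERNA -d $WEB_CROSS \
         -p tcp --dport 80 -j ACCEPT

    # NAT only towards the Internet; the CROSS side sees real LAN addresses
    $IPT -t nat -A POSTROUTING -s $REDE_INTERNA -o $WAN -j MASQUERADE

    # log what falls through (rate-limited), then the DROP policy applies
    $IPT -A INPUT   -m limit --limit 5/min -j LOG --log-prefix "FW_IN_DROP: "
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW_FWD_DROP: "
}

# Print the rules instead of applying them (no root needed), for review.
rules_text() ( IPT="echo iptables"; firewall_rules )

case "${1:-}" in
    apply) firewall_rules ;;   # ./fw.sh apply  -> load the rules
    show)  rules_text ;;       # ./fw.sh show   -> dry run, print only
esac
```

Two practical notes. First, before changing rules, find out where the SYN dies: the capture in the post was taken on eth1, so it only shows that the workstation keeps retrying. Capture on eth2 at the same time (`tcpdump -i eth2 -n host 192.168.0.2 and port 80`): if the SYN appears there with source 192.168.0.20, the posted MASQUERADE (no `-o`) is rewriting it; if it appears with a 192.168.3.x source, the web server or anything in front of it needs a route back to 192.168.3.0/24 via 192.168.0.20; if it never appears, compare the counters from `iptables -L FORWARD -v -n` and `iptables -t nat -L POSTROUTING -v -n` while retrying. Second, the `-m unclean` match in the posted BLOCK chain was removed from the kernel long ago; on a current system iptables rejects that line, so the rest of the script may not have loaded the way the post assumes.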