xmegax
(uses Slackware)
Posted on 20/08/2014 - 21:40h
Gentlemen, I have started learning iptables and I have a few questions.
Here is the image of my test topology.
http://tinypic.com/r/2w3p1ed/8
In this case I am not managing to create a rule that lets client 1 (10.0.3.2) pass straight through the firewall's NAT;
it only gets external access when I change the default FORWARD policy to ACCEPT, but then every host on the local network gets access.
I need the default FORWARD policy to stay DROP while client 1 still gets external access normally.
Here is my script.
Thanks in advance for any help.
#!/bin/bash
IF_WEB=eth0
IF_LAN=eth1

stop(){
    ##########################
    # Flush the rules        #
    ##########################
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
}

start(){
    ##########################
    # Flush the rules        #
    ##########################
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    ###############################
    # Apply the default policies  #
    ###############################
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    ##############################################
    # Allow hosts on the LAN to ping the firewall #
    ##############################################
    iptables -A INPUT -i $IF_LAN -p icmp -j ACCEPT
    iptables -A OUTPUT -o $IF_LAN -p icmp -j ACCEPT
    #################################################
    # Allow hosts on the LAN to reach the squid port #
    #################################################
    iptables -A INPUT -i $IF_LAN -p tcp --dport 3128 -j ACCEPT
    iptables -A OUTPUT -o $IF_LAN -p tcp --sport 3128 -j ACCEPT
    #########################
    # NAT to the Internet   #
    #########################
    echo "1" > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -o $IF_WEB -j MASQUERADE
    ###########################################################
    # Allow full outbound access for one exception (client 1) #
    ###########################################################
    # ??????????????????????????
}

case $1 in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    *)
        echo "Erro, utilize os seguintes parâmetros: start | stop | restart"
        exit 0
        ;;
esac
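Added example (not from the poster's script): the pair of FORWARD rules that would fill the placeholder in the post, assuming the post's topology (client 1 = 10.0.3.2 on eth1, Internet on eth0). By default it only prints the rules; set IPT=iptables to apply them after the MASQUERADE rule, with the FORWARD policy left at DROP.

```shell
#!/bin/sh
# Added example, not the poster's script: a FORWARD exception for one LAN host
# while the FORWARD policy stays DROP.
# Assumed from the post's topology: client 1 = 10.0.3.2 on eth1, Internet on eth0.
# IPT defaults to a dry run that prints the rules; IPT=iptables applies them (root).
IPT="${IPT:-echo iptables}"

# $1 = client IP, $2 = LAN interface, $3 = Internet interface
allow_client_forward() {
    ip="$1"; lan="$2"; web="$3"
    # Outbound: only connections that this client originates.
    $IPT -A FORWARD -i "$lan" -o "$web" -s "$ip" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    # Return path: only replies to those connections; nothing unsolicited
    # from the Internet is forwarded to the LAN.
    $IPT -A FORWARD -i "$web" -o "$lan" -d "$ip" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Self-check for the dry run: how many ACCEPT rules a client gets (expected 2,
# one per direction). Runs allow_client_forward in a subshell so IPT is not
# changed for the caller.
count_rules() {
    ( IPT="echo iptables"; allow_client_forward "$1" "$2" "$3" ) | grep -c -- '-j ACCEPT'
}

# Dry run for client 1; these two rules go where the post's script has "????".
allow_client_forward 10.0.3.2 eth1 eth0
```

A forwarded packet only reaches the POSTROUTING MASQUERADE rule after FORWARD has accepted it, so the other LAN hosts stay blocked by the DROP policy, and the return rule admits only ESTABLISHED,RELATED traffic, so nothing unsolicited from the Internet is forwarded to the client.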