El día 7 de julio de 2010 17:24, Camaleón
El Wed, 07 Jul 2010 10:34:46 -0300, jp_listero escribió:
toy teniendo un problita con el firewall que no me deja pasar unos paquetes kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=eth2 SRC=192.168.0.23 DST=172.21.14.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=59198 SEQ=1 ^^^^^^^^^^
Hum... es un paquete ICMP y creo que en el cortafuegos de openSUSE para rechazar o admitir este tipo de tráfico se configura de forma individual, mediante variables concretas.
¿Sólo te rechaza paquetes ICMP o todo tipo de tráfico?
todo el trafico ...
tengo dos tarjetas de red, la eht0 con ID red 192.168.0.0 y la eth2 con ID red 172.21.0.0 ...
A la espera de que algún gurú del cortafuegos te diga alguna cosa, ¿estás haciendo routing con/sin NAT, con/sin enmascaramiento...?
tengo FW con esta config: FW_ROUTE="yes" FW_MASQUERADE="yes" y después tengo habilitada la opción "Habilitar Reenvió de IP" en network devices.
agregue en el suse firewall ... FW_FORWARD="192.168.0.0/24,172.21.0.0/24 172.21.0.0/24,192.168.0.0/24"
tendré que agregar algo a nivel de ip tables ?
Pon el resultado de "iptables -L" a ver qué aparece.
# iptables -L Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere state ESTABLISHED ACCEPT icmp -- anywhere anywhere state RELATED input_int all -- anywhere anywhere input_int all -- anywhere anywhere input_int all -- anywhere anywhere input_ext all -- anywhere anywhere input_ext all -- anywhere anywhere input_ext all -- anywhere anywhere LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET ' DROP all -- anywhere anywhere Chain FORWARD (policy DROP) target prot opt source destination TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU forward_int all -- anywhere anywhere forward_int all -- anywhere anywhere forward_int all -- anywhere anywhere forward_ext all -- anywhere anywhere forward_ext all -- anywhere anywhere LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING ' DROP all -- anywhere anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR ' Chain forward_ext (2 references) target prot opt source destination ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp protocol-unreachable ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp redirect LOG all -- 192.168.0.0/24 172.21.0.0/24 limit: avg 3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix `SFW2-FWDext-ACC-FORW ' ACCEPT all -- 192.168.0.0/24 172.21.0.0/24 state NEW,RELATED,ESTABLISHED ACCEPT all -- 172.21.0.0/24 192.168.0.0/24 state RELATED,ESTABLISHED LOG all -- 172.21.0.0/24 192.168.0.0/24 limit: avg 3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix `SFW2-FWDext-ACC-FORW ' ACCEPT all -- 172.21.0.0/24 192.168.0.0/24 state NEW,RELATED,ESTABLISHED ACCEPT all -- 192.168.0.0/24 172.21.0.0/24 state RELATED,ESTABLISHED ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED LOG all -- anywhere anywhere limit: avg 3/min burst 5 PKTTYPE = multicast LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT ' DROP all -- anywhere anywhere PKTTYPE = multicast LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT ' LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT ' LOG udp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT ' LOG all -- anywhere anywhere limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT-INV ' DROP all -- anywhere anywhere Chain forward_int (3 references) target prot opt source destination ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp protocol-unreachable ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp redirect LOG all -- 192.168.0.0/24 172.21.0.0/24 limit: avg 3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix `SFW2-FWDint-ACC-FORW ' ACCEPT all -- 192.168.0.0/24 172.21.0.0/24 state NEW,RELATED,ESTABLISHED ACCEPT all -- 172.21.0.0/24 192.168.0.0/24 state RELATED,ESTABLISHED LOG all -- 172.21.0.0/24 192.168.0.0/24 limit: avg 3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix `SFW2-FWDint-ACC-FORW ' ACCEPT all -- 172.21.0.0/24 192.168.0.0/24 state NEW,RELATED,ESTABLISHED ACCEPT all -- 192.168.0.0/24 172.21.0.0/24 state RELATED,ESTABLISHED ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED LOG all -- anywhere anywhere limit: avg 3/min burst 5 PKTTYPE = multicast LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT ' DROP all -- anywhere anywhere PKTTYPE = multicast LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT ' LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT ' LOG udp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT ' LOG all -- anywhere anywhere limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT-INV ' reject_func all -- anywhere anywhere Chain input_ext (3 references) target prot opt source destination DROP all -- anywhere anywhere PKTTYPE = broadcast ACCEPT icmp -- anywhere anywhere icmp source-quench ACCEPT icmp -- anywhere anywhere icmp echo-request LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:ssh LOG all -- anywhere anywhere limit: avg 3/min burst 5 PKTTYPE = multicast LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT ' DROP all -- anywhere anywhere PKTTYPE = multicast LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT ' LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT ' LOG udp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT ' LOG all -- anywhere anywhere limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT-INV ' DROP all -- anywhere anywhere Chain input_int (3 references) target prot opt source destination ACCEPT all -- anywhere anywhere Chain reject_func (1 references) target prot opt source destination REJECT tcp -- anywhere anywhere reject-with tcp-reset REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable gracias!
Saludos,
-- Camaleón
-- Para dar de baja la suscripción, mande un mensaje a: opensuse-es+unsubscribe@opensuse.org Para obtener el resto de direcciones-comando, mande un mensaje a: opensuse-es+help@opensuse.org
-- Para dar de baja la suscripción, mande un mensaje a: opensuse-es+unsubscribe@opensuse.org Para obtener el resto de direcciones-comando, mande un mensaje a: opensuse-es+help@opensuse.org