Paquetes Entrantes/Salientes
debian:~# iptables -L
Chain INPUT (policy ACCEPT)
target
prot opt source
DROP
icmp -- 10.0.0.1
echo-request
Chain FORWARD (policy ACCEPT)
destination
anywhere
icmp
target
destination
destination
debian:~# iptables -L
Chain INPUT (policy ACCEPT)
target
prot opt source
destination
destination
destination
10.0.0.1
icmp
Paquetes Salientes/Entrantes
destination
icmp
--- 10.0.0.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3000ms
debian:~#
target
destination
Paquetes Reenviados
Política predeterminada: ACEPTAR TODO
Genmask
255.0.0.0
0.0.0.0
UG
nameserver 208.67.220.220
#nameserver 200.48.225.130
#nameserver 200.48.225.146
debian:~# host www.google.com
Nameserver not responding
www.google.com A record not found, try again
debian:~#
to:192.168.1.3
google.navigation.opendns.com
google.navigation.opendns.com
debian:~#
A
A
208.67.219.230
208.67.219.231
to:192.168.1.3
Paquetes Reenviados
Política predeterminada: DENEGAR TODO
Creación de script básico:
[root@FW ~]# cat fw.sh
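#!/usr/bin/env bash
# fw.sh: reset the filter and nat tables, set default policies, enable IPv4
# forwarding and source-NAT the 10.0.0.0/8 network behind 192.168.1.3.
# Must run as root. Every line is a side effect on the kernel (netfilter /
# procfs); the script produces no output of its own.

# Flush all rules, delete user-defined chains and zero the counters in the
# default (filter) table.
iptables -F
iptables -X
iptables -Z

# Flush the nat table as well. The original line read "iptables -t nat F",
# which is missing the leading dash and is rejected by iptables; "-F" is the
# intended flush.
iptables -t nat -F

# Default policies: traffic to/from the firewall itself is accepted, traffic
# routed through it is dropped unless a later rule accepts it.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Log everything that reaches the end of FORWARD (i.e. what the DROP policy
# will discard). NOTE(review): an unthrottled LOG rule can flood the syslog
# under heavy traffic; "-m limit --limit 5/min" before "-j LOG" is the usual
# mitigation.
iptables -A FORWARD -j LOG

# Turn on routing between interfaces.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Rewrite the source address of packets from the internal network to the
# firewall's external address. NOTE(review): there is no "-o <iface>" match,
# so the SNAT applies on every outgoing interface, not only the external one.
iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -j SNAT --to-source 192.168.1.3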
[root@FW ~]#
[root@FW ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source
destination
Chain FORWARD (policy DROP)
target prot opt source
destination
LOG
all -- anywhere
anywhere
to:192.168.1.3
target
destination
to:192.168.1.3
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
tcp -- 0.0.0.0/0
udp -- 0.0.0.0/0
tcp -- 0.0.0.0/0
tcp -- 0.0.0.0/0
tcp -- 0.0.0.0/0
tcp -- 10.0.0.2
tcp -- 0.0.0.0/0
tcp -- 10.0.0.2
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
10.0.0.2
0.0.0.0/0
10.0.0.2
0.0.0.0/0
tcp spt:53
udp spt:53
tcp dpt:80
tcp spt:80
tcp dpt:80
tcp spt:80
tcp dpt:22
tcp spt:22
to:192.168.1.3
Estados de conexión
to:192.168.1.3
Línea interesante:
iptables -t nat -A PREROUTING -m mac --mac-source 00:16:76:8f:DE:F2 -i eth1 -s ! 192.168.1.22 -j DROP
Le estás diciendo que si esa MAC tiene una IP DIFERENTE (!) a
192.168.1.22, elimine los paquetes.