ipchains, forwarding (Не могу понять что держит)

murder · Сообщение **murder** » 16.12.2005 18:28

Встретилась мне тут древняя машина (Red Hat 7.3), не могу ее нормально донастроить, а именно ipchains. Никогда с ним не работал.
Машина находится в радиосегменте, внешний интерфес 10.20.130.69, внутренняя локалка 10.101.20.1.
С нее поднят тунель на другую машину в радио и в этот тунель заручены два хоста 10.200.1.2 и 10.200.1.3. Внутреняя сеть должна иметь доступ только к этим двум хостам через тунель. Вот это то и не получаеться. Применяю нижеописанный ipchains, с радио и снутри я шлюз пингую, захожу по ssh (т.к. он открыт), но то что в тунели идет нифига не работает ни в ту ни в другую сторону

Причем по ssh я на машину захожу из тунеля.

Код: Выделить всё

#!/bin/sh
#
# ----------------------------------------------------------------------------
#
# Invoked from /etc/rc.d/init.d/firewall.
# chkconfig: - 08 92
# description: Starts and stops the IPCHAINS Firewall \
# used to provide Firewall network services.
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
if [ ${NETWORKING} = "no" ]
then
exit 0
fi
if [ ! -x /sbin/ipchains ]; then
exit 0
fi
# See how we were called.
case "$1" in
start)
echo -n "Starting Firewalling Services: "
echo
# ----------------------------------------------------------------------------
# Internet Configuration
INET_IP="10.20.130.69"
INET_IFACE="eth0"
INET_NETWORK="10.20.130.0/24"

# Lan Configuration
LAN_IP="10.101.20.1"
LAN_IFACE="eth1"
LAN_NETWORK="10.101.20.0/24"

# Loopback Configuration
LOOPBACK_IFACE="lo"
LOOPBACK="127.0.0.0/8"

# Multicast
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"

# Broadcast
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"

# Ports
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"
SSH_PORTS="1022:1023"

#----------------------------------------------------------------------------
# Clean rules
ipchains -F
ipchains -X

#----------------------------------------------------------------------------
# Set policies
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY

# ----------------------------------------------------------------------------
# LOOPBACK
ipchains -A input -i $LOOPBACK_IFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_IFACE -j ACCEPT

# ----------------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
ipchains -A input -i $INET_IFACE -s $INET_IP -j DENY -l
ipchains -A input -i $LAN_IFACE -s $LAN_IP -j DENY -l

ipchains -A input -i $INET_IFACE -s $LOOPBACK -j DENY -l
ipchains -A input -i $LAN_IFACE -s $LOOPBACK -j DENY -l

ipchains -A output -i $INET_IFACE -s $LOOPBACK -j REJECT -l
ipchains -A output -i $LAN_IFACE -s $LOOPBACK -j REJECT -l

ipchains -A input -i $INET_IFACE -s $BROADCAST_DEST -j DENY -l
ipchains -A input -i $INET_IFACE -d $BROADCAST_SRC -j DENY -l

ipchains -A input -i $INET_IFACE -s $CLASS_D_MULTICAST -j DENY -l
ipchains -A input -i $INET_IFACE -s $CLASS_E_RESERVED_NET -j DENY -l

# ----------------------------------------------------------------------------
# ICMP
# 0: echo-reply (pong)
# 8: echo-request (ping)
# 11: time-exceeded
ipchains -A input -i $INET_IFACE -p icmp -s any/0 0 -d $INET_IP -j ACCEPT
ipchains -A input -i $LAN_IFACE -p icmp -s any/0 0 -d $LAN_IP -j ACCEPT

ipchains -A input -i $INET_IFACE -p icmp -s any/0 8 -d $INET_IP -j ACCEPT
ipchains -A input -i $LAN_IFACE -p icmp -s any/0 8 -d $LAN_IP -j ACCEPT

ipchains -A input -i $INET_IFACE -p icmp -s any/0 11 -d $INET_IP -j ACCEPT
ipchains -A input -i $LAN_IFACE -p icmp -s any/0 11 -d $LAN_IP -j ACCEPT

ipchains -A output -i $INET_IFACE -p icmp -s $INET_IP 0 -d any/0 -j ACCEPT
ipchains -A output -i $LAN_IFACE -p icmp -s $LAN_IP 0 -d any/0 -j ACCEPT

ipchains -A output -i $INET_IFACE -p icmp -s $INET_IP 8 -d any/0 -j ACCEPT
ipchains -A output -i $LAN_IFACE -p icmp -s $LAN_IP 8 -d any/0 -j ACCEPT

ipchains -A output -i $INET_IFACE -p icmp -s $INET_IP 11 -d any/0 -j ACCEPT
ipchains -A output -i $LAN_IFACE -p icmp -s $LAN_IP 11 -d any/0 -j ACCEPT

# ----------------------------------------------------------------------------
# SSH
ipchains -A input -i tnl -p tcp -s any/0 $UNPRIVPORTS -d $INET_IP 22 -j ACCEPT
ipchains -A input -i $INET_IFACE -p tcp -s any/0 $UNPRIVPORTS -d $INET_IP 22 -j ACCEPT
ipchains -A input -i $LAN_IFACE -p tcp -s any/0 $UNPRIVPORTS -d $LAN_IP 22 -j ACCEPT

ipchains -A output -i tnl -p tcp ! -y -s $INET_IP 22 -d any/0 $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $INET_IFACE -p tcp ! -y -s $INET_IP 22 -d any/0 $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $LAN_IFACE -p tcp ! -y -s $LAN_IP 22 -d any/0 $UNPRIVPORTS -j ACCEPT

ipchains -A input -i tnl -p tcp -s any/0 $SSH_PORTS -d $INET_IP 22 -j ACCEPT
ipchains -A input -i $INET_IFACE -p tcp -s any/0 $SSH_PORTS -d $INET_IP 22 -j ACCEPT
ipchains -A input -i $LAN_IFACE -p tcp -s any/0 $SSH_PORTS -d $LAN_IP 22 -j ACCEPT

ipchains -A output -i tnl -p tcp ! -y -s $INET_IP 22 -d any/0 $SSH_PORTS -j ACCEPT
ipchains -A output -i $INET_IFACE -p tcp ! -y -s $INET_IP 22 -d any/0 $SSH_PORTS -j ACCEPT
ipchains -A output -i $LAN_IFACE -p tcp ! -y -s $LAN_IP 22 -d any/0 $SSH_PORTS -j ACCEPT

# ----------------------------------------------------------------------------
# DENY Like
ipchains -A input -i $INET_IFACE -p tcp -d $INET_IP -j DENY -l
ipchains -A input -i $LAN_IFACE -p tcp -d $LAN_IP -j DENY -l

ipchains -A input -i $INET_IFACE -p udp -d $INET_IP $PRIVPORTS -j DENY -l
ipchains -A input -i $LAN_IFACE -p udp -d $LAN_IP $PRIVPORTS -j DENY -l

ipchains -A input -i $INET_IFACE -p icmp -s any/0 5 -d $INET_IP -j DENY -l
ipchains -A input -i $LAN_IFACE -p icmp -s any/0 5 -d $LAN_IP -j DENY -l

ipchains -A input -i $INET_IFACE -p icmp -s any/0 13:255 -d $INET_IP -j DENY -l
ipchains -A input -i $LAN_IFACE -p icmp -s any/0 13:255 -d $LAN_IP -j DENY -l
# ---------------------------------------------------------------------------
# Clients
ipchains -A input -b -s 10.200.1.2/32 -d $LAN_NETWORK -j ACCEPT
ipchains -A input -b -s 10.200.1.3/32 -d $LAN_NETWORK -j ACCEPT

ipchains -A forward -b -s 10.200.1.2/32 -d $LAN_NETWORK -j ACCEPT
ipchains -A forward -b -s 10.200.1.3/32 -d $LAN_NETWORK -j ACCEPT

ipchains -A output -b -s 10.200.1.2/32 -d $LAN_NETWORK -j ACCEPT
ipchains -A output -b -s 10.200.1.3/32 -d $LAN_NETWORK -j ACCEPT

# ----------------------------------------------------------------------------
;;
stop)
echo -n "Shutting Firewalling Services: "
echo
# Remove all existing rules belonging to this filter
ipchains -F
# Delete all user-defined chain to this filter
ipchains -X
# Reset the default policy of the filter to accept.
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward ACCEPT
;;
status)
status firewall
;;
restart|reload)
$0 stop
$0 start
;;
*)
echo "Usage: firewall {start|stop|status|restart|reload}"
exit 1
esac
exit 0

Может кто-нибудь помочь?