Bonjour,
Voici mon problème, je ne parviens plus à faire fonctionner le transfert de port sur mon firewall.
Le port 443 est droppé et le port 80 n’est pas redirigé sur la machine 192.168.0.23 comme il devrait.
Ma patte externe est eth0 (IP du FAI), l’autre est 192.168.0.1.
Je ne sais pas ce qui bloque et j’ai le nez dedans depuis trop longtemps pour m’en sortir, merci de m’aider.
Voici le script:
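[code]#!/bin/bash
# Firewall init script for a two-interface NAT gateway: eth0 faces the ISP,
# eth1 faces the 192.168.0.0/24 LAN.  Usage: firewall {start|stop|restart|status}
#
# Troubleshooting: every filter chain ends with a LOG rule, so a packet that
# falls through to the end of a chain is written to the kernel log with the
# prefix "iptables: filt/input DROP: ", "iptables: filt/output DROP: " or
# "iptables: filt/forward DROP: " -- the prefix names the chain that rejected
# it.  The "iptables: nat/..." prefixes mean something else: the nat policies
# are ACCEPT and the nat LOG_DROP chain only logs, so a nat entry means "no
# DNAT/NAT rule matched this packet", not "dropped".

#######################################
# Load the rule set: default-deny filter policies, masquerading for the LAN,
# and DNAT of TCP 443/80/1194 arriving on the ISP side to three LAN hosts.
# Globals:   none (INET_INTERF / LAN1_INTERF are function-local)
# Arguments: none
# Outputs:   progress message on stdout; iptables errors on stderr
# Returns:   status of the final echo, i.e. 0
#######################################
start() {
  local INET_INTERF=eth0
  local LAN1_INTERF=eth1
  local table

  modprobe ip_conntrack
  modprobe ip_conntrack_ftp
  modprobe ip_tables
  echo 1 > /proc/sys/net/ipv4/ip_forward
  printf '%s' "Etablissement des règles IPTABLES…"

  # Start from an empty rule set: without this a second "start" (e.g. a
  # boot-time re-run on an already configured box) appends every rule a
  # second time and "iptables -N LOG_DROP" fails because the chain exists.
  for table in filter nat; do
    iptables -t "$table" -F
    iptables -t "$table" -X
  done

  # Default-deny on the filter table, accept-by-default on the nat table.
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT DROP
  iptables -t nat -P PREROUTING ACCEPT
  iptables -t nat -P POSTROUTING ACCEPT
  iptables -t nat -P OUTPUT ACCEPT

  # LOG_DROP: log, then drop.  The nat-table copy has no DROP rule and only
  # logs, so its "[IPTABLES DROP]" prefix is misleading for nat hits.
  iptables -N LOG_DROP
  iptables -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
  iptables -A LOG_DROP -j DROP
  iptables -t nat -N LOG_DROP
  iptables -t nat -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '

  # "allowed" is created but no rule below jumps to it (dead chain).
  iptables -N allowed
  iptables -A allowed -p TCP --syn -j ACCEPT
  iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A allowed -p TCP -j LOG_DROP

  # Loopback.
  iptables -A INPUT -p ALL -i lo -j ACCEPT
  iptables -A OUTPUT -p ALL -o lo -j ACCEPT

  # ISP side: any outbound connection, inbound only replies/related traffic.
  iptables -A OUTPUT -o "$INET_INTERF" -m state --state NEW -j ACCEPT
  iptables -A INPUT -p ALL -i "$INET_INTERF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -o "$INET_INTERF" -m state --state ESTABLISHED,RELATED -j ACCEPT

  # LAN side: fully trusted, plus the subnet broadcast address.
  iptables -A INPUT -p ALL -i "$LAN1_INTERF" -j ACCEPT
  iptables -A OUTPUT -p ALL -o "$LAN1_INTERF" -j ACCEPT
  iptables -A INPUT -d 192.168.0.255 -j ACCEPT
  iptables -A OUTPUT -d 192.168.0.255 -j ACCEPT

  # Masquerade in both directions.  Masquerading towards the LAN makes the
  # DNATed connections below appear to come from the firewall's LAN address
  # (192.168.0.1 per the post), so the LAN servers never log the real client.
  iptables -t nat -A POSTROUTING -o "$INET_INTERF" -j MASQUERADE
  iptables -t nat -A POSTROUTING -o "$LAN1_INTERF" -j MASQUERADE

  # Forwarding: anything entering or leaving on the LAN interface.
  iptables -A FORWARD -i "$LAN1_INTERF" -j ACCEPT
  iptables -A FORWARD -o "$LAN1_INTERF" -j ACCEPT

  # Port forwards from the ISP interface -- note 443 and 80 go to two
  # different hosts (.20 and .23).
  iptables -t nat -A PREROUTING -i "$INET_INTERF" -p tcp --dport 443 -j DNAT --to-destination 192.168.0.20:443
  iptables -t nat -A PREROUTING -i "$INET_INTERF" -p tcp --dport 80 -j DNAT --to-destination 192.168.0.23:80
  iptables -t nat -A PREROUTING -i "$INET_INTERF" -p tcp --dport 1194 -j DNAT --to-destination 192.168.0.21:1194

  # Catch-all logging at the end of every chain; in the filter table the
  # following LOG_DROP jump logs the same packet a second time before dropping.
  iptables -A INPUT -j LOG --log-level debug --log-prefix "iptables: filt/input DROP: " --log-ip-options
  iptables -A OUTPUT -j LOG --log-level debug --log-prefix "iptables: filt/output DROP: " --log-ip-options
  iptables -A FORWARD -j LOG --log-level debug --log-prefix "iptables: filt/forward DROP: " --log-ip-options
  iptables -t nat -A PREROUTING -j LOG --log-level debug --log-prefix "iptables: nat/prert. DROP: " --log-ip-options
  iptables -t nat -A POSTROUTING -j LOG --log-level debug --log-prefix "iptables: nat/postrt. DROP: " --log-ip-options
  iptables -t nat -A OUTPUT -j LOG --log-level debug --log-prefix "iptables: nat/output DROP: " --log-ip-options
  iptables -A INPUT -j LOG_DROP
  iptables -A OUTPUT -j LOG_DROP
  iptables -A FORWARD -j LOG_DROP
  iptables -t nat -A PREROUTING -j LOG_DROP
  iptables -t nat -A POSTROUTING -j LOG_DROP
  iptables -t nat -A OUTPUT -j LOG_DROP
  echo "ok."
}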
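#######################################
# Tear down the rule set: flush every chain of every loaded table, reset the
# built-in chains to ACCEPT, delete user chains and unload the modules.
# NOTE(review): after "stop" the host filters nothing -- every built-in
# policy is ACCEPT -- although forwarding is switched off.
# Globals:   none
# Arguments: none
# Outputs:   progress message on stdout; rmmod errors go to syslog (-s)
# Returns:   status of the final echo, i.e. 0
#######################################
stop() {
  local table c chain rest
  printf '%s' "Suppression des règles IPTABLES…"
  echo 0 > /proc/sys/net/ipv4/ip_forward
  while read -r table; do
    # "iptables -L -n" prints "Chain NAME (policy X)" for built-in chains and
    # "Chain NAME (N references)" for user chains.  Only built-in chains
    # accept -P; issuing it on a user chain makes iptables print an error.
    iptables -t "$table" -L -n | while read -r c chain rest; do
      [ "$c" = "Chain" ] || continue
      iptables -t "$table" -F "$chain"
      case "$rest" in
        "(policy "*) iptables -t "$table" -P "$chain" ACCEPT ;;
      esac
    done
    iptables -t "$table" -X
  done < /proc/net/ip_tables_names
  rmmod -s ipt_TCPMSS
  rmmod -s ipt_LOG
  rmmod -s ipt_MASQUERADE
  rmmod -s iptable_nat
  rmmod -s iptable_filter
  rmmod -s ip_conntrack_ftp
  rmmod -s ip_nat
  rmmod -s xt_state
  rmmod -s ip_conntrack
  rmmod -s ip_tables
  rmmod -s xt_tcpmss
  rmmod -s xt_tcpudp
  rmmod -s x_tables
  echo "ok."
}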
#######################################
# Print every loaded table with its rules and packet counters.
# Globals:   none
# Arguments: none
# Outputs:   "table NAME :" header, blank line, "iptables -L -v" listing and
#            a trailing blank line per table, on stdout
#######################################
status() {
  local table
  while read -r table; do
    printf 'table %s :\n\n' "$table"
    iptables -t "$table" -L -v
    echo
  done < /proc/net/ip_tables_names
}
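# Dispatch on the first argument.  The selector must be straight-quoted: with
# typographic quotes the word becomes "“start”" and no arm ever matches, so
# every invocation falls through to the usage message.
case "${1:-}" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    # Re-invoke the script so each phase runs in a fresh process.
    "$0" stop && "$0" start
    ;;
  status)
    status
    ;;
  *)
    echo "Usage: /etc/init.d/firewall {start|stop|restart|status}" >&2
    exit 1
    ;;
esac
exit 0[/code]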
Merci,
analog.