Help with NAT

I connect to the ISP over pppoe, everything worked fine, I set the connection up with pppoe-setup…
I'm connected over a UTP cable on eth0 192.168.0.1 netmask 255.255.255.0

I want to use this machine as a router so that another machine has internet, so I put another NIC into it:
eth1 192.168.1.1 netmask 255.255.255.0

Client eth0 192.168.1.2 netmask 255.255.255.0 gateway 192.168.0.1

The machines ping each other fine, so the network is ok, but when I need to pass the internet through to the client, i.e. 192.168.1.2, it won't work

here's the iptables

[quote]#!/bin/bash

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -F
iptables -X

# NAT on eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Forward everything
iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED -j ACCEPT

# Block everything else from outside
iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP[/quote]
Help welcome… :slight_smile:

Did you set the route and the DNS servers on that client?

route add default gw 192.168.1.1
echo "nameserver 195.222.32.20" > /etc/resolv.conf
echo "nameserver 4.2.2.2" >> /etc/resolv.conf

http://forum.linux.org.ba/viewtopic.php?id=3869

here's a script I used…

and definitely check what aldin said!

The client is Windows, I didn't touch DNS, do I need to?

It doesn't matter that it's Windows, you have to set the route and DNS on it

ps:
…or set up a DHCP server on that Linux box, so the Windows client gets it automatically

Avoid complications until your NAT works (that blocking part isn't right anyway)
I also think you didn't set the gateway correctly on that other machine, or I didn't understand your post properly.

Try something like this:

  • eth0, external interface, towards the internet (192.168.0.2/24)
  • eth1, towards the internal network (192.168.1.1/24)
    Obviously all machines we masquerade for must have 192.168.1.1 as their gateway

[code]#!/bin/sh

# enable forwarding, tell kernel we don't have static IP
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

# flush chains and delete user-defined chains
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# Forward all outgoing traffic from internal network
iptables -A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT

# Forward only related incoming traffic
iptables -A FORWARD -d 192.168.1.0/255.255.255.0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# masquerading
# One can masquerade using incoming interface name (-i eth1) or using source address (-s)
# This is the right way (TM)
iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -j MASQUERADE[/code]

So, to summarize…

Internet -> eth0 (ROUTER) eth1 -> eth0 (CLIENT)

ROUTER:

-eth0 ( ifconfig eth0 192.168.0.1 netmask 255.255.255.0 up)
-eth1 (ifconfig eth1 192.168.1.1 netmask 255.255.255.0 up)

CLIENT

-eth0 (ifconfig eth0 192.168.1.2 netmask 255.255.255.0 gateway 192.168.1.1)

And add that iptables from adis.

Tried it and it still won't work

[quote]root@mracnjak:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
inet addr:192.168.0.49 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::218:f3ff:fed4:4964/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1697 errors:0 dropped:0 overruns:0 frame:0
TX packets:1717 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:195409 (190.8 KiB) TX bytes:200683 (195.9 KiB)
Interrupt:12 Base address:0xe800

eth1 Link encap:Ethernet HWaddr 00:00:00:00:00:00
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::2e0:4cff:fe82:cf11/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:439 errors:0 dropped:0 overruns:0 frame:0
TX packets:321 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:37720 (36.8 KiB) TX bytes:39132 (38.2 KiB)
Interrupt:11 Base address:0xe400

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:24 errors:0 dropped:0 overruns:0 frame:0
TX packets:24 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2421 (2.3 KiB) TX bytes:2421 (2.3 KiB)

ppp0 Link encap:Point-to-Point Protocol
inet addr:x.x.x.x P-t-P:x.x.x.x Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1488 Metric:1
RX packets:1663 errors:0 dropped:0 overruns:0 frame:0
TX packets:1683 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:149516 (146.0 KiB) TX bytes:154714 (151.0 KiB)[/quote]

[quote]root@mracnjak:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
x.x.x.x 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 ppp0[/quote]

[code]#!/bin/bash

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -F
iptables -X

# Enable NAT on eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Forward everything arriving on eth1 out through eth0
iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow access to the ssh server from outside
iptables -A INPUT --protocol tcp --dport 22 -j ACCEPT

# Allow access to the HTTP server from outside
iptables -A INPUT --protocol tcp --dport 80 -j ACCEPT

# Block everything else from outside
iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP[/code]

here's how it was for me
http://forum.linux.org.ba/viewtopic.php?id=3059

ps:
again, did you configure that Windows machine properly (DNS)?

Everything looks ok, the only thing that comes to mind is: don't you have some iptables rules on that router machine from before? I would try commenting out the lines below "Block everything else from outside" and adding, below iptables -X:

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

Then, if it works, add the blocking later.
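An added example, not from this thread or any of its posters: a POSIX sh script that prints a complete stateful NAT ruleset in iptables-restore format (and loads it when run with the argument `apply`). It assumes the layout visible in the posted ifconfig and route -n output: the default route on the PPPoE interface ppp0 (MTU 1488) and the LAN 192.168.1.0/24 on eth1, so MASQUERADE is tied to the interface that actually carries the default route, with default DROP policies and MSS clamping for the PPPoE link.

```shell
#!/bin/sh
# Added example, not from the thread. Prints a stateful NAT ruleset in
# iptables-restore format. Assumed layout (from the posted ifconfig/route -n):
# default route on ppp0 (PPPoE, MTU 1488), LAN 192.168.1.0/24 on eth1.

# gen_rules WAN_IF LAN_IF LAN_NET -> ruleset on stdout
gen_rules() {
    wan="$1"; lan="$2"; net="$3"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# masquerade LAN sources only, on the interface that carries the default route
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# LAN hosts may reach the router itself (ssh, DNS); nothing new from $wan
-A INPUT -i $lan -s $net -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# PPPoE MTU < 1500: clamp MSS on outgoing SYNs so large transfers do not stall
-A FORWARD -i $lan -o $wan -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# only LAN sources may open new connections outward through $wan
-A FORWARD -i $lan -o $wan -s $net -j ACCEPT
COMMIT
EOF
}

# apply_rules: enable forwarding, then load the ruleset atomically (needs root)
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_rules ppp0 eth1 192.168.1.0/24 | iptables-restore
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    gen_rules ppp0 eth1 192.168.1.0/24   # dry run: show what would be loaded
fi
```

Run it without arguments first and read the generated ruleset; `iptables-restore` replaces the whole table set in one step, so leftover rules from earlier scripts cannot interfere.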