10
« il: Giugno 12, 2008, 09:45:58 am »
Allora, ho inserito le due regole ma se dal pc 1 con ip 192.168.1.100 collegato al router voglio accedere al pc dietro la fonera con ip 192.168.223 (Ip pc 192.168.2.150) non funziona. Dal pc dietro la fonera riesco ad entrare inserendo l'ip 192.168.1.100 e vedere le cartelle condivise. Io ho creato solo una regola che redirige tutto il traffico sull'Ip del pc dietrola Fonera e, funziona Vnc ecc. ma l'accesso alle cartelle condivise non v?, macredo che sia un problema di apparteneza a 2 sottoreti diverse. Saluti.
Ti allego il fine /etc/init.d/firewall.
#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org
## Please make changes in /etc/firewall.user
START=45
start() {
include /lib/network
scan_interfaces
config_get WAN wan ifname
config_get WANDEV wan device
config_get LAN lan ifname
config_get_bool NAT_LAN lan nat 1
if [ $NAT_LAN -ne 0 ]
then
config_get LAN_MASK lan netmask
config_get LAN_IP lan ipaddr
LAN_NET=$(/bin/ipcalc.sh $LAN_IP $LAN_MASK | grep NETWORK | cut -d= -f2)
fi
## CLEAR TABLES
for T in filter nat; do
iptables -t $T -F
iptables -t $T -X
done
iptables -N input_rule
iptables -N input_wan
iptables -N output_rule
iptables -N forwarding_rule
iptables -N forwarding_wan
iptables -t nat -N NEW
iptables -t nat -N prerouting_rule
iptables -t nat -N prerouting_wan
iptables -t nat -N postrouting_rule
iptables -N LAN_ACCEPT
[ -z "$WAN" ] || iptables -A LAN_ACCEPT -i "$WAN" -j RETURN
[ -z "$WANDEV" -o "$WANDEV" = "$WAN" ] || iptables -A LAN_ACCEPT -i "$WANDEV" -j RETURN
iptables -A LAN_ACCEPT -j ACCEPT
### INPUT
### (connections with the router as destination)
# base case
iptables -P INPUT DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP
#
# insert accept rule or to jump to new accept-check table here
#
iptables -A INPUT -j input_rule
[ -z "$WAN" ] || iptables -A INPUT -i $WAN -j input_wan
# allow
iptables -A INPUT -j LAN_ACCEPT # allow from lan/wifi interfaces
iptables -A INPUT -p icmp -j ACCEPT # allow ICMP
iptables -A INPUT -p gre -j ACCEPT # allow GRE
# reject (what to do with anything not allowed earlier)
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
### OUTPUT
### (connections with the router as source)
# base case
iptables -P OUTPUT DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# insert accept rule or to jump to new accept-check table here
#
iptables -A OUTPUT -j output_rule
# allow
iptables -A OUTPUT -j ACCEPT #allow everything out
# reject (what to do with anything not allowed earlier)
iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
### FORWARDING
### (connections routed through the router)
# base case
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# insert accept rule or to jump to new accept-check table here
#
iptables -A FORWARD -j forwarding_rule
[ -z "$WAN" ] || iptables -A FORWARD -i $WAN -j forwarding_wan
# allow
iptables -A FORWARD -i $LAN -o $LAN -j ACCEPT
iptables -A FORWARD -i $WAN -o $LAN -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
[ -z "$WAN" ] || iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
# reject (what to do with anything not allowed earlier)
# uses the default -P DROP
### MASQ
iptables -t nat -A PREROUTING -m state --state NEW -p tcp -j NEW
iptables -t nat -A PREROUTING -j prerouting_rule
[ -z "$WAN" ] || iptables -t nat -A PREROUTING -i "$WAN" -j prerouting_wan
iptables -t nat -A POSTROUTING -j postrouting_rule
### Only LAN, unless told not to
if [ $NAT_LAN -ne 0 ]
then
[ -z "$WAN" ] || iptables -t nat -A POSTROUTING --src $LAN_NET/$LAN_MASK -o $WAN -j MASQUERADE
fi
iptables -t nat -A NEW -m limit --limit 50 --limit-burst 100 -j RETURN && \
iptables -t nat -A NEW -j DROP
## USER RULES
[ -f /etc/firewall.user ] && . /etc/firewall.user
[ -n "$WAN" -a -e /etc/firewall.config ] && {
export WAN
awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/firewall.config | ash
}
}
stop() {
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t nat -X
}