Montando uma NAT pra uma maquina

[jricardo]

[size=18px]
Fala Galera...

Pessoal, estou tendo uns problemas, queria que uma maquina da minha rede interna se conecta-se diratamente a internet via uma NAT. O grande problema, faço a autenticação com o velox e me conecto a internet, e as outras maquinas acessam via Squid, mas essa maquina com o IP 10.0.0.10 queria q fosse direto.

As minhas configurações são essas:

[/size]
[size=9px]


eth0 Encapsulamento do Link: Ethernet Endereço de HW 00:50:04:71:FD:53
inet end.: 10.0.0.1 Bcast:10.255.255.255 Masc:255.0.0.0
UP BROADCASTRUNNING MULTICAST MTU:1500 Métrica:1
RX packets:69756 errors:0 dropped:0 overruns:0 frame:0
TX packets:94276 errors:0 dropped:0 overruns:0 carrier:0
colisões:0 txqueuelen:100
RX bytes:13412343 (12.7 MiB) TX bytes:85940697 (81.9 MiB)
IRQ:16 Endereço de E/S:0xec00

eth1 Encapsulamento do Link: Ethernet Endereço de HW 00:10:4B0:4E:98
UP BROADCASTRUNNING MULTICAST MTU:1500 Métrica:1
RX packets:80648 errors:0 dropped:0 overruns:0 frame:0
TX packets:79273 errors:0 dropped:0 overruns:0 carrier:0
colisões:0 txqueuelen:100
RX bytes:68943064 (65.7 MiB) TX bytes:11699902 (11.1 MiB)
IRQ:17 Endereço de E/S:0xe800

ppp0 Encapsulamento do Link: Protocolo Ponto-a-Ponto
inet end.: 200.25.82.3 P-a-P:200.217.72.80 Masc:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Métrica:1
RX packets:80109 errors:0 dropped:0 overruns:0 frame:0
TX packets:78731 errors:0 dropped:0 overruns:0 carrier:0
colisões:0 txqueuelen:3
RX bytes:67110165 (64.0 MiB) TX bytes:9935207 (9.4 MiB)



*mangle
:PREROUTING ACCEPT [147112:78214784]
:INPUT ACCEPT [145889:77532512]
:FORWARD ACCEPT [1102:653874]
:OUTPUT ACCEPT [170652:92943761]
:POSTROUTING ACCEPT [171744:93597155]
COMMIT
# Completed on Fri Jul 1 15:32:55 2005
# Generated by iptables-save v1.2.6a on Fri Jul 1 15:32:55 2005
*filter
:INPUT DROP [292:93950]
:FORWARD DROP [10:480]
:OUTPUT DROP [0:0]
:allow_services - [0:0]
:allowed - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_packets - [0:0]
:udpincoming_packets - [0:0]
-A INPUT -s 0.0.0.0 -i eth0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -p tcp -j bad_tcp_packets
-A INPUT -i ppp0 -p icmp -j icmp_packets
-A INPUT -i ppp0 -p tcp -j tcp_packets
-A INPUT -i ppp0 -p udp -j udpincoming_packets
-A INPUT -d 10.255.255.255 -i eth0 -j ACCEPT
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s 10.0.0.1 -i lo -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/255.0.0.0 -i eth0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -j bad_tcp_packets
-A FORWARD -i eth0 -j allow_services
-A FORWARD -m state --state RELATED,ESTABLISHED -j allow_services
-A OUTPUT -p tcp -j bad_tcp_packets
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 10.0.0.1 -j ACCEPT
-A OUTPUT -j ACCEPT
-A allow_services -p tcp -m tcp --dport 25 -j ACCEPT
-A allow_services -p tcp -m tcp --dport 110 -j ACCEPT
-A allow_services -p tcp -m tcp --dport 143 -j ACCEPT
-A allow_services -p tcp -m tcp --dport 993 -j ACCEPT
-A allow_services -p tcp -m tcp --dport 995 -j ACCEPT
-A allow_services -p tcp -m tcp --dport 23 -j ACCEPT
-A allow_services -p tcp -m tcp --dport 22 -j ACCEPT
-A allow_services -p udp -m udp --dport 22 -j ACCEPT
-A allow_services -p tcp -m tcp --dport 53 -j ACCEPT
-A allow_services -p udp -m udp --dport 53 -j ACCEPT
-A allow_services -p tcp -m tcp --dport 3456 -j ACCEPT
-A allow_services -p tcp -m tcp --sport 25 -j ACCEPT
-A allow_services -p tcp -m tcp --sport 110 -j ACCEPT
-A allow_services -p tcp -m tcp --sport 143 -j ACCEPT
-A allow_services -p tcp -m tcp --sport 993 -j ACCEPT
-A allow_services -p tcp -m tcp --sport 995 -j ACCEPT
-A allow_services -p tcp -m tcp --sport 23 -j ACCEPT
-A allow_services -p tcp -m tcp --sport 22 -j ACCEPT
-A allow_services -p udp -m udp --sport 22 -j ACCEPT
-A allow_services -p tcp -m tcp --sport 53 -j ACCEPT
-A allow_services -p udp -m udp --sport 53 -j ACCEPT
-A allow_services -p tcp -m tcp --sport 3456 -j ACCEPT
-A allow_services -p icmp -j ACCEPT
-A allow_services -s 10.0.0.101 -j ACCEPT
-A allow_services -d 10.0.0.101 -j ACCEPT
-A allow_services -s 200.201.174.207 -j ACCEPT
-A allow_services -d 200.201.174.207 -j ACCEPT
-A allow_services -s 10.0.0.5 -j ACCEPT
-A allow_services -d 10.0.0.5 -j ACCEPT
-A allowed -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A allowed -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A allowed -p tcp -j DROP
-A bad_tcp_packets -p tcp -m state --state NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j DROP
-A bad_tcp_packets -s 192.168.0.0/255.255.0.0 -i ppp0 -j DROP
-A bad_tcp_packets -s 10.0.0.0/255.0.0.0 -i ppp0 -j DROP
-A bad_tcp_packets -s 172.16.0.0/255.240.0.0 -i ppp0 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A tcp_packets -p tcp -m tcp --dport 21 -j allowed
-A tcp_packets -p tcp -m tcp --dport 22 -j allowed
-A tcp_packets -p tcp -m tcp --dport 80 -j allowed
-A tcp_packets -p tcp -m tcp --dport 113 -j allowed
-A udpincoming_packets -p udp -m udp --sport 53 -j ACCEPT
COMMIT
# Completed on Fri Jul 1 15:32:55 2005
# Generated by iptables-save v1.2.6a on Fri Jul 1 15:32:55 2005
*nat
:PREROUTING ACCEPT [3806:408740]
:POSTROUTING ACCEPT [6:504]
:OUTPUT ACCEPT [4730:285412]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT

[/size]

[size=18px]Alguem poderia me ajudar a criar a rega no iptables pra isso??

Valeu galera....[/size]

[jricardo]

A regra que eu usava no ipfwadm era:
-F -i accept -m -P tcp -S 10.0.0.0/8 1024:65535 -D 200.201.174.0/24) 80

porque, somente me interresa acesso as essas maquinas, mas não consegui passar essa regra pro iptables.

Alguém pode me ajudar, por favor.....

[PiTsA]

#acessar sem passar pelo squid
iptables -t nat -A PREROUTING -p TCP -s 192.168.1.69 -d 0/0 --dport 80 -j ACCEPT
#liberar forward de portas caso elas estejam bloqueadas
iptables -A FORWARD -s 192.168.1.69 --protocol tcp --source-port 1024:65535 -j ACCEPT
iptables -A FORWARD -s 192.168.1.69 --protocol udp --source-port 1024:65535 -j ACCEPT

essas regars deverão estar acima da regra de redirecionamento de porta do squid... acho que ira funcionar assim...