
iptables is configured from the command line. Each command adds a single rule to the filter table, which is split into chains; the main ones are INPUT, OUTPUT and FORWARD. The INPUT chain is evaluated for every packet addressed to the local host and the OUTPUT chain for every packet generated by it; the FORWARD chain is evaluated for every packet that is routed through the host to another one. Within a chain the rules are evaluated in order: the first matching rule with a terminating target (ACCEPT or DROP) decides the fate of the packet, while LOG is non-terminating, so a packet that matches a LOG rule is recorded and continues to the next rule. This is why every ruleset below places its LOG rule directly before the DROP rule that follows it. All command sets are given in bash syntax.

3.5.3.1 Ruleset 1

This is the realisation of the first ruleset 3.5.1.1 defined on page 62. In this configuration the firewall allows all the traffic.

iptables -A INPUT -j ACCEPT
iptables -A FORWARD -j ACCEPT
iptables -A OUTPUT -j ACCEPT

3.5.3.2 Ruleset 2

This is the realisation of the second ruleset 3.5.1.2 defined on page 62. In this configuration the firewall logs and then drops all traffic on all three chains.

iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
iptables -A FORWARD -j LOG
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j LOG
iptables -A OUTPUT -j DROP

3.5.3.3 Ruleset 3

This is the realisation of the third ruleset 3.5.1.3 defined on page 62. In this configuration the firewall allows all traffic and activates PAT (port address translation, implemented with the nat table) on the right interface: packets leaving through eth0 are masqueraded with the address of that interface, and connections arriving on eth0 for TCP port 5001 and UDP port 5000 are forwarded to 192.168.100.4 and 192.168.100.1 respectively.

iptables -A INPUT -j ACCEPT
iptables -A FORWARD -j ACCEPT
iptables -A OUTPUT -j ACCEPT

# rewrite the source address of everything leaving through eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# port forwarding for connections arriving on eth0
iptables -t nat -A PREROUTING -i eth0 --protocol tcp --dport 5001 \
    -j DNAT --to-destination 192.168.100.4:5001
iptables -t nat -A PREROUTING -i eth0 --protocol udp --dport 5000 \
    -j DNAT --to-destination 192.168.100.1:5000

3.5.3.4 Ruleset 4

This is the realisation of the fourth ruleset 3.5.1.4 defined on page 62. Traffic to and from the firewall itself is only accepted on eth2; forwarded traffic is restricted to the listed services, and replies to accepted connections are let through by the two ESTABLISHED rules at the end of the FORWARD chain, before everything else is logged and dropped.

LEFT=192.168.100.
RIGHT=192.168.101.
LEFTALL=192.168.100.0/24
RIGHTALL=192.168.101.0/24

# traffic to and from the firewall itself: only eth2 is accepted
iptables -A INPUT -i eth2 -j ACCEPT
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
iptables -A OUTPUT -o eth2 -j ACCEPT
iptables -A OUTPUT -j LOG
iptables -A OUTPUT -j DROP

# forwarded traffic, per service
iptables -A FORWARD -p tcp -s ${LEFTALL} -d ${RIGHTALL} \
    --destination-port 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p udp -s ${LEFTALL} -d ${RIGHT}1 \
    --destination-port 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -s ${RIGHTALL} -d ${LEFT}1 \
    --destination-port 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -s ${RIGHTALL} -d ${LEFTALL} \
    --destination-port 7 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -s ${RIGHTALL} -d ${LEFTALL} \
    --destination-port 5000:5100 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p udp -s ${RIGHTALL} -d ${LEFTALL} \
    --destination-port 5000:5100 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -s ${LEFTALL} -d ${RIGHTALL} \
    --destination-port 5000:5100 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p udp -s ${LEFTALL} -d ${RIGHTALL} \
    --destination-port 5000:5100 -m state --state NEW,ESTABLISHED -j ACCEPT

# replies to accepted connections, then log and drop everything else
iptables -A FORWARD -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -j LOG
iptables -A FORWARD -j DROP

3.5.3.5 Ruleset 5

This is the realisation of the fifth ruleset 3.5.1.5 defined on page 63.

LEFT=192.168.100.
RIGHT=192.168.101.
LEFTALL=192.168.100.0/24
RIGHTALL=192.168.101.0/24

iptables -A INPUT -i eth2 -j ACCEPT
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
iptables -A OUTPUT -o eth2 -j ACCEPT
iptables -A OUTPUT -j LOG
iptables -A OUTPUT -j DROP

# ICMP
iptables -A FORWARD -p icmp -s ${LEFTALL} -d ${RIGHTALL} -j ACCEPT
# assumed: only "-j ACCEPT" of the following rule is legible on the extracted
# page; the reverse direction is the reading that fits the other rule pairs
iptables -A FORWARD -p icmp -s ${RIGHTALL} -d ${LEFTALL} -j ACCEPT

# DNS
iptables -A FORWARD -p udp -s ${LEFTALL} -d ${RIGHT}1 --destination-port 53 -j ACCEPT
iptables -A FORWARD -p udp -s ${LEFTALL} -d ${RIGHT}2 --destination-port 53 -j ACCEPT
iptables -A FORWARD -p udp -s ${LEFTALL} -d ${RIGHT}3 --destination-port 53 -j ACCEPT

# HTTP
iptables -A FORWARD -p tcp -s ${LEFTALL} -d ${RIGHTALL} --destination-port 80 -j ACCEPT
iptables -A FORWARD -p tcp -s ${RIGHTALL} -d ${LEFT}1 --destination-port 80 -j ACCEPT
iptables -A FORWARD -p tcp -s ${RIGHTALL} -d ${LEFT}2 --destination-port 80 -j ACCEPT
iptables -A FORWARD -p tcp -s ${RIGHTALL} -d ${LEFT}3 --destination-port 80 -j ACCEPT

# SMTP
iptables -A FORWARD -p tcp -s ${LEFT}6 -d ${RIGHTALL} --destination-port 25 -j ACCEPT
iptables -A FORWARD -p tcp -s ${LEFT}7 -d ${RIGHTALL} --destination-port 25 -j ACCEPT
iptables -A FORWARD -p tcp -s ${RIGHTALL} -d ${LEFT}6 --destination-port 25 -j ACCEPT
iptables -A FORWARD -p tcp -s ${RIGHTALL} -d ${LEFT}7 --destination-port 25 -j ACCEPT

# SSH: the two DROP rules must stay in front of the general RIGHTALL -> LEFTALL
# ACCEPT; rules are matched in order, so behind the ACCEPT they would never be hit
iptables -A FORWARD -p tcp -s ${RIGHTALL} -d ${LEFT}6 --destination-port 22 -j DROP
iptables -A FORWARD -p tcp -s ${RIGHTALL} -d ${LEFT}7 --destination-port 22 -j DROP
iptables -A FORWARD -p tcp -s ${LEFTALL} -d ${RIGHTALL} --destination-port 22 -j ACCEPT
iptables -A FORWARD -p tcp -s ${RIGHTALL} -d ${LEFTALL} --destination-port 22 -j ACCEPT

# TEST_PROTO
iptables -A FORWARD -p tcp -s ${LEFTALL} -d ${RIGHTALL} --destination-port 5000:5100 -j ACCEPT
iptables -A FORWARD -p udp -s ${LEFTALL} -d ${RIGHTALL} --destination-port 5000:5100 -j ACCEPT
iptables -A FORWARD -p tcp -s ${RIGHTALL} -d ${LEFTALL} --destination-port 5000:5100 -j ACCEPT
iptables -A FORWARD -p udp -s ${RIGHTALL} -d ${LEFTALL} --destination-port 5000:5100 -j ACCEPT

# established links
# assumed: the two ESTABLISHED rules that rulesets 4 and 6 carry under this same
# comment are not legible on the extracted page; without them the replies to the
# connections accepted above would fall through to the final DROP
iptables -A FORWARD -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -j LOG
iptables -A FORWARD -j DROP
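Two properties of these rulesets are easy to get wrong when reading them: rules are matched in order, so the SSH DROP rules for ${LEFT}6 and ${LEFT}7 only work because they precede the general RIGHTALL -> LEFTALL ACCEPT, and the per-service rules only match the first packet of a connection in one direction, so the reply packets are let through solely by the ESTABLISHED catch-all rules that close the FORWARD chain of rulesets 4 and 6. The following is an added example, not code from the page: a small first-match evaluator for a FORWARD chain that models just the matches used here (-p, -s, -d, --destination-port, -m state --state) and the ACCEPT, DROP and LOG targets. It does not call iptables; the chain, the host addresses and the sample packets are constructed from the SSH and HTTP sections of ruleset 5 plus the ESTABLISHED rules of ruleset 6.

```python
"""First-match evaluation of a FORWARD chain modelled on rulesets 5 and 6.

Added example; it does not run iptables. Addresses and packets are the
page's 192.168.100.0/24 (LEFT) and 192.168.101.0/24 (RIGHT) networks.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

LEFTALL = ipaddress.ip_network("192.168.100.0/24")
RIGHTALL = ipaddress.ip_network("192.168.101.0/24")


def host(addr: str) -> ipaddress.IPv4Network:
    """A single host as a /32, like '-d 192.168.100.6' in iptables."""
    return ipaddress.ip_network(addr + "/32")


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    state: str = "NEW"      # conntrack's view: "NEW" or "ESTABLISHED"


@dataclass(frozen=True)
class Rule:
    target: str                                   # ACCEPT, DROP or LOG
    proto: Optional[str] = None                   # -p
    src: Optional[ipaddress.IPv4Network] = None   # -s
    dst: Optional[ipaddress.IPv4Network] = None   # -d
    dports: Optional[Tuple[int, int]] = None      # --destination-port lo:hi
    states: Optional[Tuple[str, ...]] = None      # -m state --state a,b

    def matches(self, p: Packet) -> bool:
        """Every selector that is set must match; an unset selector matches all."""
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in self.dst:
            return False
        if self.dports is not None and not (self.dports[0] <= p.dport <= self.dports[1]):
            return False
        if self.states is not None and p.state not in self.states:
            return False
        return True


def evaluate(chain: List[Rule], p: Packet, policy: str = "ACCEPT"):
    """Walk the chain in order. LOG is non-terminating (record and continue);
    the first matching ACCEPT or DROP ends evaluation. Returns
    (verdict, index of the deciding rule or None for the policy, logged)."""
    logged = False
    for i, rule in enumerate(chain):
        if not rule.matches(p):
            continue
        if rule.target == "LOG":
            logged = True
            continue
        return rule.target, i, logged
    return policy, None, logged


def forward_chain(with_established: bool, drops_first: bool = True) -> List[Rule]:
    """HTTP and SSH rules of ruleset 5, optionally followed by the ESTABLISHED
    catch-all of ruleset 6, then the closing LOG and DROP."""
    http = [
        Rule("ACCEPT", "tcp", LEFTALL, RIGHTALL, (80, 80)),
        Rule("ACCEPT", "tcp", RIGHTALL, host("192.168.100.1"), (80, 80)),
    ]
    ssh_drops = [
        Rule("DROP", "tcp", RIGHTALL, host("192.168.100.6"), (22, 22)),
        Rule("DROP", "tcp", RIGHTALL, host("192.168.100.7"), (22, 22)),
    ]
    ssh_accepts = [
        Rule("ACCEPT", "tcp", LEFTALL, RIGHTALL, (22, 22)),
        Rule("ACCEPT", "tcp", RIGHTALL, LEFTALL, (22, 22)),
    ]
    chain = http + (ssh_drops + ssh_accepts if drops_first else ssh_accepts + ssh_drops)
    if with_established:
        chain += [Rule("ACCEPT", "tcp", states=("ESTABLISHED",)),
                  Rule("ACCEPT", "udp", states=("ESTABLISHED",))]
    return chain + [Rule("LOG"), Rule("DROP")]


def ssh_verdict(dst_host: str, drops_first: bool = True):
    """A new SSH connection from a right-hand host to dst_host."""
    syn = Packet("tcp", "192.168.101.3", dst_host, 22)
    return evaluate(forward_chain(True, drops_first), syn)


def http_reply_verdict(with_established: bool):
    """SYN/ACK from the web server 192.168.100.1:80 back to a client's
    ephemeral port; conntrack already classifies it as ESTABLISHED."""
    reply = Packet("tcp", "192.168.100.1", "192.168.101.3", 40000, "ESTABLISHED")
    return evaluate(forward_chain(with_established), reply)


if __name__ == "__main__":
    print("ssh -> .6, DROPs first:   ", ssh_verdict("192.168.100.6"))
    print("ssh -> .5, DROPs first:   ", ssh_verdict("192.168.100.5"))
    print("ssh -> .6, DROPs last:    ", ssh_verdict("192.168.100.6", drops_first=False))
    print("http reply, with ESTAB.:  ", http_reply_verdict(True))
    print("http reply, no ESTAB.:    ", http_reply_verdict(False))
```

With the DROP rules in front, the SSH attempt to 192.168.100.6 is decided by rule 2 (DROP) and the one to 192.168.100.5 by the general ACCEPT; swap the order and the same packet to .6 is accepted by the general rule while the two DROP rules become dead rules that can never match. The HTTP reply matches none of the per-service rules, since its destination port is the client's ephemeral port, and is accepted only by the ESTABLISHED catch-all; without it the reply is logged and dropped, which is the failure a practitioner sees as "connections hang after the SYN".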

3.5.3.6 Ruleset 6

This is the realisation of the sixth ruleset 3.5.1.6 defined on page 64. The script takes one argument, $1, the number of passes of the outer loop. In every pass the inner loop adds, for each of the seven hosts ${LEFT}1 to ${LEFT}7, one TCP and one UDP rule for the next destination port above 20000, so each pass appends 14 rules to the FORWARD chain and the port counter PORT runs on across passes. The TEST_PROTO rules and the ESTABLISHED, LOG and DROP rules follow after the loop, as in ruleset 4.

LEFT=192.168.100.    # assumed: missing on the extracted page, but used below and identical in rulesets 4, 5 and 7
RIGHT=192.168.101.
LEFTALL=192.168.100.0/24
RIGHTALL=192.168.101.0/24

iptables -A INPUT -i eth2 -j ACCEPT
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
iptables -A OUTPUT -o eth2 -j ACCEPT
iptables -A OUTPUT -j LOG
iptables -A OUTPUT -j DROP

# $1 = number of passes; every pass adds 14 rules, one TCP and one UDP rule per left-hand host
PORT=1
for currentLoop in $(seq 1 $1); do
    for number in $(seq 1 7); do
        iptables -A FORWARD -p tcp -s ${RIGHTALL} -d ${LEFT}${number} \
            --destination-port $((20000+${PORT})) \
            -m state --state NEW,ESTABLISHED -j ACCEPT
        iptables -A FORWARD -p udp -s ${RIGHTALL} -d ${LEFT}${number} \
            --destination-port $((20000+${PORT})) \
            -m state --state NEW,ESTABLISHED -j ACCEPT
        PORT=$((PORT + 1))
    done
done

# TEST_PROTO
iptables -A FORWARD -p tcp -s ${LEFTALL} -d ${RIGHTALL} \
    --destination-port 5000:5100 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -s ${RIGHTALL} -d ${LEFTALL} \
    --destination-port 5000:5100 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p udp -s ${RIGHTALL} -d ${LEFTALL} \
    --destination-port 5000:5100 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p udp -s ${LEFTALL} -d ${RIGHTALL} \
    --destination-port 5000:5100 -m state --state NEW,ESTABLISHED -j ACCEPT

# established links
iptables -A FORWARD -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -j LOG
iptables -A FORWARD -j DROP

3.5.3.7 Ruleset 7

This is the realisation of the seventh ruleset 3.5.1.7 defined on page 64. The script takes one argument, $1: forwarded TCP and UDP traffic from the first $1 right-hand hosts (${RIGHT}1 up to ${RIGHT}$1) is logged and then accepted, traffic from the remaining hosts is accepted without logging. As given here the OUTPUT chain has no ACCEPT rule for eth2, and the FORWARD chain has no closing LOG and DROP rules, so a packet that matches none of the rules added in the loop is handled by the chain's default policy.

LEFT=192.168.100.
RIGHT=192.168.101.
LEFTALL=192.168.100.0/24
RIGHTALL=192.168.101.0/24

iptables -A INPUT -i eth2 -j ACCEPT
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
iptables -A OUTPUT -j LOG
iptables -A OUTPUT -j DROP

# $1 = number of right-hand hosts whose forwarded traffic is logged before it is accepted
for number in $(seq 1 7); do
    if [ $number -gt $1 ]; then
        iptables -A FORWARD -p tcp -s ${RIGHT}${number} -d ${LEFTALL} -j ACCEPT
        iptables -A FORWARD -p udp -s ${RIGHT}${number} -d ${LEFTALL} -j ACCEPT
    else
        iptables -A FORWARD -p tcp -s ${RIGHT}${number} -d ${LEFTALL} -j LOG
        iptables -A FORWARD -p tcp -s ${RIGHT}${number} -d ${LEFTALL} -j ACCEPT
        iptables -A FORWARD -p udp -s ${RIGHT}${number} -d ${LEFTALL} -j LOG
        iptables -A FORWARD -p udp -s ${RIGHT}${number} -d ${LEFTALL} -j ACCEPT
    fi
done
