OK, full-scale test.
service iptables stop
then copy-paste of the SNAT command line followed by an angry press on the Enter key 🙂 and it's no good.
The lines
iptables -L -t nat and
iptables -L -t filter give the right information.
From XP I can ping 192.168.0.254, 192.168.168.254 and the IP address assigned by the ISP to ppp0 fine, but not 194.2.0.20 (100% packet loss).
I didn't do the tcpdump test (a bit pressed for time), and I launch firestarter, tell it that ppp0 is the Internet access and eth1 the local network access, tick DHCP access for both, and it works!
iptables -L -t nat gives:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
which should translate to the command:
iptables -t nat -A POSTROUTING -s 0.0.0.0/24 -o ppp0 -j MASQUERADE -to-source 0.0.0.0/24
is that right?
and
iptables -L -t filter
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- ns3.wanadoo.fr anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT udp -- ns3.wanadoo.fr anywhere
ACCEPT tcp -- ns4.wanadoo.fr anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT udp -- ns4.wanadoo.fr anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere limit: avg 10/sec burst 5
DROP all -- anywhere 255.255.255.255
DROP all -- 255.255.255.255 anywhere
DROP all -- anywhere default
DROP all -- anywhere anywhere state INVALID
LSI all -f anywhere anywhere limit: avg 10/min burst 5
INBOUND all -- anywhere anywhere
INBOUND all -- anywhere 192.168.0.254
INBOUND all -- anywhere ABayonne-256-1-41-166.w90-30.abo.wanadoo.fr
INBOUND all -- anywhere 192.168.0.255
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Unknown Input'
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere limit: avg 10/sec burst 5
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
OUTBOUND all -- anywhere anywhere
ACCEPT tcp -- anywhere 192.168.0.0/24 state RELATED,ESTABLISHED
ACCEPT udp -- anywhere 192.168.0.0/24 state RELATED,ESTABLISHED
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Unknown Forward'
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- ABayonne-256-1-41-166.w90-30.abo.wanadoo.fr ns3.wanadoo.fr tcp dpt:domain
ACCEPT udp -- ABayonne-256-1-41-166.w90-30.abo.wanadoo.fr ns3.wanadoo.fr udp dpt:domain
ACCEPT tcp -- ABayonne-256-1-41-166.w90-30.abo.wanadoo.fr ns4.wanadoo.fr tcp dpt:domain
ACCEPT udp -- ABayonne-256-1-41-166.w90-30.abo.wanadoo.fr ns4.wanadoo.fr udp dpt:domain
ACCEPT all -- anywhere anywhere
DROP all -- 255.255.255.255 anywhere
DROP all -- anywhere default
DROP all -- anywhere anywhere state INVALID
OUTBOUND all -- anywhere anywhere
OUTBOUND all -- anywhere anywhere
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Unknown Output'
Chain INBOUND (4 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
LSI all -- anywhere anywhere
Chain LOG_FILTER (5 references)
target prot opt source destination
Chain LSI (2 references)
target prot opt source destination
LOG_FILTER all -- anywhere anywhere
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST
LOG icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP icmp -- anywhere anywhere icmp echo-request
LOG all -- anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Inbound '
DROP all -- anywhere anywhere
Chain LSO (0 references)
target prot opt source destination
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Outbound '
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTBOUND (3 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
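A note on reading the nat listing above: plain `iptables -L` omits the in/out interface columns unless you add `-v`, so the `-o ppp0` of the MASQUERADE rule is simply not displayed; `iptables -t nat -S` prints every rule in command form and is the reliable way to recover it. MASQUERADE also takes no `--to-source` option (that belongs to `-j SNAT`, for a fixed public address); on a ppp0 link whose address is assigned by the ISP, MASQUERADE is the right target because it picks up the current address itself. The script below is added here by the editor and is not part of the original post nor firestarter's own code: it is a minimal hand-written equivalent of the NAT and forwarding rules firestarter generated. The interface names ppp0/eth1 and the LAN 192.168.0.0/24 are taken from the post; the rule layout is an assumption. By default it only prints the commands (dry run); run it with DRY_RUN=0 as root to apply them.

```shell
#!/bin/sh
# Added example (editor's code, not firestarter's): hand-written NAT + forwarding
# rules for a PPP router. ppp0/eth1/192.168.0.0/24 come from the post; the
# ruleset itself is an assumption about what a minimal equivalent looks like.
WAN_IF="${WAN_IF:-ppp0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
IPT="${IPT:-iptables}"

# Dry run (default): print each command instead of executing it, so the rule
# set can be reviewed or tested on a machine without root or iptables.
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Routing must be enabled or FORWARD rules never see any packet.
enable_forwarding() {
  run sysctl -w net.ipv4.ip_forward=1
}

# SNAT for a dynamic address: MASQUERADE reads the current ppp0 address, so
# no --to-source is given (that option exists only for -j SNAT).
nat_rules() {
  run "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

forward_rules() {
  run "$IPT" -P FORWARD DROP
  # Same MSS clamp as the TCPMSS rule in firestarter's FORWARD chain: PPP links
  # have a smaller MTU and without it large TCP transfers stall.
  run "$IPT" -A FORWARD -o "$WAN_IF" -p tcp --tcp-flags SYN,RST SYN \
      -j TCPMSS --clamp-mss-to-pmtu
  # LAN -> Internet, only for our own subnet arriving on the LAN interface
  # (rejects spoofed sources and anything trying to route through ppp0 back out).
  run "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
  # Internet -> LAN only for flows conntrack already knows (replies, FTP data, ...).
  run "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
      -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Print (or, with DRY_RUN=0, apply) the whole rule set.
enable_forwarding
nat_rules
forward_rules
```

Check the result with `iptables -t nat -S` and `iptables -S FORWARD` rather than `-L`: the `-S` form shows the `-o ppp0` / `-i eth1` matches that the plain listing hides, and is exactly the text you would paste back into a script.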