GRE, ACCESS LIST & IPTABLES

David Armando hace 8 años



IPTABLES

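#!/bin/sh
# Lab gateway (this host is 30.30.30.1): routes between the wlan0 LAN
# (30.30.30.0/24) and the eth0 uplink (40.40.40.0/24, gateway 40.40.40.254)
# and enforces a default-deny filter. Each protected LAN host gets its own
# FORWARD chain holding an explicit allow-list; anything not listed there
# falls through to the FORWARD DROP policy.
#
# Run as root. Existing filter rules and user chains are flushed first so
# the script can be re-run without appending duplicate rules or failing on
# "iptables -N" for a chain that already exists.

LAN_IF=wlan0
WAN_IF=eth0
GW_ADDR=30.30.30.1

# Enable IPv4 forwarding for this boot only (not persisted in sysctl.conf).
echo 1 > /proc/sys/net/ipv4/ip_forward

# Routes. Fixed: the original had a stray "net" word before "netmask",
# which route(8) rejects with its usage text. If the interfaces already
# carry these /24 addresses the kernel has added the connected routes
# itself and route(8) reports "File exists"; that is harmless here.
route add -net 30.30.30.0 netmask 255.255.255.0 dev "$LAN_IF"
route add -net 40.40.40.0 netmask 255.255.255.0 dev "$WAN_IF"
route add default gw 40.40.40.254 "$WAN_IF"

# Start from a clean filter table, then default-deny inbound and transit.
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Loopback must be allowed explicitly under a DROP policy, otherwise local
# services that talk to 127.0.0.1 break (this rule was missing originally).
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Broad rule: anything from the wlan0 LAN may reach this host. It makes the
# per-host 30.30.30.x INPUT rules further down redundant; they are kept so
# the allow-list still holds if this line is ever narrowed.
iptables -A INPUT -s 30.30.30.0/24 -i "$LAN_IF" -j ACCEPT

# new_host_chain HOST CHAIN: create CHAIN, send all transit traffic to or
# from HOST through it, and let replies to HOST's own connections through.
new_host_chain() {
    iptables -N "$2"
    iptables -A FORWARD -s "$1" -j "$2"
    iptables -A FORWARD -d "$1" -j "$2"
    iptables -A "$2" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

new_host_chain 30.30.30.11 FWD-30-1
new_host_chain 30.30.30.22 FWD-30-2

# 30.30.30.11: http, ping and ssh to 20.20.20.20; telnet to 100.100.100.100
# and 200.200.200.200 (telnet is cleartext -- acceptable in this lab only).
iptables -A FWD-30-1 -s 30.30.30.11 -d 20.20.20.20 -p tcp --dport 80 -j ACCEPT
iptables -A FWD-30-1 -s 30.30.30.11 -d 20.20.20.20 -p icmp --icmp-type echo-request -j ACCEPT
iptables -A FWD-30-1 -s 30.30.30.11 -d 100.100.100.100 -p tcp --dport 23 -j ACCEPT
iptables -A FWD-30-1 -s 30.30.30.11 -d 200.200.200.200 -p tcp --dport 23 -j ACCEPT
iptables -A FWD-30-1 -s 30.30.30.11 -d 20.20.20.20 -p tcp --dport 22 -j ACCEPT

# 30.30.30.22: as above plus the ftp control channel (21) to 20.20.20.20.
# NOTE(review): ftp data connections are only matched by RELATED when the
# ftp conntrack helper is loaded, which this script does not do.
iptables -A FWD-30-2 -s 30.30.30.22 -d 20.20.20.20 -p tcp --dport 80 -j ACCEPT
iptables -A FWD-30-2 -s 30.30.30.22 -d 20.20.20.20 -p tcp --dport 21 -j ACCEPT
iptables -A FWD-30-2 -s 30.30.30.22 -d 20.20.20.20 -p icmp --icmp-type echo-request -j ACCEPT
iptables -A FWD-30-2 -s 30.30.30.22 -d 100.100.100.100 -p tcp --dport 23 -j ACCEPT
iptables -A FWD-30-2 -s 30.30.30.22 -d 200.200.200.200 -p tcp --dport 23 -j ACCEPT
iptables -A FWD-30-2 -s 30.30.30.22 -d 20.20.20.20 -p tcp --dport 22 -j ACCEPT

# Management access to this gateway: ssh (22) and telnet (23) from the four
# lab hosts. The duplicated 30.30.30.22 port-22 rule of the original is
# dropped; every (host, port) pair is added exactly once.
for host in 30.30.30.11 30.30.30.22 10.10.10.11 10.10.10.22; do
    for port in 22 23; do
        iptables -A INPUT -s "$host" -d "$GW_ADDR" -p tcp --dport "$port" -j ACCEPT
    done
done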

ACCESS LIST

! Router configuration for the ACL part of the lab: one extended ACL (110)
! is applied inbound on the 10.10.10.0/24 LAN interface and outbound on the
! serial uplink, and a static route points at the 30.30.30.0/24 LAN.
! NOTE(review): "enable password" stores the privileged password in a
! reversible form; "enable secret" hashes it. "cisco" is a lab sample value.
enable password cisco

!

! Loopback0 is the 200.200.200.200 host that ACL 110 permits telnet to.
interface Loopback0

 ip address 200.200.200.200 255.255.255.0

!

interface Embedded-Service-Engine0/0

 no ip address

 shutdown

!

! LAN side (10.10.10.0/24). ACL 110 filters packets as they enter here,
! including packets addressed to the router itself.
interface GigabitEthernet0/0

 ip address 10.10.10.254 255.255.255.0

 ip access-group 110 in

 duplex auto

 speed auto

!

interface GigabitEthernet0/1

 no ip address

 shutdown

 duplex auto

 speed auto

!

! Serial uplink. The same ACL 110 is reused outbound here; which entries
! are ever hit depends on the direction each flow crosses the interface.
! Check with "show access-lists" (per-entry match counters).
interface Serial0/0/0

 ip address 1.1.1.2 255.255.255.252

 ip access-group 110 out

!

interface Serial0/0/1

 no ip address

 shutdown

 clock rate 2000000

!

! RIPv2 advertising the serial, LAN and loopback networks; no RIP
! authentication is configured in this excerpt.
router rip

 version 2

 network 1.0.0.0

 network 10.0.0.0

 network 200.200.200.0

!

ip forward-protocol nd

!

! Web management is disabled on both http and https.
no ip http server

no ip http secure-server

!        

! Static route to the 30.30.30.0/24 LAN (presumably the network behind the
! Linux gateway of the IPTABLES section) via the serial link.
ip route 30.30.30.0 255.255.255.0 Serial0/0/0

!

! Extended ACL 110, evaluated top-down, first match wins. Per-host
! allow-list from the 10.10.10.x and 30.30.30.x hosts to 20.20.20.20
! (www, ftp, ssh on 22, ping) and telnet to 100.100.100.100 and
! 200.200.200.200, followed by an explicit deny of everything else so the
! dropped traffic is counted. The ACL is stateless: return traffic appears
! to pass only because no ACL is applied in the opposite direction on
! these interfaces.
! NOTE(review): "eq telnet" entries allow cleartext logins; the "eq 22"
! entries are the ssh equivalent.
access-list 110 permit tcp host 10.10.10.11 host 20.20.20.20 eq www

access-list 110 permit tcp host 10.10.10.22 host 20.20.20.20 eq www

access-list 110 permit tcp host 30.30.30.11 host 20.20.20.20 eq www

access-list 110 permit tcp host 30.30.30.22 host 20.20.20.20 eq www

access-list 110 permit tcp host 10.10.10.22 host 20.20.20.20 eq ftp

access-list 110 permit tcp host 30.30.30.22 host 20.20.20.20 eq ftp

access-list 110 permit icmp host 10.10.10.11 host 20.20.20.20 echo

access-list 110 permit icmp host 10.10.10.22 host 20.20.20.20 echo

access-list 110 permit icmp host 30.30.30.11 host 20.20.20.20 echo

access-list 110 permit icmp host 30.30.30.22 host 20.20.20.20 echo

! 20.20.20.20 may not initiate pings. Does not overlap the permits above
! (those have 20.20.20.20 as destination), so its position is not critical.
access-list 110 deny   icmp host 20.20.20.20 any echo

! Ping allowed in both directions between 10.10.10.11 and 30.30.30.11.
access-list 110 permit icmp host 10.10.10.11 host 30.30.30.11 echo

access-list 110 permit icmp host 30.30.30.11 host 10.10.10.11 echo

access-list 110 permit tcp host 10.10.10.11 host 100.100.100.100 eq telnet

access-list 110 permit tcp host 10.10.10.22 host 100.100.100.100 eq telnet

access-list 110 permit tcp host 30.30.30.11 host 100.100.100.100 eq telnet

access-list 110 permit tcp host 30.30.30.22 host 100.100.100.100 eq telnet

! Telnet to this router's own Loopback0 from the four lab hosts.
access-list 110 permit tcp host 10.10.10.11 host 200.200.200.200 eq telnet

access-list 110 permit tcp host 10.10.10.22 host 200.200.200.200 eq telnet

access-list 110 permit tcp host 30.30.30.11 host 200.200.200.200 eq telnet

access-list 110 permit tcp host 30.30.30.22 host 200.200.200.200 eq telnet

access-list 110 permit tcp host 10.10.10.11 host 20.20.20.20 eq 22

access-list 110 permit tcp host 10.10.10.22 host 20.20.20.20 eq 22

access-list 110 permit tcp host 30.30.30.11 host 20.20.20.20 eq 22

access-list 110 permit tcp host 30.30.30.22 host 20.20.20.20 eq 22

! Explicit catch-all deny (same effect as the implicit deny, but counted).
access-list 110 deny   ip any any

!

!

!

control-plane

!

!

!

! Terminal lines: console, aux, the service-engine line (2) and vty 0-5.
line con 0

line aux 0

line 2

 no activation-character

 no exec 

 transport preferred none

 transport input all

 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

 stopbits 1

! NOTE(review): remote login uses a shared cleartext line password and
! "transport input all" (telnet as well as ssh). Prefer "transport input
! ssh", "login local" with per-user accounts, and an "access-class" on the
! vty lines to limit which sources may log in; ACL 110 above already
! allows telnet to the router's Loopback0 from four hosts.
line vty 0 5

 password cisco

 login

 transport input all

!

scheduler allocate 20000 1000

end

IPSEC

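R1

! Site-to-site IPsec between R1 (LAN 172.16.5.0/24 on f0/1, WAN s1/0
! 137.23.193.2) and R4 (LAN 192.168.2.0/24 on f0/1, WAN s1/0 189.100.29.2).
! ACL 110 on each side selects the LAN-to-LAN traffic to protect; everything
! else leaves s1/0 unencrypted via the default route. Both routers are
! mirror images: same ISAKMP policy, same transform set, swapped ACL and
! peer addresses.
!
! Changed from the original: the transform set used esp-3des while phase 1
! already negotiated AES. 3DES is deprecated (64-bit block size), so phase 2
! now uses esp-aes on both ends -- the two sides must change together or
! phase 2 negotiation fails.
! NOTE(review): the pre-shared key "cisco" and DH group 2 are lab values;
! use a strong key and a larger group (e.g. "group 14") where the IOS
! image supports it.

conf t
int f0/1
 ip add 172.16.5.1 255.255.255.0
 no shut
exit
int s1/0
 ip add 137.23.193.2 255.255.255.252
 clock rate 64000
 no shut
exit
ip route 0.0.0.0 0.0.0.0 137.23.193.1
router ospf 1
 network 137.23.193.0 0.0.0.3 area 0
exit
! Interesting traffic: only R1-LAN -> R4-LAN is encrypted.
access-list 110 permit ip 172.16.5.0 0.0.0.255 192.168.2.0 0.0.0.255
! Phase 1 (IKE): AES, pre-shared key authentication, DH group 2 (see note).
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
exit
crypto isakmp key cisco address 189.100.29.2
! Phase 2: ESP with AES-CBC and HMAC-SHA-1 (was esp-3des).
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 description VPN connection to R4
 set peer 189.100.29.2
 set transform-set VPN-SET
 match address 110
exit
! The crypto map only takes effect once bound to the WAN interface.
interface s1/0
 crypto map VPN-MAP

R4

conf t
int s1/0
 ip add 189.100.29.2 255.255.255.252
 no shut
exit
int f0/1
 ip add 192.168.2.1 255.255.255.0
 no shut
exit
ip route 0.0.0.0 0.0.0.0 189.100.29.1
router ospf 1
 network 189.100.29.0 0.0.0.3 area 0
exit
! Mirror of R1's ACL 110: R4-LAN -> R1-LAN.
access-list 110 permit ip 192.168.2.0 0.0.0.255 172.16.5.0 0.0.0.255
! Phase 1: must match R1's policy exactly.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
exit
crypto isakmp key cisco address 137.23.193.2
! Phase 2: same transform set as R1 (esp-aes, was esp-3des).
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 description VPN connection to R1
 set peer 137.23.193.2
 set transform-set VPN-SET
 match address 110
exit
interface s1/0
 crypto map VPN-MAP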

GRE

! GRE tunnel between HQ and Branch. The tunnel network is 192.168.13.0/24
! (.1 = HQ, .3 = Branch); the outer packets use each router's fastEthernet
! 0/0 address. Each side's "tunnel destination" is the other side's f0/0
! address (presumably 192.168.23.3 on Branch and 192.168.12.1 on HQ), and
! that address must already be reachable through the underlay routing.
! NOTE(review): plain GRE neither encrypts nor authenticates the payload;
! over an untrusted transport pair it with IPsec (see the IPSEC section).
HQ(config)#interface tunnel 1    

HQ(config-if)#tunnel source  fastEthernet 0/0

HQ(config-if)#tunnel destination  192.168.23.3

HQ(config-if)#ip address 192.168.13.1  255.255.255.0

! Branch side: source and destination mirrored, same /24 on the tunnel.
Branch(config)#interface tunnel 1

Branch(config-if)#tunnel source  fastEthernet 0/0

Branch(config-if)#tunnel destination  192.168.12.1

Branch(config-if)#ip address  192.168.13.3 255.255.255.0




