2- On R1, add iptables rules to the nat table so that S1 can be reached. Then check again whether you can reach it with ping. You can see the rule and its counters with the command iptables -t nat -nvL.
[Screenshot of the iptables listings on R1 (prompt root@R1:/tmp/pycore.44299/R1.conf#). The chain headers, packet/byte counters and the nat-table targets did not survive extraction; of the -n listing only a destination column of 0.0.0.0/0 remains. Rule lines that are legible, as target / protocol / source / destination / match:]
ACCEPT  all   --  anywhere       anywhere  state RELATED,ESTABLISHED
ACCEPT  tcp   --  anywhere       anywhere  tcp dpt:ssh
DROP    all   --  anywhere       anywhere
ACCEPT  icmp  --  200.35.2.0/24  anywhere  icmp echo-request
ACCEPT  icmp  --  172.16.1.0/24  anywhere  icmp echo-request
ACCEPT  udp   --  anywhere       anywhere  udp spt:ssh
3- Access S1 over ssh from PC2. Capture the traffic with Wireshark on both the eth0 and eth1 interfaces of R1, and on the eth0 interface of S1. Identify the packets corresponding to the ssh access in each case.
[Wireshark capture: ssh - eth1 R1]
[Wireshark capture: ssh - eth0 R1]
[Wireshark capture: ssh - eth0 - S1]
4- Verify that ssh is running on PC1 and, using Destination NAT on R1, allow ssh access from S1 to PC1.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:42:56.316333 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [S], seq 1808554993, win 29200, options [mss 1460,sackOK,TS val 3250807 ecr 0,nop,wscale 7], length 0
17:42:56.316415 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [S.], seq 53847098, ack 1808554994, win 28960, options [mss 1460,sackOK,TS val 3250807 ecr 3250807,nop,wscale 7], length 0
17:42:56.316566 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [.], ack 1, win 229, options [nop,nop,TS val 3250807 ecr 3250807], length 0
17:42:56.318847 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [P.], seq 1:44, ack 1, win 229, options [nop,nop,TS val 3250808 ecr 3250807], length 43
17:42:56.318904 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [.], ack 44, win 227, options [nop,nop,TS val 3250808 ecr 3250808], length 0
17:42:56.339762 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [P.], seq 1:44, ack 44, win 227, options [nop,nop,TS val 3250813 ecr 3250808], length 43
17:42:56.339971 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [.], ack 44, win 229, options [nop,nop,TS val 3250813 ecr 3250813], length 0
17:42:56.341137 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [P.], seq 44:2012, ack 44, win 229, options [nop,nop,TS val 3250813 ecr 3250813], length 1968
17:42:56.341192 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [.], ack 2012, win 257, options [nop,nop,TS val 3250814 ecr 3250813], length 0
17:42:56.341795 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [P.], seq 44:1652, ack 2012, win 257, options [nop,nop,TS val 3250814 ecr 3250813], length 1608
17:42:56.341946 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [.], ack 1652, win 254, options [nop,nop,TS val 3250814 ecr 3250814], length 0
17:42:56.362348 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [P.], seq 2012:2060, ack 1652, win 254, options [nop,nop,TS val 3250819 ecr 3250814], length 48
17:42:56.401009 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [.], ack 2060, win 257, options [nop,nop,TS val 3250829 ecr 3250819], length 0
17:42:56.430140 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [P.], seq 1652:2276, ack 2060, win 257, options [nop,nop,TS val 3250836 ecr 3250819], length 624
17:42:56.449514 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [P.], seq 2060:2076, ack 2276, win 276, options [nop,nop,TS val 3250841 ecr 3250836], length 16
17:42:56.449581 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [.], ack 2076, win 257, options [nop,nop,TS val 3250841 ecr 3250841], length 0
17:42:56.449764 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [P.], seq 2076:2128, ack 2276, win 276, options [nop,nop,TS val 3250841 ecr 3250841], length 52
17:42:56.449790 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [.], ack 2128, win 257, options [nop,nop,TS val 3250841 ecr 3250841], length 0
17:42:56.449908 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [P.], seq 2276:2328, ack 2128, win 257, options [nop,nop,TS val 3250841 ecr 3250841], length 52
17:42:56.450108 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [P.], seq 2128:2196, ack 2328, win 276, options [nop,nop,TS val 3250841 ecr 3250841], length 68
17:42:56.450986 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [P.], seq 2328:2380, ack 2196, win 257, options [nop,nop,TS val 3250841 ecr 3250841], length 52
17:42:56.489347 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [.], ack 2380, win 276, options [nop,nop,TS val 3250851 ecr 3250841], length 0
17:42:59.619196 IP6 fe80::e0f7:60ff:fe87:1f33.5353 > ff02::fb.5353: 0 [2q] PTR (QM)? _ipps._tcp.local. PTR (QM)? _ipp._tcp.local. (45)
17:43:01.325319 ARP, Request who-has 200.35.2.45 tell 200.35.2.1, length 28
17:43:01.325361 ARP, Reply 200.35.2.45 is-at 00:00:00:aa:00:00, length 28
17:43:02.052559 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [P.], seq 2196:2344, ack 2380, win 276, options [nop,nop,TS val 3252241 ecr 3250841], length 148
17:43:02.089071 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [.], ack 2344, win 280, options [nop,nop,TS val 3252251 ecr 3252241], length 0
17:43:02.188872 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [P.], seq 2380:2416, ack 2344, win 280, options [nop,nop,TS val 3252275 ecr 3252241], length 36
17:43:02.189092 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [.], ack 2416, win 276, options [nop,nop,TS val 3252276 ecr 3252275], length 0
17:43:02.191637 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [P.], seq 2344:2464, ack 2416, win 276, options [nop,nop,TS val 3252276 ecr 3252275], length 120
17:43:02.191687 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [.], ack 2464, win 280, options [nop,nop,TS val 3252276 ecr 3252276], length 0
17:43:02.526081 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [P.], seq 2416:2468, ack 2464, win 280, options [nop,nop,TS val 3252360 ecr 3252276], length 52
17:43:02.526510 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [P.], seq 2464:2856, ack 2468, win 276, options [nop,nop,TS val 3252360 ecr 3252360], length 392
17:43:02.526573 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [.], ack 2856, win 303, options [nop,nop,TS val 3252360 ecr 3252360], length 0
17:43:02.529565 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [P.], seq 2468:2576, ack 2856, win 303, options [nop,nop,TS val 3252361 ecr 3252360], length 108
17:43:02.530774 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [P.], seq 2576:2740, ack 2856, win 303, options [nop,nop,TS val 3252361 ecr 3252360], length 164
17:43:02.531072 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [.], ack 2740, win 299, options [nop,nop,TS val 3252361 ecr 3252361], length 0
17:43:02.872265 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [P.], seq 2740:2792, ack 2856, win 303, options [nop,nop,TS val 3252446 ecr 3252361], length 52
17:43:02.909209 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [.], ack 2792, win 299, options [nop,nop,TS val 3252456 ecr 3252446], length 0
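Task 3 asks you to pick the ssh packets out of each capture; doing the same on the tcpdump text above, and then on the captures from R1 eth0, R1 eth1 and S1 eth0, shows at which interface the addresses change and so where the NAT rewrite happens. The script below is an added example, not part of the lab report: the function names ssh_flows and demo are my own, and the sample input is constructed (the first lines of the session above, plus an IPv6 mDNS line, an ARP line and a non-ssh TCP line that the filter must ignore).

```shell
#!/bin/sh
# Added example (not from the lab report): summarise the SSH flows in tcpdump's
# default text output, one line per direction, so the same flow can be compared
# across captures taken on different interfaces.

# ssh_flows: reads tcpdump lines on stdin, prints every direction of each TCP
# flow that has port 22 on either side, with packet count, payload bytes and
# whether that side sent the initial SYN.
ssh_flows() {
  awk '
    # IPv4 TCP lines look like: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [..], ..., length <n>"
    # IPv6 ("IP6") and ARP lines have a different second field and are skipped.
    $2 == "IP" && $6 == "Flags" {
      n = split($3, s, "."); sport = s[n]; sip = s[1] "." s[2] "." s[3] "." s[4]
      d = $5; sub(/:$/, "", d)
      n = split(d, t, "."); dport = t[n]; dip = t[1] "." t[2] "." t[3] "." t[4]
      if (sport != "22" && dport != "22") next        # not an SSH flow
      key = sip ":" sport " > " dip ":" dport
      if (!(key in pkts)) order[++nkeys] = key        # keep first-seen order
      pkts[key]++
      bytes[key] += $NF                               # "length N" is the TCP payload length
      if ($7 == "[S],") syn[key] = 1                  # pure SYN: this side opened the connection
    }
    END {
      for (i = 1; i <= nkeys; i++) {
        k = order[i]
        flag = (k in syn) ? "yes" : "no"
        printf "%s packets=%d payload=%d syn=%s\n", k, pkts[k], bytes[k], flag
      }
    }'
}

# Constructed sample: the opening of the session shown above, followed by three
# lines (mDNS over IPv6, ARP, a TCP flow to port 80) that must not be reported.
SAMPLE='17:42:56.316333 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [S], seq 1808554993, win 29200, options [mss 1460,sackOK,TS val 3250807 ecr 0,nop,wscale 7], length 0
17:42:56.316415 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [S.], seq 53847098, ack 1808554994, win 28960, options [mss 1460,sackOK,TS val 3250807 ecr 3250807,nop,wscale 7], length 0
17:42:56.316566 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [.], ack 1, win 229, options [nop,nop,TS val 3250807 ecr 3250807], length 0
17:42:56.318847 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [P.], seq 1:44, ack 1, win 229, options [nop,nop,TS val 3250808 ecr 3250807], length 43
17:42:56.339762 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [P.], seq 1:44, ack 44, win 227, options [nop,nop,TS val 3250813 ecr 3250808], length 43
17:42:59.619196 IP6 fe80::e0f7:60ff:fe87:1f33.5353 > ff02::fb.5353: 0 [2q] PTR (QM)? _ipps._tcp.local. PTR (QM)? _ipp._tcp.local. (45)
17:43:01.325319 ARP, Request who-has 200.35.2.45 tell 200.35.2.1, length 28
17:43:05.000000 IP 172.16.1.21.40001 > 200.35.2.45.80: Flags [S], seq 1, win 29200, options [mss 1460], length 0'

# demo: run the summary over the constructed sample
demo() { printf '%s\n' "$SAMPLE" | ssh_flows; }

demo
```

On a live capture the same function is fed directly: `tcpdump -ni eth0 -l tcp port 22 | ssh_flows` (stop it with Ctrl-C to get the END summary). Run once per interface and compare the two endpoint columns: the pair that differs between R1 eth0 and R1 eth1 is the one your nat rule rewrote, and the direction with syn=yes tells you which host opened the session.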
5- How can Destination NAT be used to reach both PC1's ssh server and PC2's from S1?
PC1 and PC2 can be reached by masquerading the network (MASQUERADE).
E.g.:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
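The answer above uses MASQUERADE, which rewrites the source address. For tasks 2, 4 and 5 the question also names Destination NAT, so as an added example (not code from the lab report) here is a rule set that forwards two different public ports on R1 to the ssh servers of PC1 and PC2, restricted to the source network S1 connects from. Every address, the interface name eth0 and the function names dnat_rules and plan are placeholders or my own; the lab topology is not given on the page.

```shell
#!/bin/sh
# Added example (not from the lab report): Destination NAT (port forwarding) on R1
# exposing the ssh servers of PC1 and PC2 on two different public ports.
# All addresses and the interface are placeholders, not the lab's topology.
WAN_IF="eth0"                # assumed: R1 interface on which S1's connections arrive
SRC_NET="198.51.100.0/24"    # placeholder: only connections from this network are forwarded
PC1="192.0.2.11"             # placeholder address of PC1
PC2="192.0.2.12"             # placeholder address of PC2

# dnat_rules <public-port> <internal-ip> <internal-port>
# Prints the two rules one forward needs. DNAT happens in PREROUTING, so by the
# time the packet reaches FORWARD it already carries the translated address and
# port: the filter rule must match those, not the public port. -I puts the rule
# at the top, ahead of a trailing DROP like the one in the listing above.
dnat_rules() {
  pub=$1; ip=$2; port=$3
  printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
    "$WAN_IF" "$SRC_NET" "$pub" "$ip" "$port"
  printf 'iptables -I FORWARD -i %s -s %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
    "$WAN_IF" "$SRC_NET" "$ip" "$port"
}

# plan: the complete rule set, one public port per server, ending with the
# listing used to confirm that the counters move when S1 connects.
plan() {
  dnat_rules 2201 "$PC1" 22
  dnat_rules 2202 "$PC2" 22
  echo 'iptables -t nat -nvL PREROUTING'
}

# With no argument the script only prints the commands (dry run, safe anywhere);
# with --apply it executes them, which needs root on the router.
case "${1:-}" in
  --apply) plan | sh -e ;;
  *)       plan ;;
esac
```

From S1 the two servers are then reached with `ssh -p 2201 <R1 address>` and `ssh -p 2202 <R1 address>`. Replies need no extra rule: conntrack reverses the translation and the state RELATED,ESTABLISHED rule already present in R1's listing accepts them. Run `iptables -t nat -nvL PREROUTING` after each connection attempt; a DNAT rule whose pkts counter stays at 0 is either not matching (wrong interface or source) or is being reached by traffic the FORWARD chain then drops.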