[2024-feb-29] Sad news: Eric Layton aka Nocturnal Slacker aka vtel57 passed away on Feb 26th, shortly after hospitalization. He was one of our Wiki's most prominent admins. He will be missed.
Differences
Shows the differences between two versions of the page.
es:howtos:network_services:running_an_access_point_from_a_slackware_box [2019/06/17 05:24 (UTC)] – [4.4 Firewalling] antares_alf | es:howtos:network_services:running_an_access_point_from_a_slackware_box [2019/06/17 05:39 (UTC)] – [4.4 Cortafuegos] antares_alf | ||
---|---|---|---|
Line 247: | Line 247: | ||
-A FORWARD -m mac --mac-source 00: | -A FORWARD -m mac --mac-source 00: | ||
- | With something like this | + | Con algo como esto |
| | ||
-A INPUT -p all -i br0 -j ACCEPT | -A INPUT -p all -i br0 -j ACCEPT | ||
-A FORWARD -p all -i br0 -j ACCEPT | -A FORWARD -p all -i br0 -j ACCEPT | ||
- | Most off the shelf AP also let you do a number of port forwarding, this is also an iptables | + | La mayoría de los AP disponibles también le permiten hacer una cantidad de reenvío de puertos, esto también es un trabajo de iptables. |
- | + | ||
-A FORWARD -p tcp -d 192.168.0.2 -m multiport --dports 80,443 -j ACCEPT -m comment --comment "allow http traffic to be routed thought the box only to the correct server" | -A FORWARD -p tcp -d 192.168.0.2 -m multiport --dports 80,443 -j ACCEPT -m comment --comment "allow http traffic to be routed thought the box only to the correct server" | ||
- | and a rule like this in the PREROUTING | + | y una regla como esta en la cadena |
| | ||
-A PREROUTING -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 192.168.0.2 -m comment --comment "nat incomming http requests to local destination before routing" | -A PREROUTING -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 192.168.0.2 -m comment --comment "nat incomming http requests to local destination before routing" | ||
- | To understand how this works you need to look at the [[http:// | + | Para entender cómo funciona esto, debe consultar el [[http:// |
- | As a http request arrives to the AP from the internet link it will first have the DNAT changed in the nat prerouting stage, but it would get dropped by the filter policy if we don't find a way to let it in, that's where the forward filter rule comes in to play. | + | Cuando una solicitud |
- | If you start going crazy over transferring large files over fast networks for a problem that seems like mtu related but is not you might want to consider turning | + | Si comienza |
- | If your ISP gives you some sort of traffic quota you may want to add some quotas to your firewall | + | Si su ISP le da algún tipo de cuota de tráfico, es posible que desee agregar algunas cuotas a la configuración de su firewall. |
- | * rules with quotas stop matching once quota is exceeded | + | |
- | * flushing your tables will reset all quota counters | + | |
- | * quota counters do not reset themselves whenever your ISP resets your internet quota | + | |
- | Here's an example of how you could go about putting a quota on the FORWARD | + | * las reglas con cuotas dejan de coincidir una vez que se excede la cuota |
+ | * el lavado de sus tablas reiniciará todos los contadores de cuotas | ||
+ | * los contadores de cuota no se reinician cuando su ISP restablece su cuota de Internet | ||
+ | |||
+ | Este es un ejemplo de cómo podría poner una cuota en la cadena | ||
| | ||
-A FORWARD -p all -m conntrack --ctstate ESTABLISHED, | -A FORWARD -p all -m conntrack --ctstate ESTABLISHED, | ||
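Review bot: the two rule lines that carry `-m comment` still contain the typos "thought" (for "through") and "incomming" in both the old and the new revision; since a comment string has no effect on matching, this translation pass is a cheap opportunity to correct them to "through" and "incoming" without touching rule behaviour. On the prose side, "una cantidad de reenvío de puertos" is a word-for-word rendering of "a number of port forwarding" that reads awkwardly in Spanish; something like "varias reglas de reenvío de puertos" keeps the meaning (several port-forwarding rules, each of which is an iptables job) and reads naturally.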
Line 279: | Line 279: | ||
-A FORWARD -s 192.168.0.200 -d 192.168.0.0/ | -A FORWARD -s 192.168.0.200 -d 192.168.0.0/ | ||
- | Or you could use a user-defined chain to group all your quoted traffic into a single quota like this: | + | O puede usar una cadena definida por el usuario para agrupar todo su cuota de tráfico en una sola cuota como esta: |
| | ||
-A FORWARD -d 192.168.1.0/ | -A FORWARD -d 192.168.1.0/ | ||
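Review bot: in the translated sentence "agrupar todo su cuota de tráfico en una sola cuota" there is an agreement error (cuota is feminine, so it should be "toda"), and the English source's "quoted traffic" is evidently a slip for traffic that is subject to a quota rather than quoted traffic; "agrupar todo el tráfico sujeto a cuota en una sola cuota" preserves the intended meaning, which is that several FORWARD matches are sent to the single user-defined QUOTA chain instead of each carrying its own `-m quota` limit.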
Line 286: | Line 286: | ||
-A QUOTA -m comment --comment "when quota is exceeded start rejecting" | -A QUOTA -m comment --comment "when quota is exceeded start rejecting" | ||
- | Along with this you need to flush the iptables | + | Junto con esto, debe vaciar los contadores de iptables |
iptables -Z | iptables -Z | ||
- | I generally do this with an AT job because | + | |
- | Here's one possible way of making an AT job re schedule itself every day at 00:30: | + | Generalmente hago esto con un trabajo de AT porque |
+ | Aquí hay una manera posible de hacer que un trabajo de AT se programe todos los días a las 00:30: | ||
# cat / | # cat / | ||
/ | / | ||
/usr/bin/at -f / | /usr/bin/at -f / | ||
# | # | ||
- | Just run it once and it should then re schedule itself. On a readonly system you will need to have atjobs directory on tmpfs and run it the first time from rc.local. | ||
+ | Simplemente ejecútelo una vez y luego debería volver a programarse. En un sistema de solo lectura, deberá tener el directorio atjobs en tmpfs y ejecutarlo la primera vez desde rc.local. | ||
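Review bot: "vaciar los contadores de iptables" (empty the iptables counters) for "flush the iptables counters" blurs a distinction the page itself relies on: the command shown, `iptables -Z`, only zeroes the packet and byte counters, whereas flushing in iptables terms (`iptables -F`) removes the rules themselves, which the earlier bullet notes also resets every quota counter but would leave the box running with no filter rules at all. "Poner a cero los contadores de iptables" matches what `-Z` does and avoids a reader reaching for `-F` to reset quotas. The at job rescheduling itself at 00:30 then resets the counters on the box's own daily schedule, which is consistent with the bullet warning that the counters do not follow the ISP's quota period.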