michoc a écrit :
bonjour,
voici mon problème :
je commence à bosser dans une petite boîte d'informatique spécialisée dans les réseaux sans fil. Un client nous a demandé de lui mettre en place un firewall Arkoon A20, et c'est moi qui suis en charge de l'affaire. Le souci, c'est que rien ne marche : je n'arrive pas à ouvrir une connexion Internet. Et personne dans la boîte ne peut m'aider.
Voici l'architecture existante :
Internet <------> routeur Zyxel <-----> serveur <-------> LAN
(routeur Zyxel : 192.168.1.1 ; serveur : 192.168.1.2)
Ce que je veux faire :
Internet <------> routeur Zyxel <-----> ARKOON <----> serveur <-------> LAN
(routeur Zyxel : 192.168.1.1 ; serveur : 192.168.1.2)
Ce que je veux, c'est récupérer les flux venant du Zyxel sur l'eth2 de mon Arkoon et les renvoyer vers mon serveur via l'eth1 ; eth0 me sert pour l'instant à administrer mon Arkoon.
J'ai mis eth1 et eth2 en bridge et créé des règles de flux, mais ça ne marche pas. Si quelqu'un peut regarder ma config, ce serait super : j'ai dû oublier une règle, mais je ne vois pas laquelle :
==============================================================================
# Configuration file version
version 3.0;
# Master Arkoon appliance: global settings, interfaces, routes and relays
arkoon "boitier1"
{
# appliance identifier (redacted by the poster)
arkoonid "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
type 1;
# properties
properties {
};
# updates
arkupdate {
enable yes;
host "support.arkoon.net";
port 1752;
frequency [@23h51m];
};
# master / slave
akslave {
};
# e-mail alerts
akalertd {
params 30 120 120 60 10;
};
# database archiving: per-table purge/backup policy; "logs_pk" is the only
# table whose data is not backed up before the purge
akdbpurge {
time_launch 04:00;
confpurge_table "pxlogs"
{
automatic_flush yes;
days_bd 30;
backup_datas yes;
backup_format 0;
backup_compression yes;
backup_days 20;
};
confpurge_table "smtplogs"
{
automatic_flush yes;
days_bd 30;
backup_datas yes;
backup_format 0;
backup_compression yes;
backup_days 20;
};
confpurge_table "alerts"
{
automatic_flush yes;
days_bd 30;
backup_datas yes;
backup_format 0;
backup_compression yes;
backup_days 20;
};
confpurge_table "ids_alerts"
{
automatic_flush yes;
days_bd 30;
backup_datas yes;
backup_format 0;
backup_compression yes;
backup_days 20;
};
confpurge_table "ids_alert_matches"
{
automatic_flush yes;
days_bd 30;
backup_datas yes;
backup_format 0;
backup_compression yes;
backup_days 20;
};
confpurge_table "logs"
{
automatic_flush yes;
days_bd 30;
backup_datas yes;
backup_format 0;
backup_compression yes;
backup_days 20;
};
confpurge_table "logs_pk"
{
backup_datas no;
backup_compression yes;
};
};
# interfaces
# eth0 is the administration interface (per the poster). It sits in
# 192.168.1.0/24, the very subnet that is bridged between eth1 and eth2 below,
# so the management plane shares a broadcast domain with the filtered traffic.
# NOTE(review): once the setup works, consider moving administration to a
# dedicated subnet and restricting the akman/akmon services to it.
interface "eth0"
{
description "natsemi 10/100";
type 1;
IP 192.168.1.240/24;
};
# eth1 (server side) and eth2 (Zyxel side, per the poster) carry no address of
# their own; they are members of the bridge br0 declared below
interface "eth1"
{
description "natsemi 10/100";
type 1;
IP 0.0.0.0/24;
};
interface "eth2"
{
description "natsemi 10/100";
type 1;
IP 0.0.0.0/24;
};
# transparent bridge joining eth1 and eth2; it has no IP address of its own
interface "br0"
{
description "InterfaceBridge";
type 8;
IP 0.0.0.0/0;
ignore-broadcast yes ;
bridge_device "eth1";
bridge_device "eth2";
# NOTE(review): "LAN" (192.168.1.1/24) and "Zyxel" (192.168.1.2/24) are the
# same /24, so these two network objects cannot tell the two bridge sides apart
other-valid "LAN" "Zyxel" ;
};
# static routes
# Both routes point at br0 itself for hosts that are in the directly connected
# subnet. NOTE(review): whether explicit routes are needed at all in bridge
# mode is to be confirmed against the Arkoon documentation.
# Mind the trailing space in the host name "Zyxel " (host 192.168.1.1); it is
# a different object from the network "Zyxel" referenced on br0 above.
route "BaseStation To Zyxel"
{
destination "Zyxel ";
nb-hops 1;
gateway "br0";
};
route "Zyxel To BaseStation"
{
destination "Base Station";
nb-hops 1;
gateway "br0";
};
# DNS (external resolver, host object declared further down)
dns-servers "Serveur DNS Wanadoo" ;
# NTP
# links to authentication servers
# Internet access
# POP3 anti-virus relay
server-pop3 "pop3"
{
};
# HTTP/FTP relay
proxy-http "Relais HTTP/FTP"
{
description "Ensemble des paramètres pour le relais HTTP et FTP";
port 80;
nb_process 5 5 10 100;
ftp_ports 21 ;
http_ports 80 ;
https_ports 443 ;
gopher_ports 70 ;
};
# SMTP relay
proxy-smtp "Relais SMTP"
{
description "Ensemble des paramètres pour le relais SMTP";
max_smtpfwdd_childs 10;
frequency [15m];
};
# SNMP traps
snmp {
# NOTE(review): "public" is the well-known default community string; set a
# site-specific value before relying on SNMP traps
trap-community "public";
};
# VPN module (key material redacted by the poster)
ipsec {
rsa_key "xxxxxxxxxxxxxxxxxxxxxxx";
x509cert "xxxxxxxxxxxxxxxxxxxxxx";
};
# system monitoring
# Reporting
akstatsd {
enable yes ;
dir_max_size 200;
dir_max_days 60;
time_launch 01:30;
purge_time_launch 01:20;
};
# IDPS
};
# Serveurs d'authentification
# Utilisateurs
# Certificats
# Horaires
# Catégories
# Hosts
# NOTE(review): the name "Zyxel " carries a trailing space; every reference to
# it (routes, rules) must reproduce it exactly, and it is easy to confuse with
# the network object "Zyxel" (no space) declared below.
# external DNS resolver used by dns-servers
host "Serveur DNS Wanadoo"
{
IP 80.10.246.2;
};
# the server sitting between the Arkoon and the LAN
host "Base Station"
{
IP 192.168.1.2;
};
# the Zyxel router on the Internet side
host "Zyxel "
{
IP 192.168.1.1;
};
# Networks
# NOTE(review): both objects denote the same subnet 192.168.1.0/24 (only the
# host bits differ, the /24 prefix does not), so "LAN" and "Zyxel" are
# interchangeable as written; this matters for the other-valid list on br0.
network "LAN"
{
IPNet 192.168.1.1/24;
};
network "Zyxel"
{
IPNet 192.168.1.2/24;
};
# Groupes
# Services: port/protocol objects available to the rules below. None of the
# two rules in this file references any of them.
service "tcp"
{
description "All TCP services";
port tcp 0:65535;
};
service "tcp-high"
{
description "TCP services (1024-*)";
port tcp 1024:65535;
};
service "udp"
{
description "All UDP services";
port udp 0:65535;
};
service "udp-high"
{
description "UDP services (1024-*)";
port udp 1024:65535;
};
service "ftp"
{
description "File Transfer Protocol";
port tcp 21;
module "FTP";
};
service "telnet"
{
description "Telnet";
port tcp 23;
};
# NOTE(review): accept_bad_csum presumably lets HTTP segments with a bad
# checksum through; keep it only if a concrete client needs it
service "http"
{
description "HTTP";
port tcp 80;
accept_bad_csum yes;
};
service "https"
{
description "HTTP Secure";
port tcp 443;
};
service "smtp"
{
description "Simple Mail Transfer Protocol";
port tcp 25;
module "SMTP";
};
service "pop3"
{
description "POP3";
port tcp 110;
module "POP3";
};
service "pop3-netscape"
{
description "POP3 (Client Netscape)";
port tcp 110;
module "POP3:cmd_allow(XAUTHLIST,XSENDER)";
};
service "imap4"
{
description "IMAP4";
port tcp 143;
module "IMAP4";
};
service "dnsudp"
{
description "Domain Name Service (UDP)";
port udp 53;
module "DNS";
};
service "dnstcp"
{
description "Domain Name Service (TCP)";
port tcp 53;
module "DNSTCP";
};
service "h323"
{
description "H323 - Netmeeting";
port tcp 1720;
module "H323";
};
service "ldap"
{
description "Ldap";
port tcp 389;
};
service "ldap-ssl"
{
description "Ldap over SSL";
port tcp 636;
};
service "ldap-gc"
{
description "Ldap Global Catalog";
port tcp 3268;
};
service "ldap-gc-ssl"
{
description "Ldap Global Catalog over SSL";
port tcp 3269;
};
service "nntp"
{
description "NNTP";
port tcp 119;
module "NNTP";
};
service "ping"
{
description "ICMP - Ping";
port icmp 8;
};
service "icmp-redirect"
{
description "ICMP - Redirect";
port icmp 5;
};
service "tftp"
{
description "Trivial FTP";
port udp 69;
};
service "snmp"
{
description "Simple Network Management Protocol";
port udp 161;
};
service "snmp-trap"
{
description "Trap SNMP";
port udp 162;
};
service "ssh"
{
description "Secure Shell";
port tcp 22;
};
service "gopher"
{
description "Gopher";
port tcp 70;
};
service "ntp"
{
description "Network Time Protocol";
port udp 123;
};
service "ident"
{
description "ident";
port tcp 113;
};
service "rexec"
{
description "rexec";
port tcp 512;
};
service "rlogin"
{
description "rlogin";
port tcp 513;
};
service "rsh"
{
description "rsh";
port tcp 514;
};
service "syslog"
{
description "Syslog";
port udp 514;
};
service "route"
{
description "route";
port udp 520;
};
service "ica"
{
description "ICA - Citrix";
port tcp 1494;
};
service "lotus-notes"
{
description "Lotus Notes";
port tcp 1352;
};
service "epmap"
{
description "DCE endpoint resolution";
port tcp 135;
};
service "netbios-ns"
{
description "Netbios Name Service";
port udp 137;
module "NBNS";
};
service "netbios-dgm"
{
description "Netbios Datagram Service";
port udp 138;
module "NBDGM";
};
service "netbios-ssn"
{
description "Netbios Session Service";
port tcp 139;
module "NBSSN";
};
# "smb-tcp" and "microsoft-ds" both define tcp 445; either name works in a rule
service "smb-tcp"
{
description "SMB over IP";
port tcp 445;
};
service "microsoft-ds"
{
description "Microsoft-DS";
port tcp 445;
};
service "isakmp"
{
description "ISAKMP";
port udp 500;
};
service "isakmp-nat-t"
{
description "ISAKMP";
port udp 4500;
};
service "rtsp"
{
description "Real Time Streaming Protocol";
port tcp 554;
module "RTSP";
};
# Arkoon's own management/monitoring ports (1750-1757, 822). NOTE(review):
# worth keeping reachable only from the administration side (eth0), not from
# the bridged subnet.
service "akman"
{
description "Arkoon Configuration";
port tcp 1750;
};
service "akmon"
{
description "Arkoon Monitoring";
port tcp 1751;
};
service "arkupdate"
{
description "Arkoon Update";
port tcp 1752;
};
service "aklicense"
{
description "Arkoon License";
port tcp 1753;
};
service "akslave"
{
description "Arkoon Master/Slave";
port tcp 1754;
};
service "akauth"
{
description "Arkoon Auth";
port tcp 1755;
};
service "akreport"
{
description "Arkoon Reporting";
port tcp 1757;
};
service "akssf"
{
description "Arkoon SSF";
port tcp 822;
};
service "kerberos"
{
description "Kerberos";
port udp 88;
};
service "wins"
{
description "Windows Internet Name Service";
port tcp 1512;
};
service "wins-replication"
{
description "WINS Replication";
port tcp 42;
};
service "bootps"
{
description "Bootstrap Protocol Server";
port udp 67;
};
service "bootpc"
{
description "Bootstrap Protocol Client";
port udp 68;
};
# NOTE(review): RADIUS authentication is conventionally udp 1812; verify that
# this tcp definition is what the site actually needs
service "radius"
{
description "RADIUS";
port tcp 1812;
};
service "ms-sql-s"
{
description "Microsoft-SQL-Server";
port tcp 1433;
};
service "ms-sql-m"
{
description "Microsoft-SQL-Monitor";
port udp 1434;
};
service "msrdp"
{
description "Microsoft Remote Display Protocol";
port tcp 3389;
};
# ICMP policies
# Flows (filtering rules)
# NOTE(review): both rules match only the pair 192.168.1.1 <-> 192.168.1.2
# (host objects "Zyxel " and "Base Station"). A packet sent to an Internet
# address carries that remote address as its destination, not the Zyxel's
# 192.168.1.1, so "LANtoWAN" does not match Internet-bound traffic; likewise
# "WANtoLAN" only matches packets whose source is 192.168.1.1 itself. The
# destination of the outbound rule (and the source of the inbound one)
# presumably needs to cover the remote networks — check the Arkoon object
# syntax for the right way to express that.
# Neither rule names a service, so each presumably accepts every service
# between the two hosts; once traffic flows, narrow them to what the server
# really needs using the "service" objects above. action-log yes keeps an
# audit trail of every match, which is useful while debugging.
# do-nat-hide "boitier1": appears to hide (source-NAT) the matched traffic
# behind the firewall's own address. On a transparent bridge whose br0 has no
# IP (0.0.0.0/0) this looks out of place and may itself be what breaks the
# flow. NOTE(review): confirm the exact semantics in the Arkoon manual before
# removing it.
rule "WANtoLAN"
{
source "Zyxel " ;
destination "Base Station" ;
action-log yes;
action ACCEPT;
do-nat-hide "boitier1" 255.255.255.255;
};
rule "LANtoWAN"
{
source "Base Station" ;
destination "Zyxel " ;
action-log yes;
action ACCEPT;
do-nat-hide "boitier1" 255.255.255.255;
};
# Clés partagées
# Groupes de tunnels VPN
# Bandes passantes
# IDPS
================================================================================
Autre petite question : le do-nat-hide, c'est quoi ?
Si quelqu'un peut m'aider, ce serait top.
cordialement
seb