Under-Linux.org Fóruns - Ver Resposta Única

pabinho · 02-07-2008, 10:12

Bom, aqui está o meu firewall.... creio que pode ser aqui até, pelo fato de somente agora precisar usar 2 ou mais clientes ovpn windows de uma mesma rede direto no servidor na matriz...

Grato.
*********************************** *******************
debian:~# cat /usr/bin/firewall
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
iptables -t nat -F
iptables -F

iptables -t nat -A PREROUTING -p tcp -d 192.168.4.1 --dport 23 -j DNAT --to 192.168.1.10:23
iptables -t nat -A PREROUTING -p tcp -d 10.12.0.1 --dport 23 -j DNAT --to 192.168.1.10:23
iptables -t nat -A PREROUTING -p tcp -d 10.11.0.1 --dport 23 -j DNAT --to 192.168.1.10:23
iptables -t nat -A PREROUTING -p tcp -d 10.10.0.1 --dport 23 -j DNAT --to 192.168.1.10:23
iptables -t nat -A PREROUTING -p tcp -d 10.9.0.1 --dport 23 -j DNAT --to 192.168.1.10:23
iptables -t nat -A PREROUTING -p tcp -d 10.8.0.1 --dport 23 -j DNAT --to 192.168.1.10:23

iptables -A INPUT -p tcp --syn -s 192.168.1.0/255.255.255.0 -j ACCEPT
iptables -A OUTPUT -p tcp --syn -s 192.168.1.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -p tcp --syn -s 192.168.1.0/255.255.255.0 -j ACCEPT

iptables -A INPUT -p tcp --syn -s 192.168.4.0/255.255.255.0 -j ACCEPT
iptables -A OUTPUT -p tcp --syn -s 192.168.4.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -p tcp --syn -s 192.168.4.0/255.255.255.0 -j ACCEPT

#iptables -A INPUT -p tcp --syn -s 10.8.0.0/255.255.255.0 -j ACCEPT
#iptables -A OUTPUT -p tcp --syn -s 10.8.0.0/255.255.255.0 -j ACCEPT
#iptables -A FORWARD -p tcp --syn -s 10.8.0.0/255.255.255.0 -j ACCEPT

#iptables -A INPUT -p tcp --syn -s 10.9.0.0/255.255.255.0 -j ACCEPT
#iptables -A OUTPUT -p tcp --syn -s 10.9.0.0/255.255.255.0 -j ACCEPT
#iptables -A FORWARD -p tcp --syn -s 10.9.0.0/255.255.255.0 -j ACCEPT

#iptables -A INPUT -p tcp --syn -s 10.10.0.0/255.255.255.0 -j ACCEPT
#iptables -A OUTPUT -p tcp --syn -s 10.10.0.0/255.255.255.0 -j ACCEPT
#iptables -A FORWARD -p tcp --syn -s 10.10.0.0/255.255.255.0 -j ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 53 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 53 -j MASQUERADE

iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 1194 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 1194 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 1195 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 1195 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 1196 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 1196 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 1197 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 1197 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 1198 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 1198 -j MASQUERADE
iptables -A INPUT -p tcp --destination-port 53 -j ACCEPT

iptables -A INPUT -p udp --destination-port 53 -j ACCEPT

iptables -A INPUT -p tcp --destination-port 1194 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 1195 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 1196 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 1197 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 1198 -j ACCEPT

iptables -A INPUT -p udp --destination-port 1194 -j ACCEPT
iptables -A INPUT -p udp --destination-port 1195 -j ACCEPT
iptables -A INPUT -p udp --destination-port 1196 -j ACCEPT
iptables -A INPUT -p udp --destination-port 1197 -j ACCEPT
iptables -A INPUT -p udp --destination-port 1198 -j ACCEPT

# Allow packets from private subnets
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT

iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -j ACCEPT

iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT

iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT

#Manter o estado as conexda maquina local e da rede interna
iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o tun2 -j MASQUERADE

iptables -t nat -A POSTROUTING -o tun3 -j MASQUERADE

#iptables -t nat -A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE

echo 1 > /proc/sys/net/ipv4/ip_forward

02-07-2008, 10:12	#3 (permalink)
Bom, aqui está o meu firewall.... creio que pode ser aqui até, pelo fato de somente agora precisar usar 2 ou mais clientes ovpn windows de uma mesma rede direto no servidor na matriz... Grato. ********************************* ***************** debian:~# cat /usr/bin/firewall modprobe iptable_nat modprobe ip_nat_ftp modprobe ip_conntrack_ftp iptables -t nat -F iptables -F iptables -t nat -A PREROUTING -p tcp -d 192.168.4.1 --dport 23 -j DNAT --to 192.168.1.10:23 iptables -t nat -A PREROUTING -p tcp -d 10.12.0.1 --dport 23 -j DNAT --to 192.168.1.10:23 iptables -t nat -A PREROUTING -p tcp -d 10.11.0.1 --dport 23 -j DNAT --to 192.168.1.10:23 iptables -t nat -A PREROUTING -p tcp -d 10.10.0.1 --dport 23 -j DNAT --to 192.168.1.10:23 iptables -t nat -A PREROUTING -p tcp -d 10.9.0.1 --dport 23 -j DNAT --to 192.168.1.10:23 iptables -t nat -A PREROUTING -p tcp -d 10.8.0.1 --dport 23 -j DNAT --to 192.168.1.10:23 iptables -A INPUT -p tcp --syn -s 192.168.1.0/255.255.255.0 -j ACCEPT iptables -A OUTPUT -p tcp --syn -s 192.168.1.0/255.255.255.0 -j ACCEPT iptables -A FORWARD -p tcp --syn -s 192.168.1.0/255.255.255.0 -j ACCEPT iptables -A INPUT -p tcp --syn -s 192.168.4.0/255.255.255.0 -j ACCEPT iptables -A OUTPUT -p tcp --syn -s 192.168.4.0/255.255.255.0 -j ACCEPT iptables -A FORWARD -p tcp --syn -s 192.168.4.0/255.255.255.0 -j ACCEPT #iptables -A INPUT -p tcp --syn -s 10.8.0.0/255.255.255.0 -j ACCEPT #iptables -A OUTPUT -p tcp --syn -s 10.8.0.0/255.255.255.0 -j ACCEPT #iptables -A FORWARD -p tcp --syn -s 10.8.0.0/255.255.255.0 -j ACCEPT #iptables -A INPUT -p tcp --syn -s 10.9.0.0/255.255.255.0 -j ACCEPT #iptables -A OUTPUT -p tcp --syn -s 10.9.0.0/255.255.255.0 -j ACCEPT #iptables -A FORWARD -p tcp --syn -s 10.9.0.0/255.255.255.0 -j ACCEPT #iptables -A INPUT -p tcp --syn -s 10.10.0.0/255.255.255.0 -j ACCEPT #iptables -A OUTPUT -p tcp --syn -s 10.10.0.0/255.255.255.0 -j ACCEPT #iptables -A FORWARD -p tcp --syn -s 10.10.0.0/255.255.255.0 -j ACCEPT iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 53 -j MASQUERADE iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 53 -j MASQUERADE iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 1194 -j MASQUERADE iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 1194 -j MASQUERADE iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 1195 -j MASQUERADE iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 1195 -j MASQUERADE iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 1196 -j MASQUERADE iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 1196 -j MASQUERADE iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 1197 -j MASQUERADE iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 1197 -j MASQUERADE iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 1198 -j MASQUERADE iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 1198 -j MASQUERADE iptables -A INPUT -p tcp --destination-port 53 -j ACCEPT iptables -A INPUT -p udp --destination-port 53 -j ACCEPT iptables -A INPUT -p tcp --destination-port 1194 -j ACCEPT iptables -A INPUT -p tcp --destination-port 1195 -j ACCEPT iptables -A INPUT -p tcp --destination-port 1196 -j ACCEPT iptables -A INPUT -p tcp --destination-port 1197 -j ACCEPT iptables -A INPUT -p tcp --destination-port 1198 -j ACCEPT iptables -A INPUT -p udp --destination-port 1194 -j ACCEPT iptables -A INPUT -p udp --destination-port 1195 -j ACCEPT iptables -A INPUT -p udp --destination-port 1196 -j ACCEPT iptables -A INPUT -p udp --destination-port 1197 -j ACCEPT iptables -A INPUT -p udp --destination-port 1198 -j ACCEPT # Allow packets from private subnets iptables -A INPUT -i eth1 -j ACCEPT iptables -A OUTPUT -o eth1 -j ACCEPT iptables -A FORWARD -i eth1 -j ACCEPT iptables -A INPUT -i eth0 -j ACCEPT iptables -A OUTPUT -o eth0 -j ACCEPT iptables -A FORWARD -i eth0 -j ACCEPT iptables -A FORWARD -i tun+ -j ACCEPT iptables -A INPUT -i tun+ -j ACCEPT iptables -A INPUT -i tap+ -j ACCEPT iptables -A FORWARD -i tap+ -j ACCEPT #Manter o estado as conexda maquina local e da rede interna iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE iptables -t nat -A POSTROUTING -o tun2 -j MASQUERADE iptables -t nat -A POSTROUTING -o tun3 -j MASQUERADE #iptables -t nat -A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE echo 1 > /proc/sys/net/ipv4/ip_forward Última edição por pabinho; 02-07-2008 às 11:45.	pabinho Registrado em: Aug 2006 Localização: Paraná Idade: 29 Posts: 28 Agradeceu: 5 Agradecido 0 vez(es) em 0 Posts Reputação: 0