Controle remoto via internet em rede atras de firewall Linux
Gostaria de acessar as máquinas Windows 98 que ficam atras de um servidor Conectiva Linux 8 ligado à internet por Speedy.
Onde trabalho, estamos conectados a internet pelo Speedy, através de um windows 2000 server.
Como faço para fazer controle remoto nas máquinas atras do servidor Linux?
Gostaria se possível de usar o VNC.
Obrigado
Paulo
Controle remoto via internet em rede atras de firewall Linux
vc vai precisar fazer redirecionamento de pacotes com NAT...
de uma olhada na seção proxy/nat/firewall
Controle remoto via internet em rede atras de firewall Linux
Li os artigos da seção e também dúvidas semelhantes existentes no forum, mas continua não funcionando...
Uso Iptables no servidor linux, segui as instruções tanto dos artigos quanto do forum e nada de funcionar....
Controle remoto via internet em rede atras de firewall Linux
Estou tentando acessar através da internet, as máquinas da rede interna, usando o VNC, mas não consigo. Se alguem puder me ajudar, fico agradecido.
Segue abaixo meu script de firewall, os endereços abaixo são os utilizados em máquinas de teste. O 192.168.1.98 representa o endereço válido na internet e o 192.168.2.1 o ip da rede interna.
No kernel.log estão as seguintes mensagens.
Obrigado
Paulo
kernel.log
Dec 19 17:00:21 cobaiaserver kernel: IPT FORWARD packet died:IN=eth0 OUT=eth1 SRC=192.168.1.1 DST=192.168.2.2 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=7515 DF PROTO=TCP SPT=62678 DPT=5900 WINDOW=64240 RES=0x00 SYN URGP=0
Dec 19 17:00:24 cobaiaserver kernel: IPT FORWARD packet died:IN=eth0 OUT=eth1 SRC=192.168.1.1 DST=192.168.2.2 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=7645 DF PROTO=TCP SPT=62678 DPT=5900 WINDOW=64240 RES=0x00 SYN URGP=0
Dec 19 17:00:30 cobaiaserver kernel: IPT FORWARD packet died:IN=eth0 OUT=eth1 SRC=192.168.1.1 DST=192.168.2.2 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=7866 DF PROTO=TCP SPT=62678 DPT=5900 WINDOW=64240 RES=0x00 SYN URGP=0
Script Firewall
#
#1 Configuration options
#
# 1.1 Internet Configuration
INET_IP="192.168.1.98"
INET_IFACE="eth0"
#1.1.1 DHCP
#1.1.2 PPPoE
#1.2 Local Area Network configuration
#
#
LAN_IP="192.168.2.1"
LAN_IP_RANGE="192.168.2.0/24"
LAN_BCAST_ADRESS="192.168.2.255"
LAN_IFACE="eth1"
#1.3 DMZ Configuration
#1.4 Localhost Configuration
LO_IFACE="lo"
LO_IP="127.0.0.1"
#1.5 IPTables Configuration
IPTABLES="/usr/sbin/iptables"
#1.6 Other Configuration
#2. Module loading
/sbin/depmod -a
#2.1 Required modules
#
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
#
#2.2 Non-Required modules
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#
#3. /proc set up
#
#3.1 Required proc configuration
#
echo "1" >/proc/sys/net/ipv4/ip_forward
#
#3.2 Non-Required proc configuration
#echo "1" >/proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" >/proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" >/proc/sys/net/ipv4/ip_dynaddr
#
#4. rule set up
#4.1 Filter table
#4.1.1 Set policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
#4.1.2 Create user specified chains
#
#Create chain for bad tcp packets
$IPTABLES -N bad_tcp_packets
#
#Create separate chains for ICMP, TCP and UDP to traverse
$IPTABLES -N allowed
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets
#
#4.1.3 Create content in user specified chains
#bad_tcp_packets chain
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
#allowed chain
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
#TCP RULES
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 5900 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 5800 -j allowed
#UDP PORTS
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --destination-port 123 -j ACCEPT
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --destination-port 2074 -j ACCEPT
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --destination-port 4000 -j ACCEPT
#ICMP RULES
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#4.1.4 INPUT CHAIN
# BAD TCP PACKETS WE DON´T WANT
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
#RULES FOR SPECIAL NETWORKS NOT PART OF THE INTERNET
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
#RULES FOR INCOMING PACKETS FROM THE INTERNET
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -s 192.168.1.1 -j ACCEPT
#LOG WEIRD PACKETS THAT DON´T MATCH THE ABOVE
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died:"
#4.1.5 FORWARD CHAIN
#BAD TCP PACKETS WE DON´T WANT
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
#ACCEPTS THE PACKETS WE ACTUALLY WANT TO FORWARD
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -s 192.168.1.1 -o eth1 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i eth0 -o eth1 -d 192.168.2.2 --dport 5800 -j ACCEPT
#LOG WEIRD PACKETS THAT DON´T MATCH THE ABOVE
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died:"
#4.1.6 OUTPUT CHAIN
#BAD TCP PACKETS WE DON´T WANT
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
#SPECIAL OUTPUT RULES TO DECIDE WHICH IP´S TO ALLOW
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
#LOG WEIRD PACKETS THAT DON´T MATCH THE ABOVE
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died:"
#4.2 NAT TABLE
#4.2.1 SET POLICIES
#4.2.2 CREATE USER SPECIFIED CHAINS
#4.2.3 CREATE CONTENT IN USER SPECIFIED CHAINS
#4.2.4 PREROUTING CHAIN
$IPTABLES -t nat -A PREROUTING -p tcp -d 192.168.1.98 --dport 5900 -j DNAT --to 192.168.2.2
#4.2.5 POSTROUTING CHAIN
#ENABLESIMPLE IP FORWARDING AND NETWORK ADDRESS TRANSLATION
$IPTABLES -t nat -A POSTROUTING -p tcp -s 192.168.2.2 --sport 5900 -j SNAT --to 192.168.1.98
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
#4.2.6 OUTPUT CHAIN
#4.3 MANGLE TABLE
#4.3.1 SET POLICIES
#4.3.2 CREATE USER SPECIFIED CHAINS
#4.3.3 CREATE CONTENT IN USER SPECIFIED CHAINS
#4.3.4 PREROUTING CHAIN
#4.3.5 INPUT CHAIN
#4.3.6 FORWARD CHAIN
#4.3.7 OUTPUT CHAIN
#4.3.8 POSTROUTING CHAIN
Controle remoto via internet em rede atras de firewall Linux
so um comentario ...
pq vcs complicam tanto? <IMG SRC="images/forum/icons/icon_eek.gif">