Pessoal, estou com um problema, to tentando fazer um DNAT para um servidor da rede interna e não consigo. Um detalhe, usando o redir eu consigo fazer o NAT, mas queria tb aprender pelo iptables, o que estou fazendo de errado?
#!/bin/bash
#
#
#
#Carregando módulos
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_nat
/sbin/modprobe iptable_mangle
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_state
/sbin/modprobe ipt_multiport
/sbin/modprobe ipt_ttl
/sbin/modprobe ip_queue
#Definindo Variáveis
IF_INT1="eth0"
IF_EXT1="eth1"
IP_INT1="100.100.100.1"
IP_EXT1="192.168.1.2"
REDE_INT1="100.100.0.0/16"
case "$1" in
start)
#Definindo padrões
/sbin/iptables -t filter -P INPUT DROP
/sbin/iptables -t filter -P FORWARD DROP
/sbin/iptables -t filter -P OUTPUT ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
#Liberando acesso interno à Internet
/sbin/iptables -t nat -A POSTROUTING -s $REDE_INT -o eth0 -j MASQUERADE
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
echo "1" > /proc/sys/net/ipv4/ip_forward
###################################################################
### Tabela filter ###
###################################################################
### Chain FORWARD ###
#LOGS
/sbin/iptables -t filter -A FORWARD -p tcp --dport 22 -j LOG --log-prefix "FIREWALL:ssh-forward"
/sbin/iptables -t filter -A FORWARD -p tcp --dport 23 -j LOG --log-prefix "FIREWALL:telnet-forward"
/sbin/iptables -t filter -A FORWARD -p tcp --dport 80 -j LOG --log-prefix "FIREWALL:web-forward"
#ACESSOS
/sbin/iptables -t filter -A FORWARD -p tcp --dport 21 -j ACCEPT #FTP
/sbin/iptables -t filter -A FORWARD -p tcp --dport 22 -j ACCEPT #SSH
/sbin/iptables -t filter -A FORWARD -p tcp --dport 25 -j ACCEPT #SMTP - E-mail
/sbin/iptables -t filter -A FORWARD -p tcp --dport 53 -j ACCEPT #DNS
/sbin/iptables -t filter -A FORWARD -p udp --dport 53 -j ACCEPT #DNS
/sbin/iptables -t filter -A FORWARD -p tcp --dport 80 -j ACCEPT #HTTP
/sbin/iptables -t filter -A FORWARD -p tcp --dport 110 -j ACCEPT #POP - E-mail
/sbin/iptables -t filter -A FORWARD -p tcp --dport 443 -j ACCEPT #HTTPS
#/sbin/iptables -t filter -A FORWARD -p tcp --dport 1666 -j ACCEPT #HTTPS
/sbin/iptables -t filter -A FORWARD -p tcp --dport 1863 -j ACCEPT #Messenger
/sbin/iptables -t filter -A FORWARD -p tcp --dport 3000 -j ACCEPT #Firetower
/sbin/iptables -t filter -A FORWARD -p tcp --dport 5000 -j ACCEPT
/sbin/iptables -t filter -A FORWARD -p tcp --dport 3128 -j ACCEPT #Proxy
/sbin/iptables -t filter -A FORWARD -p tcp --dport 5800 -j ACCEPT #VNC
/sbin/iptables -t filter -A FORWARD -p tcp --dport 5901 -j ACCEPT #VNC
#/sbin/iptables -t filter -A FORWARD -p tcp --dport 34123 -j ACCEPT #Porta de redirecionamento
/sbin/iptables -t filter -A FORWARD -p tcp --dport 35000 -j ACCEPT #Porta de redirecionamento p/ Uruguaiana
/sbin/iptables -t filter -A FORWARD -p icmp -m limit --limit 1/s -j ACCEPT #Limita ping em 1 ping por segundo
/sbin/iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT #Aceita todas conexoes estabilizadas
### Chain INPUT ###
#LOGS
/sbin/iptables -t filter -A INPUT -p tcp --dport 22 -j LOG --log-level debug --log-prefix "FIREWALL:ssh"
/sbin/iptables -t filter -A INPUT -p tcp --dport 23 -j LOG --log-level debug --log-prefix "FIREWALL:telnet"
#ACESSOS
/sbin/iptables -t filter -A INPUT -i lo -j ACCEPT
/sbin/iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT #SSH
/sbin/iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT #DNS
/sbin/iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT #DNS
#/sbin/iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT #HTTP
/sbin/iptables -t filter -A INPUT -p tcp --dport 3128 -j ACCEPT #Proxy
/sbin/iptables -t filter -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT #Limita o ping a 1 ping por segundo
/sbin/iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #Aceita todas as conexoes estabilizadas
/sbin/iptables -t filter -A INPUT -s $REDE_INT1 -j ACCEPT #Libera acesso total ao servidor pela rede interna (Samba, SSH etc.)
###################################################################
### Tabela nat ###
###################################################################
/sbin/iptables -t nat -A PREROUTING -d $IP_EXT1 -p tcp --dport 5000 -j DNAT --to 100.100.100.4:22
#iptables -t nat -A PREROUTING -i $IF_EXT1 -d $IP_EXT1 -p tcp --dport 34123 -j DNAT --to 100.100.100.200:22
###################################################################
### Tabela mangle ###
###################################################################
#Otimizando serviços de DNS e do Sistema
/sbin/iptables -t mangle -A FORWARD -p tcp --dport 25 -j TOS --set-tos 0x10
#/sbin/iptables -t mangle -A FORWARD -p tcp --dport 53 -j TOS --set-tos 0x04
#/sbin/iptables -t mangle -A FORWARD -p tcp --dport 53 -j TOS --set-tos 0x04
#/sbin/iptables -t mangle -A OUTPUT -p tcp --dport 80 -j TOS --set-tos 0x04
/sbin/iptables -t mangle -A FORWARD -p tcp --dport 110 -j TOS --set-tos 0x10
#/sbin/iptables -t mangle -A FORWARD -p tcp --dport 3128 -j TOS --set-tos 0x04
echo "Iniciando Firewall [ OK ]"
;;
stop)
#Limpando todas as regras
/sbin/iptables -t filter -F INPUT
/sbin/iptables -t filter -F FORWARD
/sbin/iptables -t filter -F OUTPUT
/sbin/iptables -t nat -F POSTROUTING
/sbin/iptables -t nat -F PREROUTING
#Liberando acesso à Internet para rede interna
/sbin/iptables -t nat -A POSTROUTING -s $REDE_INT -o eth0 -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward
#Liberando todas as portas
/sbin/iptables -t filter -P INPUT ACCEPT
/sbin/iptables -t filter -P FORWARD ACCEPT
/sbin/iptables -t filter -P OUTPUT ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
echo "Parando Firewall [ OK ]"
;;
status)
status
;;
restart)
$0 stop
$0 start
;;
*)
echo "Uso: %s {start|stop|status|restart}\n" "firewall"
exit 1
esac