Liberar saída do Terminal Server
Tenho um empresa1 com firewall no qual ela precisa acessar outra empresa2 via Terminal Server.
Mas de denttro dessa empresa1 com firewall eu não consigo acessar. Se eu for em casa, no serviço, eu consigo entrar na empresa2 via terminal server tranquilamente. Como faço para liberar?
Segue meu Firewall.
#Limpar regras
iptables -F #Limpa todas as regras da tabela filter
iptables -X #Deleta todas as cadeias da tabela filter
iptables -Z #Zera o contador da tabela filter
iptables -t nat -F #Limpa todas as regras da tabela NAT
iptables -t nat -X #Deleta todas as cadeias da tabela NAT
iptables -t nat -Z #Zera os contadores da tabela NAT
iptables -t mangle -F
iptables -t mangle -X
#Adiciona os modulos
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe iptable_nat
modprobe ip_nat_ftp
WAN=eth0
LAN=eth1
RINTERNA=192.168.5.0/24
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P INPUT DROP
#Liberar Terminal Server
iptables -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to 192.168.5.150
iptables -A FORWARD -p tcp --dport 3389 -j ACCEPT
iptables -A FORWARD -p tcp --sport 3389 -j ACCEPT
iptables -A FORWARD -p udp --sport 3389 -j ACCEPT
iptables -A FORWARD -p udp --dport 3389 -j ACCEPT
iptables -A INPUT -p udp --sport 3389 -j ACCEPT
iptables -A INPUT -p udp --dport 3389 -j ACCEPT
iptables -A INPUT -p tcp --sport 3389 -j ACCEPT
iptables -A INPUT -p tcp --dport 3389 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 3389 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 3389 -j ACCEPT
iptables -A OUTPUT -p udp --sport 3389 -j ACCEPT
iptables -A OUTPUT -p udp --dport 3389 -j ACCEPT
#Liberar servicos de entrada
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
#Liberar ping para internet
iptables -A INPUT -p icmp --icmp-type 0 -s $RINTERNA -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -s $RINTERNA -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -i $WAN -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -i $WAN -j ACCEPT
#liberar porta 53 DNS
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
#liberar SSH na LAN
iptables -A INPUT -i $LAN -p tcp --dport 22 -j ACCEPT
#Aceita todo trafego vindo da rede interna
iptables -A INPUT -s $RINTERNA -i $WAN -j ACCEPT
#Qualquer outro tipo de trafego
iptables -A INPUT -i $LAN -j ACCEPT
#Bloqueia ataque SSH de forca bruta
iptables -N SSH-BRUTE-FORCE
iptables -A INPUT -i $WAN -p tcp --dport 22 -j SSH-BRUTE-FORCE
iptables -A SSH-BRUTE-FORCE -m limit --limit 2/s --limit-burst 4 -j ACCEPT
iptables -A SSH-BRUTE-FORCE -j DROP
#conectividade social
#iptables -A PREROUTING -t nat -d 200.201.174.207/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 200.201.174.207/24:80
#iptables -A PREROUTING -t nat -s $RINTERNA -d 200.201.174.207 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 80
#iptables -t nat -A PREROUTING -i $WAN -p tcp -d ! obsupgdp.caixa.gov.br --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -p tcp -d 200.201.0.0/16 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.201.0.0/16 -j ACCEPT
iptables -A INPUT -j ACCEPT -p tcp -i $WAN --sport 2631
iptables -A INPUT -j ACCEPT -p tcp -i $WAN --dport 2631
iptables -A INPUT -j ACCEPT -p tcp -i $WAN -s 200.201.174.0/24
iptables -A INPUT -j ACCEPT -p tcp -i $WAN -d 200.201.174.0/24
#iptables -t nat -A PREROUTING -i $WAN -p tcp -d ! 200.201.174.0/24 --dport 80 -j REDIRECT --to-port 3128
#Bloqueio anti-spoofing
iptables -A INPUT -s $RINTERNA -i $WAN -j DROP
#liberar POP3
iptables -A INPUT -p tcp --sport 1024: --dport 25 -i $WAN -j ACCEPT
#Bloqueio de scanners ocultos (Shealt Scan)
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK, FIN, -m limit --limit 1/s -j ACCEPT
#Protecao Contra WORMS
iptables -A FORWARD -p tcp --dport 135 -i $WAN -j DROP
#Potecao contra ping da morte
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
#Protecao contra Syn-Flood
iptables -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT
#Bloqueia pacote danificados (ataques DOS)
iptables -A FORWARD -m unclean -j DROP
####Protecao contra IP Spoofing###
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 >$i
done
#Bloqueio de Trojan
iptables -A INPUT -s $RINTERNA -p tcp --dport 666 -j DROP
iptables -A FORWARD -s $RINTERNA -p tcp --dport 666 -j DROP
iptables -A FORWARD -s $RINTERNA -p tcp --dport 4000 -j DROP
iptables -A INPUT -s $RINTERNA -p tcp --dport 4000 -j DROP
iptables -A FORWARD -s $RINTERNA -p tcp --dport 6000 -j DROP
iptables -A INPUT -s $RINTERNA -p tcp --dport 6000 -j DROP
iptables -A FORWARD -s $RINTERNA -p tcp --dport 6006 -j DROP
iptables -A INPUT -s $RINTERNA -p tcp --dport 6006 -j DROP
iptables -A INPUT -s $RINTERNA -p tcp --dport 1660 -j DROP
iptables -A FORWARD -s $RINTERNA -p tcp --dport 1660 -j DROP
###NAT###
echo 1 > /proc/sys/net/ipv4/ip_forward
##Masquerade
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
#iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
##liberar MAC para MSN
#Luiz
iptables -A FORWARD -m mac --mac-source 00:25:22:17:F9:A0 -p tcp --dport 1863 -j ACCEPT
#Aty - Notebook LAN
iptables -A FORWARD -m mac --mac-source 00:90:F5:8E:49:14 -p tcp --dport 1863 -j ACCEPT
#Aty - Notebook Wireless
iptables -A FORWARD -m mac --mac-source 00:22:43:10:06:E1 -p tcp --dport 1863 -j ACCEPT
#Renato
iptables -A FORWARD -m mac --mac-source 00:1B:B9:E9:48:61 -p tcp --dport 1863 -j ACCEPT
#Wireless
iptables -A FORWARD -m mac --mac-source 00:E0:4A:00:04:3D -p tcp --dport 1863 -j ACCEPT
#Bloquear MSN
iptables -A FORWARD -s $RINTERNA -p tcp --dport 1863 -j REJECT
iptables -A FORWARD -s $RINTERNA -d loginnet.passport.com -j REJECT
#Direcionar porta 80 para 3128 (squid)
iptables -t nat -A PREROUTING -s 0/0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -s 0/0 -p tcp --dport 80 -j REDIRECT --to-port 3128
#Fecha outras entradas
iptables -A INPUT -p tcp --syn -j DROP