- redirecionamento TS
+ Responder ao Tópico
-
redirecionamento TS
estou com problema na liberação do ts. estou usando em drop.
o comonado para redirecionar :
iptables -t nat PREROUNTING -s 200.0.0.0 -m tcp -p tcp -i eth1 --dport 3389 -j DNAT --to-destination 192.0.0.0
o que esta contecento. internamente estou conseguindo conectar. mas o usuários de fora não conseguir conectar.
quem poderia me ajudar.....
-
Re: redirecionamento TS
# Abre algumas portas
iptables -A INPUT -p tcp --destination-port 3389 -j ACCEPT
# Redireciona algumas portas
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to-dest 192.168.0.0:3389
iptables -A FORWARD -p tcp -i eth0 --dport 3389 -d 192.168.0.0 -j ACCEPT
-
redirecionamento TS
tenta com essa regra aki
iptables -t nat -A PREROUTING -d 200.0.0.0 -p tcp --dport 3389 -j DNAT --to 192.0.0.0:3389
me diz ai c funciona!
-
redirecionamento TS
-
redirecionamento TS
###################################################
# Script para implementacao de firewall em iptables
# Autor:
# Manutencao:
# Data: Abril/2003
# Ultima Manutencao: 10/04/03
###################################################
##########################################
# Reseta regras do iptables
##########################################
/usr/sbin/iptables --flush
/usr/sbin/iptables --table nat --flush
/usr/sbin/iptables --delete-chain
/usr/sbin/iptables --table nat --delete-chain
##########################################
# Definicao das variaveis
##########################################
IT=/usr/sbin/iptables
# Portas
P_PPTP=1723 # VPN
P_TERMSERV=3389 # Terminal Service Windows
P_ORACLE=1521 # Servidor de Banco de Dados Oracle
P_SQL=1433 # Servidor de banco de Dados SQL
P_PCANYD=5631 # PcAnywhere dados
P_PCANYS=5632 # PcAnywhere status
P_VNCA1=5900 # VNC aplicacao
P_VNCA2=5901 # VNC aplicacao
P_VNCA3=5902 # VNC aplicacao
P_VNCA4=5903 # VNC aplicacao
P_VNCW1=5800 # VNC web applet
P_VNCW2=5801 # VNC web applet
P_VNCW3=5802 # VNC web applet
P_VNCW4=5803 # VNC web applet
P_TREND=80 # Antivirus - Servico de atualizacao
P_CAGEDNET=2500 # CAGEDnet para ACI
P_CONXSOC=2631 # Conectividade Social
#P_DSNET=21 # DSNet - Servidor 200.249.133.132
P_SEFAZNET=50000 # Sefaz Net
P_GIMNET=1023 # GIM Net - Servidor 200.249.15.56
P_CONEX=81 # Sistema de Comercio Exterior da SIMASA
P_MESSENGER=1863 # MSN Messenger
P_MESSENGEV=6901 # MSN Voz - UDP, TCP
P_SAGC99=1049 # Gian - Secret Fazenda Pernamb
P_RAISNET=3007 # Ministerio do Trabalho - servidor 161.148.185.30
P_RALNET1=1500 # Minas e Energia
P_RALNET2=1600 # Minas e Energia
P_RECEITANET=3456 # Receita Federal
P_SINTEGRA=8017 # Secretaria da Fazenda
# Servidores Externos
S_SEFAZNET=200.253.176.68 # Sefaz Net
S_CONSOC=200.201.173.68 # Caixa Economica
S_GIMNET=200.249.15.56 # Secretaria da Tributacao RN
S_PALMTOP=207.66.2.50 # Site da Palm
S_SAGSERVER=200.238.112.123 # Secretaria Fazenda Pernambuco - Gian
S_RAISSERVER=161.148.185.30 # Ministerio do Trabalho e Emprego
S_DSSERVER=200.249.133.132 # Prefeitura Cidade Recife
# Interfaces fisicas
IF_INTERNET=eth1
IF_INTERNA=eth0
# Redes urs/loca/bin/
REDE_INTERNET=200.xx.xx.xx/255.255.255.0
REDE_INTERNA=10.0.5.0/255.255.255.0
# Ips das Interfaces
IP_IF_INTERNET=200.xxx.xxx
IP_IF_INTERNA=10.0.5.101
##########################################
# Protecao contra spoofing
##########################################
touch /var/lock/subsys/local
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
modprobe iptable_nat
##########################################
# Inicio das Regras do firewall
##########################################
# Diretivas defaults
$IT -P INPUT DROP
$IT -P FORWARD DROP
$IT -P OUTPUT ACCEPT
# Diretiva para int loopback
$IT -A INPUT -i lo -j ACCEPT
$IT -N LOGDROP
$IT -A LOGDROP -m limit --limit 50/hour -j LOG
$IT -A LOGDROP -j DROP
##########################################
# NAT (MASCARAMENTO)
##########################################
# SourceNAT REDE-INTERNA --> INTERNET
$IT --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
$IT --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
#$IT -t nat -A POSTROUTING -s $REDE_INTERNA -o $IF_INTERNET -j SNAT --to-source $IP_IF_INTERNET
#$IT --table nat --append POSTROUTING -s $REDE_INTERNA --out-interface eth1 -j MASQUERADE
#$IT --append FORWARD --in-interface eth1 -j ACCEPT
##########################################
# NAT (PORT FORWARD)
##########################################
# DestinationNAT INTERNET --> Win2000 da REDE INTERNA
# para VPN
# porta 1723 - PPTP
# prot 47 - GRE
#$IT -t nat -A PREROUTING -p tcp -d $S_VPN_ALIAS --dport 3389 -j DNAT --to $S_VPN_INTERNO
#$IT -t nat -A PREROUTING -p tcp -d $S_VPN_ALIAS --dport 1723 -j DNAT --to $S_VPN_INTERNO
#$IT -t nat -A PREROUTING -p 80,21 -d $S_VPN_ALIAS -j DNAT --to $S_VPN_INTERNO
#$IT -t nat -A PREROUTING -s $REDE_INTERNA -p tcp -d 200.68.173.243 --dport 80 -j ACCEPT
$IT -t nat -A PREROUTING -s $REDE_INTERNA -p tcp --dport 80 -j REDIRECT --to-port 3128
$IT -t nat -A PREROUTING -s $REDE_INTERNA -p tcp --dport 443 -j REDIRECT --to-port 3128
#$IT -t nat -A PREROUTING -s $REDE_INTERNA -p tcp --dport 21 -j REDIRECT --to-port 3128
##########################################
# Definicao das cadeias
##########################################
# Forwards
$IT -N interna-internet
$IT -N interna-interna
$IT -N internet-interna
# Inputs
$IT -N interna-if
$IT -N internet-if
$IT -N icmp-accept
# Definicoes dos forwards
$IT -A FORWARD -i $IF_INTERNA -o $IF_INTERNET -j interna-internet
$IT -A FORWARD -i $IF_INTERNA -o $IF_INTERNA -j interna-interna
$IT -A FORWARD -i $IF_INTERNET -o $IF_INTERNA -j internet-interna
# Definicoes dos inputs
$IT -A INPUT -i $IF_INTERNA -j interna-if
$IT -A INPUT -i $IF_INTERNET -j internet-if
##########################################
# Filtros
##########################################
# Permissoes para pacotes icmp
$IT -A icmp-accept -p icmp --icmp-type destination-unreachable -j ACCEPT
$IT -A icmp-accept -p icmp --icmp-type source-quench -j ACCEPT
$IT -A icmp-accept -p icmp --icmp-type time-exceeded -j ACCEPT
$IT -A icmp-accept -p icmp --icmp-type parameter-problem -j ACCEPT
$IT -A icmp-accept -p icmp --icmp-type echo-reply -j ACCEPT
# Contra Ping of Death
$IT -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# Contra Ataques Syn-flood
$IT -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
# Contra Port scanners Avançados (nmap)
$IT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -m limit --limit 1/s -j ACCEPT
# Contra pacotes danificados ou suspeitos
$IT -A FORWARD -m unclean -j DROP
##########################################
# interna para interna
##########################################
# Libera tudo de interna para interna
$IT -A interna-interna -j ACCEPT
##########################################
# interna para internet
##########################################
# Libera http e ftp para Micros Totalmente Liberados
$IT -A interna-internet -m multiport -p tcp -s 10.0.5.0/16 --dport 80,43,21 -j ACCEPT
#$IT -A interna-internet -p udp -s $S_SERVIDOR --dport 20 -j ACCEPT
# Protocolo 47 GRE para VPN
$IT -A interna-internet -p 47 -j ACCEPT
# Servicos basicos permitidos
$IT -A interna-internet -m multiport -p tcp --dport domain,pop-3,smtp,imap,telnet,ssh,$P_PPTP,$P_TERMSERV,snmp,nntp,nntps,113 -j ACCEPT
$IT -A interna-internet -m multiport -p tcp --dport $P_VNCA1,$P_VNCA2,$P_VNCW1,$P_VNCW2,$P_MESSENGER,$P_MESSENGEV,$P_PCANYD,$P_PCANYS,$P_SQL -j ACCEPT
$IT -A interna-internet -m multiport -p udp --dport domain,snmp,$P_MESSENGER,$P_MESSENGEV,nntp,nntps -j ACCEPT
# Acesso a Receita Federal, Minas e Energia, Ministerio Trabalho, Secret Fazenda
$IT -A interna-internet -m multiport -p tcp --dport $P_RECEITANET,$P_RALNET1,$P_RALNET2,$P_RAISNET,$P_SAGC99,$P_SINTEGRA -j ACCEPT
# Conexao com Conectividade Social
$IT -A interna-internet -p tcp --dport $P_CONXSOC -j ACCEPT
# Conexao com Cegedenet - Ministerio Trabalho
$IT -A interna-internet -p tcp --dport $P_CAGEDNET -j ACCEPT
# Conexao com a Rede SEFAZNET
$IT -A interna-internet -p tcp --dport $P_SEFAZNET -d $S_SEFAZNET -j ACCEPT
# Conexao com a Rede GIMNET
$IT -A interna-internet -p tcp --dport $P_GIMNET -d $S_GIMNET -j ACCEPT
# Conexao com a Caixa Economica
$IT -A interna-internet -p tcp --dport http -d $S_CONSOC -j ACCEPT
# Conexoes estabelecidas e relacionadas
$IT -A interna-internet -m state --state ESTABLISHED,RELATED -j ACCEPT
# Ping e ICMP
$IT -A interna-internet -j icmp-accept
$IT -A interna-internet -p icmp --icmp-type ping -j ACCEPT
##########################################
# internet para interna
##########################################
# Conexoes estabelecidas e relacionadas
$IT -A internet-interna -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP
$IT -A internet-interna -p icmp -j icmp-accept
# Ident e pop3
$IT -A internet-interna -m multiport -p tcp --dport 80,113,pop-3,smtp,ftp-data,ftp -j ACCEPT
# MSN
#$IT -A internet-interna -p tcp --dport 1024:65000 -j ACCEPT
############################################
# Regras de input para o firewall: cautela!
############################################
# ---- INTERFACE INTERNA------
# Conexoes estabelecidas e relacionadas
$IT -A interna-if -m state --state ESTABLISHED,RELATED -j ACCEPT
# Ping e ICMP
$IT -A interna-if -j icmp-accept
$IT -A interna-if -p icmp --icmp-type ping -j ACCEPT
# ident
#IT -A interna-if -p tcp --dport 113 -j REJECT
# ftp, ssh e shell
$IT -A interna-if -p tcp --dport ftp -j ACCEPT
$IT -A interna-if -p tcp --dport ssh -j ACCEPT
#permissao de acesso ao squid
$IT -A interna-if -p tcp -s $REDE_INTERNA --dport 3128 -j ACCEPT
#este firewall tambem eh dns para a rede interna
$IT -A interna-if -p tcp --dport domain -j ACCEPT
$IT -A interna-if -p udp --dport domain -j ACCEPT
$IT -A interna-if -p tcp --dport smtp -j ACCEPT
$IT -A interna-if -p tcp --dport pop-3 -j ACCEPT
$IT -A interna-if -p tcp --dport 113 -j ACCEPT
# ---- INTERFACE INTERNET ------
# este firewall tambem eh dns para a rede interna
$IT -A internet-if -p udp --dport domain -j ACCEPT
$IT -A internet-if -p tcp --dport domain -j ACCEPT
$IT -A internet-if -p tcp --dport smtp -j ACCEPT
$IT -A internet-if -p udp --dport smtp -j ACCEPT
$IT -A internet-if -p tcp --dport pop-3 -j ACCEPT
$IT -A internet-if -p tcp --dport 113 -j ACCEPT
$IT -A internet-if -p tcp --dport ftp -j ACCEPT
$IT -A internet-if -p udp --dport ftp-data -j ACCEPT
# Conexoes estabelecidas e relacionadas
$IT -A internet-if -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP
$IT -A internet-if -j icmp-accept
# ident
$IT -A internet-if -p tcp --dport 113 -j REJECT
[size=9px][/size]
#TS
iptables -t nat -A PREROUTING -s 200.xxx.xxx.xxx -m tcp -p tcp -i eth1 --dport 3389 -j DNAT --to-destination 10.0.0.xxx
o que tem de errado para não permitir o TS ....
outra coisa. não esta permitindo o ftp 200.199.14.8 ... os outros funcionar.