  1. #1
    Sam_bass
    Folks, I have a problem: I'm trying to do a DNAT to a server on the internal network and I can't get it to work. One detail: using redir I can do the NAT, but I'd also like to learn how to do it with iptables. What am I doing wrong?

    #!/bin/bash
    #
    #
    #
    # Loading modules
    /sbin/modprobe ip_tables
    /sbin/modprobe ip_conntrack
    /sbin/modprobe ip_conntrack_ftp
    /sbin/modprobe iptable_filter
    /sbin/modprobe iptable_nat
    /sbin/modprobe iptable_mangle
    /sbin/modprobe ip_nat_ftp
    /sbin/modprobe ipt_state
    /sbin/modprobe ipt_multiport
    /sbin/modprobe ipt_ttl
    /sbin/modprobe ip_queue

    # Defining variables
    IF_INT1="eth0"
    IF_EXT1="eth1"
    IP_INT1="100.100.100.1"
    IP_EXT1="192.168.1.2"
    REDE_INT1="100.100.0.0/16"



    case "$1" in
    start)

    # Default policies
    /sbin/iptables -t filter -P INPUT DROP
    /sbin/iptables -t filter -P FORWARD DROP
    /sbin/iptables -t filter -P OUTPUT ACCEPT
    /sbin/iptables -t nat -P PREROUTING ACCEPT
    /sbin/iptables -t nat -P POSTROUTING ACCEPT

    # Allowing internal access to the Internet (variable name fixed: it is defined as REDE_INT1 above)
    /sbin/iptables -t nat -A POSTROUTING -s $REDE_INT1 -o eth0 -j MASQUERADE
    /sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
    echo "1" > /proc/sys/net/ipv4/ip_forward



    ###################################################################
    ### filter table ###
    ###################################################################

    ### Chain FORWARD ###

    # LOGS
    /sbin/iptables -t filter -A FORWARD -p tcp --dport 22 -j LOG --log-prefix "FIREWALL:ssh-forward"
    /sbin/iptables -t filter -A FORWARD -p tcp --dport 23 -j LOG --log-prefix "FIREWALL:telnet-forward"
    /sbin/iptables -t filter -A FORWARD -p tcp --dport 80 -j LOG --log-prefix "FIREWALL:web-forward"

    # ACCESS
    /sbin/iptables -t filter -A FORWARD -p tcp --dport 21 -j ACCEPT # FTP
    /sbin/iptables -t filter -A FORWARD -p tcp --dport 22 -j ACCEPT # SSH
    /sbin/iptables -t filter -A FORWARD -p tcp --dport 25 -j ACCEPT # SMTP - E-mail
    /sbin/iptables -t filter -A FORWARD -p tcp --dport 53 -j ACCEPT # DNS
    /sbin/iptables -t filter -A FORWARD -p udp --dport 53 -j ACCEPT # DNS
    /sbin/iptables -t filter -A FORWARD -p tcp --dport 80 -j ACCEPT # HTTP
    /sbin/iptables -t filter -A FORWARD -p tcp --dport 110 -j ACCEPT # POP - E-mail
    /sbin/iptables -t filter -A FORWARD -p tcp --dport 443 -j ACCEPT # HTTPS
    #/sbin/iptables -t filter -A FORWARD -p tcp --dport 1666 -j ACCEPT # HTTPS
    /sbin/iptables -t filter -A FORWARD -p tcp --dport 1863 -j ACCEPT # Messenger
    /sbin/iptables -t filter -A FORWARD -p tcp --dport 3000 -j ACCEPT # Firetower
    /sbin/iptables -t filter -A FORWARD -p tcp --dport 5000 -j ACCEPT
    /sbin/iptables -t filter -A FORWARD -p tcp --dport 3128 -j ACCEPT # Proxy
    /sbin/iptables -t filter -A FORWARD -p tcp --dport 5800 -j ACCEPT # VNC
    /sbin/iptables -t filter -A FORWARD -p tcp --dport 5901 -j ACCEPT # VNC
    #/sbin/iptables -t filter -A FORWARD -p tcp --dport 34123 -j ACCEPT # Redirect port
    /sbin/iptables -t filter -A FORWARD -p tcp --dport 35000 -j ACCEPT # Redirect port for Uruguaiana
    /sbin/iptables -t filter -A FORWARD -p icmp -m limit --limit 1/s -j ACCEPT # Limits ping to 1 per second
    /sbin/iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # Accepts all established connections



    ### Chain INPUT ###


    # LOGS
    /sbin/iptables -t filter -A INPUT -p tcp --dport 22 -j LOG --log-level debug --log-prefix "FIREWALL:ssh"
    /sbin/iptables -t filter -A INPUT -p tcp --dport 23 -j LOG --log-level debug --log-prefix "FIREWALL:telnet"

    # ACCESS
    /sbin/iptables -t filter -A INPUT -i lo -j ACCEPT
    /sbin/iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT # SSH
    /sbin/iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT # DNS
    /sbin/iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT # DNS
    #/sbin/iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT # HTTP
    /sbin/iptables -t filter -A INPUT -p tcp --dport 3128 -j ACCEPT # Proxy

    /sbin/iptables -t filter -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT # Limits ping to 1 per second
    /sbin/iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Accepts all established connections
    /sbin/iptables -t filter -A INPUT -s $REDE_INT1 -j ACCEPT # Full access to the server from the internal network (Samba, SSH etc.)



    ###################################################################
    ### nat table ###
    ###################################################################

    /sbin/iptables -t nat -A PREROUTING -d $IP_EXT1 -p tcp --dport 5000 -j DNAT --to 100.100.100.4:22
    #iptables -t nat -A PREROUTING -i $IF_EXT1 -d $IP_EXT1 -p tcp --dport 34123 -j DNAT --to 100.100.100.200:22


    ###################################################################
    ### mangle table ###
    ###################################################################

    # Optimizing DNS and system services
    /sbin/iptables -t mangle -A FORWARD -p tcp --dport 25 -j TOS --set-tos 0x10
    #/sbin/iptables -t mangle -A FORWARD -p tcp --dport 53 -j TOS --set-tos 0x04
    #/sbin/iptables -t mangle -A FORWARD -p tcp --dport 53 -j TOS --set-tos 0x04
    #/sbin/iptables -t mangle -A OUTPUT -p tcp --dport 80 -j TOS --set-tos 0x04
    /sbin/iptables -t mangle -A FORWARD -p tcp --dport 110 -j TOS --set-tos 0x10
    #/sbin/iptables -t mangle -A FORWARD -p tcp --dport 3128 -j TOS --set-tos 0x04

    echo "Iniciando Firewall [ OK ]"
    ;;
    stop)
    # Flushing all rules
    /sbin/iptables -t filter -F INPUT
    /sbin/iptables -t filter -F FORWARD
    /sbin/iptables -t filter -F OUTPUT
    /sbin/iptables -t nat -F POSTROUTING
    /sbin/iptables -t nat -F PREROUTING

    # Allowing Internet access for the internal network
    /sbin/iptables -t nat -A POSTROUTING -s $REDE_INT1 -o eth0 -j MASQUERADE
    echo "1" > /proc/sys/net/ipv4/ip_forward

    # Opening all ports
    /sbin/iptables -t filter -P INPUT ACCEPT
    /sbin/iptables -t filter -P FORWARD ACCEPT
    /sbin/iptables -t filter -P OUTPUT ACCEPT
    /sbin/iptables -t nat -P POSTROUTING ACCEPT

    echo "Parando Firewall [ OK ]"
    ;;
    status)
    # Show the loaded rules with packet counters ("status" alone was not a defined command)
    /sbin/iptables -t filter -L -n -v
    /sbin/iptables -t nat -L -n -v
    ;;
    restart)
    $0 stop
    $0 start
    ;;
    *)
    # printf, not echo: echo does not expand the %s format
    printf "Uso: %s {start|stop|status|restart}\n" "firewall"
    exit 1
    ;;
    esac

  2. #2
    ###################################################################
    ### nat table ###
    ###################################################################

    /sbin/iptables -t nat -A PREROUTING -d $IP_EXT1 -p tcp --dport 5000 -j DNAT --to 100.100.100.4:22
    #iptables -t nat -A PREROUTING -i $IF_EXT1 -d $IP_EXT1 -p tcp --dport 34123 -j DNAT --to 100.100.100.200:22
    Put the nat rules at the end and try changing the --dport to the same port the server is listening on:


    /sbin/iptables -t nat -A PREROUTING -d $IP_EXT1 -p tcp --dport 22 -j DNAT --to 100.100.100.4:22
    #iptables -t nat -A PREROUTING -i $IF_EXT1 -d $IP_EXT1 -p tcp --dport 22 -j DNAT --to 100.100.100.200:22


    Give it a try.



  3. #3
    Sam_bass
    Man, it still didn't work. I don't know, NAT in iptables seems so simple, I don't know why it doesn't work.

  4. #4
    CRASH2k
    DNAT isn't very complicated either, but it depends on a few details. The way you are doing it, the local SSH server needs to have Internet access (use the firewall as its default gateway) and permission to reply (in FORWARD). Now, if you don't want it that way, add this:

    iptables -t nat -A POSTROUTING -o <if_local> -d <endereco_ssh> -p tcp --dport 22 -j MASQUERADE

    Something along those lines.....

    Quote Originally Posted by Sam_bass
    Man, it still didn't work. I don't know, NAT in iptables seems so simple, I don't know why it doesn't work.
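The complete set of rules a DNAT port-forward needs, including the optional POSTROUTING rule CRASH2k describes for a server that does not use the firewall as its default gateway, as an added example that is not code from the thread. Interface names, addresses and ports (eth1/192.168.1.2 external, eth0 internal, SSH server 100.100.100.4, public port 5000 mapped to 22) are assumed from the thread's layout; the script only prints the commands (dry run) unless IPT is set to the real iptables binary.

```shell
#!/bin/sh
# Added example, not the thread's own script. Assumed layout: eth1 is the
# external interface (192.168.1.2), eth0 the internal one, SSH server at
# 100.100.100.4, public port 5000 forwarded to internal port 22.
# Dry run by default: IPT=/sbin/iptables applies the rules for real.
IPT="${IPT:-echo /sbin/iptables}"

# dnat_forward EXT_IF EXT_IP EXT_PORT INT_IF SRV_IP SRV_PORT [hairpin]
dnat_forward() {
    ext_if=$1 ext_ip=$2 ext_port=$3 int_if=$4 srv_ip=$5 srv_port=$6 hairpin=$7
    # 1. nat/PREROUTING: rewrite the destination before the routing decision.
    #    Match the interface the packet arrives on and the *public* port.
    $IPT -t nat -A PREROUTING -i "$ext_if" -d "$ext_ip" -p tcp --dport "$ext_port" \
        -j DNAT --to-destination "$srv_ip:$srv_port"
    # 2. filter/FORWARD sees the packet *after* DNAT, so it must allow the
    #    translated destination (server IP and server port). Restricting to
    #    NEW connections from the external interface keeps the hole narrow.
    $IPT -A FORWARD -i "$ext_if" -o "$int_if" -d "$srv_ip" -p tcp --dport "$srv_port" \
        -m conntrack --ctstate NEW -j ACCEPT
    # 3. The server's replies also pass through FORWARD; conntrack matches
    #    them as ESTABLISHED (one such rule per chain is enough).
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 4. Optional: if the server does not route back through this box,
    #    source-NAT the forwarded packets so its replies come back to us.
    #    Cost: the server's logs then show the firewall's address, not the client's.
    if [ "$hairpin" = "hairpin" ]; then
        $IPT -t nat -A POSTROUTING -o "$int_if" -d "$srv_ip" -p tcp --dport "$srv_port" \
            -j MASQUERADE
    fi
}

# Number of iptables commands a given call emits (3 without hairpin, 4 with).
rule_count() { dnat_forward "$@" | wc -l | tr -d ' '; }

dnat_forward eth1 192.168.1.2 5000 eth0 100.100.100.4 22 hairpin
```

Review the printed commands, then rerun with IPT=/sbin/iptables as root to load them; the DNAT rule must sit before any REDIRECT rule in PREROUTING that could match the same traffic.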



  5. #5
    Sam_bass
    The thing is, the machine I'm doing the DNAT on is already the firewall, and its default gateway is the ADSL modem.


