iptables + DNAT

Caros estou com um problema, não esta sendo possivel por exemplo redirecionar o trafego e porta do vnc (5900) para uma estação, eu nao sei mais o q fazer...
Código :

$IPTABLES -t nat -A PREROUTING -p tcp -d $WAN --dport 5900 -i $EXT_IF -j DNAT --to 10.201.201.2:5900 $IPTABLES -A FORWARD -p tcp -d 10.201.201.2 --dport 5900 -i $EXT_IF -o $INT_IF -j ACCEPT
Alguem saberia o que pode ser?

Grato

Re: iptables + DNAT

IPTABLES -t nat -A PREROUTING -p tcp -d $WAN --dport 5900 -i $EXT_IF -j DNAT --to 10.201.201.2:5900

Coloca com -I , vai q tem algum ACCEPT Acima ... e nao precisa passar a interface (-i) jah q eh o ip valido q ta filtrando !

iptables -t nat -I PREROUTING -d $WAN -p tcp --dport 5900 -j DNAT --to 10.201.201.2:5900

Re: iptables + DNAT

Citação:

Postado originalmente por Denis Iarossi

IPTABLES -t nat -A PREROUTING -p tcp -d $WAN --dport 5900 -i $EXT_IF -j DNAT --to 10.201.201.2:5900

Coloca com -I , vai q tem algum ACCEPT Acima ... e nao precisa passar a interface (-i) jah q eh o ip valido q ta filtrando !

iptables -t nat -I PREROUTING -d $WAN -p tcp --dport 5900 -j DNAT --to 10.201.201.2:5900

Amigo, o pior é que nao deu certo, segue meu firewall

Código :

#!/bin/sh
#
# by Diogo Borsoi
#
 
IPTABLES=/usr/local/sbin/iptables
INT_IF=eth1
EXT_IF=eth0
LOCAL_NETWORK=10.201.201.0/24
WAN=201.x.x.x
 
 
# Limpa regras
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t nat -Z
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
$IPTABLES -t mangle -Z
 
##### Definição de Policiamento #####
echo 'Loading chains...'
 
# Tabela filter
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P OUTPUT ACCEPT
$IPTABLES -t filter -P FORWARD DROP
 
# Tabela nat
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING DROP
 
# Tabela mangle
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
 
 
##### Proteção contra IP Spoofing #####
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
 echo 1 >$i
 done
 
##### Proteção contra Syncookies #####
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]
 then
 echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi
 
##### Ativamos o redirecionamento de pacotes (requerido para NAT) #####
echo "1" > /proc/sys/net/ipv4/ip_forward
 
#echo "8192" > /proc/sys/net/ipv4/ip_conntrack_max
 
 
###############################################################
#           Tabela filter             #
###############################################################
 
##### Chain INPUT #####
$IPTABLES -N local-input
$IPTABLES -N eth0-input
 
$IPTABLES -A INPUT -i lo -j ACCEPT
 
#$IPTABLES -A INPUT -i $INT_IF -j ACCEPT
 
$IPTABLES -A INPUT -s $LOCAL_NETWORK -i $INT_IF -j local-input
 
$IPTABLES -A INPUT -i $EXT_IF -j eth0-input
 
$IPTABLES -A INPUT -p tcp -i $INT_IF --dport 67:68 -j ACCEPT
$IPTABLES -A INPUT -p udp -i $INT_IF --dport 67:68 -j ACCEPT
 
$IPTABLES -A INPUT -j LOG --log-prefix "FIREWALL: INPUT "
$IPTABLES -A INPUT -j DROP
 
 
##### Chain FORWARD ####
 
### Controle de ip por lista
#for i in $(cat /etc/rc.d/clientes.fw);do $IPTABLES -A FORWARD -d $i -i $EXT_IF -o $INT_IF -j ACCEPT;done
#for i in $(cat /etc/rc.d/clientes.fw);do $IPTABLES -A FORWARD -s $i -i $INT_IF -o $EXT_IF -j ACCEPT;done
 
### Script que atrela IP ao MAC Address ###
/etc/rc.d/clientes.fw
 
$IPTABLES -A FORWARD -d $LOCAL_NETWORK -i $EXT_IF -o $INT_IF -j ACCEPT
#$IPTABLES -A FORWARD -s $LOCAL_NETWORK -i $INT_IF -o $EXT_IF -j ACCEPT
$IPTABLES -A FORWARD -j LOG --log-prefix "FIREWALL: FORWARD "
$IPTABLES -A FORWARD -j DROP
 
 
##### Chain local-input ####
 
$IPTABLES -A local-input -p icmp -m limit --limit 2/s -j ACCEPT
 
# www
$IPTABLES -A local-input -p tcp --dport 80 -j ACCEPT
 
# ssh
$IPTABLES -A local-input -p tcp --dport 22 -j ACCEPT
 
$IPTABLES -A local-input -p tcp --dport 53 -j ACCEPT
$IPTABLES -A local-input -p udp --dport 53 -j ACCEPT
 
$IPTABLES -A local-input -m state --state ! ESTABLISHED,RELATED -j LOG --log-prefix "FIREWALL: local-in "
$IPTABLES -A local-input -m state --state ! ESTABLISHED,RELATED -j DROP
 
$IPTABLES -A local-input -j ACCEPT
 
 
##### Chain eth0-input ####
$IPTABLES -A eth0-input -p icmp -m limit --limit 2/s -j ACCEPT
 
# www
$IPTABLES -A eth0-input -p tcp --dport 80 -j ACCEPT
 
# ssh
$IPTABLES -A eth0-input -p tcp --dport 22 -j ACCEPT
 
# ftp
#$IPTABLES -A eth0-input -p tcp --dport 21 -j ACCEPT
 
# vpn
#$IPTABLES -A eth0-input -p udp --dport 5000 -j ACCEPT
 
$IPTABLES -A eth0-input -p tcp --dport 21 -j LOG --log-prefix "FIREWALL: ftp "
$IPTABLES -A eth0-input -p tcp --dport 25 -j LOG --log-prefix "FIREWALL: smtp "
$IPTABLES -A eth0-input -p udp --dport 53 -j LOG --log-prefix "FIREWALL: dns "
$IPTABLES -A eth0-input -p tcp --dport 110 -j LOG --log-prefix "FIREWALL: pop3 "
$IPTABLES -A eth0-input -p tcp --dport 113 -j LOG --log-prefix "FIREWALL: identd "
$IPTABLES -A eth0-input -p udp --dport 111 -j LOG --log-prefix "FIREWALL: rpc"
$IPTABLES -A eth0-input -p tcp --dport 111 -j LOG --log-prefix "FIREWALL: rpc"
$IPTABLES -A eth0-input -p tcp --dport 137:139 -j LOG --log-prefix "FIREWALL: samba "
$IPTABLES -A eth0-input -p udp --dport 137:139 -j LOG --log-prefix "FIREWALL: samba "
 
$IPTABLES -A eth0-input -m state --state ! ESTABLISHED,RELATED -j LOG --log-prefix "FIREWALL: eth0-in "
$IPTABLES -A eth0-input -m state --state ! ESTABLISHED,RELATED -j DROP
 
$IPTABLES -A eth0-input -j ACCEPT
 
 
#######################################################
#         Tabela nat            #
#######################################################
 
##### Chain PREROUTING #####
$IPTABLES -t nat -A PREROUTING -p tcp -d $WAN --dport 5900 -j REDIRECT --to 10.201.201.4:5900
$IPTABLES -A FORWARD -p tcp -d 10.201.201.4 --dport 5900 -j ACCEPT
 
##### Chain POSTROUTING #####
$IPTABLES -t nat -A POSTROUTING -o lo -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s $LOCAL_NETWORK -o $INT_IF -j ACCEPT
 
$IPTABLES -t nat -A POSTROUTING -s $LOCAL_NETWORK -o $EXT_IF -j MASQUERADE
 
$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -d $LOCAL_NETWORK -j LOG --log-prefix "FIREWALL: SNAT unknown"
 
$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -d $LOCAL_NETWORK -j DROP
 
$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -j ACCEPT
 
$IPTABLES -t nat -A POSTROUTING -j LOG --log-prefix "FIREWALL: SNAT "
$IPTABLES -t nat -A POSTROUTING -j DROP
 
###############################################
#        Tabela mangle        #
###############################################
 
##### Chain OUTPUT #####
$IPTABLES -t mangle -A OUTPUT -o $EXT_IF -p tcp --dport 21 -j TOS --set-tos 0x10
$IPTABLES -t mangle -A OUTPUT -o $EXT_IF -p tcp --dport 23 -j TOS --set-tos 0x10
$IPTABLES -t mangle -A OUTPUT -o $EXT_IF -p tcp --dport 6665:6668 -j TOS --set-tos 0x10
$IPTABLES -t mangle -A OUTPUT -o $EXT_IF -p udp --dport 53 -j TOS --set-tos 0x10
 
echo 'Firewall started!!'

Re: iptables + DNAT

realmente esta tudo certinho ..

O que pode verificar , eh do servidor tentar atingir o servidor virtual , e verificar se a rota default do servidor virtual está p/ o server qual esta fazendo as regras !

No mais nao estou conseguindo te ajudar !
pode ateh monitorar com o tcpdump e colar aqui pra gente qq esta batento nele

tcpdump -i ethx port 5900

Re: iptables + DNAT

Código :

WAN=201.x.x.x
Vc tem ADSL com IP dinâmico?

Em caso positivo, tem certeza que seus ips sempre serão 201.x?

Re: iptables + DNAT

Caros muito obrigado pelas dicas, achei o erro estava nesta linha
Código :

IPTABLES -t nat -A POSTROUTING -o $EXT_IF -j ACCEPT
na qual tive q alterar para
Código :

$IPTABLES -t nat -A POSTROUTING -j ACCEPT
Grato

Re: iptables + DNAT

Vc tmb poderia liberar a porta do vnc ...

$IPTABLES -A local-input -p tcp --dport 5900 -j ACCEPT

falow ...