+ Responder ao Tópico



  1. #1
    josedec
    Visitante

    Padrão redirecionamento TS

    estou com problema na liberação do ts. estou usando em drop.

    o comonado para redirecionar :

    iptables -t nat PREROUNTING -s 200.0.0.0 -m tcp -p tcp -i eth1 --dport 3389 -j DNAT --to-destination 192.0.0.0

    o que esta contecento. internamente estou conseguindo conectar. mas o usuários de fora não conseguir conectar.

    quem poderia me ajudar.....

  2. #2

    Padrão Re: redirecionamento TS

    # Abre algumas portas
    iptables -A INPUT -p tcp --destination-port 3389 -j ACCEPT

    # Redireciona algumas portas
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to-dest 192.168.0.0:3389
    iptables -A FORWARD -p tcp -i eth0 --dport 3389 -d 192.168.0.0 -j ACCEPT

  3. #3
    chakalt
    Visitante

    Padrão redirecionamento TS

    tenta com essa regra aki

    iptables -t nat -A PREROUTING -d 200.0.0.0 -p tcp --dport 3389 -j DNAT --to 192.0.0.0:3389

    me diz ai c funciona!

  4. #4
    josedec
    Visitante

    Padrão redirecionamento TS

    vou tentar

  5. #5
    josedec
    Visitante

    Padrão redirecionamento TS

    ###################################################
    # Script para implementacao de firewall em iptables
    # Autor:
    # Manutencao:
    # Data: Abril/2003
    # Ultima Manutencao: 10/04/03
    ###################################################


    ##########################################
    # Reseta regras do iptables
    ##########################################

    /usr/sbin/iptables --flush
    /usr/sbin/iptables --table nat --flush
    /usr/sbin/iptables --delete-chain
    /usr/sbin/iptables --table nat --delete-chain

    ##########################################
    # Definicao das variaveis
    ##########################################

    IT=/usr/sbin/iptables

    # Portas

    P_PPTP=1723 # VPN
    P_TERMSERV=3389 # Terminal Service Windows
    P_ORACLE=1521 # Servidor de Banco de Dados Oracle
    P_SQL=1433 # Servidor de banco de Dados SQL
    P_PCANYD=5631 # PcAnywhere dados
    P_PCANYS=5632 # PcAnywhere status
    P_VNCA1=5900 # VNC aplicacao
    P_VNCA2=5901 # VNC aplicacao
    P_VNCA3=5902 # VNC aplicacao
    P_VNCA4=5903 # VNC aplicacao
    P_VNCW1=5800 # VNC web applet
    P_VNCW2=5801 # VNC web applet
    P_VNCW3=5802 # VNC web applet
    P_VNCW4=5803 # VNC web applet
    P_TREND=80 # Antivirus - Servico de atualizacao
    P_CAGEDNET=2500 # CAGEDnet para ACI
    P_CONXSOC=2631 # Conectividade Social
    #P_DSNET=21 # DSNet - Servidor 200.249.133.132
    P_SEFAZNET=50000 # Sefaz Net
    P_GIMNET=1023 # GIM Net - Servidor 200.249.15.56
    P_CONEX=81 # Sistema de Comercio Exterior da SIMASA
    P_MESSENGER=1863 # MSN Messenger
    P_MESSENGEV=6901 # MSN Voz - UDP, TCP
    P_SAGC99=1049 # Gian - Secret Fazenda Pernamb
    P_RAISNET=3007 # Ministerio do Trabalho - servidor 161.148.185.30
    P_RALNET1=1500 # Minas e Energia
    P_RALNET2=1600 # Minas e Energia
    P_RECEITANET=3456 # Receita Federal
    P_SINTEGRA=8017 # Secretaria da Fazenda

    # Servidores Externos

    S_SEFAZNET=200.253.176.68 # Sefaz Net
    S_CONSOC=200.201.173.68 # Caixa Economica
    S_GIMNET=200.249.15.56 # Secretaria da Tributacao RN
    S_PALMTOP=207.66.2.50 # Site da Palm
    S_SAGSERVER=200.238.112.123 # Secretaria Fazenda Pernambuco - Gian
    S_RAISSERVER=161.148.185.30 # Ministerio do Trabalho e Emprego
    S_DSSERVER=200.249.133.132 # Prefeitura Cidade Recife

    # Interfaces fisicas

    IF_INTERNET=eth1
    IF_INTERNA=eth0

    # Redes urs/loca/bin/

    REDE_INTERNET=200.xx.xx.xx/255.255.255.0
    REDE_INTERNA=10.0.5.0/255.255.255.0

    # Ips das Interfaces

    IP_IF_INTERNET=200.xxx.xxx
    IP_IF_INTERNA=10.0.5.101

    ##########################################
    # Protecao contra spoofing
    ##########################################

    touch /var/lock/subsys/local
    echo 1 > /proc/sys/net/ipv4/ip_forward
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
    modprobe iptable_nat


    ##########################################
    # Inicio das Regras do firewall
    ##########################################

    # Diretivas defaults

    $IT -P INPUT DROP
    $IT -P FORWARD DROP
    $IT -P OUTPUT ACCEPT

    # Diretiva para int loopback

    $IT -A INPUT -i lo -j ACCEPT


    $IT -N LOGDROP
    $IT -A LOGDROP -m limit --limit 50/hour -j LOG
    $IT -A LOGDROP -j DROP


    ##########################################
    # NAT (MASCARAMENTO)
    ##########################################

    # SourceNAT REDE-INTERNA --> INTERNET

    $IT --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
    $IT --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE

    #$IT -t nat -A POSTROUTING -s $REDE_INTERNA -o $IF_INTERNET -j SNAT --to-source $IP_IF_INTERNET
    #$IT --table nat --append POSTROUTING -s $REDE_INTERNA --out-interface eth1 -j MASQUERADE
    #$IT --append FORWARD --in-interface eth1 -j ACCEPT

    ##########################################
    # NAT (PORT FORWARD)
    ##########################################

    # DestinationNAT INTERNET --> Win2000 da REDE INTERNA
    # para VPN
    # porta 1723 - PPTP
    # prot 47 - GRE

    #$IT -t nat -A PREROUTING -p tcp -d $S_VPN_ALIAS --dport 3389 -j DNAT --to $S_VPN_INTERNO

    #$IT -t nat -A PREROUTING -p tcp -d $S_VPN_ALIAS --dport 1723 -j DNAT --to $S_VPN_INTERNO

    #$IT -t nat -A PREROUTING -p 80,21 -d $S_VPN_ALIAS -j DNAT --to $S_VPN_INTERNO

    #$IT -t nat -A PREROUTING -s $REDE_INTERNA -p tcp -d 200.68.173.243 --dport 80 -j ACCEPT
    $IT -t nat -A PREROUTING -s $REDE_INTERNA -p tcp --dport 80 -j REDIRECT --to-port 3128
    $IT -t nat -A PREROUTING -s $REDE_INTERNA -p tcp --dport 443 -j REDIRECT --to-port 3128
    #$IT -t nat -A PREROUTING -s $REDE_INTERNA -p tcp --dport 21 -j REDIRECT --to-port 3128

    ##########################################
    # Definicao das cadeias
    ##########################################

    # Forwards

    $IT -N interna-internet
    $IT -N interna-interna
    $IT -N internet-interna

    # Inputs

    $IT -N interna-if
    $IT -N internet-if
    $IT -N icmp-accept

    # Definicoes dos forwards

    $IT -A FORWARD -i $IF_INTERNA -o $IF_INTERNET -j interna-internet
    $IT -A FORWARD -i $IF_INTERNA -o $IF_INTERNA -j interna-interna
    $IT -A FORWARD -i $IF_INTERNET -o $IF_INTERNA -j internet-interna

    # Definicoes dos inputs

    $IT -A INPUT -i $IF_INTERNA -j interna-if
    $IT -A INPUT -i $IF_INTERNET -j internet-if


    ##########################################
    # Filtros
    ##########################################

    # Permissoes para pacotes icmp

    $IT -A icmp-accept -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IT -A icmp-accept -p icmp --icmp-type source-quench -j ACCEPT
    $IT -A icmp-accept -p icmp --icmp-type time-exceeded -j ACCEPT
    $IT -A icmp-accept -p icmp --icmp-type parameter-problem -j ACCEPT
    $IT -A icmp-accept -p icmp --icmp-type echo-reply -j ACCEPT

    # Contra Ping of Death
    $IT -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    # Contra Ataques Syn-flood
    $IT -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
    # Contra Port scanners Avançados (nmap)
    $IT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -m limit --limit 1/s -j ACCEPT
    # Contra pacotes danificados ou suspeitos
    $IT -A FORWARD -m unclean -j DROP

    ##########################################
    # interna para interna
    ##########################################

    # Libera tudo de interna para interna
    $IT -A interna-interna -j ACCEPT

    ##########################################
    # interna para internet
    ##########################################

    # Libera http e ftp para Micros Totalmente Liberados
    $IT -A interna-internet -m multiport -p tcp -s 10.0.5.0/16 --dport 80,43,21 -j ACCEPT
    #$IT -A interna-internet -p udp -s $S_SERVIDOR --dport 20 -j ACCEPT

    # Protocolo 47 GRE para VPN
    $IT -A interna-internet -p 47 -j ACCEPT

    # Servicos basicos permitidos
    $IT -A interna-internet -m multiport -p tcp --dport domain,pop-3,smtp,imap,telnet,ssh,$P_PPTP,$P_TERMSERV,snmp,nntp,nntps,113 -j ACCEPT

    $IT -A interna-internet -m multiport -p tcp --dport $P_VNCA1,$P_VNCA2,$P_VNCW1,$P_VNCW2,$P_MESSENGER,$P_MESSENGEV,$P_PCANYD,$P_PCANYS,$P_SQL -j ACCEPT

    $IT -A interna-internet -m multiport -p udp --dport domain,snmp,$P_MESSENGER,$P_MESSENGEV,nntp,nntps -j ACCEPT

    # Acesso a Receita Federal, Minas e Energia, Ministerio Trabalho, Secret Fazenda
    $IT -A interna-internet -m multiport -p tcp --dport $P_RECEITANET,$P_RALNET1,$P_RALNET2,$P_RAISNET,$P_SAGC99,$P_SINTEGRA -j ACCEPT

    # Conexao com Conectividade Social
    $IT -A interna-internet -p tcp --dport $P_CONXSOC -j ACCEPT

    # Conexao com Cegedenet - Ministerio Trabalho
    $IT -A interna-internet -p tcp --dport $P_CAGEDNET -j ACCEPT

    # Conexao com a Rede SEFAZNET
    $IT -A interna-internet -p tcp --dport $P_SEFAZNET -d $S_SEFAZNET -j ACCEPT

    # Conexao com a Rede GIMNET
    $IT -A interna-internet -p tcp --dport $P_GIMNET -d $S_GIMNET -j ACCEPT

    # Conexao com a Caixa Economica
    $IT -A interna-internet -p tcp --dport http -d $S_CONSOC -j ACCEPT

    # Conexoes estabelecidas e relacionadas
    $IT -A interna-internet -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Ping e ICMP
    $IT -A interna-internet -j icmp-accept
    $IT -A interna-internet -p icmp --icmp-type ping -j ACCEPT

    ##########################################
    # internet para interna
    ##########################################

    # Conexoes estabelecidas e relacionadas
    $IT -A internet-interna -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ICMP
    $IT -A internet-interna -p icmp -j icmp-accept

    # Ident e pop3
    $IT -A internet-interna -m multiport -p tcp --dport 80,113,pop-3,smtp,ftp-data,ftp -j ACCEPT

    # MSN
    #$IT -A internet-interna -p tcp --dport 1024:65000 -j ACCEPT

    ############################################
    # Regras de input para o firewall: cautela!
    ############################################

    # ---- INTERFACE INTERNA------
    # Conexoes estabelecidas e relacionadas
    $IT -A interna-if -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Ping e ICMP
    $IT -A interna-if -j icmp-accept
    $IT -A interna-if -p icmp --icmp-type ping -j ACCEPT

    # ident
    #IT -A interna-if -p tcp --dport 113 -j REJECT

    # ftp, ssh e shell
    $IT -A interna-if -p tcp --dport ftp -j ACCEPT
    $IT -A interna-if -p tcp --dport ssh -j ACCEPT

    #permissao de acesso ao squid
    $IT -A interna-if -p tcp -s $REDE_INTERNA --dport 3128 -j ACCEPT

    #este firewall tambem eh dns para a rede interna
    $IT -A interna-if -p tcp --dport domain -j ACCEPT
    $IT -A interna-if -p udp --dport domain -j ACCEPT
    $IT -A interna-if -p tcp --dport smtp -j ACCEPT
    $IT -A interna-if -p tcp --dport pop-3 -j ACCEPT
    $IT -A interna-if -p tcp --dport 113 -j ACCEPT

    # ---- INTERFACE INTERNET ------
    # este firewall tambem eh dns para a rede interna
    $IT -A internet-if -p udp --dport domain -j ACCEPT
    $IT -A internet-if -p tcp --dport domain -j ACCEPT
    $IT -A internet-if -p tcp --dport smtp -j ACCEPT
    $IT -A internet-if -p udp --dport smtp -j ACCEPT
    $IT -A internet-if -p tcp --dport pop-3 -j ACCEPT
    $IT -A internet-if -p tcp --dport 113 -j ACCEPT
    $IT -A internet-if -p tcp --dport ftp -j ACCEPT
    $IT -A internet-if -p udp --dport ftp-data -j ACCEPT

    # Conexoes estabelecidas e relacionadas
    $IT -A internet-if -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ICMP
    $IT -A internet-if -j icmp-accept

    # ident
    $IT -A internet-if -p tcp --dport 113 -j REJECT
    [size=9px][/size]

    #TS
    iptables -t nat -A PREROUTING -s 200.xxx.xxx.xxx -m tcp -p tcp -i eth1 --dport 3389 -j DNAT --to-destination 10.0.0.xxx


    o que tem de errado para não permitir o TS ....
    outra coisa. não esta permitindo o ftp 200.199.14.8 ... os outros funcionar.