


  1. #1

    Firewall isn't doing TRANSPARENT PROXY / and isn't redirecting 5900 (VNC), WHY?

    #!/bin/bash
    #
    #########################################################################
    # #
    # Script purpose: FIREWALL #
    # Version: 1.0 #
    # #
    # Copyright (C) 2006 #
    #########################################################################
    #
    EXTERNAL=eth1
    INTERNAL=eth0
    IP=192.168.1.0/24
    SISTEMA=192.168.1.2
    TS=192.168.1.2
    NS_1=200.204.0.10
    NS_2=200.204.0.138
    LAN_RANGE='192.168.1.0/24'
    SLINUX='192.168.1.1'

    #--- Set TOS 16
    TOS_SERV='80 443'
    TOS_FTP='21'

    ######################
    # DHCP server #
    ######################

    dhcpd

    ######################
    # ProFTPD server #
    ######################

    proftpd

    ##########################
    # Webmin - Administration #
    ##########################

    /etc/webmin/start >/dev/null 2>&1 </dev/null
    echo ".....Starting Webmin...."

    ##########################
    # NTOP - Network traffic #
    ##########################

    /usr/local/bin/ntop -d -w 3000 -u ntop -i eth0
    echo ".....Starting NTOP...."

    ###################### Setting policies
    # (only flushes the chains; no -P is issued, so every chain keeps the kernel default policy, ACCEPT)
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F

    ###################### Enabling routing and blocking some packets
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects   # 1 = ICMP redirects are accepted
    echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

    ###################### LOADING MODULES
    /sbin/modprobe iptable_nat
    /sbin/modprobe ip_tables
    /sbin/modprobe ip_conntrack
    /sbin/modprobe ip_conntrack_ftp
    /sbin/modprobe ip_nat_ftp
    /sbin/modprobe ip_queue
    /sbin/modprobe ipt_LOG
    /sbin/modprobe ipt_MARK
    /sbin/modprobe ipt_MASQUERADE
    /sbin/modprobe ipt_MIRROR
    /sbin/modprobe ipt_REDIRECT
    /sbin/modprobe ipt_REJECT
    /sbin/modprobe ipt_TCPMSS
    /sbin/modprobe ipt_TOS
    /sbin/modprobe ipt_mac
    /sbin/modprobe ipt_mark
    /sbin/modprobe ipt_multiport
    /sbin/modprobe ipt_owner
    /sbin/modprobe ipt_state
    /sbin/modprobe ipt_tcpmss
    /sbin/modprobe ipt_unclean
    /sbin/modprobe iptable_filter
    /sbin/modprobe iptable_mangle
    /sbin/modprobe ipt_tos
    /sbin/modprobe ipt_limit

    ###################### DoS protection ##############################
    # -m unclean was an experimental 2.4-kernel match; later kernels do not ship it and this rule fails there
    iptables -A FORWARD -m unclean -j DROP

    ###################### Allow loopback
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A OUTPUT -s 127.0.0.1 -j ACCEPT

    ###################### Open the local network #
    iptables -A INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
    iptables -A INPUT -p tcp --syn -s 192.168.1.0/255.255.255.0 -j ACCEPT
    iptables -A OUTPUT -p tcp --syn -s 192.168.1.0/255.255.255.0 -j ACCEPT
    iptables -A FORWARD -p tcp --syn -s 192.168.1.0/255.255.255.0 -j ACCEPT
    iptables -A FORWARD -d 192.168.1.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT

    #######
    #INPUT#
    #######

    iptables -A INPUT -i eth1 -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT

    ##################
    # DNS resolution #
    ##################

    iptables -t nat -A POSTROUTING -o eth0 -d 200.204.0.10 -j MASQUERADE
    iptables -t nat -A POSTROUTING -o eth0 -d 200.204.0.138 -j MASQUERADE

    ###################### ALLOWING SSH
    iptables -A INPUT -p tcp --destination-port 10648 --syn -j ACCEPT
    iptables -A INPUT -p tcp --dport 10648 --syn -j ACCEPT
    iptables -A INPUT -p tcp -s 0/0 --dport 10648 --syn -j ACCEPT
    iptables -A FORWARD -p tcp --sport 10648 --syn -j ACCEPT
    iptables -A INPUT -p tcp --dport 10648 --syn -j DROP
    iptables -I POSTROUTING -j MASQUERADE -t nat -s $SLINUX -p tcp --dport 10648 -o $EXTERNAL

    # FTP
    iptables -A OUTPUT -p tcp --destination-port 21 --syn -j ACCEPT
    iptables -I POSTROUTING -j MASQUERADE -t nat -s $IP -p tcp --dport 21 -o $EXTERNAL
    iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED --syn -j ACCEPT
    iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED,RELATED --syn -j ACCEPT
    iptables -A OUTPUT -p tcp --destination-port 21 --syn -j ACCEPT
    iptables -t nat -A PREROUTING -d 201.0.51.X -m tcp -p tcp --dport 21 --syn -j ACCEPT
    iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 21 -j TOS --set-tos 16 # enters the host with maximum priority
    iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 21 -j TOS --set-tos 16

    # Msn
    iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 1863 --syn -j ACCEPT
    iptables -A FORWARD -p tcp -s 192.168.1.0/24 --dport 1863 --syn -j ACCEPT
    iptables -A OUTPUT -p tcp --destination-port 1863 --syn -j ACCEPT
    iptables -A OUTPUT -p tcp --destination-port 3306 --syn -j ACCEPT

    ###################### REDIRECTS
    # VNC
    iptables -A INPUT -p tcp --destination-port 5900 -j ACCEPT
    iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 5900 -j DNAT --to $SISTEMA
    iptables -A INPUT -p tcp --destination-port 5900 -j ACCEPT
    iptables -A INPUT -p tcp --dport 5900 -j ACCEPT
    iptables -A INPUT -p tcp -s 0/0 --dport 5900 -j ACCEPT
    iptables -A FORWARD -p tcp --sport 5900 -j ACCEPT
    iptables -A INPUT -p tcp -s 0/0 --dport 5900 -j ACCEPT
    iptables -t nat -A PREROUTING -d 201.0.51.X -m tcp -p tcp --dport 5900 -j ACCEPT
    iptables -t nat -A PREROUTING -d 201.0.51.X -m tcp -p tcp --dport 5900 -j DNAT --to 192.168.1.2
    iptables -t nat -A PREROUTING -s 0/0 -p tcp -i eth1 --dport 5900 -j DNAT --to-destination 192.168.1.2
    iptables -t mangle -A PREROUTING -i eth1 -p tcp --sport 5900 -j TOS --set-tos 16
    iptables -I POSTROUTING -j MASQUERADE -t nat -s $SISTEMA -p tcp --dport 5900 -o $EXTERNAL

    ######################################
    # Opening the MULTI-SERVICE system #
    ######################################

    iptables -A INPUT -p tcp -s 0/0 --dport 3580 -j ACCEPT
    iptables -A INPUT -p tcp -s 0/0 --dport 5907 -j ACCEPT
    iptables -A INPUT -p tcp -s 0/0 --dport 4550 -j ACCEPT
    iptables -A INPUT -p tcp -s 0/0 --dport 5550 -j ACCEPT
    iptables -A INPUT -p tcp -s 0/0 --dport 5547 -j ACCEPT
    iptables -A INPUT -p tcp -s 0/0 --dport 5548 -j ACCEPT
    iptables -A INPUT -p tcp -s 0/0 --dport 5549 -j ACCEPT
    iptables -A INPUT -p tcp -s 0/0 --dport 5546 -j ACCEPT
    iptables -A INPUT -p tcp -s 0/0 --dport 5900 -j ACCEPT

    iptables -A INPUT -p tcp --destination-port 3580 -j ACCEPT
    iptables -A INPUT -p tcp --destination-port 4550 -j ACCEPT
    iptables -A INPUT -p tcp --destination-port 5550 -j ACCEPT
    iptables -A INPUT -p tcp --destination-port 5547 -j ACCEPT
    iptables -A INPUT -p tcp --destination-port 5548 -j ACCEPT
    iptables -A INPUT -p tcp --destination-port 5549 -j ACCEPT
    iptables -A INPUT -p tcp --destination-port 5546 -j ACCEPT
    iptables -A INPUT -p tcp --destination-port 5900 -j ACCEPT

    iptables -I POSTROUTING -j MASQUERADE -t nat -s $SISTEMA -p tcp --dport 3580 -o $EXTERNAL
    iptables -I POSTROUTING -j MASQUERADE -t nat -s $SISTEMA -p tcp --dport 4550 -o $EXTERNAL
    iptables -I POSTROUTING -j MASQUERADE -t nat -s $SISTEMA -p tcp --dport 5550 -o $EXTERNAL
    iptables -I POSTROUTING -j MASQUERADE -t nat -s $SISTEMA -p tcp --dport 5547 -o $EXTERNAL
    iptables -I POSTROUTING -j MASQUERADE -t nat -s $SISTEMA -p tcp --dport 5548 -o $EXTERNAL
    iptables -I POSTROUTING -j MASQUERADE -t nat -s $SISTEMA -p tcp --dport 5549 -o $EXTERNAL
    iptables -I POSTROUTING -j MASQUERADE -t nat -s $SISTEMA -p tcp --dport 5546 -o $EXTERNAL
    iptables -I POSTROUTING -j MASQUERADE -t nat -s $SISTEMA -p tcp --dport 5907 -o $EXTERNAL

    iptables -t nat -A PREROUTING -d 201.0.51.X -m tcp -p tcp --dport 3580 -j ACCEPT
    iptables -t nat -A PREROUTING -d 201.0.51.X -m tcp -p tcp --dport 5907 -j ACCEPT
    iptables -t nat -A PREROUTING -d 201.0.51.X -m tcp -p tcp --dport 4550 -j ACCEPT
    iptables -t nat -A PREROUTING -d 201.0.51.X -m tcp -p tcp --dport 5550 -j ACCEPT
    iptables -t nat -A PREROUTING -d 201.0.51.X -m tcp -p tcp --dport 5547 -j ACCEPT
    iptables -t nat -A PREROUTING -d 201.0.51.X -m tcp -p tcp --dport 5548 -j ACCEPT
    iptables -t nat -A PREROUTING -d 201.0.51.X -m tcp -p tcp --dport 5549 -j ACCEPT
    iptables -t nat -A PREROUTING -d 201.0.51.X -m tcp -p tcp --dport 5546 -j ACCEPT

    iptables -t nat -A PREROUTING -d 201.0.51.X -m tcp -p tcp --dport 3580 -j DNAT --to 192.168.1.3
    iptables -t nat -A PREROUTING -d 201.0.51.X -m tcp -p tcp --dport 4550 -j DNAT --to 192.168.1.3
    iptables -t nat -A PREROUTING -d 201.0.51.X -m tcp -p tcp --dport 5550 -j DNAT --to 192.168.1.3
    iptables -t nat -A PREROUTING -d 201.0.51.X -m tcp -p tcp --dport 5900 -j DNAT --to 192.168.1.2

    #########################################
    # REDIRECTING PORTS TO THE LOCAL IP #
    #########################################

    iptables -t nat -A PREROUTING -s 0/0 -p tcp -i eth1 --dport 3580 -j DNAT --to-destination 192.168.1.3
    iptables -t nat -A PREROUTING -s 0/0 -p tcp -i eth1 --dport 4550 -j DNAT --to-destination 192.168.1.3
    iptables -t nat -A PREROUTING -s 0/0 -p tcp -i eth1 --dport 5550 -j DNAT --to-destination 192.168.1.3
    iptables -t nat -A PREROUTING -s 0/0 -p tcp -i eth1 --dport 5547 -j DNAT --to-destination 192.168.1.3
    iptables -t nat -A PREROUTING -s 0/0 -p tcp -i eth1 --dport 5548 -j DNAT --to-destination 192.168.1.3
    iptables -t nat -A PREROUTING -s 0/0 -p tcp -i eth1 --dport 5549 -j DNAT --to-destination 192.168.1.3
    iptables -t nat -A PREROUTING -s 0/0 -p tcp -i eth1 --dport 5546 -j DNAT --to-destination 192.168.1.3
    iptables -t nat -A PREROUTING -s 0/0 -p tcp -i eth1 --dport 5900 -j DNAT --to-destination 192.168.1.2

    ####################
    # Allowing ports #
    ####################

    iptables -A INPUT -p tcp -s 192.168.1.0/255.255.255.0 --dport 3580 -j ACCEPT
    iptables -A INPUT -p tcp -s 192.168.1.0/255.255.255.0 --dport 5907 -j ACCEPT
    iptables -A INPUT -p tcp -s 192.168.1.0/255.255.255.0 --dport 4550 -j ACCEPT
    iptables -A INPUT -p tcp -s 192.168.1.0/255.255.255.0 --dport 5550 -j ACCEPT
    iptables -A INPUT -p tcp -s 192.168.1.0/255.255.255.0 --dport 5900 -j ACCEPT

    ###################### OUTLOOK
    iptables -I POSTROUTING -j MASQUERADE -t nat -s $IP -p tcp --dport 25 -o $EXTERNAL
    iptables -I POSTROUTING -j MASQUERADE -t nat -s $IP -p tcp --dport 110 -o $EXTERNAL
    iptables -I POSTROUTING -j MASQUERADE -t nat -s $IP -p udp --dport 53 -o $EXTERNAL
    iptables -A FORWARD -p udp -s 192.168.1.0/24 -d 200.204.0.10 --dport 53 -j ACCEPT
    iptables -A FORWARD -p udp -s 192.168.1.0/24 -d 200.204.0.138 --dport 53 -j ACCEPT
    iptables -A FORWARD -p TCP -s 192.168.1.0/24 --dport 25 -j ACCEPT
    iptables -A FORWARD -p TCP -s 192.168.1.0/24 --dport 110 -j ACCEPT
    iptables -A FORWARD -p tcp --sport 25 -j ACCEPT
    iptables -A FORWARD -p tcp --sport 110 -j ACCEPT
    iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
    iptables -A FORWARD -p tcp --dport 110 -j ACCEPT
    # (no -j target: these two mangle rules only count matching packets)
    iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 25
    iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 110
    iptables -A FORWARD -p tcp -s 192.168.1.0/24 --dport 25 -j ACCEPT
    iptables -A FORWARD -p tcp -s 192.168.1.0/24 --dport 110 -j ACCEPT
    iptables -A OUTPUT -p tcp --destination-port 25 -j ACCEPT
    iptables -A OUTPUT -p tcp --destination-port 110 -j ACCEPT

    ###################### Transparent proxy ########################################
    echo -n "Loading transparent proxy...."
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
    iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth1 -j MASQUERADE
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to 3128
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1863 -j REDIRECT --to-port 3128
    iptables -A POSTROUTING -t nat -o eth1 -j MASQUERADE

    ###################### Log forbidden ports and some backdoors

    # FTP port
    iptables -A INPUT -p tcp --dport 21 -j LOG --log-prefix "Servico: FTP"

    # Wincrash port
    iptables -A INPUT -p tcp --dport 5042 -j LOG --log-prefix "Servico: Wincrash"

    # BackOrifice ports
    iptables -A INPUT -p tcp --dport 31337 -j LOG --log-prefix "Servico: BackOrifice"
    iptables -A INPUT -p tcp --dport 31338 -j LOG --log-prefix "Servico: BackOrifice"

    # Block traceroute
    iptables -A INPUT -p udp -s 0/0 -i $EXTERNAL --dport 33435:33525 -j DROP

    # Precaution against bugs in network address translation (NAT)
    iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP

    # Block pings coming from outside (as written this rule ACCEPTs them; echo requests go unanswered because of icmp_echo_ignore_all above)
    iptables -A INPUT -i $EXTERNAL -m state --state NEW -p icmp -j ACCEPT

    ###################### Port Scanners
    iptables -N SCANNER
    iptables -A SCANNER -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "port scanner: "
    iptables -A SCANNER -j DROP
    iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -i eth1 -j SCANNER
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -i eth1 -j SCANNER
    iptables -A INPUT -p tcp --tcp-flags ALL ALL -i eth1 -j SCANNER
    iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -i eth1 -j SCANNER
    iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -i eth1 -j SCANNER
    iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -i eth1 -j SCANNER
    iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -i eth1 -j SCANNER

    ###################### trojans

    iptables -N TROJAN
    iptables -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "trojan: "
    iptables -A TROJAN -j DROP

    ###################### Protect against damaged packets
    # Port scanners, Ping of Death, DoS attacks, SYN flood, etc.
    iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
    iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
    iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
    iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level INFO --log-prefix 'FIREWALL:ARQMORTOS'
    iptables -A INPUT -p tcp --dport 3128 -j REJECT --reject-with tcp-reset

    # Drop INVALID packets in INPUT, FORWARD and OUTPUT
    iptables -A FORWARD -m state --state INVALID -j DROP
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A OUTPUT -m state --state INVALID -j DROP

    # Enabling the local network - closing the rest
    #
    iptables -A FORWARD -d 192.168.1.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i $EXTERNAL -o $INTERNAL -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Close Squid connections per network interface
    iptables -A INPUT -i $EXTERNAL -p tcp --dport 3128 -j DROP

    # Closing the REST #
    #iptables -A INPUT -p tcp --syn -j DROP

    #####################
    # SQUID - Proxy #
    #####################

    # Starting the daemon:
    if [ -x /etc/rc.d/rc.squid ]; then
    . /etc/rc.d/rc.squid start
    fi

    # ---------------------------------------------------------------------------------------------------------------------------

    ********************** COULD SOMEONE HELP ME: WHY ISN'T IT DOING TRANSPARENT PROXY, AND WHY ISN'T IT REDIRECTING THE PORTS ABOVE OR THE VNC ONE? COULD SOME RULE BE BLOCKING IT?

    AWAITING A REPLY

    FABIANO

  2. #2


    For the DNATs, try allowing inbound connections in FORWARD, otherwise there's no way:

    iptables -A FORWARD -d 192.168.1.0/24 -p tcp --dport 5900 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    Do one for each port, avoid mport. It's safer, right?


  3. #3


    The thing is that people from OUTSIDE MY NETWORK access the LINUX MACHINE via VNC..... could YOU manage to TIDY UP THIS SCRIPT for me... PLEASE???

    HELP ME.
    THANK YOU!

  4. #4


    Man, unfortunately I can't, I have little time here to go through everything.
    But at a glance I already saw that you don't have inbound connections allowed via forward to your internal network. Since you redirect at the firewall, you should have them, for the ports you need, so:

    before this rule (above it):
    iptables -A FORWARD -d 192.168.1.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT

    put it like this, without duplicating, of course:
    iptables -A FORWARD -d 192.168.1.0/24 -p tcp --dport 5900 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -d 192.168.1.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT

    Make one of these inbound rules for each port you need. With just that, VNC should already work.

  5. #5


    Dear user,

    Try doing only the following in your script:

    Code:
    #!/bin/bash
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE
    # Squid listens on TCP only, so only TCP 80 is worth redirecting to it
    iptables -t nat -A PREROUTING -i $INTERNAL -p tcp --dport 80 -j REDIRECT --to-port 3128
    # VNC (RFB) runs over TCP, so the DNAT must match tcp; $IP_QUE_RODA_O_VNC is the address of the host running VNC
    iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 5900 -j DNAT --to-destination $IP_QUE_RODA_O_VNC

    Try just that. Then build up the rest.


    Cheers!
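    Added example, not part of any post in this thread. Besides the missing FORWARD rule the replies point at, the original script's nat PREROUTING section places `-j ACCEPT` rules for a port before the DNAT for that same port (the `201.0.51.X ... --dport 5900 -j ACCEPT` line sits right above the `-j DNAT --to 192.168.1.2` line). ACCEPT is a terminating target in the nat table too: the first packet of the connection leaves the table untranslated and the DNAT below is never consulted. The script below has a small awk lint that flags that ordering over a constructed sample (203.0.113.10 stands in for the public address; the 3389 rule is a correctly ordered control) and a helper that prints the two rules needed to publish one TCP port in the order the replies describe: translate in nat PREROUTING, then accept the NEW connection in FORWARD. Interface eth1 and host 192.168.1.2 are taken from the original script; everything else is an assumption of the example.

```shell
#!/bin/bash
# Added example (not from the thread). Helpers for the DNAT problem above:
#   lint_nat_shadowed_dnat - reads iptables commands on stdin and reports a nat
#                            PREROUTING rule that jumps to ACCEPT for a TCP port
#                            before a DNAT/REDIRECT for that same port. ACCEPT
#                            terminates traversal of the nat table, so the later
#                            translation never runs for that connection.
#   dnat_rules             - prints the per-port rules that publish one TCP port
#                            to an internal host, translation first.
#   baseline_rules         - the once-only rules the per-port rules rely on.

# Constructed sample in the shape of the original script (203.0.113.10 is a
# documentation address standing in for the public IP).
SAMPLE_RULES='iptables -t nat -A PREROUTING -d 203.0.113.10 -m tcp -p tcp --dport 5900 -j ACCEPT
iptables -t nat -A PREROUTING -d 203.0.113.10 -m tcp -p tcp --dport 5900 -j DNAT --to 192.168.1.2
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 3389 -j DNAT --to-destination 192.168.1.3'

lint_nat_shadowed_dnat() {
    awk '
        /-t nat/ && /PREROUTING/ {
            port = ""
            for (i = 1; i <= NF; i++) if ($i == "--dport") port = $(i + 1)
            if (port == "") next
            # remember the first ACCEPT seen for this port in the nat table
            if ($0 ~ /-j ACCEPT/) { accepted[port] = NR; next }
            # a translation for the same port after that ACCEPT is unreachable
            if ($0 ~ /-j (DNAT|REDIRECT)/ && (port in accepted))
                printf "port %s: rule %d is shadowed by ACCEPT at rule %d\n", port, NR, accepted[port]
        }'
}

# $1 = external interface, $2 = internal host, $3 = TCP port
dnat_rules() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s\n' "$1" "$3" "$2"
    printf 'iptables -A FORWARD -i %s -d %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$1" "$2" "$3"
}

# Default-deny plus return traffic; without -P ... DROP every ACCEPT is a no-op.
baseline_rules() {
    printf 'iptables -P INPUT DROP\niptables -P FORWARD DROP\n'
    printf 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
}

# Stand-alone run: lint the sample, then print a corrected rule set for VNC.
printf '%s\n' "$SAMPLE_RULES" | lint_nat_shadowed_dnat
baseline_rules
dnat_rules eth1 192.168.1.2 5900
```

    Pipe the generated rules to `sh` only as root and after reading them. On the live box, `iptables -t nat -L PREROUTING -n -v --line-numbers` shows per-rule counters: a growing count on the ACCEPT line and zero on the DNAT line below it is the symptom the lint detects offline. Two caveats the thread does not spell out: the original script never issues `iptables -P ... DROP`, so with the kernel default of ACCEPT all of its ACCEPT rules change nothing and only the explicit DROP/REJECT rules block anything; and redirecting port 443 to Squid's plain HTTP port cannot work, because the client sends a TLS handshake to a listener expecting HTTP. For port 80 the REDIRECT alone is not enough either; Squid has to be configured for interception (`http_port 3128 transparent` in Squid 2.6, the `httpd_accel_*` directives in 2.5).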

  6. #6


    Go with Stéfano's, he's right ....
    I get ahead of myself sometimes, but it's true.

    If it works with the rules he gave you, then you go on extending your firewall. It's easier and safer than posting the whole firewall here, don't you think?

    Good luck

  7. #7


    **********************************TOPIC CLOSED*****************************************************

    WITH THE RULES STEFANO WROTE PLUS A FEW MORE LITTLE RULES I MANAGED TO SOLVE THE VNC PROBLEM AND WENT ON IMPLEMENTING THE REST.

    THANKS FOR ALL THE TIPS AND ONCE AGAIN I THANK YOU FOR YOUR CONTRIBUTION; I DON'T KNOW WHERE YOU LIVE OR WHERE YOU'RE FROM.
    BUT I THANK GOD... BECAUSE I WAS IN A PITCHED BATTLE WITH MY IPTABLES.


    THANKS

    TOPIC CLOSED.

    FABIANO