redirecionamento de portas no iptables
12/11/2008, 11:51
Resposta: #1
redirecionamento de portas no iptables
Olá, tenho aqui na empresa um script que faz o redirecionamento de algumas portas externas do gateway para estações internas. O script funciona, com um porém: a porta externa (gateway) precisa ser igual à porta interna (estação com o serviço). Ex:

Código:
# WAN port 9000 -> station 31, port 9000 (external and internal port are the same)
"$IPT" -t nat -A PREROUTING -p tcp -i "$IF_WAN" --dport 9000 -j DNAT --to-destination "$IP_E31:9000"
--> funciona

Código:
# WAN port 10000 -> station 31, port 9000 (external port differs from the internal one;
# the FORWARD rule that accepts this traffic must match the internal port, 9000)
"$IPT" -t nat -A PREROUTING -p tcp -i "$IF_WAN" --dport 10000 -j DNAT --to-destination "$IP_E31:9000"
--> não funciona


abaixo o script de firewall completo:
*** esse script foi gerado com o gerador em: http://easyfwgen.morizot.net/
Código:
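#!/bin/sh
#
# Gateway firewall (iptables): default-deny filtering, egress policy for the
# LAN, transparent proxy and port forwards to internal hosts.
# Must run as root. "stop" as the first argument flushes everything and exits.

########## CONFIGURATION PARAMETERS ############################
#
# iptables binary
IPT="/sbin/iptables"
#
# internet-facing interface
IF_WAN="eth2"
# WAN address, sampled once at start-up from ifconfig output. Only the IPv4
# line ("inet addr:") is considered so an "inet6 addr:" line cannot add a
# stray value.
# NOTE(review): this value is read once; with a dynamic address on eth2
# (ip_dynaddr is enabled below) it goes stale until the script is re-run,
# and every rule that matches "-d $IP_WAN" then refers to the old address.
IP_WAN=$(ifconfig "$IF_WAN" 2>/dev/null | grep 'inet addr:' | awk '{print $2}' | cut -d: -f2)
if [ -z "$IP_WAN" ]; then
    echo "WARNING: could not determine the address of $IF_WAN; rules that use -d \$IP_WAN will be malformed" >&2
fi
# internal hosts that receive forwarded ports
IP_WIN2003="10.1.1.253"
IP_E31="10.1.1.113"
IP_SERVRV="10.1.1.247"
# LAN interface
IF_LAN="eth1"
IP_LAN="10.1.1.254"        # this machine's LAN address
NET_LAN="10.1.1.0/24"    # LAN network
BCAST_LAN="10.1.1.255"    # LAN broadcast address
#
# loopback
IF_LO="lo"
IP_LO="127.0.0.1"
#
################################################################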
#
################################################################

########## LOAD KERNEL MODULES #################################
#
echo "Carregando Modulos do Kernel..."
# Same order as before: core netfilter, connection tracking, NAT table,
# MASQUERADE target, then the FTP helpers (active-mode FTP needs them to
# cross the NAT).
for module in ip_tables ip_conntrack iptable_nat ipt_MASQUERADE ip_nat_ftp ip_conntrack_ftp; do
    /sbin/modprobe "$module"
done
#
################################################################

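########## KERNEL PARAMETERS ###################################
#
echo "Configurando Modulos do Kernel..."
# route between the interfaces (connection sharing)
echo 1 > /proc/sys/net/ipv4/ip_forward
# NOTE(review): the generator placed "iptables -t nat -A POSTROUTING -o eth1
# -j MASQUERADE" here. It is gone on purpose: the nat table is flushed in
# the reset section before any rule is rebuilt, so it never took effect on a
# running firewall, and masquerading towards the LAN would have rewritten the
# source of every forwarded connection to the gateway's LAN address, hiding
# the real client from the internal servers' logs. Internet sharing is the
# POSTROUTING rule on the WAN interface in the NAT section.
# dynamic address on the WAN link
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
# SYN cookies against SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# reverse-path validation: drop packets whose source is not routed via the
# interface they arrived on
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# do not answer broadcast pings (smurf amplification)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# refuse source-routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# only honour ICMP redirects that come from a configured gateway
echo 1 > /proc/sys/net/ipv4/conf/all/secure_redirects
# log packets with impossible (martian) source addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#
################################################################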

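########## RESET IPTABLES ######################################
#
echo "Limpando Regras do Iptables..."
# "stop" is meant to leave the box open (all policies ACCEPT). On a
# (re)load the filter policies are set to DROP *before* the flush so the
# moment between dropping the old rules and installing the new ones never
# leaves the gateway open; the filter section sets DROP again anyway.
if [ "$1" = "stop" ]; then
    filter_policy=ACCEPT
else
    filter_policy=DROP
fi
for chain in INPUT FORWARD OUTPUT; do
    "$IPT" -P "$chain" "$filter_policy"
done
for chain in PREROUTING POSTROUTING OUTPUT; do
    "$IPT" -t nat -P "$chain" ACCEPT
done
for chain in PREROUTING OUTPUT; do
    "$IPT" -t mangle -P "$chain" ACCEPT
done
# flush every rule, then delete the user-defined chains, table by table
for table in filter nat mangle; do
    "$IPT" -t "$table" -F
    "$IPT" -t "$table" -X
done
# with 'stop' the script ends here
if [ "$1" = "stop" ]; then
    echo "Firewall Morto"
    # NOTE(review): ip_forward was enabled above and every policy is now
    # ACCEPT, so after "stop" this host keeps routing between the LAN and
    # the internet with no filtering at all.
    echo "WARNING: forwarding is still enabled (ip_forward=1) and all policies are ACCEPT" >&2
    exit 0
fi
#
################################################################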

########## FILTER TABLE ########################################
#
echo "Criando Tabela de Filtros"
# default-deny on every built-in chain; everything that follows is an allow-list
for chain in INPUT OUTPUT FORWARD; do
    "$IPT" -P "$chain" DROP
done
######## USER-DEFINED CHAINS #################################
echo "Criando Correntes Personalizadas"
# sanity checks (bad_packets, bad_tcp_packets), per-protocol handling of
# traffic arriving from the internet (icmp_packets, udp_inbound, tcp_inbound)
# and the egress policy for the LAN (udp_outbound, tcp_outbound)
for chain in bad_packets bad_tcp_packets icmp_packets udp_inbound udp_outbound tcp_inbound tcp_outbound; do
    "$IPT" -N "$chain"
done
echo "Setando Correntes Personalizadas"
###### BAD_PACKETS CHAIN ###################################
# anti-spoofing: a packet arriving from the internet must never carry a LAN
# source address (uncomment the LOG line to record attempts)
#"$IPT" -A bad_packets -i "$IF_WAN" -s "$NET_LAN" -j LOG --log-prefix "::pacote forjado> "
"$IPT" -A bad_packets -i "$IF_WAN" -s "$NET_LAN" -j DROP
# packets conntrack cannot associate with any connection
#"$IPT" -A bad_packets -m state --state INVALID -j LOG --log-prefix "::pacote invalido> "
"$IPT" -A bad_packets -m state --state INVALID -j DROP
# TCP gets the extra flag checks
"$IPT" -A bad_packets -p tcp -j bad_tcp_packets
# looks fine: back to the calling chain
"$IPT" -A bad_packets -j RETURN
############################################################

###### BAD_TCP_PACKETS CHAIN ###############################
# the LAN is trusted: its TCP is not flag-checked
"$IPT" -A bad_tcp_packets -p tcp -i "$IF_LAN" -j RETURN
#
# a NEW connection must start with a SYN (drops stray ACK/FIN probes)
#"$IPT" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "::pacote tcp ruim-t1> "
"$IPT" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
# flag combinations that never occur in a real session (null, xmas, ...),
# the ones scanners use. Each entry is "mask compare" for --tcp-flags,
# in the original order. The per-rule LOG variants ("::pacote tcp ruim-t2> "
# to "-t7> ") were commented out in the original and are not reproduced.
for flags in "ALL NONE" "ALL ALL" "ALL FIN,URG,PSH" "ALL SYN,RST,ACK,FIN,URG" "SYN,RST SYN,RST" "SYN,FIN SYN,FIN"; do
    # shellcheck disable=SC2086 -- $flags intentionally splits into mask and comp
    "$IPT" -A bad_tcp_packets -p tcp --tcp-flags $flags -j DROP
done
# flags look sane: back to the calling chain
"$IPT" -A bad_tcp_packets -p tcp -j RETURN
############################################################

###### ICMP_PACKETS CHAIN ##################################
# fragmented ICMP is never legitimate here (ping-of-death style DoS)
#"$IPT" -A icmp_packets -p icmp --fragment -j LOG --log-prefix "::pacote ataque dos> "
"$IPT" -A icmp_packets -p icmp --fragment -j DROP
# do not answer echo requests from the internet (type 8)
"$IPT" -A icmp_packets -p icmp --icmp-type echo-request -j DROP
# other ICMP returns to INPUT; nothing there accepts it, so the DROP policy applies
"$IPT" -A icmp_packets -p icmp -j RETURN
############################################################

###### UDP_INBOUND CHAIN ###################################
# NetBIOS name/datagram service noise from the internet
for port in 137 138; do
    "$IPT" -A udp_inbound -p udp --dport "$port" -j DROP
done
# DHCP replies (server port 67 -> client port 68) for a dynamically
# addressed WAN link.
# NOTE(review): the source is unrestricted, so any host on the WAN segment
# could deliver a DHCP reply; that is the usual trade-off on such links.
"$IPT" -A udp_inbound -p udp --sport 67 --dport 68 -j ACCEPT
# everything else returns to INPUT and ends in the DROP policy
"$IPT" -A udp_inbound -p udp -j RETURN
############################################################

###### UDP_OUTBOUND CHAIN ##################################
# ICQ (UDP 4000) may not leave the LAN; REJECT so the client fails fast
"$IPT" -A udp_outbound -p udp --dport 4000 -j REJECT
# any other UDP from the LAN may leave
"$IPT" -A udp_outbound -p udp -j ACCEPT
############################################################

###### TCP_INBOUND CHAIN ###################################
# no TCP service on the gateway itself is reachable from the internet
# (the disabled line would expose sshd, listening on 8963, to the WAN)
# "$IPT" -A tcp_inbound -p tcp --dport 8963 -j ACCEPT
# back to INPUT, where the DROP policy applies
"$IPT" -A tcp_inbound -p tcp -j RETURN
############################################################

###### TCP_OUTBOUND CHAIN ##################################
# egress policy for the LAN. A few protocols are rejected outright, in the
# original order: 22 ssh, 194 irc, 23 telnet, 119 usenet, 5190 aim
for port in 22 194 23 119 5190; do
    "$IPT" -A tcp_outbound -p tcp --dport "$port" -j REJECT
done
# MSN (1863): two stations are allowed, everyone else is logged and rejected
for host in 10.1.1.8 10.1.1.105; do
    "$IPT" -A tcp_outbound -p tcp -s "$host" --dport 1863 -j ACCEPT
done
"$IPT" -A tcp_outbound -p tcp --dport 1863 -j LOG --log-prefix "::tentativa msn> "
"$IPT" -A tcp_outbound -p tcp --dport 1863 -j REJECT
# any other TCP from the LAN may leave
"$IPT" -A tcp_outbound -p tcp -j ACCEPT
############################################################
##############################################################

######## INPUT CHAIN #########################################
echo "Setando Corrente Input"
# loopback is unrestricted
"$IPT" -A INPUT -i "$IF_LO" -j ACCEPT
# sanity checks first (spoofed LAN sources from the WAN, INVALID, bad TCP flags)
"$IPT" -A INPUT -j bad_packets
# all-hosts multicast (seen from the modem)
"$IPT" -A INPUT -d 224.0.0.1 -j DROP
# the LAN is fully trusted towards this host: anything from the LAN
# network, plus LAN broadcasts, is accepted
"$IPT" -A INPUT -i "$IF_LAN" -s "$NET_LAN" -j ACCEPT
"$IPT" -A INPUT -i "$IF_LAN" -d "$BCAST_LAN" -j ACCEPT
# DHCP requests from LAN clients (client port 68 -> server port 67); a client
# without an address typically sends from 0.0.0.0, which the NET_LAN rule
# above does not match
"$IPT" -A INPUT -p udp -i "$IF_LAN" --sport 68 --dport 67 -j ACCEPT
# sshd (8963) from the LAN -- already covered by the NET_LAN rule, kept as an
# explicit statement of intent
"$IPT" -A INPUT -p tcp -i "$IF_LAN" --dport 8963 -j ACCEPT
# apache from the LAN (disabled)
# "$IPT" -A INPUT -p tcp -i "$IF_LAN" --dport 80 -j ACCEPT
# replies to connections this host opened towards the internet
"$IPT" -A INPUT -i "$IF_WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
# new traffic from the internet goes to the per-protocol chains; whatever
# they RETURN falls through to the DROP policy
"$IPT" -A INPUT -p tcp -i "$IF_WAN" -j tcp_inbound
"$IPT" -A INPUT -p udp -i "$IF_WAN" -j udp_inbound
"$IPT" -A INPUT -p icmp -i "$IF_WAN" -j icmp_packets
# remaining broadcasts are dropped
"$IPT" -A INPUT -m pkttype --pkt-type broadcast -j DROP
##############################################################

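######## FORWARD CHAIN #######################################
echo "Setando Corrente Forward"
# Rate limit applied to every LOG rule in this chain. Without it a scan or a
# flood from the internet -- or a LAN client polling one of the webmail
# addresses below -- can fill syslog and the disk.
LOG_LIMIT="-m limit --limit 5/min --limit-burst 10"
#
# external POP3 servers: only LOGGED for now (the DROP lines are disabled),
# so fetching mail from these providers still works
# pop.gmail.com
# shellcheck disable=SC2086 -- $LOG_LIMIT is meant to split into options
"$IPT" -A FORWARD -d 74.125.45.109 $LOG_LIMIT -j LOG --log-prefix "::tentativa gmail> "
"$IPT" -A FORWARD -d 74.125.45.111 $LOG_LIMIT -j LOG --log-prefix "::tentativa gmail> "
#"$IPT" -A FORWARD -d 66.249.83.109 -j DROP
#"$IPT" -A FORWARD -d 66.249.83.111 -j DROP
# pop3.uol.com.br
"$IPT" -A FORWARD -d 200.221.4.5 $LOG_LIMIT -j LOG --log-prefix "::tentativa uol> "
#"$IPT" -A FORWARD -d 200.221.4.5 -j DROP
# pop3.bol.com.br
"$IPT" -A FORWARD -d 200.221.4.119 $LOG_LIMIT -j LOG --log-prefix "::tentativa bol> "
#"$IPT" -A FORWARD -d 200.221.4.119 -j DROP
# pop.mail.yahoo.com.br / pop.mail.yahoo.com
"$IPT" -A FORWARD -d 209.191.69.3 $LOG_LIMIT -j LOG --log-prefix "::tentativa yahoo> "
"$IPT" -A FORWARD -d 206.190.53.11 $LOG_LIMIT -j LOG --log-prefix "::tentativa yahoo> "
#"$IPT" -A FORWARD -d 209.191.69.3 -j DROP
#"$IPT" -A FORWARD -d 206.190.53.11 -j DROP

# sanity checks (spoofed sources, INVALID, bad TCP flags)
"$IPT" -A FORWARD -j bad_packets
# LAN -> internet: TCP and UDP go through the egress policy chains, the rest is accepted
"$IPT" -A FORWARD -p tcp -i "$IF_LAN" -j tcp_outbound
"$IPT" -A FORWARD -p udp -i "$IF_LAN" -j udp_outbound
"$IPT" -A FORWARD -i "$IF_LAN" -j ACCEPT
# internet -> LAN: replies to connections opened from the LAN
"$IPT" -A FORWARD -i "$IF_WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Port forwards. FORWARD sees a packet AFTER nat/PREROUTING has applied the
# DNAT, so each rule here must match the INTERNAL address and port (the
# --to-destination of the DNAT rule), never the port the client used on the
# WAN side. That is what allows an external port to differ from the internal
# one: WAN 10000 -> E31:9000 is still accepted by the "--dport 9000 -d
# $IP_E31" rule below.
# NOTE(review): all of these accept any source address on the internet. For
# the terminal-services forwards (3389, 9000) consider adding "-s" with the
# addresses that legitimately connect.
forward_service() {
    # $1 protocol, $2 internal port, $3 internal host, $4 log prefix
    # shellcheck disable=SC2086 -- $LOG_LIMIT is meant to split into options
    "$IPT" -A FORWARD -p "$1" -i "$IF_WAN" --dport "$2" -d "$3" $LOG_LIMIT -j LOG --log-prefix "$4"
    "$IPT" -A FORWARD -p "$1" -i "$IF_WAN" --dport "$2" -d "$3" -j ACCEPT
}
# terminal services on the Windows 2003 server
forward_service tcp 3389 "$IP_WIN2003" "::tswin2003> "
# terminal services on station 31
forward_service tcp 9000 "$IP_E31" "::tsE31> "
# "rio vivo" services server
forward_service tcp 1980 "$IP_SERVRV" "::tsSERVRV:1980:TCP> "
forward_service udp 1980 "$IP_SERVRV" "::tsSERVRV:1980:UDP> "
# WAN port 9003 is DNATed to port 80 on this server (NAT table), so the
# FORWARD match is port 80. The original matched 9003 here, which can never
# hit once the port has been rewritten -- the traffic ended in the
# catch-all log below and the DROP policy.
forward_service tcp 80 "$IP_SERVRV" "::tsSERVRV:80> "
forward_service tcp 1982 "$IP_SERVRV" "::tsSERVRV:1982>"
#
# anything else from the internet is logged (rate limited) and then hits the DROP policy
"$IPT" -A FORWARD -p tcp -i "$IF_WAN" $LOG_LIMIT -j LOG --log-prefix "somet>"

##############################################################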

######## OUTPUT CHAIN ########################################
echo "Setando Corrente Output"
# ICMP that conntrack classifies as INVALID is not sent
"$IPT" -A OUTPUT -p icmp -m state --state INVALID -j DROP
# everything this host originates may leave: loopback, LAN and internet,
# matched by source address or by outgoing interface, in the original order
for match in "-s $IP_LO" "-o $IF_LO" "-s $IP_LAN" "-o $IF_LAN" "-o $IF_WAN"; do
    # shellcheck disable=SC2086 -- $match intentionally splits into option and value
    "$IPT" -A OUTPUT $match -j ACCEPT
done
##############################################################

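######## NAT TABLE ###########################################
echo "Setando Tabela NAT"
# Port forwards from the internet to internal hosts.
# Only packets addressed to this gateway's own WAN address are rewritten
# (the 9003 rule already did this; the others now do too), so transit
# traffic that happens to use the same destination port is left alone.
# If IP_WAN could not be determined the "-d" match is omitted instead of
# emitting a malformed option that would make iptables reject the rule.
# NOTE(review): because of the "-d" match, a changed dynamic WAN address
# silently breaks the forwards until the script is re-run.
# The external port (--dport) and the internal port (after the colon in
# --to-destination) may differ; the matching ACCEPT in the FORWARD chain must
# then use the INTERNAL port, because FORWARD sees the packet after this
# rewrite.
WAN_DST=${IP_WAN:+-d $IP_WAN}
dnat_to() {
    # $1 external port on the WAN side, $2 internal "host:port"
    # shellcheck disable=SC2086 -- $WAN_DST intentionally splits into "-d addr" (or nothing)
    "$IPT" -t nat -A PREROUTING -p tcp -i "$IF_WAN" $WAN_DST --dport "$1" -j DNAT --to-destination "$2"
}
# terminal services on the Windows 2003 server
dnat_to 3389 "$IP_WIN2003:3389"
# terminal services on station 31
dnat_to 9000 "$IP_E31:9000"
# "rio vivo" services server
dnat_to 1980 "$IP_SERVRV:1980"
# WAN 9003 -> web server port 80 (the FORWARD rule must accept port 80 on $IP_SERVRV)
dnat_to 9003 "$IP_SERVRV:80"
dnat_to 1982 "$IP_SERVRV:1982"

# transparent proxy: LAN web traffic is redirected to squid on 3128, except
# for the listed hosts, which reach the web directly. Restricted to the LAN
# interface so port-80 packets arriving from the internet are not bounced
# into the proxy.
for host in 10.1.1.2 10.1.1.247 10.1.1.8; do
    "$IPT" -t nat -A PREROUTING -p tcp -i "$IF_LAN" -s "$host" --dport 80 -j ACCEPT
done
"$IPT" -t nat -A PREROUTING -p tcp -i "$IF_LAN" --dport 80 -j REDIRECT --to-ports 3128
# internet sharing: everything leaving through the WAN gets the WAN address
"$IPT" -t nat -A POSTROUTING -o "$IF_WAN" -j MASQUERADE
##############################################################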

######## MANGLE TABLE ########################################
echo "Setando Tabela Mangle"
# rewrite the TTL of packets this host sends to the internet to 128 (the
# value Windows hosts commonly use, so TTL-based fingerprinting sees one).
# mangle/OUTPUT only covers locally generated packets, not forwarded LAN traffic.
"$IPT" -t mangle -A OUTPUT -o "$IF_WAN" -j TTL --ttl-set 128
##############################################################

se alguém souber o porquê das portas (interna, externa) precisarem ser iguais... (Observação do revisor: não precisam. A corrente FORWARD recebe o pacote já depois do DNAT, com IP e porta internos, então a regra de ACCEPT em FORWARD deve casar a porta interna (9000) e não a externa (10000). O próprio script mostra o problema: o DNAT da porta 9003 manda para $IP_SERVRV:80, mas a regra de FORWARD correspondente casa --destination-port 9003, que nunca bate depois da reescrita. Além disso, como tanto o DNAT quanto as regras de FORWARD usam -i eth2, o redirecionamento só pode ser testado a partir da Internet, não de dentro da rede local.)

Obrigado,
Renato