julio1400
(usa Ubuntu)
Enviado em 27/04/2010 - 12:59h
Bom dia pessoal, estou com um problema de comunicação com minha VPN (OpenVPN).
Quando tento conectar a ela via intranet, ela conecta normalmente; porém, quando tento conectar externamente, não conecta. Tento fazer, via Windows, um acesso via telnet na porta 1194 e a conexão falha.
Seguem abaixo as regras do meu firewall. Por favor, help me.
#!/bin/sh
# iptables firewall / NAT script. Interfaces, addresses and hosts referenced by
# the rules below are declared here so the rules themselves stay literal-free.
readonly externa='eth0'            # interface facing the Internet
readonly interna='eth1'            # interface facing the LAN
readonly meuip='189.33.200.156'    # public address matched by the DNAT rules (-d)
readonly mundo='0/0'               # "any source"; used as -s in the DNAT rules
readonly rede='10.10.1.0/24'       # LAN range that is masqueraded/forwarded
readonly codc01='10.10.1.1'        # DNAT target for RDP, MySQL and port 1001
readonly cofw01='10.10.1.254'      # DNAT target for SSH and OpenVPN
readonly producao1='10.10.1.10'    # not referenced by the rules in this script
readonly producao2='10.10.1.21'    # not referenced by the rules in this script
readonly nfe='10.10.1.99'          # not referenced by the rules in this script
readonly monitoramento='10.10.1.23' # DNAT target for tcp/udp 7620-7625
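#######################################
# Loads the rule set: flushes the filter, nat and mangle tables, loads the
# netfilter modules, enables IP forwarding, sets up masquerading and the
# transparent Squid redirect, adds the INPUT/FORWARD allowances and the port
# forwards (DNAT) to the internal hosts.
# Globals:   externa, interna, meuip, mundo, rede, codc01, cofw01,
#            monitoramento (all read-only)
# Outputs:   one status line on stdout
# Returns:   status of the final echo (iptables failures are not checked)
#######################################
firewall_start(){
  # limpando o firewall (filter, nat and mangle tables; -X and -Z act on the
  # filter table only)
  iptables -F
  iptables -F -t nat
  iptables -t mangle -F
  iptables -X
  iptables -Z
  # carregando os modulos
  # NOTE(review): ip_nat_ftp / ip_conntrack / ip_conntrack_ftp are the legacy
  # module names; on newer kernels they are nf_nat_ftp / nf_conntrack(_ftp).
  # A failed modprobe is not fatal here, so a wrong name only prints an error.
  modprobe iptable_nat
  modprobe ip_nat_ftp
  modprobe iptable_filter
  modprobe ip_tables
  modprobe ip_conntrack
  modprobe ip_conntrack_ftp
  modprobe ipt_MASQUERADE
  modprobe ipt_LOG
  # repassa os pacotes para o resto da rede
  echo 1 > /proc/sys/net/ipv4/ip_forward
  # faz o mascaramento VPN: only the single VPN client 10.0.0.2 is masqueraded
  # towards the LAN; widen -s to the VPN subnet if more clients are expected.
  iptables -t nat -A POSTROUTING -s 10.0.0.2 -o "$interna" -j MASQUERADE
  # faz o mascaramento (inserted at the top of POSTROUTING; no -o is given, so
  # it applies on every outgoing interface)
  iptables -t nat -I POSTROUTING -s "$rede" -j MASQUERADE
  # Accepts every forwarded packet originating in the LAN. There is no
  # ESTABLISHED,RELATED rule in FORWARD, so replies from the DNAT targets below
  # rely on this rule.
  iptables -A FORWARD -s "$rede" -j ACCEPT
  # libera conexao com sefaz (already covered by the LAN rule above; kept so
  # the intent is documented)
  iptables -A FORWARD -s "$rede" -p tcp -d 200.201.173.0/24 -j ACCEPT
  iptables -A FORWARD -s "$rede" -p tcp -d 200.201.174.0/24 -j ACCEPT
  # regra do squid: transparent proxy for LAN HTTP, except host 10.10.1.100
  # (matches first, target last — same semantics as the original ordering)
  iptables -t nat -A PREROUTING -i "$interna" -p tcp --dport 80 ! -s 10.10.1.100 \
    -j REDIRECT --to-port 3129
  #######################################################################################
  # define as politicas padrao
  # NOTE(review): no policy is set by this script, so INPUT/FORWARD/OUTPUT keep
  # whatever policy was last set (kernel default: ACCEPT). With ACCEPT policies
  # the INPUT rules below are purely additive and the host itself is not
  # filtered; decide explicitly and uncomment accordingly.
  #iptables -P INPUT DROP
  #iptables -P FORWARD DROP
  #iptables -P OUTPUT DROP
  # Permite conexao interface de rede local e na porta 22:
  iptables -A INPUT -i "$interna" -j ACCEPT
  iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  # Regras basicas de firewall:
  iptables -A INPUT -i lo -j ACCEPT
  # Garante que o firewall permite pacotes de conexoes ja iniciadas
  # (the original listed this rule twice; the duplicate was never reached)
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # regras padroes
  iptables -A FORWARD -p tcp -i "$interna" --dport 1194 -j ACCEPT
  iptables -A FORWARD -p tcp -i "$externa" --dport 1194 -j ACCEPT
  iptables -A FORWARD -p tcp -i "$interna" --dport 2631 -j ACCEPT
  iptables -A FORWARD -p tcp -i "$interna" --dport 53 -j ACCEPT
  iptables -A FORWARD -p udp -i "$interna" --dport 53 -j ACCEPT
  iptables -A FORWARD -p tcp -i "$interna" --dport 80 -j ACCEPT
  iptables -A FORWARD -p tcp -i "$interna" --dport 443 -j ACCEPT
  iptables -A FORWARD -p tcp -i "$interna" --dport 25 -j ACCEPT
  iptables -A FORWARD -p tcp -i "$interna" --dport 21 -j ACCEPT
  iptables -A FORWARD -p tcp -i "$interna" --dport 110 -j ACCEPT
  iptables -A FORWARD -p tcp -i "$interna" --dport 465 -j ACCEPT
  iptables -A FORWARD -p tcp -i "$interna" --dport 995 -j ACCEPT
  iptables -A FORWARD -p tcp --dport 7620:7625 -j ACCEPT
  iptables -A OUTPUT -p tcp --dport 7620:7625 -j ACCEPT
  iptables -A INPUT -p tcp --dport 7620:7625 -j ACCEPT
  # NOTE(review): every DNAT below uses -s "$mundo", i.e. the forwarded service
  # (SSH, OpenVPN, RDP, MySQL, 1001) is reachable from any Internet source.
  # Restrict -s to the expected client ranges wherever the clients are known.
  # nat do SSH
  iptables -t nat -A PREROUTING -s "$mundo" -p tcp -d "$meuip" --dport 22 -j DNAT --to-dest "$cofw01"
  iptables -A FORWARD -p tcp --dport 22 -d "$cofw01" -j ACCEPT
  iptables -t nat -A PREROUTING -s "$mundo" -p udp -d "$meuip" --dport 22 -j DNAT --to-dest "$cofw01"
  iptables -A FORWARD -p udp --dport 22 -d "$cofw01" -j ACCEPT
  # nat da VPN
  # NOTE(review): OpenVPN defaults to UDP 1194, so a telnet test only exercises
  # the TCP rule. If the OpenVPN daemon runs on this host (and $cofw01 is its
  # LAN address), the DNAT'd packets are delivered to INPUT, where no rule
  # accepts 1194 on $externa — they pass only while the INPUT policy is ACCEPT.
  # Confirm where the daemon actually listens before changing the rules.
  iptables -t nat -A PREROUTING -s "$mundo" -p tcp -d "$meuip" --dport 1194 -j DNAT --to-dest "$cofw01"
  iptables -A FORWARD -p tcp --dport 1194 -d "$cofw01" -j ACCEPT
  iptables -t nat -A PREROUTING -s "$mundo" -p udp -d "$meuip" --dport 1194 -j DNAT --to-dest "$cofw01"
  iptables -A FORWARD -p udp --dport 1194 -d "$cofw01" -j ACCEPT
  # nat do rdp
  iptables -t nat -A PREROUTING -s "$mundo" -p tcp -d "$meuip" --dport 3389 -j DNAT --to-dest "$codc01"
  iptables -A FORWARD -p tcp --dport 3389 -d "$codc01" -j ACCEPT
  iptables -t nat -A PREROUTING -s "$mundo" -p udp -d "$meuip" --dport 3389 -j DNAT --to-dest "$codc01"
  iptables -A FORWARD -p udp --dport 3389 -d "$codc01" -j ACCEPT
  # nat do monitoramento (the FORWARD/OUTPUT/INPUT 7620:7625 rules above
  # already accept this range; these per-host rules are kept for clarity)
  iptables -t nat -A PREROUTING -s "$mundo" -p tcp -d "$meuip" --dport 7620:7625 -j DNAT --to-dest "$monitoramento"
  iptables -A FORWARD -p tcp --dport 7620:7625 -d "$monitoramento" -j ACCEPT
  iptables -t nat -A PREROUTING -s "$mundo" -p udp -d "$meuip" --dport 7620:7625 -j DNAT --to-dest "$monitoramento"
  iptables -A FORWARD -p udp --dport 7620:7625 -d "$monitoramento" -j ACCEPT
  # nat do banco
  iptables -t nat -A PREROUTING -s "$mundo" -p tcp -d "$meuip" --dport 3306 -j DNAT --to-dest "$codc01"
  iptables -A FORWARD -p tcp --dport 3306 -d "$codc01" -j ACCEPT
  iptables -t nat -A PREROUTING -s "$mundo" -p udp -d "$meuip" --dport 3306 -j DNAT --to-dest "$codc01"
  iptables -A FORWARD -p udp --dport 3306 -d "$codc01" -j ACCEPT
  # nat do isia
  iptables -t nat -A PREROUTING -s "$mundo" -p tcp -d "$meuip" --dport 1001 -j DNAT --to-dest "$codc01"
  iptables -A FORWARD -p tcp --dport 1001 -d "$codc01" -j ACCEPT
  iptables -t nat -A PREROUTING -s "$mundo" -p udp -d "$meuip" --dport 1001 -j DNAT --to-dest "$codc01"
  iptables -A FORWARD -p udp --dport 1001 -d "$codc01" -j ACCEPT
  # Bloqueia as portas UDP de 0 a 1023 (com exc. abertas acima):
  #iptables -A INPUT -p udp --dport 0:1023 -j DROP
  # final
  #iptables -A INPUT -p tcp --syn -j DROP
  echo "Regras de firewall e compartilhamento ativados"
}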
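#######################################
# Disables the firewall: flushes the filter, nat and mangle tables, resets the
# built-in chain policies to ACCEPT and turns kernel IP forwarding off.
# The original reset only INPUT and OUTPUT and left mangle untouched; this
# makes stop symmetric with firewall_start. The FORWARD policy is moot once
# ip_forward is 0, so resetting it opens nothing.
# Globals:   none
# Returns:   status of the final echo (iptables failures are not checked)
#######################################
firewall_stop(){
  iptables -F
  iptables -t nat -F
  iptables -t mangle -F
  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT
  echo 0 > /proc/sys/net/ipv4/ip_forward
}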
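# Entry point: start | stop | restart. Any other (or missing) argument lists
# the active filter rules. Status messages are printed around the action so
# "ok." is only shown after it has actually run (the original printed it
# before restarting).
case "${1:-}" in
  "start")
    firewall_start
    ;;
  "stop")
    echo "O Firewall esta sendo desativado"
    firewall_stop
    sleep 2
    echo "ok."
    ;;
  "restart")
    echo "O Firewall esta sendo reiniciado"
    firewall_stop; firewall_start
    sleep 1
    echo "ok."
    ;;
  *)
    # no recognised command: show the current rules instead of failing silently
    iptables -L -n
    ;;
esac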