Port forwarding with IPTables

1. Port forwarding with IPTables

Ricardo Poncio
poncior

(uses Debian)

Posted on 30/09/2020 - 14:23h

Good afternoon everyone, I created this topic because I have searched a lot but still have not managed to find a solution to my problem, and I know little about the subject.
The situation is as follows: I have a VPS, let's say its IP is 191.212.53.47, and on my local network a machine with IP 192.168.1.70. I would like to expose port 8123 of the machine on my network through the VPS's IP, which is static.
Previously I had a very open policy in IPTables and I am trying to improve security; in parallel, I want to stop using reverse SSH tunnelling and use IPTables forwarding with the help of a VPN.
The VPN has its main dynamic network on interface as0t0 in subnet 10.0.5.0/24, and the static network is 10.5.5.0/24 (where the machine inside my network has IP 10.5.5.2).
Since the VPS is the OpenVPN server, it has IP 10.0.5.1.

If I ping from my VPS to 10.5.5.2, everything works normally; if I do a tracert or a wget on the desired port, all good, it works.
However, accessing http://VPS:8123 over HTTP returns nothing.
I also noticed that when I run the IPTables commands (Flush + Rules) HTTP access works normally, but as soon as a connection happens on the VPN or OpenVPN AS is restarted, the IPTables table gains a bunch of entries and HTTP access stops working.

I suspect it is the return path from 10.5.5.2 to Apache, because, as I mentioned above, if I run on the VPS:
wget 10.5.5.2:8123

the command downloads a correct index.html, so connectivity exists.
Note 1: IP forwarding is already enabled in sysctl.
Note 2: Some rules were omitted from the table below because they only ACCEPT a few ports over TCP/UDP.

Can you shed some light on this, please?

IPTables Rules:

#!/bin/bash
# first cleanup everything
# -F/-X without a chain name flush and delete every chain in the table,
# including chains installed by other software (e.g. the AS0_* chains of OpenVPN AS)
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X

# default drop for INPUT and FORWARD; OUTPUT stays ACCEPT (as the listing below confirms)
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# allow loopback device
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# allow ssh over eth0 from outside to system
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT

# allow webserver
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -j ACCEPT

# Allow masquerade (source-NATs everything leaving eth0, not only VPN traffic)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# System
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

# Forwards
# This rule matches every conntrack-tracked packet in FORWARD (NEW, RELATED and ESTABLISHED),
# so the more specific FORWARD rules appended after it are never reached
iptables -A FORWARD -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT

# OpenVPN
iptables -A INPUT -p udp --dport 1194 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.27.224.0/20 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.5.5.0/24 -o eth0 -j MASQUERADE
iptables -A INPUT -i as0t0 -j ACCEPT
iptables -A FORWARD -i as0t0 -j ACCEPT
iptables -A OUTPUT -o as0t0 -j ACCEPT
iptables -A FORWARD -i as0t0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o as0t0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i as0t0 -s 172.27.224.0/20 -d 0.0.0.0/0 -j ACCEPT
iptables -A FORWARD -i as0t0 -s 10.5.5.0/24 -d 0.0.0.0/0 -j ACCEPT

# Ports
# DNAT in PREROUTING rewrites the destination to 10.5.5.2 before the packet reaches FORWARD,
# so the FORWARD rule must accept it with the new destination; replies from 10.5.5.2
# are covered by the RELATED,ESTABLISHED rules above
iptables -A FORWARD -i eth0 -p tcp --dport 8123 -d 10.5.5.2 -j ACCEPT
# accepts connections from 10.5.5.2 to port 8123 on the VPS itself; not part of the DNAT path
iptables -A INPUT -i as0t0 -p tcp -s 10.5.5.2 --dport 8123 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 8123 -j DNAT --to-destination 10.5.5.2:8123

# Logging (anything not accepted in INPUT is rate-limited logged and dropped)
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP
 


IPTables result after the OpenVPN restart

Chain INPUT (policy DROP)
target     prot opt source               destination
AS0_ACCEPT  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
AS0_ACCEPT  all  --  anywhere             anywhere
AS0_IN_PRE  all  --  anywhere             anywhere             mark match 0x2000000/0x2000000
AS0_ACCEPT  udp  --  anywhere             vps1234.publiccloud.com.br  state NEW udp dpt:openvpn
AS0_WEBACCEPT  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
AS0_WEBACCEPT  tcp  --  anywhere             vps1234.publiccloud.com.br  state NEW tcp dpt:943
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9090
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:webmin
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn state NEW
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp dpt:9987
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:10011
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:30033
ACCEPT     tcp  --  10.5.5.2             anywhere             tcp dpt:8123
LOGGING    all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
AS0_ACCEPT  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
AS0_IN_PRE  all  --  anywhere             anywhere             mark match 0x2000000/0x2000000
AS0_OUT_S2C  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  172.27.224.0/20      anywhere
ACCEPT     all  --  10.5.5.0/24          anywhere
ACCEPT     tcp  --  anywhere             10.5.5.2             tcp dpt:8123

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
AS0_OUT_LOCAL  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:https
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain state NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:9090
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:webmin
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp spt:9987
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:10011
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:30033

Chain AS0_ACCEPT (4 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain AS0_DNS (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             10.0.5.1
RETURN     all  --  anywhere             anywhere

Chain AS0_IN (5 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             10.0.5.1
AS0_U_INTERNAL_IN  all  --  10.5.5.2             anywhere
AS0_IN_POST  all  --  anywhere             anywhere

Chain AS0_IN_NAT (2 references)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             MARK or 0x8000000
ACCEPT     all  --  anywhere             anywhere

Chain AS0_IN_POST (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             10.5.5.0/24
AS0_OUT    all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain AS0_IN_PRE (2 references)
target     prot opt source               destination
AS0_DNS    tcp  --  anywhere             anywhere             state NEW tcp dpt:domain
AS0_DNS    udp  --  anywhere             anywhere             state NEW udp dpt:domain
AS0_IN     all  --  anywhere             191.212.53.0/24
AS0_IN     all  --  anywhere             link-local/16
AS0_IN     all  --  anywhere             192.168.0.0/16
AS0_IN     all  --  anywhere             172.16.0.0/12
AS0_IN     all  --  anywhere             10.0.0.0/8
ACCEPT     all  --  anywhere             anywhere

Chain AS0_IN_ROUTE (0 references)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             MARK or 0x4000000
ACCEPT     all  --  anywhere             anywhere

Chain AS0_OUT (2 references)
target     prot opt source               destination
AS0_U_INTERNAL_OUT  all  --  anywhere             10.5.5.2
AS0_OUT_POST  all  --  anywhere             anywhere

Chain AS0_OUT_LOCAL (1 references)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere             icmp redirect
ACCEPT     all  --  anywhere             anywhere

Chain AS0_OUT_POST (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             mark match 0x2000000/0x2000000
DROP       all  --  anywhere             anywhere

Chain AS0_OUT_S2C (1 references)
target     prot opt source               destination
AS0_OUT    all  --  anywhere             anywhere

Chain AS0_U_INTERNAL_IN (1 references)
target     prot opt source               destination
AS0_IN_NAT  all  --  anywhere             10.0.5.0/24
AS0_IN_NAT  all  --  anywhere             191.212.53.0/24
AS0_IN_POST  all  --  anywhere             anywhere

Chain AS0_U_INTERNAL_OUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  10.5.5.0/24          anywhere
ACCEPT     all  --  10.0.5.0/24          anywhere
ACCEPT     all  --  10.5.5.0/24          anywhere
AS0_OUT_POST  all  --  anywhere             anywhere

Chain AS0_WEBACCEPT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain LOGGING (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 2/min burst 5 LOG level warning prefix "IPTables-Dropped: "
DROP       all  --  anywhere             anywhere
 


ifconfig (VPS)

as0t0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.0.5.1  netmask 255.255.255.0  destination 10.0.5.1
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 200  (UNSPEC)
        RX packets 33  bytes 4102 (4.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 24  bytes 8027 (7.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 191.212.53.47  netmask 255.255.255.0  broadcast 191.212.53.255
        ether 22:4f:cc:27:d2:59  txqueuelen 1000  (Ethernet)
        RX packets 17463562  bytes 2335444365 (2.1 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6311788  bytes 1425763570 (1.3 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1  (Local Loopback)
        RX packets 123046  bytes 98937342 (94.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 123046  bytes 98937342 (94.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 


ifconfig (machine on the local network)

enp2s0f2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.70  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::c051:8794:97c4:7ac3  prefixlen 64  scopeid 0x20<link>
        inet6 2804:d55:52e2:b800:8914:d08e:4895:4988  prefixlen 64  scopeid 0x0<global>
        ether 80:ee:73:7d:7d:83  txqueuelen 1000  (Ethernet)
        RX packets 2468025  bytes 216533800 (206.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 13162807  bytes 1984356517 (1.8 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 21451249  bytes 2170560228 (2.0 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 21451249  bytes 2170560228 (2.0 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.5.5.2  netmask 255.255.255.0  destination 10.5.5.2
        inet6 fe80::cb53:8c05:d238:3cee  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 24  bytes 8027 (7.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 34  bytes 4150 (4.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlp1s0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 6c:71:d9:d2:1b:52  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
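Walking the FORWARD chain of the listing above by hand, a packet that arrived from the Internet and was DNATed to 10.5.5.2:8123 is NEW and carries no fwmark, so it skips the first two AS0 rules, enters AS0_OUT_S2C, reaches AS0_U_INTERNAL_OUT (destination 10.5.5.2), matches none of the VPN-sourced ACCEPTs there and ends in the unconditional DROP of AS0_OUT_POST, long before the ACCEPT for dpt:8123 at the bottom of FORWARD. The same request issued from the VPS itself goes through OUTPUT, where AS0_OUT_LOCAL accepts it, which is why the local wget works. The script below is an added example, not code from the original post and not part of OpenVPN AS: a simplified model of iptables rule evaluation with the listed FORWARD, OUTPUT and AS0_* chains transcribed into it. The client address 203.0.113.10 is constructed; interface matches are not modelled because `iptables -L` without -v does not show them, and the "icmp redirect" match in AS0_OUT_LOCAL is reduced to the protocol only. It also shows, within the model, the difference between appending the 8123 rule (`-A`) and inserting it at the top of FORWARD (`-I FORWARD 1`).

```python
"""Simplified walker for the iptables filter table (added example, not from the post).
Chains are transcribed from the post's `iptables -L` listing; INPUT is left out."""
import copy
import ipaddress
from dataclasses import dataclass
from typing import Optional

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str                    # source address
    dst: str                    # destination address as seen in the filter table (after DNAT)
    dport: Optional[int] = None
    state: str = "NEW"          # conntrack state: NEW, ESTABLISHED, RELATED
    mark: int = 0               # fwmark; the AS0_* chains test bit 0x2000000


@dataclass
class Rule:
    target: str                 # ACCEPT, DROP, RETURN, MARK or a user-defined chain
    proto: str = "all"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    states: tuple = ()          # empty = no --state / --ctstate match
    mark: Optional[int] = None  # "mark match X/X": every bit of X must be set
    set_mark: int = 0           # bits OR-ed in by a MARK target

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "all" or self.proto == pkt.proto)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport)
                and (not self.states or pkt.state in self.states)
                and (self.mark is None or pkt.mark & self.mark == self.mark))


EST = ("RELATED", "ESTABLISHED")
POLICIES = {"FORWARD": "DROP", "OUTPUT": "ACCEPT"}
CHAINS = {
    "FORWARD": [Rule("AS0_ACCEPT", states=EST), Rule("AS0_IN_PRE", mark=0x2000000),
                Rule("AS0_OUT_S2C"),
                Rule("ACCEPT", states=("NEW",) + EST),   # the post's own rules start here
                Rule("ACCEPT"), Rule("ACCEPT", states=EST), Rule("ACCEPT", states=EST),
                Rule("ACCEPT", src="172.27.224.0/20"), Rule("ACCEPT", src="10.5.5.0/24"),
                Rule("ACCEPT", proto="tcp", dst="10.5.5.2", dport=8123)],
    "OUTPUT": [Rule("AS0_OUT_LOCAL"), Rule("ACCEPT")],  # later OUTPUT rules are unreachable
    "AS0_ACCEPT": [Rule("ACCEPT")],
    "AS0_DNS": [Rule("ACCEPT", dst="10.0.5.1"), Rule("RETURN")],
    "AS0_IN": [Rule("ACCEPT", dst="10.0.5.1"), Rule("AS0_U_INTERNAL_IN", src="10.5.5.2"),
               Rule("AS0_IN_POST")],
    "AS0_IN_NAT": [Rule("MARK", set_mark=0x8000000), Rule("ACCEPT")],
    "AS0_IN_POST": [Rule("ACCEPT", dst="10.5.5.0/24"), Rule("AS0_OUT"), Rule("DROP")],
    "AS0_IN_PRE": [Rule("AS0_DNS", proto="tcp", dport=53, states=("NEW",)),
                   Rule("AS0_DNS", proto="udp", dport=53, states=("NEW",)),
                   Rule("AS0_IN", dst="191.212.53.0/24"), Rule("AS0_IN", dst="169.254.0.0/16"),
                   Rule("AS0_IN", dst="192.168.0.0/16"), Rule("AS0_IN", dst="172.16.0.0/12"),
                   Rule("AS0_IN", dst="10.0.0.0/8"), Rule("ACCEPT")],
    "AS0_OUT": [Rule("AS0_U_INTERNAL_OUT", dst="10.5.5.2"), Rule("AS0_OUT_POST")],
    "AS0_OUT_LOCAL": [Rule("DROP", proto="icmp"), Rule("ACCEPT")],  # icmp type not modelled
    "AS0_OUT_POST": [Rule("ACCEPT", mark=0x2000000), Rule("DROP")],
    "AS0_OUT_S2C": [Rule("AS0_OUT")],
    "AS0_U_INTERNAL_IN": [Rule("AS0_IN_NAT", dst="10.0.5.0/24"),
                          Rule("AS0_IN_NAT", dst="191.212.53.0/24"), Rule("AS0_IN_POST")],
    "AS0_U_INTERNAL_OUT": [Rule("ACCEPT", src="10.5.5.0/24"), Rule("ACCEPT", src="10.0.5.0/24"),
                           Rule("ACCEPT", src="10.5.5.0/24"), Rule("AS0_OUT_POST")],
}


def trace(chain, pkt, chains=CHAINS, policies=POLICIES, path=None):
    """First matching rule wins; a user chain that ends without a verdict returns to its
    caller; a built-in chain that ends without a verdict applies its policy.
    Returns (verdict, list of chains visited in order)."""
    path = [] if path is None else path
    path.append(chain)
    for rule in chains[chain]:
        if not rule.matches(pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target, path
        if rule.target == "RETURN":
            return None, path
        if rule.target == "MARK":       # non-terminating target: set bits, keep walking
            pkt.mark |= rule.set_mark
            continue
        verdict, path = trace(rule.target, pkt, chains, policies, path)
        if verdict is not None:
            return verdict, path
    return policies.get(chain), path


def with_rule_on_top(chains, chain, rule):
    """What `iptables -I <chain> 1 ...` yields instead of `-A` (a copy; CHAINS is untouched)."""
    new = copy.deepcopy(chains)
    new[chain].insert(0, rule)
    return new


if __name__ == "__main__":
    inet = Packet("tcp", "203.0.113.10", "10.5.5.2", 8123)   # constructed Internet client, post-DNAT
    print(trace("FORWARD", inet))                            # dropped inside AS0_OUT_POST
    print(trace("OUTPUT", Packet("tcp", "10.0.5.1", "10.5.5.2", 8123)))  # the wget from the VPS
    print(trace("FORWARD", Packet("tcp", "10.0.5.7", "10.5.5.2", 8123)))  # a VPN client: accepted
    top = with_rule_on_top(CHAINS, "FORWARD", Rule("ACCEPT", proto="tcp", dst="10.5.5.2", dport=8123))
    print(trace("FORWARD", inet, top))                       # accepted in FORWARD itself
```

The path returned by `trace` is the chain sequence you would otherwise have to reconstruct with `iptables -L -v -n` packet counters or a `-j LOG` rule in each chain; comparing the traces for the Internet client and for a VPN-sourced client shows that AS0_U_INTERNAL_OUT only accepts sources inside the VPN subnets, and the last trace shows that rule order, not rule content, decides the outcome in the model.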