Regra para liberar NAT [RESOLVIDO]

leonardosoaress
(usa CentOS)

Enviado em 17/01/2013 - 10:30h

Ola...

Estou configurando o meu firewall e me deparei com um problema, acredito que possam me ajudar.

Quero manter minhas regras Default como DROP ou REJECT e ir liberando outras regras como de acordo com o necessário.

Vejam:

###############################LIBERA CONEXÃO TS DO SERVICE####################################
iptables -A FORWARD -p tcp --dport 33444 -j ACCEPT
iptables -A FORWARD -p tcp --sport 33444 -j ACCEPT

###################REDIRECIONA PORTAS PARA TS DO SERVICE#######################################
iptables -t nat -A PREROUTING -p tcp --dport 33444 -j DNAT --to 192.168.0.3:3389

iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP

Se manter as regras como estão não consigo acessar o terminal server do windows externamente. Se mudar a politica padrão do FORWARD para ACCEPT então o acesso remoto funciona.

O comando que usei para liberar a porta 33444 que logo abaixo é direcionada para maquina na porta 3389 não funcionou.

Qual regra devo usar para realizar essa liberação?










Problema resolvido!

Utilizando as dicas do Artigo do phrich no dia 17/01/2012 resolvi meu problema.

link da solução: http://www.vivaolinux.com.br/artigo/Iptables-Seguranca-total-para-sua-rede/?pagina=3

phrich
(usa Slackware)

Enviado em 17/01/2013 - 10:34h

Isso é apenas a ordem das regras, faça assim:

iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP

iptables -t nat -A PREROUTING -p tcp --dport 33444 -j DNAT --to 192.168.0.3:3389

iptables -A FORWARD -p tcp --dport 33444 -j ACCEPT
iptables -A FORWARD -p tcp --sport 33444 -j ACCEPT

saitam
(usa Slackware)

Enviado em 17/01/2013 - 10:37h

Exatamente o que iria comentar...

saitam
(usa Slackware)

Enviado em 17/01/2013 - 10:37h

Exatamente o que iria comentar...

leonardosoaress
(usa CentOS)

Enviado em 17/01/2013 - 10:44h

Te perguntar o iptables faz a leitura do aquivo de cima para baixo ou ao contrario?

Por exemplo:

Devo colocar as regras de liberação na parte superior do arquivo e as de bloqueio na inferior ou ao contrario?

phrich estou espantado com a rapidez da resposta muito obrigado.

renato_pacheco
(usa Debian)

Enviado em 17/01/2013 - 10:46h

EU ACHO q deve liberar o FORWARD da porta 3389 para o destino interno, ficando assim:

iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -t nat -A PREROUTING -p tcp --dport 33444 -j DNAT --to 192.168.0.3:3389
iptables -A FORWARD -p tcp --dport 33444 -j ACCEPT
iptables -A FORWARD -p tcp --dport 3389 -d 192.168.0.3 -j ACCEPT

Mantendo a ordem q o pessoal sugeriu.

phrich
(usa Slackware)

Enviado em 17/01/2013 - 10:51h

Correto renato_pacheco!

Quanto a outra dúvida, depende, se vc colocar -A ele insere a regra abaixo, se for -I ele insere acima, logo se tudo ficar como -A ele lê de baixo para cima...

leonardosoaress
(usa CentOS)

Enviado em 17/01/2013 - 10:53h

Segui as sugestões dos três comentários mas ainda não conectou.

Veja meu arquivo do iptables completo.

########BLOQUEIO#############
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A FORWARD -p tcp -j LOG

###############################################################################################
###############################################################################################
###############################################################################################

echo "ATIVANDO REGRAS DO FIREWALL - IPTABLES"
######CONFIGURAR PLACAS DE REDE################################################
ifconfig eth0 192.168.0.251 netmask 255.255.255.0 up
ifconfig eth1 192.168.1.2 netmask 255.255.255.0 up

######ATIVANDO COMPARTILHAMENTO################################################
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

######BLOQUEIO DE ACESSO A PLACA DE REDE EXTERNA###############################
#iptables -A FORWARD -s 192.168.0.0/24 -i eth1 -j DROP

######LIBERA FIREWALL OUTPUT###################################################
iptables -A OUTPUT -j ACCEPT

#######LIBERA PACOTES loopback E REDE INTERNA##################################
iptables -A INPUT -s 192.168.0.0/24 -i eth0 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.0.0/24 -i eth0 -j ACCEPT

############################LIBERA SSH#########################################
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT

###########################LIBERA O ACESSO A PORTA 80 HTTP#####################
iptables -A FORWARD -p tcp -s 192.168.0.0/24 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.0.0/24 --sport 80 -j ACCEPT

#########################LIBERA A PORTA 443 HTTPS##############################
iptables -A FORWARD -p tcp -s 192.168.0.0/24 --dport 443 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.0.0/24 --sport 443 -j ACCEPT

######DIRECIONA A PORTA 80 HTTP PARA O SQUID###################################
#iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

###############################################################################################
###############################################################################################
###############################################################################################

###################REDIRECIONA PORTAS PARA TS DO SERVICE#######################################
iptables -t nat -A PREROUTING -p tcp --dport 33444 -j DNAT --to 192.168.0.3:3389

###############################LIBERA CONEXÃO TS DO SERVICE####################################
iptables -A FORWARD -p tcp --dport 33444 -j ACCEPT
iptables -A FORWARD -p tcp --sport 33444 -j ACCEPT
iptables -A FORWARD -p tcp --dport 3389 -d 192.168.0.3 -j ACCEPT

renato_pacheco
(usa Debian)

Enviado em 17/01/2013 - 11:09h

Tente liberar dois estados d conexão:

iptables -A FORWARD -m state --state ESTABLISHED, RELATED -j ACCEPT

 

leonardosoaress
(usa CentOS)

Enviado em 18/01/2013 - 11:09h

Quem estiver com problema parecido leia o tópico:

http://www.vivaolinux.com.br/artigo/Iptables-Seguranca-total-para-sua-rede/?pagina=3