Port Forwarding (Question)

1. Port Forwarding (Question)

Marcos Paulo de Campos
mpc94

(uses Other)

Sent on 25/08/2016 - 22:19h

Hey folks, good evening.
I'm new to Linux and I'm having trouble setting up port forwarding.
The company hired a technician to provide Linux support but it didn't work out... so I'm taking it over.
I have a DDNS on the internet (exemplo.ddns.me) and I'd like that, when I use Windows to open a remote connection to this address, the firewall redirects it to a server I have at the company (192.168.1.11:3390).

How do I add that rule to the firewall?

My configuration there looks like this:

#!/bin/bash
##############################################
# Firewall Script #
# Date: 2014-01-08 / Update: 2014-05-20 #
# Created by Thiago Oliviera #
# Edited by Marcos Paulo #
##############################################

#LOAD MODULES
modprobe ip_nat_sip
modprobe ip_nat_ftp
modprobe ip_gre
modprobe ip_nat_pptp
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_pptp
modprobe nf_conntrack_pptp
modprobe nf_conntrack_proto_gre

#VARIABLES
RDP="192.168.1.250"
BD="192.168.1.11"
LOCAL="192.168.1.0/24"
MULTI="192.168.2.0/24"
LAN="eth1"
NET="eth0"

#Ports allowed into the server from the LAN
LOCAL_PORTS="22,53,80"

IPT=$(which iptables)
case "$1" in
start)
echo "AGUARDE ENQUANTO O FIREWALL CARREGA...."

#ROUTING BETWEEN INTERFACES
echo 1 > /proc/sys/net/ipv4/ip_forward

#SYSCTL TUNING
# A second "> file" redirection on the same command replaces the first one, so the
# value would land in /dev/null instead of the sysctl; only stderr is silenced here.
echo 1 > /proc/sys/net/ipv4/conf/all/secure_redirects 2>/dev/null
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians 2>/dev/null
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects 2>/dev/null
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route 2>/dev/null
echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_redirects 2>/dev/null
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 2>/dev/null
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all 2>/dev/null
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2>/dev/null
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects 2>/dev/null
echo 0 > /proc/sys/net/ipv4/conf/eth1/proxy_arp 2>/dev/null
echo 1 > /proc/sys/net/ipv4/conf/eth1/secure_redirects 2>/dev/null
echo 0 > /proc/sys/net/ipv4/conf/eth1/bootp_relay 2>/dev/null
echo 2 > /proc/sys/net/ipv4/tcp_syn_retries 2>/dev/null
echo 2 > /proc/sys/net/ipv4/tcp_synack_retries 2>/dev/null
echo 3 > /proc/sys/net/ipv4/tcp_retries1 2>/dev/null
echo 5 > /proc/sys/net/ipv4/tcp_retries1 2>/dev/null # overrides the line above; tcp_retries2 was probably intended
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout 2>/dev/null
echo 3 > /proc/sys/net/ipv4/tcp_keepalive_probes 2>/dev/null
echo 30 > /proc/sys/net/ipv4/tcp_keepalive_intvl 2>/dev/null

#flushing the chains
$IPT -F
$IPT -X
$IPT -t filter -F
$IPT -t filter -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

#SET DEFAULT POLICIES
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

#INPUT rules
$IPT -t filter -A INPUT -i lo -j ACCEPT
$IPT -t filter -A INPUT -i tun0 -j ACCEPT
$IPT -t filter -A INPUT -s $MULTI -j ACCEPT
#$IPT -t filter -A INPUT -p udp --dport 1194 -j ACCEPT
$IPT -t filter -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPT -t filter -A INPUT -m multiport -p tcp -s $LOCAL --dport $LOCAL_PORTS -j ACCEPT
$IPT -t filter -A INPUT -m multiport -p udp -s $LOCAL --dport $LOCAL_PORTS -j ACCEPT
$IPT -t filter -A INPUT -i $NET -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
$IPT -t filter -A INPUT -i $LAN -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
$IPT -t filter -A INPUT -p tcp --syn -s $LOCAL -j ACCEPT
$IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t filter -A INPUT -s $LOCAL -i $NET -j DROP
#Drop packets arriving on the WAN side with spoofed private (RFC 1918) source addresses
$IPT -t filter -A INPUT -s 10.0.0.0/8 -i $NET -j DROP
$IPT -t filter -A INPUT -s 172.16.0.0/12 -i $NET -j DROP
$IPT -t filter -A INPUT -s 192.168.0.0/16 -i $NET -j DROP

#FORWARD RULES AND ALLOWING BLOCKED SITES
$IPT -t filter -A FORWARD -i tun0 -j ACCEPT
#$IPT -t nat -A PREROUTING -d $net -p -tcp --dport 3390 -j DNAT --to 192.168.1.11:3390
#$IPT -t nat -A POSTROUTING -d 192.168.1.11:3390 -p -tcp --dport 3390 -j SNAT --to $net

$IPT -I FORWARD -d 192.168.1.108 -m string --algo bm --string "sulamericaparadiso.uol.com.br" -j ACCEPT
$IPT -I FORWARD -s 192.168.1.108 -m string --algo bm --string "sulamericaparadiso.uol.com.br" -j ACCEPT
$IPT -I FORWARD -d 192.168.1.137 -m string --algo bm --string "youtube.com" -j ACCEPT
$IPT -I FORWARD -s 192.168.1.137 -m string --algo bm --string "youtube.com" -j ACCEPT
$IPT -I FORWARD -d 192.168.1.145 -m string --algo bm --string "facebook.com" -j ACCEPT
$IPT -I FORWARD -s 192.168.1.145 -m string --algo bm --string "facebook.com" -j ACCEPT
$IPT -I FORWARD -d 192.168.1.156 -m string --algo bm --string "facebook.com" -j ACCEPT
$IPT -I FORWARD -s 192.168.1.156 -m string --algo bm --string "facebook.com" -j ACCEPT
$IPT -I FORWARD -d 192.168.1.189 -m string --algo bm --string "facebook.com" -j ACCEPT #mp-asus-note
$IPT -I FORWARD -s 192.168.1.189 -m string --algo bm --string "facebook.com" -j ACCEPT
$IPT -I FORWARD -d 192.168.1.189 -m string --algo bm --string "linkedin.com" -j ACCEPT #MP-asus-NOTE
$IPT -I FORWARD -s 192.168.1.189 -m string --algo bm --string "linkedin.com" -j ACCEPT
$IPT -I FORWARD -d 192.168.1.201 -m string --algo bm --string "facebook.com" -j ACCEPT #mp-5s
$IPT -I FORWARD -s 192.168.1.201 -m string --algo bm --string "facebook.com" -j ACCEPT
$IPT -I FORWARD -d 192.168.1.140 -m string --algo bm --string "facebook.com" -j ACCEPT
$IPT -I FORWARD -s 192.168.1.140 -m string --algo bm --string "facebook.com" -j ACCEPT

$IPT -I FORWARD -d 192.168.1.114 -m string --algo bm --string "facebook.com" -j ACCEPT
$IPT -I FORWARD -s 192.168.1.114 -m string --algo bm --string "facebook.com" -j ACCEPT

$IPT -I FORWARD -d 192.168.1.140 -m string --algo bm --string "youtube.com" -j ACCEPT
$IPT -I FORWARD -s 192.168.1.140 -m string --algo bm --string "youtube.com" -j ACCEPT

$IPT -I FORWARD -d 192.168.1.249 -m string --algo bm --string "emprego" -j ACCEPT
$IPT -I FORWARD -s 192.168.1.249 -m string --algo bm --string "emprego" -j ACCEPT
$IPT -I FORWARD -d 192.168.1.249 -m string --algo bm --string "facebook.com" -j ACCEPT
$IPT -I FORWARD -s 192.168.1.249 -m string --algo bm --string "facebook.com" -j ACCEPT
$IPT -I FORWARD -d 192.168.1.249 -m string --algo bm --string "curriculum" -j ACCEPT
$IPT -I FORWARD -s 192.168.1.249 -m string --algo bm --string "curriculum" -j ACCEPT


# $IPT -I FORWARD -d 192.168.1.145 -m string --algo bm --string "facebook.com" -j ACCEPT
# $IPT -I FORWARD -s 192.168.1.145 -m string --algo bm --string "facebook.com" -j ACCEPT
$IPT -A FORWARD -p tcp --dport 443 -m string --string 'facebook.com' --algo bm -j DROP
$IPT -A FORWARD -p tcp --sport 443 -m string --string 'facebook.com' --algo bm -j DROP
$IPT -A FORWARD -p tcp --dport 443 -m string --string 'linkedin.com' --algo bm -j DROP
$IPT -A FORWARD -p tcp --sport 443 -m string --string 'linkedin.com' --algo bm -j DROP
#$IPT -A FORWARD -p tcp --dport 443 -m string --string 'youtube.com' --algo bm -j DROP
#$IPT -A FORWARD -p tcp --sport 443 -m string --string 'youtube.com' --algo bm -j DROP

#$IPT -A FORWARD -m mac --mac-source 00:26:18:F7:84:E0 -m string --string 'facebook.com' --algo bm -j ACCEPT

#PRIORITIZE IN/OUT PACKETS ORIGINATING ON THE FIREWALL
#$IPT -t mangle -A OUTPUT -p udp --dport 53 -j TOS --set-tos Minimize-Delay
#$IPT -t mangle -A FORWARD -s $LOCAL -d $SERVERS -m multiport -p tcp --dport 1433,139,445 -j TOS --set-tos Maximize-Throughput
#$IPT -t mangle -A FORWARD -s $LOCAL -d $SERVERS -m multiport -p udp --dport 137,138 -j TOS --set-tos Maximize-Throughput

#EXEMPT THESE IPS FROM THE PROXY
$IPT -t nat -I PREROUTING -s 192.168.1.157 -j ACCEPT
$IPT -t nat -I PREROUTING -s 192.168.1.198 -j ACCEPT
$IPT -t nat -I PREROUTING -s 192.168.1.145 -j ACCEPT
$IPT -t nat -I PREROUTING -s 192.168.1.11 -j ACCEPT
$IPT -t nat -I PREROUTING -s 192.168.1.104 -j ACCEPT
$IPT -t nat -I PREROUTING -s 192.168.1.193 -j ACCEPT
$IPT -t nat -I PREROUTING -s 192.168.1.192 -j ACCEPT
$IPT -t nat -I PREROUTING -s 192.168.1.186 -j ACCEPT
$IPT -t nat -I PREROUTING -s 192.168.1.200 -j ACCEPT
$IPT -t nat -I PREROUTING -s 192.168.1.140 -j ACCEPT
$IPT -t nat -A PREROUTING -s 192.168.1.10 -p tcp --dport 80 -j ACCEPT #Server Sistema
$IPT -t nat -A PREROUTING -s 192.168.1.150 -p tcp --dport 80 -j ACCEPT #Rafa Fat
$IPT -t nat -A PREROUTING -s 192.168.1.162 -p tcp --dport 80 -j ACCEPT #Bruno Gomes
$IPT -t nat -A PREROUTING -s 192.168.1.133 -p tcp --dport 80 -j ACCEPT #Paulo Contabil
$IPT -t nat -A PREROUTING -s 192.168.1.112 -p tcp --dport 80 -j ACCEPT #Thiago-MKT
#$IPT -t nat -A PREROUTING -s 192.168.1.183 -p tcp --dport 80 -j ACCEPT #MP-PC
$IPT -t nat -A PREROUTING -s 192.168.1.140 -p tcp --dport 80 -j ACCEPT #MP-TERRA


#ENABLE TRANSPARENT PROXY
$IPT -t nat -A PREROUTING -i $LAN -p tcp --dport 80 -j REDIRECT --to 3128

#NAT FOR ALL PORTS
$IPT -t nat -A POSTROUTING -s $LOCAL -o $NET -j MASQUERADE

#SET MTU AUTOMATICALLY
$IPT -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#Setting a fixed MSS value (use with care - for VoIP use the value 128)
#$IPT -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 128

#Forwards port 1723 to VPN SERVER - VIA RADIO and Speedy (note: the rules below actually forward TCP 3389 to $RDP)
$IPT -t nat -A PREROUTING -i $NET -p tcp --dport 3389 -j DNAT --to $RDP:3389
$IPT -t nat -A POSTROUTING -s $RDP -p tcp --sport 3389 -j MASQUERADE
$IPT -t filter -A FORWARD -d $RDP -p tcp --dport 3389 -j ACCEPT
$IPT -t filter -A FORWARD -s $RDP -p tcp --sport 3389 -j ACCEPT

#Forwards port 1723 to VPN SERVER - VIA RADIO and Speedy (disabled 3390 forwarding attempt; the DNAT target here is $RDP:3389, not $BD)
#$IPT -t nat -A PREROUTING -i $NET -p tcp --dport 3390 -j DNAT --to $RDP:3389
#$IPT -t nat -A POSTROUTING -s $BD -p tcp --sport 3390 -j MASQUERADE
#$IPT -t filter -A FORWARD -d $BD -p tcp --dport 3390 -j ACCEPT
#$IPT -t filter -A FORWARD -s $BD -p tcp --sport 3390 -j ACCEPT



#RETURN PACKETS - FORWARD
$IPT -t filter -A FORWARD -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "FIREWALL INICIADO COM SUCESSO [OK]"

#MASQUERADE THE VPN WITH NAT
$IPT -t nat -A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE

;;
stop)
#DISABLE ROUTING BETWEEN INTERFACES
echo 0 > /proc/sys/net/ipv4/ip_forward

#flushing the chains
$IPT -F
$IPT -X
$IPT -t filter -F
$IPT -t filter -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

echo "FIREWALL PARADO COM SUCESSO [OK]"
;;
restart)
$0 stop
$0 start
;;
status)
$IPT -nvL
;;
*)
echo "Voce deve usar: $0 {start|stop|restart|status}"
;;
esac

The part that was in bold is what I just tried to change, and it gives an error...
If anyone could help me!!


  


2. Re: Port Forwarding (Question)

Saulo Alberto
saulobdkrt

(uses Debian)

Sent on 26/08/2016 - 08:59h

iptables -t nat -A PREROUTING -i $net -p tcp --dport 3390 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.1.11
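The forwarding the thread is asking for, as an added example rather than code from either poster: a small helper in the same variable style as the script that emits the DNAT rule plus the matching FORWARD rule for TCP 3390 to 192.168.1.11, and a check that the variables are non-empty. It assumes the script's NET and BD variables (the script defines NET in upper case, so a lower-case $net expands to nothing), uses hypothetical helper names publish_tcp_port and check_vars, and defaults IPT to "echo iptables" so the rules are printed rather than applied.

```shell
#!/bin/bash
# Added example (not from the thread): publish one TCP port from the WAN side to
# an internal host, in the same variable style as the poster's script.
NET="${NET:-eth0}"           # WAN interface (the script's NET variable; assumed)
BD="${BD:-192.168.1.11}"     # internal server (the script's BD variable; assumed)
IPT="${IPT:-echo iptables}"  # dry run by default; IPT=iptables (as root) applies them

# Returns 1 when either argument is empty. An empty interface variable turns
# "-i $NET -p tcp" into "-i -p tcp": "-i" takes "-p" as the interface name and
# iptables rejects the stray "tcp" token with "Bad argument `tcp'".
check_vars() {
    [ -n "$1" ] && [ -n "$2" ]
}

# Args: external port, internal port. Emits the two rules needed:
#  1) nat/PREROUTING DNAT rewrites the destination of packets arriving on $NET;
#  2) filter/FORWARD admits the first packet of each new forwarded connection
#     (state matching belongs here; the nat table only sees a flow's first packet).
# Replies pass because the script's FORWARD policy is ACCEPT; with a DROP policy
# an ESTABLISHED,RELATED rule for -o $NET would be needed as well.
publish_tcp_port() {
    ext_port="$1"
    int_port="$2"
    $IPT -t nat -A PREROUTING -i "$NET" -p tcp --dport "$ext_port" \
        -j DNAT --to-destination "$BD:$int_port"
    $IPT -t filter -A FORWARD -i "$NET" -d "$BD" -p tcp --dport "$int_port" \
        -m conntrack --ctstate NEW -j ACCEPT
}

check_vars "$NET" "$BD" || { echo "NET or BD is empty; refusing to build rules" >&2; exit 1; }
publish_tcp_port 3390 3390
```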



3. Re:

Marcos Paulo de Campos
mpc94

(uses Other)

Sent on 26/08/2016 - 09:53h

I just tested it here and it gives an error:

bad argument (tcp)

I did exactly what you said.. what could I have done wrong? Thanks.


4. Re: Port Forwarding (Question)

Marcos Paulo de Campos
mpc94

(uses Other)

Sent on 29/08/2016 - 07:47h

Anyone?


5. Re: Port Forwarding (Question)

Marcos Paulo de Campos
mpc94

(uses Other)

Sent on 01/09/2016 - 11:08h

Anyone?!





