tmello
(uses Debian)
Posted on 30/05/2013 - 21:26h
Folks, here's the thing: I set up a Linux server and it's already running on the internal network, but the problem is opening the damn ports for external connections.
I've already tried every way I can. I use no-ip to fix the IP, and I need to open ports 9014 / 2106 / 7777 and 3306 for external connections.
Can someone please help me? :O
I've already used the following rules
#flushing tables
iptables -F &&
iptables -X &&
iptables -t nat -F &&
iptables -t nat -X &&
#allowing internal network access
iptables -A INPUT -p tcp --syn -s 192.168.0.133/255.255.255.0 -j ACCEPT &&
iptables -A OUTPUT -p tcp --syn -s 192.168.0.133/255.255.255.0 -j ACCEPT &&
iptables -A FORWARD -p tcp --syn -s 192.168.0.133/255.255.255.0 -j ACCEPT &&
#Opening MYSQL ports
iptables -t nat -A PREROUTING -p tcp --dport 3306 -s 192.168.0.133/255.255.255.0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 3306 -j DNAT --to 192.168.0.133
iptables -A FORWARD -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --sport 3306 -s 192.168.0.133/24 -j ACCEPT
iptables -A FORWARD -p tcp --dport 3306 -s 0/0 -d 192.168.0.133/24 -j ACCEPT
iptables -A FORWARD -p tcp --sport 3306 -s 192.168.0.133/24 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --sport 3306 -s 192.168.0.133/24 -j ACCEPT
iptables -A FORWARD -p tcp --dport 3306 -s 0/0 -d 192.168.0.133/24 -j ACCEPT
iptables -A FORWARD -p tcp --sport 3306 -s 192.168.0.133/24 -j ACCEPT
#Opening LS ports
iptables -t nat -A PREROUTING -p tcp --dport 2106 -s 192.168.0.133/255.255.255.0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 2106 -j DNAT --to 192.168.0.133
iptables -A FORWARD -p tcp --dport 2106 -j ACCEPT
iptables -A INPUT -p tcp --dport 2106 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --sport 2106 -s 192.168.0.133/24 -j ACCEPT
iptables -A FORWARD -p tcp --dport 2106 -s 0/0 -d 192.168.0.133/24 -j ACCEPT
iptables -A FORWARD -p tcp --sport 2106 -s 192.168.0.133/24 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --sport 2106 -s 192.168.0.133/24 -j ACCEPT
iptables -A FORWARD -p tcp --dport 2106 -s 0/0 -d 192.168.0.133/24 -j ACCEPT
iptables -A FORWARD -p tcp --sport 2106 -s 192.168.0.133/24 -j ACCEPT
#Opening LS2 ports
iptables -t nat -A PREROUTING -p tcp --dport 9014 -s 192.168.0.133/255.255.255.0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 9014 -j DNAT --to 192.168.0.133
iptables -A FORWARD -p tcp --dport 9014 -j ACCEPT
iptables -A INPUT -p tcp --dport 9014 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --sport 9014 -s 192.168.0.133/24 -j ACCEPT
iptables -A FORWARD -p tcp --dport 9014 -s 0/0 -d 192.168.0.133/24 -j ACCEPT
iptables -A FORWARD -p tcp --sport 9014 -s 192.168.0.133/24 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --sport 9014 -s 192.168.0.133/24 -j ACCEPT
iptables -A FORWARD -p tcp --dport 9014 -s 0/0 -d 192.168.0.133/24 -j ACCEPT
iptables -A FORWARD -p tcp --sport 9014 -s 192.168.0.133/24 -j ACCEPT
#Opening GS ports
iptables -t nat -A PREROUTING -p tcp --dport 7777 -s 192.168.0.133/255.255.255.0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 7777 -j DNAT --to 192.168.0.133
iptables -A FORWARD -p tcp --dport 7777 -j ACCEPT
iptables -A INPUT -p tcp --dport 7777 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --sport 7777 -s 192.168.0.133/24 -j ACCEPT
iptables -A FORWARD -p tcp --dport 7777 -s 0/0 -d 192.168.0.133/24 -j ACCEPT
iptables -A FORWARD -p tcp --sport 7777 -s 192.168.0.133/24 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --sport 7777 -s 192.168.0.133/24 -j ACCEPT
iptables -A FORWARD -p tcp --dport 7777 -s 0/0 -d 192.168.0.133/24 -j ACCEPT
iptables -A FORWARD -p tcp --sport 7777 -s 192.168.0.133/24 -j ACCEPT
iptables -t nat -p tcp -I PREROUTING -s 0/0 -d tfmelo.sytes.net --dport 3306 -j DNAT --to 192.168.0.133
iptables -I FORWARD -p TCP --dport 3306 -j ACCEPT
iptables -t nat -p tcp -I PREROUTING -s 0/0 -d tfmelo.sytes.net --dport 2106 -j DNAT --to 192.168.0.133
iptables -I FORWARD -p TCP --dport 2106 -j ACCEPT
iptables -t nat -p tcp -I PREROUTING -s 0/0 -d tfmelo.sytes.net --dport 7777 -j DNAT --to 192.168.0.133
iptables -I FORWARD -p TCP --dport 7777 -j ACCEPT
iptables -t nat -p tcp -I PREROUTING -s 0/0 -d tfmelo.sytes.net --dport 9014 -j DNAT --to 192.168.0.133
iptables -I FORWARD -p TCP --dport 9014 -j ACCEPT
#sharing internet access with the internal network
iptables -t nat -A POSTROUTING -s 192.168.0.133/255.255.255.0 -o eth1 -j MASQUERADE &&
echo 1 > /proc/sys/net/ipv4/ip_forward &&
# Protection against stealth port scanners
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# Blocking traceroute
iptables -A INPUT -p udp -s 0/0 -i eth1 --dport 33435:33525 -j DROP
#Protections against attacks
iptables -A INPUT -m state --state INVALID -j DROP
#Protection against IP Spoofing
iptables -A INPUT -s 172.16.0.0/16 -i ext_face -j DROP
iptables -A INPUT -s 192.168.0.0/24 -i ext_face -j DROP
iptables -A INPUT -s 192.168.0.0/24 -i ext_face -j DROP
#Suppressing replies to ICMP 8 (echo reply)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
#done
echo "Iptables Pronto"
I've tried these too.
#flushing tables
iptables -F &&
iptables -X &&
iptables -t nat -F &&
iptables -t nat -X &&
iptables -t nat -A PREROUTING -p tcp --dport 2106 -j DNAT --to-destination 192.168.0.133
iptables -A FORWARD -s 192.168.0.133 -p tcp --dport 2106 -j ACCEPT
iptables -t nat -A PREROUTING -d tfmelo.sytes.net -p tcp -m tcp --dport 2106 -j DNAT --to-destination 192.168.0.133:2106
iptables -t nat -A PREROUTING -p tcp --dport 9014 -j DNAT --to-destination 192.168.0.133
iptables -A FORWARD -s 192.168.0.133 -p tcp --dport 9014 -j ACCEPT
iptables -t nat -A PREROUTING -d tfmelo.sytes.net -p tcp -m tcp --dport 9014 -j DNAT --to-destination 192.168.0.133:9014
iptables -t nat -A PREROUTING -p tcp --dport 7777 -j DNAT --to-destination 192.168.0.133
iptables -A FORWARD -s 192.168.0.133 -p tcp --dport 7777 -j ACCEPT
iptables -t nat -A PREROUTING -d tfmelo.sytes.net -p tcp -m tcp --dport 7777 -j DNAT --to-destination 192.168.0.133:7777
iptables -t nat -A PREROUTING -p tcp --dport 3306 -j DNAT --to-destination 192.168.0.133
iptables -A FORWARD -s 192.168.0.133 -p tcp --dport 3306 -j ACCEPT
iptables -t nat -A PREROUTING -d tfmelo.sytes.net -p tcp -m tcp --dport 3306 -j DNAT --to-destination 192.168.0.133:3306
# Protection against stealth port scanners
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# Blocking traceroute
iptables -A INPUT -p udp -s 0/0 -i eth1 --dport 33435:33525 -j DROP
#Protections against attacks
iptables -A INPUT -m state --state INVALID -j DROP
#Protection against IP Spoofing
iptables -A INPUT -s 172.16.0.0/16 -i ext_face -j DROP
iptables -A INPUT -s 192.168.0.0/24 -i ext_face -j DROP
iptables -A INPUT -s 192.168.0.0/24 -i ext_face -j DROP
#Suppressing replies to ICMP 8 (echo reply)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
#done
echo "Iptables Pronto"
and nothing. I run nmap against the IP 192.168.0.133 and the ports are open, but when I run nmap against my no-ip address it only reports port 80 as open, even though my web server is on another machine on the network (Windows).
Can someone please help me *.*
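
An added example, not part of the original post: a small shell lint that reads a saved copy of a rule script like the ones above and reports exact duplicate rules, `-i`/`-o` interface names that are not in a known list, and ACCEPT rules for a port with no source restriction. The function names and the interface list `lo eth0 eth1` are assumptions made for the example; the sample rules are a constructed subset copied from the post.

```shell
#!/bin/sh
# Constructed sample: a subset of the rules from the post above.
sample_rules() {
cat <<'EOF'
iptables -t nat -A PREROUTING -p tcp --sport 3306 -s 192.168.0.133/24 -j ACCEPT
iptables -A FORWARD -p tcp --dport 3306 -s 0/0 -d 192.168.0.133/24 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --sport 3306 -s 192.168.0.133/24 -j ACCEPT
iptables -A FORWARD -p tcp --dport 3306 -s 0/0 -d 192.168.0.133/24 -j ACCEPT
iptables -A INPUT -p udp -s 0/0 -i eth1 --dport 33435:33525 -j DROP
iptables -A INPUT -s 172.16.0.0/16 -i ext_face -j DROP
iptables -A INPUT -s 192.168.0.0/24 -i ext_face -j DROP
iptables -A INPUT -s 192.168.0.0/24 -i ext_face -j DROP
EOF
}

# Print every rule that occurs more than once, prefixed by its count.
duplicate_rules() {
    grep '^iptables ' |
    awk '{c[$0]++} END {for (r in c) if (c[r] > 1) print c[r], r}' | sort
}

# Print interface names given to -i/-o that are not in $1 (space-separated).
# On a live host the list could come from: ls /sys/class/net
unknown_ifaces() {
    known=" $1 "
    grep '^iptables ' | tr -s ' ' '\n' |
    awk 'p {print; p = 0} $0 == "-i" || $0 == "-o" {p = 1}' | sort -u |
    while read -r ifc; do
        case "$known" in *" $ifc "*) ;; *) echo "$ifc" ;; esac
    done
}

# Print ACCEPT rules for destination port $1 whose source is unrestricted:
# either no -s at all or a source starting with 0 (0/0, 0.0.0.0/0).
world_open() {
    grep -- "--dport $1 " | grep -- '-j ACCEPT' | grep -Ev -- ' -s [1-9]'
}

echo "Duplicate rules:";       sample_rules | duplicate_rules
echo "Unknown interfaces:";    sample_rules | unknown_ifaces "lo eth0 eth1"
echo "3306 open to any source:"; sample_rules | world_open 3306
```

To check a real script, replace `sample_rules` with `cat` on the saved rule file and pass the host's actual interface names.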