murilo_baqueta
(usa Ubuntu)
Enviado em 29/11/2011 - 16:01h
Galera, aqui na empresa onde eu trabalho foi implantado um sistema de câmeras DVR; neste aparelho é possível acessar as câmeras externamente pelo próprio browser. Para fazer isto basta configurar um IP no aparelho e uma porta.
Até aí tudo bem, porém no meu servidor eu libero a porta, libero o IP para não passar pelo proxy e redirecionei a porta do DVR para o IP do aparelho, e não funciona o acesso externo nem a pau. Seguem aí as configurações do meu iptables; vejam o que está de errado.
Internamente funciona uma beleza, mas preciso que funcione externamente.
Obrigado
#!/bin/bash
# Stage 1: load the netfilter modules the rules below rely on, then wipe
# every rule, counter and user-defined chain in filter/nat/mangle so the
# script starts from an empty ruleset. Chain policies are NOT reset here
# (-F/-X never touch them); only FORWARD's policy is set, near the end.
# NOTE(review): there is no `set -e`, so a failing modprobe (e.g. a module
# name that does not exist on this kernel) is silently ignored.
printf '%s\n' " carregando modulos"
for mod in ip_conntrack ipt_MASQUERADE ipt_LOG iptable_nat ip_nat_ftp ip_conntrack_ftp; do
  modprobe "$mod"
done
printf '%s\n' " Limpando regras anteriores"
iptables -F
iptables -Z
# Flush all three tables first, then delete their user chains (same order
# as the original: -F on each table, then -X on each table).
for tbl in filter nat mangle; do
  iptables -t "$tbl" -F
done
for tbl in filter nat mangle; do
  iptables -t "$tbl" -X
done
# Stage 2: outbound NAT and IP forwarding. The default-policy block is
# commented out here; FORWARD's DROP policy is applied further down.
#echo " POLITICAS PADRÃO "
#iptables -P INPUT DROP
#iptables -P OUTPUT DROP
#iptables -P FORWARD DROP
printf '%s\n' " fechando portas tcp/ping em arquivos de controle"
# Loaded already in stage 1; repeated here exactly as in the original.
modprobe iptable_nat
# Everything leaving through eth0 is masqueraded, regardless of its source.
# NOTE(review): the rule carries no `-s` match, so it is not restricted to
# the LAN (192.168.0.0/24 elsewhere in this file); adding
# `-s 192.168.0.0/24` would keep the box from NATing traffic that arrives
# from any other network — confirm eth0 is the WAN-facing interface.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Enable routing between interfaces (written as a literal "1" + newline,
# same bytes the original echo produced).
printf '1\n' > /proc/sys/net/ipv4/ip_forward
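# Stage 3: INPUT filtering — traffic addressed to the firewall host itself.
# These rules do not affect forwarded LAN traffic. INPUT's policy is not
# set by this script (the -P INPUT lines are commented out), so whatever
# policy was already in place decides anything not matched below.
echo " Abre as portas 80, 21, 23, 25, 110, 22, 5900, 2222, 554"
#iptables -A INPUT -p tcp --dport 80 -j ACCEPT
#iptables -A INPUT -p tcp --dport 21 -j ACCEPT
#iptables -A INPUT -p tcp --dport 23 -j ACCEPT
#iptables -A INPUT -p tcp --dport 25 -j ACCEPT
#iptables -A INPUT -p tcp --dport 110 -j ACCEPT
#iptables -A INPUT -p tcp --dport 8200 -j ACCEPT
# NOTE(review): 3389 is accepted on every interface and from any source;
# if eth0 faces the internet this exposes the firewall's own 3389 to it.
# Restrict with `-i eth1` or `-s 192.168.0.0/24` if only LAN use is meant.
iptables -A INPUT -p tcp --dport 3389 -j ACCEPT
iptables -A INPUT -p tcp --dport 554 -j ACCEPT
# OUTPUT's policy is never changed by this script, so this rule only matters
# if a restrictive OUTPUT policy was set elsewhere.
iptables -A OUTPUT -p tcp --dport 554 -j ACCEPT
#echo "Libera a porta 554 e radio uol para windows media player e xmms"
echo " fltrando portas de entrada "
echo " bloqueando portas baixas "
# Fix: the original logged every packet to ports 1-1023 with no rate limit,
# so any remote host could fill the log at will. Rate-limited and prefixed
# here in the same style as the TRINOO/TROJAN/SCANNER chains below. The LOG
# target never drops anything — the DROP rules that follow decide that.
iptables -A INPUT -p tcp --dport 1:1023 -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: low-port: "
# Same ports and order as the original's individual DROP lines.
for port in 1:20 445 1025 5000 6000; do
  iptables -A INPUT -p tcp --dport "$port" -j DROP
done
echo " filtrando sistema "
# The two LAN-scoped DROPs are redundant with the unscoped DROPs on the same
# ports right after them; kept so the ruleset reads as before.
iptables -A INPUT -p tcp -s 192.168.0.0/255.255.255.0 --dport 587 -j DROP
iptables -A INPUT -p tcp -s 192.168.0.0/255.255.255.0 --dport 953 -j DROP
iptables -A INPUT -p tcp --dport 587 -j DROP
iptables -A INPUT -p tcp --dport 953 -j DROP
iptables -A INPUT -p tcp --dport 1024 -j DROP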
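echo " Proteção contra trinoo"
# -------------------------------------------------------
# Each chain: one rate-limited LOG line, then DROP. Only packets addressed
# to the firewall itself on eth0 (INPUT chain) are sent here; forwarded
# LAN traffic is not inspected by these rules.
iptables -N TRINOO
iptables -A TRINOO -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trinoo: "
iptables -A TRINOO -j DROP
for port in 27444 27665 31335 34555 35555; do
  iptables -A INPUT -p tcp -i eth0 --dport "$port" -j TRINOO
done
echo " Proteção contra tronjans"
# -------------------------------------------------------
iptables -N TROJAN
iptables -A TROJAN -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: trojan: "
iptables -A TROJAN -j DROP
# Fix: port 666 was listed twice in the original (two identical rules);
# the duplicate is dropped. Port 6000 is already DROPped unconditionally by
# the "portas baixas" section above, so the 6000 rule here never matches
# and only the earlier one is ever hit.
for port in 666 4000 6000 6006 16660; do
  iptables -A INPUT -p tcp -i eth0 --dport "$port" -j TROJAN
done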
printf '%s\n' " Proteção contra worms"
# -------------------------------------------------------
# Refuse forwarded TCP/135 entering on eth1 (REJECT, so the sender gets an
# error rather than a silent drop).
iptables -A FORWARD -p tcp --dport 135 -i eth1 -j REJECT
printf '%s\n' "Proteção contra syn-flood"
# -------------------------------------------------------
# NOTE(review): this rule ACCEPTs up to 2 forwarded SYN/s from any source to
# any destination and lets the excess fall through to the later rules. With
# no DROP behind it, it does not throttle a flood; in practice it is a small
# "accept anything" allowance that runs ahead of the per-host rules below.
iptables -A FORWARD -p tcp --syn -m limit --limit 2/s -j ACCEPT
printf '%s\n' " Proteção contra ping da morte"
# -------------------------------------------------------
# Same shape as the SYN rule: accepts 1 forwarded echo-request/s, the rest
# fall through to whatever matches next.
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
printf '%s\n' " Proteção contra port scanners"
# -------------------------------------------------------
iptables -N SCANNER
iptables -A SCANNER -m limit --limit 15/m -j LOG --log-level 6 --log-prefix "FIREWALL: port scanner: "
iptables -A SCANNER -j DROP
# Invalid TCP flag combinations arriving on eth0 for the host itself (INPUT).
# Each line is "<mask> <flags that must be set>", in the original order.
while read -r mask comp; do
  iptables -A INPUT -p tcp --tcp-flags "$mask" "$comp" -i eth0 -j SCANNER
done <<'EOF'
ALL FIN,URG,PSH
ALL NONE
ALL ALL
ALL FIN,SYN
ALL SYN,RST,ACK,FIN,URG
SYN,RST SYN,RST
SYN,FIN SYN,FIN
EOF
printf '%s\n' " maquinas liberadas"
# Hosts allowed to send and receive forwarded traffic without restriction.
# FORWARD's policy becomes DROP later in the script, so a LAN host that is
# not in this list only gets through if some other FORWARD rule admits it.
# Order follows the original: viviane, danilo, manfrim, paulo, murilo,
# DVR cameras (192.168.0.102).
# NOTE(review): the script has no ESTABLISHED,RELATED rule, which is why
# both directions are opened explicitly for every host here.
for host in 192.168.0.2 192.168.0.23 192.168.0.17 192.168.0.40 192.168.0.34 192.168.0.102; do
  iptables -A FORWARD -s "$host" -d 0/0 -j ACCEPT
  iptables -A FORWARD -d "$host" -s 0/0 -j ACCEPT
done
printf '%s\n' "liberar porta radio online"
# LAN -> anywhere on port 554, plus the reply direction. The reply rule is
# matched on source port only, not on connection state.
# NOTE(review): any outside host can satisfy `--sport 554`/`--sport 3389`/
# `--sport 8200` simply by choosing that source port; a
# `-m state --state ESTABLISHED,RELATED` rule would tie replies to
# connections the LAN actually opened.
for proto in udp tcp; do
  iptables -A FORWARD -p "$proto" -s 192.168.0.0/24 -d 0.0.0.0/0 --dport 554 -j ACCEPT
  iptables -A FORWARD -p "$proto" -d 192.168.0.0/24 -s 0.0.0.0/0 --sport 554 -j ACCEPT
done
printf '%s\n' "liberar porta para acesso remoto servidor"
# LAN -> anywhere on 3389 and 8200 (TCP only), plus the reply direction.
for port in 3389 8200; do
  iptables -A FORWARD -p tcp -s 192.168.0.0/24 -d 0.0.0.0/0 --dport "$port" -j ACCEPT
  iptables -A FORWARD -p tcp -d 192.168.0.0/24 -s 0.0.0.0/0 --sport "$port" -j ACCEPT
done
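# Liberando as portas
# Stage 8: publish the DVR (192.168.0.102) on TCP/UDP 8200.
# Commented-out history kept from the original for reference:
#iptables -A INPUT -p tcp --destination-port 3389 -j ACCEPT
#iptables -A INPUT -p udp --destination-port 3389 -j ACCEPT
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to-dest 192.168.0.1:3
#iptables -A FORWARD -p tcp -i eth1 --dport 3389 -d 192.168.0.1 -j ACCEPT
#iptables -t nat -A PREROUTING -i eth0 -p udp --dport 3389 -j DNAT --to-dest 192.168.0.1:3389
#iptables -A FORWARD -p udp -i eth1 --dport 3389 -d 192.168.0.1 -j ACCEPT
#iptables -A INPUT -p tcp --destination-port 8200 -j ACCEPT
#iptables -A INPUT -p udp --destination-port 8200 -j ACCEPT
# 8200 to the firewall host itself, both protocols, any interface.
iptables -A INPUT -p tcp --dport 8200 -j ACCEPT
iptables -A INPUT -p udp --dport 8200 -j ACCEPT
# ACCEPT in nat/PREROUTING only means "apply no DNAT to packets from this
# source"; it does not allow anything.
# NOTE(review): 192.168.1.102 is outside the LAN used everywhere else in
# this file (192.168.0.0/24) and the DVR is 192.168.0.102 — likely a typo;
# confirm before changing.
iptables -t nat -A PREROUTING -s 192.168.1.102 -d 0/0 -j ACCEPT
iptables -A FORWARD -p udp -d 0/0 -s 192.168.0.102 --dport 8200 -j ACCEPT
# Fix: the original wrote `192.168.0.0` with no mask, which matches only
# that single (network) address and therefore never a real host; /24 is
# how the LAN is spelled in every other rule of this file.
iptables -A FORWARD -p tcp -s 192.168.0.0/24 -d 0/0 --dport 8200 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.0.0/24 -s 0/0 --dport 8200 -j ACCEPT
iptables -A FORWARD -p tcp -s 200.158.63.94 -d 0/0 --dport 8200 -j ACCEPT
iptables -A FORWARD -p tcp -d 200.158.63.94 -s 0/0 --dport 8200 -j ACCEPT
# The port-forward proper: 8200 arriving on eth0 (the MASQUERADE egress
# interface, i.e. the WAN side) is DNATed to the DVR; FORWARD then admits
# it via the explicit rule below and via the DVR's any-traffic rule in the
# "maquinas liberadas" section. An identical tcp DNAT appeared again later
# in the original and has been dropped as an unreachable duplicate.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8200 -j DNAT --to-dest 192.168.0.102
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 8200 -j DNAT --to-dest 192.168.0.102
iptables -A FORWARD -p tcp -i eth1 --dport 8200 -d 192.168.0.102 -j ACCEPT
iptables -A FORWARD -p udp -i eth1 --dport 8200 -d 192.168.0.102 -j ACCEPT
iptables -A INPUT -p tcp -d 200.158.63.94 --destination-port 8200 -j ACCEPT
# NOTE(review): for tcp/8200 entering on eth1 the first matching DNAT wins,
# so LAN clients are sent to 200.158.63.94 and the 192.168.0.102 DNAT right
# after it is never reached for tcp. Only the eth0 DNAT above can serve
# external clients; if external access still fails with these rules, the
# remaining suspects are outside this script (the DVR's default gateway,
# whether 200.158.63.94 is really eth0's address, and whether 8200 is the
# port configured on the DVR) — TODO confirm.
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 8200 -j DNAT --to 200.158.63.94
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 8200 -j DNAT --to 192.168.0.102
iptables -A FORWARD -p tcp --dport 8200 -i eth0 -j ACCEPT
# Removed from the original as unreachable: `INPUT -p tcp -d 192.168.0.102
# --destination-port 8200 ACCEPT` and `INPUT -p TCP -i eth0 --dport 8200
# ACCEPT` — both are already matched by the any-interface INPUT tcp/8200
# ACCEPT at the top of this section.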
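echo " POLITICAS PADRÃO "
#iptables -P INPUT DROP
#iptables -P OUTPUT DROP
# Only FORWARD gets a DROP policy. INPUT and OUTPUT keep whatever policy
# was in effect before the script ran (-F at the top does not reset them).
iptables -P FORWARD DROP
echo " liberação locaweb"
# Fix: `-s 192.168.0.0` had no mask and matched only the single address
# 192.168.0.0, so these two MASQUERADE rules could never fire. With /24
# they match the LAN; the unconditional eth0 MASQUERADE at the top of the
# script is appended first and already handles this traffic, so this is a
# correctness/readability fix, not a behaviour change.
# NOTE(review): 200.234.210.12/16 and 174.120.99.2/16 have host bits set;
# iptables masks them to 200.234.0.0/16 and 174.120.0.0/16, and the FORWARD
# rules below then accept everything to and from those two entire /16s.
# If a single server was meant, use /32.
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 200.234.210.12/16 -o eth0 -j MASQUERADE
iptables -A FORWARD -s 200.234.210.12/16 -j ACCEPT
iptables -A FORWARD -d 200.234.210.12/16 -j ACCEPT
echo " liberação hostgator"
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 174.120.99.2/16 -o eth0 -j MASQUERADE
iptables -A FORWARD -s 174.120.99.2/16 -j ACCEPT
iptables -A FORWARD -d 174.120.99.2/16 -j ACCEPT
echo " abrindo conexão para a rede"
# New TCP connections from the LAN to the firewall host itself.
iptables -A INPUT -p tcp --syn -s 192.168.0.0/255.255.255.0 -j ACCEPT
#echo " liberar porta para Radio on-line "
#echo " REDIRECIONAMENTO"
# NOTE(review): `--to 192.168.0.0` is the network address, which no host
# uses, so inbound 8080 is forwarded nowhere. Point it at the real server,
# e.g. `--to <LAN_HOST_IP>` (placeholder — the intended host is not in this
# file).
iptables -t nat -A PREROUTING -p udp -i eth0 --dport 8080 -j DNAT --to 192.168.0.0
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 8080 -j DNAT --to 192.168.0.0
echo " trava o restante das portas"
# Fix: rate-limit the catch-all LOG. With FORWARD's policy now DROP, every
# unmatched forwarded packet reached this rule and produced an unbounded
# stream of log lines that any host could use to fill the disk. Same limit
# style as the other LOG rules in this file; nothing is dropped here — the
# chain policy does that after the rule.
iptables -A FORWARD -m limit --limit 15/m -j LOG --log-prefix SPY-REDE_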