Redirecionamento de portas no IPTABLES [RESOLVIDO]

alisrios
(usa Debian)

Enviado em 21/12/2016 - 10:25h

Olá pessoal, sou iniciante no linux e estou com dificuldades em redirecionar a porta 80 de um servidor Windows Server 2012 R2 (IIS) para acesso externo. O problema é que o redirecionamento que fiz no meu script do firewall funciona externamente, porem, para efeito de testes, gostaria te acessá-lo da minha rede interna pelo ip externo. Por favor me ajudem. Segue meu script firewall.

#!/bin/bash

### BEGIN INIT INFO
# Provides: Script Firewall
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Firewall
# Description: Script Firewall based on Iptables
### END INIT INFO

######################
# DECLARANDO AS VARIAVEIS #
######################

# Interface de rede ligada a internet
WAN="eth0";

# Interface de rede ligada a rede interna 1
LAN1="eth1";

# Interface de rede ligada a rede interna 2
LAN2="eth2";

# Rede interna 1
IP_REDE1="192.168.0.0/24";

# Rede interna 2
IP_REDE2="10.0.0.0/8";

# IP Local1
IP_LOCAL1="192.168.0.1";

# IP Local2
IP_LOCAL2="10.0.0.1";

# Loopback
IP_LOOPBACK="127.0.0.1";

# Portas liberadas TCP
PORTAS_TCP="20,21,53,80,8080,8085,9000,10000,443,445,137,138,139,2049"

# Portas liberadas UDP
PORTAS_UDP="53,67,68,137,138,139,2049,8085,9000,10000"

# Portas liberadas para a rede interna
PORTAS_REDE_INTERNA="20,21,22,25,110,143,80,8080,8085,9000,465,587,993,995,10000"

# Enderecos ips Rede AMR
IPS10="10.0.0.253,10.0.0.210,10.0.0.211,10.0.0.20,10.0.0.21"

# ENDERECOS IPS Rede Tecnica
IPS192="192.168.0.40,192.168.0.41,192.168.0.50,192.168.0.60,192.168.0.61,192.168.0.62,192.168.0.70,192.168.0.71,192.168.0.200,192.168.0.230"

#Declaracao de Modulos
#MODPROBE=/sbin/modprobe


###Inicio Scrit Firewall###

function start () {

######################
# CARREGANDO MODULOS #
######################

echo "Carregando os Modulos OK"

modprobe ip_tables
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_LOG
modprobe ipt_REJECT
modprobe ipt_MASQUERADE
modprobe ipt_state
modprobe ipt_multiport
modprobe iptable_mangle
modprobe ipt_tos
modprobe ipt_limit
modprobe ipt_mark
modprobe ipt_MARK
modprobe ip_nat_pptp
modprobe ip_conntrack
modprobe pptp
modprobe nf_conntrack_ftp
modprobe nf_conntrack_pptp
modprobe nf_nat_pptp
#modprobe ip_queue
modprobe ip_tables
modprobe ipt_REDIRECT
modprobe ipt_REJECT
modprobe ipt_TCPMSS
modprobe ipt_mac
modprobe ipt_owner
modprobe iptable_filter

############################################################
# FUNCAO START #
# Esta funcao limpa as regras criadas anteriormente, e insere as regras listadas na funcao
###########################################################

echo "Limpando as regras do firewall OK"

# Limpa as regras da tabela filter
iptables -F
iptables -X
iptables -Z
# Limpa as regras da tabela nat
iptables -t nat -F
iptables -t nat -X
# Limpa as regras da tabela mangle
iptables -t mangle -F
iptables -t mangle -X

## DEFINE AS POLOTICAS PADROES DO IPTABLES COMO DROP #
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

## DEFINE AS POLOTICAS PADROES DO IPTABLES COMO ACCEPT #
#iptables -P INPUT ACCEPT
#iptables -P OUTPUT ACCEPT
#iptables -P FORWARD ACCEPT

# HABILITA O ROTEAMENTO NO KERNEL #
echo "1" > /proc/sys/net/ipv4/ip_forward

### Protege contra synflood
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

### Protecao contra ICMP Broadcasting
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts


################################################################################################
####################### HABILITANDO A CONEXAO COM IP DINAMICO ##################################

echo 1 > /proc/sys/net/ipv4/ip_dynaddr

################################################################################################

################################################################################################
################################## ANTI-BUGS RESPONSE ##########################################

echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Forward traffic between DMZ and WAN
#iptables -A FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -i eth0 -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Forward traffic between DMZ and WAN
#iptables -A FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -i eth2 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -i eth0 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

#Impedindo novamente as redes de se verem.
iptables -A FORWARD -s $IP_REDE1 -d $IP_REDE2 -j DROP
iptables -A FORWARD -s $IP_REDE2 -d $IP_REDE1 -j DROP

## REGRA PARA REDES DIFERENTES SE ENCHERGAREM
iptables -I FORWARD -s $IPS192 -d $IPS10 -j ACCEPT
iptables -I FORWARD -s $IPS10 -d $IPS192 -j ACCEPT

#iptables -I FORWARD -s 192.168.0.60 -d 10.0.0.210 -j ACCEPT
#iptables -I FORWARD -s 10.0.0.210 -d 192.168.0.60 -j ACCEPT

#iptables -I FORWARD -s 192.168.0.60 -d 10.0.0.211 -j ACCEPT
#iptables -I FORWARD -s 10.0.0.211 -d 192.168.0.60 -j ACCEPT

################################################################################################
##CRIA A IDA E VOLTA DO ACESSO NAS CHAINS INPUT, OUTPUT E FORWARD, ASSIM NÃO PRECISAMOS CRIAR A IDA E VOLTA NAS REGRAS
## Regras Padrao ### Protecao diversas contra portscanners, ping of death, ataques DoS, pacotes danificados e etc.##
iptables -A INPUT -i lo -j ACCEPT
iptables -I OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -N VALID_CHECK
iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL ALL -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A VALID_CHECK -p tcp --tcp-flags ALL NONE -j DROP

##############
# REGRAS DE NAT #
##############

## Regra para o IP nao passar pelo Proxy##
#iptables -t nat -A PREROUTING -i eth1 -s 192.168.0.60 -d 0/0 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -s 192.168.0.116 -d 0/0 -j ACCEPT

## SonicWall TZ300
#iptables -t nat -A PREROUTING -i $LAN1 -s 192.168.0.249 -d 0/0 -j ACCEPT

## Server2012
#iptables -t nat -A PREROUTING -i $LAN2 -s 10.0.0.253 -d 0/0 -j ACCEPT

## Libera o site Tecvoz
#iptables -t nat -A PREROUTING -i $LAN1 -s 0/0 -d www.tecvozddns.com.br -j ACCEPT

## Configuração Sped
#iptables -t nat -I PREROUTING -d 200.198.232.62 -j RETURN
#iptables -t nat -I PREROUTING -d sped.fazenda.gov.br -j RETURN

## Liberar porta Caixa
#iptables -t nat -I PREROUTING -d 177.47.8.100 -p tcp --dport 443 -j ACCEPT
#iptables -I FORWARD -p tcp -d 177.47.8.100 --dport 443 -j ACCEPT
#iptables -t nat -I PREROUTING -d 177.47.8.100 -j RETURN
#iptables -A FORWARD -p tcp -s 0/0 -d caixa.gov.br -j ACCEPT
#iptables -A FORWARD -p tcp -s 0/0 -d bb.com.br -j ACCEPT
#iptables -A FORWARD -p tcp -s 0/0 -d bancobrasil.com.br -j ACCEPT
#iptables -A FORWARD -p tcp -s 0/0 -dport 443 -j ACCEPT

## COBCAIXA
#iptables -A FORWARD -s 192.168.0.5 -d 200.187.135.227 -p tcp --dport 21 -j ACCEPT
#iptables -A FORWARD -s 192.168.0.5 -d 200.187.135.227 -p tcp --dport 20 -j ACCEPT


## Liberando site Caixa
##iptables -A PREROUTING -d ! 200.201.174.207 -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
#iptables -t nat -I PREROUTING -p tcp -d 200.201.174.0/24 --dport 2631 -j ACCEPT
#iptables -I FORWARD -p tcp -d 200.201.174.0/24 --dport 2631 -j ACCEPT
#iptables -t nat -I PREROUTING -p tcp -d 200.201.174.0/24 --dport 80 -j ACCEPT
#iptables -I FORWARD -p tcp -d 200.201.174.0/24 --dport 80 -j ACCEPT
#iptables -t nat -I PREROUTING -p tcp -d 200.201.166.0/24 --dport 80 -j ACCEPT
#iptables -I FORWARD -p tcp -d 200.201.166.0/24 --dport 80 -j ACCEPT

## Conectividade social
#iptables -t nat -I PREROUTING -i eth1 -p tcp --dport 80 -d 200.201.174.0/24 -j RETURN
#iptables -t nat -I PREROUTING -i eth1 -p tcp --dport 80 -d 200.201.173.0/24 -j RETURN
#iptables -t nat -I PREROUTING -i eth1 -p tcp --dport 80 -d 200.201.166.0/24 -j RETURN


##Regra Site Consulturio Unimed
#iptables -t nat -I PREROUTING -d consultorio.unimedfesp.coop.br -j RETURN


## Bloqueio Internet
#iptables -A INPUT -j LOG
#iptables -A OUTPUT -j LOG
#iptables -A FORWARD -j LOG
#iptables -A FORWARD -s 192.168.0.60 -j LOG --log-prefix "internet" --log-level alert #LOG DE ACESSO
#iptables -A FORWARD -s 192.168.0.60 -j DROP
#iptables -t nat -A POSTROUTING -s 192.168.0.60 -j ACCEPT

##Redirecionando porta 80 para 3128 squid
iptables -t nat -A PREROUTING -i $LAN1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i $LAN2 -p tcp --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -A PREROUTING -i $LAN1 -p tcp --dport 443 -j REDIRECT --to-port 3143
#iptables -t nat -A PREROUTING -i $LAN2 -p tcp --dport 443 -j REDIRECT --to-port 3143


## Mascarando placa de rede interna 1 #Compartilhando a Internet WAN
#iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
iptables -t nat -A POSTROUTING -s $IP_REDE1 -o $WAN -j MASQUERADE
iptables -t filter -A FORWARD -s $IP_REDE1 -j ACCEPT
iptables -t filter -A FORWARD -d $IP_REDE1 -j ACCEPT

##Mascarando placa de rede interna 2 #Compartilhando a Internet WAN
#iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
iptables -t nat -A POSTROUTING -s $IP_REDE2 -o $WAN -j MASQUERADE
iptables -t filter -A FORWARD -s $IP_REDE2 -j ACCEPT
iptables -t filter -A FORWARD -d $IP_REDE2 -j ACCEPT

#PPPOE #Compartilhando a Internet PPPOE
#iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s $IP_REDE1 -o ppp0 -j MASQUERADE

# Acesso remoto via RDP para um host RWindows

#SonicWall
#iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 5001 -j DNAT --to 192.168.0.249

#Server 2012
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 6000 -j DNAT --to 10.0.0.253:3389

#MaxManager
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to 10.0.0.253

#Email Transmarca
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 5000 -j DNAT --to 192.168.0.250:3389

##Adserver
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 5600 -j DNAT --to 192.168.0.201:3389

#DVRS
#iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 8085 -j DNAT --to 192.168.0.200
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 9000 -j DNAT --to 192.168.0.200

#DVR teste
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 8085 -j DNAT --to 192.168.0.100
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 4550 -j DNAT --to 192.168.0.100
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 5550 -j DNAT --to 192.168.0.100

##Acesso VPN Windows Server
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 47 -j DNAT --to 192.168.0.249
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 500 -j DNAT --to 192.168.0.249
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 1723 -j DNAT --to 192.168.0.249

## VPN#regras para fazer o nat para ip externo na porta 1723 VPN
iptables -t nat -A PREROUTING -i $LAN2 -p tcp --dport 1723 -j DNAT --to-dest 192.168.0.249
iptables -A FORWARD -p tcp -i $LAN2 --dport 1723 -d 192.168.0.249 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
iptables -t nat -A PREROUTING -p gre -j DNAT --to 192.168.0.249

#para acessar FTP externo
iptables -A FORWARD -i $WAN -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN -p udp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i $WAN --dport 21 -j DNAT --to $IP_LOCAL1:21
iptables -t nat -A PREROUTING -p udp -i $WAN --dport 21 -j DNAT --to $IP_LOCAL1:21


###############
# REGRAS DE INPUT #
###############

# BLOQUEIA O PING EXTERNO #
iptables -A INPUT -i $WAN -p icmp --icmp-type echo-request -j DROP

# Libera ping interno
iptables -A INPUT -p icmp -j ACCEPT

# Aceita ping apenas da rede interna
iptables -A INPUT -s $IP_REDE1 -p icmp --icmp-type 8 -j ACCEPT

## Libera portas internas TCP e UDP
iptables -A INPUT -p tcp -m multiport --dports $PORTAS_TCP -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports $PORTAS_UDP -j ACCEPT

# Libera o squid a partir da rede interna
iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -p tcp --dport 3143 -j ACCEPT

# Libera o acesso SSH de qualquer origem
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

#iptables -A INPUT -p tcp -i $LAN1 -s $IP_REDE1 -d $IP_LOCAL1 --dport 22 -j ACCEPT

# Libera SSH Externo
#iptables -A INPUT -i $WAN -p tcp --dport 22 -j ACCEPT

#Libera SSH Rede Interna
#iptables -A INPUT -s $IP_REDE1 -p tcp --dport 22 -j ACCEPT

#iptables -A INPUT -i $WAN -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

#iptables -A INPUT -i $WAN -p tcp -s $IP_REDE1 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT



## Libera ftp
#iptables -A INPUT -i $LAN1 -p tcp --dport 21 -j ACCEPT

##SAMBA
#iptables -A INPUT -p tcp -s $IP_REDE1 --dport 137:139 -j ACCEPT
#iptables -A INPUT -p udp -s $IP_REDE1 --dport 137:139 -j ACCEPT

##WEBMIM
#iptables -A INPUT -p tcp -s $IP_REDE1 --dport 10001 -j ACCEPT

##APACHE
#iptables -A INPUT -p tcp -s $IP_REDE1 --dport 8080 -j ACCEPT

##CIFS
#iptables -A INPUT -p tcp --dport 445 -j ACCEPT

#DNS
#iptables -A INPUT -p tcp --dport 53 -j ACCEPT

#NFS
iptables -A INPUT -p tcp --dport 2049 -j ACCEPT
iptables -A INPUT -p udp --dport 2049 -j ACCEPT

################
# REGRAS DE OUTPUT #
################

# Libera as portas constantes na variavel $PORTAS_TCP (para liberar mais portas, basta inserir as mesmas na variavel citada)
iptables -A OUTPUT -p tcp -m multiport --dports $PORTAS_TCP -j ACCEPT

# Libera as portas constantes na variavel $PORTAS_UDP (para liberar mais portas, basta inserir as mesmas na variavel citada)
iptables -A OUTPUT -p udp -m multiport --dports $PORTAS_UDP -j ACCEPT


#Libera as porta SSH
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT

#Libera as portas individualmente
#iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT
#iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
#iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
#iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT

# Libera ping para qualquer lugar
iptables -A OUTPUT -p icmp -j ACCEPT


##################
# REGRAS DE FORWARD #
##################

##>> BLOQUEAR ACESSO AO MSN MESSENGER
#iptables -A FORWARD -s $IP_REDE1 -p tcp --dport 1863 -j REJECT
#iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 5223 -j REJECT

# Libera as portas constantes em na variavel $PORTAS_REDE_INTERNA (para liberar mais portas, basta inserir as mesmas na variavel citada)
iptables -A FORWARD -p tcp -m multiport --dports $PORTAS_REDE_INTERNA -j ACCEPT

iptables -A FORWARD -p tcp -m multiport --dports $PORTAS_TCP -j ACCEPT
iptables -A FORWARD -p udp -m multiport --dports $PORTAS_UDP -j ACCEPT


#iptables -A FORWARD -p tcp --dport 22 -d $IP_REDE1 -j ACCEPT

# Libera ping
iptables -A FORWARD -p icmp -j ACCEPT

# FINAL DA FUNCAO START #

echo "COMPARTILHAMENTO DE INTERNET OK"
echo "FIREWALL OK"
}

function stop () {
##Parar Roteamento

######################
# CARREGANDO MODULOS #
######################

echo "Carregando os Modulos OK"

modprobe ip_tables
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_LOG
modprobe ipt_REJECT
modprobe ipt_MASQUERADE
modprobe ipt_state
modprobe ipt_multiport
modprobe iptable_mangle
modprobe ipt_tos
modprobe ipt_limit
modprobe ipt_mark
modprobe ipt_MARK
modprobe ip_nat_pptp
modprobe ip_conntrack
modprobe pptp
modprobe nf_conntrack_ftp
modprobe nf_conntrack_pptp
modprobe nf_nat_pptp
#modprobe ip_queue
modprobe ip_tables
modprobe ipt_REDIRECT
modprobe ipt_REJECT
modprobe ipt_TCPMSS
modprobe ipt_mac
modprobe ipt_owner
modprobe iptable_filter

echo "Limpando as regras do firewall OK"

iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# DEFINE AS POLiTICAS PADRROES DO IPTABLES COMO ACCEPT #
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT


echo "1" > /proc/sys/net/ipv4/ip_forward
echo "FIREWALL PARADO"
echo "COMPARTILHAMENTO DE INTERNET PARADO"
}

case $1 in

start)
start
;;

stop)
stop
;;

restart)
stop
start
;;

*)
echo
echo "use start | stop | restart"
exit 0
;;
esac

rubensvital
(usa CentOS)

Enviado em 03/03/2017 - 11:07h

Estou com um problema parecido, só que não acesso meu servidro apache de fora, apesar de chegar nele.

Você já pensou em testar usando o Browser Tor?

souzacarlos
(usa Outra)

Enviado em 03/03/2017 - 19:41h

Boa noite
Para te ajudar então conforme pediu
Pra que isso?

## DEFINE AS POLOTICAS PADROES DO IPTABLES COMO DROP #
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

## DEFINE AS POLOTICAS PADROES DO IPTABLES COMO ACCEPT #
#iptables -P INPUT ACCEPT
#iptables -P OUTPUT ACCEPT
#iptables -P FORWARD ACCEPT

Ou vc utiliza o primeiro bloco onde vc bloqueia alguma coisa ou não coloca nada já que o default é ACCEPT
De qualquer vc tem um monte de regras ou erradas ou desnecessárias, partindo do principio que vc tá iniciando neste mundo concorda comigo que quanto menos linha de código tiver para tomar conta mais fácil será de gerenciar teu firewall?

Sobre teu problema agora: Você não esta conseguindo acesso ao teu firewall de dentro da tua rede é isso? Se sim posta a saída do teu firewall < iptables -L >
aguardo

Network Analyst - Consultor para empresas
contact skype: carlossouzainfo
21 99180-8165 (WhattsApp)

alisrios
(usa Debian)

Enviado em 04/03/2017 - 21:14h

Obrigado amigo pelas informações adicionais. Não é o acesso no meu firewall e sim ao meu servidor de IIS (Windows Server 2012). Eu tenho acesso externo no meu IIS. Eu gostraria, para efeito de testes, acessar o meu servidor de IIS pela minha rede interna (10.0.0.0/8) através do ip externo ex:200.200.200.200. Segue meu iptables -L

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere state INVALID
DROP icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere
ACCEPT icmp -- 192.168.0.0/24 anywhere icmp echo-request
ACCEPT tcp -- anywhere anywhere multiport dports ftp-data,ftp,domain,http,http-alt,8085,9000,webmin,https,microsoft-ds,netbios-ns,netbios-dgm,netbios-ssn,nfs
ACCEPT udp -- anywhere anywhere multiport dports domain,bootps,bootpc,netbios-ns,netbios-dgm,netbios-ssn,nfs,8085,9000,10000
ACCEPT tcp -- anywhere anywhere tcp dpt:3128
ACCEPT tcp -- anywhere anywhere tcp dpt:3143
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:nfs
ACCEPT udp -- anywhere anywhere udp dpt:nfs
ACCEPT gre -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:1723

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 10.0.0.21 amr
ACCEPT all -- 10.0.0.21 192.168.0.200
ACCEPT all -- 10.0.0.21 192.168.0.71
ACCEPT all -- 10.0.0.21 192.168.0.70
ACCEPT all -- 10.0.0.21 192.168.0.62
ACCEPT all -- 10.0.0.21 192.168.0.61
ACCEPT all -- 10.0.0.21 192.168.0.60
ACCEPT all -- 10.0.0.21 192.168.0.50
ACCEPT all -- 10.0.0.21 192.168.0.41
ACCEPT all -- 10.0.0.21 192.168.0.40
ACCEPT all -- 10.0.0.20 amr
ACCEPT all -- 10.0.0.20 192.168.0.200
ACCEPT all -- 10.0.0.20 192.168.0.71
ACCEPT all -- 10.0.0.20 192.168.0.70
ACCEPT all -- 10.0.0.20 192.168.0.62
ACCEPT all -- 10.0.0.20 192.168.0.61
ACCEPT all -- 10.0.0.20 192.168.0.60
ACCEPT all -- 10.0.0.20 192.168.0.50
ACCEPT all -- 10.0.0.20 192.168.0.41
ACCEPT all -- 10.0.0.20 192.168.0.40
ACCEPT all -- 10.0.0.211 amr
ACCEPT all -- 10.0.0.211 192.168.0.200
ACCEPT all -- 10.0.0.211 192.168.0.71
ACCEPT all -- 10.0.0.211 192.168.0.70
ACCEPT all -- 10.0.0.211 192.168.0.62
ACCEPT all -- 10.0.0.211 192.168.0.61
ACCEPT all -- 10.0.0.211 192.168.0.60
ACCEPT all -- 10.0.0.211 192.168.0.50
ACCEPT all -- 10.0.0.211 192.168.0.41
ACCEPT all -- 10.0.0.211 192.168.0.40
ACCEPT all -- 10.0.0.210 amr
ACCEPT all -- 10.0.0.210 192.168.0.200
ACCEPT all -- 10.0.0.210 192.168.0.71
ACCEPT all -- 10.0.0.210 192.168.0.70
ACCEPT all -- 10.0.0.210 192.168.0.62
ACCEPT all -- 10.0.0.210 192.168.0.61
ACCEPT all -- 10.0.0.210 192.168.0.60
ACCEPT all -- 10.0.0.210 192.168.0.50
ACCEPT all -- 10.0.0.210 192.168.0.41
ACCEPT all -- 10.0.0.210 192.168.0.40
ACCEPT all -- server2012.amrtecnologia.local amr
ACCEPT all -- server2012.amrtecnologia.local 192.168.0.200
ACCEPT all -- server2012.amrtecnologia.local 192.168.0.71
ACCEPT all -- server2012.amrtecnologia.local 192.168.0.70
ACCEPT all -- server2012.amrtecnologia.local 192.168.0.62
ACCEPT all -- server2012.amrtecnologia.local 192.168.0.61
ACCEPT all -- server2012.amrtecnologia.local 192.168.0.60
ACCEPT all -- server2012.amrtecnologia.local 192.168.0.50
ACCEPT all -- server2012.amrtecnologia.local 192.168.0.41
ACCEPT all -- server2012.amrtecnologia.local 192.168.0.40
ACCEPT all -- amr 10.0.0.21
ACCEPT all -- amr 10.0.0.20
ACCEPT all -- amr 10.0.0.211
ACCEPT all -- amr 10.0.0.210
ACCEPT all -- amr server2012.amrtecnologia.local
ACCEPT all -- 192.168.0.200 10.0.0.21
ACCEPT all -- 192.168.0.200 10.0.0.20
ACCEPT all -- 192.168.0.200 10.0.0.211
ACCEPT all -- 192.168.0.200 10.0.0.210
ACCEPT all -- 192.168.0.200 server2012.amrtecnologia.local
ACCEPT all -- 192.168.0.71 10.0.0.21
ACCEPT all -- 192.168.0.71 10.0.0.20
ACCEPT all -- 192.168.0.71 10.0.0.211
ACCEPT all -- 192.168.0.71 10.0.0.210
ACCEPT all -- 192.168.0.71 server2012.amrtecnologia.local
ACCEPT all -- 192.168.0.70 10.0.0.21
ACCEPT all -- 192.168.0.70 10.0.0.20
ACCEPT all -- 192.168.0.70 10.0.0.211
ACCEPT all -- 192.168.0.70 10.0.0.210
ACCEPT all -- 192.168.0.70 server2012.amrtecnologia.local
ACCEPT all -- 192.168.0.62 10.0.0.21
ACCEPT all -- 192.168.0.62 10.0.0.20
ACCEPT all -- 192.168.0.62 10.0.0.211
ACCEPT all -- 192.168.0.62 10.0.0.210
ACCEPT all -- 192.168.0.62 server2012.amrtecnologia.local
ACCEPT all -- 192.168.0.61 10.0.0.21
ACCEPT all -- 192.168.0.61 10.0.0.20
ACCEPT all -- 192.168.0.61 10.0.0.211
ACCEPT all -- 192.168.0.61 10.0.0.210
ACCEPT all -- 192.168.0.61 server2012.amrtecnologia.local
ACCEPT all -- 192.168.0.60 10.0.0.21
ACCEPT all -- 192.168.0.60 10.0.0.20
ACCEPT all -- 192.168.0.60 10.0.0.211
ACCEPT all -- 192.168.0.60 10.0.0.210
ACCEPT all -- 192.168.0.60 server2012.amrtecnologia.local
ACCEPT all -- 192.168.0.50 10.0.0.21
ACCEPT all -- 192.168.0.50 10.0.0.20
ACCEPT all -- 192.168.0.50 10.0.0.211
ACCEPT all -- 192.168.0.50 10.0.0.210
ACCEPT all -- 192.168.0.50 server2012.amrtecnologia.local
ACCEPT all -- 192.168.0.41 10.0.0.21
ACCEPT all -- 192.168.0.41 10.0.0.20
ACCEPT all -- 192.168.0.41 10.0.0.211
ACCEPT all -- 192.168.0.41 10.0.0.210
ACCEPT all -- 192.168.0.41 server2012.amrtecnologia.local
ACCEPT all -- 192.168.0.40 10.0.0.21
ACCEPT all -- 192.168.0.40 10.0.0.20
ACCEPT all -- 192.168.0.40 10.0.0.211
ACCEPT all -- 192.168.0.40 10.0.0.210
ACCEPT all -- 192.168.0.40 server2012.amrtecnologia.local
DROP all -- 192.168.0.0/24 10.0.0.0/8
DROP all -- 10.0.0.0/8 192.168.0.0/24
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
ACCEPT tcp -- anywhere anywhere limit: avg 1/sec burst 5
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/SYN,ACK
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- 192.168.0.0/24 anywhere
ACCEPT all -- anywhere 192.168.0.0/24
ACCEPT all -- 10.0.0.0/8 anywhere
ACCEPT all -- anywhere 10.0.0.0/8
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp state NEW,RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:fsp state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere multiport dports ftp-data,ftp,ssh,smtp,pop3,imap2,http,http-alt,8085,9000,urd,submission,imaps,pop3s,webmin
ACCEPT tcp -- anywhere anywhere multiport dports ftp-data,ftp,domain,http,http-alt,8085,9000,webmin,https,microsoft-ds,netbios-ns,netbios-dgm,netbios-ssn,nfs
ACCEPT udp -- anywhere anywhere multiport dports domain,bootps,bootpc,netbios-ns,netbios-dgm,netbios-ssn,nfs,8085,9000,10000
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere state INVALID
ACCEPT tcp -- anywhere anywhere multiport dports ftp-data,ftp,domain,http,http-alt,8085,9000,webmin,https,microsoft-ds,netbios-ns,netbios-dgm,netbios-ssn,nfs
ACCEPT udp -- anywhere anywhere multiport dports domain,bootps,bootpc,netbios-ns,netbios-dgm,netbios-ssn,nfs,8085,9000,10000
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere

Chain VALID_CHECK (0 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE

souzacarlos
(usa Outra)

Enviado em 04/03/2017 - 22:10h

Boa noite
Cara vc tem que melhorar esse teu código tá muito louco, de qualquer forma a resposta é NÃO! Pense nas voltas de roteamento pra isso.


Network Analyst - Consultor para empresas
contact skype: carlossouzainfo
21 99180-8165 (WhattsApp)

alisrios
(usa Debian)

Enviado em 06/03/2017 - 17:08h

Valeu pela ajuda, vou tentar arrumar a minha bagunça deixando meu script mais limpo possível.

alisrios
(usa Debian)

Enviado em 06/03/2017 - 17:11h

Valeu galera pela ajuda. Fuçando pela internet e revendo minhas regras achei a solução criando essa regra para meu teste.

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.253:80

souzacarlos
(usa Outra)

Enviado em 06/03/2017 - 17:20h

Boa tarde, olhe a pergunta e vc vai ver que não foi isso que vc pergontou!


Network Analyst - Consultor para empresas
contact skype: carlossouzainfo
21 99180-8165 (WhattsApp)