henriquebh
(usa Debian)
Enviado em 07/01/2011 - 13:38h
Segue meu conf
#!/bin/bash
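#######################################
# Bring the firewall up: load the netfilter modules, reset both tables and
# install the complete rule set.
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   exit status of the last iptables command
#
# Fixes against the posted version:
#  - the LAN netmask was written as 245.255.255.0 (invalid, iptables rejects
#    the rule, so the LAN was never allowed to talk to the router);
#  - one LOG rule had "-jLOG" instead of "-j LOG";
#  - modules, ip_forward and the table flush were done twice.
# Rule ORDER is kept as the author wrote it; places where a later rule is
# shadowed by an earlier one are marked NOTE(review) rather than reordered,
# because moving them changes what is exposed to the internet.
#######################################
iniciar() {
  # Network constants; 192.168.1.0/24 is the same prefix as 255.255.255.0.
  local -r lan='192.168.1.0/24'
  local -r lan_if='eth0'   # interface toward the LAN
  local -r wan_if='ppp0'   # GVT link; the NET (eth1) variant is kept commented below

  echo "Iniciando o Firewall .................................[ OK ]"
  echo "...."
  echo "..."
  echo ".."
  echo "."

  # Kernel modules (each loaded once) and IPv4 forwarding
  modprobe ip_tables
  modprobe ip_nat_ftp
  modprobe ip_conntrack_ftp
  modprobe iptable_nat
  echo 1 > /proc/sys/net/ipv4/ip_forward

  # Start from an empty rule set: flush both tables, delete user chains,
  # then set fail-closed default policies.
  iptables -F
  iptables -t nat -F
  iptables -X
  iptables -t nat -X
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT

  # Allow already-established connections and their related traffic.
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

  # Internet sharing over the GVT link
  iptables -t nat -A POSTROUTING -o "$wan_if" -j MASQUERADE
  iptables -A FORWARD -i "$lan_if" -j ACCEPT
  # Internet sharing over the NET link (disabled)
  #iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
  #iptables --append FORWARD --in-interface eth0 -j ACCEPT

  # Hosts allowed to bypass the proxy (ACCEPT in nat/PREROUTING is evaluated
  # before the port-80 REDIRECT further down, so these are never redirected).
  iptables -t nat -A PREROUTING -i "$lan_if" -s 192.168.1.22 -d 0/0 -j ACCEPT # Alexandre
  iptables -t nat -A PREROUTING -i "$lan_if" -s 192.168.1.23 -d 0/0 -j ACCEPT # Raquel
  iptables -t nat -A PREROUTING -i "$lan_if" -s 192.168.1.31 -d 0/0 -j ACCEPT # Auditorio
  iptables -t nat -A PREROUTING -i "$lan_if" -s 192.168.1.49 -d 0/0 -j ACCEPT # Roselia
  iptables -t nat -A PREROUTING -i "$lan_if" -s 192.168.1.58 -d 0/0 -j ACCEPT # Pesquisa
  iptables -t nat -A PREROUTING -i "$lan_if" -s 192.168.1.65 -d 0/0 -j ACCEPT # Evaldo
  iptables -t nat -A PREROUTING -i "$lan_if" -s 192.168.1.82 -d 0/0 -j ACCEPT # Alexandre
  iptables -t nat -A PREROUTING -i "$lan_if" -s 192.168.1.94 -d 0/0 -j ACCEPT # Edmarcio
  iptables -t nat -A PREROUTING -i "$lan_if" -s 192.168.1.106 -d 0/0 -j ACCEPT # Netbook AsusEeepc
  iptables -t nat -A PREROUTING -i "$lan_if" -s 192.168.1.114 -d 0/0 -j ACCEPT # Wireless Henrique
  iptables -t nat -A PREROUTING -i "$lan_if" -s 192.168.1.117 -d 0/0 -j ACCEPT # Rede Henrique
  echo "O Usuario Auditorio esta liberado sem proxy ..........[ OK ]"
  echo "O Usuario Alexandre esta liberado sem proxy ..........[ OK ]"
  echo "O Usuario Evaldo esta liberado sem proxy .............[ OK ]"
  echo "O Usuario Henrique esta liberado sem proxy ...........[ OK ]"
  echo "O Usuario Pesquisa esta liberado sem proxy ...........[ OK ]"
  echo "O Usuario Raquel esta liberado sem proxy .............[ OK ]"
  echo "O Usuario Roselia esta liberado sem proxy ............[ OK ]"

  # E-mail
  # NOTE(review): the "--sport" rules accept NEW forwarded traffic from any
  # source that merely uses 25/110/465/587/995 as its source port; the
  # ESTABLISHED,RELATED rule above already handles the replies, so the
  # --sport rules add exposure without adding functionality.
  iptables -A FORWARD -p TCP -s "$lan" --dport 25 -j ACCEPT
  iptables -A FORWARD -p TCP -s "$lan" --dport 110 -j ACCEPT
  iptables -A FORWARD -p TCP -s "$lan" --dport 465 -j ACCEPT
  iptables -A FORWARD -p TCP -s "$lan" --dport 587 -j ACCEPT
  iptables -A FORWARD -p TCP -s "$lan" --dport 995 -j ACCEPT
  iptables -A FORWARD -p tcp --sport 25 -j ACCEPT
  iptables -A FORWARD -p tcp --sport 110 -j ACCEPT
  iptables -A FORWARD -p tcp --sport 465 -j ACCEPT
  iptables -A FORWARD -p tcp --sport 587 -j ACCEPT
  iptables -A FORWARD -p tcp --sport 995 -j ACCEPT
  # NOTE(review): this MASQUERADE has no -o/-s match, so it also rewrites
  # traffic the router sends toward the LAN; the $wan_if and $lan rules
  # already cover the sharing case.
  iptables -t nat -A POSTROUTING -j MASQUERADE

  # Block MSN
  iptables -A FORWARD -s "$lan" -p tcp --dport 1863 -j REJECT

  # Masquerade and forwarding for the LAN
  iptables -t nat -A POSTROUTING -s "$lan" -j MASQUERADE
  iptables -A FORWARD -s "$lan" -j ACCEPT

  # STATE RELATED for the router (duplicate of the rule installed above)
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Loopback and LAN may reach the router; everything else is dropped.
  iptables -A INPUT -p tcp -s 127.0.0.1/255.255.255.255 -j ACCEPT
  iptables -A INPUT -p udp -s 127.0.0.1/255.255.255.255 -j ACCEPT
  iptables -A INPUT -p tcp -s "$lan" -j ACCEPT
  iptables -A INPUT -p udp -s "$lan" -j ACCEPT
  # NOTE(review): these two rules drop every remaining tcp/udp packet, so
  # every INPUT rule below that tries to ACCEPT or LOG tcp/udp (the
  # "open to the internet" ports, the squid/3128 rules, the LOG rules and
  # the eth1 3389 rule) is never reached. Decide which of them are wanted
  # and move them above this point.
  iptables -A INPUT -p tcp -s 0.0.0.0/0.0.0.0 -j DROP
  iptables -A INPUT -p udp -s 0.0.0.0/0.0.0.0 -j DROP

  # Redirect port 443 to Squid (disabled)
  #iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.1.0/24 --dport 443 -j REDIRECT --to-port 3128
  #iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3128

  # Allow "Receita" (port 3456) in both directions
  iptables -A FORWARD -p tcp -s "$lan" -d 0.0.0.0/0.0.0.0 --dport 3456 -j ACCEPT
  iptables -A FORWARD -p tcp -d "$lan" -s 0.0.0.0/0.0.0.0 --dport 3456 -j ACCEPT

  # Ports open to the internet (no -i restriction: applies on every interface)
  iptables -A INPUT -p tcp --dport 21 -j ACCEPT
  iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  iptables -A INPUT -p tcp --dport 25 -j ACCEPT
  iptables -A INPUT -p tcp --dport 53 -j ACCEPT
  iptables -A INPUT -p udp --dport 53 -j ACCEPT
  iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  iptables -A INPUT -p tcp --dport 110 -j ACCEPT
  iptables -A INPUT -p tcp --dport 443 -j ACCEPT
  iptables -A INPUT -p tcp --dport 221 -j ACCEPT
  # Remote Desktop port
  iptables -A INPUT -p tcp --dport 3389 -j ACCEPT
  iptables -A INPUT -p udp --dport 3389 -j ACCEPT

  # Block ICMP
  iptables -A INPUT -p icmp -j REJECT

  # Squid and HTTP on the LAN interface
  iptables -A INPUT -p tcp --dport 3128 -i "$lan_if" -j ACCEPT
  iptables -A INPUT -p tcp --dport 80 -i "$lan_if" -j ACCEPT
  # Send all LAN port-80 traffic to Squid
  iptables -t nat -A PREROUTING -i "$lan_if" -p tcp -s "$lan" --dport 80 -j REDIRECT --to-port 3128
  iptables -t nat -A PREROUTING -i "$lan_if" -p tcp --dport 80 -j REDIRECT --to-port 3128

  # Block Gtalk
  # NOTE(review): the hostname is resolved once, when the rule is loaded;
  # if DNS is unavailable at boot the rule fails, and later address changes
  # are not followed.
  iptables -I INPUT -s chatenabled.mail.google.com -j DROP
  iptables -A OUTPUT -d chatenabled.mail.google.com -j DROP
  iptables -I FORWARD -s 0/0 -d chatenabled.mail.google.com -j DROP

  # Log access attempts to selected ports
  iptables -A INPUT -p tcp --dport 22 -i "$lan_if" -j LOG --log-prefix "FIREWALL: ssh: "
  iptables -A INPUT -p tcp --dport 21 -i "$lan_if" -j LOG --log-prefix "FIREWALL: ftp: "
  iptables -A INPUT -p tcp --dport 23 -i "$lan_if" -j LOG --log-prefix "FIREWALL: telnet: "
  iptables -A INPUT -p tcp --dport 25 -i "$lan_if" -j LOG --log-prefix "FIREWALL: smtp: "
  iptables -A INPUT -p tcp --dport 80 -i "$lan_if" -j LOG --log-prefix "FIREWALL: http: "
  iptables -A INPUT -p tcp --dport 110 -i "$lan_if" -j LOG --log-prefix "FIREWALL: pop3: "
  iptables -A INPUT -p udp --dport 111 -i "$lan_if" -j LOG --log-prefix "FIREWALL: rpc: "
  iptables -A INPUT -p tcp --dport 113 -i "$lan_if" -j LOG --log-prefix "FIREWALL: identd: "
  iptables -A INPUT -p tcp --dport 137:139 -i "$lan_if" -j LOG --log-prefix "FIREWALL: samba: "
  iptables -A INPUT -p udp --dport 137:139 -i "$lan_if" -j LOG --log-prefix "FIREWALL: samba: "
  iptables -A INPUT -p tcp --dport 161:162 -i "$lan_if" -j LOG --log-prefix "FIREWALL: snmp: "
  iptables -A INPUT -p tcp --dport 6881 -i "$lan_if" -j LOG --log-prefix "FIREWALL: torrent: "
  iptables -A INPUT -p udp --dport 6885 -i "$lan_if" -j LOG --log-prefix "FIREWALL: torrent: "
  iptables -A INPUT -p udp --dport 4444 -i "$lan_if" -j LOG --log-prefix "FIREWALL: torrent: "
  iptables -A INPUT -p tcp --dport 6667:6668 -i "$lan_if" -j LOG --log-prefix "FIREWALL: irc: "
  iptables -A INPUT -p tcp --dport 3128 -i "$lan_if" -j LOG --log-prefix "FIREWALL: squid: "
  echo "Gerador de LOG's ativado .............................[ OK ]"

  # Remote Desktop: accept on eth1 and DNAT to the internal host
  iptables -A INPUT -i eth1 -s 0/0 -p tcp --dport 3389 -j ACCEPT #terminal service
  iptables -t nat -A PREROUTING -s 0/0 -m tcp -p tcp -i eth1 --dport 3389 -j DNAT --to-destination 192.168.1.1
  # NOTE(review): the rule above already matches this traffic and keeps the
  # destination port (3389), so this second DNAT to port 3398 never fires;
  # confirm which port was intended and keep only one of the two.
  iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 3389 -j DNAT --to 192.168.1.1:3398

  # Block ports 1025 to 65535 from the LAN
  # NOTE(review): on FORWARD the LAN is already accepted unconditionally
  # above ("-A FORWARD -s $lan -j ACCEPT"), so the FORWARD rule here is
  # shadowed.
  iptables -A INPUT -s "$lan" -p tcp --dport 1025:65535 -j DROP
  iptables -A FORWARD -s "$lan" -p tcp --dport 1025:65535 -j DROP

  # Last rule of the chain
  iptables -A INPUT -p tcp --syn -j REJECT
  echo "Ativacao de regras de firewall .......................[ OK ]"
}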
#######################################
# Bring the firewall down: flush the nat and filter tables and leave the
# default policies fail-closed (INPUT/FORWARD DROP, OUTPUT ACCEPT).
# Globals:   none
# Arguments: none
# Outputs:   one status line on stdout
# Returns:   exit status of the echo (always 0)
# NOTE(review): because INPUT stays DROP, "stop" also cuts remote
# administration to this host; confirm that is the intended behaviour.
#######################################
parar() {
  local chain
  for chain in POSTROUTING PREROUTING OUTPUT; do
    iptables -t nat -F "$chain"
  done
  iptables -F
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT
  echo "Desativacao de regras de firewall ....................[ OK ]"
}
# Entry point: dispatch on the first argument.
# NOTE(review): an unknown argument prints the usage text on stdout and the
# script still exits 0; init-style callers expect stderr and a non-zero status.
action=${1:-}
case "$action" in
  start)
    iniciar
    ;;
  stop)
    parar
    ;;
  restart)
    parar
    iniciar
    ;;
  *)
    printf '%s\n' "Indique um dos parametros de configuracao 'start' ou 'stop' ou 'restart'"
    ;;
esac
Obrigado