Redirecionamento de Portas (Dúvida)
1. Redirecionamento de Portas (Dúvida)
mpc94
(usa Outra)
Enviado em 25/08/2016 - 22:19h
Fala galera, boa noite.Sou novato em Linux e estou tendo dificuldades na configuração de um forwarding.
A Empresa contratou um técnico p/ dar suporte em Linux mas não deu certo... ai estou assumindo.
Tenho um ddns na internet (exemplo.ddns.me) e queria que quando fosse usar o Windows p/fazer conexão remota com este endereço, o firewall redirecionasse p/ um servidor que tenho na Empresa (192.168.1.11:3390)
Como coloco essa regra no ufirewall?
Minha configuração lá está assim:
#!/bin/bash
##############################################
# Script de Firewall #
# Data: 2014-01-08 / Update: 2014-05-20 #
# Criado por Thiago Oliviera #
# Editado por Marcos Paulo #
##############################################
#CARREGA MODULOS
modprobe ip_nat_sip
modprobe ip_nat_ftp
modprobe ip_gre
modprobe ip_nat_pptp
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_pptp
modprobe nf_conntrack_pptp
modprobe nf_conntrack_proto_gre
#VARIAVEIS
RDP="192.168.1.250"
BD="192.168.1.11"
LOCAL="192.168.1.0/24"
MULTI="192.168.2.0/24"
LAN="eth1"
NET="eth0"
#Portas autorizadas a entrar no servidor pela LAN
LOCAL_PORTS="22,53,80"
IPT=`which iptables`
case $1 in
start)
echo "AGUARDE ENQUANTO O FIREWALL CARREGA...."
#ROTEAMENTO ENTRE INTERFACES
echo 1 > /proc/sys/net/ipv4/ip_forward
#TUNNING SYSCTL
echo 1 > /proc/sys/net/ipv4/conf/all/secure_redirects > /dev/null &
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians > /dev/null &
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects > /dev/null &
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route > /dev/null &
echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_redirects > /dev/null &
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses > /dev/null &
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all > /dev/null &
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts > /dev/null &
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects > /dev/null &
echo 0 > /proc/sys/net/ipv4/conf/eth1/proxy_arp > /dev/null &
echo 1 > /proc/sys/net/ipv4/conf/eth1/secure_redirects > /dev/null &
echo 0 > /proc/sys/net/ipv4/conf/eth1/bootp_relay > /dev/null &
echo 2 > /proc/sys/net/ipv4/tcp_syn_retries > /dev/null &
echo 2 > /proc/sys/net/ipv4/tcp_synack_retries > /dev/null &
echo 3 > /proc/sys/net/ipv4/tcp_retries1 > /dev/null &
echo 5 > /proc/sys/net/ipv4/tcp_retries1 > /dev/null &
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout > /dev/null &
echo 3 > /proc/sys/net/ipv4/tcp_keepalive_probes > /dev/null &
echo 30 > /proc/sys/net/ipv4/tcp_keepalive_intvl > /dev/null &
#limpando as chains
$IPT -F
$IPT -X
$IPT -t filter -F
$IPT -t filter -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
#DEFINE POLITICAS PADRAO
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
#Regras de INPUT
$IPT -t filter -A INPUT -i lo -j ACCEPT
$IPT -t filter -A INPUT -i tun0 -j ACCEPT
$IPT -t filter -A INPUT -s $MULTI -j ACCEPT
#$IPT -t filter -A INPUT -p udp --dport 1194 -j ACCEPT
$IPT -t filter -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPT -t filter -A INPUT -m multiport -p tcp -s $LOCAL --dport $LOCAL_PORTS -j ACCEPT
$IPT -t filter -A INPUT -m multiport -p udp -s $LOCAL --dport $LOCAL_PORTS -j ACCEPT
$IPT -t filter -A INPUT -i $NET -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
$IPT -t filter -A INPUT -i $LAN -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
$IPT -t filter -A INPUT -p tcp --syn -s $LOCAL -j ACCEPT
$IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t filter -A INPUT -s $LOCAL -i $NET -j DROP
$IPT -t filter -A INPUT -s 10.0.0.0/8 -i $NET -j DROP
$IPT -t filter -A INPUT -s 172.16.0.0/16 -i $NET -j DROP
$IPT -t filter -A INPUT -s 192.168.0.0/24 -i $NET -j DROP
#REGRAS DE FORWARD E LIBERAR SITES BLOQUEADOS
$IPT -t filter -A FORWARD -i tun0 -j ACCEPT
#$IPT -t nat -A PREROUTING -d $net -p -tcp --dport 3390 -j DNAT --to 192.168.1.11:3390
#$IPT -t nat -A POSTROUTING -d 192.168.1.11:3390 -p -tcp --dport 3390 -j SNAT --to $net
$IPT -I FORWARD -d 192.168.1.108 -m string --algo bm --string "sulamericaparadiso.uol.com.br" -j ACCEPT
$IPT -I FORWARD -s 192.168.1.108 -m string --algo bm --string "sulamericaparadiso.uol.com.br" -j ACCEPT
$IPT -I FORWARD -d 192.168.1.137 -m string --algo bm --string "youtube.com" -j ACCEPT
$IPT -I FORWARD -s 192.168.1.137 -m string --algo bm --string "youtube.com" -j ACCEPT
$IPT -I FORWARD -d 192.168.1.145 -m string --algo bm --string "facebook.com" -j ACCEPT
$IPT -I FORWARD -s 192.168.1.145 -m string --algo bm --string "facebook.com" -j ACCEPT
$IPT -I FORWARD -d 192.168.1.156 -m string --algo bm --string "facebook.com" -j ACCEPT
$IPT -I FORWARD -s 192.168.1.156 -m string --algo bm --string "facebook.com" -j ACCEPT
$IPT -I FORWARD -d 192.168.1.189 -m string --algo bm --string "facebook.com" -j ACCEPT #mp-asus-note
$IPT -I FORWARD -s 192.168.1.189 -m string --algo bm --string "facebook.com" -j ACCEPT
$IPT -I FORWARD -d 192.168.1.189 -m string --algo bm --string "linkedin.com" -j ACCEPT #MP-asus-NOTE
$IPT -I FORWARD -s 192.168.1.189 -m string --algo bm --string "linkedin.com" -j ACCEPT
$IPT -I FORWARD -d 192.168.1.201 -m string --algo bm --string "facebook.com" -j ACCEPT #mp-5s
$IPT -I FORWARD -s 192.168.1.201 -m string --algo bm --string "facebook.com" -j ACCEPT
$IPT -I FORWARD -d 192.168.1.140 -m string --algo bm --string "facebook.com" -j ACCEPT
$IPT -I FORWARD -s 192.168.1.140 -m string --algo bm --string "facebook.com" -j ACCEPT
$IPT -I FORWARD -d 192.168.1.114 -m string --algo bm --string "facebook.com" -j ACCEPT
$IPT -I FORWARD -s 192.168.1.114 -m string --algo bm --string "facebook.com" -j ACCEPT
$IPT -I FORWARD -d 192.168.1.140 -m string --algo bm --string "youtube.com" -j ACCEPT
$IPT -I FORWARD -s 192.168.1.140 -m string --algo bm --string "youtube.com" -j ACCEPT
$IPT -I FORWARD -d 192.168.1.249 -m string --algo bm --string "emprego" -j ACCEPT
$IPT -I FORWARD -s 192.168.1.249 -m string --algo bm --string "emprego" -j ACCEPT
$IPT -I FORWARD -d 192.168.1.249 -m string --algo bm --string "facebook.com" -j ACCEPT
$IPT -I FORWARD -s 192.168.1.249 -m string --algo bm --string "facebook.com" -j ACCEPT
$IPT -I FORWARD -d 192.168.1.249 -m string --algo bm --string "curriculum" -j ACCEPT
$IPT -I FORWARD -s 192.168.1.249 -m string --algo bm --string "curriculum" -j ACCEPT
# $IPT -I FORWARD -d 192.168.1.145 -m string --algo bm --string "facebook.com" -j ACCEPT
# $IPT -I FORWARD -s 192.168.1.145 -m string --algo bm --string "facebook.com" -j ACCEPT
$IPT -A FORWARD -p tcp --dport 443 -m string --string 'facebook.com' --algo bm -j DROP
$IPT -A FORWARD -p tcp --sport 443 -m string --string 'facebook.com' --algo bm -j DROP
$IPT -A FORWARD -p tcp --dport 443 -m string --string 'linkedin.com' --algo bm -j DROP
$IPT -A FORWARD -p tcp --sport 443 -m string --string 'linkedin.com' --algo bm -j DROP
#$IPT -A FORWARD -p tcp --dport 443 -m string --string 'youtube.com' --algo bm -j DROP
#$IPT -A FORWARD -p tcp --sport 443 -m string --string 'youtube.com' --algo bm -j DROP
#$IPT -A FORWARD -m mac --mac-source 00:26:18:F7:84:E0 -m string --string 'facebook.com' --algo bm -j ACCEPT
#PRIORIZA ENTRADA/SAIDA DE PACOTES ORIGINADOS NO FIREWALL
#$IPT -t mangle -A OUTPUT -p udp --dport 53 -j TOS --set-tos Minimize-Delay
#$IPT -t mangle -A FORWARD -s $LOCAL -d $SERVERS -m multiport -p tcp --dport 1433,139,445 -j TOS --set-tos Maximize-Throughput
#$IPT -t mangle -A FORWARD -s $LOCAL -d $SERVERS -m multiport -p udp --dport 137,138 -j TOS --set-tos Maximize-Throughput
#LIBERAR IP DO PROXY
$IPT -t nat -I PREROUTING -s 192.168.1.157 -j ACCEPT
$IPT -t nat -I PREROUTING -s 192.168.1.198 -j ACCEPT
$IPT -t nat -I PREROUTING -s 192.168.1.145 -j ACCEPT
$IPT -t nat -I PREROUTING -s 192.168.1.11 -j ACCEPT
$IPT -t nat -I PREROUTING -s 192.168.1.104 -j ACCEPT
$IPT -t nat -I PREROUTING -s 192.168.1.193 -j ACCEPT
$IPT -t nat -I PREROUTING -s 192.168.1.192 -j ACCEPT
$IPT -t nat -I PREROUTING -s 192.168.1.186 -j ACCEPT
$IPT -t nat -I PREROUTING -s 192.168.1.200 -j ACCEPT
$IPT -t nat -I PREROUTING -s 192.168.1.140 -j ACCEPT
$IPT -t nat -A PREROUTING -s 192.168.1.10 -p tcp --dport 80 -j ACCEPT #Server Sistema
$IPT -t nat -A PREROUTING -s 192.168.1.150 -p tcp --dport 80 -j ACCEPT #Rafa Fat
$IPT -t nat -A PREROUTING -s 192.168.1.162 -p tcp --dport 80 -j ACCEPT #Bruno Gomes
$IPT -t nat -A PREROUTING -s 192.168.1.133 -p tcp --dport 80 -j ACCEPT #Paulo Contabil
$IPT -t nat -A PREROUTING -s 192.168.1.112 -p tcp --dport 80 -j ACCEPT #Thiago-MKT
#$IPT -t nat -A PREROUTING -s 192.168.1.183 -p tcp --dport 80 -j ACCEPT #MP-PC
$IPT -t nat -A PREROUTING -s 192.168.1.140 -p tcp --dport 80 -j ACCEPT #MP-TERRA
#HABILITA PROXY TRANSPARENTE
$IPT -t nat -A PREROUTING -i $LAN -p tcp --dport 80 -j REDIRECT --to 3128
#NAT DE TODAS PORTAS
$IPT -t nat -A POSTROUTING -s $LOCAL -o $NET -j MASQUERADE
#DEFINIR MTU AUTOMATICAMENTE
$IPT -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#Setando uma valor para MTU (use com cuidado - em caso de voip use o valor de 128)
#IPT -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 128
#Redireciona a porta 1723 para VPN SERVER - VIA RADIO e Speedy
$IPT -t nat -A PREROUTING -i $NET -p tcp --dport 3389 -j DNAT --to $RDP:3389
$IPT -t nat -A POSTROUTING -s $RDP -p tcp --sport 3389 -j MASQUERADE
$IPT -t filter -A FORWARD -d $RDP -p tcp --dport 3389 -j ACCEPT
$IPT -t filter -A FORWARD -s $RDP -p tcp --sport 3389 -j ACCEPT
#Redireciona a porta 1723 para VPN SERVER - VIA RADIO e Speedy
#$IPT -t nat -A PREROUTING -i $NET -p tcp --dport 3390 -j DNAT --to $RDP:3389
#$IPT -t nat -A POSTROUTING -s $BD -p tcp --sport 3390 -j MASQUERADE
#$IPT -t filter -A FORWARD -d $BD -p tcp --dport 3390 -j ACCEPT
#$IPT -t filter -A FORWARD -s $BD -p tcp --sport 3390 -j ACCEPT
#RETORNO DOS PACOTES - FORWARD
$IPT -t filter -A FORWARD -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "FIREWALL INICIADO COM SUCESSO [OK]"
#MASCARA A VPN COM NAT
$IPT -t nat -A POSTROUTING -s 10.1.1.0/24 -j MASQUERADE
;;
stop)
#DESABILITA ROTEAMENTO ENTRE INTERFACES
echo 0 > /proc/sys/net/ipv4/ip_forward
#limpando as chains
$IPT -F
$IPT -X
$IPT -t filter -F
$IPT -t filter -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
echo "FIREWALL PARADO COM SUCESSO [OK]"
;;
restart)
$0 stop
$0 start
;;
status)
iptables -nvL
;;
*)
echo "Voce deve usar: $0 {start|stop|restart|status}"
;;
O que estava em negrito foi o que tentei alterar agora e dá erro...
Se alguém puder me ajudar!!
A maior comunidade GNU/Linux da América Latina! Artigos, dicas, tutoriais, fórum, scripts e muito mais. Ideal para quem busca auto-ajuda.
Site hospedado por:
