Folks, does anyone have an example of a script with multiple incoming IPs?
On 11 August 2014 17:23, Rudimar <corsar...@gmail.com> wrote:

Look, folks, something is keeping the iptables rules from working. I installed squid and it is working on port 3128, but even after running

    iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -s 192.168.1.0/24 -j REDIRECT --to 3128

it does not work :(


On 11 August 2014 14:38, Rudimar <corsar...@gmail.com> wrote:

Actually it is 255.255.255.248; I had already tested it and gone back to the default. I set it back to .248 and tested, and nothing...

Another thing: on the interface,
network xxx.xxx.xxx.184/29
is that configuration valid written like that? That is my network.

I had installed webmin and removed it; could some configuration have been left behind?


On 11 August 2014 14:15, Anderson Eckhardt <ander.sama...@gmail.com> wrote:

Are you sure your netmask is 255.255.255.0? That seems like a lot for a public IP...


On 11/08/2014, at 14:10, Rudimar <corsar...@gmail.com> wrote:

Well, folks, I tried the tips but it didn't work; I don't know what it could be.

I'll post my script, it's easier:

    #!/bin/bash
    modprobe iptable_nat
    modprobe iptable_filter
    modprobe ipt_LOG
    modprobe ipt_state
    modprobe ipt_limit

    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    IPT="/sbin/iptables"
    REDE="192.168.1.0/24"
    LAN="eth1"
    WAN="eth0"

    IP1="x.186"
    IP2="x.187"
    IP3="x.188"
    IP4="x.189"

    # Set IPs on the virtual interfaces
    ifconfig eth0:0 x.186 netmask 255.255.255.0
    ifconfig eth0:1 x.187 netmask 255.255.255.0
    ifconfig eth0:2 x.188 netmask 255.255.255.0
    ifconfig eth0:2 x.189 netmask 255.255.255.0

    # Files with the allowed ports
    PT_TCP="/etc/squid/PT_TCP"
    PT_UDP="/etc/squid/PT_UDP"

    # Flushing existing rules
    $IPT -F
    $IPT -Z
    $IPT -t nat -F
    $IPT -t mangle -F
    $IPT -t filter -F
    $IPT -t nat -Z
    $IPT -t mangle -Z
    $IPT -t filter -Z

    echo "Rules cleared."

    # Setting default policies
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Enabling NAT
    $IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE

    # Allow loopback input
    $IPT -A INPUT -i lo -j ACCEPT

    # Enable transparent proxy
    $IPT -t nat -A PREROUTING -i $LAN -s $REDE -p tcp --dport 80 -j REDIRECT --to-port 3128
    # Force use of the proxy
    #$IPT -t nat -A PREROUTING -i $LAN -p tcp --dport 80 -j DNAT --to 192.168.0.253:80

    # Allow established connections from the LAN
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Allow ping replies on the WAN
    $IPT -A INPUT -p icmp -i $WAN -j ACCEPT

    ######### Allow LAN_to_WAN access #########

    $IPT -A FORWARD -i $LAN -o $WAN -p icmp -j ACCEPT

    for i in `cat $PT_TCP`; do
    $IPT -A FORWARD -i $LAN -o $WAN -p tcp --dport $i -j ACCEPT
    done

    for i in `cat $PT_UDP`; do
    $IPT -A FORWARD -i $LAN -o $WAN -p udp --dport $i -j ACCEPT
    done

    # Block IPs
    #IPT -A INPUT -s 81.35.253.20 -j DROP

    # Open a port outbound
    #$IPT -A FORWARD -i $LAN -s 192.168.1.119 -o $WAN -p tcp --dport 5432 -j ACCEPT

    # Allow a PC full LAN_to_WAN access
    #$IPT -A FORWARD -i $LAN -o $WAN -s 192.168.1.219 -j ACCEPT

    # LAN_to_Server access
    $IPT -A INPUT -p icmp -i $LAN -s $REDE -j ACCEPT
    $IPT -A INPUT -p tcp --dport 53 -i $LAN -s $REDE -j ACCEPT
    $IPT -A INPUT -p udp --dport 53 -i $LAN -s $REDE -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 -i $LAN -s $REDE -j ACCEPT
    $IPT -A INPUT -p tcp --dport 3128 -i $LAN -s $REDE -j ACCEPT
    $IPT -A INPUT -p tcp --dport 2222 -i $LAN -s $REDE -j ACCEPT

    # WAN_to_Server services
    $IPT -A INPUT -p tcp --dport 2222 -i $WAN -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 -i $WAN -j ACCEPT
    $IPT -A INPUT -p tcp --dport 3128 -i $WAN -j ACCEPT

    # WAN_to_LAN services
    $IPT -A INPUT -p tcp --dport 3389 -i $WAN -j ACCEPT
    $IPT -A FORWARD -i $WAN -o $LAN -p tcp --dport 3389 -j ACCEPT

    $IPT -t nat -A PREROUTING -p tcp --dport 3389 -i $WAN -d $IP1 -j DNAT --to 192.168.1.2
    $IPT -t nat -A PREROUTING -p tcp --dport 3389 -i $WAN -d $IP2 -j DNAT --to 192.168.1.3
    $IPT -t nat -A PREROUTING -p tcp --dport 3389 -i $WAN -d $IP3 -j DNAT --to 192.168.1.4
    $IPT -t nat -A PREROUTING -p tcp --dport 3389 -i $WAN -d $IP4 -j DNAT --to 192.168.1.5

    # Redirect to the PostgreSQL server (NEW SERVER)
    $IPT -A INPUT -p tcp --dport 5432 -i $WAN -j ACCEPT
    $IPT -A FORWARD -i $WAN -o $LAN -p tcp --dport 5432 -j ACCEPT
    $IPT -t nat -A PREROUTING -p tcp --dport 5432 -i $WAN -d $IP2 -j DNAT --to 192.168.1.4

    # Redirect to the FTP server
    $IPT -A INPUT -p tcp --dport 21 -i $WAN -j ACCEPT
    $IPT -A FORWARD -i $WAN -o $LAN -p tcp --dport 21 -j ACCEPT
    $IPT -t nat -A PREROUTING -p tcp --dport 21 -i $WAN -d $IP1 -j DNAT --to 192.168.1.2

    # Redirect internal access to $IP1 to 192.168.1.2
    $IPT -A INPUT -p tcp --dport 84 -i $LAN -j ACCEPT
    $IPT -A FORWARD -i $LAN -p tcp --dport 84 -j ACCEPT
    $IPT -t nat -A PREROUTING -p tcp --dport 84 -i $LAN -d $IP1 -j DNAT --to 192.168.1.2

    # Disabling the martian source filter
    for eee in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 0 > $eee
    done

    # Allow FTP use
    modprobe ip_conntrack_ftp
    modprobe ip_nat_ftp
    iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

    echo "End of firewall."


On 8 August 2014 18:38, paulo bruck <paulobru...@gmail.com> wrote:

A few more points for you to check. The firewall is, before anything else, a router. Did you set ip_forward?

Take a look at /etc/sysctl.conf; on Debian that line is normally commented out.

Restart your firewall after the change, or run sysctl -w or something like that; I'm away from a terminal...

While you're at it, put this at the beginning of your script:

    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

and take the opportunity to read this doc, which is the best I have seen so far on iptables:
https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html

Cheers

--
Paulo Ricardo Bruck consultor
tel 011 3596-4881/4882 011 98140-9184 (TIM)
http://www.contatogs.com.br
http://www.protejasuarede.com.br
gpg AAA59989 at wwwkeys.us.pgp.net


On 8 August 2014 14:48, Rudimar <corsar...@gmail.com> wrote:

I tried:

    $IPT -A FORWARD -i $WAN -o $LAN -p tcp --dport 3389 -j ACCEPT

    $IPT -t nat -A PREROUTING -p tcp --dport 3389 -i $WAN -d $IP1 -j DNAT --to 192.168.1.2
    $IPT -t filter -A FORWARD -p tcp --dport 3389 -i $WAN -d 192.168.1.2 -j ACCEPT

Is that right? Same thing...


On 6 August 2014 19:35, paulo bruck <paulobru...@gmail.com> wrote:

Every NAT rule must have a FORWARD rule (if it is between networks....)

    $IPT -t nat -A PREROUTING -p tcp --dport 3389 -i $WAN -d $IP3 -j DNAT --to 192.168.1.4
    $IPT -t filter -A FORWARD -p tcp --dport 3389 -i $WAN -d 192.168.1.4 -j ACCEPT

Another thing you are confusing is INPUT with FORWARD, below:

    # WAN_to_LAN services
    $IPT -A INPUT -p tcp --dport 3389 -i $WAN -j ACCEPT
    $IPT -A FORWARD -i $WAN -o $LAN -p tcp --dport 3389 -j ACCEPT

INPUT is used when you want to reach a service ON the firewall.
FORWARD is used when you want to reach a service between networks.

Regards

Paulo Ricardo Bruck
http://www.contatogs.com.br
http://www.protejasuarede.com.br


On 6 August 2014 19:25, Rudimar <corsar...@gmail.com> wrote:

Folks, I need help.

I am trying to build a firewall for the network here and I need some help. So you understand, this is the configuration of my link (x is the public IP; naturally I hid it with x):

    Network: x.184/29
    x.184 - network address
    x.185 - gateway
    x.186 - free for use
    x.187 - free for use
    x.188 - free for use
    x.191 - broadcast
    Mask: 255.255.255.248

----------------------------------
In /etc/network/interfaces I put this:

    # Link
    # The primary network interface
    allow-hotplug eth0
    iface eth0 inet static
    address x.186
    netmask 255.255.255.248
    network x.0
    broadcast x.191
    gateway x.185

    #Local network
    allow-hotplug eth1
    iface eth1 inet static
    address 192.168.1.100
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255

--------------------------

I want to direct a specific IP/port to each server, for example terminal service:

    ...
    IPT="/sbin/iptables"
    REDE="192.168.1.0/24"
    LAN="eth1"
    WAN="eth0"
    IP1="x.186"
    IP2="x.187"
    IP3="x.188"

    ifconfig eth0:0 x.186 netmask 255.255.255.248
    ifconfig eth0:1 x.187 netmask 255.255.255.248
    ifconfig eth0:2 x.188 netmask 255.255.255.248

    # WAN_to_LAN services
    $IPT -A INPUT -p tcp --dport 3389 -i $WAN -j ACCEPT
    $IPT -A FORWARD -i $WAN -o $LAN -p tcp --dport 3389 -j ACCEPT

    # Direct to each server
    $IPT -t nat -A PREROUTING -p tcp --dport 3389 -i $WAN -d $IP1 -j DNAT --to 192.168.1.2
    $IPT -t nat -A PREROUTING -p tcp --dport 3389 -i $WAN -d $IP2 -j DNAT --to 192.168.1.3
    $IPT -t nat -A PREROUTING -p tcp --dport 3389 -i $WAN -d $IP3 -j DNAT --to 192.168.1.4
    ......

What is missing? Because it does not work...

If the IPs are accessed from outside, they all land on the firewall...

squid.conf is only for outbound, right?
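The following is an added example, not a script from this thread or from any of its participants. It answers the opening request for a script with several incoming public IPs and puts Paulo's two points into practice: every DNAT in PREROUTING gets a matching FORWARD rule, and that FORWARD rule matches the translated (internal) destination, because DNAT has already happened by the time the filter table sees the packet; INPUT is only for services on the firewall itself, so the posted script's INPUT accepts for 3389, 5432 and 21 on $WAN do nothing for forwarded traffic, and its INPUT accepts for 80 and 3128 on $WAN expose Squid to the Internet. The example also keeps the /29 prefix the provider actually assigned (the posted script mixes a /24 mask with a /29 block and assigns two addresses to eth0:2), adds the public addresses with `ip addr add` instead of ifconfig aliases, and leaves rp_filter alone. Everything below is an assumption: 203.0.113.0/24 (RFC 5737 documentation space) stands in for the hidden "x", eth0/eth1 and the FORWARDS mapping are made up, and the script defaults to a dry run that prints the commands so the rule set can be reviewed (or compared with `iptables-save`) before it is applied.

```shell
#!/bin/sh
# Added example (not from the thread): generate iptables rules for one firewall in
# front of a public /29 whose usable addresses are each DNAT'ed to an internal host.
# All names and addresses are assumptions; 203.0.113.x replaces the poster's hidden "x".

WAN="eth0"
LAN="eth1"
LAN_NET="192.168.1.0/24"
PUB_PREFIX="29"          # the provider gave a /29, so the secondary addresses use /29
PROXY_PORT="3128"

# Dry run by default: print the commands instead of executing them.
# Apply for real with:  IPT=iptables IP=ip SYSCTL=sysctl sh fw.sh   (as root)
IPT="${IPT:-echo iptables}"
IP="${IP:-echo ip}"
SYSCTL="${SYSCTL:-echo sysctl}"

# Constructed mapping: public_ip  internal_ip  tcp_port, one forward per line.
FORWARDS="
203.0.113.186 192.168.1.2 3389
203.0.113.187 192.168.1.3 3389
203.0.113.188 192.168.1.4 3389
203.0.113.188 192.168.1.4 5432
203.0.113.186 192.168.1.2 21
"

# Each public address becomes a secondary address on the WAN interface, once,
# with the correct prefix length (no eth0:N aliases, no duplicated alias names).
add_public_ips() {
    printf '%s\n' "$FORWARDS" | awk 'NF {print $1}' | sort -u | while read -r pub; do
        $IP addr add "$pub/$PUB_PREFIX" dev "$WAN"
    done
}

# Base policy: the box routes, drops unsolicited traffic to itself, allows replies,
# lets only the LAN reach Squid, and masquerades the LAN. No INPUT accept on $WAN.
base_rules() {
    $SYSCTL -w net.ipv4.ip_forward=1
    $IPT -t nat -F
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport "$PROXY_PORT" -j ACCEPT
    # Transparent proxy: only LAN clients, only on the LAN interface.
    $IPT -t nat -A PREROUTING -i "$LAN" -s "$LAN_NET" -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# One DNAT plus one matching FORWARD per mapping line. The FORWARD rule matches the
# post-DNAT destination (the internal host), which is what the filter table sees.
forward_rules() {
    printf '%s\n' "$FORWARDS" | awk 'NF' | while read -r pub inner port; do
        $IPT -t nat -A PREROUTING -i "$WAN" -d "$pub" -p tcp --dport "$port" -j DNAT --to-destination "$inner:$port"
        $IPT -A FORWARD -i "$WAN" -o "$LAN" -d "$inner" -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
}

# Emit (or apply) the whole rule set in order.
gen_rules() {
    add_public_ips
    base_rules
    forward_rules
}

gen_rules
```

Run it as `sh fw.sh` to see the generated commands; set IPT, IP and SYSCTL to the real binaries to apply them. For the REDIRECT line to be useful, Squid itself must be listening in interception mode on that port (in squid.conf, `http_port 3128 intercept`); a plain `http_port 3128` rejects redirected requests, which is one way "Squid works on 3128 but the REDIRECT rule does nothing" can happen.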