Port Forwarding

1. Port Forwarding

Fernando Henrique Silva Batista
FerdOUT

(uses Other)

Posted on 01/09/2014 - 15:44h

Hi everyone, some cameras were recently installed at my company. The DVR for these cameras has a mobile port, so I can access them from my phone, and it also allows remote access to the cameras via software. For that, however, I need to set up port forwarding, which I tried to do without success.
What I need is the following:
Let's suppose the external IP of my whole network here is 172.50.138.218. In the desktop software, or in the app, I would need to reach my DVR using this external IP.
The IP of this DVR is 192.168.0.9. In other words, I need that, when port 8080 is requested on IP 172.50.138.218, the server redirects me to 192.168.0.9:8080.
How can I do this?
Note that the distribution I am using is Fedora (no graphical interface).
Thank you.



  


2. Re: Port Forwarding

Fernando Henrique Silva Batista
FerdOUT

(uses Other)

Posted on 03/09/2014 - 06:39h

Nobody?


3. Re: Port Forwarding

Néscio Ignorante
Ignorante

(uses Slackware)

Posted on 03/09/2014 - 11:59h

How is your network set up?

I see you have 2 networks, 192.xxx.xxx.xxx and 172.xxx.xxx.xxx. Could you explain how it is laid out, and post your firewall so we can see it?


4. Re: Port Forwarding

Alex Silva
l0g1in

(uses FreeBSD)

Posted on 04/09/2014 - 09:44h

iptables -t nat -A PREROUTING -d 172.50.138.218 -p tcp --dport 8080 -j DNAT --to 192.168.0.9:8080

iptables -t nat -A PREROUTING -p tcp -d 172.50.138.218 --dport 8080 -j DNAT --to 192.168.0.9:8080

Try that.

Regards[];


5. Re: Port Forwarding

Fernando Henrique Silva Batista
FerdOUT

(uses Other)

Posted on 04/09/2014 - 16:55h

Hi everyone, good afternoon;
The commands above did not work ;z
I still cannot get access;
I was asked to post my firewall here, but I don't know how to copy the code; I'm using PuTTY. Can someone guide me?


6. Re: Port Forwarding

Néscio Ignorante
Ignorante

(uses Slackware)

Posted on 04/09/2014 - 17:45h

Select it, and when you right-click, it copies automatically; then just paste it anywhere.


7. Re: Port Forwarding

Fernando Henrique Silva Batista
FerdOUT

(uses Other)

Posted on 05/09/2014 - 08:10h

#!/bin/sh
#
# iptables Start iptables firewall
#
# chkconfig: 2345 08 92
# description: Firewall initialization
#
# config: /etc/sysconfig/iptables

IPTABLES="/sbin/iptables"
MODPROBE="/sbin/modprobe"

function status()
{
${IPTABLES} -L
}

function carrega_modulos()
{
# $MODPROBE ip_tables
# $MODPROBE iptable_filter
$MODPROBE iptable_nat
$MODPROBE ip_nat_ftp
# $MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp
}

function stop()
{
${IPTABLES} --flush
${IPTABLES} -t mangle --flush
${IPTABLES} -t nat --flush

${IPTABLES} -F
${IPTABLES} -F INPUT
${IPTABLES} -F OUTPUT
${IPTABLES} -F FORWARD
${IPTABLES} -F -t mangle
${IPTABLES} -t mangle -X
${IPTABLES} -t nat -X
${IPTABLES} -X
${IPTABLES} -t nat -F PREROUTING
${IPTABLES} -t nat -F OUTPUT
${IPTABLES} -t nat -F POSTROUTING
${IPTABLES} -t mangle -F PREROUTING
${IPTABLES} -t mangle -F OUTPUT
}

function start()
{
stop
carrega_modulos

###############################NETWORK VARIABLES############################
ETHInternet=eth1
IPInternet=187.50.138.218

ETHLocal=eth0
RedeLocal=192.168.0.0/24
IPLocal=192.168.0.1

ETHWireless=eth2
RedeWireless=192.168.2.0/24
IPWireless=192.168.2.1

echo "IP Internet: "$IPInternet
echo "IP Local: "$IPLocal
echo "IP Wireless: "$IPWireless

##############################ENABLE EXTERNAL MONITORING##################
MONITORA=SIM
IP_MONITORA=192.168.0.4
IP_MONITORA=192.168.0.9

##############################ACCESS POLICIES############################
${IPTABLES} -P INPUT DROP
${IPTABLES} -P FORWARD ACCEPT
${IPTABLES} -P OUTPUT ACCEPT

####################ENABLING ROUTING#####################################
echo 1 > /proc/sys/net/ipv4/ip_forward

for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 >$i
done
###########################INPUT RULES#################################

${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

####################LOOPBACK TRAFFIC AND TRAFFIC GOING TO LOOPBACK#################

${IPTABLES} -A INPUT -i lo -j ACCEPT

##############INTERNAL NETWORK TRAFFIC##########################################

${IPTABLES} -A INPUT -i $ETHLocal -j ACCEPT
${IPTABLES} -A FORWARD -i $ETHLocal -o $ETHWireless -j DROP

##################WIRELESS NETWORK TRAFFIC#####################################

${IPTABLES} -A INPUT -i $ETHWireless -j ACCEPT
${IPTABLES} -A FORWARD -i $ETHWireless -o $ETHLocal -j DROP

####################SPECIFIC SERVICES######################################

${IPTABLES} -A INPUT -p icmp --icmp-type echo-request -s 0/0 -j ACCEPT ##Ping service
${IPTABLES} -A INPUT -p udp --dport domain -j ACCEPT #DNS
${IPTABLES} -A INPUT -p tcp -s 0/0 --dport 1999 -j ACCEPT ##SSH
${IPTABLES} -A INPUT -p tcp -s 0/0 --dport 3389 -j ACCEPT ##Terminal Server
${IPTABLES} -A INPUT -p tcp -s 0/0 --dport 1723 -j ACCEPT ##VPN
${IPTABLES} -A INPUT -p 47 -j ACCEPT ##VPN

${IPTABLES} -A INPUT -j ACCEPT

#########################CREATE LOG##############################################

LOG_FLOOD="2/s"
SYN_FLOOD="4/s"
PING_FLOOD="2/s"
LOG_LEVEL="debug"

#################SSH, TELNET, FTP

${IPTABLES} -A INPUT -p tcp --dport ssh -j LOG --log-level "warning" --log-prefix "Firewall - sshDENIED"
${IPTABLES} -A INPUT -p tcp --dport telnet -j LOG --log-level "warning" --log-prefix "Firewall - telnetDENIED"
${IPTABLES} -A INPUT -p tcp --dport ftp -j LOG --log-level "warning" --log-prefix "Firewall - ftpDENIED"
########################FORWARD RULES####################################

${IPTABLES} -A FORWARD -o $ETHLocal -m state --state INVALID -j DROP
${IPTABLES} -A FORWARD -o $ETHLocal -m state --state ESTABLISHED,RELATED -j ACCEPT
${IPTABLES} -t nat -A PREROUTING -p tcp -i eth1 --dport 3389 -j DNAT --to 192.168.0.254:3389 ######Forwards access to the 2003 server
${IPTABLES} -t nat -A PREROUTING -p tcp -i eth2 --dport 3389 -j DNAT --to 192.168.0.254:3389 ######Forwards access to the 2003 server
${IPTABLES} -t nat -A PREROUTING -p tcp -i eth1 --dport 3389 -j DNAT --to 192.168.0.253:3389 ######Forwards access to the 2012 server
${IPTABLES} -t nat -A PRETOUTING -p tcp -i eth1 --dport 8080 -j DNAT --to 192.168.0.9:8080

######################## allowing external connections to printers #############################################################
####################### Personnel Department printer #########################################################################
${IPTABLES} -t nat -A PREROUTING -d $IPInternet -p tcp -m tcp --dport 54925 -j DNAT --to-destination 192.168.0.133:54925
${IPTABLES} -t nat -A POSTROUTING -d 192.168.0.133 -s 0/0 -p tcp --dport 54925 -j SNAT --to $IPInternet:54925

#############################AUXILIARY RULES###############################

#############################IMPROVE SSH#####################################
${IPTABLES} -t nat -A PREROUTING -t mangle -p tcp --dport ssh -j TOS --set-tos Minimize-Delay

##########################HTTP AND NAT########################################

###################CONECTIVIDADE SOCIAL - INTERNAL NETWORK IP FOR TRANSPARENT PROXY#####
${IPTABLES} -A FORWARD -s 192.168.0.43/24 -d 0/0 -p tcp --dport 80 -j ACCEPT

##########################ALLOWING SERVER ACCESS FOR UPDATES################
${IPTABLES} -A FORWARD -s 192.168.0.4/24 -d 0/0 -j ACCEPT


${IPTABLES} -A FORWARD -s 192.168.0.9/24 -d 0/0 -j ACCEPT
###############################IP REDIRECTION RULE FOR DVR 2#############################
iptables -t nat -A PREROUTING -d 187.50.138.218 -p tcp --dport 8080 -j DNAT --to 192.168.0.9:8080
iptables -t nat -A PREROUTING -p tcp -d 187.50.138.218 --dport 8080 -j DNAT --to 192.168.0.9:8080
iptables -t nat -A PREROUTING -d 187.50.138.218 -p tcp --dport 34599 -j DNAT --to 192.168.0.9:34599
iptables -t nat -A PREROUTING -p tcp -d 187.50.138.218 --dport 34599 -j DNAT --to 192.168.0.9:34599
################################EXTERNAL ACCESS TO DP PRINTER###############################################

${IPTABLES} -t nat -A PREROUTING -d $IPInternet -p tcp -m tcp --dport 10000 -j DNAT --to-destination 192.168.0.133:80
${IPTABLES} -t nat -A POSTROUTING -d 192.168.0.133 -s 0/0 -p tcp --dport 80 -j SNAT --to $IPInternet:10000
##########################ALLOW ACCESS BY IP##########################
${IPTABLES} -A FORWARD -s 192.168.0.0/24 -j ACCEPT

#########################BLOCK PACKETS REQUESTED ON PORT 80##########################

###########ROUTE WIRELESS AND LOCAL NETWORK TO INTERNET DESTINATION####################
${IPTABLES} -t nat -A POSTROUTING -s $RedeLocal -j SNAT --to $IPInternet
${IPTABLES} -t nat -A POSTROUTING -s $RedeWireless -j SNAT --to $IPInternet

##################################END#########################################
}
case "$1" in
"start")
start
echo "Iniciando Firewall"
;;

"stop")
stop
echo "Parando Firewall"
sleep 2
echo "ok."
;;

"restart")
echo "Reiniciando Firewall"
sleep 1
echo "ok."
stop; start
;;
*)
##########################ALLOW ACCESS BY IP##########################
${IPTABLES} -A FORWARD -s 192.168.0.0/24 -j ACCEPT

#########################BLOCK PACKETS REQUESTED ON PORT 80##########################

###########ROUTE WIRELESS AND LOCAL NETWORK TO INTERNET DESTINATION####################
${IPTABLES} -t nat -A POSTROUTING -s $RedeLocal -j SNAT --to $IPInternet
${IPTABLES} -t nat -A POSTROUTING -s $RedeWireless -j SNAT --to $IPInternet

##################################END#########################################
esac
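
Added example, not part of the post above and not the poster's code: a static lint for iptables append rules that flags a chain name that is not built into the rule's table, more than one -t option on one rule, and NAT or TOS targets used in the wrong table. The sample lines are constructed; the first two copy the shape of two rules in the script above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: static lint for iptables rule lines.

# Constructed input; lines 1 and 2 copy the shape of two rules in the script.
sample_rules() {
cat <<'EOF'
${IPTABLES} -t nat -A PRETOUTING -p tcp -i eth1 --dport 8080 -j DNAT --to 192.168.0.9:8080
${IPTABLES} -t nat -A PREROUTING -t mangle -p tcp --dport ssh -j TOS --set-tos Minimize-Delay
${IPTABLES} -A FORWARD -p tcp --dport 8080 -j DNAT --to 192.168.0.9:8080
${IPTABLES} -t nat -A PREROUTING -d 187.50.138.218 -p tcp --dport 8080 -j DNAT --to 192.168.0.9:8080
EOF
}

# Reads rule lines on stdin, prints "<line>: <finding>" for each problem.
lint_iptables_rules() {
    awk '
    BEGIN {
        # Built-in chains of each table.
        ok["filter"] = " INPUT FORWARD OUTPUT "
        ok["nat"]    = " PREROUTING INPUT OUTPUT POSTROUTING "
        ok["mangle"] = " PREROUTING INPUT FORWARD OUTPUT POSTROUTING "
    }
    /^[ \t]*#/ || !/ -A / { next }   # skip comments and non-append lines
    {
        table = "filter"; ntables = 0; chain = ""; target = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-t") { table = $(i + 1); ntables++ }
            if ($i == "-A") chain = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        if (ntables > 1) {
            print NR ": more than one -t option on one rule"
            next
        }
        if ((table in ok) && index(ok[table], " " chain " ") == 0)
            print NR ": chain " chain " is not a built-in chain of table " table
        if ((target == "DNAT" || target == "SNAT") && table != "nat")
            print NR ": " target " is only valid in the nat table"
        if (target == "TOS" && table != "mangle")
            print NR ": TOS is only valid in the mangle table"
    }'
}

sample_rules | lint_iptables_rules
```

A user-defined chain is also reported as "not a built-in chain", so that finding is a prompt to check the name rather than proof of an error.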



8. Re: Port Forwarding

Fernando Henrique Silva Batista
FerdOUT

(uses Other)

Posted on 05/09/2014 - 08:12h

Note that this code already contains the commands I was advised to use earlier. (#####IP REDIRECTION RULE FOR DVR2#########)


9. Re: Port Forwarding

Alex Silva
l0g1in

(uses FreeBSD)

Posted on 06/09/2014 - 09:45h

Try this

${IPTABLES} -t nat -A PREROUTING -d $IPInternet -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.9:8080

Check whether port 8080 is open


netstat -ntlp | grep 8080
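
Added example, not part of the post above: a DNAT rule rewrites packets in the kernel and opens no listening socket on the gateway, so a socket listing taken on the firewall does not show a forwarded port; the per-rule packet counters do show whether traffic reached the rule. The script below reads them from the output of `iptables -t nat -L PREROUTING -n -v -x`; the listing and its counters are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: read DNAT hit counters for one port.
# Input on stdin: output of `iptables -t nat -L PREROUTING -n -v -x`.

# Constructed sample listing; the counters are invented for the example.
sample_listing() {
cat <<'EOF'
Chain PREROUTING (policy ACCEPT 5121 packets, 402133 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      37     2220 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3389 to:192.168.0.254:3389
       0        0 DNAT       tcp  --  *      *       0.0.0.0/0            187.50.138.218       tcp dpt:8080 to:192.168.0.9:8080
EOF
}

# Print "<pkts> <destination> <to>" for every DNAT rule on tcp port $1.
dnat_hits() {
    awk -v port="$1" '
    $3 == "DNAT" {
        to = ""; hit = 0
        for (i = 10; i <= NF; i++) {
            if ($i == "dpt:" port) hit = 1
            if ($i ~ /^to:/) to = substr($i, 4)
        }
        if (hit) print $1, $9, to
    }'
}

# Summarise: no-rule, never-hit (rule present, 0 packets) or hit.
dnat_verdict() {
    dnat_hits "$1" | awk '
        { rules++; pkts += $1 }
        END {
            if (!rules) print "no-rule"
            else if (pkts == 0) print "never-hit"
            else print "hit"
        }'
}

sample_listing | dnat_verdict 8080
```

The nat table sees only the first packet of each connection, so the counter is the number of connection attempts that matched. A result of never-hit points at the destination address, the interface or filtering upstream; hit points at the FORWARD chain or the return route from the DVR.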


10. Re: Port Forwarding

Fernando Henrique Silva Batista
FerdOUT

(uses Other)

Posted on 08/09/2014 - 11:23h

Hi everyone, I tested the port on the site http://ping.eu/port-chk/, and the test reported that it is open.






