Port forwarding with IPTables

Ricardo Poncio
poncior

(uses Debian)

Posted on 30/09/2020 - 14:23h

Good afternoon folks, I created this topic because I have already searched a lot but still haven't managed to find a solution to my problem, and I know little about the subject.
The situation is this: I have a VPS, let's say it has the IP 191.212.53.47, and on my local network a machine with the IP 192.168.1.70. I would like to expose port 8123 of the machine on my network through the VPS's IP, which is static.
Previously I had a very open IPTables policy and I am trying to improve security; in parallel, I want to stop using reverse SSH tunnelling and use IPTables forwarding with the help of a VPN.
The VPN has its main dynamic network on the interface as0t0, in the subnet 10.0.5.0/24, and the static network is 10.5.5.0/24 (where the machine inside my network has the IP 10.5.5.2).
Since the VPS is the OpenVPN server, it has the IP 10.0.5.1.

If I ping from my VPS to 10.5.5.2, everything works normally; if I do a tracert or a wget to the desired port, all fine, it works.
However, when accessing the address http://VPS:8123 over HTTP there is no response.
I also noticed that when I run the IPTables commands (Flush + Rules) the HTTP access works normally, but as soon as a connection happens on the VPN or OpenVPN AS is restarted, the IPTables table gains a pile of entries and the HTTP access stops working.

I suspect it is the return path from 10.5.5.2 to Apache, because as I mentioned above, if I run on the VPS:
wget 10.5.5.2:8123 

the command downloads a correct index.html, so the connectivity is there.
Note 1: IP forwarding is already enabled in sysctl
Note 2: Some rules were omitted from the table below because they only ACCEPT a few TCP/UDP ports

Can someone shed some light on this, please?

IPTables Rules:

#!/bin/bash
# first cleanup everything
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X

# default drop
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -P OUTPUT ACCEPT

# allow loopback device
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# allow ssh over eth0 from outside to system
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT

# allow webserver
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -j ACCEPT

# Allow masquerade
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# System
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

# Forwards
iptables -A FORWARD -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT

# OpenVPN
iptables -A INPUT -p udp --dport 1194 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.27.224.0/20 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.5.5.0/24 -o eth0 -j MASQUERADE
iptables -A INPUT -i as0t0 -j ACCEPT
iptables -A FORWARD -i as0t0 -j ACCEPT
iptables -A OUTPUT -o as0t0 -j ACCEPT
iptables -A FORWARD -i as0t0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o as0t0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i as0t0 -s 172.27.224.0/20 -d 0.0.0.0/0 -j ACCEPT
iptables -A FORWARD -i as0t0 -s 10.5.5.0/24 -d 0.0.0.0/0 -j ACCEPT

# Ports
iptables -A FORWARD -i eth0 -p tcp --dport 8123 -d 10.5.5.2 -j ACCEPT
iptables -A INPUT -i as0t0 -p tcp -s 10.5.5.2 --dport 8123 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 8123 -j DNAT --to-destination 10.5.5.2:8123

# Logging
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP


IPTables result after the OpenVPN restart

Chain INPUT (policy DROP)
target prot opt source destination
AS0_ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
AS0_ACCEPT all -- anywhere anywhere
AS0_IN_PRE all -- anywhere anywhere mark match 0x2000000/0x2000000
AS0_ACCEPT udp -- anywhere vps1234.publiccloud.com.br state NEW udp dpt:openvpn
AS0_WEBACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
AS0_WEBACCEPT tcp -- anywhere vps1234.publiccloud.com.br state NEW tcp dpt:943
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:9090
ACCEPT tcp -- anywhere anywhere tcp dpt:webmin
ACCEPT udp -- anywhere anywhere udp dpt:openvpn state NEW
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:9987
ACCEPT tcp -- anywhere anywhere tcp dpt:10011
ACCEPT tcp -- anywhere anywhere tcp dpt:30033
ACCEPT tcp -- 10.5.5.2 anywhere tcp dpt:8123
LOGGING all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
AS0_ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
AS0_IN_PRE all -- anywhere anywhere mark match 0x2000000/0x2000000
AS0_OUT_S2C all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 172.27.224.0/20 anywhere
ACCEPT all -- 10.5.5.0/24 anywhere
ACCEPT tcp -- anywhere 10.5.5.2 tcp dpt:8123

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
AS0_OUT_LOCAL all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp spt:ssh
ACCEPT tcp -- anywhere anywhere tcp spt:http
ACCEPT tcp -- anywhere anywhere tcp spt:https
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:domain state NEW
ACCEPT udp -- anywhere anywhere udp dpt:domain state NEW
ACCEPT tcp -- anywhere anywhere tcp spt:9090
ACCEPT tcp -- anywhere anywhere tcp spt:webmin
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:9987
ACCEPT tcp -- anywhere anywhere tcp spt:10011
ACCEPT tcp -- anywhere anywhere tcp spt:30033

Chain AS0_ACCEPT (4 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain AS0_DNS (2 references)
target prot opt source destination
ACCEPT all -- anywhere 10.0.5.1
RETURN all -- anywhere anywhere

Chain AS0_IN (5 references)
target prot opt source destination
ACCEPT all -- anywhere 10.0.5.1
AS0_U_INTERNAL_IN all -- 10.5.5.2 anywhere
AS0_IN_POST all -- anywhere anywhere

Chain AS0_IN_NAT (2 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK or 0x8000000
ACCEPT all -- anywhere anywhere

Chain AS0_IN_POST (2 references)
target prot opt source destination
ACCEPT all -- anywhere 10.5.5.0/24
AS0_OUT all -- anywhere anywhere
DROP all -- anywhere anywhere

Chain AS0_IN_PRE (2 references)
target prot opt source destination
AS0_DNS tcp -- anywhere anywhere state NEW tcp dpt:domain
AS0_DNS udp -- anywhere anywhere state NEW udp dpt:domain
AS0_IN all -- anywhere 191.212.53.0/24
AS0_IN all -- anywhere link-local/16
AS0_IN all -- anywhere 192.168.0.0/16
AS0_IN all -- anywhere 172.16.0.0/12
AS0_IN all -- anywhere 10.0.0.0/8
ACCEPT all -- anywhere anywhere

Chain AS0_IN_ROUTE (0 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK or 0x4000000
ACCEPT all -- anywhere anywhere

Chain AS0_OUT (2 references)
target prot opt source destination
AS0_U_INTERNAL_OUT all -- anywhere 10.5.5.2
AS0_OUT_POST all -- anywhere anywhere

Chain AS0_OUT_LOCAL (1 references)
target prot opt source destination
DROP icmp -- anywhere anywhere icmp redirect
ACCEPT all -- anywhere anywhere

Chain AS0_OUT_POST (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere mark match 0x2000000/0x2000000
DROP all -- anywhere anywhere

Chain AS0_OUT_S2C (1 references)
target prot opt source destination
AS0_OUT all -- anywhere anywhere

Chain AS0_U_INTERNAL_IN (1 references)
target prot opt source destination
AS0_IN_NAT all -- anywhere 10.0.5.0/24
AS0_IN_NAT all -- anywhere 191.212.53.0/24
AS0_IN_POST all -- anywhere anywhere

Chain AS0_U_INTERNAL_OUT (1 references)
target prot opt source destination
ACCEPT all -- 10.5.5.0/24 anywhere
ACCEPT all -- 10.0.5.0/24 anywhere
ACCEPT all -- 10.5.5.0/24 anywhere
AS0_OUT_POST all -- anywhere anywhere

Chain AS0_WEBACCEPT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain LOGGING (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 2/min burst 5 LOG level warning prefix "IPTables-Dropped: "
DROP all -- anywhere anywhere


ifconfig (VPS)

as0t0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.0.5.1 netmask 255.255.255.0 destination 10.0.5.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 200 (UNSPEC)
RX packets 33 bytes 4102 (4.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 24 bytes 8027 (7.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 191.212.53.47 netmask 255.255.255.0 broadcast 191.212.53.255
ether 22:4f:cc:27:d2:59 txqueuelen 1000 (Ethernet)
RX packets 17463562 bytes 2335444365 (2.1 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 6311788 bytes 1425763570 (1.3 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1 (Local Loopback)
RX packets 123046 bytes 98937342 (94.3 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 123046 bytes 98937342 (94.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0


ifconfig (machine on the local network)

enp2s0f2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.70 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::c051:8794:97c4:7ac3 prefixlen 64 scopeid 0x20<link>
inet6 2804:d55:52e2:b800:8914:d08e:4895:4988 prefixlen 64 scopeid 0x0<global>
ether 80:ee:73:7d:7d:83 txqueuelen 1000 (Ethernet)
RX packets 2468025 bytes 216533800 (206.5 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 13162807 bytes 1984356517 (1.8 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 21451249 bytes 2170560228 (2.0 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 21451249 bytes 2170560228 (2.0 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.5.5.2 netmask 255.255.255.0 destination 10.5.5.2
inet6 fe80::cb53:8c05:d238:3cee prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 24 bytes 8027 (7.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 34 bytes 4150 (4.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wlp1s0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 6c:71:d9:d2:1b:52 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
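The following is an added example and not code from the original post: a small Python walker that replays a packet through the FORWARD chain exactly as it appears in the `iptables -L` listing above (the state after the OpenVPN AS restart) and reports the verdict together with the rules it passed through. The listing was taken without `-v`, so interface matches are not visible and the walker does not model them, and it assumes the packet carries no fwmark, which is the case for a packet that arrived on eth0 rather than through the AS0_IN_PRE path. The source 203.0.113.5 is a constructed stand-in for an internet client; 10.0.5.1 is the VPS's own tunnel address from the post, used to show what happens when the forwarded packet carries a source inside 10.0.5.0/24 (as it would after an SNAT on as0t0). Only the filter table is modelled; the nat table is assumed to have already rewritten the destination to 10.5.5.2:8123.

```python
# Added example (not from the post): replay a packet through the FORWARD chain listed above.
import ipaddress
import re

# Transcribed from the post's listing (column header rows omitted): FORWARD plus the
# AS0_* chains an unmarked packet can reach. AS0_IN_PRE and the chains below it are
# only entered by packets carrying mark 0x2000000, so they are left out.
LISTING = """\
Chain FORWARD (policy DROP)
AS0_ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
AS0_IN_PRE all -- anywhere anywhere mark match 0x2000000/0x2000000
AS0_OUT_S2C all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 172.27.224.0/20 anywhere
ACCEPT all -- 10.5.5.0/24 anywhere
ACCEPT tcp -- anywhere 10.5.5.2 tcp dpt:8123
Chain AS0_ACCEPT (4 references)
ACCEPT all -- anywhere anywhere
Chain AS0_OUT_S2C (1 references)
AS0_OUT all -- anywhere anywhere
Chain AS0_OUT (2 references)
AS0_U_INTERNAL_OUT all -- anywhere 10.5.5.2
AS0_OUT_POST all -- anywhere anywhere
Chain AS0_U_INTERNAL_OUT (1 references)
ACCEPT all -- 10.5.5.0/24 anywhere
ACCEPT all -- 10.0.5.0/24 anywhere
ACCEPT all -- 10.5.5.0/24 anywhere
AS0_OUT_POST all -- anywhere anywhere
Chain AS0_OUT_POST (2 references)
ACCEPT all -- anywhere anywhere mark match 0x2000000/0x2000000
DROP all -- anywhere anywhere
"""


def parse_listing(text):
    """Return {chain: (policy or None, [rules])}; header rows are skipped if present."""
    chains, rules = {}, None
    for line in text.splitlines():
        head = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)\)", line)
        if head:
            rules = []
            chains[head.group(1)] = (head.group(2), rules)
        elif line and not line.startswith("target "):
            target, prot, _, src, dst, *extra = line.split()
            rules.append((target, prot, src, dst, " ".join(extra), line))
    return chains


def addr_match(spec, ip):
    return spec == "anywhere" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def rule_matches(rule, pkt):
    """Match types present in the listing: proto, addresses, (ct)state, mark, dport."""
    _, prot, src, dst, extra, _ = rule
    if prot != "all" and prot != pkt["proto"]:
        return False
    if not (addr_match(src, pkt["src"]) and addr_match(dst, pkt["dst"])):
        return False
    state = re.search(r"\b(?:ct)?state (\S+)", extra)
    if state and pkt["state"] not in state.group(1).split(","):
        return False
    mark = re.search(r"mark match 0x([0-9a-f]+)/0x([0-9a-f]+)", extra)
    if mark and (pkt["mark"] & int(mark.group(2), 16)) != int(mark.group(1), 16):
        return False
    dport = re.search(r"dpt:(\d+)", extra)
    return not dport or pkt["dport"] == int(dport.group(1))


def walk(chains, name, pkt, trace):
    """Verdict of chain `name` for pkt, or None when a user chain returns."""
    policy, rules = chains[name]
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        target, line = rule[0], rule[5]
        trace.append(f"{name}: {line}")
        if target in ("ACCEPT", "DROP", "REJECT", "RETURN"):
            return None if target == "RETURN" else target
        if target in chains:  # jump; if that chain returns, continue with the next rule
            verdict = walk(chains, target, pkt, trace)
            if verdict is not None:
                return verdict
        elif target not in ("LOG", "MARK"):
            raise KeyError(f"chain {target} is referenced but not in the listing")
    if policy:
        trace.append(f"{name}: policy {policy}")
    return policy


def trace_dnat_packet(src, listing=LISTING):
    """FORWARD verdict and path for a new TCP SYN that PREROUTING has already
    rewritten to 10.5.5.2:8123; `src` is the source address it carries at that point."""
    pkt = {"proto": "tcp", "src": src, "dst": "10.5.5.2", "dport": 8123,
           "state": "NEW", "mark": 0}
    trace = []
    return walk(parse_listing(listing), "FORWARD", pkt, trace), trace


if __name__ == "__main__":
    # 203.0.113.5 is a constructed internet client; 10.0.5.1 is the VPS tunnel address
    for src in ("203.0.113.5", "10.0.5.1"):
        result, path = trace_dnat_packet(src)
        print(f"src {src} -> {result}\n  " + "\n  ".join(path))
```

With the external source the walker never reaches the poster's own `ctstate NEW,RELATED,ESTABLISHED` rule: the third FORWARD rule jumps into AS0_OUT_S2C, from there into AS0_OUT and AS0_U_INTERNAL_OUT (destination 10.5.5.2), none of whose ACCEPT rules match a source outside 10.5.5.0/24 or 10.0.5.0/24, and AS0_OUT_POST drops it. With the source rewritten to 10.0.5.1 the same packet is accepted in AS0_U_INTERNAL_OUT. Against a listing without the AS0_* chains (the state right after the Flush + Rules script runs) the packet is accepted by the ctstate rule, which matches the behaviour described in the post. A common way to make a DNAT through a VPN tunnel work is to pair it with an SNAT or MASQUERADE on the tunnel interface for that flow, which also keeps the client's replies on the tunnel instead of its default gateway; whether that is the right fix here is for the thread to decide, the walker only shows what the listed filter rules do. On the VPS itself, `iptables -L FORWARD -v -n --line-numbers` shows the interface matches and per-rule packet counters the plain listing lacks.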
