Redirecionamento de porta pelo IPTables

1. Redirecionamento de porta pelo IPTables

Ricardo Poncio
poncior

(usa Debian)

Enviado em 30/09/2020 - 14:23h

Boa tarde galera, criei este tópico pois já pesquisei muito mas ainda não consegui encontrar uma solução para o meu problema, além de conhecer pouco sobre o assunto.
A questão é a seguinte, tenho uma VPS e vamos dizer que ela tenha o IP 191.212.53.47, e em minha rede local uma máquina de IP 192.168.1.70. Gostaria de expor a porta 8123 da máquina em minha rede através do IP da VPS, que é fixo.
Anteriormente eu tinha uma política bem aberta no IPTables e estou tentando melhorar a segurança, em paralelo, quero deixar de usar o tunelamento SSH reverso e usar o forwarding do IPTables com a ajuda de uma VPN
A VPN tem a rede dinamica principal com a interface as0t0 na subrede 10.0.5.0/24, e a rede estática é a 10.5.5.0/24 (onde a máquina de dentro da minha rede está com o IP 10.5.5.2).
Como a VPS é o server do OpenVPN, ele está com o IP 10.0.5.1.

Se dou um ping da minha VPS até a 10.5.5.2, tudo ocorre normal, se eu faço um tracert ou um wget na porta desejada, tudo tranquilo, funcionando.
Porém, acessando via HTTP o endereço da http://VPS:8123 não existe um retorno.
Percebi também que quando executo os comandos do IPTables (Flush + Rules) o acesso via HTTP funciona normal, mas é só uma conexão acontecer na VPN ou um restart no OpenVPN AS que a tabela do IPTables ganha um monte de registros e o acesso via HTTP para de funcionar.

Suspeito que seja o retorno do 10.5.5.2 para o apache, pois como comentei acima, se executar na VPS:
wget 10.5.5.2:8123 

O comando baixa um index.html correto, existe a conectividade.
Obs 1.: Já está liberado o IP Forwarding no sysctl
Obs 1.: Algumas Rules foram omitidas na tabela abaixo pois só dão ACCEPT em algumas portas no protocolo TCP/UDP

Podem me dar uma luz por favor?

IPTables Rules:

#!/bin/bash
# first cleanup everything
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X

# default drop
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -P OUTPUT ACCEPT

# allow loopback device
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# allow ssh over eth0 from outside to system
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT

# allow webserver
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -j ACCEPT

# Allow masquerade
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# System
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

# Forwards
iptables -A FORWARD -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT

# OpenVPN
iptables -A INPUT -p udp --dport 1194 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.27.224.0/20 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.5.5.0/24 -o eth0 -j MASQUERADE
iptables -A INPUT -i as0t0 -j ACCEPT
iptables -A FORWARD -i as0t0 -j ACCEPT
iptables -A OUTPUT -o as0t0 -j ACCEPT
iptables -A FORWARD -i as0t0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o as0t0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i as0t0 -s 172.27.224.0/20 -d 0.0.0.0/0 -j ACCEPT
iptables -A FORWARD -i as0t0 -s 10.5.5.0/24 -d 0.0.0.0/0 -j ACCEPT

# Ports
iptables -A FORWARD -i eth0 -p tcp --dport 8123 -d 10.5.5.2 -j ACCEPT
iptables -A INPUT -i as0t0 -p tcp -s 10.5.5.2 --dport 8123 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 8123 -j DNAT --to-destination 10.5.5.2:8123

# Logging
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP


Resultado IPTables após restart do OpenVPN

Chain INPUT (policy DROP)
target prot opt source destination
AS0_ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
AS0_ACCEPT all -- anywhere anywhere
AS0_IN_PRE all -- anywhere anywhere mark match 0x2000000/0x2000000
AS0_ACCEPT udp -- anywhere vps1234.publiccloud.com.br state NEW udp dpt:openvpn
AS0_WEBACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
AS0_WEBACCEPT tcp -- anywhere vps1234.publiccloud.com.br state NEW tcp dpt:943
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:9090
ACCEPT tcp -- anywhere anywhere tcp dpt:webmin
ACCEPT udp -- anywhere anywhere udp dpt:openvpn state NEW
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:9987
ACCEPT tcp -- anywhere anywhere tcp dpt:10011
ACCEPT tcp -- anywhere anywhere tcp dpt:30033
ACCEPT tcp -- 10.5.5.2 anywhere tcp dpt:8123
LOGGING all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
AS0_ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
AS0_IN_PRE all -- anywhere anywhere mark match 0x2000000/0x2000000
AS0_OUT_S2C all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 172.27.224.0/20 anywhere
ACCEPT all -- 10.5.5.0/24 anywhere
ACCEPT tcp -- anywhere 10.5.5.2 tcp dpt:8123

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
AS0_OUT_LOCAL all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp spt:ssh
ACCEPT tcp -- anywhere anywhere tcp spt:http
ACCEPT tcp -- anywhere anywhere tcp spt:https
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:domain state NEW
ACCEPT udp -- anywhere anywhere udp dpt:domain state NEW
ACCEPT tcp -- anywhere anywhere tcp spt:9090
ACCEPT tcp -- anywhere anywhere tcp spt:webmin
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:9987
ACCEPT tcp -- anywhere anywhere tcp spt:10011
ACCEPT tcp -- anywhere anywhere tcp spt:30033

Chain AS0_ACCEPT (4 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain AS0_DNS (2 references)
target prot opt source destination
ACCEPT all -- anywhere 10.0.5.1
RETURN all -- anywhere anywhere

Chain AS0_IN (5 references)
target prot opt source destination
ACCEPT all -- anywhere 10.0.5.1
AS0_U_INTERNAL_IN all -- 10.5.5.2 anywhere
AS0_IN_POST all -- anywhere anywhere

Chain AS0_IN_NAT (2 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK or 0x8000000
ACCEPT all -- anywhere anywhere

Chain AS0_IN_POST (2 references)
target prot opt source destination
ACCEPT all -- anywhere 10.5.5.0/24
AS0_OUT all -- anywhere anywhere
DROP all -- anywhere anywhere

Chain AS0_IN_PRE (2 references)
target prot opt source destination
AS0_DNS tcp -- anywhere anywhere state NEW tcp dpt:domain
AS0_DNS udp -- anywhere anywhere state NEW udp dpt:domain
AS0_IN all -- anywhere 191.212.53.0/24
AS0_IN all -- anywhere link-local/16
AS0_IN all -- anywhere 192.168.0.0/16
AS0_IN all -- anywhere 172.16.0.0/12
AS0_IN all -- anywhere 10.0.0.0/8
ACCEPT all -- anywhere anywhere

Chain AS0_IN_ROUTE (0 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK or 0x4000000
ACCEPT all -- anywhere anywhere

Chain AS0_OUT (2 references)
target prot opt source destination
AS0_U_INTERNAL_OUT all -- anywhere 10.5.5.2
AS0_OUT_POST all -- anywhere anywhere

Chain AS0_OUT_LOCAL (1 references)
target prot opt source destination
DROP icmp -- anywhere anywhere icmp redirect
ACCEPT all -- anywhere anywhere

Chain AS0_OUT_POST (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere mark match 0x2000000/0x2000000
DROP all -- anywhere anywhere

Chain AS0_OUT_S2C (1 references)
target prot opt source destination
AS0_OUT all -- anywhere anywhere

Chain AS0_U_INTERNAL_IN (1 references)
target prot opt source destination
AS0_IN_NAT all -- anywhere 10.0.5.0/24
AS0_IN_NAT all -- anywhere 191.212.53.0/24
AS0_IN_POST all -- anywhere anywhere

Chain AS0_U_INTERNAL_OUT (1 references)
target prot opt source destination
ACCEPT all -- 10.5.5.0/24 anywhere
ACCEPT all -- 10.0.5.0/24 anywhere
ACCEPT all -- 10.5.5.0/24 anywhere
AS0_OUT_POST all -- anywhere anywhere

Chain AS0_WEBACCEPT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain LOGGING (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 2/min burst 5 LOG level warning prefix "IPTables-Dropped: "
DROP all -- anywhere anywhere


ifconfig (VPS)

as0t0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.0.5.1 netmask 255.255.255.0 destination 10.0.5.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 200 (UNSPEC)
RX packets 33 bytes 4102 (4.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 24 bytes 8027 (7.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 191.212.53.47 netmask 255.255.255.0 broadcast 191.212.53..255
ether 22:4f:cc:27:d2:59 txqueuelen 1000 (Ethernet)
RX packets 17463562 bytes 2335444365 (2.1 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 6311788 bytes 1425763570 (1.3 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1 (Local Loopback)
RX packets 123046 bytes 98937342 (94.3 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 123046 bytes 98937342 (94.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0


ifconfig (maquina na rede local)

enp2s0f2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.70 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::c051:8794:97c4:7ac3 prefixlen 64 scopeid 0x20<link>
inet6 2804:d55:52e2:b800:8914:d08e:4895:4988 prefixlen 64 scopeid 0x0<global>
ether 80:ee:73:7d:7d:83 txqueuelen 1000 (Ethernet)
RX packets 2468025 bytes 216533800 (206.5 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 13162807 bytes 1984356517 (1.8 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 21451249 bytes 2170560228 (2.0 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 21451249 bytes 2170560228 (2.0 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.5.5.2 netmask 255.255.255.0 destination 10.5.5.2
inet6 fe80::cb53:8c05:d238:3cee prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 24 bytes 8027 (7.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 34 bytes 4150 (4.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wlp1s0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 6c:71:d9:d2:1b:52 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0



  






Patrocínio

Site hospedado pelo provedor RedeHost.
Linux banner
Linux banner
Linux banner

Destaques

Artigos

Dicas

Tópicos

Top 10 do mês

Scripts