Acesso a vpn discada
1. Acesso a vpn discada
landsoft
(usa Debian)
Enviado em 09/10/2015 - 10:39h
Olá a Todos,Tenho um firewall Linux Debia 8.2, estou tendo o seguinte problema.
Não consigo acessar uma vpn discando do Windows através do firewall.
Se eu conectar à máquina Windows diretamente na internet acessa sem problemas, alguém tem ideia do que pode estar acontecendo?
Minha regra de Firewall.
#!/bin/sh
### BEGIN INIT INFO
# Provides: firewall.sh
# Required-Start: $local_fs $remote_fs $network $syslog
# Required-Stop: $local_fs $remote_fs $network $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start firewall.sh at boot time
# Description: Enable service provided by firewall.sh.
### END INIT INFO
#
# Configuração Rede e Internet
#
NET="eth0"
#Configuração da rede Local
LAN_IP="192.168.110.1"
LAN_IP_RANGE="192.168.110.0/24"
LAN="eth1"
VPN="ppp0"
# Configuração do Localhost
LO_IFACE="lo"
LO_IP="127.0.0.1"
# Configuração Iptables
IPTABLES="/sbin/iptables"
#
# Configuração necessária
#
echo 0 > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# Configuração dos módulos
#
/sbin/depmod -a
#
# Módulos necessários
#
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp ports=21,9000
/sbin/modprobe ip_nat_ftp ports=21,9000
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ip_nat_pptp
/sbin/modprobe ip_conntrack
/sbin/modprobe pptp
start_firewall() {
#Limpa Regras
iptables -F
iptables -Z
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
#Bloqueio Ultrasurf Tem que ser a primeira regra
$IPTABLES -A FORWARD -d 65.49.14.0/24 -j LOG --log-prefix "=UltraSurf= "
# Liberar DNS
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A FORWARD -i $LAN -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#Proteção contra Syn-flood:
$IPTABLES -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
#Port scanner suspeito:
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
#Ping da morte:
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
#Bloqueia Scan
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#Proteção contra IP spoofing
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#Proteção Contra Worms
$IPTABLES -A FORWARD -p tcp --dport 135 -i $LAN -j REJECT
#Não responder a PINGS da internet
#iptables -A INPUT -i $NET -p icmp --icmp-type 8 -j DROP
#Vamos descartar pacotes inválidos:
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
#Servidor de VPN
$IPTABLES -A INPUT -p tcp -i $NET -s 0/0 -d 0/0 --dport 1723 -j ACCEPT
$IPTABLES -A INPUT -p GRE -i $NET -j ACCEPT
$IPTABLES -A INPUT -i ppp+ -j ACCEPT
$IPTABLES -A FORWARD -i ppp+ -j ACCEPT
#$IPTABLES -A INPUT -i $VPN+ -j ACCEPT
#$IPTABLES -A FORWARD -i $VPN+ -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 1198 -j ACCEPT
$IPTABLES -A INPUT -i tun+ -j ACCEPT
$IPTABLES -A FORWARD -i tun+ -j ACCEPT
#$IPTABLES -A FORWARD -i $VPN -o $LAN -p tcp --dport 445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#
# Terminal service Servidor
#
$IPTABLES -A FORWARD -i $NET -o $LAN -p tcp --dport 3389 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -i $NET --dport 3389 -j DNAT --to 192.168.110.12
#webserver
$IPTABLES -A FORWARD -i $NET -o $LAN -p tcp --dport 8080 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -i $NET --dport 8080 -j DNAT --to 192.168.110.30
# Cameras
$IPTABLES -A FORWARD -i $NET -o $LAN -p tcp --dport 5546 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -i $NET --dport 5546 -j DNAT --to 192.168.3.49
$IPTABLES -A FORWARD -i $NET -o $LAN -p tcp --dport 5547 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -i $NET --dport 5547 -j DNAT --to 192.168.3.49
$IPTABLES -A FORWARD -i $NET -o $LAN -p tcp --dport 5548 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -i $NET --dport 5548 -j DNAT --to 192.168.3.49
$IPTABLES -A FORWARD -i $NET -o $LAN -p tcp --dport 5549 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -i $NET --dport 5549 -j DNAT --to 192.168.3.49
#Portas Principais
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
# ssh
$IPTABLES -A INPUT -p tcp --dport 14222 -j ACCEPT
#Webmin DHCP
$IPTABLES -A INPUT -p tcp --dport 12000 -j ACCEPT
# Sem essa Regra o squid não Funciona
$IPTABLES -A INPUT -p tcp --dport 3128 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 3306 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 3306 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 8000 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 8000 -j ACCEPT
#
#Regra de proxy transparente
#
$IPTABLES -t nat -A PREROUTING -i $LAN -s $LAN_IP_RANGE -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPTABLES -t nat -A PREROUTING -i $LAN -s $LAN_IP_RANGE -p tcp --dport 443 -j REDIRECT --to-port 3128
#
# chain POSTROUTING ( NAT - mascaramento )
#
$IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE -o $NET -j MASQUERADE
#
# Fechando o Resto
#
$IPTABLES -A INPUT -p tcp --syn -j DROP
}
#Fim Script
stop_firewall() {
# Remove all existing rules
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -t nat -F
iptables -X
#Regra de NAT
$IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE -o $NET -j MASQUERADE
}
case "$1" in
stop) echo -n "Stopping Firewall: iptables"
stop_firewall
echo "."
;;
start) echo -n "Starting Firewall: iptables"
start_firewall
echo "."
;;
restart) echo -n "Re-starting Firewall: iptables"
stop_firewall
start_firewall
dmesg -n4
echo "."
;;
*)
echo "Usage: local-firewall {stop|start|restart}"
exit 1
;;
esac
exit 0
A maior comunidade GNU/Linux da América Latina! Artigos, dicas, tutoriais, fórum, scripts e muito mais. Ideal para quem busca auto-ajuda.
Site hospedado por:
