NAT does not work with DROP rules.

1. NAT does not work with DROP rules.

Breno Lacerda de Alustau Paiva
brenolacerda

(uses CentOS)

Sent on 28/10/2015 - 10:58h

Hello everyone,

I have a problem and have already followed several tutorials, but I haven't gotten a satisfactory result.
After applying DROP policies to INPUT, OUTPUT and FORWARD, the NAT forwards to the internal network stopped working.
I have already tried several rules to allow it in FORWARD, tried DNAT, REDIRECT, among others. But none of them worked! ;/

There are several NATs for different ports, but the problem happens with all of them.
To trim the code down I left only the redirect for remote access
to a Windows machine. I believe that once this one works, the rest will work normally.

I would like your help.
The script follows below.


######################################
# Internet sharing #
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

########################################
# Variables #
IF_EXT=eth0
IF_IN=eth1

IP_EXT=221.54.182.4
IP_IN=192.168.50.1
IP_CASERVER=192.168.50.200

PORTAS_DE_SERVICOS_1=80,443,8080,53,8081,20,21,22,3389,5432,25,465,995,222
PORTAS_DE_SERVICOS_2=34567,161,162,10050,10051


case "$1" in
start)

echo "Firewall Ligado!"

########################################
# Set policies: BLOCK #
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP


########################################
# NAT RULES #

#NAT - CAServer (Port: 2020)
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2020 -j DNAT --to 192.168.50.200:3389


# INPUT ######################################################
#stateful
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#icmp (ping)
iptables -A INPUT -p icmp -j ACCEPT

#ntop
iptables -A INPUT -p tcp --dport 3000 -j ACCEPT
iptables -A INPUT -p udp --dport 3000 -j ACCEPT

#ssh
iptables -A INPUT -p tcp --dport 222 -j ACCEPT

#Zabbix
iptables -A INPUT -p tcp --dport 10050 -j ACCEPT
iptables -A INPUT -p tcp --dport 10051 -j ACCEPT

#
iptables -A INPUT -p tcp --dport 2020 -j ACCEPT


##############################################################
##############################################################
# OUTPUT #####################################################
#stateful
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#icmp (ping)
iptables -A OUTPUT -p icmp -j ACCEPT

#DNS
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

#NTP
iptables -A OUTPUT -p tcp --dport 123 -j ACCEPT
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT

#HTTP
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT

#HTTPS
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT




##############################################################
##############################################################
# FORWARD ####################################################
#stateful
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

#HTTP, HTTPS and other traditional services for browsing.
iptables -A FORWARD -p tcp -m multiport --dport $PORTAS_DE_SERVICOS_1 -i $IF_IN -j ACCEPT
iptables -A FORWARD -p udp -m multiport --dport $PORTAS_DE_SERVICOS_1 -i $IF_IN -j ACCEPT
iptables -A FORWARD -p tcp -m multiport --dport $PORTAS_DE_SERVICOS_2 -i $IF_IN -j ACCEPT
iptables -A FORWARD -p udp -m multiport --dport $PORTAS_DE_SERVICOS_2 -i $IF_IN -j ACCEPT

#whois
iptables -A FORWARD -p tcp --dport 43 -j ACCEPT

#outbound ping
iptables -A FORWARD -p icmp -i $IF_IN -j ACCEPT
iptables -A FORWARD -p icmp -o $IF_IN -j ACCEPT

#NTP
iptables -A FORWARD -p udp --dport 123 -o $IF_EXT -j ACCEPT

;;



stop)

echo "Firewall Desligado!"

######################################
# Flush rules #
######################################
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
iptables -F -t mangle
iptables -X -t mangle
iptables -t nat -F
######################################
# Set policies: ACCEPT ALL #
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


;;

restart)
/etc/init.d/firewall.sh stop
/etc/init.d/firewall.sh start

;;


*)
echo "Use: /etc/init.d/firewall.sh {start | stop | restart}"
exit 1
;;

esac

2. Re: NAT does not work with DROP rules.

Renan Arantes
R3nan

(uses Debian)

Sent on 28/10/2015 - 13:53h

Here's the thing: when you set FORWARD -P DROP (default policy dropping), when doing a NAT you also need to allow FORWARD to the internal IP, for example:

iptables -t nat -A PREROUTING -p tcp -d 200.200.200.200 --dport 2020 -j DNAT --to 192.168.50.200:3389
iptables -A FORWARD -p tcp -d 192.168.50.200 --dport 3389 -j ACCEPT

note: in place of 200.200.200.200 put your external IP

Test it and come back here if anything comes up.

Regards,
Renan
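The complete rule set that the answer above implies, as an added example (it is not code from the thread or from either poster). It uses the addresses and ports from the opening post; the IPT wrapper variable and the rules_dry_run helper are assumptions added so the commands can be printed without root, and the conntrack DNAT state match generalises the single -d/--dport rule in the answer.

```shell
#!/bin/sh
# Added example, not the poster's script: a DNAT port-forward that survives
# "iptables -P FORWARD DROP". Addresses/ports are the thread's; the wrapper
# variable IPT is an assumption so the rules can be dry-run without root.
IPT="${IPT:-iptables}"

IF_EXT="eth0"
IP_EXT="221.54.182.4"
IP_CASERVER="192.168.50.200"
PUB_PORT="2020"   # port exposed on the external interface
SRV_PORT="3389"   # real service port (RDP) on the internal Windows host

# Rules needed for one DNAT. Order matters: the stateful rule goes first.
dnat_forward_rules() {
    # 1. Translation happens in nat/PREROUTING, before routing. From here on
    #    the packet's destination is already IP_CASERVER:3389, so no later
    #    chain will ever see "--dport 2020" on this packet.
    $IPT -t nat -A PREROUTING -i "$IF_EXT" -p tcp -d "$IP_EXT" \
        --dport "$PUB_PORT" -j DNAT --to-destination "$IP_CASERVER:$SRV_PORT"

    # 2. Replies from the internal host (and all later packets of the
    #    connection) are ESTABLISHED and pass regardless of direction.
    $IPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # 3. The first packet: match the translated destination, arriving on the
    #    external interface. The original script's FORWARD rules used
    #    "-i eth1", so nothing matched traffic entering on eth0 and the DROP
    #    policy won. "--ctstate DNAT" limits this rule to packets that were
    #    actually rewritten, so a packet arriving on eth0 already addressed
    #    to 192.168.50.200 (no translation) still hits the DROP policy.
    $IPT -A FORWARD -i "$IF_EXT" -p tcp -d "$IP_CASERVER" --dport "$SRV_PORT" \
        -m conntrack --ctstate DNAT -j ACCEPT
}

# Print the commands instead of running them (no root needed).
rules_dry_run() { ( IPT=echo; dnat_forward_rules ); }

# Usage: sh forward-dnat.sh apply   (as root)   |   sh forward-dnat.sh   (print)
case "${1:-}" in
    apply) dnat_forward_rules ;;
    *) rules_dry_run ;;
esac
```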


3. Re: NAT does not work with DROP rules.

Buckminster
Buckminster

(uses Debian)

Sent on 28/10/2015 - 15:03h

This here

IF_EXT=eth0
IF_IN=eth1

IP_EXT=221.54.182.4
IP_IN=192.168.50.1
IP_CASERVER=192.168.50.200

PORTAS_DE_SERVICOS_1=80,443,8080,53,8081,20,21,22,3389,5432,25,465,995,222
PORTAS_DE_SERVICOS_2=34567,161,162,10050,10051

change it to this

IF_EXT="eth0"
IF_IN="eth1"

IP_EXT="221.54.182.4"
IP_IN="192.168.50.1"
IP_CASERVER="192.168.50.200"

PORTAS_DE_SERVICOS_1="80,443,8080,53,8081,20,21,22,3389,5432,25,465,995,222"
PORTAS_DE_SERVICOS_2="34567,161,162,10050,10051"

And this here

# Set policies: BLOCK #
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

change it to this

# Set policies: BLOCK #
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
