Liberar IP externo

edumeira2009
(usa Debian)

Enviado em 29/12/2009 - 12:33h

Boa tarde,

Preciso liberar 2 IPs externo na minha rede, tenho um squid 2.7 no Debian 5, os ips são 74.53.101.194 porta 2038 e o 67.19.108.194 porta 2038, ai eu não sei se faz no Firewall ou no Squid.

Obrigado

renato_pacheco
(usa Debian)

Enviado em 29/12/2009 - 13:02h

Depende. Normalmente vc libera pelo firewall. Só não entendi como q é o acesso: é d fora pra dentro ou vice-versa?

edumeira2009
(usa Debian)

Enviado em 29/12/2009 - 13:11h

Tenho que liberar a entrada e saida desses Ips, para a rede toda.

renato_pacheco
(usa Debian)

Enviado em 29/12/2009 - 13:31h

Bom, liberar a saída é tranquilo, basta liberar a porta (acredito q esteja liberada já, mas não custa por a regra aki):

iptables -A OUTPUT -p tcp --dport 2038 -j ACCEPT

Para entrada será necessário qual máquina vai usufruir dessa porta, pois devemos fazer um DNAT nelas. Vou por a regra geral e depois vc adapta:

iptables -t nat -A PREROUTING -p tcp --dport 2038 -j DNAT --to-destination <IP>:2038

edumeira2009
(usa Debian)

Enviado em 29/12/2009 - 14:19h

não funcionou

renato_pacheco
(usa Debian)

Enviado em 29/12/2009 - 14:35h

Depende muito d como vc inseriu esses comandos. Se vc inserir em uma ordem incorreta, não funciona msm. Dae vc terá q postar o seu iptables aki pra gente verificar em qual linha devemos inserir.

edumeira2009
(usa Debian)

Enviado em 29/12/2009 - 16:58h

meu firewall

#!/bin/bash

#####FIREWALL-PETRONET-INFORMATICA##########

firewall_start(){

# Abre para uma faixa de endereços da rede local
iptables -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT

# Abre uma Porta


iptables -A INPUT -p tcp --dport 5269 -j ACCEPT
iptables -A INPUT -p tcp --dport 8245 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -p tcp --dport 8888 -j ACCEPT
#### CAMERAS
iptables -A INPUT -p tcp --dport 3550 -j ACCEPT
iptables -A INPUT -p tcp --dport 3350 -j ACCEPT
iptables -A INPUT -p tcp --dport 4550 -j ACCEPT
iptables -A INPUT -p tcp --dport 5550 -j ACCEPT
iptables -A INPUT -p tcp --dport 8081 -j ACCEPT

iptables -A INPUT -p tcp --dport 8000 -j ACCEPT

iptables -A INPUT -p tcp --dport 5222 -j ACCEPT
iptables -A INPUT -p tcp --dport 3389 -j ACCEPT
iptables -A INPUT -p tcp --dport 8217 -j ACCEPT

### TERMINAL SERVICE ###
iptables -A INPUT -p tcp --dport 3392 -j ACCEPT
iptables -A INPUT -p tcp --dport 3393 -j ACCEPT
iptables -A INPUT -p tcp --dport 3398 -j ACCEPT
iptables -A INPUT -p tcp --dport 3397 -j ACCEPT
iptables -A INPUT -p tcp --dport 3396 -j ACCEPT


iptables -A INPUT -p tcp --dport 491 -j ACCEPT
iptables -A INPUT -p tcp --dport 11111 -j ACCEPT
##GOGLOBAL###
iptables -A INPUT -p tcp --dport 9217 -j ACCEPT
iptables -A INPUT -p tcp --dport 9218 -j ACCEPT
iptables -A INPUT -p tcp --dport 7057 -j ACCEPT
iptables -A INPUT -p tcp --dport 7058 -j ACCEPT
iptables -A INPUT -p tcp --dport 3391 -j ACCEPT

iptables -A OUTPUT -p tcp --dport 2038 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 2038 -j DNAT --to-destination 192.168.0.27:2038

# Ignora Pings
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Protege contra IP Spoofing
echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter

# Protege contra synflood
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# Protege contra ICMP Broadcasting
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Protege contra Portscanners, ping of death, ataques DoS, etc.
iptables -A INPUT -m state --state INVALID -j DROP

# Regra para programas graficos funcionarem
iptables -A INPUT -i lo -j ACCEPT

######################REDIRECIONAMENTOS##########################


iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 5269 -j DNAT --to 192.168.0.253
iptables -t nat -A POSTROUTING -d 192.168.0.253 -j SNAT --to 192.168.0.1

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 5269 -j DNAT --to 192.168.0.253
iptables -t nat -A POSTROUTING -d 192.168.0.253 -j SNAT --to 192.168.0.1

iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 8245 -j DNAT --to 192.168.0.21
iptables -t nat -A POSTROUTING -d 192.168.0.21 -j SNAT --to 192.168.0.1

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 8245 -j DNAT --to 192.168.0.21
iptables -t nat -A POSTROUTING -d 192.168.0.21 -j SNAT --to 192.168.0.1

###CAMERAS###
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 8081 -j DNAT --to 192.168.0.254
iptables -t nat -A POSTROUTING -d 192.168.0.254 -j SNAT --to 192.168.0.1

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 8081 -j DNAT --to 192.168.0.254
iptables -t nat -A POSTROUTING -d 192.168.0.254 -j SNAT --to 192.168.0.1

###CAMERA###-1
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 3350 -j DNAT --to 192.168.0.254
iptables -t nat -A POSTROUTING -d 192.168.0.254 -j SNAT --to 192.168.0.1

iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 3350 -j DNAT --to 192.168.0.254
iptables -t nat -A POSTROUTING -d 192.168.0.254 -j SNAT --to 192.168.0.1


iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 3550 -j DNAT --to 192.168.0.254
iptables -t nat -A POSTROUTING -d 192.168.0.254 -j SNAT --to 192.168.0.1

iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 3550 -j DNAT --to 192.168.0.254
iptables -t nat -A POSTROUTING -d 192.168.0.254 -j SNAT --to 192.168.0.1


###CAMERA###-2
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 4550 -j DNAT --to 192.168.0.254
iptables -t nat -A POSTROUTING -d 192.168.0.254 -j SNAT --to 192.168.0.1

iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 4550 -j DNAT --to 192.168.0.254
iptables -t nat -A POSTROUTING -d 192.168.0.254 -j SNAT --to 192.168.0.1

###CAMERA###-3
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 5550 -j DNAT --to 192.168.0.254
iptables -t nat -A POSTROUTING -d 192.168.0.254 -j SNAT --to 192.168.0.1

iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 5550 -j DNAT --to 192.168.0.254
iptables -t nat -A POSTROUTING -d 192.168.0.254 -j SNAT --to 192.168.0.1

###CAMERA###-4
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 6550 -j DNAT --to 192.168.0.254
iptables -t nat -A POSTROUTING -d 192.168.0.254 -j SNAT --to 192.168.0.1

iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 6550 -j DNAT --to 192.168.0.254
iptables -t nat -A POSTROUTING -d 192.168.0.254 -j SNAT --to 192.168.0.1

###MARCIO###
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 3392 -j DNAT --to 192.168.0.19
iptables -t nat -A POSTROUTING -d 192.168.0.19 -j SNAT --to 192.168.0.1

###LEVY###
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 3393 -j DNAT --to 192.168.0.25
iptables -t nat -A POSTROUTING -d 192.168.0.25 -j SNAT --to 192.168.0.1

###FABIO###
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 3398 -j DNAT --to 192.168.0.36
iptables -t nat -A POSTROUTING -d 192.168.0.36 -j SNAT --to 192.168.0.1

###PEDRO###
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 3397 -j DNAT --to 192.168.0.171
iptables -t nat -A POSTROUTING -d 192.168.0.171 -j SNAT --to 192.168.0.1

###GHILHERME###
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 3396 -j DNAT --to 192.168.0.168
iptables -t nat -A POSTROUTING -d 192.168.0.168 -j SNAT --to 192.168.0.1

###CHAT-INTERNO###
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 9090 -j DNAT --to 192.168.0.253
iptables -t nat -A POSTROUTING -d 192.168.0.253 -j SNAT --to 192.168.0.1

###CHAT-INTERNO-USER###
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 5222 -j DNAT --to 192.168.0.253
iptables -t nat -A POSTROUTING -d 192.168.0.253 -j SNAT --to 192.168.0.1

###TERMINAL SERVICE Servidor antigo###
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 3389 -j DNAT --to 192.168.0.170
iptables -t nat -A POSTROUTING -d 192.168.0.170 -j SNAT --to 192.168.0.1

###TERMINAL SERVICE INTEGRA###
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 3390 -j DNAT --to 192.168.0.253
iptables -t nat -A POSTROUTING -d 192.168.0.253 -j SNAT --to 192.168.0.1

###PORTA 8217###
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 8217 -j DNAT --to 192.168.0.253
iptables -t nat -A POSTROUTING -d 192.168.0.253 -j SNAT --to 192.168.0.1

###PORTA 8217-INTERNA###
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 8217 -j DNAT --to 192.168.0.253
iptables -t nat -A POSTROUTING -d 192.168.0.253 -j SNAT --to 192.168.0.1


###############MAQUINA-1###########################

###GO-GLOBAL####
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 9217 -j DNAT --to 192.168.0.166
iptables -t nat -A POSTROUTING -d 192.168.0.166 -j SNAT --to 192.168.0.1

###GO-GLOBAL-PORTA7057####
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 7057 -j DNAT --to 192.168.0.166
iptables -t nat -A POSTROUTING -d 192.168.0.166 -j SNAT --to 192.168.0.1

###############MAQUINA-2###########################

###GO-GLOBAL####
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 9218 -j DNAT --to 192.168.0.58
iptables -t nat -A POSTROUTING -d 192.168.0.58 -j SNAT --to 192.168.0.1

###GO-GLOBAL-PORTA7057####
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 7058 -j DNAT --to 192.168.0.58
iptables -t nat -A POSTROUTING -d 192.168.0.58 -j SNAT --to 192.168.0.1

#########################GO_GLOBAL_INTERNO#############################################


###############MAQUINA-1###########################

###GO-GLOBAL####
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 9217 -j DNAT --to 192.168.0.166
iptables -t nat -A POSTROUTING -d 192.168.0.166 -j SNAT --to 192.168.0.1

###GO-GLOBAL-PORTA7057####
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 7057 -j DNAT --to 192.168.0.166
iptables -t nat -A POSTROUTING -d 192.168.0.166 -j SNAT --to 192.168.0.1

###############MAQUINA-2###########################

###GO-GLOBAL####

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 9218 -j DNAT --to 192.168.0.58
iptables -t nat -A POSTROUTING -d 192.168.0.58 -j SNAT --to 192.168.0.1

###GO-GLOBAL-PORTA7057####
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 7058 -j DNAT --to 192.168.0.58
iptables -t nat -A POSTROUTING -d 192.168.0.58 -j SNAT --to 192.168.0.1

###Mauqina cameras-nova###
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 3391 -j DNAT --to 192.168.0.254
iptables -t nat -A POSTROUTING -d 192.168.0.254 -j SNAT --to 192.168.0.1

iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 8888 -j DNAT --to 192.168.0.59
iptables -t nat -A POSTROUTING -d 192.168.0.59 -j SNAT --to 192.168.0.1

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 8888 -j DNAT --to 192.168.0.59
iptables -t nat -A POSTROUTING -d 192.168.0.59 -j SNAT --to 192.168.0.1


#####################FIM-REDIRECIONAMENTOS############################


###BLOQUEA TUDO QUE NAO ESTEJA DESCRITO ACIMA###
iptables -A INPUT -p tcp --syn -j DROP

echo "O Firewall esta sendo carregado..."
sleep 1
#echo "OK"
sleep 1
}
firewall_stop(){
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
}

case "$1" in
"start")
firewall_start
echo "O Firewall esta sendo ativado"
;;
"stop")
firewall_stop
echo "O Firewall esta sendo desativado"
sleep 2
#echo "OK."
;;
"restart")
echo "O Firewall esta sendo ativado"
sleep 1
#echo "OK."
firewall_stop; firewall_start
;;
*)
iptables -L -n
esac

renato_pacheco
(usa Debian)

Enviado em 29/12/2009 - 22:55h

Ah, tá entendi. Vc pode usar os exemplos q vc tem pra liberar as portas d comunicação das suas máquinas internas, só q d uma forma diferente. Ex.:

iptables -t nat -A PREROUTING -s 74.53.101.194 -p tcp -i eth1 --dport 2038 -j DNAT --to 192.168.0.253
iptables -t nat -A PREROUTING -s 67.19.108.194 -p tcp -i eth1 --dport 2038 -j DNAT --to 192.168.0.253

Seu squid é transparente? Se for, libere o INPUT da porta 2038, se não for transparente, libere o FORWARD da porta 2038, ok?

Acredito q nessa condição vc consiga liberar. Outra coisa é a ordem. Vc pode inseri-las naquelas linhas d prerouting e postrouting.

catadolfi
(usa CentOS)

Enviado em 05/07/2012 - 16:55h

Estou com um problema, não estou conseguindo liberar uma camera Ip para acesso externo, sendo que tenho um proxy squid rodando com duas placas de rede eth0 (internet) e eth1 (rede local), a camera que quero acessar de fora é 172.30.115.172 porta 8082.


-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.30.115.100
-A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 172.30.115.100
-A PREROUTING -i eth0 -p tcp -m tcp --dport 35001 -j DNAT --to-destination 172.30.115.188
############### - Cameras IPs
-A INPUT -p tcp --dport 8082 -j ACCEPT
-A PREROUTING -p tcp -i eth1 --dport 8082 -j DNAT --to 172.30.115.100
-A POSTROUTING -d 172.30.115.55 -j SNAT --to 172.30.115.1
-A PREROUTING -p tcp -i eth0 --dport 8082 -j DNAT --to 172.30.115.100
-A POSTROUTING -d 172.30.115.55 -j SNAT --to 172.30.15.11
############### - Compartilha internet
-A POSTROUTING -j MASQUERADE
############### - Libera gmail para upload de arquivos
-A PREROUTING -p tcp -s mail.google.com -d 0/0 --dport 80 -j ACCEPT
############### - Redireciona por 80/8080/443/563/21 para 3128 (squid)
-A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
-A PREROUTING -i eth1 -p tcp --dport 8080 -j REDIRECT --to-port 3128
-A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 3128
-A PREROUTING -i eth1 -p tcp --dport 563 -j REDIRECT --to-port 3128
-A PREROUTING -i eth1 -p tcp --dport 21 -j REDIRECT --to-port 3128
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -s 172.30.115.0/24 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A FORWARD -p tcp --dport 443 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -i eth1 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 3580 -j ACCEPT
-A FORWARD -i eth1 -p udp -m udp --dport 3580 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 35001 -j ACCEPT
-A FORWARD -i eth1 -p udp -m udp --dport 35001 -j ACCEPT
-A FORWARD -d 172.30.115.0/24 -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -d 172.30.115.0/24 -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -d 172.30.115.0/24 -i eth0 -p tcp -m tcp --dport 35001 -j ACCEPT
-A OUTPUT -p tcp --dport 3580 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
-A FORWARD -p tcp --dport 23 -j ACCEPT

Está meio bagunçado, por favor me deem uma luz.

joaoaraujo
(usa openSUSE)

Enviado em 31/10/2013 - 12:01h

cara faz assim:
-A PREROUTING -p tcp -m tcp -i eth0 --dport (porta) -j DNAT --to-destination ip_interno_da camera:(porta)

a porta tem que ser igual a configurada na câmera, ai você acessa pelo seu ip externo:(porta)
pelo menos pra minha câmera funciona assim

px
(usa Debian)

Enviado em 31/10/2013 - 13:04h

Pá de Platina neles!

http://img695.imageshack.us/img695/7623/ogaaainm3rrjcjps65ygphf.jpg

joaoaraujo
(usa openSUSE)

Enviado em 31/10/2013 - 14:11h

kkkkkkkkkkkk..é nóis no Linux \o/