Redirecionamento de portas

13. Re: Redirecionamento de portas

Danilo
dbcazon

(usa Ubuntu)

Enviado em 03/04/2014 - 10:28h

Bom dia,

Caros, aproveitando o tópico e já agradecendo pela ajuda!


Conheço pouco desse mundo mas desde que entrei na empresa tenho me virado na utilização do IpTables e Squid.

Minha dúvida em questão é a seguinte:
Tenho um redirecionamento feito nas regras do Firewall que está normal, mas quando reiniciava o servidor por queda de energia ou qq outra coisa eu tinha que voltar no terminal e dar o comando novamente.

Após um pouco de pesquisa eu vi que deveria salvar a regra dando o comando iptables-save.

O problema é que segundo quem acessa esse redirecionamento depois das 19h não consegue mais acessar e meu conhecimento até aqui não me mostra nas regras alguma que defina esse horário.
Enfim, o comando:
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 8887 -j DNAT --to-destination 192.168.0.3:8887

Tem mais algum comando ou neste mesmo que eu deveria adicionar ou modificar para ele não ter esse problema?
Tem algum modo de colocar esse redirecionamento para não aderir a mais nada, para ficar FULL e não ter mais dor de cabeça?

Obrigado


  


14. Re: Redirecionamento de portas

Perfil removido
removido

(usa Nenhuma)

Enviado em 03/04/2014 - 10:43h

Bom dia Colega,


Você esta usando aplicação em HTTP? Esta utilizando o squid para tratar esta requisição ? Descreva melhor o cenaŕio!


Att

Tiago Eduardo Zacarias
LPIC-1


15. Re: Redirecionamento de portas

Danilo
dbcazon

(usa Ubuntu)

Enviado em 03/04/2014 - 11:15h

thiago304 escreveu:

Bom dia Colega,


Você esta usando aplicação em HTTP? Esta utilizando o squid para tratar esta requisição ? Descreva melhor o cenaŕio!


Att

Tiago Eduardo Zacarias
LPIC-1



Bom dia,

Então, é um site hospedado em um servidor WS2008 na rede interna para testes.

A pessoa acessa o endereço com a porta(8887) e tem acesso a este site.
Nenhuma regra que ligue esta linha com o Squid, pelo menos não que eu consiga associar.
É simplesmente um redirecionamento feito no firewall para a estação em específico.
A unica coisa que tem, ai sim, no squid relacionada ao horário 19h em questão é para liberar o uso interno para qq site externo que vai das 19h as 23h59.. fora isso não tem mais nada.



16. Re: Redirecionamento de portas

Perfil removido
removido

(usa Nenhuma)

Enviado em 03/04/2014 - 11:24h

Publique seu Script de Firewall para dar uma analisada.


Tiago Eduardo Zacarias
LPIC-1


17. Re: Redirecionamento de portas

Danilo
dbcazon

(usa Ubuntu)

Enviado em 03/04/2014 - 11:50h

thiago304 escreveu:

Publique seu Script de Firewall para dar uma analisada.


Tiago Eduardo Zacarias
LPIC-1


#!/bin/bash
##################################################################
#################### Inicio Firewall ############################
##################################################################
/sbin/modprobe ip_nat

/sbin/modprobe ip_nat_ftp

/sbin/modprobe ip_queue

/sbin/modprobe ip_conntrack

/sbin/modprobe ip_conntrack_ftp

/sbin/modprobe ip_tables

/sbin/modprobe iptable_filter

/sbin/modprobe iptable_nat

/sbin/modprobe iptable_mangle

/sbin/modprobe ipt_state

/sbin/modprobe ipt_limit

/sbin/modprobe ipt_multiport

/sbin/modprobe ipt_mac

/sbin/modprobe ipt_string


## Limpando as Regras existentes #######

/sbin/iptables -F

/sbin/iptables -t nat -F

/sbin/iptables -t mangle -F

/sbin/iptables -X

/sbin/iptables -Z



## Definindo politica padr..o (Nega entrada e permite saida)

/sbin/iptables -P INPUT DROP

/sbin/iptables -P OUTPUT ACCEPT

/sbin/iptables -P FORWARD ACCEPT



##################################################################
################# LOG de acesso externo para a rede interna ######
##################################################################

## Log SSH e Proxy

/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 24778 -j LOG

--log-prefix="Acesso RDP server003 " --log-level 4

/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 24779 -j LOG

--log-prefix="Acesso SSH Firewall " --log-level 4

/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 24777 -j LOG

--log-prefix="Acesso SSH Zimbra " --log-level 4

/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 25111 -j LOG

--log-prefix="Acesso Proxy " --log-level 4



### Ultra-surf

/sbin/iptables -A FORWARD -d 65.49.14.0/24 -j LOG --log-prefix "=UltraSurf= "

/sbin/iptables -A FORWARD -d 65.49.2.0/24 -j LOG --log-prefix "=UltraSurf= "



## Log HTTP porta 8888
(mudar para 8887)
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 8888 -j LOG --

log-prefix="SERVER004 " --log-level 4



## acesso Local porta 80

/sbin/iptables -A INPUT -p tcp -s 192.168.0.0/255.255.255.0 -d 192.168.0.1 --

dport 80 -j ACCEPT



##################################################################
######################## Protege contra ataques diversos #########
##################################################################
###### Protege contra synflood

/sbin/iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

echo 1 > /proc/sys/net/ipv4/tcp_syncookies



###### Protecao contra ICMP Broadcasting

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all



###### Prote.. Contra IP Spoofing

echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter



###### Protecao diversas contra portscanners, ping of death, ataques DoS, pacotes

danificados e etc.
#
/sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s

-j ACCEPT

#/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j

ACCEPT

#/sbin/iptables -A INPUT -p icmp --icmp-type echo-reply -m limit --limit 1/s -j

DROP

/sbin/iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT

/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit

1/s -j ACCEPT

/sbin/iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP

/sbin/iptables -A INPUT -m state --state INVALID -j DROP

/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

/sbin/iptables -N VALID_CHECK
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL

FIN,URG,PSH -j DROP

/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL ALL -j DROP

/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN -j DROP

/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL NONE -j DROP



## Limitando conex..es na porta 80 #######

/sbin/iptables -I INPUT -p tcp --dport 80 -i eth1 -m state --state NEW -m recent

--set


/sbin/iptables -I INPUT -p tcp --dport 80 -i eth1 -m state --state NEW -m recent

--update --seconds 1 --hitcount 10 -j DROP


#TeamViewer
#
/sbin/iptables -I FORWARD -m string --algo bm --string "teamviewer" -j DROP

#/sbin/iptables -I OUTPUT -m string --algo bm --string "teamviewer" -j DROP



##################################################################
######################### Fim da regras de contra ataques ########
##################################################################

## Impede navega....o sem proxy definido no navegador ##########
#

# Ignora redirecionamento para os enderecos da Amazon e xgen (Chat e Gerenciador

SOL)
#
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -s 192.168.0.77 -j

RETURN


# Webmail

/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.0.0/24 -j RETURN




# Xgen


/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -d 186.202.60.208 -j RETURN



# DB Sol

/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp ! -d 50.19.231.222 --dport 80

-j REDIRECT --to-port 25111



# Watz
#
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp ! -d 170.20.249.224 --dport 80

-j REDIRECT --to-port 25111



# Xgen Chat


/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp ! -d 187.61.5.194 --dport 80

-j REDIRECT --to-port 25111

/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp ! -d 186.202.60.208 --dport 80

-j REDIRECT --to-port 25111



## Impede o uso de outro proxy externo que use a porta 3128

/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3128 -j REDIRECT --

to-port 25111

/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j REDIRECT --

to-port 25111

/sbin/iptables -A FORWARD -p tcp --dport 8080 -j DROP

/sbin/iptables -A OUTPUT -p tcp --dport 8080 -j DROP



## Estabelece rela....o de confian..a entre maquinas da rede local eth0(rede

local)

/sbin/iptables -A INPUT -i eth0 -s 192.168.0.0/255.255.255.0 -j ACCEPT

/sbin/iptables -A INPUT -i eth0 -m state --state NEW -j ACCEPT

/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT



## liberando o INPUT externo para o firewall ##

#

# Portas ##
# 80 443 Sarg/webhtb

/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 8181 -j DNAT

--to-destination 192.168.0.1:80

/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 8182 -j DNAT

--to-destination 192.168.0.1:443



# SSH

/sbin/iptables -A INPUT -i eth1 -p tcp -m multiport --dport

24779,24777,1177,27777 -j ACCEPT



# Server005 (HTTP)

/sbin/iptables -A INPUT -i eth1 -p tcp -m multiport --dport 24778 -j ACCEPT



# Server004 (HTTP)

/sbin/iptables -A INPUT -i eth1 -p tcp -m multiport --dport

443,1313,8887,8889,8075 -j ACCEPT



# Srv004 (HTTP)

#/sbin/iptables -A INPUT -i eth1 -p tcp -m multiport --dport 8888 -j ACCEPT




# vpn server

/sbin/iptables -A FORWARD -p tcp -i eth1 --dport 1723 -j ACCEPT

/sbin/iptables -A FORWARD -p 47 -i eth1 -j ACCEPT



# Cups web

/sbin/iptables -A INPUT -i eth1 -p tcp -m multiport --dport 3305 -j ACCEPT



## Mail Server

/sbin/iptables -A INPUT -i eth1 -p tcp -m multiport --dport

25,110,7071,143,993,995,80 -j ACCEPT



# Proxy Externo

/sbin/iptables -A INPUT -i eth1 -p tcp -m tcp -s 107.20.249.224 --dport 25111 -j

ACCEPT

/sbin/iptables -A INPUT -i eth1 -p tcp -m tcp -s 107.20.249.227 --dport 25111 -j

ACCEPT

/sbin/iptables -A INPUT -i eth1 -p tcp -m tcp -s 107.20.243.218 --dport 25111 -j

ACCEPT

/sbin/iptables -A INPUT -i eth1 -p tcp -m tcp -s 50.19.231.222 --dport 25111 -j

ACCEPT



## DNS ##
#
/sbin/iptables -A INPUT -i eth1 -p udp --dport 53 -j ACCEPT

#/sbin/iptables -A INPUT -i eth1 -p tcp --dport 53 -j ACCEPT

#/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 777 -j DNAT --to-

destination 200.221.2.45:80



##################################################################
########## Redirecionamento para maquinas de rede interna ########
##################################################################
# Server004(HTTP)

(comentar) /sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 8889

-j DNAT --to-destination 192.168.0.3:80

/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 1313 -j DNAT

--to-destination 192.168.0.3:1313

/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j DNAT --

to-destination 192.168.0.3:443

(comentar) /sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 8075

-j DNAT --to-destination 192.168.0.3:8075

/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 8887 -j DNAT

--to-destination 192.168.0.3:8887



# Srv004(HTTP)

#/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 8888 -j DNAT

--to-destination 192.168.0.106:80



## VPN

/sbin/iptables -A PREROUTING -t nat -p tcp -i eth1 --dport 1723 -j DNAT --to

192.168.0.3:1723

/sbin/iptables -A PREROUTING -t nat -p 47 -i eth1 -j DNAT --to 192.168.0.3



# Cups web

(comentar) /sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 3305

-j DNAT --to-destination 192.168.0.100:631



# Andre

#/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 27777 -j DNAT

--to-destination 192.168.0.7:22



## SSH Zimbra

(comentar) /sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport

24777 -j DNAT --to-destination 192.168.0.112:22



## RDP

/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 1177 -j DNAT

--to-destination 192.168.0.2:3389



############## Testes ############################################


#/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 1433 -j DNAT

--to-destination 192.168.0.4:1433

#/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 53 -j DNAT --to-

destination 192.168.0.112:53

#/sbin/iptables -t nat -A PREROUTING -i eth1 -p udp --dport 53 -j DNAT --to-

destination 192.168.0.112:53



## Mail Server

/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp -m multiport --dport

25,110,7071,80,143,993,995 -j DNAT --to-dest 192.168.0.112


##################################################################
########################### Bloqueio Messenger e Proxy ###########
##################################################################
/sbin/iptables -A FORWARD -d 64.13.161.61 -p tcp --dport 443 -j DROP

/sbin/iptables -A FORWARD -d 213.13.146.15 -p tcp --dport 443 -j DROP

/sbin/iptables -A FORWARD -d 65.98.25.145 -p tcp --dport 443 -j DROP



### Messenger #######


## Karen

/sbin/iptables -t nat -A PREROUTING -i eth0 -m mac --mac-source 00:23:ae:b8:f2:ef

-p tcp --dport 1863 -j REDIRECT --to-port 25111

## Everton

/sbin/iptables -t nat -A PREROUTING -i eth0 -m mac --mac-source 00:0f:ea:9f:02:5a

-p tcp --dport 1863 -j REDIRECT --to-port 25111

## Caio

/sbin/iptables -t nat -A PREROUTING -i eth0 -m mac --mac-source 00:1a:4d:a9:21:21

-p tcp --dport 1863 -j REDIRECT --to-port 25111

## Gabriela

/sbin/iptables -t nat -A PREROUTING -i eth0 -m mac --mac-source 00:1a:4d:a5:55:e6

-p tcp --dport 1863 -j REDIRECT --to-port 25111

## Beatriz

/sbin/iptables -t nat -A PREROUTING -i eth0 -m mac --mac-source b8:ac:6f:61:86:f6

-p tcp --dport 1863 -j REDIRECT --to-port 25111

/sbin/iptables -t nat -A PREROUTING -i eth0 -m mac --mac-source F0:7B:CB:35:D0:9C

-p tcp --dport 1863 -j REDIRECT --to-port 25111

/sbin/iptables -t nat -A PREROUTING -i eth0 -m mac --mac-source 00:08:54:69:9B:28

-p tcp --dport 1863 -j REDIRECT --to-port 25111



##################################################################
################################ Bloqueio de entrada #############
##################################################################

/sbin/iptables -A INPUT -i lo -j ACCEPT

/sbin/iptables -A INPUT -i eth0 -j ACCEPT

/sbin/iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

/sbin/iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

/sbin/iptables -A INPUT -i eth1 -j REJECT

## Liberar ping ##

echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 >

/proc/sys/net/ipv4/icmp_echo_ignore_all



##################################################################
############################ Compartilhamento Internet ###########
##################################################################

/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
echo 1 >

/proc/sys/net/ipv4/ip_forward




echo "Firewall Basico Ativado"

##################################################################
######################################## Fim #####################
##################################################################



18. Re: Redirecionamento de portas

Danilo
dbcazon

(usa Ubuntu)

Enviado em 04/04/2014 - 10:26h

thiago304 escreveu:

Publique seu Script de Firewall para dar uma analisada.


Tiago Eduardo Zacarias
LPIC-1


Bom dia,

Tem algum log do IpTables que dê para analisar algum evento que tenha ocorrido? como por exemplo essa queda do redirecionamento da porta 8887 após as 19h.


19. Problema de Nat

Danilo
dbcazon

(usa Ubuntu)

Enviado em 08/04/2014 - 16:56h

Boa tarde,

Pessoal alguma possibilidade do que possa ser esse meu erro?



01 02



Patrocínio

Site hospedado pelo provedor RedeHost.
Linux banner

Destaques

Artigos

Dicas

Tópicos

Top 10 do mês

Scripts