
Enviado em 28/10/2015 - 10:58h
Olá pessoal,
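#!/bin/bash
########################################
# Simple iptables gateway firewall (init-script style).
#
# Usage: /etc/init.d/firewall.sh {start | stop | restart}
#   start   - flush every table, enable NAT/forwarding, set DROP policies and
#             load the INPUT/OUTPUT/FORWARD rules below
#   stop    - flush every table and leave the box as an ACCEPT-all
#             masquerading router (that is what the original script did)
#   restart - stop followed by start, in-process
#
# Must run as root (iptables, modprobe and the /proc/sys write need it).
# Changes versus the original: NAT/forwarding setup no longer runs
# unconditionally on every invocation (it appended a new MASQUERADE rule
# each time, twice on "stop", three times on "restart"); "start" flushes
# before loading so repeated starts do not stack duplicate rules; loopback is
# accepted; the hard-coded eth0 / 192.168.50.200 now use the variables; and
# the DNAT for the CA server gets the FORWARD rule it needs instead of a dead
# INPUT rule.
########################################
set -u

########################################
# Variables
########################################
IF_EXT=eth0                  # interface facing the Internet
IF_IN=eth1                   # interface facing the LAN
# shellcheck disable=SC2034 — kept from the original; not used by any rule yet
IP_EXT=221.54.182.4
# shellcheck disable=SC2034 — kept from the original; not used by any rule yet
IP_IN=192.168.50.1
IP_CASERVER=192.168.50.200   # LAN host published on TCP/2020 (RDP) via DNAT
# Destination ports LAN hosts may reach through the gateway (applied to both
# TCP and UDP, as in the original; several of them are TCP-only services).
PORTAS_DE_SERVICOS_1=80,443,8080,53,8081,20,21,22,3389,5432,25,465,995,222
PORTAS_DE_SERVICOS_2=34567,161,162,10050,10051

#######################################
# Flush all rules and delete all user chains in filter, nat and mangle.
# Policies are left alone so the caller decides whether the box is open
# (stop) or closed (start) while rules are rebuilt.
#######################################
flush_rules() {
  local table
  for table in filter nat mangle; do
    iptables -t "$table" -F
    iptables -t "$table" -X
  done
}

#######################################
# Load the NAT module, enable IPv4 forwarding and masquerade everything
# leaving on the external interface. Only ever called right after
# flush_rules, so the MASQUERADE rule exists exactly once.
# Globals: IF_EXT (read)
#######################################
enable_nat() {
  modprobe iptable_nat
  echo 1 > /proc/sys/net/ipv4/ip_forward
  iptables -t nat -A POSTROUTING -o "$IF_EXT" -j MASQUERADE
}

#######################################
# Bring the firewall up: clean slate, fail-closed policies, then the accept
# rules. Policies go to DROP before the rules are loaded (as in the original)
# so the box never sits open while the chains are being filled.
# Globals: IF_EXT, IF_IN, IP_CASERVER, PORTAS_DE_SERVICOS_1/2 (read)
#######################################
firewall_start() {
  echo "Firewall Ligado!"
  flush_rules
  enable_nat

  ########################################
  # Default policies: block
  ########################################
  iptables -P INPUT DROP
  iptables -P OUTPUT DROP
  iptables -P FORWARD DROP

  ########################################
  # NAT rules
  ########################################
  # CAServer: public TCP/2020 -> RDP (3389) on the CA server.
  # NOTE(review): this exposes RDP to every Internet source; if the set of
  # remote users is known, add "-s <allowed-source-cidr>" to this rule and
  # to the matching FORWARD rule below.
  iptables -t nat -A PREROUTING -i "$IF_EXT" -p tcp --dport 2020 \
    -j DNAT --to-destination "$IP_CASERVER:3389"

  ########################################
  # INPUT
  ########################################
  # Loopback: with policy DROP and no lo rule, local daemons talking to
  # themselves (resolver, monitoring agents) are cut off.
  iptables -A INPUT -i lo -j ACCEPT
  # stateful
  iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # icmp (ping)
  iptables -A INPUT -p icmp -j ACCEPT
  # ntop, ssh (port 222) and Zabbix are accepted on every interface, as in
  # the original. NOTE(review): ntop and the Zabbix ports are management
  # services; restricting them with -i "$IF_IN" would keep them off $IF_EXT.
  # ntop
  iptables -A INPUT -p tcp --dport 3000 -j ACCEPT
  iptables -A INPUT -p udp --dport 3000 -j ACCEPT
  # ssh
  iptables -A INPUT -p tcp --dport 222 -j ACCEPT
  # Zabbix
  iptables -A INPUT -p tcp --dport 10050 -j ACCEPT
  iptables -A INPUT -p tcp --dport 10051 -j ACCEPT
  # (The original also accepted INPUT tcp/2020. Packets hitting the DNAT
  # above are rewritten in PREROUTING and traverse FORWARD, never INPUT, so
  # that rule matched nothing useful; the real allow is in FORWARD below.)

  ########################################
  # OUTPUT
  ########################################
  iptables -A OUTPUT -o lo -j ACCEPT
  # stateful
  iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # icmp (ping)
  iptables -A OUTPUT -p icmp -j ACCEPT
  # DNS
  iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
  iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
  # NTP
  iptables -A OUTPUT -p tcp --dport 123 -j ACCEPT
  iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
  # HTTP
  iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
  # HTTPS
  iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT

  ########################################
  # FORWARD
  ########################################
  # stateful
  iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # New connections to the DNAT'd CA server (RDP) arriving from outside.
  iptables -A FORWARD -i "$IF_EXT" -o "$IF_IN" -p tcp -d "$IP_CASERVER" --dport 3389 \
    -m conntrack --ctstate NEW -j ACCEPT
  # HTTP, HTTPS and the other everyday services, LAN -> anywhere.
  iptables -A FORWARD -i "$IF_IN" -p tcp -m multiport --dports "$PORTAS_DE_SERVICOS_1" -j ACCEPT
  iptables -A FORWARD -i "$IF_IN" -p udp -m multiport --dports "$PORTAS_DE_SERVICOS_1" -j ACCEPT
  iptables -A FORWARD -i "$IF_IN" -p tcp -m multiport --dports "$PORTAS_DE_SERVICOS_2" -j ACCEPT
  iptables -A FORWARD -i "$IF_IN" -p udp -m multiport --dports "$PORTAS_DE_SERVICOS_2" -j ACCEPT
  # whois (no interface restriction, as in the original)
  iptables -A FORWARD -p tcp --dport 43 -j ACCEPT
  # ping in both directions across the LAN interface
  iptables -A FORWARD -p icmp -i "$IF_IN" -j ACCEPT
  iptables -A FORWARD -p icmp -o "$IF_IN" -j ACCEPT
  # NTP
  iptables -A FORWARD -p udp --dport 123 -o "$IF_EXT" -j ACCEPT
}

#######################################
# Take the firewall down. Deliberately matches the original behaviour:
# every table is flushed, policies become ACCEPT and NAT/forwarding stay on,
# so after "stop" the host is an unfiltered masquerading router.
#######################################
firewall_stop() {
  echo "Firewall Desligado!"
  flush_rules
  ########################################
  # Default policies: accept everything
  ########################################
  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT
  enable_nat
}

# ${1:-} keeps "set -u" from aborting before the usage message when no
# action is given.
case "${1:-}" in
  start)
    firewall_start
    ;;
  stop)
    firewall_stop
    ;;
  restart)
    # In-process instead of re-executing /etc/init.d/firewall.sh twice; the
    # result is the same and no unconditional top-level code runs again.
    firewall_stop
    firewall_start
    ;;
  *)
    echo "Use: /etc/init.d/firewall.sh {start | stop | restart}"
    exit 1
    ;;
esac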









