svk_br
(usa RedHat)
Enviado em 21/09/2007 - 12:09h
Fala galera!! blz!?
Preciso de uma ajuda!!!
Tenho um fw com iptables e dentro da minha rede, há um servidor de aplicação que recebe todas as solicitações de FTP (Ativo e Passivo) internas e externas.
O problema é que na aplicação configurada neste servidor, há um registro que diz que esse servidor de FTP é o 200.xxx.xxx.100. Para que está acessando de fora, sem problemas tudo funciona perfeitamente.
Para quem está dentro da rede, há um problema. Se eu digitar o ip interno desse FTP (192.168.1.6), o user e pass do cliente é validado mas na hora da transferência de dados via FTP, a coisa empaca pois ele diz que não achou o server FTP 200.xxx.xxx.100.
Se eu colocar o IP 200.xxx.xxx.100 para conectar ao servidor, aí ele nem sai do lugar.
Já tentei configurar mil regras no iptables para fazer isso funcionar mas não consegui.
Alguém poderia me dizer onde estou errando?!.. abaixo segue meu script..
Obrigado pela força!!!
############################################
. /etc/init.d/functions
LAN_IP="192.168.1.1"
LAN_BCAST_ADRESS="255.255.255.0"
LAN_IFACE="eth1"
INET_IP="200.xxx.xxx.100"
INET_IFACE="eth0"
TEK="192.168.1.6"
HTTP_IP="192.168.1.1"
MAIL="xxx.xxx.xxx.xxx"
HOT="0/0"
VNC="192.168.1.6"
LO_IP="127.0.0.1"
LO_IFACE="lo"
IPTABLES="/sbin/iptables"
###########################################
#
# Load all required IPTables modules
#
#
#
# Needed to initially load modules
#
/sbin/depmod -a
#
# Adds some iptables targets like LOG, REJECT and MASQUARADE.
#
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_nat_ftp
#
# Support for connection tracking of FTP and IRC.
#
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack
#CRITICAL: Enable IP forwarding since it is disabled by default.
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# Dynamic IP users:
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
$IPTABLES -F
$IPTABLES -X
###########################################
##
# Chain Policies gets set up before any bad packets gets through
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# the allowed chain for TCP connections, utilized in the FORWARD chain
$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# ICMP rules, utilized in the FORWARD chain
$IPTABLES -N icmp_packets
# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#
# bad_tcp_packets chain
#
# Take care of bad TCP packets that we do not want.
$IPTABLES -N bad_tcp_packets
# $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
# Do some checks for obviously spoofed IPs
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 172.16.0.0/12 -j DROP
###########################################
# POSTROUTING chain in the nat table
#
# Enable IP SNAT for all internal networks trying to get out on the Interneta
# ATENCAO : A LINHA ABAIXO FAZ NAT !!! MAS E CONJUGADA COM A SECAO "LAN SECTION"
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
################################################################
#Regra para acesso ao VNC
$IPTABLES -A FORWARD -p TCP --dport 5800 -j ACCEPT
$IPTABLES -A FORWARD -p UDP --dport 5800 -j ACCEPT
$IPTABLES -A FORWARD -p TCP --dport 5900 -j ACCEPT
$IPTABLES -A FORWARD -p UDP --dport 5900 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $INET_IP --dport 5800 -j DNAT --to $VNC
$IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $INET_IP --dport 5800 -j DNAT --to $VNC
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $INET_IP --dport 5900 -j DNAT --to $VNC
$IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $INET_IP --dport 5900 -j DNAT --to $VNC
#################################################
#Regra de acesso ao sistema TEK
$IPTABLES -A FORWARD -p TCP --dport 20 -j ACCEPT
$IPTABLES -A FORWARD -p TCP --dport 21 -j ACCEPT
$IPTABLES -A FORWARD -p TCP --dport 211 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $INET_IP --dport 20 -j DNAT --to $TEK
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $INET_IP --dport 21 -j DNAT --to $TEK
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $INET_IP --dport 211 -j DNAT --to $TEK
#####################################################
# Regra de acesso ao POP e SMTP
#$IPTABLES -A FORWARD -p TCP -d $MAIL --dport 25 -j ACCEPT
#$IPTABLES -A FORWARD -p TCP -d $MAIL --dport 110 -j ACCEPT
###################################################
# Regra de acesso DNS
$IPTABLES -A FORWARD -p TCP -s $HOT --dport 53 -j ACCEPT
#
# Bad TCP packets we don't want
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
#
# LAN section
# ATENÇÂO : Estas linhas permitem que o nat seja feito somente ao proxy
$IPTABLES -A FORWARD -s $HTTP_IP -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Regra de acesso direto
$IPTABLES -A FORWARD -s 192.168.1.6 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.1.221 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.1.222 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.1.223 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.1.224 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.1.225 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.1.226 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.1.227 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.1.228 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.1.229 -j ACCEPT
#
# LOG all packets reaching here
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
###########################################################
#
# Firewall rules
# Rules applying to the firewall box
#
#
# INPUT chain
#
# Bad TCP packets we don't want
#
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
#
# Packets from the Internet to this box
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
# Regra para permitir o SSH externo
$IPTABLES -A INPUT -p TCP --dport 22 -j ACCEPT
# DHCPD
$IPTABLES -A INPUT -p TCP --dport 67 -j ACCEPT
$IPTABLES -A INPUT -p UDP --dport 67 -j ACCEPT
#FTP - TEK
$IPTABLES -I INPUT -m state --state NEW -j ACCEPT
#
# Packets from LAN or LOCALHOST
#
# From LAN Interface to LAN firewall IP
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
# From Localhost interface to Localhost IP
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
# All established and related packets incoming from the internet to the firewall
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
# Logging rule
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
###########################################################
#
# OUTPUT chain
#
#
# Bad TCP packets we don't want
#
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
#DHCPD
$IPTABLES -A OUTPUT -p TCP --dport 68 -j ACCEPT
$IPTABLES -A OUTPUT -p UDP --dport 68 -j ACCEPT
#
# Allow ourself to send packets not spoofed everywhere
#
$IPTABLES -A OUTPUT -p ALL -o $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $LAN_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -s $INET_IP -j ACCEPT
#
# Logging rule
#
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died:"