Problemas com o Forward

ronysrei
(usa CentOS)

Enviado em 13/11/2013 - 19:58h

Pessoal, preciso fazer uma coisa e não estou conseguindo...

Tenho um CentOS com 2 placas de rede... A interna eth0 e a externa eth1.

Tenho um serviço que quero que funcione apenas na placa de rede interna na porta 9091.

Esse serviço não deve aceitar conexões pela placa eth1!

Pela eth1, esse mesmo serviço deve funcionar na porta 9092.

Já tentei de tudo e não consegui...

Fiz assim:

iptables -A INPUT -p tcp -i eth0 --dport 9091 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 9092 -j REDIRECT --to-ports 9091

Mas isso não funciona, pois a conexão continua vindo pela placa de rede eth1.

Como resolvo?

Obrigado!

andrecanhadas
(usa Debian)

Enviado em 13/11/2013 - 23:15h

Vejamos:

iptables -A INPUT -p tcp -i eth0 --dport 9091 -j ACCEPT

iptables -A INPUT -p tcp -i eth1 --dport 9091 -j DROP

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 9092 -j REDIRECT --to-ports 9091

 

Ou

iptables -A INPUT -p tcp --dport 9091 -j DROP

iptables -A INPUT -p tcp --dport 9092 -j DROP

iptables -A INPUT -p tcp -i eth0 --dport 9091 -j ACCEPT

iptables -A INPUT -p tcp -i eth1 --dport 9092 -j ACCEPT

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 9092 -j REDIRECT --to-ports 9091

 

Apos isso poste a saida de :

iptables -L

 

ronysrei
(usa CentOS)

Enviado em 14/11/2013 - 01:06h

Amigo, isso aí não faz diferença nenhuma com o que eu já tinha feito... A primeira regra do meu firewall é para dar um drop em tudo.

andrecanhadas
(usa Debian)

Enviado em 14/11/2013 - 07:11h

Opa então posta seu firewall minha bola de cristal deve estar com defeito.

removido
(usa Nenhuma)

Enviado em 14/11/2013 - 08:11h

rs..... A minha bola de cristal ultimamente está abendando também.

ronysrei
(usa CentOS)

Enviado em 14/11/2013 - 13:52h

Desculpe-me, amigo.

Vou postar aqui o iptables -L... Os dados que eu havia falando são genéricos... Os dados reais são:
Serviço que pode rodar apenas na placa de rede interna (seth0) --> UDP 5060 - SIP
Na placa de rede externa (seth1), pode ser em qualquer porta, como a UDP 5075.

############################################################################################
############################################################################################
############################################################################################
Primeiro meu script de firewall:

#!/bin/bash
iptables -F
iptables -t nat -F
iptables -t mangle -F

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Libera SSH para qualquer lugar
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 2222 -j ACCEPT

# Libera tudo para a Interface LOCAL -- SETH0
iptables -A INPUT -i seth0 -j ACCEPT

# Libera os protocolos do voip
iptables -A INPUT -p udp -i seth0 -m udp --dport 5060 -j ACCEPT
iptables -t nat -A PREROUTING -i seth1 -p udp --dport 5075 -j REDIRECT --to-ports 5060

iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
iptables -A INPUT -p tcp --dport 4431 -j ACCEPT

# Libera o ping
iptables -A INPUT -p icmp -j ACCEPT

iptables -t nat -A POSTROUTING -o seth1 -j MASQUERADE
iptables -A FORWARD -s 192.168.11.0/24 -j ACCEPT

# Libera 3389 para o Servidor
iptables -t nat -A PREROUTING -i seth1 -p tcp --dport 3389 -j DNAT --to 192.168.11.3
iptables -A FORWARD -p tcp -d 192.168.11.3 --dport 3389 -j ACCEPT

#Libera Forward Temporario
iptables -A FORWARD -j ACCEPT

/sbin/service iptables save

############################################################################################
############################################################################################
############################################################################################

Agroa o iptables -L

iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:rockwell-csp2
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:sip
ACCEPT udp -- anywhere anywhere udp dpts:ndmp:dnp
ACCEPT tcp -- anywhere anywhere tcp dpt:4431
ACCEPT icmp -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 192.168.11.0/24 anywhere
ACCEPT tcp -- anywhere 192.168.11.3 tcp dpt:ms-wbt-server
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (0 references)
target prot opt source destination

Chain fail2ban-ASTERISK (0 references)
target prot opt source destination

Chain fail2ban-SSH (0 references)
target prot opt source destination


############################################################################################
############################################################################################
############################################################################################
############################################################################################

service iptables status
Table: mangle
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination

Chain INPUT (policy ACCEPT)
num target prot opt source destination

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination

Table: filter
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2222
5 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
6 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060
7 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:10000:20000
8 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4431
9 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 192.168.11.0/24 0.0.0.0/0
2 ACCEPT tcp -- 0.0.0.0/0 192.168.11.3 tcp dpt:3389
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Chain RH-Firewall-1-INPUT (0 references)
num target prot opt source destination

Chain fail2ban-ASTERISK (0 references)
num target prot opt source destination

Chain fail2ban-SSH (0 references)
num target prot opt source destination

Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 REDIRECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5075 redir ports 5060
2 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3389 to:192.168.11.3

Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

############################################################################################
############################################################################################
############################################################################################
############################################################################################

Quer mais alguma info?

Obrigado novamente.

removido
(usa Nenhuma)

Enviado em 14/11/2013 - 14:50h

Eu faria com marcação de pacotes.

Abraço!

ronysrei
(usa CentOS)

Enviado em 14/11/2013 - 21:02h

Desculpe a ignorancia, Amarildo... Mas como faz?

removido
(usa Nenhuma)

Enviado em 15/11/2013 - 12:33h

Ex.:

http://www.vivaolinux.com.br/dica/Roteamento-com-marcacao-de-pacotes