Redirection Problems in IPTABLES

1. Redirection Problems in IPTABLES

Jefferson Pereira
jeffersonpsilva

(uses Debian)

Sent on 06/04/2009 - 15:36h

Hi folks...

Here's the thing: I have a problem with IPTABLES on Debian 5.0 lenny, where the following situation happens:

Firewall server with two ethernet interfaces:

Eth0: 189.xxx.x.xxx (VALID IP)
Eth1: 192.168.0.254 (INTERNAL NETWORK)

What I need:

That packets received on certain ports, for example 3389, hit the VALID IP and get thrown to some other workstation on the network:

For example: when the packet arrives on port 3389 at IP 189.xxx.x.xxx (valid), forward it to IP 192.168.0.100 (which is a Terminal Server workstation on port 3389).

I made the following attempt in IPTABLES:

iptables -t nat -A PREROUTING -p tcp -d 189.xx.x.xxx --dport 3389 -j DNAT --to 192.168.0.100 (IP of the workstation with the TS)

but it didn't work :(

Can anyone give me a hand?

Hugs!!

2. Re: Redirection Problems in IPTABLES

Marcus-RJ
Marcus-RJ

(uses Arch Linux)

Sent on 06/04/2009 - 16:24h

Your nat table looks fine; check whether there isn't a block in forward, input or output.

Cheers!


3. Re: Redirection Problems in IPTABLES

Rafael Arcanjo
ST. RaLF

(uses Arch Linux)

Sent on 06/04/2009 - 16:36h

Open up FORWARD too.


4. forward

Diego
dfsantos

(uses openSUSE)

Sent on 06/04/2009 - 16:42h

Did you enable routing in the kernel???? duhhhhh, seems [*****] but who knows....=D


5. Re: Redirection Problems in IPTABLES

Jefferson Pereira
jeffersonpsilva

(uses Debian)

Sent on 06/04/2009 - 17:04h

I did the following:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE

iptables -I INPUT -p ALL -d 189.xxx.x.xxx -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -d 189.xx.x.xxx --dport 3389 -j DNAT --to 192.168.0.100


6. Re: Redirection Problems in IPTABLES

Rafael Arcanjo
ST. RaLF

(uses Arch Linux)

Sent on 06/04/2009 - 17:08h

Below the PREROUTING line, add this:
iptables -A FORWARD -p tcp -d 189.xx.x.xxx --dport 3389 -j ACCEPT


7. Re: Redirection Problems in IPTABLES

Jefferson Pereira
jeffersonpsilva

(uses Debian)

Sent on 06/04/2009 - 17:30h

Man, that didn't work either:

Look, I ran iptables -L:

firewall:/etc/init.d# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 189.xx.xx.xxx

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere 189.xx.xx.xxx tcp dpt:3389

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


8. Re: Redirection Problems in IPTABLES

Ronaldo Terranova
terranova

(uses Debian)

Sent on 06/04/2009 - 17:53h

iptables -A FORWARD -p tcp -s 0/0 --dport 3389 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 3389 -j DNAT --to-destination 192.168.0.100:3389

I use this rule with no routing problems.


9. Re: Redirection Problems in IPTABLES

Jefferson Pereira
jeffersonpsilva

(uses Debian)

Sent on 06/04/2009 - 18:49h

Look, I've already tried everything I could; maybe I'm not seeing the error from staring at this script so much:

My SCRIPT follows below:

#!/bin/sh
#################################################################################################
# description: iptables startup                                                                 #
#################################################################################################

case "$1" in

start)
printf "Iniciando o servico de IPTables..."
echo

#############################################################################################

IPTABLES="/sbin/iptables"
MODPROBE="/sbin/modprobe"

#############################################################################################

# eth0 = interface connected to the Internet
# eth1 = interface connected to the LAN

#############################################################################################

$MODPROBE ip_tables
$MODPROBE iptable_filter
$MODPROBE iptable_nat
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp
$MODPROBE ipt_LOG
$MODPROBE ipt_state
$MODPROBE ipt_MASQUERADE

#############################################################################################

# Enable packet forwarding in the kernel and masquerade the LAN behind eth0
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE

# Redirect TCP 3389 arriving on eth0 to the internal host and allow it through FORWARD
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to-dest 192.168.0.2
$IPTABLES -A FORWARD -p tcp -i eth0 --dport 3389 -d 192.168.0.2 -j ACCEPT

# Same for UDP 3389
$IPTABLES -t nat -A PREROUTING -i eth0 -p udp --dport 3389 -j DNAT --to-dest 192.168.0.2
$IPTABLES -A FORWARD -p udp -i eth0 --dport 3389 -d 192.168.0.2 -j ACCEPT

#############################################################################################

;;

stop)

printf "Parando o servico de IPTables..."
echo

################################################################################
#
# 1. Configuration
#

IPTABLES="/sbin/iptables"

#
# 1.1. Restore the default policies in the filter table
#

$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#
# 1.2. Restore the default policies in the nat table
#

$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

#
# 1.3. Restore the default policies in the mangle table
#

$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT

#
# 1.4. Flush all rules in the filter, nat and mangle tables
#

$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

#
# 1.5. Delete all non-default chains in the filter, nat and mangle tables
#

$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

;;

################################################################################
################################################################################
################################################################################
*)

printf "Uso correto: iptables (start|stop)"
echo

;;

esac

exit 0




10. Helping...

Daniel Fernandes
volcom

(uses Debian)

Sent on 06/04/2009 - 19:10h

Friend,

I have exactly this working; put the following lines in your firewall script:

########## Allow communication with the Terminal Server
iptables -A FORWARD -p tcp -s 192.168.1.0/24 -i eth1 --sport 1024: -d 0/0 -o eth0 --dport 3389 -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 -i eth0 --sport 3389 -d 192.168.1.0/24 -o eth1 --dport 1024: -j ACCEPT

######## Redirect remote access to the internal IP
iptables -A FORWARD -p tcp --sport 3389 -j ACCEPT
iptables -A FORWARD -p tcp --dport 3389 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to-destination 192.168.1.24
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 3389 -j DNAT --to-destination 192.168.1.24

Where eth0 is the source (Internet) and 192.168.1.24 is the destination (IP of the workstation/server).

That way it works just fine!

Cheers...
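A compact version of the DNAT-plus-FORWARD layout the thread is working toward, written as an added example (it is not code from any of the posts above) with placeholder addresses: public IP 203.0.113.10 on eth0 and the Terminal Server at 192.168.0.100 on eth1. The point it makes explicit is that the FORWARD chain sees the packet after PREROUTING has already rewritten the destination, so the filter rule has to name the internal host rather than the public IP; DRY_RUN=1 prints the commands so the ruleset can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical addresses: public IP
# 203.0.113.10 on eth0 (Internet), Terminal Server 192.168.0.100 on eth1 (LAN).
# DRY_RUN=1 prints the commands instead of applying them.
IPT="${IPT:-iptables}"
WAN_IF=eth0; LAN_IF=eth1
WAN_IP=203.0.113.10
LAN_NET=192.168.0.0/24
TS_IP=192.168.0.100
TS_PORT=3389
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

load_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run "$IPT" -F FORWARD
    run "$IPT" -t nat -F
    # Deny routed traffic by default; only the rules below open a path.
    run "$IPT" -P FORWARD DROP
    # PREROUTING runs before the routing decision: rewrite the public destination.
    run "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$WAN_IP" --dport "$TS_PORT" \
        -j DNAT --to-destination "$TS_IP:$TS_PORT"
    # FORWARD sees the packet AFTER DNAT, so it must match the internal address;
    # a FORWARD rule that names the public IP never fires for this traffic.
    run "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$TS_IP" --dport "$TS_PORT" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    # Replies from the TS (and any established flow) back toward the Internet.
    run "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN clients going out: allow and masquerade behind the public IP.
    run "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

flush_rules() {
    run "$IPT" -P FORWARD ACCEPT
    run "$IPT" -F FORWARD
    run "$IPT" -t nat -F
}

# Packet counters show which rule (if any) the RDP traffic actually hits.
show_rules() {
    run "$IPT" -t nat -L PREROUTING -n -v
    run "$IPT" -L FORWARD -n -v
}

case "${1:-}" in
    start) load_rules ;;
    stop)  flush_rules ;;
    show)  show_rules ;;
    "")    : ;;   # no argument (e.g. sourced): only define the functions
    *)     echo "usage: $0 start|stop|show" >&2; exit 2 ;;
esac
```

Run `sh fw.sh show` after `start` and watch the counters on the PREROUTING DNAT rule and the first FORWARD rule while opening an RDP session; a DNAT counter that climbs while FORWARD stays at zero means the filter rule is matching the wrong address.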