LINUX.ORG.RU
решено ФорумAdmin

[IPTABLES]Проброс порта

 


0

1

Собственно имеем: 192.168.1.254 - локальный ip роутера (eth1) 192.168.1.136 - адрес веб-сервера 10.0.46.7 - ip в провайдеровской локальной сети (eth0) Нужно пробросить 80 порт на ip провайдеровской локалки

root@router:/etc/init.d# cat rc.firewall 

#!/bin/bash

IPTABLES="/sbin/iptables"

############### Config #######
LNETS="eth1"

DESKTOP="192.168.1.50"
DESKTOP_OPEN_PORT="9000"

DESKTOP2="192.168.1.136"
DESKTOP2_OPEN_PORT="9000"

DESKTOP3="192.168.1.136"
DESKTOP3_OPEN_PORT="80"

HOME_MASKS="192.168.1.0/24"

PROVIDER="eth0"
PROVIDER_IP="10.0.46.7"
PROVIDER_MASK="10.0.0.0/8"
INET="ppp+"
WHITE_IP="77.xxxxxxx"

OPEN_PORTS="22"
###################

echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe nf_nat_pptp
modprobe nf_conntrack_pptp
modprobe nf_conntrack_proto_gre
modprobe nf_nat_proto_gre
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ipt_LOG

$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F PREROUTING
$IPTABLES -t nat -F POSTROUTING

############ DELETE IF ALL WORKING FINE ######
#$IPTABLES -A INPUT -j ACCEPT
#####################################

#mtu for vpn magick command, mega debian epic fail
$IPTABLES -o $INET -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 800:1536 -j TCPMSS --clamp-mss-to-pmtu

# DENY SECTIONS
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP

# local interface, allow all
$IPTABLES -A INPUT -i lo -j ACCEPT

# ALLOW PACKETS IF CONNECTION ESTABLISHED
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# access from white ip
$IPTABLES -A INPUT -s $WHITE_IP -j ACCEPT

# access from home net
for i in $HOME_MASKS; do
   $IPTABLES -A INPUT -s $i -j ACCEPT
done

# defence for ssh for server
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --update --seconds 20 -j DROP
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --set -j ACCEPT

# open ports for server
$IPTABLES -A INPUT -p tcp --syn -m multiport --destination-ports $OPEN_PORTS -j ACCEPT

$IPTABLES -A FORWARD -i eth0 -o eth1 -j ACCEPT

######### FORWARD ##########
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#forward each home eth to provider eth and ppp+
for i in $LNETS; do
   $IPTABLES -A FORWARD -i $INET -o $i -j ACCEPT
   $IPTABLES -A FORWARD -i $i -o $INET -j ACCEPT
   $IPTABLES -A FORWARD -i $i -o $PROVIDER -j ACCEPT
   #forward each home eth to other home eth
   for j in $LNETS; do
       if [ "$i" != "$j" ] ; then
           $IPTABLES -A FORWARD -i $i -o $j -j ACCEPT
           $IPTABLES -A FORWARD -i $j -o $i -j ACCEPT
       fi
   done
done

###########################

######### LOCAL NAT ########
for i in $HOME_MASKS; do
   $IPTABLES -t nat -A POSTROUTING -s $i -d $PROVIDER_MASK -j SNAT --to-source $PROVIDER_IP
done
############################

######### INET NAT #########
for i in $HOME_MASKS; do
   $IPTABLES -t nat -A POSTROUTING -s $i -j SNAT --to-source $WHITE_IP
done
############################

########## FORWARD PORTS #########
for i in $DESKTOP_OPEN_PORT; do
   $IPTABLES -t nat -A PREROUTING -p tcp --dport $i -j DNAT --to $DESKTOP:$i
   $IPTABLES -A FORWARD -p tcp -d $DESKTOP --dport $i -j ACCEPT
done

for i in $DESKTOP2_OPEN_PORT; do
   $IPTABLES -t nat -A PREROUTING -p tcp --dport $i -j DNAT --to $DESKTOP2:$i
   $IPTABLES -A FORWARD -p tcp -d $DESKTOP2 --dport $i -j ACCEPT
done

for i in $DESKTOP3_OPEN_PORT; do
   $IPTABLES -t nat   -A PREROUTING -p tcp  --dport $i -j DNAT --to $DESKTOP3:$i
   $IPTABLES -A FORWARD  -p tcp -d $DESKTOP3 --dport $i -j ACCEPT
done

# ssh for destop with defence

# ping
$IPTABLES -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
# deny other ICMP packets
$IPTABLES -A INPUT -p icmp -j DROP

# other reject

$IPTABLES -A FORWARD -j DROP
iptables -nvL 
root@router:/etc/init.d# iptables -vnL
Chain INPUT (policy ACCEPT 17 packets, 964 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 state NEW 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x12/0x12 state NEW 
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 1301  138K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  *      *       77.94.162.96         0.0.0.0/0           
  999 59951 ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0           
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 recent: UPDATE seconds: 20 name: DEFAULT side: source 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 recent: SET name: DEFAULT side: source 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 multiport dports 22 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    7   420 TCPMSS     tcp  --  *      ppp+    0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 tcpmss match 800:1536 TCPMSS clamp to PMTU 
    1   153 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           
 3073 2564K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    9   448 ACCEPT     all  --  ppp+   eth1    0.0.0.0/0            0.0.0.0/0           
   23  2417 ACCEPT     all  --  eth1   ppp+    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0           
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.50        tcp dpt:9000 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.136       tcp dpt:9000 
   12   720 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.136       tcp dpt:80 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 3046 packets, 2550K bytes)
 pkts bytes target     prot opt in     out     source               destination         
root@router:/etc/init.d#

При таком раскладе все компы в локалке при переходе на 80 порт любого сервера идут на 192.168.1.136 :( В iptables я не очень силён, поэтому жду ответа уважаемых ЛОРовцев

iptables -nvL не нужен

нужен вывод

iptables -t nat -nvL

fix:

for i in $DESKTOP3_OPEN_PORT; do
$IPTABLES -t nat -A PREROUTING -p tcp -d $DESKTOP3 --dport $i -j DNAT --to $DESKTOP3:$i
$IPTABLES -A FORWARD -p tcp -d $DESKTOP3 --dport $i -j ACCEPT
done

HBiT
()

Вместо 

$IPTABLES -t nat   -A PREROUTING -p tcp  --dport $i -j DNAT --to $DESKTOP3:$i
Вставить 
$IPTABLES -t nat   -A PREROUTING -p tcp -i eth0 -d 10.0.46.7 --dport $i -j DNAT --to $DESKTOP3:$i

Yur4eg ★★
()
Ответ на: комментарий от Yur4eg 
root@router:/etc/init.d# iptables -t nat -nvL 
Chain PREROUTING (policy ACCEPT 4 packets, 381 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:9000 to:192.168.1.50:9000 
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:9000 to:192.168.1.136:9000 
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            10.0.46.7           tcp dpt:80 to:192.168.1.136:80 

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SNAT       all  --  *      *       192.168.1.0/24       10.0.0.0/8          to:10.0.46.7 
    0     0 SNAT       all  --  *      *       192.168.1.0/24       0.0.0.0/0           to:77.xxxxxxx 

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.0.46.7           tcp dpt:80 to:192.168.1.136 
root@router:/etc/init.d# 
root@router:/etc/init.d# cat rc.firewall
#!/bin/bash

IPTABLES="/sbin/iptables"

############### Config #######
LNETS="eth1"

DESKTOP="192.168.1.50"
DESKTOP_OPEN_PORT="9000"

DESKTOP2="192.168.1.136"
DESKTOP2_OPEN_PORT="9000"

DESKTOP3="192.168.1.136"
DESKTOP3_OPEN_PORT="80"

HOME_MASKS="192.168.1.0/24"

PROVIDER="eth0"
PROVIDER_IP="10.0.46.7"
PROVIDER_MASK="10.0.0.0/8"
INET="ppp+"
WHITE_IP="77.xxxxxxx"

OPEN_PORTS="22"
###################

echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe nf_nat_pptp
modprobe nf_conntrack_pptp
modprobe nf_conntrack_proto_gre
modprobe nf_nat_proto_gre
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ipt_LOG

$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F PREROUTING
$IPTABLES -t nat -F POSTROUTING

############ DELETE IF ALL WORKING FINE ######
#$IPTABLES -A INPUT -j ACCEPT
#####################################

#mtu for vpn magick command, mega debian epic fail
$IPTABLES -o $INET -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 800:1536 -j TCPMSS --clamp-mss-to-pmtu

# DENY SECTIONS
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP

# local interface, allow all
$IPTABLES -A INPUT -i lo -j ACCEPT

# ALLOW PACKETS IF CONNECTION ESTABLISHED
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# access from white ip
$IPTABLES -A INPUT -s $WHITE_IP -j ACCEPT

# access from home net
for i in $HOME_MASKS; do
   $IPTABLES -A INPUT -s $i -j ACCEPT
done

# defence for ssh for server
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --update --seconds 20 -j DROP
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --set -j ACCEPT

# open ports for server
$IPTABLES -A INPUT -p tcp --syn -m multiport --destination-ports $OPEN_PORTS -j ACCEPT

$IPTABLES -A FORWARD -i eth0 -o eth1 -j ACCEPT

######### FORWARD ##########
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#forward each home eth to provider eth and ppp+
for i in $LNETS; do
   $IPTABLES -A FORWARD -i $INET -o $i -j ACCEPT
   $IPTABLES -A FORWARD -i $i -o $INET -j ACCEPT
   $IPTABLES -A FORWARD -i $i -o $PROVIDER -j ACCEPT
   #forward each home eth to other home eth
   for j in $LNETS; do
       if [ "$i" != "$j" ] ; then
           $IPTABLES -A FORWARD -i $i -o $j -j ACCEPT
           $IPTABLES -A FORWARD -i $j -o $i -j ACCEPT
       fi
   done
done

###########################

######### LOCAL NAT ########
for i in $HOME_MASKS; do
   $IPTABLES -t nat -A POSTROUTING -s $i -d $PROVIDER_MASK -j SNAT --to-source $PROVIDER_IP
done
############################

######### INET NAT #########
for i in $HOME_MASKS; do
   $IPTABLES -t nat -A POSTROUTING -s $i -j SNAT --to-source $WHITE_IP
done
############################

########## FORWARD PORTS #########
for i in $DESKTOP_OPEN_PORT; do
   $IPTABLES -t nat -A PREROUTING -p tcp --dport $i -j DNAT --to $DESKTOP:$i
   $IPTABLES -A FORWARD -p tcp -d $DESKTOP --dport $i -j ACCEPT
done

for i in $DESKTOP2_OPEN_PORT; do
   $IPTABLES -t nat -A PREROUTING -p tcp --dport $i -j DNAT --to $DESKTOP2:$i
   $IPTABLES -A FORWARD -p tcp -d $DESKTOP2 --dport $i -j ACCEPT
done

for i in $DESKTOP3_OPEN_PORT; do
#   $IPTABLES -t nat   -A PREROUTING -p tcp  --dport $i -j DNAT --to $DESKTOP3:$i
$IPTABLES -t nat   -A PREROUTING -p tcp -i eth0 -d 10.0.46.7 --dport $i -j DNAT --to $DESKTOP3:$i
   $IPTABLES -A FORWARD  -p tcp -d $DESKTOP3 --dport $i -j ACCEPT
done

# ssh for destop with defence

# ping
$IPTABLES -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
# deny other ICMP packets
$IPTABLES -A INPUT -p icmp -j DROP

# other reject

$IPTABLES -A FORWARD -j DROP

root@router:/etc/init.d# 
jon@localhost ~ $ nmap -P0 10.0.46.7

Starting Nmap 5.51 ( http://nmap.org ) at 2011-03-01 16:45 MSK
Nmap scan report for 10.0.46.7
Host is up (0.0095s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
53/tcp open  domain

Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
jon@localhost ~ $

Что не так?

the-jon
() автор топика
Ответ на: комментарий от the-jon

Проблема решена, добавил 

$IPTABLES -t nat -A PREROUTING -p tcp -d 10.0.46.7 --dport 80 -j DNAT --to 192.168.1.136:80
$IPTABLES -A FORWARD -p tcp -d 10.0.46.7 --dport 80 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -d 192.168.1.136 --dport 80 -j DNAT --to 192.168.1.136:80
$IPTABLES -A FORWARD -p tcp -d 192.168.1.136 --dport 80 -j ACCEPT
всё открыто, всё работает, всем учавствовавшим - спасибо :)

the-jon
() автор топика
Вы не можете добавлять комментарии в эту тему. Тема перемещена в архив.
Admin