Страница 1 из 1

Открытие и проброс портов в iptables

Добавлено: 26 окт 2012, 09:05
timon_po
здравствуйте. У меня большая проблема. Недавно устрился на работу, а linux раньше практически не работал.

Я хочу открыть 22 порт на прокси сервере и сделать проброс этого же порта на внутренний сервер. В интернете находил много информации, ничего не помогло. Вот Вам содержимое iptables -L без изменений. Помогите пожалуйста.

[spoiler]iptables -L
Chain AllowICMPs (2 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp time-exceeded

Chain Drop (1 references)
target prot opt source destination
RejectAuth all -- anywhere anywhere
dropBcast all -- anywhere anywhere
AllowICMPs icmp -- anywhere anywhere
dropInvalid all -- anywhere anywhere
DropSMB all -- anywhere anywhere
DropUPnP all -- anywhere anywhere
dropNotSyn tcp -- anywhere anywhere
DropDNSrep all -- anywhere anywhere

Chain DropDNSrep (2 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp spt:domain

Chain DropSMB (1 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpt:135
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
DROP udp -- anywhere anywhere udp dpt:microsoft-ds
DROP tcp -- anywhere anywhere tcp dpt:135
DROP tcp -- anywhere anywhere tcp dpt:netbios-ssn
DROP tcp -- anywhere anywhere tcp dpt:microsoft-ds

Chain DropUPnP (2 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpt:1900

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Ifw all -- anywhere anywhere
ppp_in all -- anywhere anywhere
eth0_in all -- anywhere anywhere
eth1_in all -- anywhere anywhere
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:INPUT:REJECT:'
reject all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ppp_fwd all -- anywhere anywhere
eth0_fwd all -- anywhere anywhere
eth1_fwd all -- anywhere anywhere
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:FORWARD:REJECT:'
reject all -- anywhere anywhere

Chain Ifw (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere set ifw_wl src
DROP all -- anywhere anywhere set ifw_bl src
IFWLOG all -- anywhere anywhere state INVALID,NEW psd weight-threshold: 10 delay-threshold: 10000 lo-ports-weight: 1 hi-ports-weight: 2 IFWLOG prefix 'SCAN'

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc
fw2net all -- anywhere anywhere
fw2loc all -- anywhere anywhere
fw2loc all -- anywhere anywhere
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:OUTPUT:REJECT:'
reject all -- anywhere anywhere

Chain Reject (4 references)
target prot opt source destination
RejectAuth all -- anywhere anywhere
dropBcast all -- anywhere anywhere
AllowICMPs icmp -- anywhere anywhere
dropInvalid all -- anywhere anywhere
RejectSMB all -- anywhere anywhere
DropUPnP all -- anywhere anywhere
dropNotSyn tcp -- anywhere anywhere
DropDNSrep all -- anywhere anywhere

Chain RejectAuth (2 references)
target prot opt source destination
reject tcp -- anywhere anywhere tcp dpt:auth

Chain RejectSMB (1 references)
target prot opt source destination
reject udp -- anywhere anywhere udp dpt:135
reject udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
reject udp -- anywhere anywhere udp dpt:microsoft-ds
reject tcp -- anywhere anywhere tcp dpt:135
reject tcp -- anywhere anywhere tcp dpt:netbios-ssn
reject tcp -- anywhere anywhere tcp dpt:microsoft-ds

Chain all2all (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:all2all:REJECT:'
reject all -- anywhere anywhere

Chain dropBcast (2 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
DROP all -- anywhere anywhere PKTTYPE = multicast

Chain dropInvalid (2 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID

Chain dropNotSyn (2 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN

Chain dynamic (6 references)
target prot opt source destination

Chain eth0_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
loc2net all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain eth0_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc
loc2fw all -- anywhere anywhere

Chain eth1_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
loc2net all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain eth1_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
loc2fw all -- anywhere anywhere

Chain fw2loc (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain fw2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain loc2fw (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain loc2net (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- 192.168.3.40 91-149-157-87.hoster.by multiport dports telnet,fido
ACCEPT tcp -- anywhere hosting2.cityline.by multiport dports smtp,pop3
ACCEPT all -- anywhere anywhere

Chain net2all (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:net2allROP:'
DROP all -- anywhere anywhere

Chain ppp_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
net2all all -- anywhere anywhere
net2all all -- anywhere anywhere

Chain ppp_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
net2all all -- anywhere anywhere

Chain reject (11 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
DROP all -- anywhere anywhere PKTTYPE = multicast
DROP all -- 192.168.3.255 anywhere
DROP all -- 192.168.1.255 anywhere
DROP all -- 255.255.255.255 anywhere
DROP all -- base-address.mcast.net/4 anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with icmp-host-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain shorewall (0 references)
target prot opt source destination

Chain smurfs (0 references)
target prot opt source destination
LOG all -- 192.168.3.255 anywhere LOG level info prefix `Shorewall:smurfsROP:'
DROP all -- 192.168.3.255 anywhere
LOG all -- 192.168.1.255 anywhere LOG level info prefix `Shorewall:smurfsROP:'
DROP all -- 192.168.1.255 anywhere
LOG all -- 255.255.255.255 anywhere LOG level info prefix `Shorewall:smurfsROP:'
DROP all -- 255.255.255.255 anywhere
LOG all -- base-address.mcast.net/4 anywhere LOG level info prefix `Shorewall:smurfsROP:'
DROP all -- base-address.mcast.net/4 anywhere[/spoiler]

Re: Открытие и проброс портов в iptables

Добавлено: 26 окт 2012, 12:10
mend0za
Может проще будет воспользоваться rinetd ?

Он гораздо понятнее и проще для этих целей, чем NAT в iptables

Re: Открытие и проброс портов в iptables

Добавлено: 31 окт 2012, 17:57
linux70
iptables -t nat -A PREROUTING -d 11.1.1.1.1 -p tcp --dport 22 -i eth0 -j DNAT --to-destination 192.168.0.20:22

но только на внешнем им надо перенести 22 порт (открытый sshd) на более другой тогда, а лучше пробросить не 22 порт внешний, а некий другой на 22 порт внутреннего компа

а вообще рекомендую Shorewall, но предварительно покурить маны придется, но окупится вполне