Port Forwarding

[iRonix]

Dobrý den,

Řeším jeden problém, na GW ubuntu povoluji na FW:

EXTERNAL_IF="eth0" # External Internet interface

# TeamSpeak3
iptables -t nat -A PREROUTING -i $EXTERNAL_IF -p udp --dport 9987 -j DNAT --to 10.25.0.40:9987
iptables -A FORWARD -i $EXTERNAL_IF -p udp -d 10.25.0.40 --dport 9987 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

#Povolí TS3
iptables -A INPUT -p udp -i $EXTERNAL_IF --dport 9987 -j ACCEPT
iptables -A INPUT -p udp -i $EXTERNAL_IF --sport 9987 -j ACCEPT
iptables -A INPUT -p tcp -i $EXTERNAL_IF --dport 30033 -j ACCEPT
iptables -A INPUT -p tcp -i $EXTERNAL_IF --sport 30033 -j ACCEPT
iptables -A INPUT -p tcp -i $EXTERNAL_IF --dport 10011 -j ACCEPT
iptables -A INPUT -p tcp -i $EXTERNAL_IF --sport 10011 -j ACCEPT

Ten druhý server jsem přidával i do VLANy, to funguje viz:

eth0      Link encap:Ethernet  HWaddr 00:1d:09:0d:7c:11
          inet addr:10.25.0.40  Bcast:10.25.0.255  Mask:255.255.255.0
          inet6 addr: fe80::21d:9ff:fe0d:7c11/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:394637 errors:0 dropped:0 overruns:0 frame:0
          TX packets:43495 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:179490057 (179.4 MB)  TX bytes:3923433 (3.9 MB)

eth0.30   Link encap:Ethernet  HWaddr 00:1d:09:0d:7c:11
          inet addr:10.30.0.12  Bcast:10.30.0.255  Mask:255.255.255.0
          inet6 addr: fe80::21d:9ff:fe0d:7c11/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:330067 errors:0 dropped:10 overruns:0 frame:0
          TX packets:43178 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:167594669 (167.5 MB)  TX bytes:3518771 (3.5 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:313 errors:0 dropped:0 overruns:0 frame:0
          TX packets:313 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:83160 (83.1 KB)  TX bytes:83160 (83.1 KB)

Problém je ten, že port forwarding nefunguje, ani na síti 10.25.0.0 ani 10.30.0.0, lokálně se dostanu, ale jakmile jdu z veřejné IP, tak mě to nepustí, na Routeru jsem do FW pravidel přidal UDP a TCP porty a směruji je na server s linuxem kde běží default GW, ta by to měla směřovat přímo na server, kdy mi běží služba.

Nevíte někdo?

Děkuji moc.

[ntz_reloaded]

ukaz na cely ten firewall .... eg vypis z `iptables-save', nicmene:

1) udp neni RELATED iirc
2) delat ve FORWARDU -m state mi pripada nesmysl, mozna je to zpusobeno tim
3) pro tcp ma smysl mit RELATED,ESTABLISHED a rozlisovat na NEW (a hlavne pouzivat --ctstate a ne state) eg:

Kód: [Vybrat]

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
4) --to a.b.c.d:x != --to-destination a.b.c.d:x

5) nepouzivej ten zlozvyk s promenyma ve skriptech s VELKEJMA_PISMENAMA, velkejma pismenama jsou normalne promenne prostredi

[ntz_reloaded]

1) uzavirej vypisy do tagu code - ten # v editoru

2) dej nam vystup z iptables-save jak jsem chtel

3) -m conntrack --ctstate urcite funguje

[ntz_reloaded]

navic je ten celej vypis uplne nesmyslnej ..

[iRonix]

Kód: [Vybrat]

# Generated by iptables-save v1.4.12 on Tue Jun 30 17:38:46 2015
*mangle
:PREROUTING ACCEPT [42853755:35842411264]
:INPUT ACCEPT [11465395:11548588783]
:FORWARD ACCEPT [31388354:24293821929]
:OUTPUT ACCEPT [6608772:1336363561]
:POSTROUTING ACCEPT [37996852:25629665722]
COMMIT
# Completed on Tue Jun 30 17:38:46 2015
# Generated by iptables-save v1.4.12 on Tue Jun 30 17:38:46 2015
*nat
:PREROUTING ACCEPT [177:15311]
:INPUT ACCEPT [10:1845]
:OUTPUT ACCEPT [4:252]
:POSTROUTING ACCEPT [178:10036]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8081 -j DNAT --to-destination 10.30.0.43:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5060 -j DNAT --to-destination 10.30.0.35:5060
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5061 -j DNAT --to-destination 10.30.0.35:5061
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5062 -j DNAT --to-destination 10.30.0.35:5062
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5063 -j DNAT --to-destination 10.30.0.35:5063
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5443 -j DNAT --to-destination 10.30.0.35:443
-A PREROUTING -i eth0 -p udp -m udp --dport 3478 -j DNAT --to-destination 10.30.0.35:3478
-A PREROUTING -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.30.0.43:21
-A PREROUTING -i eth0 -p tcp -m tcp --dport 4333 -j DNAT --to-destination 10.30.0.42:4333
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5555 -j DNAT --to-destination 10.30.0.49:5555
-A PREROUTING -i eth0 -p tcp -m tcp --dport 4433 -j DNAT --to-destination 10.30.0.43:443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2383 -j DNAT --to-destination 10.30.0.43:2383
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8081 -j DNAT --to-destination 10.30.0.43:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 4443 -j DNAT --to-destination 10.30.0.50:443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 4444 -j DNAT --to-destination 10.30.0.10:443
-A PREROUTING -i tun0 -p tcp -m tcp --dport 4444 -j DNAT --to-destination 10.30.0.10:443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5544 -j DNAT --to-destination 10.30.0.49:5544
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.30.0.30:25
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8888 -j DNAT --to-destination 10.35.0.25:8888
-A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.30.0.30:110
-A PREROUTING -i eth0 -p tcp -m tcp --dport 143 -j DNAT --to-destination 10.30.0.30:143
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.30.0.30:443
-A PREROUTING -i eth3 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.30.0.44:8080
-A PREROUTING -i eth0 -p udp -m udp --dport 9987 -j DNAT --to-destination 10.25.0.40:9987
-A POSTROUTING -s 172.16.21.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Jun 30 17:38:46 2015
# Generated by iptables-save v1.4.12 on Tue Jun 30 17:38:46 2015
*filter
:INPUT DROP [1:229]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [853:187692]
:syn_flood - [0:0]
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5444 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 3478 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5060 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5061 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5062 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5063 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 9987 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 9987 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 30033 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 30033 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 10011 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 10011 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 4443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 4333 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 4433 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 2383 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5544 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5555 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8888 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1195 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A INPUT -i eth3 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -i tun1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A FORWARD -d 10.30.0.43/32 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -o eth1 -j ACCEPT
-A FORWARD -i tun0 -o eth2 -j ACCEPT
-A FORWARD -i tun0 -o eth3 -j ACCEPT
-A FORWARD -i tun1 -o eth1 -j ACCEPT
-A FORWARD -i eth0 -o tun1 -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth2 -j ACCEPT
-A FORWARD -i eth3 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth3 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.35/32 -i eth0 -p tcp -m tcp --dport 5060 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.35/32 -i eth0 -p tcp -m tcp --dport 5061 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.35/32 -i eth0 -p tcp -m tcp --dport 5062 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.35/32 -i eth0 -p tcp -m tcp --dport 5063 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.35/32 -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.35/32 -i eth0 -p tcp -m tcp --dport 3478 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.43/32 -i eth0 -p tcp -m tcp --dport 21 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.42/32 -i eth0 -p tcp -m tcp --dport 4333 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.49/32 -i eth0 -p tcp -m tcp --dport 5555 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.43/32 -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.43/32 -i eth0 -p tcp -m tcp --dport 2383 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.43/32 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.50/32 -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.10/32 -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.10/32 -i tun0 -p tcp -m tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.49/32 -i eth0 -p tcp -m tcp --dport 5544 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.30/32 -i eth0 -p tcp -m tcp --dport 25 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.35.0.25/32 -i eth0 -p tcp -m tcp --dport 8888 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.30/32 -i eth0 -p tcp -m tcp --dport 110 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.30/32 -i eth0 -p tcp -m tcp --dport 143 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.30/32 -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.44/32 -i eth3 -p tcp -m tcp --dport 8080 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A syn_flood -m limit --limit 1/sec -j RETURN
-A syn_flood -j DROP
COMMIT
# Completed on Tue Jun 30 17:38:46 2015


[iRonix]

Když spustím TS3 klienta, zadám IP adresu, tak mě to nenasměruje na TS3 server, jednoduše to napíše error.

[ntz_reloaded]

co je tedy presne z problem ?

okay, ted jsem se podival na ten firewall podrobneji ... podle me je spatne, je tam naprosto spatne pouzite to -m state --state (opakuji, ma byt -m conntrack --ctstate) .. ty zacinas tim, ze povolujes urcite veci **bez state a potom to tam nesmyslne najednou vpalis doprostred ... pokud pouzivas ten state, tak to musis mit vsude, eg u me:

Kód: [Vybrat]

*nat
:PREROUTING ACCEPT [12801:1823033]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [52046:3255652]
:POSTROUTING ACCEPT [52046:3255652]
-A PREROUTING -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.255.10:3389
-A POSTROUTING -s 192.168.255.0/24 -j MASQUERADE


*filter
:INPUT DROP [1924:160573]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1493954:141612644]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0,wlan0 -p tcp -m tcp --dport 445 -j DROP
-A INPUT -i eth0,wlan0 -p tcp -m tcp --dport 139 -j DROP
-A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 139 -j ACCEPT
-A FORWARD -s 192.168.255.0/24 -j ACCEPT
-A FORWARD -d 192.168.255.0/24 -j ACCEPT
^^ muj jednoduchej firewall na workstejsne (a vybiram to jen od hvezdicky po konec chainu, aby se ti to lepe cetlo a lepe chapalo):

- dovolim celej localhost a vsechna icmp
- dovolim RELATED,ESTABLISHED
- tady zahazuju natvrdo vse co chci zahodit at se mi to neplete pred ostatnima pravidlama (eg zahazuju na inputu vse co jde pres fyzicka rozhrani pac mi normalne bezi samba na 0.0.0.0
- tady si povolim vse bez state kvuli PREROUTINGU (ale podle me to neni potreba - tady mam asi nejakej zlozvyk) na kterej mam forwadovano 3389
- a potom uz ***VSE musis prohanet tim --state jinak to nema smysl

[iRonix]

To jsem z toho jelen ...

Kód: [Vybrat]

# Generated by iptables-save v1.4.12 on Tue Jun 30 18:26:18 2015
*mangle
:PREROUTING ACCEPT [42964970:35870010450]
:INPUT ACCEPT [11499645:11554738767]
:FORWARD ACCEPT [31465319:24315271131]
:OUTPUT ACCEPT [6640459:1346537358]
:POSTROUTING ACCEPT [38105500:25661288359]
COMMIT
# Completed on Tue Jun 30 18:26:18 2015
# Generated by iptables-save v1.4.12 on Tue Jun 30 18:26:18 2015
*nat
:PREROUTING ACCEPT [307:23464]
:INPUT ACCEPT [15:2359]
:OUTPUT ACCEPT [9:574]
:POSTROUTING ACCEPT [150:11256]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8081 -j DNAT --to-destination 10.30.0.43:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5060 -j DNAT --to-destination 10.30.0.35:5060
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5061 -j DNAT --to-destination 10.30.0.35:5061
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5062 -j DNAT --to-destination 10.30.0.35:5062
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5063 -j DNAT --to-destination 10.30.0.35:5063
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5443 -j DNAT --to-destination 10.30.0.35:443
-A PREROUTING -i eth0 -p udp -m udp --dport 3478 -j DNAT --to-destination 10.30.0.35:3478
-A PREROUTING -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.30.0.43:21
-A PREROUTING -i eth0 -p tcp -m tcp --dport 4333 -j DNAT --to-destination 10.30.0.42:4333
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5555 -j DNAT --to-destination 10.30.0.49:5555
-A PREROUTING -i eth0 -p tcp -m tcp --dport 4433 -j DNAT --to-destination 10.30.0.43:443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2383 -j DNAT --to-destination 10.30.0.43:2383
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8081 -j DNAT --to-destination 10.30.0.43:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 4443 -j DNAT --to-destination 10.30.0.50:443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 4444 -j DNAT --to-destination 10.30.0.10:443
-A PREROUTING -i tun0 -p tcp -m tcp --dport 4444 -j DNAT --to-destination 10.30.0.10:443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5544 -j DNAT --to-destination 10.30.0.49:5544
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.30.0.30:25
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8888 -j DNAT --to-destination 10.35.0.25:8888
-A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.30.0.30:110
-A PREROUTING -i eth0 -p tcp -m tcp --dport 143 -j DNAT --to-destination 10.30.0.30:143
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.30.0.30:443
-A PREROUTING -i eth3 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.30.0.44:8080
-A PREROUTING -i eth0 -p udp -m udp --dport 9987 -j DNAT --to-destination 10.25.0.40:9987
-A POSTROUTING -s 172.16.21.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Jun 30 18:26:18 2015
# Generated by iptables-save v1.4.12 on Tue Jun 30 18:26:18 2015
*filter
:INPUT DROP [1:229]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3549:2060063]
:syn_flood - [0:0]
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5444 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 3478 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5060 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5061 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5062 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5063 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 9987 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 9987 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 30033 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 30033 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 10011 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 10011 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 4443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 4333 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 4433 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 2383 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5544 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5555 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8888 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1195 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A INPUT -i eth3 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -i tun1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A FORWARD -d 10.30.0.43/32 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -o eth1 -j ACCEPT
-A FORWARD -i tun0 -o eth2 -j ACCEPT
-A FORWARD -i tun0 -o eth3 -j ACCEPT
-A FORWARD -i tun1 -o eth1 -j ACCEPT
-A FORWARD -i eth0 -o tun1 -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth2 -j ACCEPT
-A FORWARD -i eth3 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth3 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.35/32 -i eth0 -p tcp -m tcp --dport 5060 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.35/32 -i eth0 -p tcp -m tcp --dport 5061 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.35/32 -i eth0 -p tcp -m tcp --dport 5062 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.35/32 -i eth0 -p tcp -m tcp --dport 5063 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.35/32 -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.35/32 -i eth0 -p tcp -m tcp --dport 3478 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.43/32 -i eth0 -p tcp -m tcp --dport 21 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.42/32 -i eth0 -p tcp -m tcp --dport 4333 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.49/32 -i eth0 -p tcp -m tcp --dport 5555 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.43/32 -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.43/32 -i eth0 -p tcp -m tcp --dport 2383 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.43/32 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.50/32 -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.10/32 -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.10/32 -i tun0 -p tcp -m tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.49/32 -i eth0 -p tcp -m tcp --dport 5544 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.30/32 -i eth0 -p tcp -m tcp --dport 25 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.35.0.25/32 -i eth0 -p tcp -m tcp --dport 8888 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.30/32 -i eth0 -p tcp -m tcp --dport 110 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.30/32 -i eth0 -p tcp -m tcp --dport 143 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.30/32 -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.30.0.44/32 -i eth3 -p tcp -m tcp --dport 8080 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.25.0.40/32 -i eth0 -p udp -m udp --dport 9987 -m conntrack --ctstate NEW -j ACCEPT
-A syn_flood -m limit --limit 1/sec -j RETURN
-A syn_flood -j DROP
COMMIT
# Completed on Tue Jun 30 18:26:18 2015


[ntz_reloaded]

no a co je tada za otazku ?

[iRonix]

Proč mi to z veřejné IP nepřesměruje na server, kde běží služba.

[ntz_reloaded]

Odkud a kam a jaky pravidlo ?

[ntz_reloaded]

Odkud a kam a jaky pravidlo ?

ale ono je to uplne jedno, protoze ten tvuj firewall je uplne zmatenej. Podivej se prosim jeste jednou na moje pravidla a na tu logiku, jak jsou poskladana

[ntz_reloaded]

Jeste se zeptam na jednu vec .... ty ten firewall jako generujes nejakym skriptem ?

[iRonix]

Jojo, mám firewall.sh a ten pouštím

[ntz_reloaded]

Je to na tom videt, protoze clovek, co je schopen udelat ta pravidla by je nikdy neposkladal takovym zpusobem

[iRonix]

Ten server jsem zdědil od týpka co netušil a nějak to nabouchal, chtěl jsem to předělat, teď tam budu místo toho dávat mikrotik a rozjedu to celé na tom, vlastně, celkově nová síť + servery.

Ale díky za pomoc.