iptables проброс портов
Форум — Admin
Зимой делал - работало, сейчас раскомментил строчки - работать не захотело. Пробрасываю порт для RDP и для доступа к файлам, не работает ни один. 192.168.1.1 - внутренний ip шлюза, 192.168.1.2 - внутренний ip сервера
rio@pooh:/etc$ sudo iptables-save
# Generated by iptables-save v1.4.12 on Wed Jun 26 09:22:54 2013
*mangle
:PREROUTING ACCEPT [2015:522008]
:INPUT ACCEPT [1487:368824]
:FORWARD ACCEPT [528:153184]
:OUTPUT ACCEPT [1384:3060563]
:POSTROUTING ACCEPT [1911:3213670]
COMMIT
# Completed on Wed Jun 26 09:22:54 2013
# Generated by iptables-save v1.4.12 on Wed Jun 26 09:22:54 2013
*filter
:INPUT DROP [47:2991]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i 192.168.1.201 -j DROP
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.1.2/32 -i 192.168.1.1 -j ACCEPT
-A FORWARD -d 192.168.1.2/32 -i 192.168.1.1 -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
COMMIT
# Completed on Wed Jun 26 09:22:54 2013
# Generated by iptables-save v1.4.12 on Wed Jun 26 09:22:54 2013
*nat
:PREROUTING ACCEPT [171:27290]
:INPUT ACCEPT [14:740]
:OUTPUT ACCEPT [15:920]
:POSTROUTING ACCEPT [15:920]
-A PREROUTING -d внешний_ip/32 -p tcp -m tcp --dport 445 -j DNAT --to-destination 192.168.1.2:445
-A PREROUTING -d внешний_ip/32 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.2:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth1 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 3128
-A OUTPUT -d внешний_ip/32 -p tcp -m tcp --dport 445 -j DNAT --to-destination 192.168.1.2:445
-A OUTPUT -d внешний_ip/32 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.2:3389
-A POSTROUTING -d 192.168.1.2/32 -p tcp -m tcp --dport 445 -j SNAT --to-source 192.168.1.1
-A POSTROUTING -d 192.168.1.2/32 -p tcp -m tcp --dport 3389 -j SNAT --to-source 192.168.1.1
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Jun 26 09:22:54 2013