Freeing external access to a particular port through Iptables

Viewed 2,747 times

-2

I currently have two network cards on my Ubuntu 16.04 server, configured as follows in the interfaces file:

auto lo eno1 enp2s0
iface lo inet loopback

# External network, towards the Internet antenna
iface eno1 inet static
address 192.168.0.100
netmask 255.255.255.0
gateway 192.168.0.1
network 192.168.0.0
broadcast 192.168.0.255
dns-nameservers 8.8.8.8

# Internal network
iface enp2s0 inet static
address 192.168.20.1
netmask 255.255.255.0
network 192.168.20.0
broadcast 192.168.20.255

I need to create a firewall rule that will send packets to IP ...100 on port 6515, coming from a computer on my internal network (.20.239).

That is to say:

192.168.20.239:6515 ----> 192.168.20.1:6515 (IP Server) ----> 192.168.0.100:6515 (IP Antenna)

Could someone help me?

I was testing the script below; however, with it I was only able to direct my internet connection to the internal network:

#!/bin/bash

### BEGIN INIT INFO
# Provides:          compartilhar
# Required-Start:    $local_fs $remote_fs $network $syslog
# Required-Stop:     $local_fs $remote_fs $network $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start compartilhar at boot time
# Description:       Enable service provided by compartilhar.
### END INIT INFO

# Internet interface:
ifinternet="eno1"

# Local network interface
iflocal="enp2s0"

iniciar(){
modprobe iptable_nat
# Enable IPv4 routing between the two interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
# Hide the internal network behind the address of $ifinternet
iptables -t nat -A POSTROUTING -o $ifinternet -j MASQUERADE
# Do not answer ping
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# Reverse-path filtering: "default" only covers interfaces created later,
# "all" covers eno1 and enp2s0, which already exist
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -i lo -j ACCEPT
# Everything coming from the internal network is accepted
iptables -A INPUT -i $iflocal -j ACCEPT
# Services reachable from the $ifinternet side
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 631 -j ACCEPT
iptables -A INPUT -p tcp --dport 6515 -j ACCEPT
# Any other new TCP connection to this host is dropped (UDP is not filtered)
iptables -A INPUT -p tcp --syn -j DROP
}

parar(){
iptables -F
iptables -F -t nat
}

case "$1" in
"start") iniciar ;;
"stop") parar ;;
"restart") parar; iniciar ;;
*) echo "Usage: $0 {start|stop|restart}"
esac

Here is the topology:

[image: network topology diagram]

1 answer

1


Good afternoon.

There are two rules you will need: one for FORWARD and the other for NAT.

The NAT rule would look like this:

iptables -t nat -A PREROUTING -p tcp -i enp2s0 --dport 6515 -j DNAT --to-destination 192.168.0.100:6515

The rule for forward:

iptables -A FORWARD -p tcp -d 192.168.0.0/24 --dport 6515 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

For forwarding to work, you need to enable it with the following command:

echo "1" > /proc/sys/net/ipv4/ip_forward

Edit:

Based on what we have found out so far, this is the structure I imagine.

Note: I am assuming that your 192.168.20.0/24 network is behind NAT, that is, below 192.168.0.100, and that nothing has a route to it.

Proposed solution

Since you want access from the outside to the inside, you will need access to the company's gateways. Each gateway will need a redirect rule (redirect) as well as an access rule (input).

My tip is that you try this redirect first on the 192.168.0.0/24 network. To do this, you only need to add these rules on your Ubuntu box (192.168.0.100). The machines on that network must send their requests to IP 192.168.0.100, destined for port 6515 (or another port of your choice). The box in turn will redirect them to your Hardkey on port 6515.

Let’s go to the rules.

The INPUT rule on 192.168.0.100 you already have in your script; I have just added the interface:

iptables -A INPUT -i eno1 -p tcp --dport 6515 -j ACCEPT

And the redirect rule (here, with --dport 6515, you can choose another port if necessary):

iptables -t nat -A PREROUTING -p tcp -d 192.168.0.100 --dport 6515 -j DNAT --to 192.168.20.239:6515

  • In this case, is only sending being allowed? To enable both sending and receiving on this port, what would have to be added?

  • I believe I understood the question differently and did not answer you accordingly. Port 6515 is on a device on the 192.168.0.0/24 network (e.g. 192.168.0.50), correct? Can IP 192.168.20.239 reach that destination?

  • Actually, on the local network computer (192.168.20.0/24 -> 20.239) I have a USB Hardkey that uses port 6515. On my local network I can access it from other computers, but from the server I can't. I need to access it from beyond the server as well. I need this so that my internet antenna can expose it on my external IP, to reach the Hardkey from outside the company.

  • I edited according to this last post. I believe I can help you now.

  • Thanks for your help, but I still haven't been able to get it communicating. In the topology you treated the firewall as something separate; however, the firewall is inside the Ubuntu server. I added an image of my topology.

  • 1

    Your rules are OK. I believe all that remains is to allow forwarding so that the two interfaces can communicate. Add this line: iptables -A FORWARD --in-interface enp2s0 -j ACCEPT
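Putting the answer and the comments together: the pieces are the DNAT in PREROUTING, a FORWARD rule for the forwarded port, ip_forward enabled, and the MASQUERADE the question's script already had. The script below assembles them for the topology in the question (eno1 = 192.168.0.100 towards the antenna, enp2s0 = 192.168.20.1 towards the LAN, Hardkey on 192.168.20.239:6515). It is an added example, not code from the original question or answer. Assumed, since the page does not say so: the antenna forwards its public port 6515 to 192.168.0.100:6515, and the LAN hosts use 192.168.20.1 as their default gateway, so replies from the Hardkey come back through this box and conntrack can undo the DNAT. Unlike the question's script it sets the FORWARD policy to DROP, so only the forwarded port and LAN-originated traffic cross between the interfaces; `stop` therefore has to reset the policies, not just flush.

```shell
#!/bin/bash
# Added example (not from the original question or answer): iptables port
# forward of TCP/6515 from the antenna side (eno1) to the USB Hardkey on the
# LAN (enp2s0), with a default-deny FORWARD chain.
# Assumptions not stated on the page: the antenna forwards public:6515 to
# 192.168.0.100:6515, and LAN hosts route via 192.168.20.1.

IFINTERNET="${IFINTERNET:-eno1}"
IFLOCAL="${IFLOCAL:-enp2s0}"
LAN="${LAN:-192.168.20.0/24}"
HARDKEY="${HARDKEY:-192.168.20.239}"
HARDKEY_PORT="${HARDKEY_PORT:-6515}"
DRY_RUN="${DRY_RUN:-0}"    # DRY_RUN=1: print the commands instead of applying them

# Wrapper so the whole ruleset can be reviewed (DRY_RUN=1) before it is applied.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

sysctl_w() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "sysctl -w $1"
    else
        sysctl -q -w "$1"
    fi
}

start() {
    sysctl_w net.ipv4.ip_forward=1
    # "all" applies to eno1/enp2s0 now; "default" alone only covers interfaces created later
    sysctl_w net.ipv4.conf.all.rp_filter=1

    ipt -F
    ipt -F -t nat
    # Default-deny for traffic to this box (INPUT) and through it (FORWARD).
    # The question's script left FORWARD at ACCEPT, which forwards anything the
    # antenna side can route to 192.168.20.0/24, not just port 6515.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # INPUT: traffic addressed to the server itself
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$IFLOCAL" -s "$LAN" -j ACCEPT
    ipt -A INPUT -i "$IFINTERNET" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # No INPUT rule for $HARDKEY_PORT: the DNAT below rewrites those packets
    # before the routing decision, so they traverse FORWARD, never INPUT.

    # NAT: port forward from the antenna side to the Hardkey, masquerade LAN -> internet
    ipt -t nat -A PREROUTING -i "$IFINTERNET" -p tcp --dport "$HARDKEY_PORT" \
        -j DNAT --to-destination "$HARDKEY:$HARDKEY_PORT"
    ipt -t nat -A POSTROUTING -o "$IFINTERNET" -s "$LAN" -j MASQUERADE

    # FORWARD: replies in both directions, LAN -> internet, and inbound only
    # the forwarded port (the piece the last comment was adding)
    ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$IFLOCAL" -o "$IFINTERNET" -s "$LAN" -j ACCEPT
    ipt -A FORWARD -i "$IFINTERNET" -o "$IFLOCAL" -p tcp -d "$HARDKEY" \
        --dport "$HARDKEY_PORT" -m conntrack --ctstate NEW -j ACCEPT
}

# Flushing alone is not enough once the policies are DROP: reset them too,
# otherwise "stop" locks you out of the box.
stop() {
    ipt -P INPUT ACCEPT
    ipt -P FORWARD ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -F
    ipt -F -t nat
}

case "${1:-}" in
    start)   start ;;
    stop)    stop ;;
    restart) stop; start ;;
    "")      : ;;    # no argument: only define the functions (e.g. when sourced)
    *)       echo "Usage: $0 {start|stop|restart}" >&2 ;;
esac
```

Run `DRY_RUN=1 ./fw.sh start` first to read the exact rules, then `./fw.sh start` as root. To confirm packets actually take the intended path, connect from the antenna side and watch the counters with `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v`: the DNAT rule and the `-d 192.168.20.239 --dport 6515` FORWARD rule should both count packets. If the DNAT counter rises but the FORWARD counter does not, the Hardkey host is not sending its replies back via 192.168.20.1, which is the assumption this script depends on.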
