I have a Debian router/firewall with a Windows machine behind it... On the router I generated a firewall script with this program: http://easyfwgen.morizot.net/gen
Before I put this script in place I had forwarded Remote Desktop (TCP / port 3389) to the internal network and connected to the Windows machine without any problem! Now, however, I can't... I changed quite a few things in the script and tested, but I can't connect, even though the following 2 lines are in it...
$IPT -A FORWARD -p tcp -i $INET_IFACE --destination-port 3389 --destination 192.168.0.2 -j ACCEPT
$IPT -t nat -A PREROUTING -p tcp -i $INET_IFACE --destination-port 3389 -j DNAT --to-destination 192.168.0.2:3389
I'm also pasting the output of "iptables --list":
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
bad_packets all -- anywhere anywhere
DROP all -- anywhere ALL-SYSTEMS.MCAST.NET
ACCEPT all -- 192.168.0.0/24 anywhere
ACCEPT all -- anywhere 192.168.0.255
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
tcp_inbound tcp -- anywhere anywhere
udp_inbound udp -- anywhere anywhere
icmp_packets icmp -- anywhere anywhere
DROP all -- anywhere anywhere PKTTYPE = broadcast
LOG all -- anywhere anywhere limit: avg 3/min burst 3 LOG level warning prefix `INPUT packet died: '

Chain FORWARD (policy DROP)
target prot opt source destination
bad_packets all -- anywhere anywhere
tcp_outbound tcp -- anywhere anywhere
udp_outbound udp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 192.168.0.2 tcp dpt:3389
LOG all -- anywhere anywhere limit: avg 3/min burst 3 LOG level warning prefix `FORWARD packet died: '

Chain OUTPUT (policy DROP)
target prot opt source destination
DROP icmp -- anywhere anywhere state INVALID
ACCEPT all -- localhost.localdomain anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- 192.168.0.1 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 3 LOG level warning prefix `OUTPUT packet died: '

Chain bad_packets (2 references)
target prot opt source destination
LOG all -- 192.168.0.0/24 anywhere LOG level warning prefix `Illegal source: '
DROP all -- 192.168.0.0/24 anywhere
LOG all -- anywhere anywhere state INVALID LOG level warning prefix `Invalid packet: '
DROP all -- anywhere anywhere state INVALID
bad_tcp_packets tcp -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain bad_tcp_packets (1 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere
LOG tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW LOG level warning prefix `New not syn: '
DROP tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE LOG level warning prefix `Stealth scan: '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG LOG level warning prefix `Stealth scan: '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG LOG level warning prefix `Stealth scan: '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG LOG level warning prefix `Stealth scan: '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
LOG tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST LOG level warning prefix `Stealth scan: '
DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN LOG level warning prefix `Stealth scan: '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
RETURN tcp -- anywhere anywhere

Chain icmp_packets (1 references)
target prot opt source destination
LOG icmp -f anywhere anywhere LOG level warning prefix `ICMP Fragment: '
DROP icmp -f anywhere anywhere
DROP icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
RETURN icmp -- anywhere anywhere

Chain tcp_inbound (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:auth reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp dpts:62000:64000
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpts:5000:5100
RETURN tcp -- anywhere anywhere

Chain tcp_outbound (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere

Chain udp_inbound (1 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpt:netbios-ns
DROP udp -- anywhere anywhere udp dpt:netbios-dgm
REJECT udp -- anywhere anywhere udp dpt:113 reject-with icmp-port-unreachable
ACCEPT udp -- anywhere anywhere udp dpt:ntp
ACCEPT udp -- anywhere anywhere udp dpt:domain
RETURN udp -- anywhere anywhere

Chain udp_outbound (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere
I hope someone manages to find the mistake... thanks in advance!
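The ruleset above logs every packet that falls off the end of INPUT, FORWARD or the bad_packets checks with a distinct prefix, and those prefixes tell you at which stage a DNAT'd connection is being lost: an "INPUT packet died" line whose DPT is 3389 and whose DST is still the router's public address means nat/PREROUTING never rewrote the packet, while a "FORWARD packet died" line with DST=192.168.0.2 means the DNAT worked and the FORWARD chain dropped it. The script below, an added example that is not part of the original post or of the easyfwgen generator, parses kernel log lines in the netfilter LOG format and sorts them into those cases. The interface names, public addresses and sample log lines are constructed for the demonstration; only the prefixes and the internal target 192.168.0.2 come from the post.

```python
import re
from collections import Counter

INTERNAL_TARGET = "192.168.0.2"   # DNAT destination used in the post
SERVICE_PORT = "3389"             # RDP

# A netfilter LOG line looks like:
#   "... kernel: <prefix>: IN=eth0 OUT=eth1 SRC=a.b.c.d DST=w.x.y.z ... PROTO=TCP SPT=n DPT=m ..."
LOG_RE = re.compile(r"kernel: (?:\[[\d.]+\] )?(?P<prefix>[A-Za-z ]+?): (?P<fields>IN=.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return (prefix, {field: value}) for a netfilter LOG line, or None for anything else."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    # Bare flags such as DF or SYN carry no '=' and are simply skipped.
    fields = dict(KV_RE.findall(m.group("fields")))
    return m.group("prefix"), fields


def triage_dnat_drops(lines, target=INTERNAL_TARGET, port=SERVICE_PORT):
    """Explain where logged packets for the forwarded service were dropped.

    Returns {"counts": {prefix: n}, "findings": [str, ...]}; only TCP packets
    whose destination port is the forwarded service are considered.
    """
    counts = Counter()
    findings = []
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        prefix, f = parsed
        if f.get("PROTO") != "TCP" or f.get("DPT") != port:
            continue
        counts[prefix] += 1
        where = f"{f.get('SRC')} -> {f.get('DST')}:{port} in={f.get('IN')} out={f.get('OUT') or '-'}"
        if prefix == "INPUT packet died":
            # The packet reached the router's own INPUT chain with the public DST intact,
            # so nat/PREROUTING never rewrote it: the DNAT rule did not match.
            findings.append(f"{where}: DNAT did not apply, check the nat PREROUTING rule and its -i interface")
        elif prefix == "FORWARD packet died":
            if f.get("DST") == target:
                # DNAT worked (DST is the internal host) but FORWARD fell through to its LOG rule.
                findings.append(f"{where}: DNAT worked, FORWARD dropped it, check rule order and -i match")
            else:
                findings.append(f"{where}: forwarded packet with unexpected destination")
        elif prefix in ("Invalid packet", "New not syn"):
            # Dropped inside bad_packets by the conntrack-state / TCP-flag checks, before FORWARD's ACCEPT.
            findings.append(f"{where}: dropped in bad_packets ({prefix})")
        else:
            findings.append(f"{where}: dropped with prefix '{prefix}'")
    return {"counts": dict(counts), "findings": findings}


# Constructed sample kernel log (203.0.113.0/24 and 198.51.100.10 are documentation addresses).
SAMPLE_LOG = """\
Jan  5 12:00:01 router kernel: INPUT packet died: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=1234 DF PROTO=TCP SPT=50001 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  5 12:00:03 router kernel: FORWARD packet died: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=1235 DF PROTO=TCP SPT=50002 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  5 12:00:05 router kernel: INPUT packet died: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=9 PROTO=TCP SPT=4444 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  5 12:00:07 router kernel: New not syn: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=114 ID=1236 DF PROTO=TCP SPT=50001 DPT=3389 WINDOW=8192 RES=0x00 ACK URGP=0
"""


def run_sample():
    """Triage the constructed sample; the DPT=23 line is ignored as unrelated to the service."""
    return triage_dnat_drops(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    result = run_sample()
    print(result["counts"])
    for finding in result["findings"]:
        print(finding)
```

On the router the real input would be the LOG lines from /var/log/kern.log or /var/log/syslog (for example `grep -E 'packet died|New not syn|Invalid packet' /var/log/kern.log`), captured while a connection attempt is made. Note also that `iptables --list` without `-v` and `-n` hides the interface matches and the packet counters, so `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v --line-numbers` are the quickest way to see whether the DNAT rule and the dpt:3389 ACCEPT rule are actually being hit, and whether an earlier rule or the bad_packets chain takes the packet first.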