AbcLinuxu:/ Poradna / Linuxová poradna / Presmerovani portu ve Fireholu

Štítky: CentOS, databáze, distribuce, DNS, e-mail, Fedora, firehol, firewally, FTP, ICQ, IMAP, Instant messaging, Internet, iptables, Jabber, manuál, MySQL, NAT, router, rsync, server, sítě, SMTP, SSH, traffic, Ubuntu

Dotaz: Presmerovani portu ve Fireholu

15.4.2008 10:54 xzavrel | skóre: 8
Presmerovani portu ve Fireholu

Přečteno: 1048×

Odpovědět | Admin

Ahoj, mam Firehol na routeru. Je tam nainstalovane serverove ubuntu, drive jsem pouzival CentOs a firewall s pravidly nastavoval primo v iptables. Ve fireholu ale nejsem schopen nastavit presmerovani ssh na nestandardnim portu na pocitac ve vnitrni siti a manual me nepomaha :(

Nadefinuju novou sluzbu ssht:

server_ssht_ports="tcp/2222"
client_ssht_ports="default"

Pak natuju dovnitr site

nat to-destination 192.168.0.158 inface eth1 proto "tcp" dport 22

a naseledne route

route   ssht    accept  dst 192.168.0.158

Bude to tak, ze jsem neco nejspis nepochopil. Kdyz presmerovavam nejaky port na ten stejny port na danem pocitaci, tak to jede. viz oc4j.

Diky za kazdou radu

(Pro kverulanty, duvodem prechodu bylo sjednocovani domaci site na pouhe 2 distribuce XXXubuntu a Fedora. I pres vetsi vhodnost jinych pripadnych distribuci chci pouzivat prave tuto).

# $Id: client-all.conf,v 1.2 2002/12/31 15:44:34 ktsaou Exp $
#
# This configuration file will allow all requests originating from the
# local machine to be send through all network interfaces.
#
# No requests are allowed to come from the network. The host will be
# completely stealthed! It will not respond to anything, and it will
# not be pingable, although it will be able to originate anything
# (even pings to other hosts).
#

version 5

# Accept all client traffic on any interface
# interface any world
# client all accept

DEFAULT_CLIENT_PORTS="1024:65535"

server_icq_ports="tcp/5190"
client_icq_ports="default"

server_dcpp_ports="tcp/1412"
server_dcpp_ports="udp/1413"
client_dcpp_ports="default"

server_oc4j_ports="tcp/8888"
client_oc4j_ports="default"

server_ssht_ports="tcp/2222"
client_ssht_ports="default"

nat to-destination 192.168.0.158 inface eth1 proto "tcp" dport 22

interface eth0 internal
        protection      strong  10/sec  10
        policy          drop
        server  ssh     accept # povolime ssh pripojeni k serveru z vnitrni site
        server  all     accept
        client  all     accept

interface eth1 external src not "192.168.0.254"
        protection      strong  10/sec  10
        policy  drop
        server  ssh     accept # povolime ssh pripojeni k serveru z vnejsi site
        server  mysql   accept
        server  http    accept
        server  dcpp    accept
#       server  oc4j    accept
        server  ssht    accept
        client  dcpp    accept
        client  all     accept

router  incoming inface eth1 outface eth0 # ktere sluzby uvnitr site budou pristupne zvenku, viz.
        masquerade      reverse
        client  all     accept
        server  oc4j    accept
        server  ssht    accept  dst 192.168.0.158
#        route  oc4j    accept  dst 192.168.0.3
        route   ssht    accept  dst 192.168.0.158

router  outgoing inface eth0 outface eth1 # ktere sluzby v internetu budou pristupne zevnitr site
        masquerade # chceme provadet preklad adres
        route   dns     accept
        route   smtp    accept
        route   pop3    accept
        route   pop3s   accept
        route   imap    accept
        route   imaps   accept
        route   http    accept
        route   https   accept
        route   ftp     accept
        route   rdp     accept
        route   icq     accept
        route   jabber  accept
        route   rsync   accept
        route   dcpp    accept
#       route   oc4j    accept
        route   ssht    accept
        route   all     accept

Nástroje: Začni sledovat (2) ?

Odpovědi

15.4.2008 14:36 msk | skóre: 27 | blog: msk
Rozbalit Rozbalit vše Re: Presmerovani portu ve Fireholu

Nadefinuju novou sluzbu ssht:
server_ssht_ports="tcp/2222"
client_ssht_ports="default"
Pak natuju dovnitr site
nat to-destination 192.168.0.158 inface eth1 proto "tcp" dport 22
a naseledne route
route   ssht    accept  dst 192.168.0.158
server ssht accept dst 192.168.0.158

K comu je tam to dst?

Ja osobne to mam takto:

server_ktorrentweb_ports="tcp/4444"
client_ktorrentweb_ports="any"

interface XXX WORLD
  nat to-destination _ip_za_natom_ proto tcp dport 4444 dst _verejna_ipcka_

  client all accept
  server ktorrentweb accept

... a okolo toho este kadejake NAT-y.

15.4.2008 14:38 msk | skóre: 27 | blog: msk
Rozbalit Rozbalit vše Re: Presmerovani portu ve Fireholu

Takze v skratke, skus vyhodit to dst u "server ssht accept" a vyhod "route ssht ..."

16.4.2008 09:38 xzavrel | skóre: 8
Rozbalit Rozbalit vše Re: Presmerovani portu ve Fireholu

No, muj nejvetsi problem je, ze vlastne nevim, jak vzit pakety na portu 2222 a presmerovat je na jinou masinu na port 22. redirect-to podle toho jak to chapu ja funguje jen pro localhost. U to-destination zase nevim jak nastavit port :(

nat to-destination 1.1.1.1 proto tcp dport 25 dst 2.2.2.2 nat redirect-to 8080 proto tcp dport 80

16.4.2008 10:23 msk | skóre: 27 | blog: msk
Rozbalit Rozbalit vše Re: Presmerovani portu ve Fireholu

nat to-destination !vnutorna_ip:port! proto tcp dport !verejny_port! dst !verejna_ip!

16.4.2008 11:12 xzavrel | skóre: 8
Rozbalit Rozbalit vše Re: Presmerovani portu ve Fireholu

ach jo, tohle jsem taky zkousel, ale bez uspechu :( Musim delat porad neco spatne, ale vubec nevim co. Pritom, smerovani na stejny port z jednoho stroje na druhy me jelo normalne (port 8888). Konci to vzdycky takhle

ssh xxxxx.xxxxx.cz -p2222
ssh: connect to host xxxxx.xxxxx.cz port 2222: Connection timed out

Muj firehol.conf

version 5

# Accept all client traffic on any interface
# interface any world
# client all accept

DEFAULT_CLIENT_PORTS="1024:65535"

server_icq_ports="tcp/5190"
client_icq_ports="default"

server_dcpp_ports="tcp/1412"
server_dcpp_ports="udp/1413"
client_dcpp_ports="default"

server_ssht_ports="tcp/2222"
client_ssht_ports="any"

nat to-destination 192.168.0.158:22 inface eth1 proto "tcp" dport 2222

interface eth0 internal
        protection      strong  10/sec  10
        policy          drop
        server  ssh     accept # povolime ssh pripojeni k serveru z vnitrni site
        server  all     accept
        client  all     accept

interface eth1 external src not "192.168.0.254"
        protection      strong  10/sec  10
        policy  drop
        server  ssh     accept # povolime ssh pripojeni k serveru z vnejsi site
        server  mysql   accept
        server  http    accept
        server  dcpp    accept
        server  ssht    accept
        client  dcpp    accept
        client  all     accept

router  outgoing inface eth0 outface eth1 # ktere sluzby v internetu budou pristupne zevnitr site
        masquerade # chceme provadet preklad adres
        route   dns     accept
        route   smtp    accept
        route   pop3    accept
        route   pop3s   accept
        route   imap    accept
        route   imaps   accept
        route   http    accept
        route   https   accept
        route   ftp     accept
        route   rdp     accept
        route   icq     accept
        route   jabber  accept
        route   rsync   accept
        route   dcpp    accept
#       route   ssht    accept
        route   all     accept

16.4.2008 11:24 msk | skóre: 27 | blog: msk
Rozbalit Rozbalit vše Re: Presmerovani portu ve Fireholu

ach jo, tohle jsem taky zkousel, ale bez uspechu
nat to-destination 192.168.0.158:22 inface eth1 proto "tcp" dport 2222

Ja som ale napisal:

nat to-destination !vnutorna_ip:port! proto tcp dport !verejny_port! dst !verejna_ip!

Cize:

nat to-destination 192.168.0.158:22 proto tcp dport 2222 dst ipcka_na_eth1

Ziadne dalsie route-to ani ine veci nepouzivam a funguje to.

18.4.2008 09:52 xzavrel | skóre: 8
Rozbalit Rozbalit vše Re: Presmerovani portu ve Fireholu

Toto bylo sice spravne

nat to-destination 192.168.0.158:22 proto tcp dport 2222 dst ipcka_na_eth1

ale je potreba mit jeste nadefinovany router pro presmerovani. Neco jako:

# Router for port-forwarded traffic coming from the Internet
router services inface ${if_internet} outface ${if_lan}
        protection full
        server all accept

Nevim, co bylo spatne na puvodnim:

#router incoming inface eth1 outface eth0 # ktere sluzby uvnitr site budou pristupne zvenku, viz.
#       masquerade      reverse
#       client  all     accept
#       server  oc4j    accept
#        route  oc4j    accept (tohle jsem zkousel mit zakomentovane i odkomentovane)

Jedine co me napada, ze tomu mohla vadit reverzni maskarada, ale proc potom jel forward na stejne porty a nesel jen na jine porty, to je me fakt zahadou.

Založit nové vlákno • Nahoru

Tiskni Sdílej: