Releasing external access to a given port through IPTables [closed]

-2

Currently I have two network cards on my Ubuntu 16.04 server, configured as follows in the interfaces file:

auto lo eno1 enp2s0
iface lo inet loopback

# External network going to the Internet antenna
iface eno1 inet static
address 192.168.0.100
netmask 255.255.255.0
gateway 192.168.0.1
network 192.168.0.0
broadcast 192.168.0.255
dns-nameservers 8.8.8.8

# Internal network
iface enp2s0 inet static
address 192.168.20.1
netmask 255.255.255.0
network 192.168.20.0
broadcast 192.168.20.255

I need to create a firewall rule which will send packets to IP ... 100 via port 6515, through a computer on my internal network (.20.239).

That is:

192.168.20.239:6515 ----- > 192.168.20.1:6515 (Server IP) ----- > 192.168.0.100:6515 (IP Antenna)

Can anyone help me?

I was testing the script below; however, I was only able to direct my internet to the internal network:

#!/bin/bash

### BEGIN INIT INFO
# Provides:          compartilhar
# Required-Start:    $local_fs $remote_fs $network $syslog
# Required-Stop:     $local_fs $remote_fs $network $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start compartilhar at boot time
# Description:       Enable service provided by compartilhar.
### END INIT INFO

# Internet interface:
ifinternet="eno1"

# Local network interface
iflocal="enp2s0"

iniciar(){
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o $ifinternet -j MASQUERADE
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $iflocal -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 631 -j ACCEPT
iptables -A INPUT -p tcp --dport 6515 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP
}

parar(){
iptables -F
iptables -F -t nat
}

case "$1" in
"start") iniciar ;;
"stop") parar ;;
"restart") parar; iniciar ;;
*) echo "Use os parâmetros start ou stop"
esac

Follow topology:

asked by anonymous 21.11.2017 / 20:01

1 answer

1

Good afternoon.

There are two rules you will need: one FORWARD and one NAT.

The NAT rule would look like this:

iptables -t nat -A PREROUTING -p tcp -i enp2s0 --dport 6515 -j DNAT --to-destination 192.168.0.100:6515

The rule for forward:

iptables -A FORWARD -p tcp -d 192.168.1.0/24 --dport 6515 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

To use forwarding you need to activate the module with the following command:

echo "1" > /proc/sys/net/ipv4/ip_forward

Edit:

According to the surveys, this is the structure I imagine.

Note: I'm assuming that your 192.168.20.0/24 network is behind NAT, that is, below 192.168.0.100, and has no access routes to it.

As you want to access from outside in, you will need access to the company's gateways. At each gateway you will need to add a redirect as well as an access.

My tip is that you try to make this redirect first on the 192.168.0.0/24 network. For this, you will need to add these rules only on your Ubuntu (192.168.0.100). The machines in this network should send their requests to IP 192.168.0.100, destined for port 6515 (or another of their own). This, in turn, will redirect to your HardKey under port 6515.

Let's get down to the rules.

The INPUT rule on 192.168.0.100 you already have in your script; I just added the interface:

iptables -A INPUT -i eno1 -p tcp --dport 6515 -j ACCEPT

And the rule for the redirect (--dport 6515 here; you can choose another port if necessary):

iptables -t nat -A PREROUTING -p tcp -d 192.168.0.100 --dport 6515 -j DNAT --to 192.168.20.239:6515
21.11.2017 / 20:14
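Putting the answer's pieces together, as an added example that is neither the asker's script nor the answerer's code: a shell function that emits (with RUN=echo, the default here) or applies the DNAT, FORWARD and masquerade rules for the path in the question, 192.168.20.239:6515 -> 192.168.20.1:6515 -> 192.168.0.100:6515. Interface names and addresses are those from the question; limiting the relay to the .239 client and setting a DROP policy on FORWARD are assumptions of this example, not something the answer specifies.

```bash
#!/bin/bash
# Added example (not the page's own script): relay TCP port 6515 from one
# internal host through the Ubuntu box to the antenna. Addresses and
# interfaces are taken from the question; RUN=echo prints the commands
# instead of applying them (set RUN="" and run as root to apply).
set -eu

ifinternet="eno1"        # external interface (toward the antenna)
iflocal="enp2s0"         # internal interface
server_local="192.168.20.1"
antenna="192.168.0.100"
port="6515"
client="192.168.20.239"  # assumed: only this internal host may use the relay
RUN="${RUN:-echo}"

forward_rules() {
    # The kernel must route between interfaces before FORWARD sees anything.
    $RUN sysctl -w net.ipv4.ip_forward=1
    # Rewrite the destination: traffic from the client that hits the server's
    # internal address on $port is sent on to the antenna, same port.
    $RUN iptables -t nat -A PREROUTING -i "$iflocal" -s "$client" -p tcp \
        -d "$server_local" --dport "$port" -j DNAT --to-destination "$antenna:$port"
    # Only the rewritten flow (and its replies) may cross FORWARD; everything
    # else between the two networks is dropped by policy.
    $RUN iptables -P FORWARD DROP
    $RUN iptables -A FORWARD -i "$iflocal" -o "$ifinternet" -s "$client" \
        -d "$antenna" -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    $RUN iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Source NAT on the way out, so the antenna replies to the server rather
    # than to a 192.168.20.x address it has no route for.
    $RUN iptables -t nat -A POSTROUTING -o "$ifinternet" -s "$client" \
        -d "$antenna" -p tcp --dport "$port" -j MASQUERADE
}

forward_rules
```

Run it once with the default RUN=echo and compare the printed rules against `iptables -t nat -L PREROUTING -n` and `iptables -L FORWARD -n` after applying, so that nothing beyond the one intended flow is being forwarded.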