Hello colleagues,

I am having difficulty with an iptables configuration.

Network topology

           Internet
              |
              |
          ADSL modem ( IP 192.168.1.1 )
              |
              |
         Linux server  ( eth0=192.168.1.2, eth1=192.168.2.2 )
              |
              |
              |
     +--------+----------------------+
     |                               |
    CCTV ( 192.168.2.100 )        other clients (192.168.2...)


Distro used: CentOS 5.3 final

Goal:
- Configure the CCTV so it can be accessed from the internet, using a domain name
- Configure the CCTV so it can be accessed from the local network, using a domain name

What has been done
- The CCTV can already be accessed from the internet using the domain name
contoh.com:10001
- On the ADSL modem, port forwarding is already set for port 10001 to IP
192.168.1.2, which then forwards it on to IP 192.168.2.100
- On the Linux server I have installed dnsmasq, and from local clients I can
already ping and access contoh.com

What I still have not found a solution for
- From the local network (192.168.2.0) I still cannot access the CCTV
(192.168.2.100) using the domain name contoh.com:10001; directly by the
local IP 192.168.2.100:10001 it can be accessed

I have also tried adding rules in PREROUTING and POSTROUTING of the nat
table, but still cannot access it.

So what I probably want is something like this
- If a packet from network 192.168.2.0 comes in through eth1 with
destination port 10001, forward it to 192.168.2.100:10001

My initial iptables configuration was generated with Easy Firewall
Generator, and I modified it as needed.


thanks,
Bambang


Output of iptables-save
---------------------------------------------------------------------------
# Generated by iptables-save v1.3.5 on Mon Apr 20 10:11:20 2009
*filter
:INPUT DROP [15:2897]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:bad_packets - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_inbound - [0:0]
:tcp_outbound - [0:0]
:udp_inbound - [0:0]
:udp_outbound - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j bad_packets
-A INPUT -d 224.0.0.1 -j DROP
-A INPUT -s 192.168.2.0/255.255.255.0 -i eth1 -j ACCEPT
-A INPUT -d 192.168.2.255 -i eth1 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -j tcp_inbound
-A INPUT -i eth0 -p udp -j udp_inbound
-A INPUT -i eth0 -p icmp -j icmp_packets
-A INPUT -m pkttype --pkt-type broadcast -j DROP
-A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "INPUT packet died: "
-A FORWARD -j bad_packets
-A FORWARD -i eth1 -p tcp -j tcp_outbound
-A FORWARD -i eth1 -p udp -j udp_outbound
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.2.100 -i eth0 -p tcp -m tcp --dport 10001 -j ACCEPT
-A FORWARD -d 192.168.2.17 -i eth0 -p tcp -m tcp --dport 5500 -j ACCEPT
-A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "FORWARD packet died: "
-A OUTPUT -p icmp -m state --state INVALID -j DROP
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 192.168.2.2 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "OUTPUT packet died: "
-A bad_packets -s 192.168.2.0/255.255.255.0 -i eth0 -j LOG --log-prefix "Illegal source: "
-A bad_packets -s 192.168.2.0/255.255.255.0 -i eth0 -j DROP
-A bad_packets -m state --state INVALID -j LOG --log-prefix "Invalid packet: "
-A bad_packets -m state --state INVALID -j DROP
-A bad_packets -p tcp -j bad_tcp_packets
-A bad_packets -j RETURN
-A bad_tcp_packets -i eth1 -p tcp -j RETURN
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "New not syn: "
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A bad_tcp_packets -p tcp -j RETURN
-A icmp_packets -p icmp -f -j LOG --log-prefix "ICMP Fragment: "
-A icmp_packets -p icmp -f -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -j RETURN
-A tcp_inbound -p tcp -m tcp --dport 8765 -j ACCEPT
-A tcp_inbound -p tcp -j RETURN
-A tcp_outbound -p tcp -j ACCEPT
-A udp_inbound -p udp -m udp --dport 137 -j DROP
-A udp_inbound -p udp -m udp --dport 138 -j DROP
-A udp_inbound -p udp -j RETURN
-A udp_outbound -p udp -j ACCEPT
COMMIT
# Completed on Mon Apr 20 10:11:20 2009
# Generated by iptables-save v1.3.5 on Mon Apr 20 10:11:20 2009
*nat
:PREROUTING ACCEPT [9404:874346]
:POSTROUTING ACCEPT [188:20273]
:OUTPUT ACCEPT [2525:166618]
-A PREROUTING -s ! 192.168.2.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 10001 -j DNAT --to-destination 192.168.2.100:10001
-A PREROUTING -s ! 192.168.2.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 5500 -j DNAT --to-destination 192.168.2.17:5500
-A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.2
COMMIT
# Completed on Mon Apr 20 10:11:20 2009
# Generated by iptables-save v1.3.5 on Mon Apr 20 10:11:20 2009
*mangle
:PREROUTING ACCEPT [281775:80948524]
:INPUT ACCEPT [187449:35070531]
:FORWARD ACCEPT [94326:45877993]
:OUTPUT ACCEPT [200649:51915053]
:POSTROUTING ACCEPT [293857:97752066]
COMMIT
# Completed on Mon Apr 20 10:11:20 2009
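The symptom above (reachable by local IP, unreachable via the domain name from the LAN) is the hairpin / NAT loopback case: the existing DNAT matches only -i eth0 and excludes -s 192.168.2.0/24, and a DNAT that did match LAN clients would still need a POSTROUTING SNAT towards the CCTV so its replies return through the server rather than straight to the client. The script below is an added example, not code from the post or its author: it parses an iptables-save dump and reports whether both hairpin rules are present, run over the post's *nat table and over a hypothetical corrected one (the two added rules, the 192.168.2.0/24 notation and the function names are assumptions).

```python
"""Added hairpin (NAT loopback) check: LAN clients need a PREROUTING DNAT that matches
their interface AND a POSTROUTING SNAT towards the target so the reply returns via the gateway."""
import ipaddress, shlex

# Constructed from the post's *nat table (wrapped lines re-joined).
ORIGINAL_NAT = """*nat
-A PREROUTING -s ! 192.168.2.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 10001 -j DNAT --to-destination 192.168.2.100:10001
-A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.2
COMMIT"""
# Hypothetical corrected table: the two extra rules hairpin NAT needs on the LAN side.
FIXED_NAT = ORIGINAL_NAT.replace("COMMIT", """\
-A PREROUTING -s 192.168.2.0/24 -i eth1 -p tcp -m tcp --dport 10001 -j DNAT --to-destination 192.168.2.100:10001
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.2.100 -o eth1 -p tcp -m tcp --dport 10001 -j SNAT --to-source 192.168.2.2
COMMIT""")

def parse_rule(line):
    """Map each option of an '-A ...' line to (negated, value); accepts '-s ! net' and '! -s net'."""
    toks, opts, i, neg = shlex.split(line), {}, 0, False
    while i < len(toks):
        tok = toks[i]
        if tok == "!":
            neg = True
        elif tok.startswith("-"):
            val = None
            if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                i, val = i + 1, toks[i + 1]
                if val == "!":  # iptables 1.3.x puts the '!' after the option
                    i, neg, val = i + 1, True, toks[i + 1]
            opts[tok], neg = (neg, val), False
        i += 1
    return opts

def same_net(a, b):
    """Compare addresses in any notation, e.g. 192.168.2.0/255.255.255.0 == 192.168.2.0/24."""
    return a is not None and ipaddress.ip_network(a, strict=False) == ipaddress.ip_network(b, strict=False)

def hairpin_nat_check(dump, lan_if, lan_net, target_ip, port):
    result = {"dnat_from_lan": False, "snat_to_target": False}
    for r in (parse_rule(l) for l in dump.splitlines() if l.startswith("-A ")):
        get = lambda opt: r.get(opt, (False, None))
        chain, jump = r["-A"][1], get("-j")[1]
        if chain == "PREROUTING" and jump == "DNAT" and get("--dport")[1] == str(port) \
                and (get("--to-destination")[1] or "").startswith(target_ip):
            src_neg, src = get("-s")  # '-i eth0' or '-s ! LAN' keeps LAN clients out of the DNAT
            if get("-i")[1] in (None, lan_if) and not (src_neg and same_net(src, lan_net)):
                result["dnat_from_lan"] = True
        elif chain == "POSTROUTING" and jump in ("SNAT", "MASQUERADE") \
                and get("-o")[1] == lan_if and same_net(get("-d")[1], target_ip):
            result["snat_to_target"] = True
    return result
```

On the post's table both flags come back False; on the corrected table both are True. The SNAT is what keeps the CCTV's reply flowing back through 192.168.2.2, so the client sees the address it connected to.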
