Всем привет!Не удается "пробросить" порт 3389 средствами iptables для доступа к конкретному компьютеру по RDP за NAT.
Реализовал следующий скрипт:
#!/bin/bash
LO_IF="lo"
LO_NET="127.0.0.0/8"
INT_IF="eth0"
INT_NET="192.168.3.0/24"
EXT_IF="eth1"
EXT_IP="xxx.xxx.xxx.xxx"
# Delete all existing rules:
iptables -F
iptables -F FORWARD
iptables -t nat -F
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
# Allow loopback:
iptables -A INPUT -i $LO_IF -j ACCEPT
# Allow ping:
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
# Allow SSH (5420):
iptables -A INPUT -p tcp --dport 5420 -j ACCEPT
# Allow HTTP(80),SSH(5420),SAMBA(139,445),MySQL(3306) and Squid(3128):
iptables -A INPUT -p tcp -i $INT_IF -m multiport --dports 80,139,445,3306,3128 -j ACCEPT
# Allow RDP (3389):
iptables -A INPUT -p tcp --dport 3389 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d $EXT_IP --dport 3389 -j DNAT --to-destination 192.168.3.254:3389
# Masquerade:
iptables -t nat -A POSTROUTING -o $EXT_IF -j SNAT --to-source $EXT_IP
# Defaults:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
Не вижу открытого порта:
netstat -anp | grep 3389
Вывод iptables -L:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT tcp -- anywhere anywhere tcp dpt:5420
ACCEPT tcp -- anywhere anywhere multiport dports http,netbios-ssn,microsoft-ds,3306,3128
ACCEPT tcp -- anywhere anywhere tcp dpt:rdp
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Вывод sysctl -a | grep forward:
error: permission denied on key 'vm.compact_memory'
error: permission denied on key 'net.ipv4.route.flush'
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.lo.forwarding = 0
error: permission denied on key 'net.ipv6.route.flush'
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth1.forwarding = 0
Прошу помощи, заранее благодарю.