Debian
ValkoNytin, 2019-09-14 09:29:34

How to set up an IP camera that sits in the subnet of a router behind the Debian 8 server?

I am a happy owner of a Debian 8 server. I set up iptables with great difficulty (probably POSTROUTING), and everything seems to work, but one of the subscribers wanted an IP camera, and now I can't figure out how to "forward" the port on the server and the router, or create a separate NAT. Due to my inexperience in the matter and a lack of time to study the issue, I ask you to help me or send me a link with some info for people like me. Thank you.


1 answer
Andrey Barbolin, 2019-09-14
@dronmaxman

I recommend using an iptables add-on such as ferm for starters. It is very accessible and understandable, and lets you write and apply the rules.
Just write the rules in /etc/ferm/ferm.conf and apply them with
sudo ferm /etc/ferm/ferm.conf
There is also a revert option:

--interactive
    Apply the firewall rules and ask the user for confirmation. Reverts to the previous ruleset if there is no valid user response within 30 seconds (see --timeout). This is useful for remote firewall administration: you can test the rules without fearing to lock yourself out.

My template is under the spoiler
# -*- shell-script -*-
#
# Configuration file for ferm(1).
#

## INTERFACES
@def $DEV_WAN = eth0;
@def $DEV_LOCAL = eth1;
@def $WAN_IP = 91.233.10.16;
@def $LAN_IP = 10.11.10.1;
# Placeholders: the VPN interface and this host's address on it, referenced by &FORWARD_SIPORT below
@def $DEV_PPTP = ppp0;
@def $PPTP_IP = 10.10.16.1;

# Port forward with NAT of the traffic into the internal network; needed if the client reaches the internet through a different gateway.
@def &FORWARD_SIPORT($proto, $sport, $dport, $dest) = {
    table nat chain PREROUTING interface $DEV_LOCAL proto $proto dport $sport DNAT to "$dest:$dport";
    table filter chain FORWARD interface $DEV_LOCAL outerface $DEV_PPTP daddr $dest proto $proto dport $dport ACCEPT;
    table nat chain POSTROUTING daddr $dest proto $proto dport $dport SNAT to "$PPTP_IP";
}

# The simplest port forward
@def &FORWARD_PORT($proto, $port, $dest) = {
    table nat chain PREROUTING interface $DEV_WAN proto $proto dport $port DNAT to "$dest";
    table filter chain FORWARD interface $DEV_WAN outerface $DEV_LOCAL daddr $dest proto $proto dport $port ACCEPT;
}

# Rate-limited logging of rejected packets at the end of a chain
@def &LOG_DROP($table, $chain) = {
    table $table chain $chain mod limit limit 2/min limit-burst 10 LOG log-prefix "[FERM] $chain: " log-level warning;
    table $table chain $chain REJECT;
}

table filter {
    chain INPUT {
        policy DROP;

        # connection tracking
        mod state state INVALID LOG log-prefix '[FERM] INVALID INPUT DROP: ';
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local packets
        interface lo ACCEPT;
        protocol icmp ACCEPT;

        interface $DEV_WAN {
            # allow IPsec
            proto udp dport (4500 500) ACCEPT;
            proto (esp ah) ACCEPT;
            # allow SSH connections
            proto tcp dport ssh ACCEPT;
            # allow iperf3 (5201), HTTP and HTTPS, and 444
            proto (udp tcp) dport (5201 80 443 444) ACCEPT;
            # allow openvpn
            proto (udp tcp) dport 443 ACCEPT;
            proto (udp tcp) dport 444 ACCEPT;
            proto (udp tcp) dport 1194 ACCEPT;
            proto (udp tcp) dport 41194 ACCEPT;
            proto (udp tcp) dport 4444 ACCEPT;
        }

        interface $DEV_LOCAL {
            # allow SSH connections
            proto tcp dport ssh ACCEPT;
            # allow RIP connections
            proto udp dport route ACCEPT;
            # allow Zabbix agent connections
            proto tcp dport 10050 ACCEPT;
        }
    }

    chain OUTPUT {
        policy ACCEPT;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }

    chain FORWARD {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
        proto icmp ACCEPT;

        ## Allow the home network to go anywhere
        saddr 10.11.10.0/24 ACCEPT;
        ## Allow home network 2 to go to the internet only
        saddr 192.168.101.0/24 outerface $DEV_WAN ACCEPT;
    }
}

table nat {
    chain PREROUTING {
    }
    chain POSTROUTING {
        # Masquerade
        outerface $DEV_WAN MASQUERADE;
    }
}

# RDP forward
&FORWARD_SIPORT((udp tcp), 3389, 3389, 10.10.16.157);

# Enable LOG
&LOG_DROP(filter, INPUT);
&LOG_DROP(filter, FORWARD);
Everything fell into place for me when I saw the logic of iptables visually:
[image: 5d7c96cf9c870061242959.png]
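Applied to the camera in the question, here is an added example (not part of the answer above): the same DNAT plus FORWARD pair that &FORWARD_PORT builds, but restricted to known client addresses so the camera's ports are not open to the whole internet. The interface names, the router address 10.11.10.2 and the client range 203.0.113.0/24 are assumptions; the subscriber's router must still forward the same ports on to the camera in its own subnet, since the server only sees the router's address.

```ferm
# Added example for the IP-camera case; values below are assumptions, adjust to your network.
@def $DEV_WAN = eth0;
@def $DEV_LOCAL = eth1;
@def $CAM_ROUTER = 10.11.10.2;          # LAN-side address of the subscriber's router (assumed)
@def $CAM_CLIENTS = (203.0.113.0/24);   # addresses allowed to reach the camera (assumed, TEST-NET-3)

# Port forward limited to a set of source addresses: DNAT on the WAN side,
# then an explicit FORWARD accept for the same sources only. Everything else
# falls through to the FORWARD policy (DROP in the template above).
@def &FORWARD_PORT_FROM($proto, $port, $dest, $allowed) = {
    table nat chain PREROUTING interface $DEV_WAN saddr $allowed proto $proto dport $port DNAT to "$dest";
    table filter chain FORWARD interface $DEV_WAN outerface $DEV_LOCAL saddr $allowed daddr $dest proto $proto dport $port ACCEPT;
}

# Camera RTSP stream (554/tcp) and its web interface (assumed 8080/tcp),
# reachable only from $CAM_CLIENTS; the router behind $CAM_ROUTER forwards
# the same two ports on to the camera itself.
&FORWARD_PORT_FROM(tcp, 554, $CAM_ROUTER, $CAM_CLIENTS);
&FORWARD_PORT_FROM(tcp, 8080, $CAM_ROUTER, $CAM_CLIENTS);
```

Apply it with `sudo ferm --interactive /etc/ferm/ferm.conf` so a mistake reverts automatically, and check the result with `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v`.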
