Answer the question
In order to leave comments, you need to log in
D
D
Denis Sechin2016-12-27 17:05:42
Denis Sechin, 2016-12-27 17:05:42
Problems with medcom and iptables?
It is not possible to open ports for 465,993 on the gateway in iptables so that the medok can send reports, when sending, it writes a transmission error, telnet does not ring out the ports. There seems to be a rule, here is the config:
$ip -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ip -A INPUT -i lo -j ACCEPT
$ip -A INPUT -p icmp -j ACCEPT
$ip -A INPUT -p tcp --dport 4491 -j ACCEPT
$ip -A INPUT -p tcp --dport 465 -j ACCEPT
$ip -A INPUT -p tcp --dport 993 -j ACCEPT
$ip -A INPUT -p udp --dport 53 -j ACCEPT
$ ip -A INPUT -i $LOCAL_IF -s $LOCAL_NET -j ACCEPT
$ip -A INPUT -i tun+ -j ACCEPT
$ip -A INPUT ! -i $EXTERNAL_IF -p tcp --dport 3128 -j ACCEPT
$ip -A INPUT ! -i $EXTERNAL_IF -p udp --dport 67:68 -j ACCEPT
$ip -A INPUT -j LOG --log-prefix INPUT_ -m limit --limit 5/min
$ip -A INPUT -j DROP
### FORWARD Rules
$ip -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$ip -A FORWARD -s 10.20.31.43 -d 87.240/16 -j DROP
#CP-pos
$ip -t nat -A POSTROUTING -s 10.20 .31.50 -o $EXTERNAL_IF -j MASQUERADE
$ip -A FORWARD -s 10.20.31.50 -d 213.133.168.141 -j ACCEPT
$ip -A FORWARD -s 10.20.31.50 -d 185.34.224.110 -j ACCEPT
$ip -A FORWARD -s 10.20.31.50 -d 212.109.37.162 -j ACCEPT
$ip -A FORWARD -s 10.20.31.50 -j DROP
#cam
$ip -A FORWARD -d 10.20.31.31 -p udp -m multiport --dports 8001 -j ACCEPT
$ip -A FORWARD -d 10.20.31.32 -p udp -m multiport --dports 8001 -j ACCEPT
$ip -A FORWARD -d 10.20.31.33 -p udp -m multiport --dports 8001 -j ACCEPT
$ip -A FORWARD -d 10.20.31.31 -p tcp -m multiport --dports 8000 -j ACCEPT
$ip -A FORWARD -d 10.20.31.32 -p tcp -m multiport --dports 8000 -j ACCEPT
$ip -A FORWARD -d 10.20.31.33 -p tcp -m multiport --dports 8000 -j ACCEPT
$ip -A FORWARD -d 10.20.31.31 -p tcp -m multiport --dports 80 -j ACCEPT
$ip -A FORWARD -d 10.20 .31.32 -p tcp -m multiport --dports 80 -j ACCEPT
$ip -A FORWARD -d 10.20.31.33 -p tcp -m multiport --dports 80 -j ACCEPT
#
$ip -A FORWARD -i $LOCAL_IF -s $LOCAL_NET -j ACCEPT
$ip -A FORWARD -s $WCS_NET2 -d 10.0.0.0/8 -j DROP
$ip -A FORWARD -s $WCS_NET2 ! -d 192.168/16 -j ACCEPT
$ip -A FORWARD -s $WCS_NET3 -d 10.0.0.0/8 -j DROP
$ip -A FORWARD -s $WCS_NET3 ! -d 192.168/16 -j ACCEPT
#### Plan #####
$ip -A FORWARD -s $WCS_NET -d 216.137.61.0/24 -j ACCEPT
$ip -A FORWARD -s $WCS_NET -d 54.224. 0.0/12 -p tcp --dport 80 -j ACCEPT
$ip -A FORWARD -s $WCS_NET -m multiport -p tcp --dports 53,5432,8291 -j ACCEPT
$ip -A FORWARD -s $WCS_NET -p udp --dport 53 -j ACCEPT
$ip -A FORWARD -s $WCS_NET -p icmp -j ACCEPT
# $ip -A FORWARD -s $WCS_NET -d 10.20.31.250 -j ACCEPT
$ip -A FORWARD -s $WCS_NET -d 10.0.0.0/8 -j DROP
$ip -A FORWARD -s $WCS_NET -j DROP
$ip -A FORWARD -i tun+ -j ACCEPT
$ip -A FORWARD -o tun+ -j ACCEPT
$ip -A FORWARD -j LOG --log-prefix FORWARD_ -m limit --limit 5/min
$ip -A FORWARD -j DROP
### NAT Prerouting
$ip -t nat -A PREROUTING -s $LOCAL_NET ! -d 192.168/16 -p tcp --dport 80 -j REDIRECT --to-port 3128
$ip -t nat -A PREROUTING -s $WCS_NET ! -d 192.168/16 -p tcp --dport 80 -j REDIRECT --to-port 3128
### NAT Postrouting
$ip -t nat -A POSTROUTING -d mail.shf.com.ua -o $EXTERNAL_IF - p tcp -m multiport --dports 80,443,465,993,995 -j MASQUERADE
#
$ip -t nat -A POSTROUTING -p icmp -s $LOCAL_NET -o $EXTERNAL_IF -j MASQUERADE
$ip -t nat -A POSTROUTING -p udp -s $LOCAL_NET -o $EXTERNAL_IF -j MASQUERADE
$ip -t nat -A POSTROUTING -s $LOCAL_NET -o $EXTERNAL_IF -p tcp -m multiport --dports 25,110,143,443,4446,5190,6642,6649,7780,30583,60606,4566,5432 -j MASQUERADE
$ip - nat -A POSTROUTING -s $WCS_NET -o $EXTERNAL_IF -j MASQUERADE
$ip -t nat -A POSTROUTING -s $WCS_NET2 -o $EXTERNAL_IF -j MASQUERADE
$ip -t nat -A POSTROUTING -s $WCS_NET3 -o $ EXTERNAL_IF -j MASQUERADE
#cam
$ip -t nat -A PREROUTING -p udp -d 94.179.145.78 --dport 8011 -j DNAT --to-destination 10.20.31.31:8001
$ip -t nat -A PREROUTING -p udp -d 94.179.145.78 --dport 8012 -j DNAT --to-destination 10.20.31.32:8001
$ip -t nat -A PREROUTING -p udp -d 94.179.145.78 --dport 8013 -j DNAT --to-destination 10.20.31.33:8001
$ip -t nat -A PREROUTING -p tcp -d 94.179.145.78 --dport 8111 -j DNAT --to-destination 10.20.31.31:8000
$ip -t nat -A PREROUTING -p tcp -d 94.179.145.78 - -dport 8112 -j DNAT --to-destination 10.20.31.32:8000
$ip -t nat -A PREROUTING -p tcp -d 94.179.145.78 --dport 8113 -j DNAT --to-destination 10.20.31.33:8000
$ ip -t nat -A PREROUTING -p tcp -d 94.179.145.78 --dport 8081 -j DNAT --to-destination 10.20.31.31:80
$ip -t nat -A PREROUTING -p tcp -d 94.179.145.78 -- dport 8082 -j DNAT --to-destination 10.20.31.32:80
$ip -t nat -A PREROUTING -p tcp -d 94.179.145.78 --dport 8083 -j DNAT --to-destination 10.20.31.33:80
#CP -pos
$ip -t nat -A POSTROUTING -s 10.20.31.50 -o $EXTERNAL_IF -j MASQUERADE
#
#Radio
# $ip -t nat -A POSTROUTING -p tcp -s 10.20.31.200 --dport 8000 -o $EXTERNAL_IF -j MASQUERADE
#
#Evolution
$ip -t nat -A POSTROUTING -s 10.20.31.210 -p tcp - m multiport --dports 1212,1213,1214,1215 -o $EXTERNAL_IF -j MASQUERADE
}
#buh
$ip -t nat -A POSTROUTING -s 10.20.31.18 -p tcp -m multiport --dports 25,110,143 -o $EXTERNAL_IF - j MASQUERADE
2 answer(s)
@tamogavk
R
Ruslan Fedoseev, 2016-12-27 @tamogavk
465 and 993 are mail.
Attention to the question - where do you need to open these ports? you have them now open to you from the Internet
Similar questions
A
S
N
K
K
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question