Beste
Ik zou met het programma radmin/ssh toegang willen hebben tot mijn pc met ipadress 192.168.3.xx maar dit lukt niet. Voor ssh kom ik enkel tot op mijn server en niet verder, radmin werkt al helemaal niet hoe moet ik dit oplossen
ik heb de volgende configuratie ISP => router die als IP 192.168.0.1 heeft ingang server 192.168.0.122 uitgang server 192.168.3.22 draadloze switch met ip naar 192.168.3.xx
Op mijn server draait de volgende volgende iptable config:
#!/bin/sh
> IPTABLES=/sbin/iptables
> MODPROBE=/sbin/modprobe
> INT_NET=192.168.3.0/24
> IFACE=192.168.3.22
> EXT_NET=192.168.0.122
> WAN=eth0
> LAN=eth1
> LIMITED=192.168.3.128/25
> ACCESS=192.168.3.0/25
>
>
> ###flush excisting rules and set chain policy setting to DROP
>
> echo "[+] Flushing excisting iptables rules....."
>
> $IPTABLES -F
> $IPTABLES -F -t nat
> $IPTABLES -X
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT DROP
> $IPTABLES -P FORWARD DROP
>
> ### load connection-tracking modules
>
> $MODPROBE ip_conntrack
> $MODPROBE iptable_nat
> $MODPROBE ip_conntrack_ftp
> $MODPROBE ip_nat_ftp
>
> #### INPUT CHAIN ####
>
> echo "[+] Setting up INPUT chain..."
>
> ### state tracking rules
>
> $IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP
> INVALID " --log-ip-options --log-tcp-options
>
> $IPTABLES -A INPUT -m state --state INVALID -j DROP $IPTABLES -A INPUT
> -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>
>
> ### ACCEPT rules
>
> $IPTABLES -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j
> ACCEPT $IPTABLES -A INPUT -p udp -m state --state RELATED,ESTABLISHED
> -j ACCEPT $IPTABLES -A INPUT -i $LAN -p tcp -d $INT_NET --dport 22 -m
> state --state NEW -j ACCEPT $IPTABLES -A INPUT -i $WAN -p tcp -d
> $EXT_NET --dport 22 -m state --state NEW -j ACCEPT $IPTABLES -A INPUT
> -i $LAN -p tcp -d $INT_NET --dport 4899 -m state --state NEW -j ACCEPT
> $IPTABLES -A INPUT -i $WAN -p tcp -d $EXT_NET --dport 4899 -m state
> --state NEW -j ACCEPT
>
> $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT ####
> DHCP #### $IPTABLES -A INPUT -p tcp -m tcp --dport 67:68 -j ACCEPT
> $IPTABLES -A INPUT -p udp -m udp --dport 67:68 -j ACCEPT $IPTABLES -A
> INPUT -p udp -m udp --dport 53 -j ACCEPT ####samba#### $IPTABLES -A
> INPUT -p udp -m udp -s 192.168.3.22 --dport 137 -j ACCEPT $IPTABLES -A
> INPUT -p udp -m udp -s 192.168.3.22 --dport 138 -j ACCEPT $IPTABLES -A
> INPUT -m state --state NEW -m tcp -p tcp -s 192.168.3.22 --dport 139
> -j ACCEPT $IPTABLES -A INPUT -m state --state NEW -m tcp -p tcp -s
> 192.168.3.22 --dport 445 -j ACCEPT ### Antispoofing rules
>
> #$IPTABLES -A INPUT -i $LAN -s ! $INT_NET -j LOG --log-prefix "SPOOFED
> PKT " --log-ip-options --log-tcp-options #$IPTABLES -A INPUT -i $LAN
> -s ! $INT_NET -j DROP
>
> ### default INPUT LOG rule
>
> $IPTABLES -A INPUT -i !lo -j LOG --log-prefix "DROP "
> --log-ip-options --log-tcp-options
>
> ##### OUTPUT chain #####
>
> echo "[+] Setting up OUTPUT chain..."
>
> ### State tracking tools
>
> $IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP
> INVALID " --log-ip-options --log-tcp-options
>
> $IPTABLES -A OUTPUT -m state --state INVALID -j DROP $IPTABLES -A
> OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> ### ACCEPT rules for allowing connections out
>
> $IPTABLES -A OUTPUT -p tcp -m state --state RELATED,ESTABLISHED -j
> ACCEPT #### ftp #### $IPTABLES -A OUTPUT -p tcp --dport 21 --syn -m
> state --state NEW -j ACCEPT #### ssh #### $IPTABLES -A OUTPUT -p tcp
> --dport 22 --syn -m state --state NEW -j ACCEPT ####radmin####
> $IPTABLES -A OUTPUT -p tcp --dport 4899 --syn -m state --state NEW -j
> ACCEPT #### SMTP #### $IPTABLES -A OUTPUT -p tcp --dport 25 --syn -m
> state --state NEW -j ACCEPT #### WHOIS #### $IPTABLES -A OUTPUT -p tcp
> --dport 43 --syn -m state --state NEW -j ACCEPT #### http ####
> $IPTABLES -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j
> ACCEPT #### DHCP #### $IPTABLES -A OUTPUT -p tcp --dport 67:68 --syn
> -m state --state NEW -j ACCEPT #### secure port 443 #### #$IPTABLES -A
> OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT ####
> HTTPS #### #$IPTABLES -A OUTPUT -p tcp --dport 4321 --syn -m state
> --state NEW -j ACCEPT $IPTABLES -A OUTPUT -p udp -m state --state
> RELATED,ESTABLISHED -j ACCEPT #### DNS #### $IPTABLES -A OUTPUT -p udp
> --dport 53 -m state --state NEW -j ACCEPT #### DHCP#### $IPTABLES -A
> OUTPUT -p udp --dport 67:68 -m state --state NEW -j ACCEPT #### echo
> request #### $IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j
> ACCEPT $IPTABLES -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
>
>
>
> ### Default OUTPUT LOG rule
>
> $IPTABLES -A OUTPUT -o ! lo -j LOG --log-prefix "DROP "
> --log-ip-options --log-tcp-options
>
> ##### FORWARD CHAIN #####
>
> echo "[+] Setting up FORWARD chain..."
>
> ### state tracking rules
>
> $IPTABLES -A FORWARD -m state --state INVALID -j LOG --log-prefix "
> DROP INVALID " --log-ip-options --log-tcp-options
>
> $IPTABLES -A FORWARD -m state --state INVALID -j DROP $IPTABLES -A
> FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>
>
> ### ACCEPT rules
>
> $IPTABLES -A FORWARD -i $LAN -o $WAN -s $ACCESS -j ACCEPT $IPTABLES -A
> FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> ##### access restrictions for unknown hosts ###### $IPTABLES -A
> FORWARD -i $LAN -o $WAN -s $LIMITED -m tcp -p tcp --dport 110 -j
> ACCEPT $IPTABLES -A FORWARD -i $LAN -o $WAN -s $LIMITED -m tcp -p tcp
> --dport
> 25 -j ACCEPT
> $IPTABLES -A FORWARD -i $LAN -o $WAN -s $LIMITED -m tcp -p tcp --dport
> 80 -j ACCEPT $IPTABLES -A FORWARD -i $LAN -o $WAN -s $LIMITED -m udp
> -p udp --dport 110 -j ACCEPT $IPTABLES -A FORWARD -i $LAN -o $WAN -s
> $LIMITED -m udp -p udp --dport
> 25 -j ACCEPT
> $IPTABLES -A FORWARD -i $LAN -o $WAN -s $LIMITED -m udp -p udp --dport
> 80 -j ACCEPT $IPTABLES -A FORWARD -i $LAN -o $WAN -s $LIMITED -m udp
> -p udp --dport
> 53 -j ACCEPT
> $IPTABLES -A FORWARD -i $LAN -o $WAN -s $LIMITED -j LOG --log-prefix "
> dropped "
> $IPTABLES -A FORWARD -i $LAN -o $WAN -s $LIMITED -j DROP
>
> ### Antispoofing Rules
>
> #$IPTABLES -A FORWARD -i $LAN -s ! $INT_NET -j LOG --log-prefix
> "Spoofed pkg "
> #$IPTABLES -A FORWARD -i $LAN -s ! $INT_NET -j DROP ##### NAT rules
> #####
>
> echo "[+] Setting up NAT rules..."
>
> $IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -i $WAN -j DNAT --to
> $IFACE:80 #$IPTABLES -t nat -A PREROUTING -p tcp --dport 443 -i $WAN
> -j DNAT --to $INT_NET:443 $IPTABLES -t nat -A PREROUTING -p udp
> --dport 53 -i $WAN -j DNAT --to
> $IFACE:53
> $IPTABLES -t nat -A PREROUTING -p tcp -i $WAN --dport 5001 -j DNAT
> --to $EXT_NET:22 $IPTABLES -t nat -A PREROUTING -p tcp -i $WAN --dport
> 4899 -j DNAT --to $EXT_NET:4899
>
> $IPTABLES -t nat -A POSTROUTING -o $WAN -j MASQUERADE ##### IP
> FORWARDING #####
>
> echo "[+] Enabling IP Forwarding..."
> echo 1 > /proc/sys/net/ipv4/ip_forward
poort 4899 is de standaard poort voor Radmin die natuurlijk gewijzigd dient te worden
alvast bedankt voor jullie hulp