{"id":215,"date":"2009-12-31T11:07:03","date_gmt":"2009-12-31T10:07:03","guid":{"rendered":"http:\/\/soi57.net\/articles\/?p=215"},"modified":"2020-09-08T15:55:44","modified_gmt":"2020-09-08T14:55:44","slug":"acceder-a-servicio-en-ip-publica-mapeada-a-tu-propia-maquina-con-iptables","status":"publish","type":"post","link":"https:\/\/soi57.net\/blog\/acceder-a-servicio-en-ip-publica-mapeada-a-tu-propia-maquina-con-iptables\/","title":{"rendered":"Acceder a servicio en ip publica mapeada a tu propia maquina con iptables"},"content":{"rendered":"<p>La semana pasada tuve que <strong>mapear<\/strong> un puerto de una ip del <strong>firewall<\/strong> para que llegase a una m\u00e1quina de una subred interna que ten\u00eda como puerta de enlace una <strong>ip de la subred interna<\/strong> del firewall.  Accediendo desde afuera de nuestra red el puerto funcionaba sin problemas haciendo la redirecci\u00f3n con rinetd o con las siguientes reglas en <strong>iptables<\/strong>.<\/p>\n<blockquote><p>\niptables -A INPUT -i INTERFAZ_PUBLICO_FIREWALL -p tcp &#8211;dport PUERTO_PUBLICO_FIREWALL -j ACCEPT<br \/>\niptables -A PREROUTING -i INTERFAZ_PUBLICO_FIREWALL -t nat -p tcp &#8211;dport PUERTO_PUBLICO_FIREWALL -j DNAT &#8211;to IP_SERVICIO_RED_INTERNA:PUERTO_SERVICIO_RED_INTERNA<br \/>\niptables -A FORWARD -i INTERFAZ_PUBLICO_FIREWALL -p tcp -d IP_SERVICIO_RED_INTERNA &#8211;dport PUERTO_SERVICIO_RED_INTERNA -j ACCEPT<\/p><\/blockquote>\n<p>De esta manera todos los paquetes que vengan de Internet al <strong>puerto publico<\/strong> de mi <strong>firewall<\/strong> ir\u00e1n al <strong>puerto del servicio<\/strong> que est\u00e1 corriendo en la ip de la m\u00e1quina de la subred interna. El problema es cuando te intentas conectar desde un host de la <strong>misma red local<\/strong> a la que pertenece el servidor interno (conect\u00e1ndote a la ip p\u00fablica del firewall) . No se puede. 
Es un <strong>problema de enrutado<\/strong>: comenzaremos estudiando lo que ocurre en el caso normal. Veamos que ocurre paso a paso:<\/p>\n<li>El paquete deja la m\u00e1quina de la red interna para dirigirse a ip p\u00fablica del firewall.<\/li>\n<li>El paquete llega al cortafuegos.<\/li>\n<li>El paquete sufre la traducci\u00f3n <strong>DNAT<\/strong> y todas las acciones necesarias se toman en consecuencia, si bien al paquete no se le efect\u00faa ninguna traducci\u00f3n <strong>SNAT<\/strong> y mantiene la misma direcci\u00f3n IP de origen (es decir una ip de la red interna) <\/li>\n<li>El paquete sale del cortafuegos y alcanza la m\u00e1quina que est\u00e1 corriendo el servicio<\/li>\n<p>.<\/p>\n<li>El servidor interno intenta responder al paquete y observa en las tablas de enrutado que el<br \/>\n   paquete viene de una m\u00e1quina local de la misma red, por lo que intenta enviar el paquete<br \/>\n   directamente a la direcci\u00f3n IP de origen (que a partir de ese momento se convierte en la direcci\u00f3n IP<br \/>\n   de destino).<\/p>\n<li>\n<li> El paquete llega al cliente, que no sabe qu\u00e9 hacer puesto que el paquete devuelto no proviene del<br \/>\n   host al que envi\u00f3 la petici\u00f3n original. Por \u00e9llo el cliente desecha el paquete y contin\u00faa esperando la<br \/>\n   respuesta v\u00e1lida.<\/li>\n<h2>Soluci\u00f3n<\/h2>\n<p>Una soluci\u00f3n es hacer una traducci\u00f3n <strong>SNAT<\/strong> a todos los paquetes que entren al <strong>cortafuegos<\/strong> y a los que sabemos que tambi\u00e9n se les va a aplicar la traducci\u00f3n <strong>DNAT<\/strong>. Por ej., vamos a efectuar una traducci\u00f3n SNAT a los paquetes que entren al firewall y est\u00e9n destinados a la ip interna de nuestro servicio en el puerto correspondiente, de forma que parecer\u00e1 que provengan de la ip de la <strong>subred interna<\/strong> del <strong>firewall<\/strong>. 
\u00c9sto forzar\u00e1 al servidor interno a devolver los paquetes a trav\u00e9s del cortafuegos, que invertir\u00e1 la traducci\u00f3n <strong>DNAT<\/strong> y los reenviar\u00e1 al cliente. <\/p>\n<blockquote><p>\niptables -A INPUT -i INTERFAZ_PUBLICO_FIREWALL -p tcp &#8211;dport PUERTO_PUBLICO_FIREWALL -j ACCEPT<br \/>\niptables -t nat -A PREROUTING &#8211;dst IP_PUBLICA_FIREWALL -p tcp &#8211;dport PUERTO_PUBLICO_FIREWALL -j DNAT &#8211;to-destination IP_SERVIDOR_INTERNO:PUERTO_SERVICIO_INTERNO<br \/>\niptables -t nat -A POSTROUTING -p tcp &#8211;dst IP_SERVIDOR_INTERNO &#8211;dport IP_SERVICIO_INTERNO -j SNAT  &#8211;to-source IP_INTERNA_FIREWALL<br \/>\niptables -t nat -A OUTPUT &#8211;dst IP_PUBLICA_FIREWALL -p tcp &#8211;dport PUERTO_PUBLICO_FIREWALL -j DNAT &#8211;to-destination IP_SERVIDOR_INTERNO:PUERTO_SERVICIO_INTERNO<br \/>\niptables -A FORWARD -i INTERFAZ_PUBLICO_FIREWALL -p tcp -d IP_SERVIDOR_INTERNO &#8211;dport PUERTO_SERVICIO_INTERNO -j ACCEPT\n<\/p><\/blockquote>\n<p>No s\u00e9 si lo he explicado claro y si hay alguna forma mejor de hacerlo, pero a mi me ha funcionado.<\/p>\n<div style='text-align:left' class='yasr-auto-insert-visitor'><\/div>","protected":false},"excerpt":{"rendered":"<p>La semana pasada tuve que mapear un puerto de una ip del firewall para que llegase a una m\u00e1quina de una subred interna que ten\u00eda como puerta de enlace una &hellip; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"yasr_overall_rating":0,"yasr_post_is_review":"","yasr_auto_insert_disabled":"","yasr_review_type":"","footnotes":""},"categories":[699],"tags":[106,607,606,104,105],"class_list":["post-215","post","type-post","status-publish","format-standard","hentry","category-guias","tag-dnat","tag-firewall","tag-iptables","tag-puertos","tag-snat"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.6 - 
-->","yoast_head_json":{"title":"Acceder a servicio en ip publica mapeada a tu propia maquina con iptables","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/soi57.net\/blog\/acceder-a-servicio-en-ip-publica-mapeada-a-tu-propia-maquina-con-iptables\/","og_locale":"es_ES","og_type":"article","og_title":"Acceder a servicio en ip publica mapeada a tu propia maquina con iptables","og_description":"La semana pasada tuve que mapear un puerto de una ip del firewall para que llegase a una m\u00e1quina de una subred interna que ten\u00eda como puerta de enlace una &hellip;","og_url":"https:\/\/soi57.net\/blog\/acceder-a-servicio-en-ip-publica-mapeada-a-tu-propia-maquina-con-iptables\/","og_site_name":"Android, administracion de sistemas y seo","article_published_time":"2009-12-31T10:07:03+00:00","article_modified_time":"2020-09-08T14:55:44+00:00","author":"root","twitter_card":"summary_large_image","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/soi57.net\/blog\/acceder-a-servicio-en-ip-publica-mapeada-a-tu-propia-maquina-con-iptables\/#article","isPartOf":{"@id":"https:\/\/soi57.net\/blog\/acceder-a-servicio-en-ip-publica-mapeada-a-tu-propia-maquina-con-iptables\/"},"author":{"name":"root","@id":"https:\/\/soi57.net\/blog\/#\/schema\/person\/9410e0a8d6f61a74f9f82f2229ab79d7"},"headline":"Acceder a servicio en ip publica mapeada a tu propia maquina con 
iptables","datePublished":"2009-12-31T10:07:03+00:00","dateModified":"2020-09-08T14:55:44+00:00","mainEntityOfPage":{"@id":"https:\/\/soi57.net\/blog\/acceder-a-servicio-en-ip-publica-mapeada-a-tu-propia-maquina-con-iptables\/"},"wordCount":641,"commentCount":2,"publisher":{"@id":"https:\/\/soi57.net\/blog\/#organization"},"keywords":["dnat","firewall","iptables","puertos","snat"],"articleSection":["guias"],"inLanguage":"es","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/soi57.net\/blog\/acceder-a-servicio-en-ip-publica-mapeada-a-tu-propia-maquina-con-iptables\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/soi57.net\/blog\/acceder-a-servicio-en-ip-publica-mapeada-a-tu-propia-maquina-con-iptables\/","url":"https:\/\/soi57.net\/blog\/acceder-a-servicio-en-ip-publica-mapeada-a-tu-propia-maquina-con-iptables\/","name":"Acceder a servicio en ip publica mapeada a tu propia maquina con iptables","isPartOf":{"@id":"https:\/\/soi57.net\/blog\/#website"},"datePublished":"2009-12-31T10:07:03+00:00","dateModified":"2020-09-08T14:55:44+00:00","breadcrumb":{"@id":"https:\/\/soi57.net\/blog\/acceder-a-servicio-en-ip-publica-mapeada-a-tu-propia-maquina-con-iptables\/#breadcrumb"},"inLanguage":"es","potentialAction":[{"@type":"ReadAction","target":["https:\/\/soi57.net\/blog\/acceder-a-servicio-en-ip-publica-mapeada-a-tu-propia-maquina-con-iptables\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/soi57.net\/blog\/acceder-a-servicio-en-ip-publica-mapeada-a-tu-propia-maquina-con-iptables\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Portada","item":"https:\/\/soi57.net\/blog\/"},{"@type":"ListItem","position":2,"name":"Acceder a servicio en ip publica mapeada a tu propia maquina con iptables"}]},{"@type":"WebSite","@id":"https:\/\/soi57.net\/blog\/#website","url":"https:\/\/soi57.net\/blog\/","name":"Android, administracion de sistemas y 
seo","description":"soi57.net\/blog","publisher":{"@id":"https:\/\/soi57.net\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/soi57.net\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"es"},{"@type":"Organization","@id":"https:\/\/soi57.net\/blog\/#organization","name":"Soi57.Net","url":"https:\/\/soi57.net\/blog\/","logo":{"@type":"ImageObject","inLanguage":"es","@id":"https:\/\/soi57.net\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/soi57.net\/blog\/wp-content\/logo_soi57.net_half.jpg","contentUrl":"https:\/\/soi57.net\/blog\/wp-content\/logo_soi57.net_half.jpg","width":342,"height":77,"caption":"Soi57.Net"},"image":{"@id":"https:\/\/soi57.net\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/soi57.net\/blog\/#\/schema\/person\/9410e0a8d6f61a74f9f82f2229ab79d7","name":"root","image":{"@type":"ImageObject","inLanguage":"es","@id":"https:\/\/soi57.net\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/6e87f10096d6c8f82a9bc2ddc0f3a223?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/6e87f10096d6c8f82a9bc2ddc0f3a223?s=96&d=mm&r=g","caption":"root"},"sameAs":["http:\/\/soi57.net"]},false]}},"yasr_visitor_votes":{"stars_attributes":{"read_only":false,"span_bottom":false},"number_of_votes":0,"sum_votes":0},"_links":{"self":[{"href":"https:\/\/soi57.net\/blog\/wp-json\/wp\/v2\/posts\/215","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/soi57.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/soi57.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/soi57.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/soi57.net\/blog\/wp-json\/wp\/v2\/comments?post=215"}],"version-history":[{"count":5,"href":"https:\/\/soi57.net\/b
log\/wp-json\/wp\/v2\/posts\/215\/revisions"}],"predecessor-version":[{"id":220,"href":"https:\/\/soi57.net\/blog\/wp-json\/wp\/v2\/posts\/215\/revisions\/220"}],"wp:attachment":[{"href":"https:\/\/soi57.net\/blog\/wp-json\/wp\/v2\/media?parent=215"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/soi57.net\/blog\/wp-json\/wp\/v2\/categories?post=215"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/soi57.net\/blog\/wp-json\/wp\/v2\/tags?post=215"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}