Ïðèâåòñòâóþ,íóæíà òâîÿ ïîìîùü.

Ïðîáëåìêà ñëåäóþùàÿ:
Åñòü 2 íåçàâèñèìûå ñåòè, ñêàæåì "A" è "B". Ðàçäàâàòü èíòåðíåò. Èíòåðíåò "èäåò" ÷åðåç ìåñòíóþ ëîêëüíóþ ñåòü, Ïðèñâàèâàåòñÿ IP ÷åðåç DHCP.

×òî ÿ äåëàþ.
÷åðåç îáîëî÷êó íàñòðàèâàþ.
WAN - êëèåíò DHCP (âîçìîæíî çäåëàòü åñëè îòâåòà îò ñåðâåðà íåò òî ïî óìîë÷àíèþ âûñòàâëÿëñÿ îïðåäåëëåííûé IP)
LAN - 10.0.9.1/255.255.255.0 - "A"

×åðåç òåëíåò
LAN "B"
robocfg vlan 2 ports "1 5t" vlan 0 ports "2 3 4 5t"
vconfig add eth0 2
ifconfig vlan2 10.0.8.1 broadcast 10.0.8.255 netmask 255.255.255.0 up

âñå âðîäå ïîäíèìàåòñÿ íî â èíòåðåíò ÷åðåç vlan2 íå âûõîäèò.
À òàê æå íå ìîãó ïîäñîåäèíèòüñÿ ïî òåëíåòó èç ñåòè LAN "B".

À ÷òî äàëüøå äåëàòü ?
Êàê ÿ ïîíåìàþ íàäî ïðîïèñûâàòü ïðàâèëà, íî êàêèå?

PS: Â ïîèñêå ÿ èñêàë ïîõîæóþ çàäà÷ó, íî âñå õîòÿò íàñòðàèâàòü 2 WAN èíòåðôåéñà.

Çàìåòèë, ÷òî ïîñëå óñòàíîâëåíèÿ ñåññèè pppd âñå ïðàâèëà netfilter âîçâðàùàþòñÿ ê íàáîðó ïîñëå çàãðóçêè. Ýòî áàã èëè ôè÷à?

Êàê ÿ ïîíÿë, ïîñëå ðåêîííåêòà âñå òàáëèöû î÷èùàþòñÿ è çàïóñêàåòñÿ çàíîâî post-firewall?

Äîáàâüòå ýòî â FAQ ÷òî ëè..

Óãó. Èìåííî ïîýòîìó è áûë ïðèäóìàí post-firewall. Âðîäå âåùü î÷åâèäíàÿ: ìåíÿåòñÿ âíåøíèé àäðåñ, çíà÷èò íóæíî îáíîâèòü è ïðàâèëà â ôàåðâîëå, òàì âåäü àäðåñà ìåñòàìè èñïîëüçóþòñÿ.

Óãó. Èìåííî ïîýòîìó è áûë ïðèäóìàí post-firewall. Âðîäå âåùü î÷åâèäíàÿ: ìåíÿåòñÿ âíåøíèé àäðåñ, çíà÷èò íóæíî îáíîâèòü è ïðàâèëà â ôàåðâîëå, òàì âåäü àäðåñà ìåñòàìè èñïîëüçóþòñÿ.
Ó ìåíÿ îí íå ìåíÿåòñÿ, ïîýòîìó â ýòîì íàïðàâëåíèè êàê-òî íå ïîäóìàë. :) Äà è â VSERVER íåò íè îäíîé ññûëêè íà wan ip.

À â PREROUTING ? :)

À â PREROUTING ? :)
Ïðåðîóòèíãó - ïðåðîóòèíãîâî. :) Ìåíÿ óäèâèëà î÷èñòêà èìåííî VSERVER. Áûâàåò, íóæíî ÷òî-íèáóäü ïðîáðîñèòü âðåìåííî, íåîõîòà èëè íåò âðåìåíè ïðàâèòü post-firewall. È âèäèøü ïîñëå ðåêîííåêòà ïîëíûé ñþðïðèç. Òóò íà ìîé âçëÿä íå âñ¸ òàê î÷åâèäíî.

Îáíàðóæèë ñåãîäíÿ ó ñåáÿ ñòðàííóþ ñòðî÷êó â iptables. Íå ïîéìó, îòêóäà îíà è êàêîâ å¸ "ôèçè÷åñêèé ñìûñë":

-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o br0 -j MASQUERADE

Åñòü èäåè?

Íè÷åãî ñòðàííîãî. Îíà íóæíà åñëè Âû îáðàùàåòåñü ïî âíåøíåìó àäðåñó íà âèðóòàëüíûé ñåðâåð èç âíóòðåííåé ñåòè.

Åñòü èäåè?
Åñëè èíòåðåñóåò ïîäðîáíîå òåõíè÷åñêîå îïèñàíèå ïðîáëåìû è ñïîñîáà ðåøåíèÿ ñì. http://www.opennet.ru/docs/RUS/iptables/#DNATTARGET

Íè÷åãî ñòðàííîãî. Îíà íóæíà åñëè Âû îáðàùàåòåñü ïî âíåøíåìó àäðåñó íà âèðóòàëüíûé ñåðâåð èç âíóòðåííåé ñåòè.
Äåéñòâèòåëüíî. Êàê-òî íè ðàçó íå ïðèõîäèëî â ãîëîâó, ÷òî ê ëîêàëüíûì õîñòàì ìîæíî îáðàùàòüñÿ ÷åðåç NAT. :) Ñïàñèáî çà ðàçúÿñíåíèå.

Ïðîøèâêà WL500gp-1.9.2.7-8.19.trx
Êàê ìîæíî ìåíÿòü ïðàâèëà êîòîðûå çàáèòû ïî óìîë÷àíèþ (ìîæåò åñòü ôàéë)?
Èëè åäèíñòâåííûé ñïîñîá ìåíÿòü ïðàâèëè IPTables ÷åðåç /usr/local/sbin/post-firewall – (èñïîëíÿåòñÿ âñÿêèé ðàç, ïîñëå òîãî êàê óñòðîéñòâî ìåíÿåò âíóòðåííèå ïðàâèëà ñ ïîìîùüþ êîìàíä iptables, ñ òåì, ÷òîáû Âû ìîãëè âíåñòè ñâîè èçìåíåíèÿ â firewall)?

À â ÷¸ì, ñîáñòâåííî, ïðîáëåìà?

Ó ìåíÿ, íàïðèìåð, òàê:



# Default policy
iptables -P INPUT DROP
iptables -D INPUT -j DROP
iptables -D INPUT -m state --state INVALID -j DROP
iptables -I INPUT 1 -m state --state INVALID -j logdrop
iptables -F logdrop
iptables -A logdrop -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
iptables -A logdrop -j DROP

+ êó÷à ñòðî÷åê äëÿ ñåðâèñîâ.

Ïðîáëåìû äåéñòâèòåëüíî íåò.
Ïðîñòî õî÷åòñÿ ïîíÿòü, ãäå òî æå äîëæíû áûòü íàñòðîéêè, êîòîðûå èçíà÷àëüíî â ïðîøèâêå… È ãëàâíîå õî÷åòñÿ ïîíÿòü ìîæíî ëè èõ ìåíÿòü? :confused:
P.S. È ñïàñèáî ÷òî îòêëèêíóëèñü…

Âî ïåðâûõ, åñòü êîììàíäà iptables-save
Âî âòîðûõ, ïðè çàãðóçêå ïî óñòàíîâêàì âåá-ìîðäû ãåíåðÿòñÿ ôàéëû /tmp/filter_rules è /tmp/nat_rules , êîòîðûå çàòåì çàëèâàþòñÿ ñ ïîìîùüþ iptables-restore

Ïîäíÿë SSH ñåðâåð, êàê îïèñàíî â íàñòðîéêå ðîóòåðà ñ íóëÿ, ðàçðåøèë â iptables äîñòóï ïî WAN
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
âñå çàðàáîòàëî, õîòÿ ìíå íå î÷åíü ïîíÿòíî, ïî÷åìó äàííîå ïðàâèëî ðàçðåøàåò äîñòóï èìåíî ïî WAN...
(ò.å. äî òîãî êàê åãî ïðîïèñàë, ÿìîã òîëêüî èç LAN ëåçòü ïî SSH, íî âåäü ýòî-òî òîæå INPUT ?)

Íî òóò ïîíÿë, ÷òî íà ðàáîòå ó ìåíÿ çàêðûò 22 ïîðò:(

êàê ìîæíî íà ðîóòåðå ïðîïèñàòü ïåðåêèäûâàíèå ïàêåòîâ ïðèõîäÿùèõ ÈÌÅÍÍÎ ÏÎ WAN íà êàêîé-íèòü 8081 ïîðò íà ïîðò 22?
èëè ìîæíî â íàñòðîéêàõ SSH ñåðâåðà èçìåíèòü ïîðò äëÿ âíåøíåãî èíòåðôåéñà?

iptables -t nat -A PREROUTING -i $1 -p tcp --dport 8081 -j DNAT --to-destination $4:22
èëè
dropbear -p 22 -p 8081

ê ñîæàëåíèþ, íè âûïîëíåíèå êîìàíäû
dropbear -p 22 -p 8081
íè ïðîïèñûâàíèÿ
iptables -t nat -A PREROUTING -i $1 -p tcp --dport 8081 -j DNAT --to-destination $4:22 â post-firewall ñ ïîñëåäóþùåé ïåðåçàãðóçêîé íå ïîìîãëè...
ssh òàê è ñîåäèíÿòåòñÿ èçâíå è èç ëîêàëêè ïî 22 ïîðòó
à íàäî ÷òî áû èçìíå ïî 8081 ,à èç ëîêàëêè ïî 22...

òàê, êîíêðåòèçèðóþ.

Ïî ïåðâîìó âàðèàíó îáðàùåíèå èç wan ê ïîðòó 8081 äîëæíî ïðèâåñòè ê ïåðåáðîñó íà 22é ïîðò, íà êîòîðîì ssh ñåðâåð ñèäèò ïî óìîë÷àíèþ.

Âòîðîé âàðèàíò çàäàåò dropbear ñëóøàòü íà äâóõ ïîðòàõ, ïðè ýòîì äîñòóï íà 8081 èç wan äîëæåí áûòü ðàçðåøåí:
iptables -A INPUT -p tcp --syn --dport 8081 -j ACCEPT

_â_îáîèõ_ñëó÷àÿõ_ ïðàâèëî iptables -I INPUT -p tcp --dport 22 -j ACCEPT äîëæíî îòñóòñòâîâàòü.

Âñå äåéñòâèÿ ñ iptables äîëæíû áûòü çàïèñàíû â post-firewall

Åñëè ïî ïðåæíåìó íå ïîìîæåò --- ïðèâåäèòå âûâîä ñëåäóþùèõ êîììàíä
iptables -L
iptables -L -t nat
netstat -na | grep LISTEN

òàê, êîíêðåòèçèðóþ.

Ïî ïåðâîìó âàðèàíó îáðàùåíèå èç wan ê ïîðòó 8081 äîëæíî ïðèâåñòè ê ïåðåáðîñó íà 22é ïîðò, íà êîòîðîì ssh ñåðâåð ñèäèò ïî óìîë÷àíèþ.

Âòîðîé âàðèàíò çàäàåò dropbear ñëóøàòü íà äâóõ ïîðòàõ, ïðè ýòîì äîñòóï íà 8081 èç wan äîëæåí áûòü ðàçðåøåí:
iptables -A INPUT -p tcp --syn --dport 8081 -j ACCEPT

_â_îáîèõ_ñëó÷àÿõ_ ïðàâèëî iptables -I INPUT -p tcp --dport 22 -j ACCEPT äîëæíî îòñóòñòâîâàòü.

Âñå äåéñòâèÿ ñ iptables äîëæíû áûòü çàïèñàíû â post-firewall

Åñëè ïî ïðåæíåìó íå ïîìîæåò --- ïðèâåäèòå âûâîä ñëåäóþùèõ êîììàíä
iptables -L
iptables -L -t nat
netstat -na | grep LISTEN

Ñïàñèáî! Äîìà ïîïðîáóþ...
íî ïî ïîâîäó iptables ÿ íå î÷åíü ïîíèìàþ ãäå óêàçûâàåòñÿ ÷òî ïðàâèëà ñîçäàåòñÿ äëÿ èíòðåôåñà WAN à íå LAN?

à ïî ïîâîäó âòîðîãî ñïîñîáà âîïðîñ â òîì, ÷òî êîìàíäó dropbear -p 22 -p 8081 íàäî ïðîñòî âûïîëíèòü èëè ãäå-òî ïðîïèñàòü? ò.å. êàê ñäåëàòü ÷òî áû ïîñëå ïåðåçàãðóçêè îíà îñòàëàñü â ñèëå
?

1) ïî óìîë÷àíèþ ôàéðâîë â ýòèõ ïðîøèâêàõ ñèäèò íà wan, à â lan åãî íåò. Ýòî íóæíî ïðîñòî ïðèíÿòü êàê óòâåðæäåíèå, íå òðåáóþùåå äîêàçàòåëüñòâà.
2) â post-boot

â post-firewall ïðîïèñàë
iptables -t nat -A PREROUTING -i $1 -p tcp --dport 8081 -j DNAT --to-destination $4:22
iptables -A INPUT -p tcp --syn --dport 8081 -j ACCEPT

ñîõðàíèëñÿ è äàæå ïåðåçàãðóçèëñÿ, íî ýòî íå ïîìîãëî:(

áóäó ýêñïåðèìåíòèðîâàòü äàëüøå...

â post-firewall ïðîïèñàë
iptables -t nat -A PREROUTING -i $1 -p tcp --dport 8081 -j DNAT --to-destination $4:22
iptables -A INPUT -p tcp --syn --dport 8081 -j ACCEPT

ñîõðàíèëñÿ è äàæå ïåðåçàãðóçèëñÿ, íî ýòî íå ïîìîãëî:(

áóäó ýêñïåðèìåíòèðîâàòü äàëüøå...

Íå ïîíèìàþ â ÷åì ïðîáëåìà, ïðåäûäóùèå ñîâåòû âïîëíå õîðîøè, âîò ìîé âàðèàíò:
post-boot

dropbear -p 443 > /dev/null 2>&1
post-firewall

iptables -P INPUT DROP
#remove last default rule
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp --syn --dport 443 -j ACCEPT
iptables -A INPUT -j DROP

ïîòîì ñîõðàíÿåìñÿ è ïåðåãðóæàåìñÿ

/sbin/flashfs save && /sbin/flashfs commit && /sbin/flashfs enable && reboot

Âñå. SSH âèñèò íà 443 ïîðòó, êîòîðûé ñîááñíî îòêðûò âåçäå.

ñïàñèáî çà ñîâåò, ÿ èõ òîæå ïîïðîáó...
íî íà äàííûé ìîìåíò
post-firewall ñîäåðæèò:



#!/bin/sh
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -i -p tcp --dport 8081 -j DNAT --to-destination :
iptables -A INPUT -p tcp --syn --dport 8081 -j ACCEPT


íî
iptables -L
âîçâðàùàåò:


Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
SECURITY all -- anywhere anywhere state NEW
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
SECURITY all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere ctstate DNAT

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain MACS (0 references)
target prot opt source destination

Chain SECURITY (2 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5
RETURN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
RETURN udp -- anywhere anywhere limit: avg 5/sec burst 5
RETURN icmp -- anywhere anywhere limit: avg 5/sec burst 5
DROP all -- anywhere anywhere

Chain logaccept (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT all -- anywhere anywhere

Chain logdrop (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
DROP all -- anywhere anywhere



iptables -L -t nat


Chain PREROUTING (policy ACCEPT)
target prot opt source destination
VSERVER all -- anywhere 213.xxxxx<ìîé âíåøíèé IP>
VSERVER all -- anywhere 10.16.81.233
NETMAP udp -- anywhere 213.xxxxx<ìîé âíåøíèé IP> udp spt:6112 192.168.0.0/24

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
NETMAP udp -- 192.168.0.0/24 anywhere udp dpt:6112 213.141.140.91/32
MASQUERADE all -- !213.xxxxx<ìîé âíåøíèé IP> anywhere
MASQUERADE all -- !10.16.81.233 anywhere
MASQUERADE all -- 192.168.0.0/24 192.168.0.0/24

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain VSERVER (2 references)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:59627 to:192.168.0.147:59627
DNAT udp -- anywhere anywhere udp dpt:59627 to:192.168.0.147:59627


netstat -na | grep LISTEN


tcp 0 0 0.0.0.0:1025 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:1026 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:515 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:1028 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:1029 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:1030 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:1031 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:1032 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:1033 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:1034 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:1035 0.0.0.0:* LISTEN
tcp 0 0 192.168.0.1:139 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:1036 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:9100 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:5431 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3838 0.0.0.0:* LISTEN
tcp 0 0 :::22 :::* LISTEN
tcp 0 0 :::23 :::* LISTEN


ò.å., íà ñêîëüêî ÿ ïîíèìàþ, post-firewall ó ìåíÿ íå ñðàáîòàë?
åñëè òàê, òî ïî÷åìó ýòî ìîæåò áûòü?

ñïàñèáî çà ñîâåò, ÿ èõ òîæå ïîïðîáó...
íî íà äàííûé ìîìåíò
post-firewall ñîäåðæèò:



#!/bin/sh
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -i -p tcp --dport 8081 -j DNAT --to-destination :
iptables -A INPUT -p tcp --syn --dport 8081 -j ACCEPT


ò.å., íà ñêîëüêî ÿ ïîíèìàþ, post-firewall ó ìåíÿ íå ñðàáîòàë?
åñëè òàê, òî ïî÷åìó ýòî ìîæåò áûòü?
Ìåíÿ ñìóùàþò êëþ÷èêè -I, -t íàäî ÷èòàòü ìàí ïî èïòàáëåñ :)
À âîîáøå 22 ïîðò îòêðûò âñå íîðìàëüíî.
ÊÎãäà ÿ ñåáå äåëàë ôòï ÿ äåëàë íåìíîãî ïî äðóãîìó :

#FTP Server Local 21, remote 6667
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 6667 -j ACCEPT

âðîäå ðàáîòàëî :)

ÿ òîëüêî ÷òî çàìåòèë ñâîþ íåâíèìàòåëüíîñòü, al37919 ñîâåòîâàë íàïèñàòü

iptables -t nat -A PREROUTING -i $1 -p tcp --dport 8081 -j DNAT --to-destination $4:22

òîãäà êàê ó ìåíÿ:


iptables -t nat -A PREROUTING -i -p tcp --dport 8081 -j DNAT --to-destination :

ïðàâäà, ÿ íå ïîíèìàþ ÷òî çàí÷àò $1 è $4...

ñòðîêó

iptables -I INPUT -p tcp --dport 22 -j ACCEPT
ÿ ââåë â ñîîòâåòñòâèè ñ ðóêîâîäñòâîì ïî íàñòðîéêó ðîóòåðà ñ íóëÿ...
Ê ñîæàëåíèþ,ñ ëèíóõîì òîëüêî ðàçáèðàþñü...

ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

îçíà÷àåò, ÷òî


iptables -I INPUT -p tcp --dport 22 -j ACCEPT

çàïóùåíî (ò.å. post-firewall âûïîëíÿåòñÿ). Êðîìå òîãî, ýòî îçíà÷àåò, ÷òî 22é ïîðò â wan îòêðûò (âû êàæåòñÿ ïèøåòå, ÷òî ýòî íå òî, ÷òî âû õîòèòå).

âòîðàÿ ñòðîêà äåéñòâèòåëüíî ïðèâåäåíà ñ îøèáêîé, ïîýòîìó îíà íå âûïîëíÿåòñÿ, ñëåäîâ òðåòüå ñòðîêè òîæå íå îáíàðóæåíî. Âîçìîæíî post-firewall âûëåòàåò ïîñëå ïåðâîãî îøèáî÷íîãî ïðàâèëà iptables (õîòÿ ñòðàííîâàòî ýòî.)

$1 è $4 --- ýòî ïàðàìåòðû, êîòîðûå ïåðåäàþòñÿ post-firewall ïðè åãî çàïóñêå. ×òîáû óçíàòü ÷åìó ðàâíû ýòè ïàðàìåòðû äîáàâüòå ê post-firewall òàêóþ ñòðîêó:


echo "$0 $1 $2 $3 $4 $5 $6" > /tmp/post-firewall.log
è ïîñìîòðèòå ñîäåðæèìîå ôàéëà /tmp/post-firewall.log

Êðîìå òîãî, â íà÷àëå post-firewall íóæíî äîáàâèòü ñëåäóþùåå (äëÿ îòìåíû ïîñëåäíåãî ïðàâèëà â öåïî÷êå INPUT, êîòîðîå äðîïàåò âñå):

iptables -P INPUT DROP
iptables -D INPUT -j DROP

P.S. È, â çàêëþ÷åíèå, ìîé ïåðâûé âàðèàíò ñêîðåå âñåãî íå ïîéäåò, ò.ê. îí ñêîðåå âñåãî ïîòðåáóåò íàëè÷èÿ ïðàâèëà:

iptables -À INPUT -p tcp --dport 22 -j ACCEPT
êîòîðîå îòêðîåò 22é ïîðò è íàðóæó òîæå (à ýòî êàæåòñÿ íå òî ÷òî íàäî? )...

Íó, íà ïåðâûõ ïîðàõ ìíå íàäî áûëî îòêðûòü äð ïîðò äëÿ ssh íå ðàäè áåçîïàñòíîñòè, à ðàäè òîãî, ÷òî áû ÿ ìîã ñ ðàáîòû, ãäå 22 ïîðò çàêðûò, ñòó÷àòüñÿ ê ñâîåìó ðîóòåðó... íî ïî÷èòàâ è ïîäóìàâ ïîáîëüøå, ðåøèë, ÷òî äåéñòâèòåëüíî ëó÷øå çàêðûòü 22 ïîðò...
ìîæåò òîãäà äåéñòâèòåëüíî íóæíî ïðîñòî îòêðòü äðóãîé ïîðò â iptables è â dropbear óêàçàòü ÷òî á ñëóøàë åãî.... ?

Ïîïðîáîâàë. êàê ñêàçàë Max128:


âîò ìîé âàðèàíò:
post-boot

dropbear -p 443 > /dev/null 2>&1
post-firewall

iptables -P INPUT DROP
#remove last default rule
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp --syn --dport 443 -j ACCEPT
iptables -A INPUT -j DROP

ïîòîì ñîõðàíÿåìñÿ è ïåðåãðóæàåìñÿ

/sbin/flashfs save && /sbin/flashfs commit && /sbin/flashfs enable && reboot

Âñå. SSH âèñèò íà 443 ïîðòó, êîòîðûé ñîááñíî îòêðûò âåçäå.
SSH, äåéñòâèòåëüíî ïîâèñ íà 443 ïîðòó (è ëîêàëüíî ÿ ïî íåìó ïîäêëþ÷àëñÿ), íî http://www.pcflank.com/scanner1.htm ãîâîðèò ÷òî 443 ïîðò çàêðûò...

iptables -L


Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
SECURITY all -- anywhere anywhere state NEW
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
SECURITY all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere ctstate DNAT

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain MACS (0 references)
target prot opt source destination

Chain SECURITY (2 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5
RETURN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
RETURN udp -- anywhere anywhere limit: avg 5/sec burst 5
RETURN icmp -- anywhere anywhere limit: avg 5/sec burst 5
DROP all -- anywhere anywhere

Chain logaccept (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT all -- anywhere anywhere

Chain logdrop (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
DROP all -- anywhere anywhere


iptables -L -t nat


Chain PREROUTING (policy ACCEPT)
target prot opt source destination
VSERVER all -- anywhere 213.141.140.91
VSERVER all -- anywhere 10.16.81.233
NETMAP udp -- anywhere 213.xxxx udp spt:6112 192.168.0.0/24

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
NETMAP udp -- 192.168.0.0/24 anywhere udp dpt:6112 213.141.140.91/32
MASQUERADE all -- !213.xxxx anywhere
MASQUERADE all -- !10.16.81.233 anywhere
MASQUERADE all -- 192.168.0.0/24 192.168.0.0/24

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain VSERVER (2 references)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:59627 to:192.168.0.147:59627
DNAT udp -- anywhere anywhere udp dpt:59627 to:192.168.0.147:59627


netstat -na | grep LISTEN


tcp 0 0 0.0.0.0:515 0.0.0.0:* LISTEN
tcp 0 0 192.168.0.1:139 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:9100 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:5431 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3838 0.0.0.0:* LISTEN
tcp 0 0 :::23 :::* LISTEN
tcp 0 0 :::443 :::* LISTEN
unix 2 [ ACC ] STREAM LISTENING 1451 /var/run/pptp/255.255.255.255:10.10.9.53


ÿ ïðîäå ïîíèìàþ, ÷òî ïîñëåäíèé ëèñòèíã ãîâîðèò, êàêèå ïîðòû ñëóøàþòñÿ, ò.å. ïîäòâåðæäàåò, ÷òî äðîïáèð ðàáîòàåò íà 443 ïîðòó...
Íî, ê ñîæàëåíèþ, ÿ ïîêà òàê è íå ðàçîáðàëñÿ, êàê ïîíèìàòü iptables -L è iptables -L -t nat, íî íå íàéäÿ òàì 443 ïîðò ìîãó ïîíÿòü, ÷òî ôàåðâîë åãî íå ïðîïóñêàåò... à âîò ïî÷åìó...:(

Ïîïðîáîâàë. êàê ñêàçàë Max128:

SSH, äåéñòâèòåëüíî ïîâèñ íà 443 ïîðòó (è ëîêàëüíî ÿ ïî íåìó ïîäêëþ÷àëñÿ), íî http://www.pcflank.com/scanner1.htm ãîâîðèò ÷òî 443 ïîðò çàêðûò...
(
íåâåðíàÿ ìåòîäèêà òåñòèðîâàíèÿ èìõî :) òåñò ïðîâåðÿò îòêðûòûå ÍÀ ÊÎÌÏÅ ïîðòû à íå íà ðîóòåðå :)
ðåêêîìåíäóþ ïðîâåðèòü ñíàðóæè âñåòàêè
íàïðèìåð ïî ãïðñó :)

Chain INPUT (policy DROP)
ãîâîðèò, ÷òî

iptables -P INPUT DROP
âûïîëíåíî. Ñ äðóãîé ñòîðîíû íèêàêèõ ïðèçíàêîâ âûïîëíåíèÿ

iptables -A INPUT -p tcp --syn --dport 443 -j ACCEPT
íå íàáëþäàåòñÿ...

ïîäòâåðæäàåò, ÷òî äðîïáèð ðàáîòàåò íà 443 ïîðòó
ñîâåðøåííî ñïðàâåäëèâî

Íî, ê ñîæàëåíèþ, ÿ ïîêà òàê è íå ðàçîáðàëñÿ, êàê ïîíèìàòü iptables -L è iptables -L -t nat
ó iptables åñòü òðè òàáëèöû filter (ïî óìîë÷àíèþ), nat è mangle (ýêçîòèêà).
Âîîáùå, õîðîøåå îïèñàíèå iptables åñòü çäåñü: http://www.opennet.ru/docs/RUS/iptables/

ÈÌÕÎ â ïåðâóþ î÷åðåäü íàäî ðàçîáðàòüñÿ ïî÷åìó ÷àòü post-fw âûïîëíÿåòñÿ, à ÷àñòü íåò. Îäèí èç âàðèàíòîâ òàêîé --- ââîäèòü êîìàíäû ñ êîíñîëè è ñðàçó êîíòðîëèðîâàòü, ÷òî ïðàâèëî äîáàâëåíî è êóäà.

ýòî âíåøíèé òåñò

ïîïðîáîâàë èçâíå, ïî 443 ïîðòó òàê è íå óäàëîñü ñîåäèíèòüñÿ....:(
à êàê ìîæíî ïîýòàïíî ïðîâåðÿòü, ÷òî iptables âûïîëíÿåò, à ÷òî íåò?

Âû ìîæåòå âûïîëíÿòü âñå êîìàíäû ïî íàñòðîéêå iptables èç êîíñîëè (íå ÷åðåç post-firewall + ïåðåçàãðóçêà) â ïðîöåññå îòëàäêè. Òîãäà âû óâèäèòå âñå ñîîáùåíèÿ îá îøèáêàõ è ïîñëå êàæäîé êîìàíäû ñìîæåòå ïðîâåðÿòü òàáëèöó. Íàäî òîëüêî íå çàáûâàòü ïîäìåíÿòü $1 ... íà ñîîòâ çíà÷åíèÿ.

+ Î÷åíü ðåêîìåíäóþ õîòÿ áû ïî äèàãîíàëè ïðîáåæàòüñÿ ïî óêàçàííîìó âûøå äîêóìåíòó ïî iptables íà opennet ÷òî áû ïðåäñòàâëÿòü ÷òî îçíà÷àåò -I -A -L è ïð. Òàì åñòü íåïëîõèå ïðèìåðû.

Äà, ñïàñèáî çà ñññûëêó, îáÿçàòåëüíî èçó÷ó, äðóãîé âîïðîñ ,÷òî ïîíèìàòü ÷òî îçíà÷àþò êîììàäíû è ïèñàòü èõ -ýòî ðàçíûå âåùè :))
íî, äóìàþ, ñî âðåìåíèåì, ðåøó è ýòó çàäà÷ó:)

Åñòü ïàðà âîïðîñîâ:

1) ìîæíî ëè ñîçäàòü îäíî ïðàâèëî äëÿ äâóõ ïðîòîêîëîâ (tcp+udp);
2) òî æå ñàìîå äëÿ íåñìåæíîé ãðóïïû ïîðòîâ.

Åñòü ïàðà âîïðîñîâ:

1) ìîæíî ëè ñîçäàòü îäíî ïðàâèëî äëÿ äâóõ ïðîòîêîëîâ (tcp+udp);
2) òî æå ñàìîå äëÿ íåñìåæíîé ãðóïïû ïîðòîâ.

1. Èìõî íåò
2. --dports xx,xy,xz

1. Èìõî íåò
2. --dports xx,xy,xz

2) íå ïðèíèìàåò:

[routah:root] iptables -A INPUT -p tcp --dports 1,2,3,4 -j ACCEPT
iptables v1.2.7a: Unknown arg `--dports'

2) íå ïðèíèìàåò:

çàí÷èò èäåì âñå âìåñòå ÷èòàòü ìàíóàë ïî iptables :) òåì áîëåå îí òóò åñòü äåòî

À êàêóþ ñòðî÷êó íàäî ïðîïèñàòü è â êàêîì ôàéëå, ÷òî áû â Firewall çàêðûòü ïîðò FTP äëÿ äîñòóïà èç WAN, êîòîðûé îòêðûò ïî óìîë÷àíèþ.


Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp

À êàêóþ ñòðî÷êó íàäî ïðîïèñàòü è â êàêîì ôàéëå, ÷òî áû â Firewall çàêðûòü ïîðò FTP äëÿ äîñòóïà èç WAN, êîòîðûé îòêðûò ïî óìîë÷àíèþ.

â /usr/local/sbin/post-firewal

iptables -A INPUT -p tcp -m tcp -i vlan1 --dport 21 -j DROP
iptables -A INPUT -p tcp -m tcp -i ppp0 --dport 21 -j DROP

Íå ñðàáîòàåò, ïîðÿäîê îáõîäà ïðàâèë äðóãîé.

Èäåîëîãè÷åñêè ïðàâèëüíåå óäàëèòü èìåþùóþñÿ ñ ðàçðåøåíèåì:

iptables -D INPUT -p tcp -m tcp --dport 21 -j ACCEPT

Ëèáî îòêëþ÷èòü èç âåáìîðäû ftp è çàïóñêàòü âðó÷íóþ.

post-boot

dropbear -p 2120 > /dev/null 2>&1
/opt/bin/dbhub

post-mount

mount -obind /tmp/harddisk/opt /opt
post-firewall

iptables -P INPUT DROP
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp --syn --dport 2120 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 411 -j ACCEPT
iptables -A INPUT -j DROP

Êòî-íèáóäü ïîäñêàæåò - ïîñëå ïåðåçàãðóçêè ðîóòåðà ïðàâèëà ïåðåñòàþò ðàáîòàòü :( ò.å. íå ñòàðòóþò ? Äðîïáåàð çàïóñêàåòñÿ è ðàáîòàåò íîðìàëüíî, íî ïðàâèëî îòêðûâàþùåå ïîðò ïðè çàãðóçêå íå ñðàáàòûâàåò ... ïðîøèâêà ïîñëåäíÿÿ.

Íó òàê íèêòî è íå ïîäñêàæåò ???

ñìîòðåòü âûâîä iptables -L

ñìîòðåòü âûâîä iptables -L

À ÷åãî òàì ñìîòðåòü ? åñòåñòâåííî ïîñëå ïåðåçàãðóçêè ðîóòåðà ýòèõ ïðàâèë ìîèõ â òàáëèöå íåò :(, ÿ íàâåðíîå ÷åòî íå òàê äåëàþ...

çíà÷èò post-firewall íå âûïîëíÿåòñÿ

À ïîñëå ïåðåçàãðóçêè post-firewall ñîæäåðæèò âñå èçìåíåíèÿ?
post-farewall òî÷íî èñïîëíÿåìûé? ïåðâàÿ ñòðîêà êàêàÿ â ýòîì ôàéëå?
åñëè âïîëíÿòü êîìàíäû, êîòîðûå ïðîïèñàíû â post-farewall, âðó÷íóþ, îíè ñðàáàòûâàþò? (ëó÷øå ïðîâåðÿòü êîïèðóÿ òî, ÷òî íàïèñàíî â ôàéëå, ÷òî áû ïðîâåðèòü è ñèíòàêñèñ)

Äà post-firewall ïîñëå ïåðåçàãðóçêè ñîõðàíÿåò èçìåíåíèÿ, èñïîëíÿåìûé ëè îí ÿ åñëè ÷åñòíî íå çíàþ :( è íå çíàþ êàê ïðîâåðèòü ýòî.
ïåðâàÿ ñòðîêà #!/bin/sh
äà ñòðî÷êè êîòîðûå â í¸ì êîïè-ïàñòîì ñðàáàòûâàþò áåç ïðîáëåì, íè êàêèõ áîëüøå èäåé ÷òî ìîæåò áûòü ? Òîëüêî âîò åù¸ ïðîáëåìà 1-2 ðàçà â ñóòêè ýòè ïðàâèëà ñëåòàþò ñàìè ïî ñåáå äàæå åñëè ðîóòåð íå ïåðåçàãðóæàëñÿ :( è ñàìîå îáèäíîå - ñëåòàþò òîëüêî äëÿ wan äëÿ lana âñ¸ ïàøåò, è â iptables -L ýòè ïðàâèëà òàêæå ñóùåñòâóþò (êîãäà ñëåòåëè), íî íå âûïîëíÿþòñÿ, äîïóñòèì - ÿ çàìåòèë ÷òî ïðàâèëà ñëåòåëè - çàãîíÿþ èõ ÷åðåç êîìàíäíóþ ñòðîêó ñíîâà, âûâîæó îïÿòü iptables -L è âèæó êàê ýòè ïðàâèëà óñïåøíî çàäóáëèðîâàëèñü â òàáëèöå - áðåä êàêîéòî.
ÿ óæå âñþ ãîëîâó ñëîìàë ÷òî ìîæåò áûòü òàêîå :(, îòêëþ÷åíèé ýë-âà ïðè ýòîì íåò ...
Ñàìè ïðàâèëà âûãëÿäÿò òàê:
iptables -I INPUT -p tcp --dport 411 -j ACCEPT
iptables -I INPUT -p tcp --dport 2120 -j ACCEPT
è òîæå ñàìîå
iptables -A INPUT -p tcp --syn --dport 411 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 2120 -j ACCEPT
èëè íå òîæå ñàìîå? âîáùåì ïðîáîâàë èòàê è ýäàê.

Äà post-firewall ïîñëå ïåðåçàãðóçêè ñîõðàíÿåò èçìåíåíèÿ, èñïîëíÿåìûé ëè îí ÿ åñëè ÷åñòíî íå çíàþ :( è íå çíàþ êàê ïðîâåðèòü ýòî.

ïîñëå êîìàíäû
chmod +x /usr/local/sbin/post-firewall
ýòîò ôàéë ñòàíåò èñïîíÿåìûì...

Ïðèâåò. ß õî÷ó â ýêñï. öåëÿõ ñäåëàòü òàê, ÷òîáû íà 9901 ïîðòó ó ìåíÿ îòêðûâàëàñü ñòðàíè÷êà ÿíäåêñà, è ÷òîáû ê ýòîìó ïîðòó ìîæíî áûëî ïîäêëþ÷èòüñÿ ñíàðóæè. Íå ïîëó÷àåòñÿ. Ìîæåò áûòü ýòî ïîòîìó, ÷òî ó ïàêåòîâ èñòî÷íèê íå ìåíÿåòñÿ, è èõ ïðîâàéäåð íå ïóñêàåò?
Ìîé âíåøíèé èíòåðôåéñ vlan1


iptables -i vlan1 -I INPUT -p tcp --dport 9900:9999 -j ACCEPT
iptables -t nat -I PREROUTING -i vlan1 -p tcp --dport 9901 -j DNAT --to 213.180.204.8:80

Ïðèâåò. ß õî÷ó â ýêñï. öåëÿõ ñäåëàòü òàê, ÷òîáû íà 9901 ïîðòó ó ìåíÿ îòêðûâàëàñü ñòðàíè÷êà ÿíäåêñà, è ÷òîáû ê ýòîìó ïîðòó ìîæíî áûëî ïîäêëþ÷èòüñÿ ñíàðóæè. Íå ïîëó÷àåòñÿ. Ìîæåò áûòü ýòî ïîòîìó, ÷òî ó ïàêåòîâ èñòî÷íèê íå ìåíÿåòñÿ, è èõ ïðîâàéäåð íå ïóñêàåò?
Ìîé âíåøíèé èíòåðôåéñ vlan1


iptables -i vlan1 -I INPUT -p tcp --dport 9900:9999 -j ACCEPT
iptables -t nat -I PREROUTING -i vlan1 -p tcp --dport 9901 -j DNAT --to 213.180.204.8:80

×èòàåì âíèìàòåëüíî http://www.opennet.ru/docs/RUS/iptables/#DNATTARGET
Äåëî â òîì ÷òî àäðåñ ïîëó÷àòåëÿ Âû çàìåíèëè, à àäðåñ îòïðàâèòåëÿ íåò, ïàêåò óøåë ÿíäåêñó è îò îòâåò îòïðàâèë íå Âàøåìó àñóñó, à ðåàëüíîìó îòïðàâèòåëþ ïàêåòà. Íóæíî åùå ñäåëàòü SNAT, â óêàçàííîì âûøå ðóêîâîäñòâå ýòî âñå õîðîøî îïèñàíî.
×òî-òî âðîäå

iptables -t nat -A POSTROUTING -p tcp --dst 213.180.204.8 --dport 80 \
-j MASQUERADE

ïîëó÷àåòñÿ ïðîáðàñûâàòü ïîðòû ëèáî èçíóòðè íàðóæó, ëèáî ñíàðóæè âíóòðü. À ñíàðóæè íàðóæó íå ïîëó÷àåòñÿ.

ïîëó÷àåòñÿ ïðîáðàñûâàòü ïîðòû ëèáî èçíóòðè íàðóæó, ëèáî ñíàðóæè âíóòðü. À ñíàðóæè íàðóæó íå ïîëó÷àåòñÿ.
À Âû ÷èòàëè IPTables Tutorial, ïðîáîâàëè îïèñàííûé ðåöåïò?
Îáðàùàþ âíèìàíèå íà òî, ÷òî íóæíû äâà ïðàâèëà -- ïåðâîå äëÿ çàìåíû àäðåñà ïîëó÷àòåëÿ ïàêåòà (DNAT) è âòîðîå äëÿ çàìåíû àäðåñà îòïðàâèòåëÿ (SNAT).
Ó ìåíÿ ðàáîòàåò

iptables -i vlan1 -I INPUT -p tcp --dport 9900 -j ACCEPT
iptables -t nat -I PREROUTING -i vlan1 -p tcp --dport 9900 -j DNAT --to IP-àäðåñ-ñàéòà:80
iptables -t nat -I POSTROUTING -p tcp --dst IP-àäðåñ-ñàéòà --dport 80 -j MASQUERADE

Ïðèâåò All
Èçâèíÿþñü çà ãëóïûé âîïðîñ.

Ó ìåíÿ ñëåäóþùàÿ ïðîáëåìà: ÿ ïîëó÷èë âíåøíèé IP, ñîîòâåòñòâåííî ñ êîìïà çà ïðåäåëàìè ìîåé ëîêàëüíîé ñåòè îí ïèíãóåòñÿ, à âîò âíóòðè ñàìîé ëîêàëüíîé ñåòè íåò. Èç-çà ýòîãî âîçíèêàþò ïðîáëåìû: íàïðèìåð îòëàæèâàÿ web ñàéò íà ñâî¸ì êîìïå âíóòðè ñåòè èä¸ò çàïðîñ íà ïîëó÷åíèå ðèñóíêà ïî âíåøíåìó IP, ñîîòâåòñòâåííî URL íå íàõîäèòñÿ è ðèñóíîê íå ãðóçèòüñÿ.

Êàê ÿ ïîíÿë ïîèñêàâ ïî ýòîìó ôîðóìó ïðîáëåìà ñ NAT.

Ïîìîãèòå ïîæàëóéñòî åãî íàñòðîèòü èëè ïîäåëèòåñü ññûëêîé íà îïèñàíèå ðåøåíèÿ ìîåé ïðîáëåìû (ÿ äóìàþ îíà âîçíèêàåò äîâîëüíî ÷àñòî è óæå ãäå-òî îïèñàíî ÷òî íóæíî äåëàòü â òàêîé ñèòóàöèè).

Çàðàíåå ñïàñèáî :)

P.S.
Åñëè äëÿ ðåøåíèÿ íåîáõîäèìà äîïîëíèòåëüíàÿ èíôîðìàöèÿ, òî ÿ ãîòîâ å¸ ïðåäîñòàâèòü.

Ïðèâåò All
Èçâèíÿþñü çà ãëóïûé âîïðîñ.

Ó ìåíÿ ñëåäóþùàÿ ïðîáëåìà: ÿ ïîëó÷èë âíåøíèé IP, ñîîòâåòñòâåííî ñ êîìïà çà ïðåäåëàìè ìîåé ëîêàëüíîé ñåòè îí ïèíãóåòñÿ, à âîò âíóòðè ñàìîé ëîêàëüíîé ñåòè íåò. Èç-çà ýòîãî âîçíèêàþò ïðîáëåìû: íàïðèìåð îòëàæèâàÿ web ñàéò íà ñâî¸ì êîìïå âíóòðè ñåòè èä¸ò çàïðîñ íà ïîëó÷åíèå ðèñóíêà ïî âíåøíåìó IP, ñîîòâåòñòâåííî URL íå íàõîäèòñÿ è ðèñóíîê íå ãðóçèòüñÿ.

Êàê ÿ ïîíÿë ïîèñêàâ ïî ýòîìó ôîðóìó ïðîáëåìà ñ NAT.

Ïîìîãèòå ïîæàëóéñòî åãî íàñòðîèòü èëè ïîäåëèòåñü ññûëêîé íà îïèñàíèå ðåøåíèÿ ìîåé ïðîáëåìû (ÿ äóìàþ îíà âîçíèêàåò äîâîëüíî ÷àñòî è óæå ãäå-òî îïèñàíî ÷òî íóæíî äåëàòü â òàêîé ñèòóàöèè).

Çàðàíåå ñïàñèáî :)

P.S.
Åñëè äëÿ ðåøåíèÿ íåîáõîäèìà äîïîëíèòåëüíàÿ èíôîðìàöèÿ, òî ÿ ãîòîâ å¸ ïðåäîñòàâèòü.
À ïî÷åìó íà ñàéòå æåñòêèå ññûëêó ïî IP?? ðàçâå ïî-÷åëîâå÷åñêè íåëüçÿ ñäåëàòü? Òîãäà è èçíóòðè îí áóäåò ïî âíóòðåííåìó àäðåñó ðàáîòàòü.

À ïî÷åìó íà ñàéòå æåñòêèå ññûëêó ïî IP?? ðàçâå ïî-÷åëîâå÷åñêè íåëüçÿ ñäåëàòü? Òîãäà è èçíóòðè îí áóäåò ïî âíóòðåííåìó àäðåñó ðàáîòàòü.

Ïîòîìó êàê ïðèëîæåíèå ïîä Facebook. È îòíîñèòåëüíûå URL Facebook íå õàâàåò, åìó íóæíû ïîëíûå. Ñîîòâåòñòâåííî è îí è ÿ äîëæíû ýòè âíåøíèå IP âèäåòü. Íàñòðîèòü òàê ÷òîáû îí âèäåë âíåøíèå, à ÿ âíóòðåííèå ÿ òîæå íå ìîãó. Äà äàæå åñëè è ñìîãó òî ïðè êàæäîì äåïëîå ïðèëîæåíèÿ ïðèéä¸òñÿ ïåðåëîïà÷èâàòü âñå ëîêàëüíûå àäðåñà.
Âîáùåì ÈÌÕÎ ïðîùå ðàçîáðàòüñÿ ðàç è íàâñåãäà ñ âíåøíèì IP.

---

ß âîò òóò åù¸ ññûëêó íàøîë: http://wl500g.info/showthread.php?t=12348
Ïðî÷èòàë åãî è ÷àñòü ñòàòüè íà opennet, íî òàê è íå ïîíÿë ÷òî êîíêðåòíî íàäî ñäåëàòü, à ýêñïåðåìåíòèðîâàòü áîþñü...

Ïðàâèëî ñ POSTROUTING ó ìåíÿ åñòü:


*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:VSERVER - [0:0]
-A PREROUTING -d 10.125.20.203 -j VSERVER
-A VSERVER -p tcp -m tcp --dport 5000 -j DNAT --to-destination 192.168.1.13:5000
-A POSTROUTING -o vlan1 ! -s 10.125.20.203 -j MASQUERADE
-A POSTROUTING -o br0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j MASQUERADE
COMMIT

Ñîîòâåòñòâåííî çäåñò 192.168.1.13 ýòî êîìï â ëîêàëüíîé ñåòè.

ÈÌÕÎ íàäî âñåãî ëèøü âûïîëíèòü íà ðîóòåðå êîìàíäó (ñóäÿ ïî ñòàòüå íà opennet):

iptables -t nat -A POSTROUTING -p tcp --dst 192.168.1.13 --dport 5000 -j SNAT --to-source 192.168.1.1

Òàê?

Âîáùåì âñ¸ òå ïðåäïîëîæåíèÿ ÷òî ÿ íàïèñàë äî ýòîãî íå âåðíû :( Ïðî÷èòàâ ìàíóàë ïî iptables è ïîñìàòðåâ íà òàáëèöó nat ÿ ïðèøåë ê ñëåäóþùåìó ïðàâèëó êîòîðîå ðåøàåò ìîþ ïðîáëåìó:


iptables -t nat -A PREROUTING -d <EXTERNAL_IP> -j VSERVER

ò.å. âñå ïàêåòû êîòîðûå èäóò íà <EXTERNAL_IP> ïåðåäàþòñÿ â öåïî÷êó VSERVER êîòîðàÿ â ñâîþ î÷åðåäü ïåðåäà¸ò èõ íà êîìïüþòåðû â ìîåé ëîêàëüíîé ñåòè(â òîì ÷èñëå è íà ìîé êîìï åñëè îí ïðîïèñàí â VSERVER).

Âîáùåì ïîëó÷èëîñü òî ÷òî ìíå íàäî :)

âñåì ïðèâåò.
äîìà íà ðîóòåðå êàê ðàç ñòîèò ýòà ïðîøèâêà. âîïðîñ òàêîé: ìîæíî ëè (è åñëè ìîæíî, òî êàê?) ïåðåíàïðàâëÿòü çàïðîñ èç ñåòè ñ îäíîãî ñàéòà íà äðóãîé. ëó÷øå, ïîïðîáóþ îáúÿñíèòü íà ïðèìåðå. â äîìàøíåé ñåòè åñòü íåêîå óñòðîéñòâî, êîòîðîå îáðàùàåòñÿ ê ñàéòó (ïî èìåíè). Íóæíî, ÷òîáû ðîóòåð àâòîìàòè÷åñêè ïåðåàäðåñîâûâàë ýòîò çàïðîñ ê äðóãîìó ñàéòó. Âîçìîæíî ëè ýòî? ãäå ïî÷èòàòü ïðèìåðû? íóæíî èìåííî ïî èìåíè. Ïðèìåðîâ ïîêà íèãäå íå íàøåë... :-(

âñåì ïðèâåò.
äîìà íà ðîóòåðå êàê ðàç ñòîèò ýòà ïðîøèâêà. âîïðîñ òàêîé: ìîæíî ëè (è åñëè ìîæíî, òî êàê?) ïåðåíàïðàâëÿòü çàïðîñ èç ñåòè ñ îäíîãî ñàéòà íà äðóãîé. ëó÷øå, ïîïðîáóþ îáúÿñíèòü íà ïðèìåðå. â äîìàøíåé ñåòè åñòü íåêîå óñòðîéñòâî, êîòîðîå îáðàùàåòñÿ ê ñàéòó (ïî èìåíè). Íóæíî, ÷òîáû ðîóòåð àâòîìàòè÷åñêè ïåðåàäðåñîâûâàë ýòîò çàïðîñ ê äðóãîìó ñàéòó. Òî åñòü íóæíî, ÷òîáû ðîóòåð ìîäèôèöèðîâàë http çàïðîñ. Âîçìîæíî ëè ýòî? ãäå ïî÷èòàòü ïðèìåðû? íóæíî èìåííî ïî èìåíè. Ïðèìåðîâ ïîêà íèãäå íå íàøåë... :-(

Transparent proxy ñ ôèëüòðàöèåé. Íàâåðíîå ìîæíî ïðèêðóòèòü. Ãîâîðþ ÷èñòî òåîðåòè÷åñêè - èùèòå, ìîæåò, è îáðÿùèòå ;-)

óæå íî÷üþ ïîíÿë (òîâàðèùè îáúÿñíèëè), ÷òî iptables òîëüêî äëÿ ìàíèïóëÿöèè çàãîëîâêàìè ïàêåòîâ, íî íå äëÿ ìîäèôèêàöèè http çàïðîñîâ.
âîò åùå êàê âàðèàíò - ìîæåò, ìîæíî ñðåäñòâàìè âñòðîåííîãî âåá-ñåðâåðà ïåðåàäðåñàöèþ äåëàòü íà âíåøíèé ñåðâåð? íó òî åñòü åñëè áû òàì ðàáîòàë php è ìîæíî áû áûëî çàëèòü php ôàéë â âåá-êàòàëîã ðîóòåðà - íàâåðíîå, çàäà÷à áûëà áû ðåøåíà. òàêîå âîçìîæíî?

Ïåðâîå, ÷òî ïðèõîäèò íà óì - ïîñòàâèòü ïðîçðà÷íûé ïðîêñè íà ðîóòåðå, òóò ïðîáåãàëî íåñêîëüêî. squid íîðìàëüíî âñòàåò íà ðîóòåð, îí íàâåðíÿêà ìîæåò ìîäèôèöèðîâàòü ëþáûå http-çàãîëîâêè.

Êàê âàðèàíò - íàñòðîèòü ôàéë hosts â óñòðîéñòâå íà ñâÿçêó âíåøíåãî dns ñ âíóòðåííèì ip è íà ñåðâåðå ñ ýòèì ip íàñòðîèòü virtual hosts â íàñòðîéêàõ Web ñåðâåðà. Íî ýòî äëÿ ñëó÷àÿ åñëè íóæíî ïåðåíàïðàâëÿòü èìåííî íà ñâîé ñàéò. À åñëè íà ÷óæîé, òîãäà ÷åðåç ïðîêñè.

Áîþñü ÷òî squid äëÿ ìåíÿ ñëîæåí è íåâîçìîæåí (ó ìåíÿ ïîñòàâëåíà ïðîøèâêà íà äðóãîé ðîóòåð). Âïðî÷åì, êàê è ëþáîé äðóãîé ïàêåò - ýëåìåíòàðíî íå õâàòèò ïàìÿòè.
Ôàéëû íàñòðîåê âåá-ñåâåðà íå ïîçâîëèò ìåíÿòü ïðîâàéäåð :-(
Ñåé÷àñ ïîäóìàë î äðóãîì: âñòðîåííûé âåá-ñåðâåð ïîääåðæèâàåò php èëè cgi ñêðèïòû?
Åñëè ïîääåðæèâàåò php - êàê óçíàòü, ãäå íàõîäèòñÿ âåá-ïàïêà, êàê â íåå ïîìåñòèòü ñâîé ôàéë ñ åãî ñîõðàíåíèåì ïîñëå ïåðåçàãðóçêè ðîóòåðà?
Åñëè ïîääåðæèâàåò cgi - âäîáàâîê â ïðåäûäóùèì äâóì âîïðîñàì - êàê äîáàâèòü â íàñòðîéêè ñåðâåðà åùå îäíó cgi-ïàïêó è êàê çàñòàâèòü ñåðâåð îáðàáàòûâàòü php ôàéë êàê åñëè áû ýòî áûë ôàéë cgi?

äîáðûé äåíü!
åñòü êóñîê ïðàâèë â òàáëèöå nat:
Chain VSERVER (2 references)
num target prot opt source destination
1 DNAT tcp -- anywhere anywhere tcp dpt:webcache to:192.168.1.1:80
2 DNAT tcp -- anywhere anywhere tcp dpt:57698 to:192.168.171.1:57698
3 DNAT tcp -- anywhere anywhere tcp dpt:5190 to:192.168.1.2:5190
4 DNAT tcp -- anywhere anywhere tcp dpt:46928 to:192.168.171.1:46928

ìíå íóæíî ïðèáèòü 2 è 4 ïðàâèëî èç ïîëüçîâàòåëüñêîé öåïî÷êè äåëàþ iptables -t nat -D VSERVER 2, iptables -t nat -D VSERVER 4 îòëè÷íî ïðàâèë íåò.
âñå áû õîðîøî íî ïðàâèëà ïîñëå ðåñòàðòà ðîóòåðà ïîÿâëÿþòñÿ çàãàäî÷íûì îáðàçîì âíîâü.
Êàê ÿ ïðîáîâàë èãðàòüñÿ óäàëÿë íàïðÿìóþ èç vi ïóòåì ðåäàêòèðîâàíèÿ ôàéëà /tmp/nat_rules ñ ïîñëåäóþùèìè êîìàíäàìè
flashfs save
flashfs commit
flashfs enable

ïðîáîâàë äåëàòü iptables-save ïðàâäà êóäà îí ñîõðàíÿåò ÿ òàê è íå ïîíÿë èëè ýòî òîêà âûâîä íà êîíñîëü, ïåðåíàïðàâëåíèå > â ôàéë ÿ íå äåëàë.

Ñîáñòâåííî âîïðîñ îòêóäà áåðåò íàñòðîéêè ïðàâèë iptables ïðè ñòàðòå êîðîáêè ñ êàêîãî ôàéëà ñ÷èòûâàåò âèäèìî iptables-restore?
È êàê æå ìíå ïî èòîãó ïðèáèòü ýòè 2 ïðàâèëà èç ðàçðÿäà ïîëòåðãåéñò?
Êàê âàðèàíò óæå ðàñìàòðèâàþ ñîõðàíåíèå íîâûõ ïðàâèë iptables-save > fileblabla c ïîñëåäóþùèì âîñòàíîâëåíèåì èç cat fileblabla | iptables-restore -c ïðîïèñàííûõ â /usr/local/sbin/post-firewall

P.S. äàéòå ïðàâèëüíûé áóáåí :rolleyes:

Ôàéëû /tmp/*_rules ãåíåðèðóþòñÿ ïðîøèâêîé ïîñëå ïîäíÿòèÿ èíòåðôåéñîâ íà îñíîâå äàííûõ èç âåá-ìîðäû è âíóòðåííèõ óñòàíîâîê, à çàòåì èìïîðòèðóþòñÿ ñ ïîìîùüþ iptables-restore. Ñîõðàíÿòü ýòè ôàéëû ñìûñëà íåò, ò.ê. êàæäûé ðàç îíè ñîçäàþòñÿ çàíîâî.
iptables-save íå ïîìîæåò ïî ýòîé æå ïðè÷èíå.
Âàì íóæíî ïðîñòî óäàëèòü íåíóæíûå ïðàâèëà èç òàáëèöû Virtual Server List íà ñòðàíèöå NAT Setting - Virtual Server â âåá-ìîðäå.

 òîì òî è äåëî, ÷òî â âåá ìîðäå òàêèõ ïðàâèë äàâíî íåò, òîêà ïðàâèëà îñòàëèñü ïî ôàêòó, à â âåá ìîðäå íå îòðàæàþòñÿ ñðåäè äðóãèõ.

Ïîñìîòðèòå

nvram show|grep forw
òàì UPnP ïðîïèñûâàåò ïðîáðîñ ïîðòîâ è èíîãäà êðèâî óäàëÿåò.È îòêëþ÷èòå åãî â âåáìîðäå.

Ïîñìîòðèòå

nvram show|grep forw
òàì UPnP ïðîïèñûâàåò ïðîáðîñ ïîðòîâ è èíîãäà êðèâî óäàëÿåò.È îòêëþ÷èòå åãî â âåáìîðäå.

Î ñïàñèáî áîëüøîå èìåííî Âû äàëè õîðîøóþ íàâîäêó êóäà êîïàòü.
ñäåëàë ïîëó÷èë òî ÷òî èñêàë
nvram show|grep forw
forward_port0=57698-57698>192.168.171.1:57698-57698,tcp,on,PURPLE_UPNP_PORT_FORWARD
forward_port1=5190-5190>192.168.1.2:5190-5190,tcp,on,PURPLE_UPNP_PORT_FORWARD
forward_port2=46928-46928>192.168.171.1:46928-46928,tcp,on,PURPLE_UPNP_PORT_FORWARD
size: 15272 bytes (17496 left)

íó äàëüøå ïîèñêîâ ïî ôîðóìó ñëîâî nvram è î ÷óäî nvram unset forward_portX

Âñåõ áëàãîäàðþ çà ïîìîùü, óäà÷è! :)

òîëüêî ÷òî ïîñòàâèë dd-wrt mega generic ïðîøèâêó. Î÷åíü íå íðàâèòñÿ êàê íàñòðîåí iptables ïî äåôîëòó òàì. Ïðèëàãàþ öåïî÷êó INPUT.
×òî çà äåëà ñ ïåðâûìè äâóìÿ ðàçðåøåííèìè ñàáíåòàìè? È ïî÷åìó íåñêîëüêî ïîâòîðÿþùèõñÿ ñòðîê ñ dpt 520?
ß õî÷ó ïîñëåäîâàòü ñîâåòó èç åòîé ñòàòüè:
http://www.dd-wrt.com/wiki/index.php/Firewall_Builder
è ñäåëàòü ìîþ ñîáñòâåííóþ êîíôèãóðàöèþ íà jffs

Ìîæåò êòî-íèáóäü ïîäåëèòñÿ õîðîøåé áàçîâîé iptables êîíôèãóðàöèåé? èëè ïðèäåòñÿ ïîëüçîâàòüñÿ firewall builder?

Åùå âîïðîñ, åñëè ÿ òàê ñäåëàþ, ñìîãó ëè ÿ ïî ïðåæíåìó ïîëüçîâàòüñÿ âåá-èíòåðôåéñîì ÷òîáû íàïðèìåð äîáàâèòü port forwarding, èëè âñå ïðèäåòñÿ ÷åðåç êîíñîëü äîáàâëÿòü??


Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- 194.231.229.20 0.0.0.0/0
ACCEPT 0 -- 212.65.2.116 0.0.0.0/0
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
logaccept tcp -- 0.0.0.0/0 192.168.123.254 tcp dpt:22
logdrop icmp -- 0.0.0.0/0 0.0.0.0/0
logdrop 2 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state NEW
logaccept 0 -- 0.0.0.0/0 0.0.0.0/0 state NEW
logdrop 0 -- 0.0.0.0/0 0.0.0.0/0

Íåðåïðåçåíòàòèâíûé âûâîä iptables. Íóæíî èñïîëüçîâàòü êëþ÷ -v èëè âîîáùå çàïóñêàòü iptables-save, åñëè òàêîâîé â ýòîé ïðîøèâêå èìååòñÿ.

Ïðîøó ïîìîùè â ñîçäàíèè ïðàâèë â iptables. Äëÿ áëîêèðîâêè Êîíòàêòà, ICQ, Mail.

äî êîëå áóäóò çàäàâàòü òóïûå âîïðîñû!!!!
óäàëèòå òåìó

http://bifrost.heimdalls.com

Íàñêîëüêî ðåàëüíî ïîðòèðîâàòü òàêóþ øòóêó?
ß ïîñìîòðåë ó íèõ íà ñàéòå ,òàì íå ñîâñåì ïîíÿòíî ïëàòíîå îíî èëè íåò.
Ñàìà àïëèêàöèÿ âðîäå íà ïåðëå.
Íóæíî òîëüêî iptables > 1.23 , iproute2 è àïà÷.
Ïî ìîåìó ñèëüíî óïðîñòèò ðàáîòó ñ ôàéðâîëëîì.

License cost is currently $25US for home use, or $100US for commercial use.

OMG $25?! è ÷òî òàêàÿ íåðåàëüíî âåëèêàÿ ìåãàóòèëèòà?!

Ðàáîòó ñ ôàéðâîëëîì ïðåäåëüíî óïðîñòèò íå íàâîðà÷èâàíèå âåá-ìîðäû, êîòîðàÿ òîëüêî ìàñêèðóåò ðåàëüíûå íàñòðîéêè, à ïðî÷òåíèå http://iptables-tutorial.frozentux.net/iptables-tutorial.html

Angel-il , òàì íå ñîâñåì ïîíÿòíî íóæíî ëè ïëàòèòü èëè íåò.
Ñàì àâòîð ãîâîðèò ÷òî ìîæíî èñïîëüçîâàòü è áåç ëèöåíçèè.
Êðîìå òîãî åñëè ïîñìîòðèòå îíî íå îáíîâëÿëîñü ñ 2003 ãîäà.
Âîçìîæíî åñëè îáðàòèòüñÿ ê àâòîðó îí áóäåò çàèíòåðåñîâàí ïîìî÷ü.

Àëåêñàíäð , íèêòî íå ãîâîðèò ÷òî íå íàäî èçó÷àòü ðàáîòó iptables , íî ÿ ïîëàãàþ ÷òî òàêàÿ âåáìîðäà âñå æå óïðîñòèò ðàáîòó ñ äåâàéñîì .
Âñå òàêè óäîáíåå ðàáîòàòü ñ ôàéðâîëëîì êîãäà ìîæíî ïîñìîòðåòü ðóëû êàê óäîáíûé ñïèñîê , ÷åì ñèäåòü è ñêðóëèòü ââåðõ âíèç iptables -L :)

Äà çíàíèå - ñèëà:-) íà îïåííåòå åñòü õîðîøèå ñòàòüè ïî íàñòðîéêå iptables.
à ìîæíî ñäåëàòü òàê:
ñêà÷àòü ñ http://www.fwbuilder.org ïðîãó
â ASUS# iptables-save > some_file_dump.conf
ñêà÷èâàåòå. ïîäãðóæàåòå â ïðîãó è êðóòèòå ðàç óæ òàê õî÷òñÿ â ãðàôè÷åñêîì èíòåðôåéñå, ïðàâäà ÿ äóìàþ ÷òî âñå òàêè íàãðÿäíåå â ñòàíäàðòíîì iptables -t nat -L -n -v -x è äàìï íàñòðîåê.

âêðàòöå - irc ñåðâåð ñëóøàåò lan ïîðò ðîóòåðà - 172.16.99.1
âíåøíèé èï 81.88.216.132

åñëè ñåðâåðó ñêàçàòü ñëóøàòü âñå èï, òî èçâíå îí âñå ðàâíî íå äîñòóïåí..
åñòü ëè êàêîå-íèáóäü ïðàâèëî iptables, êîòîðîå ðàçðåøèò èçâíå (ñ âíåøíåãî èï èç èíòåðíåòà) êîíåêòèòñÿ ê âíóòðåííåìó ñåðâåðó 172.16.99.1 ïî ïîðòó 6667?

è åù¸ - êàê ðàñøàðèòü àëüòåðíàòèâíûé ïîðò 443 ñ íàðóæè (ñ àäðåñà 81.88.216.132) íà ïîðò 6667 âíóòðè? çàðàíåå ñïàñèáî!

âêðàòöå - irc ñåðâåð ñëóøàåò lan ïîðò ðîóòåðà - 172.16.99.1
âíåøíèé èï 81.88.216.132

åñëè ñåðâåðó ñêàçàòü ñëóøàòü âñå èï, òî èçâíå îí âñå ðàâíî íå äîñòóïåí..
åñòü ëè êàêîå-íèáóäü ïðàâèëî iptables, êîòîðîå ðàçðåøèò èçâíå (ñ âíåøíåãî èï èç èíòåðíåòà) êîíåêòèòñÿ ê âíóòðåííåìó ñåðâåðó 172.16.99.1 ïî ïîðòó 6667?

NAT Setting - Virtual Server çàïîëíèòå íà ðîóòåðå



è åù¸ - êàê ðàñøàðèòü àëüòåðíàòèâíûé ïîðò 443 ñ íàðóæè (ñ àäðåñà 81.88.216.132) íà ïîðò 6667 âíóòðè? çàðàíåå ñïàñèáî!

òàìæåæ òîêà â ïîðò ðýéíäæ ñòàâèòüñÿ 443 à â ëîêàë ïîðò 6667

íó èëè êàê àëüòåðíàòèâà ÷åðåç
iptables -i vlan1 -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination <âíóòðåííèé IP>:6667
íó è åñòåññíî íå çàáûòü äîáàâèòü ïðàâèëî íà îòêðûòèå äàííîãî ïîðòà è ôîðâàðäèíã =)

Ðóòåð ó ìåíÿ äàâíî, íî âîò âíåøíèé àäðåñ ïîÿâèëñÿ íåäàâíî è ñðàçó æå íà÷àëè ïîäáèðàòü ïàðîëè íà ssh (ó ìåíÿ ëîã íà âèíòå è îí êàê-òî ðàçðîññÿ äî íåïðèëè÷íûõ 50 ìåòðîâ çà íåñêîëüêî äíåé). Ðåøèë ÿ äîáàâèòü áëîêèðîâêó áðóòà ÷åðåç ipt_recent è ïîñìîòðåë âíèìàòåëüíî íà äåôîëòíûå iptables (åñëè â post-firewall íè÷åãî íå ïèñàòü). Ñðàçó æå ïîÿâèëèñü âîïðîñ.
×òî òàì äåëàþò öåïî÷êè logdrop, logaccess, SECURITY, MAC? Îíè õîòü êîãäà-íèáóäü èñïîëüçóþòñÿ (åñëè ÷åãî-íèáóäü íàñòðîèòü ïî äðóãîìó â âåáèíòåðôåéñå)? Ó ìåíÿ îíè íèêóäà íå ïîäêëþ÷åíû.

logaccept è logdrop èñïîëüçóþòñÿ, åñëè âêëþ÷èòü â âåá-ìîðäå ëîããèðîâàíèå ïàêåòîâ (Logged packets type) - Accepted, Dropped èëè Both.
SECURITY èñïîëüçóåòñÿ, åñëè âêëþ÷èòü çàùèòó îò DoS-àòàê (Enable DoS protection).
MAC (ñàì íå ïðîâåðÿë, íî áóäåò ëîãè÷íî, ÷òî) èñïîëüçóåòñÿ, åñëè âêëþ÷èòü ôèëüòðàöèþ ïî MAC (Internet Firewall - MAC Filter).

Ðóòåð ó ìåíÿ äàâíî, íî âîò âíåøíèé àäðåñ ïîÿâèëñÿ íåäàâíî è ñðàçó æå íà÷àëè ïîäáèðàòü ïàðîëè íà ssh (ó ìåíÿ ëîã íà âèíòå è îí êàê-òî ðàçðîññÿ äî íåïðèëè÷íûõ 50 ìåòðîâ çà íåñêîëüêî äíåé). Ðåøèë ÿ äîáàâèòü áëîêèðîâêó áðóòà ÷åðåç ipt_recent è ïîñìîòðåë âíèìàòåëüíî íà äåôîëòíûå iptables (åñëè â post-firewall íè÷åãî íå ïèñàòü). Ñðàçó æå ïîÿâèëèñü âîïðîñ.
×òî òàì äåëàþò öåïî÷êè logdrop, logaccess, SECURITY, MAC? Îíè õîòü êîãäà-íèáóäü èñïîëüçóþòñÿ (åñëè ÷åãî-íèáóäü íàñòðîèòü ïî äðóãîìó â âåáèíòåðôåéñå)? Ó ìåíÿ îíè íèêóäà íå ïîäêëþ÷åíû.
À ÷òî ìåøàåò ñúåõàòü SSH íà íåñòàíäàðòíûé ïîðò?
Âñÿêèå "êóëõàöêåðû" ñðàçó èäóò ëåñîì.
Ó ìåíÿ çà âñå âðåìÿ íè ðàçó íèêòî íå ëîìèëñÿ ïî SSH, à âîò íà ïî÷òîâûå ïîðòû - ïîñòîÿííî - âèäèìî îñîáî ãðàìîòíûõ, êòî çíàåò ÷òî òàêîå nmap íàïðèìåð, ìàëî. È õîðîøî.

ALL, çäîàâñòâóé.

Ïîäñêàæè, ïîæàëóéñòà, ÷òî çà 2 ñòðîêb â öåïî÷êå INPUT iptables:
3 ACCEPT all -- anywhere anywhere state NEW
4 ACCEPT all -- anywhere anywhere state NEW

Îñòàëüíîå âðîäå áû âñ¸ íóæíîå, à ýòî... Ïîäñêàæèòå, ïîæàëóéñòà.  èíåòå ÷àñòî òîæå âèäåë, íî åäèíñòâåííûé ñìûñë ïðàâèëà, êîòîðûé ìíå óäàëîñü ñëîæèòü â íåãî - ýòî ðàçðåøåíèå âõîäÿùèõ íîâûõ ïàêåòîâ áåç ñèí-ôëàãà ïî ëþáîìó ïîðòó/ïðîòîêîëó.
Çà÷åì?? Èëè ÿ íåïðàâèëüíî ïîíèìàþ ïðàâèëî?

ALL, çäîàâñòâóé.
...
3 ACCEPT all -- anywhere anywhere state NEW
...


Ñòðàííî íî îäíà 4-ÿ ñòðîêà äóáëèðóåò 3-þ.
À ïî ñóòè: ïðèíèìàòü (ACCEPT) íîâûå (state NEW) ñîåäèíåíèÿ, ïî ëþáîìó ïîðòó/ïðîòîêîëó (proto all) ñî âñåõ àäðåñîâ.

Äàëüøå ÷èòàåì http://iptables-tutorial.frozentux.net/


...
 ïðåäåëàõ iptables, ñîåäèíåíèå ìîæåò èìåòü îäíî èç 4-õ áàçîâûõ ñîñòîÿíèé:
NEW, ESTABLISHED, RELATED è INVALID. Ïîçäíåå ìû îñòàíîâèìñÿ íà êàæäîì èç íèõ
áîëåå ïîäðîáíî.
Äëÿ óïðàâëåíèÿ ïðîõîæäåíèåì ïàêåòîâ, îñíîâûâàÿñü íà èõ ñîñòîÿíèè, èñïîëüçóåòñÿ
êðèòåðèé --state.
...

Less, ñïàñèáî çà îòâåò!
Íî óêàçàííóþ èíôîðìàöèþ ÿ íàø¸ë. Ïîÿñíèòå, ïîæàëóéñòà: ïðàâèëüíî ëè ÿ ïîíèìàþ, ÷òî ïî ýòèì ïðàâèëàì âñå âõîäÿùèå ñîåäèíåíèÿ (íîâûå, íî áåç SYN) áóäóò ðàçðåøåíû, â ò.÷. ñíàðóæè? Èëè íåïðàâèëüíî?
Íóæíà ýòà ñòðî÷êà èëè íåò?

íàñ÷åò äóáëèðîâàíèÿ --- ïîñìîòðèòå iptables -L --verbose

Ýòè äâå ñòðî÷êè ðàçëè÷àþòñÿ, íî, êàê ïðàâèëüíî çàìåòèëè âûøå, âû ýòîãî íå óâèäèòå áåç îïöèè --verbose (èëè, ñîêðàù¸ííî, -v), êàê íå óâèäèòå áåç íå¸ è ìíîãèå äðóãèå äåòàëè.

Less, ñïàñèáî çà îòâåò!
Íî óêàçàííóþ èíôîðìàöèþ ÿ íàø¸ë. Ïîÿñíèòå, ïîæàëóéñòà: ïðàâèëüíî ëè ÿ ïîíèìàþ, ÷òî ïî ýòèì ïðàâèëàì âñå âõîäÿùèå ñîåäèíåíèÿ (íîâûå, íî áåç SYN) áóäóò ðàçðåøåíû, â ò.÷. ñíàðóæè? Èëè íåïðàâèëüíî?
Íóæíà ýòà ñòðî÷êà èëè íåò?

Ñìîòðèòå ïî ññûëêå óêàçàíîé â ïðåäûäóùåì ïîñòå



Ïðèçíàê NEW ñîîáùàåò î òîì, ÷òî ïàêåò ÿâëÿåòñÿ ïåðâûì äëÿ äàííîãî ñîåäèíåíèÿ. Ýòî îçíà÷àåò, ÷òî ýòî ïåðâûé ïàêåò â äàííîì ñîåäèíåíèè, êîòîðûé óâèäåë ìîäóëü òðàññèðîâùèêà. Íàïðèìåð åñëè ïîëó÷åí SYN ïàêåò ÿâëÿþùèéñÿ ïåðâûì ïàêåòîì äëÿ äàííîãî ñîåäèíåíèÿ, òî îí ïîëó÷èò ñòàòóñ NEW. Îäíàêî, ïàêåò ìîæåò è íå áûòü SYN ïàêåòîì è òåì íå ìåíåå ïîëó÷èòü ñòàòóñ NEW. Ýòî ìîæåò ïîðîäèòü îïðåäåëåííûå ïðîáëåìû â îòäåëüíûõ ñëó÷àÿõ, íî ìîæåò îêàçàòüñÿ è âåñüìà ïîëåçíûì, íàïðèìåð êîãäà æåëàòåëüíî "ïîäõâàòèòü" ñîåäèíåíèÿ, "ïîòåðÿííûå" äðóãèìè áðàíäìàóýðàìè èëè â ñëó÷àÿõ, êîãäà òàéìàóò ñîåäèíåíèÿ óæå èñòåê, íî ñàìî ñîåäèíåíèå íå áûëî çàêðûòî.

al37919, Poer, Less, ñïàñèáî!

Äåéñòâèòåëüíî, âñ¸ îêàçàëîñü ïðîñòî: ïîíèìàë ÿ ïðàâèëüíî, íî áåç verbose íå áûëî âèäíî èíòåðôåéñ. :)
Ñïàñèáî, âîïðîñ çàêðûò!

Ñ Linux'îì òîëüêî íà÷èíàþ çíàêîìèòüñÿ, ïîýòîìó âîçíèê âîïðîñ. Ïîñòàâèë ñåðâàê lighttpd, êðóòèòñÿ îí íà 8081 ïîðòó, à çàòåì ADOS. Èç ëîêàëêè âñå îòëè÷íî. Âñå îòêðûâàåòñÿ. Ò.å. ïðèõîäèòñÿ íàáèðàòü <ip-router>:8081/ados. ×òî íå î÷åíü íðàâèòñÿ. Õî÷åòñÿ, ÷òîáû íóæíî áûëî íàáèðàòü â ñòðîêå áðàóçåðà ïîëüçîâàòåëÿì àäðåñ âèäà <ip-router>/ados. Íî íà 80 ïîðòó êðóòèòñÿ ïîõîæå âñòðîåííûé ñåðâàê â ïðîøèâêó äëÿ äîñòóïà ê Web-èíòåðôåéñó íàñòðîéêè ðîóòåðà. Âîò òåïåðü âîïðîñ. Êàêèì îáðàçîì íóæíî çàäàòü ïðàâèëà ÷åðåç iptables ÷òîáû:
1) Íàáèðàòü â ñòðîêå áðàóçåðà àäðåñ âèäà <ip-router>/ados
2) Îòêðûòü äîñòóï ê âåá-ñåðâåðó èç WAN. È ÷òîáû òàêæå íàáèðàòü â ñòðîêå áðàóçåðà àäðåñ âèäà <ip-router>/ados.

P.S. Ìîæåò êòî ïîïîâåòóåò êíèãè, ñòàòüè ãäå äåòàëüíî îáñóæäàåòñÿ ñòðóêòóðà è ìåõàíèçì ðàáîòû iptables. Ò.å. êàêèå òàáëèöû çà ÷òî îòâå÷àþ è ò.ä.

http://www.opennet.ru/docs/RUS/iptables/

Ñïàñèáî, áóäó ðàçáèðàòüñÿ :)

Óæå 2 äíÿ ñèæó, íè êàê íå ïîëó÷àåñòñÿ íàñòðîèòü. :( Ìîæåò êòî ïîìîæåò ïðÿìûì ñîâåòîì? :) Êòî-íèáóäü óæå ñòàëêèâàëñÿ íàâåðíî ñ òàêîé ïðîáëåìîé...

Âî-ïåðâûõ, äóìàþ åñòü ñìûñë ïåðåíåñòè âñòðîåííûé httpd íà äðóãîé ïîðò íå íà 80. Òîãäà òû ñìîæåøü çàïóñòèòü ñâîé lighttpd íà 80 ïîðòó è âîîáùå íå ïàðèòüñÿ ñ ðåäèðåêòîì...

âåñü äåíü òîæå ñàìîå ïûòàþñü ñäåëàòü ÷òî è òîïèêñòàðòåð
õî÷ó ïàêåòû èç WAN ïåðåíàïðàâëÿòü ñ 80 ïîðòà íà 8081
à ñ ëîêàëüíîãî êîìïüþòåðà ïðè ýòîì íå ðåäèðåêòèòü ÷òîáû áûë äîñòóï ê âåá èíòåðôåéñó ïî 80 ïîðòó
äåëàþ âîò òàê:
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i wan+ -p tcp --dport 80 -j REDIRECT --to-ports 8081

â ðåçóëüòàòå ëþáîé àäðåñ â áðàóçåðå âåäåò íà ðîóòåð..
÷òî íå òàê?

âåñü äåíü òîæå ñàìîå ïûòàþñü ñäåëàòü ÷òî è òîïèêñòàðòåð
õî÷ó ïàêåòû èç WAN ïåðåíàïðàâëÿòü ñ 80 ïîðòà íà 8081
à ñ ëîêàëüíîãî êîìïüþòåðà ïðè ýòîì íå ðåäèðåêòèòü ÷òîáû áûë äîñòóï ê âåá èíòåðôåéñó ïî 80 ïîðòó
äåëàþ âîò òàê:
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i wan+ -p tcp --dport 80 -j REDIRECT --to-ports 8081

â ðåçóëüòàòå ëþáîé àäðåñ â áðàóçåðå âåäåò íà ðîóòåð..
÷òî íå òàê?

À ïî÷åìó ïåðåíîñ íå óñòðàèâàåò âåá-ìîðäû íà äðóãîé ïîðò?

Не могу найти файл конфига для встроенного web-сервера. Поиск по маске *.conf его не выдает... :(
Искал httpd.conf

P.S. Задание правил через iptables делал как swetlov - результат такой же...
Так что придется все таки переносить стандартную веб-морду.

âåñü äåíü òîæå ñàìîå ïûòàþñü ñäåëàòü ÷òî è òîïèêñòàðòåð
õî÷ó ïàêåòû èç WAN ïåðåíàïðàâëÿòü ñ 80 ïîðòà íà 8081
à ñ ëîêàëüíîãî êîìïüþòåðà ïðè ýòîì íå ðåäèðåêòèòü ÷òîáû áûë äîñòóï ê âåá èíòåðôåéñó ïî 80 ïîðòó
äåëàþ âîò òàê:
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i wan+ -p tcp --dport 80 -j REDIRECT --to-ports 8081

â ðåçóëüòàòå ëþáîé àäðåñ â áðàóçåðå âåäåò íà ðîóòåð..
÷òî íå òàê?
Âûäåëåííîå êðàñíûì - ýòî ÷òî òàêîå? :eek:
È ïî-õîðîøåìó, íàäî íå to-ports óêàçàòü, à -to-destination, ÷òîáû ðîóòåðó íå ìó÷èòüñÿ ñ âûáîðîì.
Íàïðèìåð òàê:

iptables -A INPUT -p tcp -m tcp -d 192.168.1.1 --dport 8081 -j ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:80
Òóò ñíà÷àëà ðàçðåøàåì ïðèåì íà ïîðòó 8081, à ïîòîì ïåðåíàïðàâëÿåì ïîðò (ÿ â êóðñå, ÷òî ðåàëüíàÿ ïîñëåäîâàòåëüíîñòü âûïîëíåíèÿ êîìàíä îáðàòíàÿ, äëÿ âîñïðèÿòèÿ òàê ïðîùå îáúÿñíèòü).

Êðàñíîå âûäåëåíèå ýòî ppp0 äîëæíî áûëî áûòü, íî ÷òî òî íå âûøëî 8(

Ñåé÷àñ ïðîáóþ âîò òàê:

iptables -A INPUT -p tcp -m tcp -d 192.168.1.1 --dport 8081 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -d 192.168.1.1 --dport 80 -j ACCEPT

iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8081

Ïàêåò ïðèøåäøèé ñ ppp0 íà ïîðò 80 ïåðåíàïðàâëÿåòñÿ íà ïîðò 8081..
íå ðàáîòàåò íè òàê íè òàê:


iptables -A INPUT -p tcp -m tcp -d 192.168.1.1 --dport 8081 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -d 192.168.1.1 --dport 80 -j ACCEPT

iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j REDIRECT --to-ports 8081

âñå ñâåðÿë ñ ìàíóàëîì, íå ïîíèìàþ â ÷åì äåëî..

# allow http access from wan & lan
iptables -t nat -I VSERVER 1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8081
iptables -A INPUT -p tcp -m tcp --dport 8081 -j ACCEPT

# allow http access from wan & lan
iptables -t nat -I VSERVER 1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8081
iptables -A INPUT -p tcp -m tcp --dport 8081 -j ACCEPT

Ïîïðîáîâàë òàê, ìíå íå ïîìîãëî... :( Áóäó åùå ðàçáèðàòüñÿ...

iptables -t nat -A VSERVER -p tcp -m tcp --dport 81 -j DNAT --to-destination 192.168.1.1:8081

òàê ðàáîòàåò..
ñ 80ûì íåò
ãäå ñîáàêà çàðûòà?

ïðåäëàãàþ ñâîé âàðèàíò:


iptables -I INPUT -p tcp --dport 8081 -j ACCEPT
iptables -t nat -A PREROUTING -i ! $3 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8081


ïðè ðó÷íîì òåñòèðîâàíèè $3 çàìåíèòü íà br0

ïðè ýòîì ñòðîêè òèïà ýòîé

iptables -A INPUT -p tcp --dport 80 -j ACCEPT
áûòü íå äîëæíî

à âîîáùå, åùå ïðîâàéäåð ìîæåò áëîêèðîâàòü 80é ïîðò

Ïîïðîáîâàë òàê, ìíå íå ïîìîãëî... :( Áóäó åùå ðàçáèðàòüñÿ...
ïåðâûìè ñòðî÷êàìè â post-firewall åùå äîëæíû áûòü


# set default input rule
iptables -P INPUT DROP
# remove last default rule
iptables -D INPUT -j DROP

èíà÷å äîáàâëÿåìûå â êîíåö âõîäÿùèå ïðàâèëà (iptabled -A INPUT ...) ïðîñòî íå áóäóò ðàáîòàòü

ýò òî÷íî. È âîîáùå, âî-ïåðâûõ, äîáàâëÿòü ïðàâèëà íàäî ñíà÷àëà âðó÷íóþ --- íà ãðóáûå îøèáêè iptables áóäåò ñðàçó ðóãàòüñÿ. Âî-âòîðûõ, äîáàâèâ ïðàâèëî, íàäî ïðîâåðÿòü êóäà îíî ïîïàëî è ïîïàëî ëè âîîáùå êóäà-íèáóäü:

iptables -L
iptables -L -t nat

Вот полное содержание моего post-firewall из /usr/local/sbin/



#!/bin/sh
# set default input rule
iptables -P INPUT DROP
# remove last default rule
iptables -D INPUT -j DROP
# allow http access from wan & lan
iptables -t nat -A VSERVER -p tcp -m tcp --dport 80 -j DNAT
--to-destination 10.0.0.1:8081
iptables -A INPUT -p tcp -m tcp --dport 8081 -j ACCEPT

У роутера ip=10.0.0.1

Захожу с телефона -> облом. :(

Выполняю эти команды вручную -> заходит... :)
Посмотрел по iptables -L -t nat -> В VSERVER нет правила. Когда добавляешь вручную - правило есть.

Что не так в моем post-firewall?

Âûïîëíÿþ ýòè êîìàíäû âðó÷íóþ -> çàõîäèò... :)
Ïîñìîòðåë ïî iptables -L -t nat ->  VSERVER íåò ïðàâèëà. Êîãäà äîáàâëÿåøü âðó÷íóþ - ïðàâèëî åñòü.
×òî íå òàê â ìîåì post-firewall?
Âñå òàê, ïðîñòî íå âêëþ÷åíî "Enable Virtual Server" íà ñòðàíèöå NAT Settings / Virtual Server

Ñóïåð! :) Ñïàñèáî âñåì îòêëèêíóâøèìñÿ!

à ÷òîáû åãî íå âêëþ÷àòü íóæíî ñëîâî VSERVER çàìåíèòü íà PREROUTING, ÷òî óæå ïðåäëàãàëîñü

iptables -L -nv èëè ïðîñòî iptables -L ïîêàçûâàåò ïóñòóþ òàáëèöó


Chain INPUT (policy ACCEPT 16030 packets, 1325K bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 15511 packets, 2359K bytes)
pkts bytes target prot opt in out source destination

÷òî äåëàþ íåòàê?

Âûïîëíèòå êîìàíäó è ïîñìîòðèì

iptables-save

À âîîáùå ó Âàñ íåòó ïðàâèë â òàáëèöå, âîçìîæíî áûëà êîàíäà

iptables -F

à ìîæåò íàäî ïðîñòî âêëþ÷èòü ôàéðâîëë â âåá-ìîðäå?

À âû ýòó êîìàíäó íà ðîóòåðå âûïîëíÿëè? Èëè íà êîìïå? Óæ î÷åíü ñìóùàþò ìåíÿ öèôðû:


Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Èëè îí ó âàñ íå â home gateway ðåæèìå?

âñå íàñòðîéêè ñòàíäàðòíûå. ðîóòåð ðàáîòàåò â ðåæèìå Access Point. èëè ðàçâå â ýòîì ðåæèìå ôàåðâîë íå ïàøåò? ðàçíèöà òà êàêàÿ, òàì ëèíóêñ êðóòèòñÿ è ïî èäåå iptables äîëæåí ðàáîòàòü. â ðåæèìå Access Point â âåáèíòåðôåéñå íåòó òàêîé îïöèè Firewall. à ðåæèì Home Gateway ìíå íåçà÷åì. iptables âñåðàâíî äîëæåí ðàáîòàòü.
åùå â ðåæèìå Home Gateway áûëè ïðîáëåìû ñî ñêà÷èâàíèåì ôàéëîâ è ÷åðåç ipkg è ÷åðåç wget. ïðîñòî âñòàåò ïîñëå íåñêîëüêèõ ñåêóíä çàêà÷êè è âñå. è íå òîëüêî ó ìåíÿ.
âñå êîìàíäû âûïîëíÿþ íà ðîóòåðå=))))

iptables -F íèêòî íå ãîâîðèë.

iptables-save ïîêàçûâàåò

# Generated by iptables-save v1.2.7a on Sun Mar 8 20:48:38 2009
*nat
:PREROUTING ACCEPT [1502:71854]
:POSTROUTING ACCEPT [7527:451934]
:OUTPUT ACCEPT [7527:451934]
COMMIT
# Completed on Sun Mar 8 20:48:38 2009
# Generated by iptables-save v1.2.7a on Sun Mar 8 20:48:38 2009
*mangle
:PREROUTING ACCEPT [99344:8314507]
:INPUT ACCEPT [98096:8275535]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [97473:10290295]
:POSTROUTING ACCEPT [97473:10290295]
COMMIT
# Completed on Sun Mar 8 20:48:38 2009
# Generated by iptables-save v1.2.7a on Sun Mar 8 20:48:38 2009
*filter
:INPUT ACCEPT [98100:8275695]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [97482:10291363]
COMMIT
# Completed on Sun Mar 8 20:48:38 2009

:FORWARD ACCEPT [0:0] à âîò ýòî äåéñòâèòåëüíî î÷åíü èíòåðåñíî. â Home Gateway ïåðåêëþ÷àòüñÿ ÷òîëè? äûê îïÿòü êîñÿêè ñî ñêà÷èâàíèåì áóäóò...

Íó ñìîòðèòå: â Home Gateway ðåæèìå òðàôèê ëîêàëüíîé (âàøåé äîìàøíåé) ïîäñåòè îáñëóæèâàåòñÿ ñâè÷åì (âñòðîåííûì â ðîóòåð), à òðàôèê ìåæäó ïîäñåòÿìè îáñëóæèâàåòñÿ ñàìèì ðîóòåðîì.  ðåæèìå Access Point âòîðàÿ ôóíêöèÿ îòêëþ÷àåòñÿ è ðîóòåð ñòàíîâèòñÿ òàêèì æå êëèåíòîì, êàê è âñå îñòàëüíûå â ñåòè, ò.å. îò íåãî îñòà¸òñÿ ñâè÷ è áåñïðîâîäíîé èíòåðôåéñ, ñîåäèí¸ííûé ïðîãðàììíî ñ òåì æå ñâè÷åì.

ñ ñàìîãî íà÷àëà êîãäà ïîøëè êîñÿêè ïðè çàêà÷êàõ ÿ íàøåë íà ôîðóìå ÷òî íàäî ïðîñòî ïåðåêëþ÷èòü ðîóòåð â ðåæèì Access Point è âñå ñðàçó ñòàíåò íîðìàëüíî. ÿ òàê è ñäåëàë. è âñå äåéñòâèòåëüíî ñòàëî ðàáîòàòü è âñå çàêà÷èâàåòñÿ è ipkg íîðìàëüíî âñå êà÷àåò è ò.ä. à òóò âåäü âîò êàêàÿ øòóêà äåéñòâèòåëüíî.

à êòî èíåò òî ðàçäàåò?

à êòî èíåò òî ðàçäàåò?

àäñë ìîäåì

çíà÷èò íà íåì è íàäî ôàéðâîë âàÿòü

íà àäñë ìîäåìå ïîíÿòíî ìîæíî ïîðòû îòêðûâàòü, àéïèøíèêè ðàçðåøàòü è ïðî÷èå øòóêè. íî õîòåëîñü áû ÷òîáû âñå ÷òî èäåò íà ðîóòåð ðàçðóëèâàëîñü ñèëàìè ñàìîãî ðîóòåðà. òî åñòü çàïðåùàëîñü/ðàçðåøàëîñü è ò.ä. äëÿ ÷åãî òàì iptables è ñóùåñòâóåò. è âðîäå êàê äîëæåí íà ñóùåñòâóþùåì èíòåðôåéñå ðàáîòàòü. íî íà INPUT è OUTPUT òîæå íåò ïðàâèë (íå ïîêàçûâàåò). õîòÿ î÷åâèäíî ÷òî òðàôôèê åñòü è òàì è òàì.

Chain INPUT (policy ACCEPT 110K packets, 9286K bytes)
Chain OUTPUT (policy ACCEPT 108K packets, 11M bytes)
íó êàê ìèíèìóì äëÿ ssh òî÷íî ïðàâèëî ðàáîòàåò âåäü.

Íó iptables-òî ðàáîòàåò. Ïðîñòî åìó ïðàâèëà íèêàêèå íå ïðîïèñàíû è âåñü òðàôèê ïî óìîë÷àíèþ ðàçðåø¸í. Åñëè íóæíî - ïðîïèøèòå ñàìè, post-boot âàì â ïîìîùü (íå óâåðåí, ÷òî post-firewall â ðåæèìå Access Point âûçûâàåòñÿ êîãäà-ëèáî).

Íó iptables-òî ðàáîòàåò. Ïðîñòî åìó ïðàâèëà íèêàêèå íå ïðîïèñàíû è âåñü òðàôèê ïî óìîë÷àíèþ ðàçðåø¸í. Åñëè íóæíî - ïðîïèøèòå ñàìè, post-boot âàì â ïîìîùü (íå óâåðåí, ÷òî post-firewall â ðåæèìå Access Point âûçûâàåòñÿ êîãäà-ëèáî).

ïîõîäó âñå òàê è åñòü íà ñàìîì äåëå. áóäåì ïðîáîâàòü.

ðîóòåð ðàáîòàåò â ðåæèìå Access Point. êàê â òàêîì ñëó÷àå ñäåëàòü ÷òîáû ðàáîòàë iptables? ïðîïèñûâàþ íàïðèìåð ñàìûå ïðîñòûå ïðàâèëà â post-boot (ïîòîìó êàê ãîâîðÿò ÷òî post-firewall â ýòîì ðåæèìå íå îòðàáàòûâàåò)

iptables -P INPUT DROP
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp --syn --dport 22 -j ACCEPT
flashfs save && flashfs commit && flashfs enable && reboot
ïîñëå ÷åãî âîîáùå íèêàê íå ïóñêàåò, íå ÷åðåç ssh, íå ÷åðåç telnet, íèêàê âîîáùå. èëè çäåñü áåç âàðèàíòîâ è íàäî ïåðåêëþ÷àòüñÿ â ðåæèì Home Gateway (â êîòîðîì ïîíÿòíî ÷òî âñå áóäåò çàìå÷àòåëüíî)?

êñòàòè, êàê ïåðåêëþ÷èòñÿ â Home Gateway? â âåáèíòåðôåéñå ïåðåêëþ÷àþ âñå îê âðîäå ïîêàçûâàåò, íî âèäíî ÷òî íà ñàìîì äåëå íè÷åãî íå ñðàáàòûâàåò è ïîñëå ïåðåçàãðóçêè âñå îïÿòü êàê áûëî â ðåæèìå Access Point.

åñëè Finish è Save&Restart è âçàïðàâäó íå ïîìîãàþò, òî ìîæíî ñáðîñèòü íàñòðîéêè â äåôîëò. Ïî óìîë÷àíèþ ðåæèì = home gateway

À çà÷åì iptables â ðåæèìå Access Point? Íå íóæåí îí.  ýòîì ðåæèìå âñå eth èíòåðôåéñû è wlan ñáðèäæåâàíû.

åñëè Finish è Save&Restart è âçàïðàâäó íå ïîìîãàþò, òî ìîæíî ñáðîñèòü íàñòðîéêè â äåôîëò. Ïî óìîë÷àíèþ ðåæèì = home gateway

òàì åñòü òîëüêî Apply. ïîñëå ÷åãî îí ïåðåêèäûâàåò íà ïåðâûé øàã Quick Wizard - âûáîð time zone.
çíà÷èò âàðèàíò òîãäà ÷åðåç âåáèíòåðôåéñ çàêèíóòü òîëüêî ñîäåðæèìîå ôëýøà, à îñòàëüíîå âñå ïðèäåòñÿ íàñòðîèòü ñ íóëÿ.


À çà÷åì iptables â ðåæèìå Access Point? Íå íóæåí îí.  ýòîì ðåæèìå âñå eth èíòåðôåéñû è wlan ñáðèäæåâàíû.

êàê çà÷åì? íó è ÷òî ÷òî ñáðèäæåâàíû. iptables âñåðàâíî äîëæåí âèñåòü íà ñóùåñòâóùåì èíòåðôåéñå è óïðàâëÿòü òðàôôèêîì - ðàçðåøàòü/çàïðåùàòü è ò.ä. åñëè ñóùåñòâóåò èíòåðôåéñ - çíà÷èò äîëæåí áûòü ôàåðâîë, êîòîðûì íàäî çûêðûâàòü íàôèê âñå ÷òî âîçìîæíî. íó à äàëåå óæå ðàçðóëèâàòü. äðóãîé âîïðîñ - ïî÷åìó iptables êàê-òî ñòðàííî ðàáîòàåò âåðíåå âîîáùå íå ðàáîòàåò â ðåæèìå Access Point?

Åñòü 2 counter-strike server íà ðàçíûé ïîðòàõ, îäíîì ip îïóáëèêîâàííûé ÷åðåç WL500gp âîò òàêèì âîò ìàêàðîì:
http://savepic.ru/466936.jpg

Åñòü ïðîáëåìà: ñåðâåðà ïåðèîäè÷åñêè íåäîñòóïåíû, ÷òî âèäíî èç ìîíèòîðèíãà http://www.cs.yukhnov.ru/monitor/
Ëþäåé óæå èãðàþùèõ íå âûêèäûâàåò, íî ïîäêëþ÷èòñÿ ê ñåðâåðó òðóäíî, ïèøåò, ÷òî îí íå äîñòóïåí.  ìîíèòîðèíãå òîæå ïåðèîäè÷åñêè offline:confused:

Âîò ëîã:

Mar 10 20:01:43 kernel: DROP IN=ppp0 OUT=br0 SRC=81.243.218.33 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=50 ID=39119 PROTO=UDP SPT=4222 DPT=27015 LEN=33
Mar 10 20:01:43 kernel: DROP IN=ppp0 OUT=br0 SRC=87.116.229.39 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=122 ID=29440 PROTO=UDP SPT=1246 DPT=27015 LEN=33
Mar 10 20:01:43 kernel: DROP IN=ppp0 OUT=br0 SRC=77.241.45.102 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=116 ID=44168 PROTO=UDP SPT=4988 DPT=27016 LEN=33
Mar 10 20:01:43 kernel: DROP IN=ppp0 OUT=br0 SRC=77.241.45.102 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=116 ID=44169 PROTO=UDP SPT=4989 DPT=27016 LEN=33
Mar 10 20:01:43 kernel: DROP IN=ppp0 OUT=br0 SRC=216.165.55.148 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=51 ID=620 PROTO=UDP SPT=50105 DPT=27015 LEN=33
Mar 10 20:01:43 kernel: DROP IN=ppp0 OUT=br0 SRC=201.243.51.133 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=112 ID=19284 PROTO=UDP SPT=49602 DPT=27016 LEN=33
Mar 10 20:01:43 kernel: DROP IN=ppp0 OUT=br0 SRC=83.10.9.192 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=117 ID=5594 PROTO=UDP SPT=1194 DPT=27015 LEN=33
Mar 10 20:01:43 kernel: DROP IN=ppp0 OUT=br0 SRC=83.10.9.192 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=117 ID=5595 PROTO=UDP SPT=1194 DPT=27016 LEN=33
Mar 10 20:01:43 kernel: DROP IN=ppp0 OUT=br0 SRC=95.133.224.169 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=117 ID=52473 PROTO=UDP SPT=28211 DPT=27016 LEN=33
Mar 10 20:01:43 kernel: DROP IN=ppp0 OUT=br0 SRC=201.26.4.73 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=112 ID=7266 PROTO=UDP SPT=1243 DPT=27015 LEN=33
Mar 10 20:01:43 kernel: DROP IN=ppp0 OUT=br0 SRC=195.182.194.1 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=120 ID=21160 PROTO=UDP SPT=56304 DPT=27015 LEN=33
Mar 10 20:01:43 kernel: DROP IN=ppp0 OUT=br0 SRC=92.100.123.3 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=119 ID=45026 PROTO=UDP SPT=2794 DPT=27016 LEN=33
Mar 10 20:01:43 kernel: DROP IN=ppp0 OUT=br0 SRC=212.1.94.99 DST=192.168.1.21 LEN=40 TOS=0x00 PREC=0x00 TTL=114 ID=35361 PROTO=UDP SPT=10958 DPT=27015 LEN=20
Mar 10 20:01:43 kernel: DROP IN=ppp0 OUT=br0 SRC=80.108.162.149 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=116 ID=481 PROTO=UDP SPT=1041 DPT=27016 LEN=33
Mar 10 20:01:44 kernel: DROP IN=ppp0 OUT=br0 SRC=77.241.45.102 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=116 ID=44170 PROTO=UDP SPT=4990 DPT=27016 LEN=33
Mar 10 20:01:44 kernel: DROP IN=ppp0 OUT=br0 SRC=77.241.45.102 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=116 ID=44171 PROTO=UDP SPT=4991 DPT=27016 LEN=33
Mar 10 20:01:44 kernel: DROP IN=ppp0 OUT=br0 SRC=89.34.16.215 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=115 ID=58306 PROTO=UDP SPT=1445 DPT=27015 LEN=33
Mar 10 20:01:44 kernel: DROP IN=ppp0 OUT=br0 SRC=94.178.183.145 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=118 ID=14994 PROTO=UDP SPT=2303 DPT=27016 LEN=33
Mar 10 20:01:44 kernel: DROP IN=ppp0 OUT=br0 SRC=89.178.240.161 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=121 ID=60380 PROTO=UDP SPT=2529 DPT=27016 LEN=33
Mar 10 20:01:44 kernel: DROP IN=ppp0 OUT=br0 SRC=94.31.237.5 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=119 ID=25854 PROTO=UDP SPT=1051 DPT=27016 LEN=33
Mar 10 20:01:44 kernel: DROP IN=ppp0 OUT=br0 SRC=79.118.177.35 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=120 ID=20680 PROTO=UDP SPT=1195 DPT=27016 LEN=33
Mar 10 20:01:44 kernel: DROP IN=ppp0 OUT=br0 SRC=81.30.195.109 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=120 ID=28563 PROTO=UDP SPT=62380 DPT=27016 LEN=33
Mar 10 20:01:44 kernel: DROP IN=ppp0 OUT=br0 SRC=95.71.7.39 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=119 ID=15882 PROTO=UDP SPT=1546 DPT=27016 LEN=33
Mar 10 20:01:44 kernel: DROP IN=ppp0 OUT=br0 SRC=81.236.253.32 DST=192.168.1.21 LEN=53 TOS=0x10 PREC=0x20 TTL=118 ID=8750 PROTO=UDP SPT=58170 DPT=27016 LEN=33
Mar 10 20:01:44 kernel: DROP IN=ppp0 OUT=br0 SRC=81.236.253.32 DST=192.168.1.21 LEN=53 TOS=0x10 PREC=0x20 TTL=118 ID=8813 PROTO=UDP SPT=58170 DPT=27015 LEN=33

Ïîäñêàæèòå, ÷òî íå òàê?

À ÷òî íå òàê, âñ¸ òàê.
Ïàêåòû äðîïàåò ïðåäïîëîæûòåëüíî âîò åòî ïðàâèëî:

-A SECURITY -p udp -m limit --limit 5/sec -j RETURN

Íî òàê êàê Âû íå ïîêàçàëè ïðàâèëà

iptables-save

Ìû ìîæåì òîëüêî äîãàäûâàòüñÿ...

Ëèáî äîáàâòå ïðàâèëî â öåïî÷êó FORWARD ëèáî â SECURITY.

Âîò ïðàâèëà:

[kom1@WL root]$ iptables-save
# Generated by iptables-save v1.2.7a on Tue Mar 10 21:36:19 2009
*nat
:PREROUTING ACCEPT [6242:1251443]
:POSTROUTING ACCEPT [32422:1719192]
:OUTPUT ACCEPT [727:44423]
:VSERVER - [0:0]
-A PREROUTING -d âûäåëëåííûé èï -j VSERVER
-A PREROUTING -d 10.27.67.222 -j VSERVER
-A PREROUTING -d âûäåëëåííûé èï -p udp -m udp --sport 6112 -j NETMAP --to 192.168
1.0/24
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -p udp -m udp --dport 6112 -j NETMA
--to âûäåëëåííûé èï/32
-A POSTROUTING -s ! âûäåëëåííûé èï -o ppp0 -j MASQUERADE
-A POSTROUTING -s ! 10.27.67.222 -o vlan1 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o br0
-j MASQUERADE
-A VSERVER -p tcp -m tcp --dport 15055 -j DNAT --to-destination 192.168.1.22:15
55
-A VSERVER -p udp -m udp --dport 15055 -j DNAT --to-destination 192.168.1.22:15
55
-A VSERVER -p tcp -m tcp --dport 29636 -j DNAT --to-destination 192.168.1.22:29
36
-A VSERVER -p udp -m udp --dport 14436 -j DNAT --to-destination 192.168.1.22:14
36
-A VSERVER -p tcp -m tcp --dport 8500 -j DNAT --to-destination 192.168.1.22:850

-A VSERVER -p udp -m udp --dport 29636 -j DNAT --to-destination 192.168.1.22:29
36
-A VSERVER -p tcp -m tcp --dport 29426 -j DNAT --to-destination 192.168.1.22:29
26
-A VSERVER -p udp -m udp --dport 29426 -j DNAT --to-destination 192.168.1.22:29
26
-A VSERVER -p tcp -m tcp --dport 27015 -j DNAT --to-destination 192.168.1.21:27
15
-A VSERVER -p udp -m udp --dport 27015 -j DNAT --to-destination 192.168.1.21:27
15
-A VSERVER -p tcp -m tcp --dport 27020 -j DNAT --to-destination 192.168.1.21:27
20
-A VSERVER -p udp -m udp --dport 27020 -j DNAT --to-destination 192.168.1.21:27
20
-A VSERVER -p tcp -m tcp --dport 21380 -j DNAT --to-destination 192.168.1.21:22
-A VSERVER -p udp -m udp --dport 21380 -j DNAT --to-destination 192.168.1.21:22
-A VSERVER -p tcp -m tcp --dport 21381 -j DNAT --to-destination 192.168.1.21:59
0
-A VSERVER -p udp -m udp --dport 21381 -j DNAT --to-destination 192.168.1.21:59
0
-A VSERVER -p tcp -m tcp --dport 27016 -j DNAT --to-destination 192.168.1.21:27
16
-A VSERVER -p udp -m udp --dport 27016 -j DNAT --to-destination 192.168.1.21:27
16
-A VSERVER -p tcp -m tcp --dport 20:21 -j DNAT --to-destination 192.168.1.21:21
-A VSERVER -p tcp -m tcp --dport 27015 -j DNAT --to-destination 192.168.1.21:27
15
-A VSERVER -p tcp -m tcp --dport 27016 -j DNAT --to-destination 192.168.1.21:27
16
-A VSERVER -j DNAT --to-destination 192.168.1.21
COMMIT
# Completed on Tue Mar 10 21:36:19 2009
# Generated by iptables-save v1.2.7a on Tue Mar 10 21:36:19 2009
*mangle
:PREROUTING ACCEPT [11979785:1146731919]
:INPUT ACCEPT [14621:2209339]
:FORWARD ACCEPT [11960817:1143415849]
:OUTPUT ACCEPT [14743:4566681]
:POSTROUTING ACCEPT [11903476:1145211130]
COMMIT
# Completed on Tue Mar 10 21:36:19 2009
# Generated by iptables-save v1.2.7a on Tue Mar 10 21:36:19 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [1444:69594]
:OUTPUT ACCEPT [14657:4551695]
:MACS - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -m state --state INVALID -j logdrop
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -d 224.0.0.0/240.0.0.0 -p 2 -j ACCEPT
-A INPUT -d 224.0.0.0/240.0.0.0 -p udp -m udp ! --dport 1900 -j ACCEPT
-A INPUT -i ppp0 -m state --state NEW -j SECURITY
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -j logdrop
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -d 224.0.0.0/240.0.0.0 -p udp -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j TCPMSS --clamp-mss-to-p
tu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ! br0 -o ppp0 -j logdrop
-A FORWARD -i ! br0 -o vlan1 -j logdrop
-A FORWARD -i ! br0 -m state --state NEW -j SECURITY
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j
RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/se
-j RETURN
-A SECURITY -p udp -m limit --limit 5/sec -j RETURN
-A SECURITY -p icmp -m limit --limit 5/sec -j RETURN
-A SECURITY -j logdrop
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-seque
ce --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence
-log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Tue Mar 10 21:36:19 2009

ß â linux íîâè÷åê:(

Íàøåë:

-A SECURITY -p udp -m limit --limit 5/sec -j RETURN
-A SECURITY -p icmp -m limit --limit 5/sec -j RETURN

Óâåëè÷èòü âðåìÿ?

Äîáàâòå


iptables -I FORWARD 3 -i vlan7 -p tcp --dport 27015 -d 192.168.1.21 -j ACCEPT
iptables -I FORWARD 4 -i vlan7 -p udp --dport 27015 -d 192.168.1.21 -j ACCEPT



iptables -I FORWARD 3 - îçíà÷àåò ÷òî ïðàâèëî áóäåò ïîä ¹3 â öåïî÷êå FORWARD ïîñëå åòèõ ïðàâèë

-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j logdrop

iptables -I FORWARD 3 -i vlan7 -p tcp --dport 27015 -d 192.168.1.21 -j ACCEPT
iptables -I FORWARD 4 -i vlan7 -p udp --dport 27015 -d 192.168.1.21 -j ACCEPT

reboot

Ðåçóëüòàò:

Jan 1 03:00:16 kernel: DROP IN=ppp0 OUT=br0 SRC=81.88.114.134 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=120 ID=38699 PROTO=UDP SPT=4321 DPT=27015 LEN=33
Jan 1 03:00:16 kernel: DROP IN=ppp0 OUT=br0 SRC=193.110.113.78 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=120 ID=1964 PROTO=UDP SPT=1429 DPT=27015 LEN=33
Jan 1 03:00:16 kernel: DROP IN=ppp0 OUT=br0 SRC=201.27.46.211 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=112 ID=41740 PROTO=UDP SPT=60451 DPT=27016 LEN=33
Jan 1 03:00:16 kernel: DROP IN=ppp0 OUT=br0 SRC=95.52.123.154 DST=192.168.1.21 LEN=57 TOS=0x00 PREC=0x00 TTL=120 ID=28316 PROTO=UDP SPT=27005 DPT=27016 LEN=37
Jan 1 03:00:16 kernel: DROP IN=ppp0 OUT=br0 SRC=122.162.115.157 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=114 ID=1057 PROTO=UDP SPT=1074 DPT=27016 LEN=33
Jan 1 03:00:16 kernel: DROP IN=ppp0 OUT=br0 SRC=95.52.123.154 DST=192.168.1.21 LEN=57 TOS=0x00 PREC=0x00 TTL=120 ID=28317 PROTO=UDP SPT=27005 DPT=27016 LEN=37
Jan 1 03:00:16 kernel: DROP IN=ppp0 OUT=br0 SRC=81.88.114.134 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=120 ID=38700 PROTO=UDP SPT=4322 DPT=27015 LEN=33
Jan 1 03:00:16 kernel: DROP IN=ppp0 OUT=br0 SRC=89.200.227.100 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=116 ID=14652 PROTO=UDP SPT=2077 DPT=27016 LEN=33
Jan 1 03:00:16 kernel: DROP IN=ppp0 OUT=br0 SRC=95.52.123.154 DST=192.168.1.21 LEN=57 TOS=0x00 PREC=0x00 TTL=120 ID=28318 PROTO=UDP SPT=27005 DPT=27016 LEN=37
Jan 1 03:00:16 kernel: DROP IN=ppp0 OUT=br0 SRC=189.73.252.57 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=115 ID=41779 PROTO=UDP SPT=2470 DPT=27015 LEN=33
Jan 1 03:00:16 kernel: DROP IN=ppp0 OUT=br0 SRC=81.88.114.134 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=120 ID=38703 PROTO=UDP SPT=4324 DPT=27015 LEN=33
Jan 1 03:00:16 kernel: DROP IN=ppp0 OUT=br0 SRC=78.58.80.253 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=122 ID=56840 PROTO=UDP SPT=1647 DPT=27015 LEN=33
Jan 1 03:00:16 kernel: DROP IN=ppp0 OUT=br0 SRC=95.52.123.154 DST=192.168.1.21 LEN=57 TOS=0x00 PREC=0x00 TTL=120 ID=28320 PROTO=UDP SPT=27005 DPT=27016 LEN=37
Jan 1 03:00:16 kernel: DROP IN=ppp0 OUT=br0 SRC=95.52.123.154 DST=192.168.1.21 LEN=57 TOS=0x00 PREC=0x00 TTL=120 ID=28321 PROTO=UDP SPT=27005 DPT=27016 LEN=37
Jan 1 03:00:17 kernel: DROP IN=ppp0 OUT=br0 SRC=193.110.113.78 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=120 ID=2120 PROTO=UDP SPT=1429 DPT=27016 LEN=33
Jan 1 03:00:17 kernel: DROP IN=ppp0 OUT=br0 SRC=95.52.123.154 DST=192.168.1.21 LEN=55 TOS=0x00 PREC=0x00 TTL=120 ID=28322 PROTO=UDP SPT=27005 DPT=27016 LEN=35
Jan 1 03:00:17 kernel: DROP IN=ppp0 OUT=br0 SRC=95.37.107.80 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=119 ID=45746 PROTO=UDP SPT=1638 DPT=27016 LEN=33
Jan 1 03:00:17 kernel: DROP IN=ppp0 OUT=br0 SRC=77.54.79.15 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=106 ID=7567 PROTO=UDP SPT=1150 DPT=27016 LEN=33
Jan 1 03:00:17 kernel: DROP IN=ppp0 OUT=br0 SRC=95.52.123.154 DST=192.168.1.21 LEN=55 TOS=0x00 PREC=0x00 TTL=120 ID=28323 PROTO=UDP SPT=27005 DPT=27016 LEN=35
Jan 1 03:00:17 kernel: DROP IN=ppp0 OUT=br0 SRC=201.27.46.211 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=112 ID=41775 PROTO=UDP SPT=60451 DPT=27015 LEN=33
Jan 1 03:00:17 kernel: DROP IN=ppp0 OUT=br0 SRC=77.54.79.15 DST=192.168.1.21 LEN=53 TOS=0x00 PREC=0x00 TTL=106 ID=7579 PROTO=UDP SPT=1150 DPT=27015 LEN=33
Jan 1 03:00:17 kernel: DROP IN=ppp0 OUT=br0 SRC=81.88.114.134 DST=192.168.1.21 LEN=51 TOS=0x00 PREC=0x00 TTL=120 ID=38712 PROTO=UDP SPT=27005 DPT=27015 LEN=31
Jan 1 03:00:17 kernel: DROP IN=ppp0 OUT=br0 SRC=95.52.123.154 DST=192.168.1.21 LEN=57 TOS=0x00 PREC=0x00 TTL=120 ID=28324 PROTO=UDP SPT=27005 DPT=27016 LEN=37

Îáÿñíþ ó Âàñ WAN èíòåðôåéñîì åñòü ppp0 ÿ äàë Âàì ïðèìåð.

À òåïåðü ïî ñóòè äîáàâòå â ôàéë /usr/local/sbin/post-firewall


# Äëÿ ñåðâåðà cs1
iptables -t nat -I PREROUTING -i ppp0 -p tcp --dport 27015 -j DNAT --to-destination 192.168.1.21:27015
iptables -t nat -I PREROUTING -i ppp0 -p udp --dport 27015 -j DNAT --to-destination 192.168.1.21:27015
iptables -I FORWARD 3 -i ppp0 -p tcp --dport 27015 -d 192.168.1.21 -j ACCEPT
iptables -I FORWARD 4 -i ppp0 -p udp --dport 27015 -d 192.168.1.21 -j ACCEPT
# Äëÿ ñåðâåðà cs2
iptables -t nat -I PREROUTING -i ppp0 -p tcp --dport 27016 -j DNAT --to-destination 192.168.1.21:27016
iptables -t nat -I PREROUTING -i ppp0 -p udp --dport 27016 -j DNAT --to-destination 192.168.1.21:27016
iptables -I FORWARD 5 -i ppp0 -p tcp --dport 27016 -d 192.168.1.21 -j ACCEPT
iptables -I FORWARD 6 -i ppp0 -p udp --dport 27016 -d 192.168.1.21 -j ACCEPT


Íå çàáóäüòå âûïîëíèòü flashfs save && flashfs commit && flashfs enable

Èçâèíèòå çà ãëóïûé âîïðîñ, à ìîæåò Âàì íóæåí ðåæèì Router?

ðîóòåð ðàáîòàåò â ðåæèìå Access Point. êàê â òàêîì ñëó÷àå ñäåëàòü ÷òîáû ðàáîòàë iptables? ïðîïèñûâàþ íàïðèìåð ñàìûå ïðîñòûå ïðàâèëà â post-boot (ïîòîìó êàê ãîâîðÿò ÷òî post-firewall â ýòîì ðåæèìå íå îòðàáàòûâàåò)

iptables -P INPUT DROP
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp --syn --dport 22 -j ACCEPT
flashfs save && flashfs commit && flashfs enable && reboot
ïîñëå ÷åãî âîîáùå íèêàê íå ïóñêàåò, íå ÷åðåç ssh, íå ÷åðåç telnet, íèêàê âîîáùå. èëè çäåñü áåç âàðèàíòîâ è íàäî ïåðåêëþ÷àòüñÿ â ðåæèì Home Gateway (â êîòîðîì ïîíÿòíî ÷òî âñå áóäåò çàìå÷àòåëüíî)?

êñòàòè, êàê ïåðåêëþ÷èòñÿ â Home Gateway? â âåáèíòåðôåéñå ïåðåêëþ÷àþ âñå îê âðîäå ïîêàçûâàåò, íî âèäíî ÷òî íà ñàìîì äåëå íè÷åãî íå ñðàáàòûâàåò è ïîñëå ïåðåçàãðóçêè âñå îïÿòü êàê áûëî â ðåæèìå Access Point.

Åù¸ áû îí âàñ ïóñòèë, ñ òàêèìè-òî ïðàâèëàìè. Âû çàïðåòèëè âåñü âõîäÿùèé òðàôèê êðîìå ïåðâîãî (syn) ïàêåòà tcp-ñîåäèíåíèÿ íà 22 ïîðò. Ïåðâûé ïàêåò îí ïðîïóñêàåò, à îñòàëüíûå ñáðàñûâàåò. Òàêèå äåëà. Ïîäñêàçêà:


iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


À ïåðåêëþ÷åíèå ðåæèìîâ èùèòå íà ñòðàíèöå System Setup - Operation Mode.

çà ïîäñêàçêó êîíå÷íî ñïàñèáî. åñëè íå âäàâàòüñÿ â îïöèè iptables, ñõîäó, åùå êîãäà ñ ñàìîãî íà÷àëà âñå íàñòðàèâàë âñòðåòèë ïðàâèëî

iptables -A INPUT -p tcp --syn --dport 22 -j ACCEPT
ýòî ÿêîáû äëÿ òîãî, ÷òîáû ssh íàðóæó îòêðûòü. åãî è ïðîïèñàë.
à âîò òàêîå ïðàâèëî íèæå - çäåñü ïîäîáíîãî íèãäå íå âñòðå÷àë

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
íó ýòîãî òàê, îòâëåêëèñü íåìíîãî. à ðàçâå íå äîñòàòî÷íî áóäåò ïðîñòî

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

À ïåðåêëþ÷åíèå ðåæèìîâ èùèòå íà ñòðàíèöå System Setup - Operation Mode.
íåò íó ñ ýòèì òî âñå ïîíÿòíî=) òîëüêî ïðîñòîå ïåðåêëþ÷åíèå ðåæèìà íå ñðàáàòûâàåò.

ivantest, ïðÿìîå ïåðåêëþ÷åíèå ðåæèìà ñðàáàòûâàåò, åñëè Âû ïîòðóäèòåñü ïîñëå ïåðåêëþ÷åíèÿ è íàæèìàíèÿ "Apply" çàéòè íà ëþáóþ ñòðàíèöó â íàñòðîéêàõ, ãäå åñòü êíîïêà "Finish" è òàêè íàæàòü ýòó êíîïêó.

à âîò òàêîå ïðàâèëî íèæå - çäåñü ïîäîáíîãî íèãäå íå âñòðå÷àë

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


Ýòî ïîòîìó ÷òî îíî ïî óìîë÷àíèþ â ðîóòåðå åñòü (â ðåæèìå home gateway). À ó âàñ òàáëèöû ÷èñòûå è íè÷åãî íåò. Ýòè 2 ïðàâèëà, â îáùåì-òî, ïåðâûì äåëîì äîáàâëÿþò:


iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP

Ïåðâîå ðàçðåøàåò ïðîõîæäåíèå ïàêåòîâ, ñâÿçàííûõ ñ óñòàíîâëåííûìè ñîåäèíåíèÿìè (òàêèõ ïàêåòîâ - áîëüøèíñòâî). Âòîðîå îòáðàñûâàåò ïàêåòû, ïðèíàäëåæíîñòü êîòîðûõ íåâîçìîæíî îïðåäåëèòü.
À âîò ïîñëå óæå äîáàâëÿþò ïðàâèëà, ñâÿçàííûå ñ óñòàíîâëåíèåì íîâûõ ñîåäèíåíèé.




íó ýòîãî òàê, îòâëåêëèñü íåìíîãî. à ðàçâå íå äîñòàòî÷íî áóäåò ïðîñòî

iptables -A INPUT -p tcp --dport 22 -j ACCEPT


Ýòîãî áóäåò äîñòàòî÷íî, íî ýòèì âû ëèøèòå ôàåðâîëë îäíîé èç ñàìûõ áîëüøèõ ôè÷ - íàáëþäåíèÿ çà ñîñòîÿíèåì ñîåäèíåíèé.

Ïîñîâåòóéòå ïîæàëóéñòà êàê íàñòðîèòü ôàåðâîëë äëÿ çàùèòû îò àòàê òèïà SYN ping è òàê äàëåå

Êîãäàòî äàâíî ñêà÷àë ñ èíåòà (îòêóäà òî÷íî íå ïîìíþ...)

à âêëþ÷èòü â âåá èíòåðôåéñå Enable DoS protection íå êàòèò?

Êîãäàòî äàâíî ñêà÷àë ñ èíåòà (îòêóäà òî÷íî íå ïîìíþ...)

Îñîáåííî õîðîøî â ýòîì ñêðèïòå ñìîòðèòñÿ ñòðî÷êà


echo 0 > /proc/sys/net/ipv4/ip_forward

(ó íàñ ðîóòåð èëè êàê?)

Îñîáåííî õîðîøî â ýòîì ñêðèïòå ñìîòðèòñÿ ñòðî÷êà


echo 0 > /proc/sys/net/ipv4/ip_forward

(ó íàñ ðîóòåð èëè êàê?)

À ÿ ÷òî ñêàçàë ÷òî ñêðèïò ïîä ðîóòåð íàïèñàí, èëè ÷òî ýòî ïàíàöåÿ?
Âûëîæûë òàê êàê ñêà÷àë! :mad:

À âîîáùå îò "ïðàâèëüíîãî" DDoS-a çàùèòû ôàêòè÷èñêè íåòó òîëüêî èíòåðôåéñ â down ñ IP êîòîðûé áîìáÿò (âàðèàíò áëîêèðîâêè ïîäñåòåé ñ êîòîðûõ áîìáÿò îïÿòü æå íå âûõîä, åñëè ýòî "áîò ñåòü").

iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

Íå ñîâñåì îò àòàê,íî òîæå ïîëåçíî.

Âèäåë ãäå-òî íà ôîðóìå òðåä ïðî çàùèòó SSH îò ïåðåáîðà ïàðîëåé, î ïåðåíàïðàâëåíèè ïîðòîâ è ïðî÷èõ èíòåðåñíîñòÿõ.. ñåé÷àñ íàéòè íå ìîãó, âûëîæèòå ñþäà, ïîæàëóéñòà, åñëè ó êîãî ñîõðàíèëîñü..:rolleyes:

Âèäåë ãäå-òî íà ôîðóìå òðåä ïðî çàùèòó SSH îò ïåðåáîðà ïàðîëåé, î ïåðåíàïðàâëåíèè ïîðòîâ è ïðî÷èõ èíòåðåñíîñòÿõ.. ñåé÷àñ íàéòè íå ìîãó, âûëîæèòå ñþäà, ïîæàëóéñòà, åñëè ó êîãî ñîõðàíèëîñü..:rolleyes:

Ñìîòðåòü òóò (http://wl500g.info/showthread.php?t=11436&page=1)

À ðàçâå âîò ýòîãî íå äîñòàòî÷íî



$iptables-save
...
-A SECURITY -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p udp -m limit --limit 5/sec -j RETURN
-A SECURITY -p icmp -m limit --limit 5/sec -j RETURN
-A SECURITY -j DROP
...

, êîãäà óñòàíàâëèâàåøü â âåá ìîðäå
Internet Firewall - Basic Config/Enable Firewall? - YES
Internet Firewall - Basic Config/Enable DoS protection? - YES

À ðàçâå âîò ýòîãî íå äîñòàòî÷íî



$iptables-save
...
-A SECURITY -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p udp -m limit --limit 5/sec -j RETURN
-A SECURITY -p icmp -m limit --limit 5/sec -j RETURN
-A SECURITY -j DROP
...

, êîãäà óñòàíàâëèâàåøü â âåá ìîðäå
Internet Firewall - Basic Config/Enable Firewall? - YES
Internet Firewall - Basic Config/Enable DoS protection? - YES

Äëÿ ÷åãî íå äîñòàòî÷íî? Òî ÷òî Âû óêàçàëè çàùèòà îò flood-à (ïåðâûå äâå ñòðî÷êè îò SYN, FYN, 3-udp, 4-icmp).

Àãà, ïîíÿòíî flood - ðàçíîâèäíîñòü DoS àòàêè http://ru.wikipedia.org/wiki/DDoS.

ýòè 4 ñòðîêè è åñòü çàùèòà îò DoS

à âîò ýòî:


Âèäåë ãäå-òî íà ôîðóìå òðåä ïðî çàùèòó SSH îò ïåðåáîðà ïàðîëåé, î ïåðåíàïðàâëåíèè ïîðòîâ è ïðî÷èõ èíòåðåñíîñòÿõ.. ñåé÷àñ íàéòè íå ìîãó, âûëîæèòå ñþäà, ïîæàëóéñòà, åñëè ó êîãî ñîõðàíèëîñü..

íàçûâàåòñÿ brute force

è îò íåå çàùèòó ìîæíî ñäåëàòü âðó÷íóþ, ïî ññûëêå Less, ëèáî åñëè èñïîëüçóåòñÿ 1.9.2.7-d ñòàðøå r156, òî ýòó çàùèòó ìîæíî âêëþ÷èòü è â âåá-èíòåðôåéñå

Ðåáÿò, ïîìîãèòå.
äàíî:
íà ðîóòåð ïîñòåäâòâîì ssh òóííåëÿ ïðèõîäèò ïîðò 8877
íà ðîóòåðå "ñëóøàåòñÿ" ïîðò 8877 òîëüêî íà 127.0.0.1
íà ðîóòåðå, íà 192.168.1.1 ýòîò æå ïîðò íå "ñëóøàåòñÿ"

âîò âûâîä netstat -lnt | grep 8877

netstat -lnt | grep 8877
tcp 0 0 127.0.0.1:8877 0.0.0.0:* LISTEN
tcp 0 0 ::1:8877 :::* LISTEN
èç êîíñîëè íà ðîóòåðå òåëíåòîì íà 127,0,0,1 8877 òîæå çàõîäèòñÿ.
íàñòðîéêè iptables ñòàíäàðòíûå äåôîëòíûå ñ ïðîøèâêîé îò Îëåãà 10.7

Õî÷ó ñäåëàòü òàê, ÷òîáû ðàáîòàëî ïåðåíàïðàâëåíèå ñ 192.168.1.1:8877 íà 127.0.0.1:8877 èç LAN ñåòè, ñ ëþáîãî èç êîìïîâ èç äèàïàçîíà (192.168.1.2-192.168.1.255) áûë äîñòóï ê 192.168.0.1 8877 ïðòó íà ðîóòåðå.

êàê íàçíà÷èòü ïåðåíàïðàâëåíèå ñ 192.168.1.1:8877 íà 127.0.0.1:8877

ïðîáîâàë

iptables -t nat -A PREROUTING -p tcp -d 192.168.1.1 --dport 8877 -j DNAT --to-destination 127.0.0.1:8877
ðåçóëüòàò íîëü. òåëíåòîì íà 192.168.1.1. 8877 íå çàéäåøü.

åùå ðàç âîïðîñ - êàê íàçíà÷èòü ïåðåíàïðàâëåíèå ñ 192.168.1.1:8877 íà 127.0.0.1:8877

Âîò òàê

iptables -A INPUT -p tcp -d 192.168.1.1 --dport 8877 -j ACCEPT

Òîëüêî ñòðàííî ÷òî íå ïóñêàåò ñ âíóòðè ñåòè.

Äàéòå âûâîä

iptables-save -t filter

Âîò òàê

iptables -A INPUT -p tcp -d 192.168.1.1 --dport 8877 -j ACCEPT

Òîëüêî ñòðàííî ÷òî íå ïóñêàåò ñ âíóòðè ñåòè.

Äàéòå âûâîä

iptables-save -t filter

ïîïðîáîâàë òî ÷òî âû ïîñîâåòûâàëè - íå ïîìîãëî.
âîò ptables-save -t filter

# Generated by iptables-save v1.2.7a on Wed Mar 25 09:27:08 2009
*filter
:INPUT DROP [8:2029]
:FORWARD ACCEPT [12:624]
:OUTPUT ACCEPT [883:111623]
:MACS - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22888 -j ACCEPT
-A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 8877 -j ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ! br0 -o ppp0 -j DROP
-A FORWARD -i ! br0 -o vlan1 -j DROP
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -o br0 -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p udp -m limit --limit 5/sec -j RETURN
-A SECURITY -p icmp -m limit --limit 5/sec -j RETURN
-A SECURITY -j DROP
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Wed Mar 25 09:27:08 2009

Äàæå åñëè ïîëèòèêó äëÿ INPUT äåëàþ ACCEPT âñå ðàâíî íå ðàáîòàåò.


telnet 192.168.1.1 8877
telnet: Unable to connect to remote host (192.168.1.1): Connection refused

ïðîáîâàë SNAT â îáðàòíóþ ñòîðîíó. íå ïîìîãëî


iptables -t nat -I POSTROUTING -p tcp -s 127.0.0.1 --sport 8877 -j SNAT --to-source 192.168.1.1:8877

âîò òàêîé âîò âûâîä iptables -L -t nat


Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere my_router tcp dpt:8877 to:127.0.0.1:8877
VSERVER all -- anywhere brv.vzletka.net
VSERVER all -- anywhere brv.vzletka.net

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT tcp -- localhost.localdomain anywhere tcp spt:8877 to:192.168.1.1:8877
MASQUERADE all -- !brv.vzletka.net anywhere
MASQUERADE all -- !brv.vzletka.net anywhere
MASQUERADE all -- 192.168.1.0/24 192.168.1.0/24

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain VSERVER (2 references)
target prot opt source destination

ïî ïðåæíåìó íå ìîãó äîáèòüñÿ öåëè
æäó ïîìîùè

×òî ó Âàñ íà òîì ïîðòó?

SNAT, DNAT - ýòî èçâðàò èìõî.

Ïîïðîáóéòå îòêëþ÷èòü firewall, îòêëþ÷èòå êàáåëü îò WAN ïîðòà è íàáåðèòå

iptables -t nat -F
iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

È ïðîòåñòèðóéòå åñëè ðàáîòàåò, óæå õîðîøî.

Ïåðåãðóçèòå ðîóòåð ïðàâèëà âîñòàíîâëÿòñÿ.

Îòïèøûòåñü.

Ðàçîáðàëñÿ ñàì.
Ñïàñèáî âñåì êòî îòîçâàëñÿ.

Îáúÿñíÿþ:
ïðîáëåìà ñîñòîÿëà â òîì ÷òî íà ðîóòåðå èíòåðôåéñ 127.0.0.1 ñëóøàë ïîðò 8877
à èíòåðôåéñ 192.168.1.1 òîòæå ïîðò íå ñëóøàë.

Ïîýòîìó ÿ ïûòàëñÿ íàñòðîèòü ïåðåíåçíà÷åíèå ïîðòîâ.

Âîðîñ:
÷òî ñèäåëî ó ìåíÿ íà 127.0.0.1:8877
Îòâåò îáðàòíûé ññø òóííåëü, îòïðàâëåííûé ñ êîìïà íà ðàáîòå.
òèïà òàê

ssh -R *:8877:work_comp:4555 home_comp

Îêàçàëîñü ÷òî íåñìîòðÿ íà *:8877 â êîìàíäå çàïóñêà ññø (íàçíà÷åíèå ïîðòà 8877 íà ÂÑÅ èíòåðôåéñû ðîóòåðà) , ñåðâåð dropbear íå óìååò íàçíà÷àòü ïðèøåäøèé ïî ññø òóííåëþ ïîðò, âñåì èíòåðôåéñàì ðîóòåðà.

Ïðîáëåìó ðåøèë ïîñòàâèâ sshd. îí ïîëíîöåííî óìååò íàçíà÷àòü ïðèøåäøèé ïî ññø òóííåëþ ïîðò, ëþáîìó èíòåðôåéñó ðîóòåðà.

Имеется роутер wl500gp v2 с белым ip адресом.

Во внутренний сети на адресе 192.168.0.99 порт 8081 сидит сервер обновлений нод.

В virtual server добавил правило, чтобы можно было обновляться из вне.

Все работает, но обновиться можно с любого компа из вне, а хочется чтоб только с определенного адреса. Содержание post-firewall:

#!/bin/sh
iptables -P INPUT DROP
# remove last default rule
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp --syn --dport 24853 -j ACCEPT
iptables -A INPUT -p 91.143.0.5 -s --dport 8081 -j ACCEPT


Хочу обновляться только вот с этого адреса 91.143.0.5, но обновляется с любых внешних :(
Спасибо большое и не пинайте сильно, я только начинаю разбираться.

iptables -A INPUT -p 91.143.0.5 -s --dport 8081 -j ACCEPT

-p ÏÐÎÒÎÊÎË, à íå IP
-s ÈÑÒÎ×ÍÈÊ, à íå ïóñòî

èç INPUT ýòî ÷óäî ìîæåòå óáðàòü ñðàçó è èç âèðòóàëüíîãî ñåðâåðà ïðàâèëî òîæå óáåðèòå

ïîïðîáóéòå òàêîé âàðèàíò:

iptables -A VSERVER -p tcp -m tcp --dport 8081 -s 91.143.0.5 -j DNAT --to-destination 192.168.0.99:8081

èç INPUT ýòî ÷óäî ìîæåòå óáðàòü ñðàçó è èç âèðòóàëüíîãî ñåðâåðà ïðàâèëî òîæå óáåðèòå

ïîïðîáóéòå òàêîé âàðèàíò:

iptables -A VSERVER -p tcp -m tcp --dport 8081 -s 91.143.0.5 -j DNAT --to-destination 192.168.0.99:8081

Íå ïîëó÷àåòñÿ. Ïîñëå òîãî êàê óáðàë ïðàâèëî èç âèðòóàëüíîãî ñåðâåðà äîñòó÷àòüñÿ äî ìàøèíû â ëîêàëüíîé ñåòè íå ìîæåò.
post-firewall
#!/bin/sh
iptables -P INPUT DROP
# remove last default rule
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp --syn --dport 24853 -j ACCEPT
iptables -A VSERVER -p tcp -m tcp --dport 8081 -s 91.143.0.5 -j DNAT --to-destination 192.168.0.99:8081

à ÷òî êàæåò iptables-save

à ÷òî êàæåò iptables-save

# Generated by iptables-save v1.2.7a on Wed Apr 1 15:15:59 2009
*nat
:PREROUTING ACCEPT [1479:109695]
:POSTROUTING ACCEPT [308:15578]
:OUTPUT ACCEPT [133:9992]
:VSERVER - [0:0]
-A PREROUTING -d 213.87.34.89 -j VSERVER
-A POSTROUTING -s ! 213.87.34.89 -o vlan1 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -o br0 -j MASQUERADE
-A VSERVER -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.5:80
-A VSERVER -p tcp -m tcp --dport 11406 -j DNAT --to-destination 192.168.0.59:114 06
COMMIT
# Completed on Wed Apr 1 15:15:59 2009
# Generated by iptables-save v1.2.7a on Wed Apr 1 15:15:59 2009
*mangle
:PREROUTING ACCEPT [22324:5034014]
:INPUT ACCEPT [3577:458506]
:FORWARD ACCEPT [18649:4567102]
:OUTPUT ACCEPT [2891:849025]
:POSTROUTING ACCEPT [21614:5441992]
COMMIT
# Completed on Wed Apr 1 15:15:59 2009
# Generated by iptables-save v1.2.7a on Wed Apr 1 15:15:59 2009
*filter
:INPUT DROP [328:30453]
:FORWARD ACCEPT [814:46287]
:OUTPUT ACCEPT [2164:525133]
:MACS - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -d 192.168.0.5 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 24853 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ! br0 -o vlan1 -j DROP
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -o br0 -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p udp -m limit --limit 5/sec -j RETURN
-A SECURITY -p icmp -m limit --limit 5/sec -j RETURN
-A SECURITY -j DROP
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequen ce --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence - -log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT

Âûïîëíè
iptables -L -nv è
iptables -t nat -L -nv

Ðåçóëüòàòû â ñòóäèþ.
 çàâèñèìîñòè îò òîãî ÷òî ó òåáÿ åñòü íàäî áóäåò ïèñàòü ïðèâèëà Forward è POSTROUTING ïèñàòü

sorry äîëæíî áûòü òàê:

iptables -t nat -A VSERVER -p tcp -m tcp --dport 8081 -s 91.143.0.5 -j DNAT --to-destination 192.168.0.99:8081
âîîáùå, ïðè êîììàíäû iptables ìîæíî ââîäèòü âðó÷íóþ è ãðóáûå îøèáêè îíà ñàìà äîëæíà óêàçûâàòü.

sorry äîëæíî áûòü òàê:

iptables -t nat -A VSERVER -p tcp -m tcp --dport 8081 -s 91.143.0.5 -j DNAT --to-destination 192.168.0.99:8081
âîîáùå, ïðè êîììàíäû iptables ìîæíî ââîäèòü âðó÷íóþ è ãðóáûå îøèáêè îíà ñàìà äîëæíà óêàçûâàòü.

Âî ýòî áëèæå ê òåëó :)

Ïîïðîáóé åùå òàê ÷èñòûé ôîðâàðä.

iptables -I FORWARD -p tcp -m tcp --dport 8081 -s 91.143.0.5 -d 192.168.0.99 -j ACCEPT

sorry äîëæíî áûòü òàê:

iptables -t nat -A VSERVER -p tcp -m tcp --dport 8081 -s 91.143.0.5 -j DNAT --to-destination 192.168.0.99:8081
âîîáùå, ïðè êîììàíäû iptables ìîæíî ââîäèòü âðó÷íóþ è ãðóáûå îøèáêè îíà ñàìà äîëæíà óêàçûâàòü.

Ñïàñèáî. Âñå ïîëó÷èëîñü.

Âî ýòî áëèæå ê òåëó :)

Ïîïðîáóé åùå òàê ÷èñòûé ôîðâàðä.

iptables -I FORWARD -p tcp -m tcp --dport 8081 -s 91.143.0.5 -d 192.168.0.99 -j ACCEPT

À âîò òàê ïîïðîáîâàë - íå ïîëó÷èëîñü.

Äîáðûé äåíü!
Íà ðîóòåðå íàñòðîåí âåá-ñåðâåð íà ïîðòå $P1; Õî÷ó äîáàâèòü ïðàâèëî â iptables, ÷òî áû ñîåäèíåíèÿ íà íåêîòîðûé âíåøíèé àäðåñ, $REMOTE_ADDR ïî ïîðòó http ïåðåíàïðàâëÿëèñü íà ëîêàëüíûé âåá-ñåðâåð íà ïîðò $P1; Ò.å. êîãäà ïîëüçîâàòåëü èç âíóòðåííèé ñåòè (èëè ñ ñàìîãî ðîóòåðà) îáðàùàëñÿ íà $REMOTE_ADDR, òî ïîëó÷àë ñòðàíèöó-çàòû÷êó ñ ëîêàëüíîãî âåá-ñåðâåðà.

Íà÷àë ðàçáèðàòüñÿ ñ iptables, ñâàðãàíèë òàêîå ïðàâèëî:
iptables -t nat -I OUTPUT 1 -p tcp -d $REMOTE_ADDR --dport 80 -j REDIRECT --to 127.0.0.1:$P1
äëÿ ïàêåòîâ ñ ñàìîãî ðîóòåðà

Äîëæíî áûòü òàêîå


iptables -t nat -I PREROUTING -o vlan1 -d $REMOTE_ADDR -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:$P1

Äîëæíî áûòü òàêîå


iptables -t nat -I PREROUTING -o vlan1 -d $REMOTE_ADDR -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:$P1


Íà ýòî ãîâîðèò: iptables v1.2.7a: Can't use -o with PREROUTING

È ñîãëàñíî ýòîìó ìàíóàëó http://www.opennet.ru/docs/RUS/iptables/ ïàêåòû îò ëîêàëüëíûõ ïðèëîæåíèé âîîáùå íà ïîïàäàþò â öåïî÷êó PREROUTING òàáëèöû nat.

iptables -I FORWARD -i br0 -p tcp -s ip --dport 80 -j DROP
äîáàâëÿåò ïðàâèëî
iptables -D FORWARD -i br0 -p tcp -s ip --dport 80 -j DROP
ïðàâèëî óäàëÿåòñÿ


iptables -I FORWARD -m time --timestart 9:00:00 --timestop 16:00:00 --days Mon,Tue,Wed,Thu,Fri -i br0 -p tcp -m mac --mac-source mac --dport 80 -j
DROP
Äîáàâëÿåò ïðàâèëî íî óäàëèòü ÿ åãî íå ìîãó. ×òî íå ïðàâèëüíî?

Òîò æå ïðèíöûï iptables -D

×òî ó Âàñ êîíêðåòíî íå ïîëó÷àåòñÿ, ÷òî ïèøåò â îòâåò (îøûáêà).

iptables -D FORWARD -m time --timestart 9:00:00 --timestop 16:00:00 --days Mon,Tue,Wed,Thu,Fri -i br0 -p tcp -m mac --mac-source 00:00:00:35:47:00 --dport 80 -j DROP
iptables: Bad rule (does a matching rule exist in that chain?)


×àñòü iptables -L -n

Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 TIME from 09:00:00 to 16:00:00 on Mon,Tue,Wed,Thu,Fri MAC 00:00:00:35:47:00 tcp dpt:80

÷òîáû ïîëó÷èòü ïðàâèëî â òîì âèäå â êîòîðîì iptables ïîëàãàåò, ÷òî îíî áûëî äîáàâëåíî ñäåëàéòå iptables-save

-A FORWARD -i br0 -p tcp -m time --timestart 09:00:00 --timestop 16:00:00 --days Mon,Tue,Wed,Thu,Fri -m mac --mac 00:00:00:35:47:00 -m tcp --dport 80 -j DROP

Ñòðî÷êà èç iptables-save

-A FORWARD -i br0 -p tcp -m time --timestart 09:00:00 --timestop 16:00:00 --days Mon,Tue,Wed,Thu,Fri -m mac --mac 00:00:00:35:47:00 -m tcp --dport 80 -j DROP

Ñòðî÷êà èç iptables-save

Òàê óäàëÿéòå

iptables -D FORWARD -i br0 -p tcp -m time --timestart 09:00:00 --timestop 16:00:00 --days Mon,Tue,Wed,Thu,Fri -m mac --mac 00:00:00:35:47:00 -m tcp --dport 80 -j DROP

Òàê è óäàëÿþ , íå óäàëÿåòñÿ. Ñíà÷àëà ïèøó ïðàâèëî ñ -I ïîòîì ïîâòîðÿþ ñòðî÷êó âñòàâëÿÿ -D.

Ñàìûé óíèâåðñàëüíûé ñïîñîá ýòî âûâåñòè âñå ïðàâèëà
iptables -vL $CHAIN --line-number

À ïîòîì óäàëèòü iptables -D $CHAIN $LINE_NUMBER

Òàê óäàëÿåòñÿ, íî õîòåëîcü áû ïðîñòî ñêðèïò çàïóñêàòü íà óäàëåíèå.
Êàê áû ýòî ñäåëàòü ëó÷øå?

iptables -D FORWARD -m time --timestart 9:00:00 --timestop 16:00:00 --days Mon,Tue,Wed,Thu,Fri -i br0 -p tcp -m mac --mac-source 00:00:00:35:47:00 --dport 80 -j DROP
iptables: Bad rule (does a matching rule exist in that chain?)


×àñòü iptables -L -n

Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 TIME from 09:00:00 to 16:00:00 on Mon,Tue,Wed,Thu,Fri MAC 00:00:00:35:47:00 tcp dpt:80
À ãäå ïðàâèëî äîáàâëåíèÿ áûëî ïðîïèñàíî?

Ïî ðàçíîìó ïðîáîâàë.È â post-firewall. È ðóêàìè ïðîáîâàë.

ýòî ñäåëàòü óæå ãîðàçäî ïðîùå, ïðèìåðíî òàê:

iptables -D FORWARD `iptables -nvL FORWARD --line-number | awk '/Mon,Tue,Wed,Thu,Fri/{print $1}'`

Íå ðàáîòàåò - ãäå òî îøèáêà.

îòëàäèòü ýòî --- óæå âàøà çàáîòà. Äîáåéòåñü, ÷òîáû ðàáîòàëî ñíà÷àëî ýòî (âîçìîæíî íàäî ìåíÿòü óñëîâèå ïîñëå awk ìåæäó / è /):
iptables -nvL FORWARD --line-number | awk '/Mon,Tue,Wed,Thu,Fri/{print $1}

Âìåñòî "--line-number" ëó÷øå ïèñàòü "--line-numbers", õîòÿ iptables è òàê ïîíèìàåò.

iptables -nvL FORWARD --line-number | awk '/Mon,Tue,Wed,Thu,Fri/{print $1}'

Òàê âûâîäèò ñïèñîê ïðàâèë. Íî âðîäå íå ïîíèìàåò ìíîãî ïðàâèë.

Êàê ñäåëàòü ÷òîáû íåñêîëüêî ïðàâèë óüèâàëîñü òèïà
iptables -D FORWARD 1-30
1-30 íå ðàáîòàåò.Êàê ñäåëàòü ïåðå÷èñëåíèå?

Ïðåäûñòîðèÿ òåìû: http://wl500g.info/showthread.php?t=19213&page=3

Îñòàþòñÿ âîïðîñû î ïðîèñõîæäåíèè âûäåëåííûõ ñòðîê:

1) Ïî÷åìó ðàçëè÷àåòñÿ destination â INPUT-ïðàâèëàõ ñîçäàííûõ âðó÷íóþ (äëÿ ssh) è ñïåöèàëüíûì ïóíêòîì âåáìîðäû (äëÿ http)?


[myself@usb-router root]$ iptables -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
6076 606K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
495 29700 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
2585 952K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
1 48 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.10.10.2 tcp dpt:80
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
1899 155K DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- !br0 vlan1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
0 0 DROP all -- * br0 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 9106 packets, 1605K bytes)
pkts bytes target prot opt in out source destination

Chain MACS (0 references)
pkts bytes target prot opt in out source destination

Chain SECURITY (0 references)
pkts bytes target prot opt in out source destination
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 1/sec burst 5
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5
0 0 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5
0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain logaccept (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `ACCEPT '
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `DROP '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0



2) Îòêóäà áåðóòñÿ ýòè ñòðîêè ïîñëå ïåðåçàãðóçêè ðîóòåðà? Â ïðåäûäóùåé òåìå áûëî âûñêàçàíî ïðåäïîëîæåíèå, ÷òî ýòî îñòàòêè uPnP. Êàêèì îáðàçîì îíè óìóäðÿþòñÿ ñîõðàíÿòüñÿ ïîñëå ïåðåçàãðóçîê è ïåðåêîíôèãóðàöèè èíòåðôåéñîâ èç âåáìîðäû?


[myself@usb-router root]$ iptables -L -nvt nat
Chain PREROUTING (policy ACCEPT 2017 packets, 167K bytes)
pkts bytes target prot opt in out source destination
1 48 VSERVER all -- * * 0.0.0.0/0 10.10.11.254

Chain POSTROUTING (policy ACCEPT 530 packets, 31808 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * vlan1 !10.10.11.254 0.0.0.0/0 to:10.10.11.254
0 0 SNAT all -- * br0 10.10.10.0/24 10.10.10.0/24 to:10.10.10.2

Chain OUTPUT (policy ACCEPT 530 packets, 31808 bytes)
pkts bytes target prot opt in out source destination

Chain VSERVER (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 to:10.10.10.2:80
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:18830 to:10.10.11.129:18830
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:18830 to:10.10.11.129:18830
1 48 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 to:10.10.10.2:22
[myself@usb-router root]$

Âäîãîíêó

Ïîìåíÿë âõîäÿùèé ïîðò äëÿ ssh. Ïðè÷åì ïðàâèëî NAT èçìåíèë èç âåáìîðäû, à INPUT ïîäðåäàêòèðîâàë â post-firewall èç êîíñîëè.
Ðåçóëüòàò: ÍÅ ÐÀÁÎÒÀÅÒ. Ïî÷åìó????


[myself@usb-router root]$ iptables -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
449 30310 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
7 420 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
132 41131 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22322 flags:0x16/0x02
1 48 ACCEPT tcp -- * * 0.0.0.0/0 10.10.10.2 tcp dpt:80
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
32 2714 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- !br0 vlan1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
0 0 DROP all -- * br0 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 845 packets, 637K bytes)
pkts bytes target prot opt in out source destination

Chain MACS (0 references)
pkts bytes target prot opt in out source destination

Chain SECURITY (0 references)
pkts bytes target prot opt in out source destination
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 1/sec burst 5
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5
0 0 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5
0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain logaccept (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `ACCEPT '
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `DROP '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
[myself@usb-router root]$ iptables -L -nvt nat
Chain PREROUTING (policy ACCEPT 205 packets, 16445 bytes)
pkts bytes target prot opt in out source destination
4 192 VSERVER all -- * * 0.0.0.0/0 10.10.11.254

Chain POSTROUTING (policy ACCEPT 50 packets, 3002 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * vlan1 !10.10.11.254 0.0.0.0/0 to:10.10.11.254
0 0 SNAT all -- * br0 10.10.10.0/24 10.10.10.0/24 to:10.10.10.2

Chain OUTPUT (policy ACCEPT 50 packets, 3002 bytes)
pkts bytes target prot opt in out source destination

Chain VSERVER (1 references)
pkts bytes target prot opt in out source destination
1 48 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 to:10.10.10.2:80
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:18830 to:10.10.11.129:18830
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:18830 to:10.10.11.129:18830
3 144 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22322 to:10.10.10.2:22

1) Ïî÷åìó ðàçëè÷àåòñÿ destination â INPUT-ïðàâèëàõ ñîçäàííûõ âðó÷íóþ (äëÿ ssh) è ñïåöèàëüíûì ïóíêòîì âåáìîðäû (äëÿ http)?
http://www.google.de/search?q=man+iptables

2) Îòêóäà áåðóòñÿ ýòè ñòðîêè ïîñëå ïåðåçàãðóçêè ðîóòåðà? Â ïðåäûäóùåé òåìå áûëî âûñêàçàíî ïðåäïîëîæåíèå, ÷òî ýòî îñòàòêè uPnP. Êàêèì îáðàçîì îíè óìóäðÿþòñÿ ñîõðàíÿòüñÿ ïîñëå ïåðåçàãðóçîê è ïåðåêîíôèãóðàöèè èíòåðôåéñîâ èç âåáìîðäû?
îíè õðàíÿòñÿ â nvram. Âûêëþ÷èòå upnp, ëèáî íå ñìîòðèòå òàáëèöû iptables

Ïîìåíÿë âõîäÿùèé ïîðò äëÿ ssh. Ïðè÷åì ïðàâèëî NAT èçìåíèë èç âåáìîðäû, à INPUT ïîäðåäàêòèðîâàë â post-firewall èç êîíñîëè.
Ðåçóëüòàò: ÍÅ ÐÀÁÎÒÀÅÒ. Ïî÷åìó????
http://www.google.de/search?q=man+iptables

Âñå âîïðîñû íåñîäåðæàòåëüíûå è ñòî ðàç îáñóæäåííûå. Èñêàòü ðåøåíèÿ âû íå õîòèòå. Ïî âñåì âîïðîñàì èìååì òî, ÷òî ïðîïèñàíî. Âî òðåòüåì ñëó÷àå åñëè ïðàâèëî íàïèñàíî íåïðàâèëüíî, òî ðåçóëüòàò áóäåò çàêîíîìåðíî íåïðàâèëüíûé (íî ïðè ýòîì èìåííî òàêîé, êîòîðûé ïðîïèñàí).

Âû ñâîþ íåóâàæèòåëüíóþ ïîçèöèþ ïî îòíîøåíèè ê ôîðóìó âïîëíå ÿñíî ñôîðìóëèðîâàëè â òåìå, êîòîðóþ ÿ çàêðûë. Îäíàêî, ïðè ýòîì âû íå ïîñòåñíÿëèñü ïðèéòè ñþäà ñî ñâîèìè ïðîáëåìàìè. Ïîëàãàþ çðÿ --- ýòî áóäåò òðàòà âðåìåíè îäèíàêîâî ïóñòàÿ äëÿ îáîèõ ñòîðîí.

×èñòî ïî ÷åëîâå÷åñêè ðåêîìåíäóþ ïî÷èòàòü ðóêîâîäñòâî ïî iptables, èìåþùåìó "áåçóìíûé, îòâðàòèòåëüíî äîêóìåíòèðîâàííûé ñèíòàêñèñ", ëèáî êîïèòü íà ñòîëü ëþáèìóþ âàìè öèñêó.

Äà, ÿ çëîé ñåãîäíÿ. Íî åñëè áóäóò íîâûå ïîïòûêè ïðîäîëæåíèÿ "ïàòîïñèõîëîãè÷åñêîãî" ôëåéìà --- óäàëþ òåìó íàõðåí áåç âñÿêîãî äàëüíåéøåãî ïðåäóïðåæäåíèÿ.

Ýòî òàê ñêàçàòü íà ïåðñïåêòèâó.

http://www.google.de/search?q=man+iptables

Ïî÷åìó áû Âàì, êàê ìîäåðàòîðó çäåøíåãî ôîðóìà, íå ïðèêðûòü åãî íàõðåí, âûâåñèâ âìåñòî íåãî ëþáåçíî ïðåäîñòàâëåííóþ Âàìè ññûëêó?

äàéòå ÊÎÍÊÐÅÒÍÓÞ ññûëêó ñ îòâåòîì íà ÌÎÉ âîïðîñ.
Âîïðîñ íå î çíà÷åíèè destination (ñåòêè èëè àäðåñà) - à î òîì, ÷üå ïðàâèëî ÏÐÀÂÈËÜÍÅÅ: àâòîðà ïðîøèâêè(âåáìîðäû) èëè òåõ, êòî çäåñü ïîðåêîìåíäîâàë ìíå ïîäïðàâèòü post-firewall



îíè õðàíÿòñÿ â nvram. Âûêëþ÷èòå upnp, ëèáî íå ñìîòðèòå òàáëèöû iptables

Ñïàñèáî. Ëè÷íî äëÿ ìåíÿ äîñòàòî÷íî áûëî ïåðâîãî ïðåäëîæåíèÿ èç äâóõ. Íå ñ÷èòàéòå îêðóæàþùèõ òóïåå ñåáÿ. Íî ãäå ïî Âàøåé ññûëêå îá ýòîì íàïèñàíî? :spy: Ïîäîçðåâàþ, ÷òî íèãäå.

Ôîðóìû äëÿ òîãî è ñóùåñòâóþò, ÷òîáû äåëèòüñÿ êîíêðåòíûì îïûòîì è ÊÎÍÊÐÅÒÍÛÌÈ ññûëêàìè.



Åñëè æå Âû õîòåëè ìíå óêàçàòü íà ñóùåñòâîâàíèå ìàíîâ è íåçåìíóþ ìóäðîñòü îíûõ - òî ÿ â êóðñå. Íî ïîâòîðþñü: äîêóìåíòàöèÿ â âèäå ìàíîâ, ñîïðîâîæäàåìàÿ êîðäåáàëåòîì îòñûëàëüùèêîâ ê íåé - îòâðàòèòåëüíà! Îñîáåííî íà ôîíå èíòåðàêòèâíîé ñïðàâêè netsh èëè ios.



ëèáî êîïèòü íà ñòîëü ëþáèìóþ âàìè öèñêó.


Ýòî è åñòü ÷óâñòâî íåïîëíîöåííîñòè, êîòîðîå êóëüòèâèðóåòñÿ ëèíóêñîèäàìè â íîâûõ àäåïòàõ.

Èçâèíèòå, íî ÿ íà ýòî íå ïîâåäóñü. Íèêñàìè ïîìàëåíüêî ïîëüçóþñü, âñ¸ áîëåå ïëîòíî è êâàëèôèöèðîâàííî - íî íèêàê íå îðãàçìèðóþ ïî ïîâîäó îíûõ, è íå ñîáèðàþñü óïîäîáëÿòüñÿ.


À ñîëíå÷íûå âàøè ñâÿùåííûå ìàíû ñî âðåìåíåì èçó÷ó, êóäû æ ÿ äåíóñü - íî æåëåçêè òèïà òîïè÷íîãî ðîóòåðà ïîêóïàþòñÿ èìåííî äëÿ áûñòðîãî ñòàðòà è ïðàêòè÷åñêîãî èçó÷åíèÿ ïðåäìåòà â íå ñèëüíî êðèòè÷íûõ ïåñî÷íèöàõ.  òîì ÷èñëè è òåìè ëþäüìè, äëÿ êîòîðûõ íåïðèåìëåìî èçó÷åíèå ñâÿùåííûõ ìàíîâ â êà÷åñòâå ïðåðåêâèçèòà ëþáîé äåÿòåëüíîñòè.

Åñëè Âû âèäèòå ñâîþ ôóíêöèþ êàê çäåøíåãî ìîäåðàòîðà â ôîðìèðîâàíèè îïðåäåë¸ííîãî ñêëàäà ëè÷íîñòè â íüþáàõ - òî âûõîäèò, ÷òî ÿ, ê ñîæàëåíèþ, ïðàâ.  ñëó÷àå óäàëåíèÿ òåìû ïîæàëóþñü Îëåãó. Åñëè òîãî ýòî íå âîçìóòèò - îòòðÿñó ïðàõ.


îíè õðàíÿòñÿ â nvram. Âûêëþ÷èòå upnp, ëèáî íå ñìîòðèòå òàáëèöû iptables


Âèíîâàò, ëè÷íî ìíå òîæå íåäîñòàòî÷íî áûëî ïåðâîãî ïðåäëîæåíèÿ: âî âòîðîé ÷àñòè òàêæå åñòü âåñüìà íåîæèäàííûé ñìûñë.

uPnP - âûõîäèò, ìåõàíèçì, ÊÎÍÊÓÐÈÐÓÞÙÈÉ ñ iptables. ß ýòîãî íå çíàë, è â "ìàíàõ" îá ýòîì íå íàïèñàíî.

ß ïðàâèëüíî ïîíÿë, ÷òî íàïðèìåð óäàë¸ííîå àäìèíèñòðèðîâàíèå ïîìèìî iptables íå îðãàíèçîâàòü? Òîãäà âûêëþ÷àòü uPnP ëþäÿì ñ çàïðîñàìè âðîäå ìîèõ - ÍÅÎÁÕÎÄÈÌÎ.

ß ñþäà ïðèøåë áîëåå ðàäè òîãî, ÷òîáû îïðåäåëèòüñÿ ñ ìîòèâàöèåé ê âûáîðó ñòðàòåãèè, à íå ÷òîáû ïîðàññïðàøèâàòü î êîíêðåòíûõ êëþ÷èêàõ. Íà ýòó ïîñëåäíþþ òåìó äåéñòâèòåëüíî åñòü ìàíû - íî äëÿ ñïîêîéíîãî îçíàêîìëåíèÿ ñ íèìè íàäî çàïóñòèòü øåëåçÿêó "â ïåðâîì ïðèáëèæåíèè".

Îòâåòà íà çàäàííûé âî âòîðîì ñîîáùåíèè òåìû âîïðîñ çäåñü ïî-ïðåæíåìó íå ïðîçâó÷àëî. Ñãîäèòñÿ ÊÎÍÊÐÅÒÍÀß ññûëêà, äàòü êîòîðóþ ïðîùå, ÷åì ôëåéìèòü (÷èòàòü ìíå â î÷åðåäíîé ðàç ìîðàëü).

 êà÷åñòâå êîíêðåòíîé ññûëêè ñîéä¸ò è óêàçàíèå ïîèñêîâîãî çàïðîñà. ÊÎÍÊÐÅÒÍÎÃÎ.

Ýòî ÿ îïÿòü, ïðî íåäîñòóïíîñòü ssh ïî ïîðòó 22322.

Äëÿ ñòðàäàþùèõ ëîæíîé òåëåïàòèåé óòî÷íþ: íèêàêîé ïðîâàéäåð íå ìîã íè÷åãî ìíå çàêðûòü, ò.ê. âñå øíóðêè è WAN, è LAN ðàñïîëîæåíû ñåé÷àñ öåëèêîì â ðàäèóñå äâóõ ìåòðîâ îò ìîåé çàäíèöû.

(Ýòî ÿ ïîïûòàëñÿ ïîñëåäîâàòü ìóäðîìó ñîâåòó è ñàìîñòîÿòåëüíî ïîèñêàòü èãîëêó â ñòîãå ñåíà. Íàø¸ë: http://wl500g.info/showpost.php?p=69225&postcount=31)


Âîïðîñ àêòóàëåí. Âûâîä iptables âî âòîðîì ñîîáùåíèè òåìû.

Òàê âàì ÷òî íàäî òî?
Åñëè ïî ssh â ðîóòåð ïîëó÷èòü äîñòóï, â ïðîøèâêå 1.9.2.7-d ssh äîñòóï íàñòðàèâàåòñÿ èç web èíòåðôåéñà íà íóæíûé ïîðò.
Åñëè âðó÷íóþ, òî çàïóñêàåì dropbear ðó÷êàìè è äîñòàòî÷íî îäíîãî ïðàâèëà â INPUT


iptables -P INPUT DROP
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp -m tcp --syn --dport 22322 -j ACCEPT

Åñëè âàì íóæíî ïðîêèíóòü ssh íà äðóãîé êîìïüþòåð, òî:
1. íàñòðàèâàåòå VSERVER â web èíòåðôåéñå (src:22322 dst:10.10.10.10:22) èëè âêëþ÷àåòå VSERVER è ïðîïèñûâàåòå ïðàâèëî, ÷òîáû ïðè ïåðåïðîøèâêå ïîðò íàçíà÷åíèÿ (22) íå ñòàë ðàâåí âõîäÿùåìó ïîðòó (22322)


iptables -t nat -A VSERVER -p tcp -m tcp --dport 22322 -j DNAT --to-destination 10.10.10.10:22

2. óñòàíàâëèâàåòå Port Forwarding default policy â ACCEPT
3. óñòàíàâëèâàåòå Packets(WAN to LAN) not specified will be â ACCEPT, èëè â DROP è äîáàâëÿåòå â òàáëèöó (dst:dst:10.10.10.10:22), èëè ïðîïèñûâàåòå


iptables -I FORWARD -d 10.10.10.10 -p tcp -m tcp --dport 22 -j ACCEPT


Ðåçþìèðóþ: âñå ìîæíî áûëî íàñòðîèòü ÷åðåç web èíòåôåéñ è âñå òàê æå ìîæíî áûëî íàñòðîèòü ðóêàìè ñ èñïîëüçîâàíåì ìàíóàëîâ (è ïðèìåðîâ) ïî iptables, ïëþñ êîíå÷î, ïîèñê.
Âîïðîñû äîñòóïà, ïðîáðîñà ïîðòîâ îáñóæäàëèñü ãîðàçäî áîëåå ÷åì 1 ðàç.

p.s åñòü åùå îäèí ñïîñîá ïðîêèäûâàíèÿ ïîðòîâ - âêëþ÷àåì upnp è â ñâîéñòâàõ ñîåäèíåíèÿ "Ïîäêëþ÷åíèå ê Èíòåðíåòó" äåëàåì âñå, ÷òî õîòèì

theMIROn
Ñïàñèáî! Íàäî ìíå âîò ÷òî:

ó ìåíÿ çàðàáîòàë SSH äîñòóï ê ðîóòåðó ïî ñõåìå WAN:22 -> LAN:22, ñóêöåñ ñòîðè â ïðåäûäóùåé òåìå (ññûëêà â ïåðâîì ñîîáùåíèè ýòîé òåìû). Òåïåðü ÿ ïîïûòàëñÿ ïîìåíÿòü ñõåìó íà WAN:22322 -> LAN:22

Òåïåðåøíÿÿ âûäà÷à iptables âî âòîðîì ñîîáùåíèè ýòîé òåìû, telnet WAN 22322 ñíàðóæè íå ðàáîòàåò. ß õî÷ó óçíàòü, ïî÷åìó. Ïðîøèâêà 1.9.2.7-10

äåëàþ îäíîâðåìåííî îáà ïðàâèëà: ðàáîòàþò îáà
óäàëÿþ ïðàâèëî äëÿ WAN:22 - ïåðåñòàþò ðàáîòàòü îáà


äåëàþ òàê (óìåþ òîëüêî òàê): DNAT ïðàâèëî ÷åðåç âåáìîðäó, INPUT ïðàâèëî ÷åðåç äîáàâëåíèå èëè óäàëåíèå âòîðîé ñòðî÷êè

iptables -I INPUT 5 -p tcp -m tcp --dport 22322 --syn -j ACCEPT
iptables -I INPUT 5 -p tcp -m tcp --dport 22 --syn -j ACCEPT

(àíòèôëåéì: ðàçóìååòñÿ, ïîòîì flashfs áëà-áëà-áëà è ïåðåçàãðóçêà)


theMIROn
î òîíêîì óïðàâëåíèè èïòàáëåñîì, ðó÷íîì ïðîêèäûâàíèè ïîðòîâ è ïðî÷. ðå÷ü ïîêà íå èäåò: ìíå áû ñàìèì ðîóòåðîì íàó÷èòüñÿ óïðàâëÿòü íàäåæíî, áåç íåïðåäñêàçóåìûõ ôîêóñîâ (èëè, íà õóäîé êîíåö, çíàòü èõ â ëèöî è óìåòü îáõîäèòü).

ß âåäü ïðàâèëüíî ïîíèìàþ, ÷òî îáû÷íûé Vserver íà âíóòðåííèé êîìï äåëàåòñÿ îäèíàêîâî, èç âåáìîðäû, èëè ÷åðåç UPnP - è ðåçóëüòàò ñòàáèëåí è íå çàâèñèò îò íàñòðîåê èïòàáëåñ äëÿ ñàìîãî ðîóòåðà?

×òîáû íå ðàçâîäèòü ïîìîéêó, ïðåäëàãàþ ýòó òåìó ïðèñîåäèíèòü ê ðàíåå îòêðûòîé òåìå gP v1: àäìèíèñòðàòèâíûé äîñòóï èç WAN (http://wl500g.info/showthread.php?t=19213), ñíÿâ áëîêèðîâêó ñ íåå, è ïîçâîëèòü àâòîðó ïîðåçâèòüñÿ ââîëþ - ïðîñòî íå îáðàùàòü âíèìàíèÿ.


 ñëó÷àå óäàëåíèÿ òåìû ïîæàëóþñü Îëåãó.

×òî êàñàåòñÿ æàëîá, òî ëþáåçíûé LevT, æàëóéòåñü - Îëåã âûïèøåò Âàì íåäåëüíûé îòïóñê, ÿ òàê ïîëàãàþ.

ps: îòïóñê äëÿ òîãî, ÷òîáû ïîÿâèëîñü âðåìÿ íå òîëüêî ïèñàòü, íî è ïî÷èòàòü, è ïîäóìàòü.

Îòâåòà íà çàäàííûé âî âòîðîì ñîîáùåíèè òåìû âîïðîñ çäåñü ïî-ïðåæíåìó íå ïðîçâó÷àëî. Ñãîäèòñÿ ÊÎÍÊÐÅÒÍÀß ññûëêà, äàòü êîòîðóþ ïðîùå, ÷åì ôëåéìèòü (÷èòàòü ìíå â î÷åðåäíîé ðàç ìîðàëü).

 êà÷åñòâå êîíêðåòíîé ññûëêè ñîéä¸ò è óêàçàíèå ïîèñêîâîãî çàïðîñà. ÊÎÍÊÐÅÒÍÎÃÎ.

Âîò âàì êîíêðåòíàÿ ññûëêà: Êàê ïðàâèëüíî çàäàâàòü âîïðîñû (http://ln.com.ua/~openxs/articles/smart-questions-ru.html). Ïîòðóäèòåñü, ïðî÷èòàéòå. Âåäü ïîíÿòü âàñ ñ êàæäûì ñîîáùåíèåì ñòàíîâèòñÿ âñ¸ ñëîæíåå è ñëîæíåå.

Ïîòðóäèòåñü, ïðî÷èòàéòå. Âåäü ïîíÿòü âàñ ñ êàæäûì ñîîáùåíèåì ñòàíîâèòñÿ âñ¸ ñëîæíåå è ñëîæíåå.

ß ýòîò òåêñò ÷èòàë âïåðâûå åù¸ â ÔÈÄÎ...

×òîáû ïîíÿòü, â ÷¸ì ñîñòîèò àêòóàëüíûé âîïðîñ, äîñòàòî÷íî ïðî÷åñòü äâà ïîñëåäíèõ ñîîáùåíèÿ (11:43) è (16:12). Âñ¸ íàïèñàííîå âûøå ìîæíî èãíîðèðîâàòü.

Ñòàíäàðòíàÿ ïðîöåäóðà îñâàèâàíèÿ íîâîãî ìåëêèìè øàæêàìè.

WAN:22 -> LAN:22 íàêîíåö ðàáîòàåò
èñïðàâëÿþ: WAN:22322 -> LAN:22 - íå ðàáîòàåò
èñïðàâëÿþ: (è WAN:22 -> LAN:22, è WAN:22322 -> LAN:22 îäíîâðåìåííî) - ðàáîòàþò îáà ïîðòà
èñïðàâëÿþ: òîëüêî WAN:22322 -> LAN:22 - íå ðàáîòàåò íå òîëüêî 22, íî è 22322 ïîðò.

Êàê èìåííî èñïðàâëÿþ, ÿ íåîäíîêðàòíî ïîâòîðÿë: ïîñëåäíèé ðàç â 16:12
Äèàãíîñòè÷åñêóþ âûäà÷ó iptables â ñîñòîÿíèè "íå ðàáîòàåò" ÿ ïðèâîäèë ââåðõó, âî âòîðîì ñîîáùåíèè òåìû.

Ãí LevT, îòñòàíüòå îò ðîóòåðà è íàøåãî ìîçãà. Âñå ÷òî íåîáõîäèìî íàïèñàíî âûøå, ìíå íåñëîæíî ïîâòîðèòü â êàðòèíêàõ.
Âêëþ÷èòå íà ðîóòåðå upnp è ñäåëàéòå âîò òàê.

1) Èçâèíèòå, íî ó ìåíÿ ïîä ðóêîé òîëüêî ñåðâåð, 64-áèòíûé. Êàæåòñÿ, òàì íåò UPnP êëèåíòà.

2) Âû óâåðåíû, ÷òî ñ ïîìîùüþ êëèåíòñêîé âèíäû ìîæíî ýôôåêòèâíî óïðàâëÿòü òðàíñëÿöèåé íà ðîóòåðå áåç òåõ âûâèõîâ è çàêèäîíîâ, ÷òî ÿ óñïåë ïðîíàáëþäàòü â êîíñîëè è âåáìîðäå?  òîì ÷èñëå è òðàíñëÿöèåé ê LAN èíòåðôåéñó ñàìîãî ðîóòåðà?

3) Êàê äîëæåí âûãëÿäåòü ðàáî÷èé âàðèàíò iptables -L -nv && iptables -L -nvt nat ñ âêëþ÷¸ííîé òðàíñÿëöèåé WAN:22322 -> LAN:22 ?
Èëè ïðè óïðàâëåíèè ÷åðåç UPnP âûâîä èïòàáëåñ âîîáùå íåðåëåâàíòåí?

1) Èçâèíèòå, íî ó ìåíÿ ïîä ðóêîé òîëüêî ñåðâåð, 64-áèòíûé. Êàæåòñÿ, òàì íåò UPnP êëèåíòà.
âñå òàì åñòü. îòêðîéòå äëÿ ñåáÿ ãóãë
http://www.msfn.org/board/index.php?showtopic=77022&st=20&start=20


2) Âû óâåðåíû, ÷òî ñ ïîìîùüþ êëèåíòñêîé âèíäû ìîæíî ýôôåêòèâíî óïðàâëÿòü òðàíñëÿöèåé íà ðîóòåðå áåç òåõ âûâèõîâ è çàêèäîíîâ, ÷òî ÿ óñïåë ïðîíàáëþäàòü â êîíñîëè è âåáìîðäå?  òîì ÷èñëå è òðàíñëÿöèåé ê LAN èíòåðôåéñó ñàìîãî ðîóòåðà?
ÿ óâåðåí ÷òî íè÷åãî èç ïðåäëîæåííîãî íè â ýòîé, íè â ïðåäûäóùåé òåìå íå áûëî ïîïðîáîâàíî.

Àãà, ÿ íå õîäèë íè â ãóãëü, íè â ìàí èïòàáëåñ...

Ïðèïîìèíàþ, ÷òî ÿ âèäåë åäèíñòâåííûé îòâåò, êîòîðûé ìíå ñåé÷àñ ïðåäñòàâëÿåòñÿ "ãîðÿ÷èì" è ïî ñóùåñòâó.  ïðåäûäóùåé òåìå åãî óæå íåò. Óäàë¸í ìîäåðàòîðîì?

Òàì áûëî íàïèñàíî, êàê çàïóñêàòü dropbear íà íåñòàíäàðòíîì ïîðòó. Ïî-ìîåìó, ýòî èìåííî òî, ÷òî ìíå íóæíî. Åñëè òàê - òî íàïîìíèòå ïëèç ñèíòàêñèñ è ôàéë, êóäà ïðîïèñûâàòü êîìñòðîêó.

Òàì áûëî íàïèñàíî, êàê çàïóñêàòü dropbear íà íåñòàíäàðòíîì ïîðòó. Ïî-ìîåìó, ýòî èìåííî òî, ÷òî ìíå íóæíî. Åñëè òàê - òî íàïîìíèòå ïëèç ñèíòàêñèñ è ôàéë, êóäà ïðîïèñûâàòü êîìñòðîêó.

Âîò ýòî òî÷íî ìîæíî íàéòè ïîèñêîì ïî "dropbear ïîðò". http://wl500g.info/showthread.php?p=140244

íàøåë, â post-boot

dropbear -p 22322

ïîêà íå çàðàáîòàëî - íî ïåðåâåñèòü dropbear ÿâíî áûëî íåîáõîäèìî.
Ùà ïîïðîáóþ ïîñòàâèòü nmap è ïîãëÿäåòü, ÷òî âûøëî....


Update.

Êàê áû ÿ åãî ïîñòàâèë, ãû-ãû....
Äåìîí ïåðåâåñèëñÿ, íî äîñòóïà èç WAN ê íåìó ïî-ïðåæíåìó íåò.

À äàâàéòå ïî ïîðÿäêó:

×òî âàì íóæíî ïîëó÷èòü?
×òî êîíêðåòíî âû ïûòàëèñü ñäåëàòü, ÷òîáû äîñòè÷ü æåëàåìîãî?
×òî êîíêðåòíî íå ïîëó÷èëîñü?

Ñïàñèáî áîëüøîå.

ß äóìàþ, ÷òî òåïåðü óæå äîñòàòî÷íî íàáèë ðóêó, ÷òîáû ñàìîñòîÿòåëüíî ïðîéòè ïî ýòîìó õàâ-òó: http://wl500g.info/showthread.php?t=12833


Çäåñü õîòåëîñü áû çàêðûòü òåîðåòè÷åñêèé âîïðîñ. Âûøå ìíå áûë äàí ñîâåò "èëè âûêëþ÷èòü UPnP, èëè íå ãëÿäåòü â iptables", òîëüêî ÷òî ñîâåòîâàëè ôàêòè÷åñêè òî æå ñàìîå: âêëþ÷èòü UPnP è íå ãëÿäåòü â iptables.

ß ïðàâèëüíî ïîíèìàþ, ÷òî iptables è UPnP - âçàèìíî íåçàâèñèìûå ñèñòåìû óïðàâëåíèÿ ðîóòåðîì, òî÷íåå åãî ïîäñèñòåìîé NAT? Ìåæäó UPnP è èïòàáëåñ ïðåäëàãàåòñÿ âûáèðàòü, â ÷àñòíîñòè, ïîòîìó, ÷òî ñëåäû UPnP â iptables ïðîÿâëÿþòñÿ - íî ýòî òîëüêî ñáèâàåò ñ òîëêó íüþáîâ.

Îòâåòû íà âîïðîñû áûëè, óâû, êðàéíå àíãàæèðîâàííûìè è çàøîðåííûìè.

Åäèíñòâåííûé ïðàâèëüíûé îòâåò (ìîäåðàòîðà) áûë óäàë¸í èì ñàìèì - íàäåþñü, ÷òî ïî íåäîðàçóìåíèþ, à íå ïî ïîáóæäåíèþ âðàæäåáíîñòè. Òåì áîëåå, ÷òî îí äåéñòâèòåëüíî áûë âðîäå êàê íå ïî ïðåäûäóùåé òåìå. À â ýòîé òåìå àâòîð îòâåòà ñåãîäíÿ óæå íå ïîÿâëÿëñÿ: íàäåþñü, ÷òî îí îòâåòèë áû îäíîñëîæíî è ïðåñåê ôëåéì.

Ïîíÿòíî, ÷òî ïîñëå èñïðàâëåíèÿ òàêîãî êîñÿêà, êàê íåâåðíî ïîâåøåííûé äåìîí - âñå âûâîäû íàäî ïåðåòðÿõèâàòü çàíîâî, à ýêñïåðèìåíòû ïîâòîðÿòü. ×åì ÿ ñåé÷àñ è çàéìóñü.

Îòâå÷ó ÿ îäíîñëîæíî è êîðîòêî:
1. Ó÷èòåñü ÏÐÀÂÈËÜÍÎ ôîðìóëèðîâàòü âîïðîñû, íå ðàñïûëÿÿñü ñðàçó íà íåñêîëüêî íàïðàâëåíèé.
2. Âû ïîäõîäèòå ê ðåøåíèþ Âàøèõ çàäà÷ ñ êàêîãî-òî áîêà, â ðåçóëüòàòå è âîçíèêàþò âîïðîñû, ñòàâÿùèå òó÷ó íàðîäà â òóïèê.
3. Âñå, êòî áóäóò òåõíè÷åñêèå âîïðîñû ïåðåâîäèòü íà ëè÷íîñòè - ñòàíóò ÷èòàòåëÿìè, ïîêà íåðâû íå óñïîêîÿò. Ýòîò ïóíêò íå êîíêðåòíî àâòîðó òåìû.

Îòâå÷ó ÿ îäíîñëîæíî è êîðîòêî:
2. Âû ïîäõîäèòå ê ðåøåíèþ Âàøèõ çàäà÷ ñ êàêîãî-òî áîêà, â ðåçóëüòàòå è âîçíèêàþò âîïðîñû, ñòàâÿùèå òó÷ó íàðîäà â òóïèê.



Íåïîíèìàíèå - îòòîãî, ÷òî ó ìåíÿ íåñòàíäàðòíûå çàïðîñû. Íè â êîåì ñëó÷àå ÿ íå ïðîøó ïîìîùè "òùàòåëüíî íàñòðîèòü ðîóòåð" ïîä îïðåäåëåííûå çàäà÷è.

Ìîÿ öåëü - 1) äîñòàòî÷íî áûñòðî è 2) äîñòàòî÷íî ä¸øåâî íàó÷èòüñÿ èì óïðàâëÿòü 3) äîñòàòî÷íî êà÷åñòâåííî. (Óïðàâëÿòü - çíà÷èò óìåòü ðåøàòü åùå íå âîçíèêøèå çàäà÷è, è ñàìîñòîÿòåëüíî èõ ñòàâèòü)

Èëè äàæå åù¸ êðó÷å: ÿ âïîëíå ãîòîâ ê íåóäà÷å. Íàñòîÿùàÿ ìîÿ öåëü - îïðåäåëèòü ãðàíèöû âîçìîæíîãî: âîò òàêîå-òî êà÷åñòâî óïðàâëåíèÿ äîñòèæèìî òîëüêî ñ íåïðåìëåìûìè äëÿ ìåíÿ çàòðàòàìè. À âîò òàêîå-òî âïîëíå ðåàëüíî, åñëè âëîæèòü òàêèå-òî äîñòóïíûå ìíå ðåñóðñû.


Ìíå æå ïðåäëàãàþò íà÷èíàòü ñ èíâåñòèöèé - íå äåíåã, òàê âðåìåíè è êîãíèòèâíûõ ñïîñîáíîñòåé - òàì, ãäå ÿ åù¸ íå îïðåäåëèëñÿ ñ ìîòèâàöèåé ê íèì. "Íå íðàâèòñÿ êóðèòü ìàí èïòàáëåñ - êîïè äåíåã íà öèñêó". Íàâÿçûâàþò îäíîìåðíóþ ëîãèêó òàì, ãäå, ïî ìîåìó óáåæäåíèþ, íåîáõîäèì ñëîæíûé ìíîãîôàêòîðíûé ïðîöåññ.  òîì ÷èñëå è acceptance tests, ñ ïðîáíûìè çàïóñêàìè íà ôîíå ïî÷òè íóëåâîãî ïîíÿòèÿ îá èïòàáëåñ.

Íàäåþñü, ñ ýòèì ïîñòîì íåäîðàçóìåíèå ðàçâååòñÿ.

Ãêõì.. Ïîäñêàæèòå ïëèç (÷òîáû íå ïëîäèòü òåì), ìîæíî ëè ïîïðîñèòü (a)sh ïîñëå ðåáóòà âñïîìèíàòü ïðåäûñòîðèþ êîìàíä - èëè äëÿ ýòîãî ïîòðåáíî ìåíÿòü øåëë íà bash?

Ìäà-ñü... Ðîóòåð ó ìåíÿ ïðîäîëæàåò ïàðòèçàíèòü:



[myself@usb-router root]$ cat /usr/local/sbin/post-firewall
#!/bin/sh
#iptables -t nat -nvL POSTROUTING | grep MASQUERADE | awk '{
# "ifconfig "$7" | grep Mask" | getline ip;
# split(ip,ip,":"); split(ip[2],ip," ");
# split($8,src,"!");
# if (src[1]=="") {src="! -s "src[2]} else {src="-s "src[1]};
# if ($9=="0.0.0.0/0") {dst=""} else {dst="-d "$9};
# system("iptables -t nat -A POSTROUTING -o "$7" "src" "dst" -j SNAT --to-source "ip[1]);
# system("iptables -t nat -D POSTROUTING -o "$7" "src" "dst" -j MASQUERADE");
#}'

#set default policy
iptables -P INPUT DROP
#remove last default rule
iptables -D INPUT -j DROP
iptables -I INPUT -p tcp --dport 22322 --syn -j ACCEPT


[myself@usb-router root]$ iptables -L -nv
Chain INPUT (policy DROP 92 packets, 7388 bytes)
pkts bytes target prot opt in out source destination
1 48 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22322 flags:0x16/0x02
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
328 28003 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
22 1320 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
88 7015 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.10.10.2 tcp dpt:80
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- !br0 vlan1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
0 0 DROP all -- * br0 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 309 packets, 28461 bytes)
pkts bytes target prot opt in out source destination

Chain MACS (0 references)
pkts bytes target prot opt in out source destination

Chain SECURITY (0 references)
pkts bytes target prot opt in out source destination
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 1/sec burst 5
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5
0 0 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5
0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain logaccept (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `ACCEPT '
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `DROP '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0


[myself@usb-router root]$ iptables -L -nvt nat
Chain PREROUTING (policy ACCEPT 105 packets, 8772 bytes)
pkts bytes target prot opt in out source destination
3 144 VSERVER all -- * * 0.0.0.0/0 10.10.11.254

Chain POSTROUTING (policy ACCEPT 28 packets, 1710 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * vlan1 !10.10.11.254 0.0.0.0/0
0 0 MASQUERADE all -- * br0 10.10.10.0/24 10.10.10.0/24

Chain OUTPUT (policy ACCEPT 28 packets, 1710 bytes)
pkts bytes target prot opt in out source destination

Chain VSERVER (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 to:10.10.10.2:80
3 144 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22322 to:10.10.10.2:22



-----
Ïî WAN èíòåðôåéñó íå êîííåêòèòñÿ ïî-ïðåæíåìó
C:\Documents and Settings\Administrator>telnet 10.10.11.254 22322
Connecting To 10.10.11.254...Could not open connection to the host, on port 22322: Connect failed

Ïî âíóòðåííåìó èíòåðôåéñó âñ¸ ïóò¸ì.

Êàê ïðîâåðèòü ñóäüáó âõîäÿùèõ èç WAN:22322 tcp ïàêåòîâ?

Êóäà è êàê ïîâåñèòü ëîããèðîâàíèå, ãäå áóäóò ñîáèðàòüñÿ ëîãè? Ñèñëîã åñëè è åñòü êàêîé - òî óìîë÷àòåëüíûé äëÿ ïðîøèâêè, íè÷åãî ñàì ïîêà íå íàñòðàèâàë.ll

Ìäà-ñü... Ðîóòåð ó ìåíÿ ïðîäîëæàåò ïàðòèçàíèòü:

Ïî WAN èíòåðôåéñó íå êîííåêòèòñÿ ïî-ïðåæíåìó
C:\Documents and Settings\Administrator>telnet 10.10.11.254 22322
Connecting To 10.10.11.254...Could not open connection to the host, on port 22322: Connect failed

Ïî âíóòðåííåìó èíòåðôåéñó âñ¸ ïóò¸ì.
Ïîâòîðþ ñâîé âîïðîñ: Âû èç êàêîé ñåòè ïûòàåòåñü ïðîâåðÿòü êîííåêòû ê ðîóòåðó ïî âíåøíèì èíòåðôåéñàì? Èç ñåòè "âíóòðè" ëîêàëêè ðîóòåðà? Èëè ïîäêëþ÷èâøèñü ê ðîóòåðó ñî ñòîòîíû WAN?

Êîíå÷íî, èç WAN.
Îòâå÷àþ íà ýòîò âîïðîñ íå â ïåðâûé ðàç - íî ïîñëå â÷åðàøíåãî ôëåéìà íå óäèâèòåëüíî, ÷òî Âû ïðîïóñòèëè îòâåò :(

È âîò, äâóìÿ ñîîáùåíèÿìè âûøå:
Êàê ïðîâåðèòü ñóäüáó âõîäÿùèõ èç WAN:22322 tcp ïàêåòîâ?

Âî, íàø¸ë êðàòêîå ââåäåíèå â èïòàáëåñ, áåç "ìíîãàáóêîâ":
http://ornellas.apanela.com/dokuwiki/pub:firewall_and_adv_routing

Êñòàòè, òî, ÷òî òàì âíèçó îïèñàíî (target MARK) â Îëåãîâîé ïðîøèâêå áóäåò ðàáîòàòü?

Îñíîâíàÿ ïðîáëåìà ðåøåíà

Chain VSERVER (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 to:10.10.10.2:80
3 144 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22322 to:10.10.10.2:22

Ýòî ðåçóëüòàò íåâåðíîãî èñïîëüçîâàíèÿ âåáìîðäû. Óäàëèë ïðàâèëî èç âåáìîðäû æå - çàðàáîòàëî.


Íà ïîáî÷íûå âîïðîñû æäó îòâåòîâ.

Åù¸ îäèí ïîáî÷íûé âîïðîñ: íóæíî ëè/ìîæíî ëè çàñòàâèòü ðîóòåð ñëóøàòü 22322 ïîðò òîëüêî íà LAN èíòåðôåéñå? Åñëè äà - òî êàê?

Èç 600+ çàãëÿäûâàòåëåé â ýòó òåìó êîñÿê íå óãëÿäåë ÍÈÊÒÎ. Ïîêàçàòåëüíî :(

ñåðâåð dropbear íå óìååò íàçíà÷àòü ïðèøåäøèé ïî ññø òóííåëþ ïîðò, âñåì èíòåðôåéñàì ðîóòåðà


Åñëè â post-boot çàïóñêàòü dropbear ñ êëþ÷îì "-a" (dropbear -a), òî îí òîæå îòëè÷íî ñïðàâëÿåòñÿ ñ çàäà÷åé ïðîñëóøèâàíèÿ ïîðòà äëÿ âñåõ èíòåðôåéñîâ (0.0.0.0) è íå íóæíî çàìîðà÷èâàòüñÿ ñ DNAT (ñ íèì ó ìåíÿ òîæå äàííóþ çàäà÷ó ïî÷åìó-òî íå ïîëó÷èëîñü ðåøèòü).

Íå ïîäñêàæåò ëè óâàæàåìûé êòî-íèáóäü, çà÷åì íóæíà ïðîâåðêà -s !$localIP ïðè ìàñêàðàäèíãå?

Chain POSTROUTING (policy ACCEPT 505 packets, 30836 bytes)
pkts bytes target prot opt in out source destination
339 20983 MASQUERADE all -- * ppp0 !95.31.130.1 0.0.0.0/0
8 552 MASQUERADE all -- * vlan1 !10.209.194.175 0.0.0.0/0
31 1860 SNAT all -- * br0 192.168.1.0/24 192.168.1.0/24 to:192.168.1.170

ß óæå ìîçã ñëîìàë, ïûòàÿñü ïðèäóìàòü ñèòóàöèþ, êîãäà îíà ñðàáîòàåò (â ñìûñëå, êîãäà îíà äàñò îòðèöàòåëüíûé ðåçóëüòàò). Ïàêåòû ñ ñàìîãî ðîóòåðà â POSTROUTING íå èäóò. Îòâåòû îò VSERVER íå èäóò ÷åðåç òàáëèöó nat... Êòî, ¸ëû-ïàëû, ìîæåò ñãåíåðèðîâàòü ïàêåò ñ ìîåãî àäðåñà, è ïðè ýòîì òàê, ÷òîáû îí ïîïàë â nat-POSTROUTING è çàíàòèëñÿ áû, åñëè íå ïðîâåðÿòü? Ðàçâå ÷òî NETMAP êàêîé-íèáóäü?

Âîïðîñ íå ïðàçäíûé: äåëàþ ðàçâåñèñòîå ðåøåíèå äëÿ multi-wan (òî, ÷òî çäåñü ïðîëåòàëî, î÷åíü ïîìîãëî, íî ñàìî îíî íåäîñòàòî÷íî ðàçâåñèñòîå); ïî îïðåäåë¸ííûì ïðè÷èíàì õîòåëîñü áû âîîáùå íå òðîãàòü ïðàâèëà iptables ïðè ðåêîííåêòàõ, à ýòî ÷óòü ëè íå åäèíñòâåííîå ìåñòî, ãäå èõ ïîòåíöèàëüíî íàäî òðîãàòü (åñëè ÿ õî÷ó ñîõðàíèòü ïðîâåðêó --src; íàäåþñü, ïðàâäà, ÷òî åñëè óçíàþ, äëÿ ÷åãî îíà íóæíà - ïðèäóìàþ äðóãîé ñïîñîá äîáèòüñÿ òîãî æå ñàìîãî).

Èíòåðåñíî, ÷òî ýòî ìåíÿ ïðîãëþ÷èëî, ÷òî ÷åðåç POSTROUTING íå èäóò ëîêàëüíûå ïàêåòû (ñàì âåäü íà ýòîì ïðîêàëûâàëñÿ êîãäà-òî)?  îáùåì, âñ¸ ïîíÿòíî.

Âå÷åð äîáðûé!
Ïî÷åìó ïðè âûâîäå iptables-save ðîóòåðà wl500gP îòñóòñòâóþò ïðàâèëà, ïðîïèñàííûå â post-firewall?

Äèêî èçâèíÿþñü, íî ïûòàþñü çàïðåòèòü äîñòóï ñ êîíêðåòíîãî IP íî ðåçóëüòàò íóëåâîé.

iptables -A INPUT -s 10.168.51.17 -i vlan1 -j DROP

Âîïðîñ: Êàê ýòî ñäåëàòü ïðàâèëüíî?

Ñïàñèáî.

iptables -I INPUT -s 10.168.51.17 -j DROP

Ñìîòðÿ ÷òî Âû ïûòàåòåñü çàïðåòèòü. Âîçìîæíî Âàì ïðàâèëî íàäî â FORWARD äîáàâëÿòü, à íå â INPUT. Âîçìîæíî äî ýòîãî òàì óæå åñòü ïðàâèëî ðàçðåøàþùåå äîñòóï.

iptables -L -v -n

ïðèøëèòå ïîñëå òîãî êàê äîáàâèòå ïðàâèëî è ïîïûòàåòåñü ÷òî-íèáóäü ñäåëàòü ñ òîãî êîìïüþòåðà, êîòîðûé íóæíî çàïðåòèòü.

Ñìîòðÿ ÷òî Âû ïûòàåòåñü çàïðåòèòü. Âîçìîæíî Âàì ïðàâèëî íàäî â FORWARD äîáàâëÿòü, à íå â INPUT. Âîçìîæíî äî ýòîãî òàì óæå åñòü ïðàâèëî ðàçðåøàþùåå äîñòóï.

iptables -L -v -n

ïðèøëèòå ïîñëå òîãî êàê äîáàâèòå ïðàâèëî è ïîïûòàåòåñü ÷òî-íèáóäü ñäåëàòü ñ òîãî êîìïüþòåðà, êîòîðûé íóæíî çàïðåòèòü.

Õî÷ó ïîëíîñòüþ çàïðåòèòü äîñòóï ñ ýòîãî êîìïüþòåðà. Äîñòàë îí óæå - StrongDC àæ ìîðãàåò âåñü (óæ íå çíàþ ÷òî òàì ñ ýòîãî IP èäåò çà õëàì).
Íó è ñîîòâåòñòâåííî ÿ ñàì ÷òî-íèáóäü ñäåëàòü ñ ýòîãî êîìïüþòåðà íå â ñèëàõ.

Ïîïðîáóéòå êàê íàïèñàë 2bars, ÷åðåç íåñêîëüêî ìèíóò âûâîä iptables -L -v -n ïîñìîòðèòå. Áóäóò ëè ïàêåòû ïîïàäàòü â ýòî ïðàâèëî. Âûâîä åñëè ñþäà ïðèøëåòå - áóäåò ïðîùå ïîíÿòü ïî÷åìó íå ðàáîòàåò, åñëè íå çàðàáîòàåò.

ñèòóàöèÿ òàêîâà.
åñòü dir 320 ïðîøèòûé îëåãîâñêîé ïðîøèâêîé.
ðîóòåð â ðåæèìå AP.
çàäà÷à ñîñòîèò â òîì ÷òîáû þçâåðÿì ñ âàé ôàÿ ðàçðåøàòü äîñòóï òîëüêî íà îïðåäåë¸ííûé àé-ïè àäðåñ (172.30.62.254). íà ñåòåâóøêå òî÷êè: àäðåñ 172.30.62.253.
ïðîñòî ñ íèêîãäà íå ðàáîòàë ñ AP.
èëè ìîæíî ïðîñòî óêàçàòü FORWARD -j DROP

ifconfig
br0 Link encap:Ethernet HWaddr 00:90:4C:C0:00:00
inet addr:172.30.62.253 Bcast:172.30.63.255 Mask:255.255.252.0
inet6 addr: fe80::290:4cff:fec0:0/10 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:180565 errors:0 dropped:0 overruns:0 frame:0
TX packets:803 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:12574615 (11.9 MiB) TX bytes:107146 (104.6 KiB)

eth0 Link encap:Ethernet HWaddr 00:90:4C:C0:00:00
inet6 addr: fe80::290:4cff:fec0:0/10 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:181769 errors:0 dropped:0 overruns:0 frame:0
TX packets:181093 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:17112484 (16.3 MiB) TX bytes:16018861 (15.2 MiB)
Interrupt:4 Base address:0x1000

eth1 Link encap:Ethernet HWaddr 00:90:4C:C1:00:00
inet6 addr: fe80::290:4cff:fec1:0/10 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:546 errors:0 dropped:0 overruns:0 frame:93997
TX packets:180126 errors:228 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:121617 (118.7 KiB) TX bytes:16910084 (16.1 MiB)
Interrupt:13 Base address:0x5000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
RX packets:4826 errors:0 dropped:0 overruns:0 frame:0
TX packets:4826 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:416960 (407.1 KiB) TX bytes:416960 (407.1 KiB)

vlan0 Link encap:Ethernet HWaddr 00:90:4C:C0:00:00
inet6 addr: fe80::290:4cff:fec0:0/10 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:181761 errors:0 dropped:0 overruns:0 frame:0
TX packets:1354 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:13840210 (13.1 MiB) TX bytes:234487 (228.9 KiB)

vlan2 Link encap:Ethernet HWaddr 00:90:4C:C0:00:00
inet6 addr: fe80::290:4cff:fec0:0/10 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:179735 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:15784086 (15.0 MiB)

route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.30.60.0 0.0.0.0 255.255.252.0 U 0 0 0 br0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 br0

Äîáðîãî âðåìåíè ñóòîê âñåì!

Íåîáõîäèìà ïîìîùü ñ íàñòðîéêîé iptables äëÿ ðàáîòû ñ èíòåðôåéñîì tun.
Îïèñàíèå: ðîóòåð ïîäêëþ÷åííûé ïî openvpn ÷åðåç èíòåðôåéñ tun âèäèò äðóãóþ ñåòü. Çäåñü îí âûñòóïàåò â ðîëè êëèåíòà. Íà ðîóòåðå óæå èìååòñÿ ïîäêëþ÷åíèå ïî PPTP è âñå íàñòðîåíî ïî âåá èíòåðôåéñó.
Òðåáóåòñÿ: íàïðàâëÿòü ïàêåòû èç ñåòè çà ðîóòåðîì ÷åðåç tun â äðóãóþ ñåòü è ïîëó÷àòü èõ îáðàòíî. Íóæíî, êàê ÿ ïîíÿë, èñïîëüçîâàòü NAT. Ïðè ýòîì, âîçìîæíî, ÷òî áóäåò íåñêîëüêî tun èíòåðôåéñîâ.

Ðóêîâîäñòâî ïî iptables (Iptables Tutorial) (http://opennet.ru/docs/RUS/iptables/index.html)

 ñêðèïòàõ íå ñèëåí, ïîìîãèòå ïîæàëóéñòà ñîîðóäèòü ðåøåíèå.
Äóìàþ äëÿ ïðîôè, ýòî áóäåò ëåãêî.

Êðîìå âñåãî ïðî÷åãî (ppp0 è vlan1) ó ìåíÿ óñòàíîâëåí êëèåíò openvpn (tap0). IP íà tap0 ðàçäàåò dhcp-ñåðâåð.
udhcpc ÿ íàó÷èë ïîëó÷àòü ýòîò ip è ïðîïèñûâàòü ìàðøðóòû.
Çàïíóëñÿ ÿ íà iptables.
Âðåìÿ àðåíäû IP óñòàíîâëåíî 600 ñåê, è ïî ìîèì íàáëþäåíèÿì íî äåéñòâèòåëüíî ìîæåò ïîìåíÿòüñÿ :-(
 îáùåì ÿ õî÷ó ñëåäóþùåå:
ïðè ïîëó÷åíèè IP äîáàâëÿòü ñëåäóþùåå ïðàâèëî:
â òàáëèöó nat PREROUTING -d <ìîé IP> -j VSERVER
à ñòàðîå ïðàâèëî ñî ñòàðûì IP óäàëÿòü

PS: ß òàê ïîíèìÿë ýòî ïðàâèëî íóæíî äëÿ ðàáîòû uPnP.

iptables -t nat -A PREROUTING -i tap0 -j VSERVER

ñòàòè÷åñêîå íå ïîéäåò?

iptables -t nat -A PREROUTING -i tap0 -j VSERVER

ñòàòè÷åñêîå íå ïîéäåò?

Ìîæåò è ïîéäåò.
Íî íàâåðíî ìíå ýòî íå ïîìîæåò.
ß òàê ïîíÿë uPnP èç ïðîøèâêè çàóñêàåòñÿ ëèáî íà WAN, ëèáî íà MAN.
È ÿ ïðåïîëàãàþ, ÷òî íà íà tap0 ðàáîòàòü íå áóäåò. :-(

À âîîáùå, ÿ õî÷ó, ÷òîáû ìîé rTorrent ðàáîòàë è â ñåòè ïðîâàéäåðà (tap0) è â èíåòå (ppp0)
×òî äëÿ ýòîãî íóæíî ÿ ïîêà íå ïîíÿë.
è âîîáùå íóæíî ëè îòêðûâàòü è/èëè ïðîáðàñûâàòü ïîðòû.
Âðîäå ñåé÷àñ ðàáîòàåò, íî âîò ñêîðîñòü ìåíÿ íå âïå÷àòëÿåò.

Ïðîïèøûòå ðóêàìè port forwarding.
Âàðèàíòîâ 3:
1) UPnP
2) VSERVER
3) ðó÷êàìè ïðàâèëà íàïèñàòü â post-firewall


## uTorrent
iptables -t nat -I PREROUTING -i $WANIF -p tcp --dport 25544 -j DNAT --to-destination 192.168.1.2:25544
iptables -t nat -I PREROUTING -i $WANIF -p udp --dport 25544 -j DNAT --to-destination 192.168.1.2:25544
iptables -I FORWARD -i $WANIF -p tcp --dport 25544 -d 192.168.1.2 -j ACCEPT
iptables -I FORWARD -i $WANIF -p udp --dport 25544 -d 192.168.1.2 -j ACCEPT

íàðîä íó ïîìîãèòå ñêàæèòå õîòÿáû ê êàêîìó èíòåðôåéñó ÷òî âåøàòü. ïðàâèëà ÿ êàê íèáóäü íàïèøó. ïðîñòî ìíå íåïîíÿòíî ãäå òóò êàðòî÷êà êîòîðàÿ ñìîòðèò â èíåò à êàêàÿ íà âàé ôàé. èëè äåëàòü ôîðâàðä äðîï äëÿ áðèäæ èíòåðôåéñà.

Ðóêîâîäñòâî ïî iptables (Iptables Tutorial) (http://opennet.ru/docs/RUS/iptables/index.html)

Ýòî ÿ âñå óæå ïðîñìîòðåë. Ðàçâå òàê ñëîæíî ïðîñòî íàïèñàòü êàê ýòî îñóùåñòâèòü? Èëè íàäî îáÿçàòåëüíî ïåðåä ýòèì ïðî÷èòàòü âñå ðóêîâîäñòâî è çàáèòü íà ýòó èäåþ? :D

Äëÿ ìåíÿ ñåé÷àñ ïðîáëåìà íà ñàìèõ ïðàâèëàõ, à â òîì, ÷òî ïåðåä äîáàâëåíèåì ïðàâèë â iptables, óäàëèòü ïðàâèëà ñî "ñòàðûì" ip íà tap0

Íó è ÿ òàê ïîíèìàþ, ÷òî uPnP è VSERVER èç ïðîøèâêè ðàáîòàþò òîëüêî ñ èíòåðôåñàìè ppp0 è vlan1.
À ìíå íóæíî ýòî îðãàíèçîâàòü íà tap0.

Äëÿ ìåíÿ ñåé÷àñ ïðîáëåìà íà ñàìèõ ïðàâèëàõ, à â òîì, ÷òî ïåðåä äîáàâëåíèåì ïðàâèë â iptables, óäàëèòü ïðàâèëà ñî "ñòàðûì" ip íà tap0

Íó è ÿ òàê ïîíèìàþ, ÷òî uPnP è VSERVER èç ïðîøèâêè ðàáîòàþò òîëüêî ñ èíòåðôåñàìè ppp0 è vlan1.
À ìíå íóæíî ýòî îðãàíèçîâàòü íà tap0.
À çå÷åì âåøàòü ïðàâèëà íà IP ??? Âåøàéòå íà èíòåðôåéñ, òîãäà çàìîðà÷èâàòüñÿ íå ïðèäåòñÿ ñ óäàëåíèåì.
Âîîáùå - ïî èäåå, ïðàâèëà ñ íåñóùåñòâóþùèìè ïóòÿìè äîëæíû àâòîìàòîì íèâåëèðîâàòüñÿ.

À çå÷åì âåøàòü ïðàâèëà íà IP ???
ß íå áîëüøîé ñïåöèàëèñò â ñåòÿõ è ôàéðâîëàõ.
Ïîýòîìó ïûòàþñü äåëàþ ïî àíàëîãèè ñ òåì ÷òî âèæó.
 ïðàâèëàõ êîòîðûå ãåíåðèò ñàì ðîóòåð äëÿ ppp0 è vlan1, ip ýòèõ èíòåðôåéñîâ ïðîïèñàíû. Ïîýòîìó è ïûòàþ ðåàëèçîâàòü äîáàâëåíèå ïðàâèë äëÿ tap0, àíàëîãè÷íûå òåì, ÷òî åñòü äëÿ ppp0 è vlan1.


Âåøàéòå íà èíòåðôåéñ, òîãäà çàìîðà÷èâàòüñÿ íå ïðèäåòñÿ ñ óäàëåíèåì.
Ò.å. íà IP ìîæíî çàáèòü? Âñå áóäåò ðàáîòàòü ñ óêàçàíèåì òîëüêî èíòåðôåéñà?


Âîîáùå - ïî èäåå, ïðàâèëà ñ íåñóùåñòâóþùèìè ïóòÿìè äîëæíû àâòîìàòîì íèâåëèðîâàòüñÿ.
Íå ñîâñåì ïîíÿë.
×òîáû ÷òî-òî àâòîìàòè÷åñêè ñäåëàëîñü, íóæíî ÷òîáû àëãîðèòì ýòîãî àâòîìàòà, áûë ãäå-òî îïèñàí, è ïðè íàñòóïëåíèè ñîîòâåòñòâóþùåãî ñîáûòèÿ âûïîëíèëñÿ.
Âîçìîæíî äëÿ ppp0 è vlan1 ýòî òàê, à âîò äëÿ òîãî, ÷òî ñîçäàåòñÿ íå èç ïðîøèâêè òî âðÿäëè :(

Âîîáùå ìåíÿ òóò ñìóùàåò ñëåäóþùåå:
1. Åñëè ÿ áóäó òîëüêî äîáàâëÿòü ïðàâèëà ñ IP òî òàáëèöà(û) iptables áóäåò ðàçðàñòàòüñÿ.
2. ×òî áóäåò ïðîècõîäèòü ñ ïàêåòàìè, àäðåñîâàííûìè "ìîèì ñòàðûì IP", êîãäà(åñëè) îíè áóäóò ïîïàäàòü íà ðîóòåð? È âîîáùå, áóäóò ëè îíè â íåãî ïîïàäàòü?

Ðåøåíèå ó ìåíÿ óæå ïî÷òè åñòü, âîò êàê åãî ðåàëèçîâàòü â âèäå ñêðèïòà, ÿ ïîêà íå çíàþ. Ìîæåò êòî ïîäñêàæåò.
Èäåÿ òàêàÿ, äëÿ post-firewall:
1. Ïðîâåðÿþ íàëè÷èå ôàéëà ñ ðàíåå äîáàâëåííûìè ïðàâèëàìè. (ïðèìåðíî ïðåäñòàâëÿþ, êàê ýòî ñäåëàòü)
2. Åñëè ôàéë åñòü, òî ï.ï. 3
3. Åñëè ñêðèïò çàïóùåí èç udhcpc-êëèåíò íà tap0, òî ïðîáåãàþ ïî ýòîìó ôàéëó è óäàëÿþ ýòè ïðàâèëà (âîîáùå íå ïðåäñòàâëÿþ, êàê ýòî ðåàëèçîâàòü) ïåðåõîäèì ê ï.ï. 8
4. Èíà÷å (ò.å. ñêðèïò çàïóùåí âñëåäñòâèè ðåêîíåêòà ê ppp0 èëè vlan1),
ïðîáåãàþ ïî ýòîìó ôàéëó è äîáàâÿþ ýòè ïðàâèëà (âîîáùå íå ïðåäñòàâëÿþ, êàê ýòî ðåàëèçîâàòü) ïåðåõîäèì ê ï.ï. ÊÎÍÅÖ
5. Åñëè ôàéëà íåò, òî ï.ï.6
6. Åñëè ñêðèïò çàïóùåí èç udhcpc-êëèåíò íà tap0, òî ïåðåõîäèì ê ï.ï. 8
7. Èíà÷å (ò.å. ñêðèïò çàïóùåí âñëåäñòâèè ðåêîíåêòà ê ppp0 èëè vlan1),
ïåðåõîäèì ê ï.ï. ÊÎÍÅÖ
8. Äîáàâëÿåì ïðàâèëî(à) â iptables è ñóòü ýòîãî ïðàâèë(à) ïèøåì â êàêîé-íèáóäü ôàéë (ýòî ÿ çíàþ êàê ñäåëàòü)
~ÊÎÍÅÖ

Âîò ÷òî òèïà òàêîãî.

Ýòîò ôàéë, ãäå áóäóò õðàíèòüñÿ äîáàâëåííûå ïðàâèëà, ÿ äóìàë ïîëîæèòü â /etc/my_iptables.conf. Òîãäà, ïðè çàãðóçêå/ïåðåãðóçêå ðîóòåðà, ýòîãî ôàéëà òî÷íî íå áóäåò.
Èëè ìîæåò ëó÷øå åãî ïîëîæèòü íà /opt/etc ???

íàðèñóéòå, íè÷¸ íå ïîíÿë êòî êóäà äîëæåí õîäèòü è ïðè÷åì òóò ïïòï

Ýòî ÿ âñå óæå ïðîñìîòðåë. Ðàçâå òàê ñëîæíî ïðîñòî íàïèñàòü êàê ýòî îñóùåñòâèòü? Èëè íàäî îáÿçàòåëüíî ïåðåä ýòèì ïðî÷èòàòü âñå ðóêîâîäñòâî è çàáèòü íà ýòó èäåþ? :D

Âàì íåîáõîäèìî ïîìèìî íàñòðîéêè ïðàâèë iptables íàñòðîèòü routing (ìàðøðóòèçàöèþ).

Äàéòå ñõåìó ÷òî Âàì íàäî, íàïðèìåð òàê:
ñåòü 172.1.1.0/24 <---> VPN (172.1.1.11/24) (wl500gp) tun0 (192.2.2.23/24) <---> 192.2.2.0/24

ñîîáñòâåííî íóæíî çàáëîêèðîâàòü èñõîäÿùèå íà ppp0 411 ïîðò
òîåñòü çàáëîêèðîâàòü âñå èíòåðíåò äö++ õàáû (íó òå ÷òî íà ñòàíäàðòíîì 411 ïîðòó)
ïðè òîì òå ÷òî â ëîêàëêå äîëæíû ðàáîòàòü
âîîáùåì íå ïîëó÷àåòñÿ , íå ñèë¸í ÿ â ëèíóêñå

Äîáàâèòü â post-firewall


iptables -A FORWARD -o ppp0 -p tcp -m tcp --dport 411 -j DROP

Åñëè íóæíî, ÷òîáû è ñàì ðîóòåð íå ìîã ñîåäèíèòüñÿ, äîáàâèòü åù¸ òàêóþ æå ñòðî÷êó, òîëüêî çàìåíèòü FORWARD íà OUTPUT

ñïàñèáî ðàáîòàåò

÷èñòî òåîðåòè÷åñêèé âîïðîñ, äëÿ îáùåãî ðàçâèòèÿ... :)

Ýýýý... iptables? %)

ïîëàãàþ, kernel

â ïðèíöèïå äà, òîëüêî ýòî íå ïðîöåññ ... ÷åì òî æå äîëæíî áûòü ïðåäñòàâëåíî âñ¸ ýòî, ÷òî-áû õîòü ìîíèòîðèíã ïðîâåñòè

Êóðèì... :cool:
http://www.opennet.ru/base/net/iptables_inside.txt.html

ñèå çäîðîâî è èíòåðåñíî, íî ... àáñîëþòíî íå ïî òåìå :(((


Ïåðåôîðìóëèðóþ âîïðîñ:
åñòü íåêîòîðûé òðàôôèê ÷åðåç ðîóòåð, ÷àñòü èä¸ò èç ëîêàëêè ïðîâà, ÷àñòü - èç èíåòà (pptp).

Íàäî îïðåäåëèòü ñêîëüêî ïðèìåðíî % ïðîöà ñæèðàåò WAN->LAN ïðåîáðàçîâàíèå, ò.å. NAT è ôàéðâîë.

Ñêîëüêî ñæèðàåò èíåò ïîíÿòíî - ñìîòðèì pptp. (êîíå÷íî ïàêåòû, ïðèõîäÿùèå èç pptp òàêæå ïîäâåðãàþòñÿ ôèëüòðîâàíèþ, íî ñèå íå êðèòè÷íî, ò.ê. íóæíà ëèøü îáùàÿ îöåíêà, à íå òîíêîñòè )

 rTorrent îòñóòñòâóåò IP -ôèëüòð, êàê â uTorrent. Íó è êàê ÿ ïî÷åðïíóë èç ýòîãî ôîðóìà, åãî ìîæíî ðåàëèçîâàòü ñðåäñòâàìè IpTables.
Ïîäñêàæèòå ïîæàëóéñòà, êàê ýòî ñäåëàòü? ß â Linux íè÷åãîøåíüêè íå ïîíèìàþ... Ïî÷èòàë òóòîðèàë îá IpTables... âåñüìà ñìóòíûå âïå÷àòëåíèå îñòàâèëî ýòî ìåðîïðèÿòèå. Ìîã áû êòî íèòü íàïèñàòü ïðèìåð, êàê ýòî ñäåëàòü. Êàê ýòî âáèòü, ÷òîáû çàïóñêàëîñü âñåãäà ãäå ïîòîì ñìîòðåòü è ò.ä.
Äëÿ ïðèìåðà çàáëîêèðîâàòü äèàïàçîí IP àäðåñîâ 0.0.0.0 - 82.200.197.255

Íåóæåëè íèêòî íå ïîìîæåò?

Ïîðûñêàâ ïî èíåòó, ïîñìîòðåâ ïðèìåðû íàêèäàë âîò òàêîé âàðèàíò:
Äîïóñòè ìíå íóæíî ÷òîáû rtorrent êà÷àë òîëüêî èç äèàïàçîíà ñåòåé 82.200.127.255-82.201.0.0, òàêèì îáðàçîì êàê ÿ ïîíÿë äîëæíà áûòü
ïðèáëèçèòåëüíî òàêèå ñòðîêè:

iptables -A OUTPUT -p tcp --destination-port 12304:12305 -m iprange --dst-range 82.200.127.255-82.201.0.0 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 12304:12305 -m iprange --dst-range 82.200.127.255-82.201.0.0 -j ACCEPT

12304:12305 - ýòî ïîðòû íà êîòîðûõ ðàáîòàåò rtorrent, íó è ñîîòâåòñòâåííî ACCEPT, çíà÷èò ïàêåòû ïðèíèìàþòñÿ.
Ïðàâäà ÿ íå ïîíÿë êàê çàïðåòèòü îñòàëüíûå?
Îïðîáîâàâ ñèè ñòðîêè, îïèñàíûå âûøå ïðèøåë ê âûâîäó, ÷òî ìîäåì íå ïîíèìàåò êîìàíäó iprange, íó è ñîîòâåòñòâåííî òàêèì îáðàçîì äèàïàçîí
ip àäðåñîâ íå çàäàøü. Ïðèøëîñü ðàçáèâàòü âñå ýòî äåëî íà ïîäñåòè

82.200.127.255-82.201.0.0

82.200.127.255/32
82.200.128.0/17
82.201.0.0/32

òàêèì îáðàçîì ïîëó÷èëîñü ñëåäóþùåå

iptables -A OUTPUT -p tcp --source-port 12304:12305 -s 82.200.127.255/32 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 12304:12305 -d 82.200.127.255/32 -j ACCEPT

êòî ïîíèìàåò â ýòîì ïîñìîòðèòå, ïðàâèëüíî ëè ÿ äåëàþ?
êàê çàïðåòèòü îñòàëüíûå ïàêåòû, íå ïðèíàäëåæàùèå ýòèì ñåòÿì?

iptables -A OUTPUT -p tcp --source-port 12304:12305 -j DROP
iptables -A INPUT -p tcp --destination-port 12304:12305 -j DROP

ïðàâèëüíî ëè ýòî?
÷òî âáèâàòü âïåðåä, ÷òî ïîñëå?

Åñòü ðîóòåð àñóñ, ïîäêëþ÷åííûé ê èíòåðíåòó (LAN 192.168.0.1), ê íåìó ïîäêëþ÷åí Áîëüøîé Linux-ðîóòåð ñ äâóìÿ ñåòåâóõàìè (eth1-192.168.0.2 - ê àñóñó, eth1-192.168.1.1-ñìîòðèò â ëîêàëêó).Íà áîëüøîì ðîóòåðå ñòîèò âåá-ñåðâåð íà ïîðòó 8081. Àñóñ ïåðåíàïðàâëÿåò âåá-çàïðîñû ñ èíåòà ïî ïðàâèëó:

iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:8081
iptables -t nat -D PREROUTING -i ppp0 -p tcp --dport 80 -j DROP
Åñòü î÷åíü áîëüøàÿ íåîáõîäèìîñòü ïîñûëàòü çàïðîñû ê âåá-ñåðâåðó èç ëîêàëêè (192.1681.1/24), îáðàùàÿñü ïðè ýòîì ïî õîñòíåéìó áëàáëàáëà.dyndns.org (http://áëàáëàáëà.dyndns.org), îäíàêî îí âûêèäûâàåò ìåíÿ íà 192.168.0.1:80. âìåñòî 192.168.1.1:8081 :(
Çàðàíåå ñïàñèáî!
P.S.: man iptables íå ïðåäëàãàòü)

Åñëè çàâåðíóòü èñõîäÿùèå ñîåäèíåíèÿ âîò òàê
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:8081

òî âåá-ñåðâåð ðàáîòàåò ïî õîñòíåéìó, íî èíåòà íåò

Åñëè çàâåðíóòü èñõîäÿùèå ñîåäèíåíèÿ âîò òàê
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:8081

òî âåá-ñåðâåð ðàáîòàåò ïî õîñòíåéìó, íî èíåòà íåò

iptables -t nat -A PREROUTING -i br0 -p tcp -d âíåøíèé_IP_Asus_íà_ppp0 --dport 80 -j DNAT --to-destination 192.168.0.2:8081