Ïîìîãèòå ðàçîáðàòüñÿ ñ ïðîáðîñîì ïîðòà [Archive]

Alexx_B

07-08-2008, 13:03

Wl500gP, ïðîøèâêà 1.9.2.7-10
Óñòàíîâëåí OpenVPN. Êîãäà-òî áûëà íåîáõîäèìîñòü ïðîáðàñûâàòü rAdmin-îâñêèé ïîðò 4899 ÷åðåç ðîóòåð íà êîìï. Íî õèòðî, ÷òîáû ýòî âîçìîæíî áûëî òîëüêî ÷åðåç OpenVPN (êàêàÿ-íèêàêàÿ,à çàùèòà êîìïà). Òàê ÷òî ÷åðåç âåá-îáîëî÷êó íå ïîäõîäèò
ïîýòîìó ÿ äîáàâèë â post-firewall ïðàâèëî
iptables -t nat -A PREROUTING -p tcp -s 10.8.0.1/24 --dport 4899 -j DNAT --to-destination 10.100.1.5:4899

áûëî ýòî äàâíî è âñå ðàáîòàëî, ïîòîì íåîáõîäèìîñòü îòïàëà, òàê ÷òî êîãäà ðàáîòàòü ïåðåñòàëî ÿ íå çíàþ, íî ñåé÷àñ íå ðàáîòàåò. Ñ ðîóòåðîì çà ýòî âðåìÿ ðàçâå ÷òî îáíîâëåíèå ïðîøèâêè ïðîèñõîäèëî..

êîìàíäà òà æå, ïàêåòû óëàâëèâàþòñÿ
tcpdump -i tun0 -v
tcpdump: listening on tun0, link-type LINUX_SLL (Linux cooked), capture size 68 bytes
14:54:16.637974 IP (tos 0x0, ttl 128, id 9327, offset 0, flags [DF], length: 4 10.8.0.2.3124 > 10.8.0.1.4899: S [tcp sum ok] 3727616767:3727616767(0) win 16384 <mss 1260,nop,nop,sackOK>
14:54:19.553936 IP (tos 0x0, ttl 128, id 9350, offset 0, flags [DF], length: 4 10.8.0.2.3124 > 10.8.0.1.4899: S [tcp sum ok] 3727616767:3727616767(0) win 16384 <mss 1260,nop,nop,sackOK>
14:54:25.487031 IP (tos 0x0, ttl 128, id 9394, offset 0, flags [DF], length: 4 10.8.0.2.3124 > 10.8.0.1.4899: S [tcp sum ok] 3727616767:3727616767(0) win 16384 <mss 1260,nop,nop,sackOK>

3 packets captured
3 packets received by filter
0 packets dropped by kernel

íó è âîò
iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:5190 to:10.100.1.1:5190
VSERVER all -- anywhere 10.72.8.41
NETMAP udp -- anywhere 10.72.8.41 udp spt:6112 10.100.1.0/24
DNAT tcp -- 10.8.0.0/24 anywhere tcp dpt:4899 to:10.100.1.5:4899

Â ÷åì ÿ íàêîñÿ÷èë?

BORODA(C)

08-08-2008, 07:01

Ó ìåíÿ ïîõîæàÿ ñèòóàöèÿ (http://wl500g.info/showthread.php?t=13761). Îòêëþ÷èë ïðîáðîñ îòäåëüíûõ ïîðòîâ, íî îñòàâèë NAT äëÿ åäèíñòâåííîãî êîìïà â îáå ñòîðîíû. Ïðîáëåìà óøëà. ×òî äåëàòü êîãäà ïðèåäåò ñ äà÷è âòîðîé êîìï - ïîêà íå ïðåäñòàâëÿþ.

Alexx_B

08-08-2008, 09:10

áîþñü ÷òî ýòî ìíå íå ïîäõîäèò..:( ó ìåíÿ èñïîëüçóþòñÿ ðåãóëÿðíî 2 êîìïà, â èäåàëå íàäî ïðîáðîñèòü ïîðòû è äëÿ òîãî è äëÿ äðóãîãî, íî ÿ äóìàþ êîãäà îäèí çàðàáîòàåò - âòîðîé òîæå íàñòðîèòñÿ ëåãêî.. íå ìîãó ïîÿíòü - âåäü ðàáîòàëî æå âñå...

êîëáàñêèí

08-08-2008, 20:35

âîò è ó ìåíÿ òàæå ïðîáëåìà...ïîðòû ïðîñòî íå ïðîáðàñûâàþòñÿ....

vectorm

09-08-2008, 17:58

âîò è ó ìåíÿ òàæå ïðîáëåìà...ïîðòû ïðîñòî íå ïðîáðàñûâàþòñÿ....
À ðó÷íîé ïðîáðîñ ðàçâå íå ðàáîòàåò?
Íàïðèìåð òàê:
iptables -A INPUT -p tcp -m tcp -d $I --dport $P -j ACCEPT

Ãäå $I - íóæíûé âíóòðåííèé IP àäðåñ, $P - íóæíûé ïîðò.
Íå ìîãóò ïîðòû íå ïðîáðàñûâàòüñÿ - ëèáî Âû íå òàê äåëàåòå, ëèáî íå òåì ñìîòðèòå.

êîëáàñêèí

09-08-2008, 20:58

À ðó÷íîé ïðîáðîñ ðàçâå íå ðàáîòàåò?
Íàïðèìåð òàê:
iptables -A INPUT -p tcp -m tcp -d $I --dport $P -j ACCEPT

Ãäå $I - íóæíûé âíóòðåííèé IP àäðåñ, $P - íóæíûé ïîðò.
Íå ìîãóò ïîðòû íå ïðîáðàñûâàòüñÿ - ëèáî Âû íå òàê äåëàåòå, ëèáî íå òåì ñìîòðèòå.

îòäåëüíîå ñïàñèáî çà èíñòðóêöèþ íà âàøåì ðîóòåðå!

íî ïîðò ïðîáðîøåí - ïðîãðàììà ðàáîòàåò - íî ïðè ïåðåäà÷è ìíå ôàéëà ïî netspeaker(ýòî ãîëîñîâîé ÷àò) ïåðåäà÷à ñðàçó æå ñáðàñûâàåòñÿ è ìíå íå ìîãóò ïåðåäàâàòü çâóê! âîîáùåì íà âõîäÿùåå ñîåäèíåíèå ó ìåíÿ ïðîáëåìà...

vectorm

09-08-2008, 21:45

îòäåëüíîå ñïàñèáî çà èíñòðóêöèþ íà âàøåì ðîóòåðå!

íî ïîðò ïðîáðîøåí - ïðîãðàììà ðàáîòàåò - íî ïðè ïåðåäà÷è ìíå ôàéëà ïî netspeaker(ýòî ãîëîñîâîé ÷àò) ïåðåäà÷à ñðàçó æå ñáðàñûâàåòñÿ è ìíå íå ìîãóò ïåðåäàâàòü çâóê! âîîáùåì íà âõîäÿùåå ñîåäèíåíèå ó ìåíÿ ïðîáëåìà...
Òîãäà íàäî ðàçáèðàòüñÿ ñ òåì, êóäà ïàêåòû ïûòàþòñÿ ïðèõîäèòü è çàâîðà÷èâàòü èõ êóäà íóæíî.
Âîçìîæíî ïîìîãóò PREROUTING/POSTROUTING â iptables.

êîëáàñêèí

09-08-2008, 23:09

Âîò ïðîáîâàë íî óâû...

iptables -t nat -I PREROUTING -i eth1 -d 91.195.184.10 -p tcp --dport 8765 -j DNAT --to-destination 192.168.0.2:8765
iptables -I FORWARD -i eth1 -p tcp -m tcp -d 192.168.0.2 --dport 8765 -j ACCEPT
iptables -I FORWARD -p tcp -m tcp -s 192.168.0.2 --sport 8765 -j ACCEPT
iptables -t nat -I POSTROUTING -p tcp -o eth1 -s 192.168.0.2 --sport 8765 -j SNAT --to-source 91.195.184.10:8765

iptables -t nat -I PREROUTING -i eth1 -d 91.195.184.10 -p tcp --dport 8772 -j DNAT --to-destination 192.168.0.2:8772
iptables -I FORWARD -i eth1 -p tcp -m tcp -d 192.168.0.2 --dport 8772 -j ACCEPT
iptables -I FORWARD -p tcp -m tcp -s 192.168.0.2 --sport 8772 -j ACCEPT
iptables -t nat -I POSTROUTING -p tcp -o eth1 -s 192.168.0.2 --sport 8772 -j SNAT --to-source 91.195.184.10:8772

âñå òàêæå ôàéëû è çâóê íå ïðèíèìàåò!
åñëè ñåòåâîé êàáåëü âêëþ÷èòü ïðÿìî â êîìïüþòåð - òî âñå íîðìàëüíî!

vectorm

10-08-2008, 10:55

Âîò ïðîáîâàë íî óâû...

iptables -t nat -I PREROUTING -i eth1 -d 91.195.184.10 -p tcp --dport 8765 -j DNAT --to-destination 192.168.0.2:8765
iptables -I FORWARD -i eth1 -p tcp -m tcp -d 192.168.0.2 --dport 8765 -j ACCEPT
iptables -I FORWARD -p tcp -m tcp -s 192.168.0.2 --sport 8765 -j ACCEPT
iptables -t nat -I POSTROUTING -p tcp -o eth1 -s 192.168.0.2 --sport 8765 -j SNAT --to-source 91.195.184.10:8765

iptables -t nat -I PREROUTING -i eth1 -d 91.195.184.10 -p tcp --dport 8772 -j DNAT --to-destination 192.168.0.2:8772
iptables -I FORWARD -i eth1 -p tcp -m tcp -d 192.168.0.2 --dport 8772 -j ACCEPT
iptables -I FORWARD -p tcp -m tcp -s 192.168.0.2 --sport 8772 -j ACCEPT
iptables -t nat -I POSTROUTING -p tcp -o eth1 -s 192.168.0.2 --sport 8772 -j SNAT --to-source 91.195.184.10:8772

âñå òàêæå ôàéëû è çâóê íå ïðèíèìàåò!
åñëè ñåòåâîé êàáåëü âêëþ÷èòü ïðÿìî â êîìïüþòåð - òî âñå íîðìàëüíî!
Òîãäà çíà÷èò ïðîïóñêíîé ñïîñîáíîñòè Wi-Fi íå õâàòàåò

Alexx_B

10-08-2008, 12:34

À ðó÷íîé ïðîáðîñ ðàçâå íå ðàáîòàåò?
Íàïðèìåð òàê:
iptables -A INPUT -p tcp -m tcp -d $I --dport $P -j ACCEPT

íå ðàáîòàåò, íî tcpdump-îì ëîâèòñÿ èíà÷å
íà êàæäûé S ïðèõîäèò îòâåò R (òå. ïîðò ïîëó÷àåòñÿ çàêðûò)

post-firewall:
#!/bin/sh
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -p tcp --dport 21 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -s 10.8.0.1/24 --dport 4899 -j DNAT --to-destination 10.100.1.5:4899
iptables -D INPUT -j DROP
iptables -I INPUT -p tcp --dport 5190 -j ACCEPT
iptables -t nat -I PREROUTING -i eth1 -p tcp --dport 5190 -j DNAT --to-destination $4:5190
iptables -A INPUT -j DROP
iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
iptables -I OUTPUT -o tun0 -j ACCEPT

Íå ìîãóò ïîðòû íå ïðîáðàñûâàòüñÿ - ëèáî Âû íå òàê äåëàåòå, ëèáî íå òåì ñìîòðèòå.
ÿ áóäó ðàä âûñëóøàòü ëþáûå èäåè. íî ñàìîå îáèäíîå - ÷òî ðàáîòàëî....

êîëáàñêèí

10-08-2008, 12:54

Òîãäà çíà÷èò ïðîïóñêíîé ñïîñîáíîñòè Wi-Fi íå õâàòàåò

ýòî êàê... ÿ ïîäîçðåâàë ÷òî ïàêåòû íå òóäà èäóò è ïîýòîìó ñáðàñûâàåòñÿ ñîåäèíåíèå...
ÿ æå íîðìàëüíî ìîãó ïåðåäàâàòü çâóê è ôàéëû,à âîò ìíå íå ìîãóò... åñëè áû âîîáùå íå ðàáîòàëî - ÿ áû ñîãëàñèëñÿ....