Ïðîáëåìû ñ UPnP (ïðîáðîñ ïîðòîâ è îòñóòñòâèå èíòåðíåòà)

[toxarbk]

Ïðîïèñàë â virtual server ïîðòû 20 è 21. Õîòåë áûëî îñòàëüíîå íàñòðàèâàòü, íî ïîãëÿäåë â status&log > Port Forwarding è ÎÔÈÃÅË, ñêîëüêî òàì âñåãî ôîðâàðäèòñÿ (íå, îíî âñå ïðàâèëüíî ïðîïèñàíî, ÿ ðóêàìè áû òî æå ñàìîå âñå ïðîïèñàë, ñêàéïû òàì âñÿêèå, òîððåíòû è ïðî÷èå çâåðóøêè, õîòÿùèå ïðÿìîãî ip), íî ÷òî çà ñàìîäåÿòåëüíîñòü?! =)
Ýòî ôè÷à èëè áàã? Êàê çàïðåòèòü âñå, êðîìå ïðîïèñàííîãî â virtual server?
Çàðàíåå ñïàñèáî. =)

[toxarbk]

ôèãíÿ ïðîäîëæàåòñÿ. Ðåáóòíóë ðóòåð,
â virtual server:
21 192.168.1.101 21 TCP
20 192.168.1.101 20 TCP

â ñòàòèñòèêå:
Destination Proto. Port Range Redirect to
all TCP 20 192.168.1.101
all TCP 21 192.168.1.101

à ñíàðóæè - õðåí. 20é îòêðûò, 21é çàêðûò. Ïîäñêàæèòå ãäå êîïàòü ÏËÇ? Ïðîøèâêà îò Îëåãà.

[StaREViL]

ôèãíÿ ïðîäîëæàåòñÿ. Ðåáóòíóë ðóòåð,
â virtual server:
Ïîäñêàæèòå ãäå êîïàòü ÏËÇ? Ïðîøèâêà îò Îëåãà.

Ïî÷åìó æå ôèãíÿ. Òû ëó÷øå iptables -L ïîêàæè.

[toxarbk]

âîò òàê âèäåí 21é ïîðò (òîëüêî ÷òî ïðîâåðèë)

Code:

[admin@(none) root]$ iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW
ACCEPT     all  --  anywhere             anywhere            state NEW
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            ctstate DNAT
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain MACS (0 references)
target     prot opt source               destination

Chain SECURITY (0 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
RETURN     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
RETURN     udp  --  anywhere             anywhere            limit: avg 5/sec burst 5
RETURN     icmp --  anywhere             anywhere            limit: avg 5/sec burst 5
DROP       all  --  anywhere             anywhere

Chain logaccept (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT     all  --  anywhere             anywhere

Chain logdrop (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
DROP       all  --  anywhere             anywhere
[admin@(none) root]$

à âîò òàê âèäíû îáà ïîðòà, 20 è 21:

Code:

[admin@(none) root]$ iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW
ACCEPT     all  --  anywhere             anywhere            state NEW
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            ctstate DNAT
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain MACS (0 references)
target     prot opt source               destination

Chain SECURITY (0 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
RETURN     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
RETURN     udp  --  anywhere             anywhere            limit: avg 5/sec burst 5
RETURN     icmp --  anywhere             anywhere            limit: avg 5/sec burst 5
DROP       all  --  anywhere             anywhere

Chain logaccept (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT     all  --  anywhere             anywhere

Chain logdrop (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
DROP       all  --  anywhere             anywhere
[admin@(none) root]$

[Dr.]

Åñëè â âåáìîðäå Port Forwarding default policy óñòàíîâëåíî â DROP, òî íóæíî ïðîïèñàòü ïðàâèëà äëÿ ïàêåòîâ â òàáëèöó FORWARD.

[toxarbk]

Åñëè â âåáìîðäå Port Forwarding default policy óñòàíîâëåíî â DROP, òî íóæíî ïðîïèñàòü ïðàâèëà äëÿ ïàêåòîâ â òàáëèöó FORWARD.

LAN to WAN Filter:
Enable LAN to WAN Filter? - NO
WAN to LAN Filter:
Port Forwarding default policy: - ACCEPT

[svk4286]

Ïðîïèñàë â virtual server ïîðòû 20 è 21. Õîòåë áûëî îñòàëüíîå íàñòðàèâàòü, íî ïîãëÿäåë â status&log > Port Forwarding è ÎÔÈÃÅË, ñêîëüêî òàì âñåãî ôîðâàðäèòñÿ (íå, îíî âñå ïðàâèëüíî ïðîïèñàíî, ÿ ðóêàìè áû òî æå ñàìîå âñå ïðîïèñàë, ñêàéïû òàì âñÿêèå, òîððåíòû è ïðî÷èå çâåðóøêè, õîòÿùèå ïðÿìîãî ip), íî ÷òî çà ñàìîäåÿòåëüíîñòü?! =)
Ýòî ôè÷à èëè áàã? Êàê çàïðåòèòü âñå, êðîìå ïðîïèñàííîãî â virtual server?
Çàðàíåå ñïàñèáî. =)

Âûêëþ÷èòå UPnP â âåáìîðäå,çàòåì ïðîâåðüòå,÷òî òàì UPnP ó âàñ ïîíàçàïèñàë:

Code:

nvram show|grep forw

È íåíóæíîå ïîòðèòå :

Code:

nvram unset ïåðåìåííàÿ

Íå çàáóäüòå ñîõðàíèòüñÿ.Ïîñëå ýòîãî ó âàñ áóäóò îòêðûâàòüñÿ ïîðòû òîëüêî ÷åðåç virtual server â âåáìîðäå.

[toxarbk]

Ïîñëå ýòîãî ó âàñ áóäóò îòêðûâàòüñÿ ïîðòû òîëüêî ÷åðåç virtual server â âåáìîðäå.

Âðîäå áû ðàáîòàåò, ïàñèáêè! À êàê òåïåðü ÷åðåç telnet ãëÿíóòü ÷òî òàì ñ ôîðâàðäèíãîì?

[svk4286]

À êàê òåïåðü ÷åðåç telnet ãëÿíóòü ÷òî òàì ñ ôîðâàðäèíãîì?

Ìîæíî óâèäåòü â âåáìîðäå Status & Log -> Port Forwarding,ìîæíî

Code:

 iptables -t nat -L

íî ýòà êîìàíäà ó ìåíÿ ïî÷åìó-òî î÷åíü äîëãî îòðàáàòûâàåòñÿ,à ìîæíî â telnete èëè â âåáìîðäå

Code:

cat /tmp/nat_rules

[toxarbk]

Code:

 iptables -t nat -L

Ó ìåíÿ ìãíîâåííî îòäàåò. Íî ñóòü íå â òîì.
Ýêñïåðèìåíòàëüíî âûÿñíèëîñü, ÷òî, åñëè çàäàòü äèàïàçîí ïîðòîâ â virtual server, íàïðèìåð 20:21->21 Òî îêàçûâàåòñÿ çàêðûòûì âîîáùå âñå.

[Power]

Ó ìåíÿ ìãíîâåííî îòäàåò. Íî ñóòü íå â òîì.
Ýêñïåðèìåíòàëüíî âûÿñíèëîñü, ÷òî, åñëè çàäàòü äèàïàçîí ïîðòîâ â virtual server, íàïðèìåð 20:21->21 Òî îêàçûâàåòñÿ çàêðûòûì âîîáùå âñå.

Âûâîä êîìàíäû iptables-save â ñòóäèþ!

[toxarbk]

Âûâîä êîìàíäû iptables-save â ñòóäèþ!

âîäò...

Code:

(none) login: admin
Password:
[admin@(none) root]$ iptables-save
# Generated by iptables-save v1.3.8 on Sun Feb 15 05:36:21 2009
*nat
:PREROUTING ACCEPT [8787:731091]
:POSTROUTING ACCEPT [10571:804906]
:OUTPUT ACCEPT [42:3113]
:VSERVER - [0:0]
-A PREROUTING -d 79.120.123.173 -j VSERVER
-A POSTROUTING -s ! 79.120.123.173 -o vlan2 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o br0 -j MASQUERADE
-A VSERVER -p tcp -m tcp --dport 20101 -j DNAT --to-destination 192.168.1.101:20101
-A VSERVER -p tcp -m tcp --dport 53161 -j DNAT --to-destination 192.168.1.101:53161
-A VSERVER -p tcp -m tcp --dport 2001 -j DNAT --to-destination 192.168.1.101:2001
-A VSERVER -p udp -m udp --dport 2001 -j DNAT --to-destination 192.168.1.101:2001
-A VSERVER -p tcp -m tcp --dport 54011 -j DNAT --to-destination 192.168.1.102:54011
-A VSERVER -p tcp -m tcp --dport 10001 -j DNAT --to-destination 192.168.1.101:10001
-A VSERVER -p udp -m udp --dport 10001 -j DNAT --to-destination 192.168.1.101:10001
-A VSERVER -p tcp -m tcp --dport 10002 -j DNAT --to-destination 192.168.1.102:10002
-A VSERVER -p udp -m udp --dport 10002 -j DNAT --to-destination 192.168.1.102:10002
-A VSERVER -p tcp -m tcp --dport 8128 -j DNAT --to-destination 192.168.1.101:8128
-A VSERVER -p udp -m udp --dport 8128 -j DNAT --to-destination 192.168.1.101:8128
-A VSERVER -p tcp -m tcp --dport 20:21 -j DNAT --to-destination 192.168.1.101:21
COMMIT
# Completed on Sun Feb 15 05:36:21 2009
# Generated by iptables-save v1.3.8 on Sun Feb 15 05:36:21 2009
*mangle
:PREROUTING ACCEPT [102815:42116895]
:INPUT ACCEPT [3609:219425]
:FORWARD ACCEPT [98731:41831763]
:OUTPUT ACCEPT [793:608966]
:POSTROUTING ACCEPT [99481:42436929]
COMMIT
# Completed on Sun Feb 15 05:36:21 2009
# Generated by iptables-save v1.3.8 on Sun Feb 15 05:36:21 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [7305:622486]
:OUTPUT ACCEPT [738:605327]
:MACS - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ! br0 -o vlan2 -j DROP
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -o br0 -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p udp -m limit --limit 5/sec -j RETURN
-A SECURITY -p icmp -m limit --limit 5/sec -j RETURN
-A SECURITY -j DROP
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Sun Feb 15 05:36:21 2009
[admin@(none) root]$

[Power]

âîäò...

Code:

-A VSERVER -p tcp -m tcp --dport 20:21 -j DNAT --to-destination 192.168.1.101:21

Ó âàñ îáà ïîðòà (20 è 21) ïåðåíàïðàâëÿþòñÿ íà îäèí ïîðò (21). Åñòåñòâåííî, ÷òî íå ðàáîòàåò. Ïðîñòî íå óêàçûâàéòå â òàêîì ñëó÷àå â ïîëå Local Port íè÷åãî. Òîãäà ïðåîáðàçîâàíèþ áóäóò ïîäâåðãàòüñÿ òîëüêî àéïè-àäðåñà, à íå ïîðòû.

[toxarbk]

Ó âàñ îáà ïîðòà (20 è 21) ïåðåíàïðàâëÿþòñÿ íà îäèí ïîðò (21). Åñòåñòâåííî, ÷òî íå ðàáîòàåò.

Çàêðûòû îêàçûâàþòñÿ ÂÑÅ ïîðòû, à íå òîëüêî 20 è 21.

[Power]

Çàêðûòû îêàçûâàþòñÿ ÂÑÅ ïîðòû, à íå òîëüêî 20 è 21.

À ïîêàæèòå â òàêîì ñëó÷àå, ÷òî âûâîäèò êîìàíäà

Code:

ifconfig