Íàñòðîéêà IPTables

[_Denis_]

Ïðèâåòñòâóþ,íóæíà òâîÿ ïîìîùü.

Ïðîáëåìêà ñëåäóþùàÿ:
Åñòü 2 íåçàâèñèìûå ñåòè, ñêàæåì "A" è "B". Ðàçäàâàòü èíòåðíåò. Èíòåðíåò "èäåò" ÷åðåç ìåñòíóþ ëîêëüíóþ ñåòü, Ïðèñâàèâàåòñÿ IP ÷åðåç DHCP.

×òî ÿ äåëàþ.
÷åðåç îáîëî÷êó íàñòðàèâàþ.
WAN - êëèåíò DHCP (âîçìîæíî çäåëàòü åñëè îòâåòà îò ñåðâåðà íåò òî ïî óìîë÷àíèþ âûñòàâëÿëñÿ îïðåäåëëåííûé IP)
LAN - 10.0.9.1/255.255.255.0 - "A"

×åðåç òåëíåò
LAN "B"
robocfg vlan 2 ports "1 5t" vlan 0 ports "2 3 4 5t"
vconfig add eth0 2
ifconfig vlan2 10.0.8.1 broadcast 10.0.8.255 netmask 255.255.255.0 up

âñå âðîäå ïîäíèìàåòñÿ íî â èíòåðåíò ÷åðåç vlan2 íå âûõîäèò.
À òàê æå íå ìîãó ïîäñîåäèíèòüñÿ ïî òåëíåòó èç ñåòè LAN "B".

À ÷òî äàëüøå äåëàòü ?
Êàê ÿ ïîíåìàþ íàäî ïðîïèñûâàòü ïðàâèëà, íî êàêèå?

PS: Â ïîèñêå ÿ èñêàë ïîõîæóþ çàäà÷ó, íî âñå õîòÿò íàñòðàèâàòü 2 WAN èíòåðôåéñà.

[twinsys]

Ïðîøèâêà WL500gp-1.9.2.7-8.19.trx
Êàê ìîæíî ìåíÿòü ïðàâèëà êîòîðûå çàáèòû ïî óìîë÷àíèþ (ìîæåò åñòü ôàéë)?
Èëè åäèíñòâåííûé ñïîñîá ìåíÿòü ïðàâèëè IPTables ÷åðåç /usr/local/sbin/post-firewall – (èñïîëíÿåòñÿ âñÿêèé ðàç, ïîñëå òîãî êàê óñòðîéñòâî ìåíÿåò âíóòðåííèå ïðàâèëà ñ ïîìîùüþ êîìàíä iptables, ñ òåì, ÷òîáû Âû ìîãëè âíåñòè ñâîè èçìåíåíèÿ â firewall)?

[djet]

À â ÷¸ì, ñîáñòâåííî, ïðîáëåìà?

Ó ìåíÿ, íàïðèìåð, òàê:

# Default policy
iptables -P INPUT DROP
iptables -D INPUT -j DROP
iptables -D INPUT -m state --state INVALID -j DROP
iptables -I INPUT 1 -m state --state INVALID -j logdrop
iptables -F logdrop
iptables -A logdrop -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
iptables -A logdrop -j DROP

+ êó÷à ñòðî÷åê äëÿ ñåðâèñîâ.

[twinsys]

Ïðîáëåìû äåéñòâèòåëüíî íåò.
Ïðîñòî õî÷åòñÿ ïîíÿòü, ãäå òî æå äîëæíû áûòü íàñòðîéêè, êîòîðûå èçíà÷àëüíî â ïðîøèâêå… È ãëàâíîå õî÷åòñÿ ïîíÿòü ìîæíî ëè èõ ìåíÿòü?
P.S. È ñïàñèáî ÷òî îòêëèêíóëèñü…

[al37919]

Âî ïåðâûõ, åñòü êîììàíäà iptables-save
Âî âòîðûõ, ïðè çàãðóçêå ïî óñòàíîâêàì âåá-ìîðäû ãåíåðÿòñÿ ôàéëû /tmp/filter_rules è /tmp/nat_rules , êîòîðûå çàòåì çàëèâàþòñÿ ñ ïîìîùüþ iptables-restore

[bocman]

Ïîäíÿë SSH ñåðâåð, êàê îïèñàíî â íàñòðîéêå ðîóòåðà ñ íóëÿ, ðàçðåøèë â iptables äîñòóï ïî WAN
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
âñå çàðàáîòàëî, õîòÿ ìíå íå î÷åíü ïîíÿòíî, ïî÷åìó äàííîå ïðàâèëî ðàçðåøàåò äîñòóï èìåíî ïî WAN...
(ò.å. äî òîãî êàê åãî ïðîïèñàë, ÿìîã òîëêüî èç LAN ëåçòü ïî SSH, íî âåäü ýòî-òî òîæå INPUT ?)

Íî òóò ïîíÿë, ÷òî íà ðàáîòå ó ìåíÿ çàêðûò 22 ïîðò

êàê ìîæíî íà ðîóòåðå ïðîïèñàòü ïåðåêèäûâàíèå ïàêåòîâ ïðèõîäÿùèõ ÈÌÅÍÍÎ ÏÎ WAN íà êàêîé-íèòü 8081 ïîðò íà ïîðò 22?
èëè ìîæíî â íàñòðîéêàõ SSH ñåðâåðà èçìåíèòü ïîðò äëÿ âíåøíåãî èíòåðôåéñà?

[al37919]

iptables -t nat -A PREROUTING -i $1 -p tcp --dport 8081 -j DNAT --to-destination $4:22
èëè
dropbear -p 22 -p 8081

[bocman]

ê ñîæàëåíèþ, íè âûïîëíåíèå êîìàíäû
dropbear -p 22 -p 8081
íè ïðîïèñûâàíèÿ
iptables -t nat -A PREROUTING -i $1 -p tcp --dport 8081 -j DNAT --to-destination $4:22 â post-firewall ñ ïîñëåäóþùåé ïåðåçàãðóçêîé íå ïîìîãëè...
ssh òàê è ñîåäèíÿòåòñÿ èçâíå è èç ëîêàëêè ïî 22 ïîðòó
à íàäî ÷òî áû èçìíå ïî 8081 ,à èç ëîêàëêè ïî 22...

[al37919]

òàê, êîíêðåòèçèðóþ.

Ïî ïåðâîìó âàðèàíó îáðàùåíèå èç wan ê ïîðòó 8081 äîëæíî ïðèâåñòè ê ïåðåáðîñó íà 22é ïîðò, íà êîòîðîì ssh ñåðâåð ñèäèò ïî óìîë÷àíèþ.

Âòîðîé âàðèàíò çàäàåò dropbear ñëóøàòü íà äâóõ ïîðòàõ, ïðè ýòîì äîñòóï íà 8081 èç wan äîëæåí áûòü ðàçðåøåí:
iptables -A INPUT -p tcp --syn --dport 8081 -j ACCEPT

_â_îáîèõ_ñëó÷àÿõ_ ïðàâèëî iptables -I INPUT -p tcp --dport 22 -j ACCEPT äîëæíî îòñóòñòâîâàòü.

Âñå äåéñòâèÿ ñ iptables äîëæíû áûòü çàïèñàíû â post-firewall

Åñëè ïî ïðåæíåìó íå ïîìîæåò --- ïðèâåäèòå âûâîä ñëåäóþùèõ êîììàíä
iptables -L
iptables -L -t nat
netstat -na | grep LISTEN

[bocman]

òàê, êîíêðåòèçèðóþ.

Ïî ïåðâîìó âàðèàíó îáðàùåíèå èç wan ê ïîðòó 8081 äîëæíî ïðèâåñòè ê ïåðåáðîñó íà 22é ïîðò, íà êîòîðîì ssh ñåðâåð ñèäèò ïî óìîë÷àíèþ.

Âòîðîé âàðèàíò çàäàåò dropbear ñëóøàòü íà äâóõ ïîðòàõ, ïðè ýòîì äîñòóï íà 8081 èç wan äîëæåí áûòü ðàçðåøåí:
iptables -A INPUT -p tcp --syn --dport 8081 -j ACCEPT

_â_îáîèõ_ñëó÷àÿõ_ ïðàâèëî iptables -I INPUT -p tcp --dport 22 -j ACCEPT äîëæíî îòñóòñòâîâàòü.

Âñå äåéñòâèÿ ñ iptables äîëæíû áûòü çàïèñàíû â post-firewall

Åñëè ïî ïðåæíåìó íå ïîìîæåò --- ïðèâåäèòå âûâîä ñëåäóþùèõ êîììàíä
iptables -L
iptables -L -t nat
netstat -na | grep LISTEN

Ñïàñèáî! Äîìà ïîïðîáóþ...
íî ïî ïîâîäó iptables ÿ íå î÷åíü ïîíèìàþ ãäå óêàçûâàåòñÿ ÷òî ïðàâèëà ñîçäàåòñÿ äëÿ èíòðåôåñà WAN à íå LAN?

à ïî ïîâîäó âòîðîãî ñïîñîáà âîïðîñ â òîì, ÷òî êîìàíäó dropbear -p 22 -p 8081 íàäî ïðîñòî âûïîëíèòü èëè ãäå-òî ïðîïèñàòü? ò.å. êàê ñäåëàòü ÷òî áû ïîñëå ïåðåçàãðóçêè îíà îñòàëàñü â ñèëå
?

[al37919]

1) ïî óìîë÷àíèþ ôàéðâîë â ýòèõ ïðîøèâêàõ ñèäèò íà wan, à â lan åãî íåò. Ýòî íóæíî ïðîñòî ïðèíÿòü êàê óòâåðæäåíèå, íå òðåáóþùåå äîêàçàòåëüñòâà.
2) â post-boot

[bocman]

â post-firewall ïðîïèñàë
iptables -t nat -A PREROUTING -i $1 -p tcp --dport 8081 -j DNAT --to-destination $4:22
iptables -A INPUT -p tcp --syn --dport 8081 -j ACCEPT

ñîõðàíèëñÿ è äàæå ïåðåçàãðóçèëñÿ, íî ýòî íå ïîìîãëî

áóäó ýêñïåðèìåíòèðîâàòü äàëüøå...

[Max128]

â post-firewall ïðîïèñàë
iptables -t nat -A PREROUTING -i $1 -p tcp --dport 8081 -j DNAT --to-destination $4:22
iptables -A INPUT -p tcp --syn --dport 8081 -j ACCEPT

ñîõðàíèëñÿ è äàæå ïåðåçàãðóçèëñÿ, íî ýòî íå ïîìîãëî

áóäó ýêñïåðèìåíòèðîâàòü äàëüøå...

Íå ïîíèìàþ â ÷åì ïðîáëåìà, ïðåäûäóùèå ñîâåòû âïîëíå õîðîøè, âîò ìîé âàðèàíò:
post-boot

PHP Code:

dropbear -p 443 > /dev/null 2>&1 


post-firewall

PHP Code:

iptables -P INPUT DROP
#remove last default rule
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp --syn --dport 443 -j ACCEPT
iptables -A INPUT -j DROP 


ïîòîì ñîõðàíÿåìñÿ è ïåðåãðóæàåìñÿ

PHP Code:

/sbin/flashfs save && /sbin/flashfs commit && /sbin/flashfs enable && reboot 


Âñå. SSH âèñèò íà 443 ïîðòó, êîòîðûé ñîááñíî îòêðûò âåçäå.

[bocman]

ñïàñèáî çà ñîâåò, ÿ èõ òîæå ïîïðîáó...
íî íà äàííûé ìîìåíò
post-firewall ñîäåðæèò:

Code:

#!/bin/sh
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -i  -p tcp --dport 8081 -j DNAT --to-destination :
iptables -A INPUT -p tcp --syn --dport 8081 -j ACCEPT

íî
iptables -L
âîçâðàùàåò:

Code:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
DROP       all  --  anywhere             anywhere           state INVALID
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           state NEW
ACCEPT     all  --  anywhere             anywhere           state NEW
SECURITY   all  --  anywhere             anywhere           state NEW
ACCEPT     udp  --  anywhere             anywhere           udp spt:bootps dpt:bootpc
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ftp
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere           state INVALID
TCPMSS     tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
SECURITY   all  --  anywhere             anywhere           state NEW
ACCEPT     all  --  anywhere             anywhere           ctstate DNAT

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain MACS (0 references)
target     prot opt source               destination

Chain SECURITY (2 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5
RETURN     tcp  --  anywhere             anywhere           tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
RETURN     udp  --  anywhere             anywhere           limit: avg 5/sec burst 5
RETURN     icmp --  anywhere             anywhere           limit: avg 5/sec burst 5
DROP       all  --  anywhere             anywhere

Chain logaccept (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere           state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT     all  --  anywhere             anywhere

Chain logdrop (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere           state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
DROP       all  --  anywhere             anywhere

iptables -L -t nat

Code:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
VSERVER    all  --  anywhere             213.xxxxx<ìîé âíåøíèé IP>
VSERVER    all  --  anywhere             10.16.81.233
NETMAP     udp  --  anywhere             213.xxxxx<ìîé âíåøíèé IP>     udp spt:6112 192.168.0.0/24

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
NETMAP     udp  --  192.168.0.0/24       anywhere           udp dpt:6112 213.141.140.91/32
MASQUERADE  all  -- !213.xxxxx<ìîé âíåøíèé IP>       anywhere
MASQUERADE  all  -- !10.16.81.233         anywhere
MASQUERADE  all  --  192.168.0.0/24       192.168.0.0/24

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain VSERVER (2 references)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere           tcp dpt:59627 to:192.168.0.147:59627
DNAT       udp  --  anywhere             anywhere           udp dpt:59627 to:192.168.0.147:59627

netstat -na | grep LISTEN

Code:

tcp        0      0 0.0.0.0:1025            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1026            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1028            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1029            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1030            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1031            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1032            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1033            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1034            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1035            0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.1:139         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1036            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9100            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5431            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3838            0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
tcp        0      0 :::23                   :::*                    LISTEN

ò.å., íà ñêîëüêî ÿ ïîíèìàþ, post-firewall ó ìåíÿ íå ñðàáîòàë?
åñëè òàê, òî ïî÷åìó ýòî ìîæåò áûòü?

[Max128]

ñïàñèáî çà ñîâåò, ÿ èõ òîæå ïîïðîáó...
íî íà äàííûé ìîìåíò
post-firewall ñîäåðæèò:

Code:

#!/bin/sh
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -i  -p tcp --dport 8081 -j DNAT --to-destination :
iptables -A INPUT -p tcp --syn --dport 8081 -j ACCEPT

ò.å., íà ñêîëüêî ÿ ïîíèìàþ, post-firewall ó ìåíÿ íå ñðàáîòàë?
åñëè òàê, òî ïî÷åìó ýòî ìîæåò áûòü?

Ìåíÿ ñìóùàþò êëþ÷èêè -I, -t íàäî ÷èòàòü ìàí ïî èïòàáëåñ
À âîîáøå 22 ïîðò îòêðûò âñå íîðìàëüíî.
ÊÎãäà ÿ ñåáå äåëàë ôòï ÿ äåëàë íåìíîãî ïî äðóãîìó :

PHP Code:

#FTP Server Local 21, remote 6667
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 6667 -j ACCEPT 


âðîäå ðàáîòàëî