thanks for the advice, I'll try them too...
but at the moment
post-firewall contains:
Code:
#!/bin/sh
# allow inbound SSH; -I puts the rule at the top of INPUT
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
# forward external port 8081 to an internal host; -i takes the WAN interface name,
# --to-destination takes host:port (both left blank here as posted)
iptables -t nat -A PREROUTING -i -p tcp --dport 8081 -j DNAT --to-destination :
# accept new TCP connections to 8081; -A appends to the end of INPUT
iptables -A INPUT -p tcp --syn --dport 8081 -j ACCEPT
but
iptables -L
returns:
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW
ACCEPT     all  --  anywhere             anywhere            state NEW
SECURITY   all  --  anywhere             anywhere            state NEW
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere            state INVALID
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
SECURITY   all  --  anywhere             anywhere            state NEW
ACCEPT     all  --  anywhere             anywhere            ctstate DNAT

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain MACS (0 references)
target     prot opt source               destination

Chain SECURITY (2 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5
RETURN     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
RETURN     udp  --  anywhere             anywhere            limit: avg 5/sec burst 5
RETURN     icmp --  anywhere             anywhere            limit: avg 5/sec burst 5
DROP       all  --  anywhere             anywhere

Chain logaccept (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT     all  --  anywhere             anywhere

Chain logdrop (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
DROP       all  --  anywhere             anywhere
iptables -L -t nat
Code:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
VSERVER    all  --  anywhere             213.xxxxx<my external IP>
VSERVER    all  --  anywhere             10.16.81.233
NETMAP     udp  --  anywhere             213.xxxxx<my external IP>  udp spt:6112 192.168.0.0/24

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
NETMAP     udp  --  192.168.0.0/24       anywhere            udp dpt:6112 213.141.140.91/32
MASQUERADE all  --  !213.xxxxx<my external IP>  anywhere
MASQUERADE all  --  !10.16.81.233        anywhere
MASQUERADE all  --  192.168.0.0/24       192.168.0.0/24

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain VSERVER (2 references)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere            tcp dpt:59627 to:192.168.0.147:59627
DNAT       udp  --  anywhere             anywhere            udp dpt:59627 to:192.168.0.147:59627
netstat -na | grep LISTEN
Code:
tcp        0      0 0.0.0.0:1025            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1026            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1028            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1029            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1030            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1031            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1032            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1033            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1034            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1035            0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.1:139         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1036            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9100            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5431            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3838            0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
tcp        0      0 :::23                   :::*                    LISTEN
so, as far as I understand, my post-firewall didn't take effect?
if so, why might that be?
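Added example, not from the poster or from the router firmware: a small Python checker that reads `iptables -L` text like the listings above and reports, for a given port, whether an ACCEPT for it exists in INPUT and sits before the chain's catch-all DROP, and whether a DNAT for it is reachable from nat PREROUTING (following jumps into user chains such as VSERVER). It relies on two iptables facts: a chain is evaluated top to bottom and stops at the first terminating target, so an ACCEPT appended with -A after an unconditional DROP is never reached (-I puts it in front); and `iptables -L` without `-v -n` hides interface matches such as -i and prints service names instead of numbers, so run `iptables -L -v -n` (and `-t nat`) before trusting a listing. The sample input is constructed: it follows the INPUT, PREROUTING and VSERVER chains above with the external IP replaced by 203.0.113.5, and one extra `tcp dpt:8081` ACCEPT appended after the DROP to show the shadowed case.

```python
"""Check, from `iptables -L` text, whether a port's firewall rules actually landed."""
import re
from collections import namedtuple

# Service names iptables prints when run without -n; `iptables -L -n` prints numbers.
SERVICE_PORTS = {"ssh": 22, "ftp": 21, "telnet": 23, "http": 80, "bootpc": 68}

# extra = match text after the destination column, e.g. "tcp dpt:ssh"; dport parsed from it.
Rule = namedtuple("Rule", "target proto source dest extra dport")
CHAIN_RE = re.compile(r"^Chain (\S+) \(")
DPT_RE = re.compile(r"\bdpt:(\S+)")

def parse_iptables_list(text):
    """Parse `iptables -L` output into {chain name: [Rule, ...]}, preserving rule order."""
    chains, rules = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = CHAIN_RE.match(line)
        if m:
            rules = chains.setdefault(m.group(1), [])
            continue
        parts = line.split(None, 5)   # target prot opt source destination [matches]
        if rules is None or len(parts) < 5 or parts[0] == "target":
            continue
        extra = parts[5] if len(parts) > 5 else ""
        dport, dm = None, DPT_RE.search(extra)
        if dm:
            tok = dm.group(1)
            dport = int(tok) if tok.isdigit() else SERVICE_PORTS.get(tok)
        rules.append(Rule(parts[0], parts[1], parts[3], parts[4], extra, dport))
    return chains

def first_catchall_drop(rules):
    """Index of the first rule dropping everything (proto all, no extra match), else None."""
    for i, r in enumerate(rules):
        if r.target == "DROP" and r.proto == "all" and not r.extra:
            return i
    return None

def input_port_status(chains, port, proto="tcp"):
    """'accepted', 'shadowed' (the ACCEPT sits after a catch-all DROP), or 'missing'."""
    rules = chains["INPUT"]
    cutoff = first_catchall_drop(rules)
    for i, r in enumerate(rules):
        if r.target == "ACCEPT" and r.proto == proto and r.dport == port:
            return "accepted" if cutoff is None or i < cutoff else "shadowed"
    return "missing"

def dnat_for_port(nat_chains, port, proto="tcp", chain="PREROUTING", seen=None):
    """Follow PREROUTING into user chains (e.g. VSERVER); return the DNAT target or None."""
    seen = set() if seen is None else seen
    if chain in seen or chain not in nat_chains:
        return None
    seen.add(chain)
    for r in nat_chains[chain]:
        if r.target == "DNAT" and r.proto == proto and r.dport == port:
            return r.extra.split("to:")[-1]
        if r.target in nat_chains:       # jump into a user-defined chain
            found = dnat_for_port(nat_chains, port, proto, r.target, seen)
            if found:
                return found
    return None

# Constructed sample modelled on the router listing: external IP replaced by 203.0.113.5,
# and a `tcp dpt:8081` ACCEPT added after the catch-all DROP, which is where `-A INPUT`
# would put it. No real firewall is queried.
FILTER_LIST = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
SECURITY   all  --  anywhere             anywhere            state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
DROP       all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8081
"""
NAT_LIST = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
VSERVER    all  --  anywhere             203.0.113.5
VSERVER    all  --  anywhere             10.16.81.233
Chain VSERVER (2 references)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere            tcp dpt:59627 to:192.168.0.147:59627
DNAT       udp  --  anywhere             anywhere            udp dpt:59627 to:192.168.0.147:59627
"""

if __name__ == "__main__":
    filt, nat = parse_iptables_list(FILTER_LIST), parse_iptables_list(NAT_LIST)
    for port in (22, 8081, 59627):
        print(port, input_port_status(filt, port), dnat_for_port(nat, port))
```

On a router you would feed it the real listings (`iptables -L -n` and `iptables -L -n -t nat`) instead of the constructed strings; with `-n` the service-name table is never needed. A port reported as "shadowed" is reachable only after the ACCEPT is moved above the DROP, e.g. by using `-I INPUT` rather than `-A INPUT` in post-firewall.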