Ñòðàííîå ïîâåäåíèå ôàéðâîëà

**skelet** · 06-09-2008, 15:16

íåïðàâèëüíî, ýòè ïðàâèëà áëîêèðóþò âñ¸ íàôèã, ïîëíîñòüþ, êðîìå òîãî, ÷òî ÿâíî ïðîïèñàíî.

À âåäü ëîãè÷íûì ïîâåäåíèåì ÿâëÿåòñÿ:
à) ïîëíàÿ ñâîáîäà âíóòðè äîìàøíåé ëîêàëêè
á) åñëè êàêîé-òî ïàêåò èä¸ò èçíóòðè (ò.å. ïîïàäàåò íà br0) ïî ËÞÁÎÌÓ ïîðòó õîòü â èíåò (ppp0), õîòü â ëîêàëêó ïðîâà(vlan1), òî îí äîëæåí áûòü ïðîïóùåí, à òàêæå îáðàòíûõ.
ã) äîïóñê âõîäÿùèõ ñî ñòîðîíû ppp0 èëè vlan1 ïî ïîðòàì ssh (22) íà ñàì ðîóòåð, rtorrent(10000) íà ñàì ðîóòåð, utorrent 10000 íà 192.168.1.2:10001 ò.å íà êîìï.

Âàøè ïðàâèëà ñìîãóò îáåñïå÷èòü òîëüêî à) è ã) êàê ((

Êàê-òî òàê.

**CocosI** · 23-04-2011, 03:51

ß â ñòóïîðå.
Èëè ÿ ÷åãî-òî íå ïîíèìàþ, èëè ëûæè íå åäóò.

Ðîóòåð RT-16N
ïðîøèâêà RT-N16-1.9.2.7-rtn-r2895

[cocos@RT-16N root]$ robocfg show
Switch: enabled gigabit
Port 0: 100FD enabled stp: none vlan: 2 jumbo: off mac: 00:0f:e2:8e:c3:cf
Port 1: 100FD enabled stp: none vlan: 2 jumbo: off mac: 00:02:02:1c:d7:35
Port 2: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:06:dc:46:cc:87
Port 3: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:16:17:9b:d8:67
Port 4: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 90:e6:ba:3a:6b:44
Port 8: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 20:cf:30:ce:af:99
VLANs: BCM53115 enabled mac_check mac_hash
1: vlan1: 2 3 4 8t
2: vlan2: 0 1 8t

vlan2 - ïðîâàéäåð (ip àäðåñ èç ñåòè 10.160.101.0/24)
vlan1 - êîìï â ëîêàëüíîé ñåòè (ip àäðåñ èç ñåòè 192.168.133.0/24)

Íà êîìïüþòåðå çàïóñêàåòñÿ çàêà÷êà ñ ñàéòà ïðîâàéäåðà ôàéëà ðàçìåðîì 100MB.
Çàêà÷êà èäåò, íî âîò ïàêåòîâ ýòîé çàêà÷êè íè â îäíîé èç òàáëèö iptables íåò.

Íàïðèìåð íåò çäåñü ïîñëå òîãî êàê áûëî çàêà÷åíî 50M bytes:

[cocos@RT-16N root]$ iptables -t mangle -L -nv
Chain PREROUTING (policy ACCEPT 1832 packets, 455K bytes)
pkts bytes target prot opt in out source destination
0 0 MARK udp -- * * 192.168.133.6 0.0.0.0/0 udp spts:16384:16482 MARK set 0x6
0 0 MARK udp -- * * 192.168.133.6 0.0.0.0/0 udp dpt:5060 MARK set 0x6

Chain INPUT (policy ACCEPT 1558 packets, 430K bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 108 packets, 5950 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1342 packets, 247K bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 1472 packets, 254K bytes)
pkts bytes target prot opt in out source destination

Êòî-íèáóäü ñòàëêèâàëñÿ ñ ïîäîáíûì? Ïî÷åìó ïàêåòû õîäÿò ìèìî iptables?

**CocosI** · 23-04-2011, 11:25

Àãà!

Ðàçîáðàëñÿ.
Ïðîáëåìà áûëà âî âêëþ÷åííîì fastnat, êîòîðàÿ ïî âñåé âèäèìîñòè çàñòàâëÿåò õîäèòü òðàíçèòíûå ïàêåòû ìèìî netfilter.
Ïîñëå îòêëþ÷åíèÿ îïöèèè
#nvram set misc_fastnat_x=0
#flashfs save && flashfs commit && flashfs enable && reboot

âñå âñòàëî íà ñâîè ìåñòà.

**Belkin** · 06-07-2011, 21:11

Äîáðûé äåíü âñåì. Åñòü 2 îäèíàêîâûõ ðóòåðà WL500G Premium.

Îäèí íàõîäèòñÿ â ñåòè himki.net, èìååò âíåøíèé âûäåëåííûé IP, ïðîøèâêó îò Îëåãà 1.9.2.7-8

Íàñòðîéêè ôàåðâîëà òàêèå:

Code:

Enable Firewall? 	               Yes No
Enable DoS protection? 	               Yes No
Logged packets type: 	                 none
Enable Web Access from WAN? 	       Yes No
Port of Web Access from WAN: 	         8080
Respond LPR Request from WAN? 	       Yes No
Respond Ping Request from WAN? 	       Yes No
Number of connections to track: 	 4096

Ïðè ýòîì ðóòåð ïèíãóåòñÿ, òðàññèðóåòñÿ è äîñòóï ïî http âîçìîæåí.

Äðóãîé íàõîäèòñÿ â ñåòè Êîðáèíà (ïîäñåòü íå çíàþ, óëèöà Áîëüøàÿ Ìàðüèíñêàÿ), èìååò âíåøíèé âûäåëåííûé IP, ïðîøèâêó îò Îëåãà 1.9.2.7-10

Íàñòðîéêè ôàåðâîëà (áûëè):

Code:

Enable Firewall? 	               Yes No
Enable DoS protection? 	               Yes No
Logged packets type: 	                 none
Enable Web Access from WAN? 	       Yes No
Port of Web Access from WAN: 	         8080
Respond LPR Request from WAN? 	       Yes No
Respond Ping Request from WAN? 	       Yes No
Number of connections to track: 	 4096

Ïðè ýòîì ïèíã è òðàññèðîâêà ïðîõîäèëè, íî äîñòóï ïî http íå ðàáîòàë

Íàñòðîéêè ôàåðâîëà (ñòàëè):

Code:

Enable Firewall? 	               Yes No
Enable DoS protection? 	               Yes No
Logged packets type: 	                 none
Enable Web Access from WAN? 	       Yes No
Port of Web Access from WAN: 	         1024
Respond LPR Request from WAN? 	       Yes No
Respond Ping Request from WAN? 	       Yes No
Number of connections to track: 	 4096

Ïèíã, òðàññèðîâêà – îê. È äîñòóï ïî http çàðàáîòàë. ×òî, ñîáñòâåííî, ìíå è áûëî íóæíî.

Îäíàêî âîïðîñ âîçíèê òàêîé. Âûõîäèò, ÷òî â ñëó÷àå ñ õèìêèíñêèì ðîóòåðîì çíà÷åíèÿ Enable Web Access from WAN è Respond Ping Request from WAN èãíîðèðóþòñÿ, à â ñëó÷àå ñ ðîóòåðîì â ñåòè êîðáèíà èãíîðèðóåòñÿ çíà÷åíèå ïàðàìåòðà Respond Ping Request from WAN. Ìîæåò êòî-íèáóäü îáúÿñíèòü ïî÷åìó òàê? Ìíå äëÿ ñîáñòâåííîãî ðàçâèòèÿ ïðèãîäèòñÿ. Çàðàíåå ñïàñèáî.

**stvladimir** · 14-12-2011, 00:13

Ïûòàþñü ïðîèçâåñòè çàìåíó WL500P íà RT-N16. Âîçíèêàåò ñëåäóþùàÿ ïðîáëåìà:
åñòü ñëåäóþùèé post-firewall, ïðåêðàñíî ðàáîòàþùèé íà ìíîãèõ, ìíîé íàñòðîåííûõ, WL500õ:

Code:

#!/bin/sh

iptables -P INPUT DROP
iptables -F INPUT
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -F logaccept
iptables -A logaccept -j ACCEPT

#OpenVPN
iptables -A OUTPUT -p udp -o $1 --destination-port 2294 -j logaccept
iptables -A INPUT -p udp -i $1 --source-port 2294 -j logaccept
iptables -I INPUT -i tun0 -j logaccept
iptables -I FORWARD -i tun0 -j logaccept
iptables -I FORWARD -o tun0 -j logaccept
iptables -I OUTPUT -o tun0 -j logaccept
#SSH
iptables -A INPUT -p tcp -i! $1 --destination-port 22 -j logaccept
iptables -A OUTPUT -p tcp -o! $1 --source-port 22 -j logaccept
#WEB Console
iptables -A INPUT -p tcp -s 127.0.0.1 -d 127.0.0.1 --destination-port 80 -j logaccept
iptables -A INPUT -p tcp -s 127.0.0.1 -d 127.0.0.1 --source-port 80 -j logaccept
iptables -A OUTPUT -p tcp -s 127.0.0.1 -d 127.0.0.1 --source-port 80 -j logaccept
iptables -A OUTPUT -p tcp -s 127.0.0.1 -d 127.0.0.1 --destination-port 80 -j logaccept
#DNS
iptables -A OUTPUT -p udp --source-port 53 -j logaccept
iptables -A OUTPUT -p udp --destination-port 53 -j logaccept
iptables -A INPUT -p udp --source-port 53 -j logaccept
iptables -A INPUT -p udp --destination-port 53 -j logaccept
#NTP
iptables -A OUTPUT -p tcp -m state --state ESTABLISHED,RELATED --source-port 123 -j logaccept
iptables -A OUTPUT -p tcp --destination-port 123 -j logaccept
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED --source-port 123 -j logaccept
iptables -A INPUT -p tcp --destination-port 123 -j logaccept
iptables -A OUTPUT -p udp --source-port 123 -j logaccept
iptables -A OUTPUT -p udp --destination-port 123 -j logaccept
iptables -A INPUT -p udp --source-port 123 -j logaccept
iptables -A INPUT -p udp --destination-port 123 -j logaccept
#DHCP
iptables -A INPUT -p udp --source-port 68 --destination-port 67 -j logaccept
iptables -A OUTPUT -p udp --source-port 67 --destination-port 68 -j logaccept
#ROUTD
iptables -A INPUT -p udp --source-port 520 --destination-port 520 -j logaccept
iptables -A OUTPUT -p udp --source-port 520 --destination-port 520 -j logaccept
#Drop incoming UPnP silently
iptables -A INPUT -p udp --destination-port 1900 -j DROP

Ïîñëå âûïîëíåíèÿ ñêðèïòà ìàøèíû ïî Wifi íå ìîãóò ñîåäèíèòüñÿ ñ óçëîì, íå ìîãóò ïîëó÷èòü IP àäðåñ, ïðè ýòîì ìàøèíû íà LAN ïîðòàõ ïðåêðàñíî ðàáîòàþò, OpenVPN ðàáîòàåò. Ïîñëå ïðîâåäåííûõ èññëåäîâàíèé âûÿñíèëîñü, ÷òî ïðîáëåìà ïðîïàäàåò, åñëè iptables -P INPUT DROP è iptables -P OUTPUT DROP çàìåíèòü íà iptables -P INPUT ACCEPT è iptables -P OUTPUT ACCEPT.

Ïðîáîâàë íà ïðîøèâêàõ íà÷èíàÿ ñ RT-N16-1.9.2.7-rtn-r3497.trx è äî RT-N16-1.9.2.7-rtn-r3668.trx.
×òî èçìåíèëîñü â -rtn ïðîøèâêàõ èëè, ÷òî ÿ äåëàþ íå òàê?

**Spartach** · 14-12-2011, 06:28

Originally Posted by stvladimir

Ïðîáîâàë íà ïðîøèâêàõ íà÷èíàÿ ñ RT-N16-1.9.2.7-rtn-r3497.trx è äî RT-N16-1.9.2.7-rtn-r3668.trx.
×òî èçìåíèëîñü â -rtn ïðîøèâêàõ èëè, ÷òî ÿ äåëàþ íå òàê?

FASTNAT ïðîáîâàëè îòêëþ÷àòü?
Ìíå ïîìîãëî.
nvram set misc_fastnat_x=0 && nvram commit && reboot

**stvladimir** · 14-12-2011, 20:42

Originally Posted by Spartach

FASTNAT ïðîáîâàëè îòêëþ÷àòü?
Ìíå ïîìîãëî.
nvram set misc_fastnat_x=0 && nvram commit && reboot

Ïðîáîâàë. Íå ïîìîãëî

P.S. Ñïàñèáî vectorm çà îôîðìëåíèå ìîåãî âîïðîñà.

**BcTpe4HbIu** · 14-12-2011, 20:59

Originally Posted by stvladimir

Ïðîáîâàë. Íå ïîìîãëî

P.S. Ñïàñèáî vectorm çà îôîðìëåíèå ìîåãî âîïðîñà.

à ìîæåò ëó÷øå óáðàòü

Code:

iptables -F INPUT
iptables -F OUTPUT

çàìåíèâ íà

# remove last default rule
iptables -D INPUT -j DROP
iptables -D OUTPUT-j DROP

**stvladimir** · 14-12-2011, 21:48

Originally Posted by BcTpe4HbIu

à ìîæåò ëó÷øå óáðàòü

Code:

iptables -F INPUT
iptables -F OUTPUT

çàìåíèâ íà

Code:

# remove last default rule
iptables -D INPUT -j DROP
iptables -D OUTPUT-j DROP

Ýòî íå ïîìîãàåò, òàê êàê ïîëèòèêà îñòàåòñÿ DROP.

**BcTpe4HbIu** · 15-12-2011, 12:12

Originally Posted by stvladimir

Ýòî íå ïîìîãàåò, òàê êàê ïîëèòèêà îñòàåòñÿ DROP.

Âàì ñêðèïò â òàêîì âèäå óáèðàåò âñå ñòàíäàðòíûå ïðàâèëà èç ýòèõ òàáëèö.
Íàïðèìåð òàì åñòü

Code:

-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -m conntrack --ctstate NEW -j ACCEPT

À âîîáùå õîòåëîñü áû âûâîä iptables-save ïîñìîòðåòü...

**stvladimir** · 15-12-2011, 20:30

Originally Posted by BcTpe4HbIu

À âîîáùå õîòåëîñü áû âûâîä iptables-save ïîñìîòðåòü...

Code:

*nat
:PREROUTING ACCEPT [2003:216116]
:POSTROUTING ACCEPT [112:7988]
:OUTPUT ACCEPT [142:13942]
:UPNP - [0:0]
:VSERVER - [0:0]
-A PREROUTING -d 192.168.1.190/32 -j VSERVER 
-A POSTROUTING ! -s 192.168.1.190/32 -o vlan2 -j MASQUERADE 
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.2.0/24 -o br0 -j MASQUERADE 
COMMIT
*mangle
:PREROUTING ACCEPT [4124:374249]
:INPUT ACCEPT [1326:114744]
:FORWARD ACCEPT [2178:141795]
:OUTPUT ACCEPT [1438:219590]
:POSTROUTING ACCEPT [3458:346376]
COMMIT
*filter
:INPUT DROP [50:2796]
:FORWARD ACCEPT [2164:140147]
:OUTPUT DROP [55:5146]
:BRUTE - [0:0]
:MACS - [0:0]
:SECURITY - [0:0]
:UPNP - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -i tun0 -j logaccept 
-A INPUT -i vlan2 -p udp -m udp --sport 2294 -j logaccept 
-A INPUT ! -i vlan2 -p tcp -m tcp --dport 22 -j logaccept 
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -m tcp --dport 80 -j logaccept 
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -m tcp --sport 80 -j logaccept 
-A INPUT -p udp -m udp --sport 53 -j logaccept 
-A INPUT -p udp -m udp --dport 53 -j logaccept 
-A INPUT -p tcp -m tcp --dport 123 -j logaccept 
-A INPUT -p udp -m udp --sport 123 -j logaccept 
-A INPUT -p udp -m udp --dport 123 -j logaccept 
-A INPUT -p udp -m udp --sport 68 --dport 67 -j logaccept 
-A INPUT -p udp -m udp --sport 520 --dport 520 -j logaccept 
-A INPUT -p udp -m udp --dport 1900 -j DROP 
-A FORWARD -o tun0 -j logaccept 
-A FORWARD -i tun0 -j logaccept 
-A FORWARD -i br0 -o br0 -j ACCEPT 
-A FORWARD -m conntrack --ctstate INVALID -j DROP 
-A FORWARD -d 224.0.0.0/4 -p udp -j ACCEPT 
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD ! -i br0 -o vlan2 -j DROP 
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT 
-A FORWARD -o br0 -j DROP 
-A OUTPUT -o tun0 -j logaccept 
-A OUTPUT -o vlan2 -p udp -m udp --dport 2294 -j logaccept 
-A OUTPUT ! -o vlan2 -p tcp -m tcp --sport 22 -j logaccept 
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -m tcp --sport 80 -j logaccept 
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -m tcp --dport 80 -j logaccept 
-A OUTPUT -p udp -m udp --sport 53 -j logaccept 
-A OUTPUT -p udp -m udp --dport 53 -j logaccept 
-A OUTPUT -p tcp -m tcp --dport 123 -j logaccept 
-A OUTPUT -p udp -m udp --sport 123 -j logaccept 
-A OUTPUT -p udp -m udp --dport 123 -j logaccept 
-A OUTPUT -p udp -m udp --sport 67 --dport 68 -j logaccept 
-A OUTPUT -p udp -m udp --sport 520 --dport 520 -j logaccept 
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN 
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN 
-A SECURITY -p udp -m limit --limit 5/sec -j RETURN 
-A SECURITY -p icmp -m limit --limit 5/sec -j RETURN 
-A SECURITY -j DROP 
-A logaccept -j ACCEPT 
-A logdrop -m conntrack --ctstate NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options --log-macdecode 
-A logdrop -j DROP 
COMMIT

À òåïåðü îïèñûâàþ èíòåðåñíûé ýêñïåðèìåíò. Êîìï ïî Wifi íå ìîæåò ïîëó÷èòü IP è, ñîîòâåòñòâåííî, íå ñîåäèíÿåòñÿ ñ ñåòêîé. Çàõîæó íà óçåë ñ ìàøèíû ïîäêëþ÷åííîé ïî ïðîâîäàì, êîòîðàÿ òàê æå ïîëó÷àåò äèíàìè÷åñêèé IP. Äàþ êîìàíäû:

Code:

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT

Êîìï ïî WiFi ïîëó÷àåò ñâîé IP, âñå ñåðâèñû íà÷èíàþò ðàáîòàòü íà óðà. Äàëåå íà óçëå äàþ êîìàíäû:

Code:

iptables -P INPUT DROP
iptables -P OUTPUT DROP

Âñå ïðîäîëæàåò ðàáîòàòü äî ìîìåíòà renew IP íà WiFi êîìïå. Êòî ñìîæåò îáúÿñíèòü òàêîå ïîâåäåíèå.

**BcTpe4HbIu** · 15-12-2011, 21:47

Originally Posted by stvladimir

Code:

*nat
:PREROUTING ACCEPT [2003:216116]
:POSTROUTING ACCEPT [112:7988]
:OUTPUT ACCEPT [142:13942]
:UPNP - [0:0]
:VSERVER - [0:0]
-A PREROUTING -d 192.168.1.190/32 -j VSERVER 
-A POSTROUTING ! -s 192.168.1.190/32 -o vlan2 -j MASQUERADE 
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.2.0/24 -o br0 -j MASQUERADE 
COMMIT
*mangle
:PREROUTING ACCEPT [4124:374249]
:INPUT ACCEPT [1326:114744]
:FORWARD ACCEPT [2178:141795]
:OUTPUT ACCEPT [1438:219590]
:POSTROUTING ACCEPT [3458:346376]
COMMIT
*filter
:INPUT DROP [50:2796]
:FORWARD ACCEPT [2164:140147]
:OUTPUT DROP [55:5146]
:BRUTE - [0:0]
:MACS - [0:0]
:SECURITY - [0:0]
:UPNP - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -i tun0 -j logaccept 
-A INPUT -i vlan2 -p udp -m udp --sport 2294 -j logaccept 
-A INPUT ! -i vlan2 -p tcp -m tcp --dport 22 -j logaccept 
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -m tcp --dport 80 -j logaccept 
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -m tcp --sport 80 -j logaccept 
-A INPUT -p udp -m udp --sport 53 -j logaccept 
-A INPUT -p udp -m udp --dport 53 -j logaccept 
-A INPUT -p tcp -m tcp --dport 123 -j logaccept 
-A INPUT -p udp -m udp --sport 123 -j logaccept 
-A INPUT -p udp -m udp --dport 123 -j logaccept 
-A INPUT -p udp -m udp --sport 68 --dport 67 -j logaccept 
-A INPUT -p udp -m udp --sport 520 --dport 520 -j logaccept 
-A INPUT -p udp -m udp --dport 1900 -j DROP 
-A FORWARD -o tun0 -j logaccept 
-A FORWARD -i tun0 -j logaccept 
-A FORWARD -i br0 -o br0 -j ACCEPT 
-A FORWARD -m conntrack --ctstate INVALID -j DROP 
-A FORWARD -d 224.0.0.0/4 -p udp -j ACCEPT 
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD ! -i br0 -o vlan2 -j DROP 
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT 
-A FORWARD -o br0 -j DROP 
-A OUTPUT -o tun0 -j logaccept 
-A OUTPUT -o vlan2 -p udp -m udp --dport 2294 -j logaccept 
-A OUTPUT ! -o vlan2 -p tcp -m tcp --sport 22 -j logaccept 
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -m tcp --sport 80 -j logaccept 
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -m tcp --dport 80 -j logaccept 
-A OUTPUT -p udp -m udp --sport 53 -j logaccept 
-A OUTPUT -p udp -m udp --dport 53 -j logaccept 
-A OUTPUT -p tcp -m tcp --dport 123 -j logaccept 
-A OUTPUT -p udp -m udp --sport 123 -j logaccept 
-A OUTPUT -p udp -m udp --dport 123 -j logaccept 
-A OUTPUT -p udp -m udp --sport 67 --dport 68 -j logaccept 
-A OUTPUT -p udp -m udp --sport 520 --dport 520 -j logaccept 
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN 
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN 
-A SECURITY -p udp -m limit --limit 5/sec -j RETURN 
-A SECURITY -p icmp -m limit --limit 5/sec -j RETURN 
-A SECURITY -j DROP 
-A logaccept -j ACCEPT 
-A logdrop -m conntrack --ctstate NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options --log-macdecode 
-A logdrop -j DROP 
COMMIT

À òåïåðü îïèñûâàþ èíòåðåñíûé ýêñïåðèìåíò. Êîìï ïî Wifi íå ìîæåò ïîëó÷èòü IP è, ñîîòâåòñòâåííî, íå ñîåäèíÿåòñÿ ñ ñåòêîé. Çàõîæó íà óçåë ñ ìàøèíû ïîäêëþ÷åííîé ïî ïðîâîäàì, êîòîðàÿ òàê æå ïîëó÷àåò äèíàìè÷åñêèé IP. Äàþ êîìàíäû:

Code:

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT

Êîìï ïî WiFi ïîëó÷àåò ñâîé IP, âñå ñåðâèñû íà÷èíàþò ðàáîòàòü íà óðà.

"Âñå" ýòî êàêèå? ðîóòåð ïèíãóåòñÿ?

Äàëåå íà óçëå äàþ êîìàíäû:

Code:

iptables -P INPUT DROP
iptables -P OUTPUT DROP

Âñå ïðîäîëæàåò ðàáîòàòü äî ìîìåíòà renew IP íà WiFi êîìïå. Êòî ñìîæåò îáúÿñíèòü òàêîå ïîâåäåíèå.

Ðîóòåð óæå íå ïèíãóåòñÿ?
â iptables íåò ïðàâèë äëÿ äîñòóïà ê ðîóòåðó èç ëîêàëüíîé ñåòè (ýòî ïîñëå î÷èñòêè òàáëèö â ñàìîì íà÷àëå). è ÿ êñòàòè íå ïîíèìàþ êàê ïî ïðîâîäó êîìï ip ïîëó÷àåò...

Êàê ñàì ðîóòåð íàñòðîåí? ïîäêëþ÷åíèå êàêîå?

Ïðîáîâàëè ýòî äåëàòü âñå òàêè? Çà÷åì âîîáùå î÷èùàòü òàáëèöû ýòè..?

**stvladimir** · 15-12-2011, 22:39

Originally Posted by BcTpe4HbIu

"Âñå" ýòî êàêèå? ðîóòåð ïèíãóåòñÿ?

ß èìåë ââèäó, ÷òî êîìïüþòåð, ïîäêëþ÷åííûé ïî Wifi, èìååò ïîëíûé äîñòóï â èíòåðíåò, ò.å. ïèíãóåò âñå âíåøíèå àäðåñà, ÷åðåç OpenVPN ìîæíî ïîïàñòü â äðóãóþ äðóæåñòâåííóþ ñåòü, ðàáîòàåò äîñòóï ê ñèñòåìå äîìåííûõ èìåí è ò.ä. Ðàáîòàåò òàê, êàê è çàäóìàíî. Ñàì ðîóòåð íå ïèíãóåòñÿ, íî íà íåì îòêðûòî âñå, ÷òî òðåáóåòñÿ äëÿ îáåñïå÷åíèÿ âñåãî óêàçàííîãî è ÿ ìîãó çàéòè íà íåãî ïî SSH. Ïîñìîòðèòå âíèìàòåëüíåå íà ñêðèïò, òàì åñòü íåáîëüøèå êîììåíòàðèè îò òîì, çà ÷òî îòâå÷àåò òîò èëè èíîé áëîê ïðàâèë: #DNS, #NTP, #SSH, #OpenVPN...

Originally Posted by BcTpe4HbIu

ÿ êñòàòè íå ïîíèìàþ êàê ïî ïðîâîäó êîìï ip ïîëó÷àåò...

Íó, ýòî âîîáùå ïðîñòî. Áëàãîäàðÿ ïðàâèëó:

Code:

#DHCP
iptables -A INPUT -p udp --source-port 68 --destination-port 67 -j logaccept
iptables -A OUTPUT -p udp --source-port 67 --destination-port 68 -j logaccept

ß åùå ðàç ñêàæó, ÷òî ýòîò ñêðèïò ðàáîòàåò, ñ íåáîëüøèìè èçìåíåíèÿìè, íå òîëüêî íà ðîóòåðàõ ñ Oleg'îâîé ïðîøèâêîé, íî è íà äðóãèõ firewall óæå íå îäèí ãîä.

Ñêðèïò ïîñòðîåí "ïî áëî÷íîìó" ïðèíöèïó. Íàïðèìåð, âàì íå íóæåí OpenVPN, òîãäà êîììåíòèðóåòå ñòðîêè îòíîñÿùèåñÿ ê OpenVPN. Ó âàñ ñîåäèíåíèå ê ïðîâàéäåðó ñ èñïîëüçîâàíèåì PPTP, òîãäà äîáàâëÿþòñÿ ñëåäóþùèé áëîê ïðàâèë:

Code:

#PPTP
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED --source-port 1723 -j logaccept
iptables -A OUTPUT -p tcp --source-port 1024:65535 --destination-port 1723 -j logaccept
iptables -A OUTPUT -p 47 -j logaccept
iptables -A INPUT -p 47 -j logaccept

Originally Posted by BcTpe4HbIu

Ïðîáîâàëè ýòî äåëàòü âñå òàêè?

Äà.

Originally Posted by BcTpe4HbIu

Çà÷åì âîîáùå î÷èùàòü òàáëèöû ýòè..?

Ñ÷èòàéòå ìåíÿ ïàðàíîèêîì.

**BcTpe4HbIu** · 16-12-2011, 21:57

Originally Posted by stvladimir

Íó, ýòî âîîáùå ïðîñòî. Áëàãîäàðÿ ïðàâèëó:

Code:

#DHCP
iptables -A INPUT -p udp --source-port 68 --destination-port 67 -j logaccept
iptables -A OUTPUT -p udp --source-port 67 --destination-port 68 -j logaccept

ïðîãëÿäåë...

ìîæíî äëÿ òåñòà äîáàâèòü â êîíåö ñêðèïòà

Code:

iptables -A INPUT -j logdrop

íó è ëîãè ñìîòðåòü... ìîæåò ÷òî è ïðîÿñíèòñÿ

Ñ÷èòàéòå ìåíÿ ïàðàíîèêîì.

îê...

**stvladimir** · 19-12-2011, 23:35

Originally Posted by BcTpe4HbIu

ìîæíî äëÿ òåñòà äîáàâèòü â êîíåö ñêðèïòà

Code:

iptables -A INPUT -j logdrop

íó è ëîãè ñìîòðåòü... ìîæåò ÷òî è ïðîÿñíèòñÿ

Äîáàâèë:

Code:

iptables -A INPUT -j logdrop
iptables -A OUTPUT -j logdrop

È...òèøèíà. Òàêîå îùóùåíèå, ÷òî íåò çàïðîñîâ ê DHCP ñåðâåðó îò Wifi êëèåíòà.
Äëÿ òåñòà óáèðàþ:

Code:

#iptables -A INPUT -p udp --source-port 68 --destination-port 67 -j logaccept

Ïîëó÷àþ ðóãàíü äëÿ êëèåíòà íà LAN'å, à ñ Wifi çàïðîñîâ âîîáùå íå âèäíî

Code:

Dec 20 03:20:14 kernel: DROP IN=br0 OUT= MACSRC=00:1e:33:94:44:5b MACDST=ff:ff:ff:ff:ff:ff MACPROTO=0800 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=23155 PROTO=UDP SPT=68 DPT=67 LEN=308 
Dec 20 03:20:18 kernel: DROP IN=br0 OUT= MACSRC=00:1e:33:94:44:5b MACDST=ff:ff:ff:ff:ff:ff MACPROTO=0800 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=23156 PROTO=UDP SPT=68 DPT=67 LEN=308

Íè÷åãî íå ïîíèìàþ

P.S. Â÷åðà ïîìåíÿëè ïî ãàðàíòèè æåëåçêó. Â ïÿòíèöó ïðåäûäóùàÿ ïðèêàçàëà äîëãî æèòü. Ïîñëå î÷åðåäíîé ïåðåçàãðóçêè èíäèêàòîðû PWD è Wifi ïîòóõëè è áîëüøå íå çàæãëèñü. Îñòàëüíûå èíäèêàòîðû çàæèãàëèñü, êîãäà âñòàâëÿëñÿ êàáåëü â ñîîòâåòñòâóþùèé ïîðò.

Thread: Ñòðàííîå ïîâåäåíèå ôàéðâîëà

Thread Tools

Rate This Thread

Display

Ñòðàííîå ïîâåäåíèå iptables

Èãíîð çíà÷åíèé ôàåðâîëà

rt-n16

Tags for this Thread

Posting Permissions