Ýêñïåðèìåíòåã.

[Lesnix]

Áåð¸ì íîâûé ASUS WL-500g Premium è íàñòðàèâàåì. Âñ¸ äåëàåì ïî èíñòðóêöèè.

Ìåíÿåì ïðîøèâêó(øüåì ïîñëåäíåå îò Îëåãà).
Íàñòðàèâàåì DHCP+PPTP. Âñ¸ ðàáîòàåò, âñ¸ çàìå÷àòåëüíî.
Ðàçðåøàåì icmp from WAN (ãàëî÷êà â Internet Firewall -> Basic Settings)
Ðàçðåøàåì Web-èíòåðôåéñ ïî ïîðòó 8080 èç WAN(ãàëî÷êà â Internet Firewall -> Basic Settings)
Ðàçðåøàåì ssh from WAN(ïî èíñòðóêöèè ñ ýòîãî ñàéòà, ïàðó ïðàâèë â iptables)
Íàñòðàèâàåì Wireless...

Èòîã:
1) Èíòåðíåò èç äîìàøíåé ñåòè - åñòü !
2) SSH, Web-interface èç WAN - åñòü !
È, êàæåòñÿ, âñ¸ çàìå÷àòåëüíî.
Íî òóò âûïëûâàåò îäíà î÷åíü èíòåðåñíàÿ ôè÷à(äà-äà, èìåííî ôè÷à NAT)...

Àäðåñà òðàíñëèðóþòñÿ â îáå ñòîðîíû. Âõîäÿùèå ñîåäèíåíèÿ, íå èìåþùèå ñîïîñòàâëåíèé â NAT-òàáëèöàõ, óñïåøíî òðàíñëèðóþòñÿ âî âíóòðåííþþ ïîäñåòü.
Ìû ìîæåì äîáðàòüñÿ äî âíóòðåííåé ïîäñåòè èç âíåøíåé !
È íà ýòîì íè÷åãî íå çàêàí÷èâàåòñÿ. Çàïóñêàÿ ðîóòåð â òàêîé êîíôèãóðàöèè, ìû ïðåäîñòàâëÿåì áåñïëàòíûé Èíòåðíåò âñåìó ñåãìåíòó ãîðîäñêîé ñåòè, çà ÷òî íàñ íåìåäëåííî îòêëþ÷àåò íàø ïðîâàéäåð. È îí òðèæäû ïðàâ.

Ýêñïåðèìåíò
Íàñòðàèâàåì ASUS êàê ÿ îïèñàë âûøå.
Åìó âûäàåòñÿ IP 10.7.14.88(MAN). Ðîóòåð êîííåêòèòñÿ ïî PPTP è ïîëó÷àåò IP 212.1.xxx.xx (ó ìåíÿ âíåøíèé).

Èä¸ì ê ñîñåäó. Ó íåãî íà êîìïå èï 10.7.14.89.
Ó ñîñåäà èíòåðíåòà íåò, áàëàíñ îòðèöàòåëüíûé, íà VPN íå ïóñêàåò.
Äåëàåì ó ñîñåäà:
route add -host ya.ru gw 10.7.14.88
route add -net 192.168.0.0/24(ìîÿ âíóòðåííÿÿ ñåòü) gw 10.7.14.88

È ïðîâåðÿåì:
ping 192.168.0.254 (âíóòðåííèé èï ðîóòåðà)
ping 192.168.0.8 (äîìàøíÿÿ òà÷êà)
ping ya.ru

ÂѨ ïèíãóåòñÿ !

....âûñêàçûâàåìñÿ.

Code:

[root@gw /tmp]$ iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere           state INVALID
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           state NEW
ACCEPT     all  --  anywhere             anywhere           state NEW
SECURITY   all  --  anywhere             anywhere           state NEW
ACCEPT     udp  --  anywhere             anywhere           udp spt:bootps dpt:bootpc
ACCEPT     tcp  --  anywhere             gw                 tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:7776
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:webcam
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh flags:SYN,RST,ACK/SYN

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere           state INVALID
TCPMSS     tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
SECURITY   all  --  anywhere             anywhere           state NEW
ACCEPT     all  --  anywhere             anywhere           ctstate DNAT

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain MACS (0 references)
target     prot opt source               destination

Chain SECURITY (2 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5
RETURN     tcp  --  anywhere             anywhere           tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
RETURN     udp  --  anywhere             anywhere           limit: avg 5/sec burst 5
RETURN     icmp --  anywhere             anywhere           limit: avg 5/sec burst 5
DROP       all  --  anywhere             anywhere

Chain logaccept (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere           state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT     all  --  anywhere             anywhere

Chain logdrop (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere           state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
DROP       all  --  anywhere             anywhere

[root@gw /tmp]$ cat nat_rules
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:VSERVER - [0:0]
-A PREROUTING -d 212.1.xxx.xx -j VSERVER
-A PREROUTING -d 10.7.14.88 -j VSERVER
-A VSERVER -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.254:80
-A POSTROUTING -o ppp0 ! -s 212.1.xx.xx -j MASQUERADE
-A POSTROUTING -o vlan1 ! -s 10.7.14.88 -j MASQUERADE
-A POSTROUTING -o br0 -s 192.168.0.0/24 -d 192.168.0.0/24 -j MASQUERADE
COMMIT

[gaaronk]

Äà. Èìåííî. NAT ýòî òðàíñëÿöèÿ. è íå áîëåå. äëÿ çàùèòû íóæíî èñïîëüçîâàòü firewall

ïîýòîìó ó ìåíÿ â ôàéðâîëëå â ìîìåíò ïîäíÿòèÿ ñîåäèíåíèÿ äîáàâëÿåòñÿ ïðàâèëî

â öåïî÷êó INPUT ïîñëå state INVALID ÷òî òî âðîäå

0 0 DROP all -- ppp0 * 0.0.0.0/0 !83.237.4.187

_ïðèìåðíî_ âîò òàê

iptables -I INPUT 2 -i $interface ! -d $ip -j DROP

(âñå ñîåäèíåíèÿ ÿ ïîäíèìàþ íå ñðåäñòâàìè ïðîøèâêè, à ñâîèìè ñêðèïòàìè)

òî åñòü äðîïàåì âñå âõîäÿùèå åñëè îíè àäðåñîâàíû íå íàøåìó ip

à òàê æå ìîäèôèöèðóþ FORWARD â post-firewall

iptables -P FORWARD DROP
iptables -A FORWARD -i br0 -s 192.168.0.0/24 -j ACCEPT

òî åñòü ðàçðåøàþ ôîðâàðäèòü ïàêåòû òîëüêî ñ àäðåñàìè ìîåé âíóòðåííåé ñåòè è ñ âíóòðåííåãî èíòåðôåñà, à âñå îñòàëüíîå - ïî óìîë÷àíèþ äðîïàåòñÿ

[Alexvaler]

â ôàê ýòîò ìîìåíò íåïðåìåííî!!! æåëàòåëüíî ñî ñòàíäàðòíûì ðåøåíèåì.

[Oleg]

Èñïðàâëÿòü íàäî. Òîëüêî ÷òî-òî ó ìåíÿ ïîêà â ãîëîâå íå ðèñóåòñÿ, ÷òî ñäåëàòü. Öåïî÷êó FORWARD íàäî èçìåíÿòü. ×òî-òî òèïà

iptables -A FORWARD ! -i br0 -j DROP

Íàäî ïðîâåðÿòü, íåò ëè êàêèõ ïîñëåäñòâèé îò òàêîé êîìàíäû.

[Lesnix]

Ðåøåíèå gaaronk, â ïðèíöèïå, ïîäõîäèò...
Òîëüêî ïðè ýòîì ñòàíîâèòñÿ íåâîçìîæíî äîáðàòüñÿ äî ðîóòåðà èç WAN ïî ïîðòó HTTP(8080)...
Âîîáùå ñòðàííî, ÷òî dropbear ssh ñëóøàåò íà âñåõ IP, à äîñòóï ïî http îðãàíèçîâàí òîëüêî ïðîáðàñûâàíèåì ïîðòà 8080 íà âíóòðåííèé èï... ýòî ñóäÿ ïî VSERVER...
ÿ ïðàâ ?

[gaaronk]

Ðåøåíèå gaaronk, â ïðèíöèïå, ïîäõîäèò...
Òîëüêî ïðè ýòîì ñòàíîâèòñÿ íåâîçìîæíî äîáðàòüñÿ äî ðîóòåðà èç WAN ïî ïîðòó HTTP(8080)...
Âîîáùå ñòðàííî, ÷òî dropbear ssh ñëóøàåò íà âñåõ IP, à äîñòóï ïî http îðãàíèçîâàí òîëüêî ïðîáðàñûâàíèåì ïîðòà 8080 íà âíóòðåííèé èï... ýòî ñóäÿ ïî VSERVER...
ÿ ïðàâ ?

à ïî÷åìó??

çàïðîñ ïðèõîäèò íà âíåøíèé ip ïðîïóñêàåòñÿ ôàéðâîëëîì, à ïîòîì îáðàáàòûâàåòñÿ ïîðòôîðâàðäèíãîì

imho òàê

[gaaronk]

Èñïðàâëÿòü íàäî. Òîëüêî ÷òî-òî ó ìåíÿ ïîêà â ãîëîâå íå ðèñóåòñÿ, ÷òî ñäåëàòü. Öåïî÷êó FORWARD íàäî èçìåíÿòü. ×òî-òî òèïà

iptables -A FORWARD ! -i br0 -j DROP

Íàäî ïðîâåðÿòü, íåò ëè êàêèõ ïîñëåäñòâèé îò òàêîé êîìàíäû.

áûòü íå äîëæíî. îòâåòû íà çàïðîñû îáðàáîòàþòñÿ ðàíåå ïðàâèëîì ñ RELATED,ESTABLISHED èëè DNAT (äëÿ ïîðòôîðâàðäèíãà)

ó ìåíÿ åùå áîëåå æåñòêîå óñëîâèå

iptables -A FORWARD -i br0 -s 192.168.0.0/24 -j ACCEPT

à îñòàëüíîå äðîïàåòñÿ. è ãîä ïî÷òè ïîëåò íîðìàëüíûé

âîò êóñîê post-firewall

lanaddr=`nvram get lan_ipaddr`
lanmask=`nvram get lan_netmask`
lan_net=`ipcalc -s -n $lanaddr $lanmask | awk '{print(substr($1,9))}'`/$lanmask

iptables -P FORWARD DROP
iptables -A FORWARD -i br0 -s $lan_net -j ACCEPT

[Diablo-AD]

Ðàçðåøàåì icmp from WAN (ãàëî÷êà â Internet Firewall -> Basic Settings)

OFF: à ãäå òàêàÿ ãàëî÷êà òàì?

[Lesnix]

Diablo-AD, ñìîòðè ïðèëîæåííûé ñêðèíøîò ñ ãàëî÷êîé

gaaronk, ÿ ñåáå post-firewall ïðàêòè÷åñêè àíàëîãè÷íûé ñäåëàë.

Code:

#!/bin/sh

inet_ip=`nvram get wan_ipaddr_t`
man_ip=`nvram get wanx_ipaddr`

lan_ip=`nvram get lan_ipaddr`
lan_mask=`nvram get lan_netmask`
lan_net=`ipcalc -s -n $lan_ip $lan_mask | awk '{print(substr($1,9))}'`/$lan_mask

# set default policy
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Remove last default rule
iptables -D INPUT -j DROP

# allow internal routing
iptables -A FORWARD -i br0 -j ACCEPT

# Allow access to ssh server from WAN
iptables -A INPUT -p tcp -i vlan1 --syn --dport 22 -j ACCEPT

# deny all packets with dst-ip !our_ip
iptables -I INPUT 2 -i ppp0 ! -d $inet_ip -j DROP
iptables -I INPUT 2 -i vlan1 ! -d $man_ip -j DROP

...è âîò ñ ýòèìè ïðàâèëàìè ìíå ÍÅ âèäåí ïîðò ðîóòåð:8080 íè èç MAN, íè èç èíåòà.
web-access from wan âêëþ÷åí. ïîðò 8080.

[gaaronk]

gaaronk, ÿ ñåáå post-firewall ïðàêòè÷åñêè àíàëîãè÷íûé ñäåëàë.

Code:

#!/bin/sh

lan_ip=`nvram get lan_ipaddr`
lan_mask=`nvram get lan_netmask`
lan_net=`ipcalc -s -n $lan_ip $lan_mask | awk '{print(substr($1,9))}'`/$lan_mask

çà÷åì âû÷èñëÿòü lan_net åñëè âñå ðàâíî íå èñïîëüçóåòñÿ?

à âåá? äàæå íå çíàþ. ëè÷íî äëÿ ìåíÿ íåò ñìûñëà âûñòàâëÿòü åãî íàðóæó, ÿ ýòî ñðàçó îòêëþ÷èë. äà è ïîòîì ÷òî ìåøàåò âêëþ÷èòü ëîããèðîâàíèå â öåïî÷êàõ input è forward è ïîñìîòðåòü ãäå ÷åãî äðîïàåòñÿ?

[Lesnix]

Íà ñàìîì äåëå $lan_net èñïîëüçóåòñÿ â # allow internal routing, òàì äîáàâëåí ïàðàìåòð -s è óêàçàíà ïîäñåòü. Ïðîñòî âûëîæåíà íåìíîãî ñòàðàÿ âåðñèÿ))

Âêëþ÷èòü ëîããèðîâàíèå è ïîñìîòðåòü ÷òî ãäå äðîïàåòñÿ ìåøàåò òîëüêî îäíî îáñòîÿòåëüñòâî - ïîñðåäñòâåííîå çíàíèå ìíîþ iptables, èáî äåëàë ÷òî-ëèáî, â îñíîâíîì, âî ôðå. Âïðî÷åì, ñïàñèáî, ïîïðîáóþ îòñëåäèòü.

[gaaronk]

â ñàìîì êîíöå post-firewall

# logging

iptables -A INPUT -j logdrop
iptables -A FORWARD -j logdrop

[vsu]

Ìäà, íó è äûðåíü... Ïðè÷¸ì, ñóäÿ ïî âñåìó, ôèðìåííàÿ.

Êñòàòè, äàæå âêëþ÷åíèå WAN to LAN Filter íå èñïðàâëÿåò ñèòóàöèþ â ïîëíîì îáú¸ìå - â ñëó÷àå PPTP äîáàâëÿþòñÿ ïðàâèëà ñ "-i ppp0 -o br0", ïðè ýòîì ïàêåòû ñ vlan1 âñ¸ ðàâíî áóäóò ïðîëåçàòü íàïðÿìóþ. Ðàçâå ÷òî ìîäèôèöèðîâàòü ýòè ôèëüòðû, ÷òîáû âìåñòî "-s wan_if" èñïîëüçîâàëîñü "! -s lan_if".

Êàê ìèíèìóì ïðè âêëþ÷åíèè NAT ìîæíî ñìåëî ðåçàòü â êîíöå FORWARD âñ¸, ÷òî ïðèøëî íå ñ br0. Ñòîèò ëè ýòî äåëàòü ïðè âûêëþ÷åííîì NAT - íå çíàþ; ïîëó÷èòñÿ êàê áû ïðèíóäèòåëüíîå âêëþ÷åíèå WAN to LAN Filter.

[Lesnix]

Íà ñàìîì äåëå ïîòåñòèòü àñóñ íà ýòó òåìó ÿ ðåøèë ïîñëå ïðî÷òåíèÿ êàêîé-òî ñòàòåéêè íà îïåííåòå... Òèïà "çàáëóæäåíèÿ íà÷èíàþùèõ àäìèíîâ"...  îáùåì, òðàíñëÿöèÿ âõîäÿùèõ ñîåäèíåíèé, íå èìåþùèõ ñîïîñòàâëåíèé, - ýòî îñîáåííîñòü NAT, è, ïðè íåïðàâèëüíîé(ïî ìíîãèì FAQ) íàñòðîéêå natd íà FreeBSD áóäåò íàáëþäàòüñÿ òî æå ñàìîå...
...à åùå âîò ýòîò ìîìåíòèê áûë îïèñàí â êàêîì-òî îáçîðå ASUSa... ß ïî÷èòàë è íå ïîâåðèë

[Oleg]

 îáùåì èòîã òàêîé:
äûðêà NAT (êîòîðàÿ åñòü è â ðîäíîé ïðîøèâêå), çàêðûâàåòñÿ äâóìÿ ïðàâèëàìè:
-A FORWARD -o $WAN_IF ! -i $LAN_IF -j DROP
-A FORWARD -o $MAN_IF ! -i $LAN_IF -j DROP

Ôèëüòð WAN->LAN òåïåðü åù¸ ôèëüòðóåò è MAN, ò.å. ïðîâåðÿåòñÿ âåñü òðàôèê èäóùèé â br0. Ò.å. ïðîñòî íå çàáûâàéòå âêëþ÷àòü WAN to LAN filter è âûáðàòü DROP.

Ó êîãî êàêèå ìûñëè? ;-)