Dial-in Server [Archive] - AsusForum.NET -- WL500g

Bekijk de volledige versie : Dial-in Server

Vofik

09-02-2008, 10:32

Ðàñêàæèòå êàê íà áàçå íàøåãî ðîóòåðà + âñòðîåííîãî com-ïîðòà (ìîæíî è ïåðåõîäíèê USB-COM) + ìîäåìà îðãàíèçîâàòü Dial-in Server ñ îáðàòíûì äîçâîíîì (ýòî êîãäà òû çâîíèø ñ óäàë¸ííîé ìàøèíû íà ñåðâåð (ïðè ýòîì íà óäàë¸ííîé ìàøèíå äîëæíà áûòü âêëþ÷åíà îïöèÿ îáðàòíîãî äîçâîíà) ëîãèíèøñÿ, à çàòåì ñåðâåð òåáÿ ñáðàñûâàåò ñ ëèíèè è ïåðåçâàíèâàåò. Ýòî íóæíî ê ïðèìåðó åñëè ó ñåðâåð òåëåôîí áåñïëàòíûé, à ó êëèåíòà ïëàòíûé ñ ïîìèíóòíîé òàðèôôèêàöèåé. Âñå ñõåìû è ñïîñîáû ïîäêëþ÷åíèÿ åñòü íà ôîðóìå! Òåïåðü äåëî ëèøü çà ïðîãðàìíîé ÷àñòüþ ;)

Æåëàòåëüíî, ÷òîá ìîäåì áðàë òðóáêó òîëüêî ïîñëå îïðåäåë¸ííîãî âðåìÿíè çâîíêà, ÷òîá óáåäèòüñÿ, ÷òî íèêîãî íåò äîìà è dial-in íèêîìó íå ïîìåøàåò òðåïàòüñÿ ïî âñÿêîé ÿðóíäå;)

Âîò íàøåë ìàòåðèàë, îñòàëîñü òîëüêî, ÷òîá êòî-íèáóòü åãî ðàçæåâàë ;)

http://www.opennet.ru/prog/sml/54.shtml

http://www.homepc.ru/2002/72/18591/ (íàäî íàéòè ïåðâóþ ÷àñòü)

http://i2r.ru/static/486/out_12889.shtml

http://gazette.linux.ru.net/lg77/articles/rus-sunil.html

http://www.howtoforge.com/linux_dialin_server

http://www.opennet.ru/base/modem/dialin_simple_bill.txt.html

Mapseam

22-01-2010, 20:05

Âîçìîæíî, íà òåìó dial-in óæå íåàêòóàëüíî äëÿ ìíîãèõ, íî ìíå ïîêà ýòî íåîáõîäèìî èñïîëüçîâàòü. Ïîýòîìó âíåñó ñâîè "ïÿòü êîïååê".

Ìèãðèðîâàë íà ïðîøèâêó Oleg++ (îíà æå - "îò ýíòóçèàñòîâ", 1.9.2.7-d-r1000). Ïàðà äîï. ìîäóëåé ÿäðà èç ñîîòâ. àðõèâà (http://wl500g.googlecode.com/files/modules-1.9.2.7-d-r1000.tgz) ìíå ïðèãîäèëèñü - óäàëîñü ðåàëèçîâàòü dial-in ñ ïîìîùüþ èäóùèõ ñ ïðîøèâêîé pppd è chat.

Îñòàëñÿ ëèøü âîïðîñ ñ ïåðåäà÷åé êëèåíòó àäðåñîâ DNS. Âàðèàíò ñ óêàçàíèåì îïöèè ms-dns â ôàéëå îïöèé pppd (â ìîåì ñëó÷àå - â /tmp/ppp/options.usb.acm.0) - òðèâèàëåí. Òàêîé âàðèàíò - ðàáîòàåò, íî àäðåñà DNS ìîãóò áûòü èçìåíåíû ïðîâàéäåðîì è íå õîòåëîñü áû èõ óêàçûâàòü ÿâíî.
Åñëè âìåñòî îïöèè ms-dns óêàçàòü îïöèþ usepeerdns, òî êëèåíò íå ïîëó÷àåò èíôû ïî àäðåñàì DNS.

Âîò òóò (http://www.wl500g.info/showpost.php?...1&postcount=18) ïðî÷èòàë, ÷òî pppd èùåò resolv.conf â /tmp/ppp/, òîãäà êàê åãî îðèãèíàë ëåæèò â /tmp/. (Òàì, ïðàâäà, âìåñòî tmp óïîìèíàåòñÿ etc, íî, âîçìîæíî, ýòî îñîáåííîñòü ïðîøèâêè DD-WRT, òîãäà êàê ó ìåíÿ - íå îíà).
ß òàê è ñäåëàë: ln -fs /tmp/resolv.conf /tmp/ppp/resolv.conf
Îäíàêî, îæèäàåìîãî ýôôåêòà ýòî íå äàëî.

Êòî-íèáóäü ìîæåò ñêàçàòü òî÷íåå, ðåøàåìî ëè, ÷òîáû pppd áðàë àäðåñà DNS èç /tmp/resolv.conf (èëè åãî ñèìëèíêà)?

Mapseam

04-02-2010, 09:15

Ñòîëêíóëñÿ ñ ïðîáëåìîé "îòâàëèâàíèÿ" êîííåêòà. Ñóòü òàêîâà.
Ê ðîóòåðó ïðèñîåäèíåí USB-ìîäåì, îí îïîçíàí è íàñòðîåí íà ïðèåì âõîäÿùèõ ñîåäèíåíèé (èñïîëüçóþòñÿ pppd è chat). Ïðè âõ. çâîíêå ñ äð. ìîäåìà îáðàçóåòñÿ ñîåäèíåíèå íà èíòåðôåéñå ppp1. Â ñâ-õ ñîåäèíåíèÿ óêàçàíî, ÷òî àäðåñ èíòåðôåéñà ppp1 - 192.168.2.1, à àäðåñ çâîíÿùåãî - 192.168.2.2 (ò.å. àäðåñ - ôèêñèðîâàííûé, õîòÿ åñòü çàäóìêà êàæäîìó çâîíÿùåìó âûäàâàòü ñâîé IP, íî ýòî "íà ïîòîì"). Çâîíÿùåìó ñîîáùàþòñÿ 2 àäðåñà DNS. Ãåéò äëÿ íåãî - 192.168.2.1 (õîòÿ, åñëè íà êëèåíòå (WinXP) ñìîòðåòü âûâîä ipconfig /all, òî ãåéòîì çíà÷èòñÿ 192.168.2.2).
Îäíèì ñëîâîì, èíòåðôåéñó ppp1 âûäåëåí äèàïàçîí IP 192.168.2.0/24
Ó ðîóòåðà âíóò. àäðåñ - 192.168.1.1 è èíò-ñ br0, à âíåø. àäðåñ - "áåëûé" íà èíòåðôåéñå ppp0. Ïðîâàéäåð ïðåäîñòàâëÿåò êîííåêò ïî PPPoE.

Çàäà÷à òàêîâà: äëÿ íà÷àëà äàòü âîçìîæíîñòü äîçâîíèâøåìóñÿ ïîëüçîâàòüñÿ âñåìè ñåðâèñàìè Èíåòà (êàê áóäòî ýòî õîñò èç ìîåé äîì. ëîêàëêè). Äëÿ ðåøåíèÿ çàäà÷è, ÿ òàê ïîíÿë, íåîáõîäèìî ëèøü áåçóñëîâíî ïðîáðàñûâàòü òðàôèê ìåæäó ppp1 è ppp0.

Íî... Ïðè óñòàíîâëåíèè dial-in ñîåäèíåíèÿ ñî ñòîðîíû êëèåíòà ïîíà÷àëó ïèíãóåòñÿ àäðåñ gw (ãåéòà), íî íå ïèíãóþòñÿ íè îäèí èç äâóõ àäðåñîâ DNS, êîòîðûå ïåðåäàþòñÿ êëèåíòó ïðè óñòàíîâëåíèè ñîåäèíåíèÿ. Ïðè÷åì â êîìàíäå, íàïðèìåð, ping www.ru FQDN ðàçðåøàåòñÿ â IP-àäðåñ, íî ïèíãà íåò. Ïîëó÷àåòñÿ, ÷òî îòâåò îò DNS-îâ êëèåíò ïîëó÷àåò, íî ICMP-òðàôèê "ðåæåòñÿ" iptables.

×åðåç íåñêîëüêî ìèíóò ïåðåñòàåò ïèíãîâàòüñÿ ãåéò è ïåðåñòàþò ðàçðåøàòüñÿ FQDN. Êòî áû ñêàçàë, â ÷åì ïðè÷èíà ýòîãî ÿâëåíèÿ è êàê ðåøèòü âîçíèêàþùóþ ïðîáëåìó?

Â post-firewall äëÿ ýòîãî íàïðàâëåíèÿ ïðîïèñàíû òàêèå ïðàâèëà:
iptabels -t -I FORWARD -i $1 -o ppp1 -j ACCEPT
iptabels -t -I FORWARD -i ppp1 -o $1 -j ACCEPT
iptables -t nat -A POSTROUTING -o ppp1 -j MASQUERADE

Ïîäîçðåâàþ, ÷òî ïðîïóùåíî ïðàâèëî íà ïðåäìåò PREROUTING. Êàê îíî äîëæíî âûãëÿäåòü? È ÷òî åùå íå äîïèñàíî, ÷òîáû ðåøèòü çàäà÷ó?

Basile

04-02-2010, 10:15

×òî äàþò ïèíãè è òðàññèðîâêè?

Mapseam

04-02-2010, 15:33

Ñî ñòîðîíû äîçâîíèâøåãîñÿ êëèåíòà ïîíà÷àëó ïèíãóåòñÿ òîëüêî àäðåñ ãåéòà (192.168.2.1), íî ÷åðåç íåñêîëüêî ìèíóò ãåéò óæå íå ïèíãóåòñÿ.
Ñî ñòîðîíû ðîóòåðà, ïîñëå óñòàíîâëåíèÿ ñîåäèíåíèÿ, êëèåíò (åãî àäðåñ 192.168.2.2) - íå ïèíãóåòñÿ âîîáùå íèêîãäà.

Ïîä òðàññèðîâêîé ïîíèìàåòñÿ çàïóñê tcpdump -i ppp1? Ïîêà íå òðàññèðîâàë. Ñïàñèáî çà íàâîäêó - íàäî áóäåò ïîïðîáîâàòü.

Basile

04-02-2010, 16:18

Ïîä òðàññèðîâêîé ïîíèìàåòñÿ çàïóñê tcpdump -i ppp1?traceroute ya.ru ;)

Power

04-02-2010, 16:44

Íàäî ñìîòðåòü âàøè òåêóùèå ïðàâèëà iptables ïðè ïîäíÿòûõ âñåõ ñîåäèíåíèÿõ

iptables-save

Åùå õîðîøî áû óâèäåòü IP-àäðåñà òåõ dns, êîòîðûå âûäàþòñÿ êëèåíòó.
È òàáëèöó ìàðøðóòèçàöèè íà ðîóòåðå (à òî ìàëî ëè, êóäà ïàêåòû íàïðàâëÿþòñÿ...)

route -n

Mapseam

04-02-2010, 19:59

traceroute ya.ru ;)

Ðåçóëüòàò íåóòåøèòåëüíûé:

C:\Documents and Settings\user>tracert ya.ru

Òðàññèðîâêà ìàðøðóòà ê ya.ru [213.180.204.8]
ñ ìàêñèìàëüíûì ÷èñëîì ïðûæêîâ 30:

1 * * * Ïðåâûøåí èíòåðâàë îæèäàíèÿ äëÿ çàïðîñà.
2 * * * Ïðåâûøåí èíòåðâàë îæèäàíèÿ äëÿ çàïðîñà.
3 * * * Ïðåâûøåí èíòåðâàë îæèäàíèÿ äëÿ çàïðîñà.
4 * * * Ïðåâûøåí èíòåðâàë îæèäàíèÿ äëÿ çàïðîñà.
5 * * * Ïðåâûøåí èíòåðâàë îæèäàíèÿ äëÿ çàïðîñà.
6 ^C
C:\Documents and Settings\user>

Õîòÿ èç øåëëà ðîóòåðà òðàññèðîâêà ðàáîòàåò:

traceroute to ya.ru (213.180.204.8), 30 hops max, 38 byte packets
1 bsr01.volgograd.ertelecom.ru (88.87.65.92) 2.225 ms 4.024 ms 1.588 ms
2 te-2-0-0-48.bsr02.volgograd.ertelecom.ru (88.87.65.194) 4.112 ms 1.945 ms 3.563 ms
3 vgd15.transtelecom.net (217.150.50.122) 30.456 ms 30.097 ms 30.052 ms
4 xe120-197.RT.TNR.HKI.FI.retn.net (87.245.248.17) 46.002 ms 46.135 ms 45.955 ms
5 ae2-9.RT.V10.MSK.RU.retn.net (87.245.233.13) 47.362 ms 46.123 ms 95.766 ms
6 ya.ru (213.180.204.8) 46.031 ms 45.993 ms 45.966 ms

Basile

04-02-2010, 20:16

Åùå áû òàáëèöó ìàðøðóòèçàöèè ñ êîìïà, ñ êîòîðîãî ïðîèçâîäèëàñü òðàññèðîâêà.

Mapseam

04-02-2010, 20:46

iptables-save

# Generated by iptables-save v1.3.8 on Thu Feb 4 21:53:15 2010
*nat
:PREROUTING ACCEPT [674:81919]
:POSTROUTING ACCEPT [653:39801]
:OUTPUT ACCEPT [656:40373]
:VSERVER - [0:0]
-A PREROUTING -d 188.187.23.236 -j VSERVER
-A POSTROUTING -s ! 188.187.23.236 -o ppp0 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o br0 -j SNAT --to-source 192.168.1.1
-A POSTROUTING -o ppp1 -j MASQUERADE
-A VSERVER -p tcp -m tcp --dport 51413:51419 -j DNAT --to-destination 192.168.1.1:51413
-A VSERVER -p udp -m udp --dport 51413:51419 -j DNAT --to-destination 192.168.1.1:51413
-A VSERVER -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.1.1:2222
-A VSERVER -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.1:2222
-A VSERVER -p tcp -m tcp --dport 17643:17649 -j DNAT --to-destination 192.168.1.2:17643
-A VSERVER -p udp -m udp --dport 17643:17649 -j DNAT --to-destination 192.168.1.2:17643
-A VSERVER -p tcp -m tcp --dport 30002 -j DNAT --to-destination 192.168.1.2:30002
-A VSERVER -p udp -m udp --dport 30002 -j DNAT --to-destination 192.168.1.2:30002
-A VSERVER -p tcp -m tcp --dport 20:21 -j DNAT --to-destination 192.168.1.1:8821
COMMIT
# Completed on Thu Feb 4 21:53:15 2010
# Generated by iptables-save v1.3.8 on Thu Feb 4 21:53:15 2010
*mangle
:PREROUTING ACCEPT [5741:4268096]
:INPUT ACCEPT [5183:4067105]
:FORWARD ACCEPT [554:199215]
:OUTPUT ACCEPT [6783:1650864]
:POSTROUTING ACCEPT [7384:1856511]
COMMIT
# Completed on Thu Feb 4 21:53:15 2010
# Generated by iptables-save v1.3.8 on Thu Feb 4 21:53:15 2010
*filter
:INPUT DROP [74:4239]
:FORWARD ACCEPT [54:3125]
:OUTPUT ACCEPT [6783:1650864]
:BRUTE - [0:0]
:MACS - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -i ppp1 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 30002 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 30002 -j ACCEPT
-A INPUT -p udp -m udp --dport 51413 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 51413 -j ACCEPT
-A INPUT -m state --state INVALID -j logdrop
-A INPUT -i br0 -j MACS
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A FORWARD -i ppp1 -o ppp0 -j ACCEPT
-A FORWARD -i ppp0 -o ppp1 -j ACCEPT
-A FORWARD -i br0 -j MACS
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ! br0 -o ppp0 -j DROP
-A FORWARD -i ! br0 -o vlan1 -j DROP
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -o br0 -j DROP
-A FORWARD -o ppp0 -p tcp -m tcp --dport 411 -j DROP
...
<öåïî÷êà MACS - ïîñêèïàíà>
...
-A SECURITY -p udp -m udp --dport 30002:30254 -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p udp -m limit --limit 5/sec -j RETURN
-A SECURITY -p icmp -m limit --limit 5/sec -j RETURN
-A SECURITY -j DROP
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Thu Feb 4 21:53:15 2010

Åùå õîðîøî áû óâèäåòü IP-àäðåñà òåõ dns, êîòîðûå âûäàþòñÿ êëèåíòó.

PPP àäàïòåð:

DNS-ñóôôèêñ ýòîãî ïîäêëþ÷åíèÿ . . :
Îïèñàíèå . . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Ôèçè÷åñêèé àäðåñ. . . . . . . . . : 00-53-45-00-00-00
DHCP âêëþ÷åí. . . . . . . . . . . : íåò
IP-àäðåñ . . . . . . . . . . . . : 192.168.2.2
Ìàñêà ïîäñåòè . . . . . . . . . . : 255.255.255.255
Îñíîâíîé øëþç . . . . . . . . . . : 192.168.2.2
DNS-ñåðâåðû . . . . . . . . . . . : 88.87.64.6
88.87.65.3
NetBIOS ÷åðåç TCP/IP. . . . . . . : îòêëþ÷åí

route -n

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
88.87.65.92 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.2.2 0.0.0.0 255.255.255.255 UH 0 0 0 ppp1
192.168.2.0 192.168.2.1 255.255.255.0 UG 0 0 0 ppp1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 88.87.65.92 0.0.0.0 UG 0 0 0 ppp0

Åñëè ýòî ÷òî-òî äàñò, ïðèâåäó ëèñòèíã ôàéëà îïöèé äëÿ ñîåäèíåíèÿ ppp1:

[admin@mapseam root]$ cat /tmp/ppp/options.usb.acm.0
115200
#nolog
debug
lock
silent
persist
maxfail 0
modem
crtscts
mru 296
login
auth
show-password
-chap
+pap
192.168.2.1:192.168.2.2
netmask 255.255.255.0
ms-dns 88.87.64.6
ms-dns 88.87.65.3
nodefaultroute
unit 1
init "/usr/sbin/chat -s -V -t 10 -f /tmp/ppp/peers/init.chat"
connect "/usr/sbin/chat -s -V -t 10 -f /tmp/ppp/peers/conn.chat"
disconnect "/usr/sbin/chat -s -V -t 20 -f /tmp/ppp/peers/disconn.chat"
ip-up-script /tmp/ppp/peers/ip-up.sh
ip-down-script /tmp/ppp/peers/ip-down.sh
nomppe nomppc
noaccomp
nopcomp

Ïî òåêñòó âèäíî, êàêèå IP-àäðåñà ÿ çàäàþ èíòåðôåéñó è êëèåíòó, êàê ñîîáùàþ êëèåíòó àäðåñà DNS. Êñòàòè, ñòðàííî, ÷òî ó êëèåíòà ãåéòîì ÿâëÿåòñÿ îí ñàì (ñì. ëèñòèíã "PPP àäàïòåð"), äà è ìàñêà ó íåãî íå òà, ÷òî ÿ åìó ïåðåäàþ: 255.255.255.255, à íå 255.255.255.0

P.S. Ìàðøðóò äëÿ 192.168.2.0/24 ÿ äîáàâëÿþ àâòîìàòè÷åñêè ÷åðåç ñêðèïò /tmp/ppp/peers/ip-up.sh, à óäàëÿþ - òîæå àâòîìàòîì ÷åðåç /tmp/ppp/peers/ip-down.sh

Mapseam

04-02-2010, 21:04

Åùå áû òàáëèöó ìàðøðóòèçàöèè ñ êîìïà, ñ êîòîðîãî ïðîèçâîäèëàñü òðàññèðîâêà.

Íå âîïðîñ:

C:\Documents and Settings\user>route print

IPv4 òàáëèöà ìàðøðóòà
================================================== =========================
Ñïèñîê èíòåðôåéñîâ
0x1 ........................... MS TCP Loopback interface
0x10003 ...08 00 27 00 88 a9 ...... VirtualBox Host-Only Ethernet Adapter - Virtual Machine Network Services Driver
0x80005 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
================================================== =========================
================================================== =========================
Àêòèâíûå ìàðøðóòû:
Ñåòåâîé àäðåñ Ìàñêà ñåòè Àäðåñ øëþçà Èíòåðôåéñ Ìåòðèêà
0.0.0.0 0.0.0.0 192.168.2.2 192.168.2.2 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.2.1 255.255.255.255 192.168.2.2 192.168.2.2 1
192.168.2.2 255.255.255.255 127.0.0.1 127.0.0.1 50
192.168.2.255 255.255.255.255 192.168.2.2 192.168.2.2 50
192.168.56.0 255.255.255.0 192.168.56.1 192.168.56.1 20
192.168.56.1 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.56.255 255.255.255.255 192.168.56.1 192.168.56.1 20
224.0.0.0 240.0.0.0 192.168.56.1 192.168.56.1 20
224.0.0.0 240.0.0.0 192.168.2.2 192.168.2.2 1
255.255.255.255 255.255.255.255 192.168.2.2 192.168.2.2 1
255.255.255.255 255.255.255.255 192.168.56.1 192.168.56.1 1
Îñíîâíîé øëþç: 192.168.2.2
================================================== =========================
Ïîñòîÿííûå ìàðøðóòû:
Îòñóòñòâóåò

Power

04-02-2010, 21:47

Ïî ïîâîäó iptables:
1. Âåðõóøêà âûâîäà îáðåçàíà, à òàì òîæå èíòåðåñíî.
2. Ìîæíî ïîïðîáîâàòü ïåðåìåñòèòü ïðàâèëà

FORWARD -i ppp1 -o ppp0 -j ACCEPT
FORWARD -i ppp0 -o ppp1 -j ACCEPT

êóäà-íèáóäü ïîñëå ïðàâèë

FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --clamp-mss-to-pmtu
FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

÷òîáû óìåíüøèòü âåðîÿòíîñòü ïðîáëåì ñ MTU. Êîä ïðèìåðíî òàêîé:

index=`iptables -L FORWARD -n --line-numbers | awk '/ESTABLISHED|TCPMSS/ {print($1)}' | tail -1`

iptables -I FORWARD $((index + 1)) -i ppp1 -o ppp0 -j ACCEPT
iptables -I FORWARD $((index + 2)) -i ppp0 -o ppp1 -j ACCEPT

Â îñòàëüíîì âðîäå íè÷åãî ïîäîçðèòåëüíîãî.

Íó è åù¸ íà âñÿêèé ñëó÷àé ïîêàæèòå ñâåäåíèÿ îá èíòåðôåéñå ppp1:

ifconfig ppp1

È êñòàòè, â ñëó÷àÿõ, êîãäà ñî ñòîðîíû êëèåíòà ïèíãóåòñÿ àäðåñ ãåéòà è êîãäà (÷åðåç íåêîòîðîå âðåìÿ) ãåéò óæå íå ïèíãóåòñÿ, ðàçëè÷àþòñÿ ëè ðåçóëüòàòû "route -n" íà ðîóòåðå?

Mapseam

05-02-2010, 07:40

Ïî ïîâîäó iptables:
1. Âåðõóøêà âûâîäà îáðåçàíà, à òàì òîæå èíòåðåñíî.

Âåðõóøêó âûâîäà ïîïðàâèë ïî ìåñòó. Ïðîøó Âàñ âçãëÿíóòü åùå ðàç.

2. Ìîæíî ïîïðîáîâàòü ïåðåìåñòèòü ïðàâèëà ... , ÷òîáû óìåíüøèòü âåðîÿòíîñòü ïðîáëåì ñ MTU.

Ïðåäëîæåííûé Âàìè êîä ïîìåñòèë â post-firewall.

Ïîêàçàíèÿ "ifconfig ppp1" è "route -n" íà ðîóòåðå (äî è ïîñëå) - ïðåäñòàâëþ ÷óòü ïîçäíåå, êîãäà äîáåðóñü äî íåãî.

Ïîäñêàæèòå, ïîæàëóéñòà, â ïðàâèëå âðîäå "iptables -I FORWARD ...", åñëè ÿâíî íå óêàçûâàþ íîìåð ñòðîêè, â êîòîðóþ âñòàâèòü ïðàâèëî, ïðàâèëî âñòàâëÿåòñÿ íà 1-å ìåñòî, â ñàìûé âåðõ öåïî÷êè?

Êñòàòè, êîãäà èñêàë ïðèìåðû ðåàëèçàöèè dial-in äëÿ ñâîåãî ðîóòåðà, íàòêíóëñÿ íà ýòó òåìó - http://www.wl500g.info/showthread.php?t=9628&highlight=com-%EF%EE%F0%F2
Îäèí èç ó÷àñòíèêîâ (íåêòî BELPAV) òîæå ñòîëêíóëñÿ ñ "îòâàëèâàíèåì" ìîäåìíîãî ñîåäèíåíèÿ (íå ñðàçó, à ÷åðåç íåêîòîðîå âðåìÿ).

Power

05-02-2010, 17:23

Âåðõóøêó âûâîäà ïîïðàâèë ïî ìåñòó. Ïðîøó Âàñ âçãëÿíóòü åùå ðàç.

2 çàìå÷àíèÿ:
1) ïðàâèëî "-A POSTROUTING -o ppp1 -j MASQUERADE" íàâåðíîå ëó÷øå óáðàòü;
2) [íå îòíîñèòñÿ íàïðÿìóþ ê òåìå] êîãäà âû ïðîáðàñûâàåòå äèàïàçîí ïîðòîâ íà îäèí ïîðò, ýòî ðàáîòàåò òàê:
ïðîáðîñ (â vitrual servers) 51413:51419 -> 192.168.1.1:51413 ðàâíîñèëåí òàêèì:
51413 -> 192.168.1.1:51413
51414 -> 192.168.1.1:51413
51415 -> 192.168.1.1:51413
...
51419 -> 192.168.1.1:51413
Ýòî, ñêîðåå âñåãî, íå òî, ÷òî îæèäàëîñü.
Åñëè íóæíî ïðîáðîñèòü äèàïàçîí áåç èçìåíåíèÿ íîìåðîâ ïîðòîâ, òî ìîæíî ïðîñòî 51413:51419 -> 192.168.1.1 (íå óêàçûâàòü ïîðò íàçíà÷åíèÿ). Åñëè æå íóæíî èçìåíèòü, òî ïðèä¸òñÿ ïðîáðàñûâàòü ïî îäíîìó ïîðòó çà ðàç:
20 -> 192.168.1.1:8820
21 -> 192.168.1.1:8821

Ïîäñêàæèòå, ïîæàëóéñòà, â ïðàâèëå âðîäå "iptables -I FORWARD ...", åñëè ÿâíî íå óêàçûâàþ íîìåð ñòðîêè, â êîòîðóþ âñòàâèòü ïðàâèëî, ïðàâèëî âñòàâëÿåòñÿ íà 1-å ìåñòî, â ñàìûé âåðõ öåïî÷êè?

Äà.

Êñòàòè, êîãäà èñêàë ïðèìåðû ðåàëèçàöèè dial-in äëÿ ñâîåãî ðîóòåðà, íàòêíóëñÿ íà ýòó òåìó - http://www.wl500g.info/showthread.php?t=9628&highlight=com-%EF%EE%F0%F2
Îäèí èç ó÷àñòíèêîâ (íåêòî BELPAV) òîæå ñòîëêíóëñÿ ñ "îòâàëèâàíèåì" ìîäåìíîãî ñîåäèíåíèÿ (íå ñðàçó, à ÷åðåç íåêîòîðîå âðåìÿ).

Ïðè÷èíà îòòóäà íå ÿñíà, íî ìîãó ïðåäëîæèòü äîïèñàòü â ôàéë îïöèé pppd âêëþ÷åíèå lcp-ïèíãà

lcp-echo-interval 10
lcp-echo-failure 6

Òàêæå ìîæíî ïîïðîáîâàòü ïîîòêëþ÷àòü ðàçíîãî ðîäà ñæàòèå (õîòÿ âðÿä ëè ýòî âëèÿåò íà îòêëþ÷åíèå, ó÷èòûâàÿ, ÷òî ïðîõîäèò êàêîå-òî âðåìÿ)

novj
nobsdcomp
nodeflate

Mapseam

05-02-2010, 19:37

Ïîñëå çàäåéñòâîâàíèÿ lcp-ïèíãà êîííåêò ïðîäåðæàëñÿ óæå íåñêîëüêî ìèíóò.

Âîò îáåùàííûå "route -n"

Äî:

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
88.87.65.92 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.2.2 0.0.0.0 255.255.255.255 UH 0 0 0 ppp1
192.168.2.0 192.168.2.1 255.255.255.0 UG 0 0 0 ppp1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 88.87.65.92 0.0.0.0 UG 0 0 0 ppp0

Ïîñëå:

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
88.87.65.92 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.2.2 0.0.0.0 255.255.255.255 UH 0 0 0 ppp1
192.168.2.0 192.168.2.1 255.255.255.0 UG 0 0 0 ppp1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 88.87.65.92 0.0.0.0 UG 0 0 0 ppp0

Ðàçíèöû ÿ íå âèæó. Ìàðøðóò äëÿ 192.168.2.0/24 ñîçäàþ ïðè êîííåêòå â /tmp/ppp/peers/ip-up.sh è óäàëÿþ â /tmp/ppp/peers/ip-down.sh ïðè äèñêîííåêòå (ýòè ñêðèïòû çàäåéñòâîâàíû â options.usb.acm.0 äëÿ ìîåãî ýêçåìïëÿðà pppd).

Âîò ïîêàçàíèÿ ifconfig ppp1:

[admin@mapseam root]$ ifconfig ppp1
ppp1 Link encap:Point-to-Point Protocol
inet addr:192.168.2.1 P-t-P:192.168.2.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:296 Metric:1
RX packets:13 errors:1 dropped:0 overruns:0 frame:0
TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:853 (853.0 B) TX bytes:127 (127.0 B)

Òóò ñìóùàåò errors:1 è txqueuelen:3
È åùå: ìîæåò, MTU:296 íåïîäõîäÿùèé? ß, ïðàâäà, çàäàþ òàì æå, â options.usb.acm.0, òîëüêî MRU=296.

Power

06-02-2010, 00:59

Òóò ñìóùàåò errors:1 è txqueuelen:3
È åùå: ìîæåò, MTU:296 íåïîäõîäÿùèé? ß, ïðàâäà, çàäàþ òàì æå, â options.usb.acm.0, òîëüêî MRU=296.

Îøèáêè, åñëè îíè ñîñòàâëÿþò ìàëóþ äîëþ òðàôèêà, ìîæíî èãíîðèðîâàòü, ÿ äóìàþ (ó âàñ òàì âîîáùå ìàëî òðàôèêà, òàê ÷òî ýòî íå ïîêàçàòåëüíî).
txqueuelen - ÿ íå çíàþ, ÷òî òàêîå. man ãîâîðèò, ÷òî ýòî "length of the transmit queue of the device" - äëèíà î÷åðåäè íà ïåðåäà÷ó (íå òåêóùàÿ, à ìàêñèìàëüíàÿ).
MTU ïî õîðîøåìó íàäî âûáèðàòü èñõîäÿ èç òîãî, êàêîé èñïîëüçóåòñÿ ïðîòîêîë íèæåëåæàùåãî óðîâíÿ. Íî ìîæíî è ìåòîäîì òûêà.