iptables -t nat -A PREROUTING -i br0 -p tcp -d âíåøíèé_IP_Asus_íà_ppp0 --dport 80 -j DNAT --to-destination 192.168.0.2:8081
IP äèíàìè÷åñêèé :(

Åñòü ðîóòåð àñóñ, ïîäêëþ÷åííûé ê èíòåðíåòó (LAN 192.168.0.1), ê íåìó ïîäêëþ÷åí Áîëüøîé Linux-ðîóòåð ñ äâóìÿ ñåòåâóõàìè (eth1-192.168.0.2 - ê àñóñó, eth1-192.168.1.1-ñìîòðèò â ëîêàëêó).Íà áîëüøîì ðîóòåðå ñòîèò âåá-ñåðâåð íà ïîðòó 8081. Àñóñ ïåðåíàïðàâëÿåò âåá-çàïðîñû ñ èíåòà ïî ïðàâèëó:

iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:8081
iptables -t nat -D PREROUTING -i ppp0 -p tcp --dport 80 -j DROP
Åñòü î÷åíü áîëüøàÿ íåîáõîäèìîñòü ïîñûëàòü çàïðîñû ê âåá-ñåðâåðó èç ëîêàëêè (192.1681.1/24), îáðàùàÿñü ïðè ýòîì ïî õîñòíåéìó áëàáëàáëà.dyndns.org (http://áëàáëàáëà.dyndns.org), îäíàêî îí âûêèäûâàåò ìåíÿ íà 192.168.0.1:80. âìåñòî 192.168.1.1:8081 :(
Çàðàíåå ñïàñèáî!
P.S.: man iptables íå ïðåäëàãàòü)

Ñóäÿ ïî îïèñàíèþ ñåòè - asus íèêàêèì áîêîì íå ó÷àñòâóåò â ìàðøðóòèçàöèè ïàêåòîâ èç ëîêàëêè íà áîëüøîé ðîóòåð :)

inet <--> asus <--> big.router <--> local net âñå âåðíî ?

Ñóäÿ ïî îïèñàíèþ ñåòè - asus íèêàêèì áîêîì íå ó÷àñòâóåò â ìàðøðóòèçàöèè ïàêåòîâ èç ëîêàëêè íà áîëüøîé ðîóòåð :)

inet <--> asus <--> big.router <--> local net âñå âåðíî ?

Äà, âåðíî, åãî-òî è íàäî çàäåéñòâîâàòü òîëüêî ïðè çàïðîñå ê ñåðâåðó ïî 80 ïîðòó
Âîò òàê:



_:8081>__ ______:80>___
| | | |
^ | ^ |
inet <--> asus <--> big.router <--> local net
^ |
|_____________<:80______________|

-A PREROUTING -s 192.168.1.0/24 -d 192.168.0.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:8081

Òîëüêî "ïðàâèëüíî" ïåðåíàïðàâëåíèå äîëæåí äåëàòü big.router:
â /etc/hosts ïðîïèñàòü 192.168.1.1 áëàáëàáëà.dyndns.org (äëÿ ëîêàëêè áëàáëàáëà.dyndns.org - ñòàòè÷íûé :))
à â iptables -s 192.168.1.0/24 -d 192.168.1.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8081

-A PREROUTING -s 192.168.1.0/24 -d 192.168.0.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:8081

Òîëüêî "ïðàâèëüíî" ïåðåíàïðàâëåíèå äîëæåí äåëàòü big.router:
â /etc/hosts ïðîïèñàòü 192.168.1.1 áëàáëàáëà.dyndns.org (äëÿ ëîêàëêè áëàáëàáëà.dyndns.org - ñòàòè÷íûé :))
à â iptables -s 192.168.1.0/24 -d 192.168.1.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8081

Óæå ëó÷øå - ïîñëå äîáàâëåíèÿ äèíäíñ â /etc/hosts ñòàëà îòêðûâàòüñÿ èíäåêñíàÿ ñòðàíè÷êà:) Îäíàêî ïîääèðåêòîðèè è phpbb îòêàçûâàþòñÿ ïîä÷èíèòüñÿ. Äà, åùå ìàëåíüêèé íþàíñ - â big.routerå ñòîèò squid, ñîîòâåòñòåâåííî òàì åùå ïðàâèëî åñòü
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3122
Îò ïðèâåäåííûõ âûøå ïðàâèë íè÷åãî íå èçìåíÿåòñÿ:(

IP äèíàìè÷åñêèé :(
man "/tmp/local/sbin/post-firewall" íà ïðåäìåò åãî âûçîâà è ïåðåäà÷è ÄÅÉÑÒÂÓÞÙÈÕ IPàäðåñîâ ïðè ÊÀÆÄÎÌ ðåêîíåêòå.
P.S. êàêîé $õ, íà êàêîé èíòåðôåéñ íàçíà÷åí - òî÷íî íå ïîìíþ, à èñêàòü èíôó íåêîãäà....

man "/tmp/local/sbin/post-firewall" íà ïðåäìåò åãî âûçîâà è ïåðåäà÷è ÄÅÉÑÒÂÓÞÙÈÕ IPàäðåñîâ ïðè ÊÀÆÄÎÌ ðåêîíåêòå.
P.S. êàêîé $õ, íà êàêîé èíòåðôåéñ íàçíà÷åí - òî÷íî íå ïîìíþ, à èñêàòü èíôó íåêîãäà....

Ñïàñèáî! Äîëãî æå ÿ èñêàë ïî ôîðóìó ýòè $õ, íî òàê è íå íàøåë! Ìåòîäîì íàó÷íîãî òûêà ïîäîáðàë ñëåäóþùèé êîíôèã, ïîñëå êîòîðîãî âñå çàðàáîòàëî:)

iptables -t nat -I PREROUTING 1 -p tcp -d "$2" --dport 80 -j DNAT --to 192.168.0.2:8081
iptables -t nat -D PREROUTING -i "$1" -p tcp --dport 80 -j DROP
iptables -t nat -I PREROUTING 2 -i "$1" -p tcp --dport 8081 -j DROP
è îáÿçàòåëüíî óäàëèòü èç /etc/hosts çàïèñü î diddns!
Ìîæåò êîìó è ïðèãîäèòüñÿ;)

Äîáðûé äåíü, åñòü âîò òàêîå ïðàâèëî â /usr/local/sbin/post-firewall


iptables -I INPUT -p tcp --dport 22 -j ACCEPT

Ïîäñêàæèòå ïîæàëóéñòà êàêîå íóæíî äîáàâèòü ïðàâèëî , ÷òîáû äîñòóï ê ýòîìó ïîðòó èìåëñÿ òîëüêî ñ äèàïàçîíîâ ip 192.168.0.0/24 è ñ ip 78.106.X.X .

Êàêîé êîìàíäîé ìîæíî óäàëèòü âñå ñîçäàííûå ïðàâèëà â /usr/local/sbin/post-firewall? Çàðàíåå ñïàñèáî.

Äîáðûé äåíü, åñòü âîò òàêîå ïðàâèëî â /usr/local/sbin/post-firewall


iptables -I INPUT -p tcp --dport 22 -j ACCEPT

Ïîäñêàæèòå ïîæàëóéñòà êàêîå íóæíî äîáàâèòü ïðàâèëî , ÷òîáû äîñòóï ê ýòîìó ïîðòó èìåëñÿ òîëüêî ñ äèàïàçîíîâ ip 192.168.0.0/24 è ñ ip 78.106.X.X .

Êàêîé êîìàíäîé ìîæíî óäàëèòü âñå ñîçäàííûå ïðàâèëà â /usr/local/sbin/post-firewall? Çàðàíåå ñïàñèáî.

Âìåñòî
iptables -I INPUT -p tcp --dport 22 -j ACCEPT ïèøåì
iptables -I INPUT -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -s 78.106.0.0/16 -p tcp --dport 22 -j ACCEPT

ïîìîåìó òàê... òîëüêî ñ ìàñêàìè ìîã íàïóòàòü :D:cool:

Âìåñòî
iptables -I INPUT -p tcp --dport 22 -j ACCEPT ïèøåì
iptables -I INPUT -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -s 78.106.0.0/16 -p tcp --dport 22 -j ACCEPT

ïîìîåìó òàê... òîëüêî ñ ìàñêàìè ìîã íàïóòàòü :D:cool:

Ñïàñèáî áîëüøîå, à êàê ìîæíî óäàëèòü ñòàðîå?

Êàêîé êîìàíäîé ìîæíî óäàëèòü âñå ñîçäàííûå ïðàâèëà â /usr/local/sbin/post-firewall? Çàðàíåå ñïàñèáî.

Ñèíòàêñèñ óäàëåíèÿ ïðàâèëà òàêîé-æå, êàê è åãî ñîçäàíèå, òîëüêî âìåñòî -I (èëè -A) íàäî èñïîëüçîâàòü -D

Íàïðèìåð:
iptables -D INPUT -p tcp --dport 22 -j ACCEPT

Óäàëåíèå _âñåõ_ ïðàâèë: iptables -F

Åñëè ïîä "óäàëåíèåì ñòàðîãî" ïîíèìàëîñü óäàëåíèå èç ôàéëà post-firewall, òî íóæíî îòêðûòü ôàéë ðåäàêòîðîì (vi, èëè, åñëè óñòàíîâëåí, nano) è óäàëèòü ñîîòâåòñòâóþùèå ñòðî÷êè.

È åù¸, åñëè ïîä 78.106.X.X èìåëñÿ â âèäó êîíêðåòíûé àäðåñ, à íå äèàïàçîí, òî è ââîäèòü åãî íàäî òàê æå:


iptables -I INPUT -s 78.106.X.X -p tcp --dport 22 -j ACCEPT

Åñëè ïîä "óäàëåíèåì ñòàðîãî" ïîíèìàëîñü óäàëåíèå èç ôàéëà post-firewall, òî íóæíî îòêðûòü ôàéë ðåäàêòîðîì (vi, èëè, åñëè óñòàíîâëåí, nano) è óäàëèòü ñîîòâåòñòâóþùèå ñòðî÷êè.

È, åñëè èäòè äî êîíöà, âûïîëíèòü òðîéêó êîìàíä:
flashfs save && flashfs commit && flashfs enable

Ñïàñèáî âñåì áîëüøîå çà ïîìîùü, âñå ïîëó÷èëîñü ))

Ïîÿâèëàñü íåîáõîäèìîñòü èñïîëüçîâàòü ðàñøèðåíèå owner, ÷òîáû ñîñòàâèòü ïðàâèëî âèäà:

iptables -A OUTPUT -m owner --uid-owner 500 -j MARK --set-mark 0x2e

Îäíàêî â ïðîøèâêå Îëåãà òàêîå ðàñøèðåíèå îòñóòñòâóåò. Â ïîëüñêîé âåòêå íàøåë ñêîìïèëèðîâàííîå ìîäóëè äëÿ ýòîãî ðàñøèðåíèÿ:


http://lesiuk.ath.cx/dysk/libipt_owner.so -> / usr / lib / iptables (match)
http://lesiuk.ath.cx/dysk/ipt_owner.o -> insmod / path / to / ipt_owner.o (kernel module)
Ìîäóëü ÿäðà çàãðóæàåòñÿ áåç ïðîáëåì, à ðàñøèðåíèå libipt_owner.so äîëæíî ëåæàòü â äèðåêòîðèè /usr/lib/iptables êîòîðàÿ íàõîäèòñÿ âî ôëåø ïàìÿòè ðîóòåðà. Ñîîòâåòñòâåííî ñèñòåìà ðóãàåòñÿ: Read-only file system
Åñòü ëè âîçìîæíîñòü ïîëîæèòü áèáëèîòåêó â ýòó äèðåêòîðèþ (çàïèñàòü åå èëè õîòÿ áû ñèìëèíê âî ôëåø)? Èëè ìîæíî êàêèì-òî îáðàçîì çàñòàâèòü iptables èñêàòü ýòó áèáëèîòåêó â äðóãîé äèðåêòîðèè?
Çàðàíåå ñïàñèáî.

Доброго времени суток!
Помогите пожалуйста правильно post-firewall организовать, замаялся уже :(
Есть - роутер на котором стоит rTorrent (порт 52ХХХ), за ним стоит компьютер с uTorrent (порт 51ХХХ) и StrongDC (порт 16ХХХ).
В веб морде прописаны в virtual server проброски к uTorrent и StrongDC (both). Имеется реальный статический внешний IP.
Для стронга брал из одной статьи:


IPTABLES -I SECURITY -p udp --dport 16XXX -j RETURN
IPTABLES -D INPUT -j DROP

Это брал из "настройки с нуля":


IPTABLES -A OUTPUT -s wan_адрес/255.255.255.255 -o vlan1 -j ACCEPT
IPTABLES -A OUTPUT -o vlan1 -j DROP

Для uTorrent написал:


IPTABLES -I FORWARD -j ACCEPT
IPTABLES -I FORWARD -p all --dport 51xxx -j ACCEPT

Для rTorrent (по советам форума торрентс.ру где аналогичное обсуждалось):


iptables -P INPUT ACCEPT
iptables -A INPUT -p tcp --dport 52xxx -j ACCEPT

Вроде всё логично, но rTorrent ни в какую не хочет раздавать на Торрентс.ру, при этом uTorrent раздаёт на ура :confused: , правда так - скорость скачком дёрнется, затем падает, потом опять и так далее. Но что больше всего смущает - в логах веб морды вижу:


Aug 21 03:04:46 dropbear[348]: Child connection from ::ffff:213.87.81.74:38078
Aug 21 03:05:20 dropbear[348]: login attempt for nonexistent user from ::ffff:213.87.81.74:38078
Aug 21 03:05:32 dropbear[348]: login attempt for nonexistent user from ::ffff:213.87.81.74:38078
Aug 21 03:05:39 dropbear[348]: login attempt for nonexistent user from ::ffff:213.87.81.74:38078
Aug 21 03:05:41 dropbear[348]: login attempt for nonexistent user from ::ffff:213.87.81.74:38078
Aug 21 03:05:46 dropbear[348]: login attempt for nonexistent user from ::ffff:213.87.81.74:38078
Aug 21 03:05:47 dropbear[348]: exit before auth: Max auth tries reached - user 'is invalid' from ::ffff:213.87.81.74:38078

И таких подобных там - чуть ли не каждую секунду штук по 5 (явно ломятся). Что меня явно не радует :mad:. Ставя вместо ...INPUT ACCEPT > DROP они прекращаются, но rTorrent всё-равно молчит и uTorrent перестаёт раздавать.
Помогите пожалуйста организовать всё как надо, и чтобы можно было самому из инета заходить на роутер (через PuTTY-SSH (22) и на веб морду rTorrent-a (8081) )

Íî ÷òî áîëüøå âñåãî ñìóùàåò - â ëîãàõ âåá ìîðäû âèæó:


Aug 21 03:04:46 dropbear[348]: Child connection from ::ffff:213.87.81.74:38078
Aug 21 03:05:20 dropbear[348]: login attempt for nonexistent user from ::ffff:213.87.81.74:38078
Aug 21 03:05:32 dropbear[348]: login attempt for nonexistent user from ::ffff:213.87.81.74:38078
Aug 21 03:05:39 dropbear[348]: login attempt for nonexistent user from ::ffff:213.87.81.74:38078
Aug 21 03:05:41 dropbear[348]: login attempt for nonexistent user from ::ffff:213.87.81.74:38078
Aug 21 03:05:46 dropbear[348]: login attempt for nonexistent user from ::ffff:213.87.81.74:38078
Aug 21 03:05:47 dropbear[348]: exit before auth: Max auth tries reached - user 'is invalid' from ::ffff:213.87.81.74:38078

È òàêèõ ïîäîáíûõ òàì - ÷óòü ëè íå êàæäóþ ñåêóíäó øòóê ïî 5 (ÿâíî ëîìÿòñÿ). ×òî ìåíÿ ÿâíî íå ðàäóåò :mad:. Ñòàâÿ âìåñòî ...INPUT ACCEPT > DROP îíè ïðåêðàùàþòñÿ, íî rTorrent âñ¸-ðàâíî ìîë÷èò è uTorrent ïåðåñòà¸ò ðàçäàâàòü.
Ïîìîãèòå ïîæàëóéñòà îðãàíèçîâàòü âñ¸ êàê íàäî, è ÷òîáû ìîæíî áûëî ñàìîìó èç èíåòà çàõîäèòü íà ðîóòåð (÷åðåç PuTTY-SSH (22) è íà âåá ìîðäó rTorrent-a (8081) )
ssh server íà äðóãîì ïîðòó ïîäíÿòü è âñå...

А можно чуть поподробнее? :-)
настраивал по инструкции с нуля, а именно:


mkdir -p /usr/local/etc/dropbear
dropbearkey -t dss -f /usr/local/etc/dropbear/dropbear_dss_host_key
dropbearkey -t rsa -f /usr/local/etc/dropbear/dropbear_rsa_host_key
mkdir -p /usr/local/sbin/
echo "#!/bin/sh" >> /usr/local/sbin/post-boot
cp /usr/local/sbin/post-boot /usr/local/sbin/post-firewall
cp /usr/local/sbin/post-boot /usr/local/sbin/post-mount
cp /usr/local/sbin/post-boot /usr/local/sbin/pre-shutdown
chmod +x /usr/local/sbin/p*
echo "dropbear > /dev/null 2>&1" >> /usr/local/sbin/post-boot
dropbear > /dev/null 2>&1

что нужно добавить/изменить?

À ìîæíî ÷óòü ïîïîäðîáíåå? :-)
íàñòðàèâàë ïî èíñòðóêöèè ñ íóëÿ, à èìåííî:



dropbear -p 1234 > /dev/null 2>&1

÷òî íóæíî äîáàâèòü/èçìåíèòü?
Âîò òàê ñäåëàòü.
1234 - ëþáîé ïîðò íà óñìîòðåíèå, ðåêîìåíäóþò îáû÷íî ïîðòû âûøå 1024 äåëàòü.

Ñïàñèáî áîëüøîå :)

Äîáðîãî âðåìåíè ñóòîê!
Ïîìîãèòå ïîæàëóéñòà ïðàâèëüíî post-firewall îðãàíèçîâàòü, çàìàÿëñÿ óæå :(
Åñòü - ðîóòåð íà êîòîðîì ñòîèò rTorrent (ïîðò 52ÕÕÕ), çà íèì ñòîèò êîìïüþòåð ñ uTorrent (ïîðò 51ÕÕÕ) è StrongDC (ïîðò 16ÕÕÕ).
 âåá ìîðäå ïðîïèñàíû â virtual server ïðîáðîñêè ê uTorrent è StrongDC (both). Èìååòñÿ ðåàëüíûé ñòàòè÷åñêèé âíåøíèé IP.
Äëÿ ñòðîíãà áðàë èç îäíîé ñòàòüè:


IPTABLES -I SECURITY -p udp --dport 16XXX -j RETURN
IPTABLES -D INPUT -j DROP

Ýòî áðàë èç "íàñòðîéêè ñ íóëÿ":


IPTABLES -A OUTPUT -s wan_àäðåñ/255.255.255.255 -o vlan1 -j ACCEPT
IPTABLES -A OUTPUT -o vlan1 -j DROP

Äëÿ uTorrent íàïèñàë:


IPTABLES -I FORWARD -j ACCEPT
IPTABLES -I FORWARD -p all --dport 51xxx -j ACCEPT

Äëÿ rTorrent (ïî ñîâåòàì ôîðóìà òîððåíòñ.ðó ãäå àíàëîãè÷íîå îáñóæäàëîñü):


iptables -P INPUT ACCEPT
iptables -A INPUT -p tcp --dport 52xxx -j ACCEPT




Ïîëîâèíà èç ýòîãî íå íóæíà èëè äàæå âðåäíà. Âîò ÷òî ñòîèò îñòàâèòü (çàìåòüòå, iptables ïèøåòñÿ ñòðîãî ìàëåíüêèìè [ñòðî÷íûìè] áóêâàìè) :


iptables -P INPUT DROP
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp --dport 52xxx -j ACCEPT

iptables -I SECURITY -p udp --dport 16XXX -j RETURN

È íóæíî óáåäèòüñÿ, ÷òî â íàñòðîéêàõ ðîóòåðà íà ñòðàíèöå Internet Firewall - WAN & LAN Filter ïîëå Port Forwarding default policy âûñòàâëåíî â ACCEPT.

Åñëè íóæíî èçâíå îòêðûòü ssh è ìîðäó rtorrent, òî äîáàâëÿåì


iptables -A INPUT -p tcp --dport xxx -j ACCEPT
iptables -A INPUT -p tcp --dport yyy -j ACCEPT

ãäå xxx - ïîðò, íà êîòîðîì âèñèò dropbear (ssh), à yyy - ïîðò ìîðäû rtorrent-à.

(çàìåòüòå, iptables ïèøåòñÿ ñòðîãî ìàëåíüêèìè [ñòðî÷íûìè] áóêâàìè)
äà, ýòî çàìåòèë ïî÷òè ñðàçó, èñïðàâèë:o


È íóæíî óáåäèòüñÿ, ÷òî â íàñòðîéêàõ ðîóòåðà íà ñòðàíèöå Internet Firewall - WAN & LAN Filter ïîëå Port Forwarding default policy âûñòàâëåíî â ACCEPT.

ýòî åù¸ èçíà÷àëüíî âûñòàâèë, ïðè ïåðâîé æå íàñòðîéêå
Ñïàñèáî çà ñîâåòû:)è ïðàâäà ýòîãî äîñòàòî÷íî

à êòî ïîäñêàæåò, êàê ìîæíî áîðîòüñÿ ñ ãëþêàìè iptables?

ïîÿñíþ
ïîñëå ïîêóïêè ðîóòåðà ïðîøèë òóòîøíåé ïðîøèâêîé, ïî "ïðîñòîé íàñòðîéêå äî òîððåíòîâ" è "äóðàê åäèøåí" ïîäíÿë âñå ÷òî íóæíî, dropbear, ñâîþ ñàìáó, ôòï, rtorrent. Âñå ïîëó÷èëîñü îòëè÷íî

ïîòîì ñòàëè âûëåçàòü ãëþêè - ñî âðåìåíåì asus íà÷àë ïåðåñòàâàòü ïóñêàòü ñíàðóæè ïî ssh è ïî âåá ìîðäå 8080. ïðè÷åì ìîðäà îò òîððåíòà ïî 8081 ïðîäîëæàëà ïóñêàòü, ðàâíî è êàê ñàì òîððåíò ïðîäîëæàë êà÷àòü

ðåáóò ìàøèíêè ïîìîãàë íà íåêîòîðå âðåìÿ.
îïûòíûì ïóòåì âûÿñíåíî, ÷òî íà íåêîòîðîå âðåìÿ ïîìîãàåò ïåðåäåðãèâàíèå ïðàâèë iptables âìåñòî ðåáóòà, îíè íèêóäà íå äåâàëèñü, ïðîñòî ïî÷åìó òî ïåðåñòàâàëè äåéñòâîâàòü

âûäâèíóòî ïðåäïîëîæåíèå, ÷òî iptables-ó íå õâàòàåò ðåñóðñîâ
ñâîï ñäåëàí 512 ìåòðîâ, íî ñèñòåìà åãî îñîáî íå þçàåò, äåðæèò ôèçè÷åñêîé îïåðàòèâû êèëîáàéò 600

total used free shared buffers
Mem: 30164 29644 520 0 1216
Swap: 506008 35280 470728
Total: 536172 64924 471248
êàê âðåìåííàÿ ìåðà ñäåëàí ñêðèïòèê äëÿ ïåðåäåðãèâàíèÿ ïðàâèë, èñïîëíÿåìûé ðàç â ÷àñ ïî êðîíó.  òàêîì âèäå ýòî æèëî ïîëãîäà è íåäàâíî ïåðåñòàëî ïîìîãàòü. Òî åñòü, ñíàðóæè íåò äîñòóïà ïî ssh äàæå ñðàçó ïîñëå ðåáóòà. ïðàâäà åñòü ïî âåá ìîðäå, è ÷åðåç åå êîìàíäíóþ ñòðîêó ñíàðóæè ìîæíî õîòü ÷òî òî âèäåòü, ÷òî òâîðèòñÿ âíóòðè. Íî çàòî ïåðåñòàë ðàáîòàòü äî êó÷è ftp.

êîðî÷å ÷àñòü ïðàâèë ðàáîòàåò, ÷àñòü - íåò
÷å äåëàòü - õåçå

âîò post-firewall

#!/bin/sh

# SSH from WAN
iptables -P INPUT DROP
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp --syn --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 20 -j ACCEPT

# torrent
iptables -I INPUT -p tcp --dport 65534 -j ACCEPT
# torrent morda
iptables -I INPUT -p tcp --dport 8081 -j ACCEPT

iptables -A INPUT -j DROP



à âîò âûâîä iptables -L

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:tproxy
ACCEPT tcp -- anywhere anywhere tcp dpt:65534
logdrop all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
SECURITY all -- anywhere anywhere state NEW
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ACCEPT tcp -- anywhere ddd tcp dpt:www
ACCEPT icmp -- anywhere anywhere
logdrop all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp flags:SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data flags:SYN,RST,ACK/SYN


Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
logdrop all -- anywhere anywhere state INVALID
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
logdrop all -- anywhere anywhere
logdrop all -- anywhere anywhere
SECURITY all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere ctstate DNAT

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain MACS (0 references)
target prot opt source destination

Chain SECURITY (2 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5
RETURN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
RETURN udp -- anywhere anywhere limit: avg 5/sec burst 5
RETURN icmp -- anywhere anywhere limit: avg 5/sec burst 5
logdrop all -- anywhere anywhere

Chain logaccept (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT all -- anywhere anywhere

Chain logdrop (6 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
DROP all -- anywhere anywhere


âðîäå âñå åñòü

à êòî ïîäñêàæåò, êàê ìîæíî áîðîòüñÿ ñ ãëþêàìè iptables?


Âàø ïðèìåð îòëè÷íî ïîêàçûâàåò ñëàáîñòè ïðèíöèïà "[DURAK EDITIONS]". À èìåííî - ÷òîáû ÷òî-òî äåëàòü, íàäî ïîíèìàòü, ÷òî äåëàåøü.

Êîíêðåòíî, âàì íàäî ïîìåíÿòü ñòðî÷êó "iptables -D INPUT -j DROP" íà "iptables -D INPUT -j logdrop" (à ëó÷øå îñòàâèòü ïåðâóþ, à âòîðóþ ñðàçó çà íåé äîïèñàòü).
À âîò ýòà âîîáùå íå íóæíà: "iptables -A INPUT -j DROP".

âûõîäèò äóðàêè íå ìû à òå êòî ïèøåò òàêèå ñòàòüè
íàôèãà íóæíû òàêèå ñòàòüè, ïî êîòîðûì çàâåäîìî íè÷åãî íå ðàáîòàåò
âåðíåå, äîëæíî ðàáîòàòü â òåîðèè, èëè íà íîðìàëüíîé ëèíóêñîâîé ìàøèíå
íî ó íàñ òî ñïåöèôè÷åñêàÿ ìàøèíêà.
äåëî â òîì, ÷òî ñíà÷àëà èñïîëíÿþòñÿ êîíôèãè ïðîøèâêè, à ïîòîì óæå íàøè èç /usr/local/*

ÿ óæå ñ ïîìîùüþ ðàçáèðàþùèõñÿ ëþäåé âñå èñïðàâèë

èòàê, êòî áóäåò áîðîòüñÿ ñ durak-edition - òàì âñå íåâåðíî!

ïðîñèì ïîêàçàòü iptables, ÷åãî ó íåãî åñòü ñ verbo-çîì

iptables -L -v

[admin@ddd sbin]$ iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2404 167K ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
8686 1477K ACCEPT tcp -- any any anywhere anywhere tcp dpt:tproxy
1 60 ACCEPT tcp -- any any anywhere anywhere tcp dpt:65534
5222 404K logdrop all -- any any anywhere anywhere state INVALID
15M 948M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
32512 1951K ACCEPT all -- lo any anywhere anywhere state NEW
80183 29M ACCEPT all -- br0 any anywhere anywhere state NEW
735K 38M SECURITY all -- ppp0 any anywhere anywhere state NEW
3413 1152K ACCEPT udp -- any any anywhere anywhere udp spt:bootps dpt:bootpc
75 4500 ACCEPT tcp -- any any anywhere ddd tcp dpt:www
134 8316 ACCEPT icmp -- any any anywhere anywhere
533K 58M logdrop all -- any any anywhere anywhere
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ftp flags:SYN,RST,ACK/SYN
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ftp-data flags:SYN,RST,ACK/SYN
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN

êîðî÷å, òóò óæå âèäíî, ÷òî âñå ïðàâèëà, äîáàâëåííûå êîìàíäîé -A â êîíåö öåïî÷êè ïîñëå logdrop - íå ðàáîòàþò - òàì ïî íóëÿì ïàêåòîâ
è êàê èçáàâèòüñÿ îò ýòîãî ëîãäðîïà íå ïîíÿòíî. Ïðîñòî âìåñòî -A(dda) ñäåëàë -I(nsert)
ïðàâèëà âíåñëèñü â ñàìîå íà÷àëî è âñå çàðàáîòàëî

è êàê èçáàâèòüñÿ îò ýòîãî ëîãäðîïà íå ïîíÿòíî.


"iptables -D INPUT -j logdrop"
ý...
íó äà, òî åñòü òåïåðü óæå ïîíÿòíî, íó äà ëàäíî, âûõîäèò ìû ñäåëàëè òî æå ñàìîå, òîëüêî ñ äðóãîãî êîíöà

à DROP-û ìû òîæå îáà óäàëèëè)))


#iptables -D INPUT -j DROP
...
#iptables -A INPUT -j DROP

Ïîñòàâèë Îëåãîâñêóþ ïðîøèâêó, çàïóñòèë dropbear è çàøåë íà ðîóòåð ñ LAN.
Ïîïðîáîâàë çàéòè íà ðîóòåð ñ óäàëåííîãî ñåðâåðà - ñîîòâ ÷åðåç WAN.
Íå ïîëó÷àåòñÿ.
Ê ïðîâàéäåðó ïîäêëþ÷åí ïî PPTP. äåëàþ tcpdump íà ppp0 è âèæó ÷òî ïàêåòû SYN ñ óäàëåííîãî ñåðâåðà íà ïîðò 22 ïðèõîäÿò, íî SYN/ACK
â îòâåò íåò.
Íå ìîãó ïîíÿòü ïðè÷èíó. Êîíôèã iptables òàêîé:
52.282.79.18 - àäðåñ ðîóòåðà íà ppp0
10.4.71.180 - eth1 (WAN)
(êñòàòè, ó ìåíÿ wl500w - 1wan, 4lan, à èíòåðôåéñîâ eth òðè - eth0,eth1,eth2 - êòî ê ÷åìó îòíîñèòñÿ? ïî÷åìó íå 5 èëè 2 ?)


[admin@WL-00212344D50F root]$ iptables -n -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 192.168.1.204 tcp dpt:11245
ACCEPT udp -- 0.0.0.0/0 192.168.1.204 udp dpt:11245
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 TCPMSS clamp to PMTU
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain MACS (0 references)
target prot opt source destination

Chain SECURITY (0 references)
target prot opt source destination
RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 1/sec burst 5
RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5
RETURN udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5
RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain logaccept (0 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `ACCEPT '
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain logdrop (0 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `DROP '
DROP all -- 0.0.0.0/0 0.0.0.0/0
[dp@WL-00212344D50F root]$ iptables -t nat -n -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
VSERVER all -- 0.0.0.0/0 52.282.79.18
VSERVER all -- 0.0.0.0/0 10.4.71.180

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- !52.282.79.18 0.0.0.0/0
MASQUERADE all -- !10.4.71.180 0.0.0.0/0
MASQUERADE all -- 192.168.1.0/24 192.168.1.0/24

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain VSERVER (2 references)
target prot opt source destination
DNAT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:11245 to:192.168.1.204:11245
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:11245 to:192.168.1.204:11245
[admin@WL-00212344D50F root]$

Ïðè÷èíà - â ôàåðâîëëå (iptables) ýòî ÿâíî çàïðåùåíî.
Äëÿ ðàçðåøåíèÿ:


iptables -P INPUT DROP
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT



(êñòàòè, ó ìåíÿ wl500w - 1wan, 4lan, à èíòåðôåéñîâ eth òðè - eth0,eth1,eth2 - êòî ê ÷åìó îòíîñèòñÿ? ïî÷åìó íå 5 èëè 2 ?)
Äâà ïðîâîäíûõ (LAN è WAN) è îäèí áåñïðîâîäíîé (Wi-Fi).

Èíòåðôåéñû: eth0 - LAN ïîðòû ñâèò÷à, eth1 - WAN ïîðò, eth2 - WiFi
Ýòî äëÿ WL-500W : http://wl500g.info/showpost.php?p=89585 :)
À äëÿ WL-500gP : http://wl500g.info/showthread.php?t=20609 :cool:

ß âñå-òàêè íå ïîíÿë êàêèì èìåííî ïðàâèëîì ýòî çàïðåùåíî ó ìåíÿ.
âåäü â öåïî÷êå INPUT íàïèñàíî ÷òî ïðèíèìàëü êàê íîâûå òàê è îñòàëüíûå
íîðìàëüíûå ñîåäèíåíèÿ.


ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW


à ïî ïîâîäó èíòåðôåéñîâ - íå ñõîäèòñÿ ÷î-òî ñ eth2 - ó ìåíÿ äëÿ wifi
åñòü br0 - êîòîðûé ñ àäðåñîì wifi-íûì è ÿ ÷åðåç íåãî ðàáîòàþ, à eth2 ïóñòîé.

ß âñå-òàêè íå ïîíÿë êàêèì èìåííî ïðàâèëîì ýòî çàïðåùåíî ó ìåíÿ.
âåäü â öåïî÷êå INPUT íàïèñàíî ÷òî ïðèíèìàëü êàê íîâûå òàê è îñòàëüíûå
íîðìàëüíûå ñîåäèíåíèÿ.


ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW



À âû âûïîëíèòå ëèñòèíã ñ êëþ÷èêîì -v (òàêæå èçâåñòåí êàê --verbose) è òîãäà âñ¸ ïîéì¸òå:


iptables -L -nv





à ïî ïîâîäó èíòåðôåéñîâ - íå ñõîäèòñÿ ÷î-òî ñ eth2 - ó ìåíÿ äëÿ wifi
åñòü br0 - êîòîðûé ñ àäðåñîì wifi-íûì è ÿ ÷åðåç íåãî ðàáîòàþ, à eth2 ïóñòîé.

Âñ¸ ñõîäèòñÿ. À âîò br0 - ýòî ìîñò (bridge), ò.å. èíòåðôåéñ, îáúåäèíÿþùèé íåñêîëüêî äðóãèõ èíòåðôåéñîâ, â äàííîì ñëó÷àå, LAN è Wi-Fi (eth0 + eth2).

Àãà, ñïàñèáî, ïîíÿë, à òî ÿ äóìàë ÷òî çà ñòðàííàÿ îøèáêà - â öåïî÷êå INPUT äâà ðàçà ACCEPT NEW ïðîïèñàí)

âîò òóò è ïîíèìàíèå ÷òî òàêîå br0 ïðèãîäèëîñü)

Îñòàëñÿ îäèí âîïðîñ - ÷òî òàêîå öåïî÷êà SECURITY - ìîæåò ïëîõî èñêàë
íî íå íàøåë åå â ñòàíäàðòíûõ öåïî÷êàõ iptables. Ýòî ôè÷à àñóñà?
êàêîâ åå ñàêðàëüíûé ñìûñë?

Îñòàëñÿ îäèí âîïðîñ - ÷òî òàêîå öåïî÷êà SECURITY - ìîæåò ïëîõî èñêàë
íî íå íàøåë åå â ñòàíäàðòíûõ öåïî÷êàõ iptables. Ýòî ôè÷à àñóñà?
êàêîâ åå ñàêðàëüíûé ñìûñë?

Ýòî ôè÷à ïðîøèâêè. Ýòà öåïî÷êà çàäåéñòâóåòñÿ, åñëè âêëþ÷èòü "çàùèòó îò DoS" â âåá-ìîðäå.

ñïàñèáî! âñå ïîíÿë!

Ó ìåíÿ òàêæå åñòü âîïðîñ ïî iptables - íàäî ðàçðåøèòü ssh è ftp ïîðòû(21 è 22) èç WAN. Â iptables ðàçáèðàòüñÿ ñèë íåòó, áóäó áëàãîäàðåí çà ïîìîùü. IP ðîóòåðà - 192.168.10.50.
 äàííûé ìîìåíò âûãëÿäèò âîò òàê:

[admin@WL500gp session]$ iptables -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
105 8619 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
177K 198M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
909 54540 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
4436 338K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
841 26912 ACCEPT 2 -- * * 0.0.0.0/0 224.0.0.0/4
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.0/4 udp dpt:!1900
0 0 SECURITY all -- vlan1 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.10.50 tcp dpt:80
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 1557 packets, 80691 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.0/4
34712 24M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 40 DROP all -- !br0 vlan1 0.0.0.0/0 0.0.0.0/0
1971 134K SECURITY all -- !br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
1015 83260 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT

Chain OUTPUT (policy ACCEPT 133K packets, 12M bytes)
pkts bytes target prot opt in out source destination

Chain MACS (0 references)
pkts bytes target prot opt in out source destination

Chain SECURITY (2 references)
pkts bytes target prot opt in out source destination
422 20992 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 1/sec burst 5
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5
593 62268 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5
0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5
956 50588 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain logaccept (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `ACCEPT '
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `DROP '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
[admin@WL500gp session]$

Íó åñëè "íåòó ñèë", òî ïðîñòî ìîæåòå ýòî ñäåëàòü äëÿ íóæíîãî êîìïà â Virtual Server â web-ìîðäå ... ;)
À åñëè äîñòóï íóæåí íà ðîóòåð, òî ñìîòðèòå íàñòðîéêè ftp èëè óæå âûøåïðèâåä¸ííûé ïðèìåð ... :)

Ó ìåíÿ òàêæå åñòü âîïðîñ ïî iptables - íàäî ðàçðåøèòü ssh è ftp ïîðòû(21 è 22) èç WAN. Â iptables ðàçáèðàòüñÿ ñèë íåòó, áóäó áëàãîäàðåí çà ïîìîùü. IP ðîóòåðà - 192.168.10.50.


Íó, îòâåò áóäåò òîò æå, òîëüêî ïîðòû ïîìåíÿþòñÿ (ÿ ïðåäïîëàãàþ, ÷òî ðàç âàì íóæåí ftp, òî íóæíî îòêðûòü è ïîðò 20 - ftp-data)


iptables -P INPUT DROP
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp -m tcp --dport 20:22 --syn -j ACCEPT




Íó åñëè "íåòó ñèë", òî ïðîñòî ìîæåòå ýòî ñäåëàòü â Virtual Server â web-ìîðäå ... ;)

Virtual Server íå îòêðûâàåò äîñòóï ê ïîðòàì ñàìîãî ðîóòåðà, à òîëüêî ê ïîðòàì óñòðîéñòâ çà ðîóòåðîì.

Virtual Server íå îòêðûâàåò äîñòóï ê ïîðòàì ñàìîãî ðîóòåðà, à òîëüêî ê ïîðòàì óñòðîéñòâ çà ðîóòåðîì.

Ýòî ïðàâèëüíî ... :) Íåìíîãî ñìóòèëî óêàçàíèå ip-àäðåñà ... Ìîæåò àôôòàð èìåë â âèäó àäðåñ êîìïà, à íå ðîóòåðà ? ;)
Êàê èç èíåòà îí áóäåò çàõîäèòü íà ëîêàëüíûé àäðåñ áåç âíåøíåãî ïî dyndns ? Íóæíî òî÷íåå ôîðìóëèðîâàòü ñâîè âîïðîñû ... :D

Ç.Û. Âïðî÷åì, ñóäÿ ïî åãî ïîñòàì, ýòè ñîâåòû ìîãóò è íå ïîìî÷ü ... :(

Ýòî ïðàâèëüíî ... :) Íåìíîãî ñìóòèëî óêàçàíèå ip-àäðåñà ... Ìîæåò àôôòàð èìåë â âèäó àäðåñ êîìïà, à íå ðîóòåðà ? ;)
Êàê èç èíåòà îí áóäåò çàõîäèòü íà ëîêàëüíûé àäðåñ áåç âíåøíåãî ïî dyndns ? Íóæíî òî÷íåå ôîðìóëèðîâàòü ñâîè âîïðîñû ... :D

Íå, ðàç óæ îí óïîìÿíóë "IP ðîóòåðà", çíà÷èò ñ÷èòàåì, ÷òî çàõîäèòü áóäåò íà ðîóòåð (ìû æ íå îðàêóëû èëè òåëåïàòû, ÷òîáû çíàòü, ÷òî àâòîðó íà ñàìîì äåëå íóæíî). Ðàç ñêàçàíî "íàäî ðàçðåøèòü ... èç WAN" - çíà÷èò, áóäåò èç WAN.  êðàéíåì ñëó÷àå, åñëè âíåøíåãî àäðåñà íåò, ñìîæåò õîòÿ áû èç ëîêàëêè ïðîâàéäåðà çàéòè :)

Ñïñ, ïîìîãëî) Ïðàâäà ïðèøëîñü åùå ñïåðâà iptables --flush ñäåëàòü.
Ïîÿñíþ - 192.168.10.50 - ëîêàëüíûé ÈÏ ðîóòåðà. Ìíå íàäî çàéòè èìåííî íà íåãî, à íå ïðîêèíóòü ïîðò íà êîìï/íîóò ïî ññø. Ñêàçàë ïðîñòî äëÿ óòî÷íåíèÿ, ÷òî ýòî íå êîìï, à èìåííî ðîóòåð ïî ýòîìó èïó ñèäèò)
À çàõîäèòü ÿ íà íåãî áóäó ïî lerk.<>.org ))


ÇÛ. Ýòîò(500ãï â1) ðîóòåð òàêîé õèòðûé, ÷òî ñòàíäàðòíûå ìåòîäû ÷òåíèÿ ìàíîâ òóò íå ðàáîòàþò - õîòÿ áû ïðè ìîíòèðîâàíèè äèñêîâ îí íàïðî÷ü èãíîðèðóåò fstab)) õç ïî÷åìó, íî ôàêò)

Ñïñ, ïîìîãëî) Ïðàâäà ïðèøëîñü åùå ñïåðâà iptables --flush ñäåëàòü.


À çà÷åì flush? Äîëæíî è òàê ðàáîòàòü.

P.S. ß íå ñòàë ïèñàòü, ò.ê. ýòî êàê áû ñàìî ñîáîé ðàçóìååòñÿ, íî óêàçàííûå ñòðî÷êè â áîëüøèíñòâå ñëó÷àåâ íàäî äîáàâèòü â post-firewall, ÷òîáû îíè ïðèìåíÿëèñü âñåãäà, êîãäà íóæíî.

Áåç íåãî ðàáîòàòü îòêàçûâàëîñü íàïðî÷ü.
PS. Ïðî post-firewall è òàê ÿñíî)

Áåç íåãî ðàáîòàòü îòêàçûâàëîñü íàïðî÷ü.


Íî flush æå óáèâàåò âñå ïðàâèëà. Ôàêòè÷åñêè, âû ýòèì äåéñòâèåì îòêëþ÷àåòå ôàåðâîëë.

Óãó. Íó ÿ åãî î÷èñòèë, ïîòîì ðåáóíóë ðîóòåð - îí âîññòàíîâèë âñå ïðàâèëà, êîòîðûå ïðîïèñàíû(ïëþñ òå, ÷òî ÿ äîáàâèë).
Íó è åùå âîïðîñ - êàê çàïðåòèòü êàêîìó-òî âíóòðåííåìó IP ïîëó÷àòü èíôîðìàöèþ îò îïðåäåëåííîãî âíåøíåãî IP ïî ëþáîìó èç ïîðòîâ\ïðîòîêîëîâ?
PS. Íó è çàîäíî íå â òåìó âîïðîñ - åñòü âîîáùå ñîôòèíêà äëÿ ìîíèòîðèíãà êòî è ñ êåì ïî êàêîìó ïîðòó îáìåíèâàåòñÿ èíôîðìàöèåé?(òèïà êàê â àóòïîñò ôàåðâîëëå)

Íó è åùå âîïðîñ - êàê çàïðåòèòü êàêîìó-òî âíóòðåííåìó IP ïîëó÷àòü èíôîðìàöèþ îò îïðåäåëåííîãî âíåøíåãî IP ïî ëþáîìó èç ïîðòîâ\ïðîòîêîëîâ?
PS. Íó è çàîäíî íå â òåìó âîïðîñ - åñòü âîîáùå ñîôòèíêà äëÿ ìîíèòîðèíãà êòî è ñ êåì ïî êàêîìó ïîðòó îáìåíèâàåòñÿ èíôîðìàöèåé?(òèïà êàê â àóòïîñò ôàåðâîëëå)

Çàïðåòèòü, íàïðèìåð, òàê


INT_IP='192.168.1.222'
EXT_IP='213.180.204.8'

iptables -I FORWARD 1 -s "$INT_IP" -d "$EXT_IP" -j DROP
iptables -I FORWARD 2 -s "$EXT_IP" -d "$INT_IP" -j DROP


Ïî ïîâîäó ñîôòà äëÿ ìîíèòîðèíãà - íå ñëûøàë. Íî èç êîíñîëè ìîæíî ïîëó÷èòü èíôîðìàöèþ î òåêóùèõ ñîåäèíåíèÿõ, âûïîëíèâ "cat /proc/net/ip_conntrack". À ñëåäèòü çà òðàôèêîì ìîæíî ñ ïîìîùüþ tcpdump.

Íó è íàêîíåö åùå âîïðîñ)
Íóæíî ïðîêèíóòü âíåøíèé ïîðò N íà âíóòðåíèé M íà àéïèøíèê IP1 Íà tcp è udp òðàôôèê. Êàê?) Çàðàíåå ñïàñèáî.
PS. Âèðòóàë ñåðâåð íå õî÷ó èñïîëüçîâàòü, ò.ê. îí òðåáóåò ðåáóòà ðîóòåðà, ÷òî ÷ðåâàòî ÷àñîâûìè õýø ïðîâåðêàìè òîððåíòà, òîãäà êàê iptables ïîäõâàòûâàþòñÿ íà ëåòó.

Íó è íàêîíåö åùå âîïðîñ)
Íóæíî ïðîêèíóòü âíåøíèé ïîðò N íà âíóòðåíèé M íà àéïèøíèê IP1 Íà tcp è udp òðàôôèê. Êàê?) Çàðàíåå ñïàñèáî.
PS. Âèðòóàë ñåðâåð íå õî÷ó èñïîëüçîâàòü, ò.ê. îí òðåáóåò ðåáóòà ðîóòåðà, ÷òî ÷ðåâàòî ÷àñîâûìè õýø ïðîâåðêàìè òîððåíòà, òîãäà êàê iptables ïîäõâàòûâàþòñÿ íà ëåòó.

Ïóñòü
âíåøíèé ïîðò N = 1234
âíóòðåííèé ïîðò M = 4321
àéïèøíèê IP1 = 192.168.1.223

Òîãäà


for proto in tcp udp ; do
iptables -t nat -A VSERVER -p "$proto" -m "$proto" --dport 1234 -j DNAT --to-destination 192.168.1.223:4321
done

À âîîáùå, ïî÷èòàéòå ââîäíîå ðóêîâîäñòâî ïî iptables (http://www.opennet.ru/docs/RUS/iptables/), ìîæåò, ïðèãîäèòñÿ.

Ïî ïîâîäó P.S. è ïåðåõåøèðîâàíèÿ: âûêëþ÷àéòå/ïåðåçàãðóæàéòå ðîóòåð ïðàâèëüíî (http://wl500g.info/showthread.php?t=12806) è íèêòî íè÷åãî ïåðåõåøèðîâàòü íå áóäåò. Âñåãî-òî íóæíî ñî÷èíèòü ïðàâèëüíûé pre-shutdown.

Проблема есть локальная сеть 192.168.1.0-255 нада запретить всем доступ к интернету кроме 4 человек и эти 4 нада ограничить по скорости если найдеться добрый человек и напишет мне эти злосчастные строчки я буду счастлив ! заранее спасибо ! извините за глупые просьбы

Ó ìåíÿ ñòîèò ðóòåð WL500gP v1, çà íèì ñòîèò âåá-ñåðâåð íà îòäåëüíîé æåëåçêå.. ñ ïîìîùüþ ïðàâèëà:

iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.5:80

âñå ðàáîòàåò, íî î÷åíü ìåäëåííî (åñëè èç âíåøíåé ñåòè ñìîòðåòü)..
Åñëè îòêðûâàòü ôîòîãàëëåðåþ, (ìíîãî ìåëêèõ êàðòèíîê), òî íåêîòîðûå èç íèõ âîîáùå íå çàãðóæàþòñÿ.. èçíóòðè ñåòè òàêèõ ïðîáëåì íå âîçíèêàåò, òàê ÷òî ñåðâåð íå ïðè ÷åì.

ïðèìåð ññûëêè: http://www.faraon.lv/foto/showphotos.php?showgal=amrita.

Åñòü ïîäîçðåíèå, ÷òî ñîåäèíåíèÿ "âûñòðàèâàþòñÿ â î÷åðåäü".. ìîæåò ãäå-òî â ðóòåðå åñòü ïàðàìåòð, îòâå÷àþùèé çà ýòî?..

íå èñêëþ÷åíî, ÷òî ïðîáëåìà ìîæåò êðûòüñÿ â ïðîâàéäåðå, íî õîòåëîñü áû áûòü óâåðåííûì â ñâîåé æåëåçêå :)

Çàùèòà îò DoS äà¸ò òàêîé ýôôåêò.

Ðåøèë îãðàíè÷èòü ïî âðåìåíè äîñòóï ê èíåòó ñ ïîìîùüþ ïðàâèë iptables.
ò.ê. ïåðåêðûâàòü âñå èãðîâûå ïîðòû ñìûñëà íåòó, ðåøèë çàðåçàòü âñå, à ðàçðåøàòü óæå íåîáõîäèìûå 80,21 è ò.ä.
Ñîçäàþò ïðàâèëî:

iptables -A FORWARD -s 192.168.1.6 -p tcp -j DROP
Çàêðûâàÿ âñå tcp ñîåäèíåíèÿ.



[admin@router root]$ iptables -A INPUT -s 192.168.1.6 -p tcp --sport 80 -j ACCEPT
[admin@router root]$ iptables -A INPUT -s 192.168.1.6 -p tcp --dport 80 -j ACCEPT
Õî÷ó ðàçðåøèòü òîëüêî 80 ïîðò, íî îí âñå ðàâíî îñòàåòüñÿ çàêðûòûì, ÷òî äåëàþò íå òàê?

ïîïðîáóé â îáðàòíîì ïîðÿäêå :

Ñíà÷àëà äàòü äîñòóï íà ïîðòû è àéïèøíèêè à ñëåäóùåì ïðàâèëîì çàêðûòü âñ¸....

Ðåøèë îãðàíè÷èòü ïî âðåìåíè äîñòóï ê èíåòó ñ ïîìîùüþ ïðàâèë iptables.

Ðóêîâîäñòâî ïî iptables (Iptables Tutorial 1.1.19) (http://www.opennet.ru/docs/RUS/iptables/)

Íà 192.168.1.1:8082 ó ìåíÿ ïðåêðàñíî ðàáîòàåò lighttpd. Ó ìåíÿ åñòü ñòàòè÷åñêèé IP (82.199.109.144). ß õî÷ó, ÷òîáû äëÿ âñåãî èíòåðíåòà íà http://82.199.109.144/ îòêðûâàëîñü òîæå, ÷òî è äëÿ ìåíÿ 192.168.1.1:8082.

ß òàê ïîíèìàþ, äëÿ ýòîãî íóæíî ïðîáðîñèòü ïîðò 80 íà 8082. Êàê ìíå ýòî ñäåëàòü? Ñåé÷àñ íè÷åãî íå ðàáîòàåò.


$ cat /usr/local/sbin/post-firewall
#!/bin/sh
iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8082


$ iptables --list -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
13 1574 DROP all -- any any anywhere anywhere state INVALID
3862 338K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
254 15240 ACCEPT all -- lo any anywhere anywhere state NEW
1660 524K ACCEPT all -- br0 any anywhere anywhere state NEW
0 0 ACCEPT udp -- any any anywhere anywhere udp spt:bootps dpt:bootpc
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ftp
0 0 DROP all -- any any anywhere anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
13 688 ACCEPT all -- br0 br0 anywhere anywhere
0 0 DROP all -- any any anywhere anywhere state INVALID
1688 93128 TCPMSS tcp -- any any anywhere anywhere tcp flags:SYN,RST,ACK/SYN TCPMSS clamp to PMTU
103K 90M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 DROP all -- !br0 ppp0 anywhere anywhere
0 0 DROP all -- !br0 eth0 anywhere anywhere
1747 121K ACCEPT all -- br0 any anywhere anywhere
1567 188K ACCEPT all -- any any anywhere anywhere ctstate DNAT

Chain OUTPUT (policy ACCEPT 5486 packets, 948K bytes)
pkts bytes target prot opt in out source destination

Chain MACS (0 references)
pkts bytes target prot opt in out source destination

Chain SECURITY (0 references)
pkts bytes target prot opt in out source destination
0 0 RETURN tcp -- any any anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5
0 0 RETURN tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
0 0 RETURN udp -- any any anywhere anywhere limit: avg 5/sec burst 5
0 0 RETURN icmp -- any any anywhere anywhere limit: avg 5/sec burst 5
0 0 DROP all -- any any anywhere anywhere

Chain logaccept (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
0 0 ACCEPT all -- any any anywhere anywhere

Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
0 0 DROP all -- any any anywhere anywhere

http://wl500g.info/showpost.php?p=128994&postcount=6

Ñïàñèáî, íî ýòî ìíå íå ïîìîãëî.

Òóò îáñóæäàëàñü ïîõîæàÿ ïðîáëåìà: http://wl500g.info/showpost.php?p=53300&postcount=3. ß ïîïðîáîâàë êîä îòòóäà, ïîìåíÿâ ëèøü ïîðò 82 íà ìîé 8082.


#!/bin/sh
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp --dport 8082 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i $1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8082
iptables -A INPUT -j DROP

Ýòî íå ïîìîãëî.


$ iptables --list PREROUTING -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
VSERVER all -- anywhere 82.199.109.144.iskratelecom.ru
NETMAP udp -- anywhere 82.199.109.144.iskratelecom.ruudp spt:6112 192.168.1.0/24
autofw tcp -- anywhere anywhere tcp dpt:50001 autofw tcp dpt:50001 to:50001
autofw udp -- anywhere anywhere udp dpt:50001 autofw udp dpt:50001 to:50001
DNAT tcp -- anywhere anywhere tcp dpt:www to:192.168.1.1:8082
Òóò âñ¸ â ïîðÿäêå?

Ïîë äíÿ è ïîë íî÷è è òåïåðü âñ¸ ðàáîòàåò!


$ cat /usr/local/sbin/post-firewall
#!/bin/sh
# $1 = vlan1
# $2 = 192.168.1.1

iptables -t nat -I PREROUTING 1 -p tcp -d "$2" --dport 80 -j DNAT --to "$2":8082
iptables -t nat -D PREROUTING -i "$1" -p tcp --dport 80 -j DROP
iptables -t nat -I PREROUTING 2 -i "$1" -p tcp --dport 8082 -j DROP
iptables -I INPUT 1 -i "$1" -d "$2" -p tcp --syn --dport 8082 -j ACCEPT

Ðåøåíèå âçÿòî îòñþäà: http://wl500g.info/showpost.php?p=53309&postcount=5

Ýìì... Çà÷åì òàê ñëîæíî? åñëè íàäî ðóêàìè ñäåëàòü òî, ÷òî äåëàåòñÿ ÷åðåç Virtual server â âåá-ìîðäå, òî îíî äåëàåòñÿ òàê:

iptables -t nat -A VSERVER -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8082

À äåëàòü ïðîáðîñ íà ñàì ðîóòåð èëè íà êàêîé-òî äðóãîé êîìï â ëîêàëüíîé ñåòè, âðîäå êàê íå êðèòè÷íî. Ïî êðàéíåé ìåðå ó ìåíÿ ðàáîòàåò :-)

allion, òàê ó ìåíÿ íå ðàáîòàåò ïî÷åìó-òî.

1. Äîïóñòèì, íåîáõîäèìî âûïîëíèòü
iptables -A FORWARD -d 10.3.0.0/24 -m state –state ESTABLISHED,RELATED -j ACCEPT
Êðèòåðèé -m state íå ïîääåðæèâàåòñÿ ÿäðîì? Èëè êàê-òî ìîæíî ýòî äåëî âêëþ÷èòü?
firmware 1.9.2.7-10
2. À ðåïîçèòàðèé òî ó íàñ îáíîâëÿåòñÿ? Òàì ëåæèò openssl - 0.9.7m-5.
À òî, íàïðèìåð, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555

Êàêèì ÿäðîì? À ïîïðîáîâàòü?

Ç.Û. Â âåðñèÿõ ïðîøèâîê îò Îëåãà è 1.9.2.7-d îò ýíòóçèàñòîâ, ðàáîòàåò "èç êîðîáêè".

1. Äîïóñòèì, íåîáõîäèìî âûïîëíèòü
iptables -A FORWARD -d 10.3.0.0/24 -m state –state ESTABLISHED,RELATED -j ACCEPT
Èëè êàê-òî ìîæíî ýòî äåëî âêëþ÷èòü? Òàê ïàðàìåòðû íàäî ïðàâèëüíî äàâàòü:

iptables -A FORWARD -d 10.3.0.0/24 -m state -–state ESTABLISHED,RELATED -j ACCEPT ;)

Òàê ïàðàìåòðû íàäî ïðàâèëüíî äàâàòü:


iptables -A FORWARD -d 10.3.0.0/24 -m state -–state ESTABLISHED,RELATED -j ACCEPT



Íåò, ïðàâèëüíî áóäåò òàê


iptables -A FORWARD -d 10.3.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT

Âñ¸-òàêè, äåôèñ è ñèìâîë, ïîõîæèé íà äåôèñ, ÿâëÿþòñÿ äëÿ êîìïüþòåðà ðàçíûìè.

Âè íå ïîâåðèòå, íî òàì äâà ÎÄÈÍÀÊÎÂÛÕ ñèìâîëà ñ '-' (ìèíóñ) èìåþùèõ êîä 0x2D. Ïî÷åìó îíè ÂÛÃËßÄßÒ ïî ðàçíîìó, ìíå íå âåäîìî :cool:

Âè íå ïîâåðèòå, íî òàì äâà ÎÄÈÍÀÊÎÂÛÕ ñèìâîëà ñ '-' (ìèíóñ) èìåþùèõ êîä 0x2D. Ïî÷åìó îíè ÂÛÃËßÄßÒ ïî ðàçíîìó, ìíå íå âåäîìî :cool:

Äà, íå ïîâåðþ, èáî ýòî íåïðàâäà:


$ echo 'iptables -A FORWARD -d 10.3.0.0/24 -m state -–state ESTABLISHED,RELATED -j ACCEPT' | hexdump -vC
00000000 69 70 74 61 62 6c 65 73 20 2d 41 20 46 4f 52 57 |iptables -A FORW|
00000010 41 52 44 20 2d 64 20 31 30 2e 33 2e 30 2e 30 2f |ARD -d 10.3.0.0/|
00000020 32 34 20 2d 6d 20 73 74 61 74 65 20 2d e2 80 93 |24 -m state -...|
00000030 73 74 61 74 65 20 45 53 54 41 42 4c 49 53 48 45 |state ESTABLISHE|
00000040 44 2c 52 45 4c 41 54 45 44 20 2d 6a 20 41 43 43 |D,RELATED -j ACC|
00000050 45 50 54 0a |EPT.|
00000054

Äà, íå ïîâåðþ, èáî ýòî íåïðàâäà: È äåéñòâèòåëüíî :eek:
ß ïðîâåðÿë àíàëîãè÷íî ïîä âèíäîé, òàì ýòîò 0xE2 ñàì ñêîíâåðòèðîâàëñÿ â 0x2D, çàðàçà :o
Íó çíà÷èò ó àâòîðà áûëî äâå îøèáêè, ò.ê. ýòîò ñèìâîë ó íåãî â èñõîäíîì ïîñòå ñèäèò, ÿ òîëüêî íîðìàëüíûé ìèíóñ äîáàâèë :D

Áëàãîäàðþ âàñ âñåõ. Ïðèìó íà âîîðóæåíèå ïðîñìîòð â hex-ðåæèìå.
À íåëüçÿ ëè êàê-íèáóäü äîáàâèòü ïîäñòâåòêó ïî ñèìâîëàì, íàïðèìåð, çåëåíûì âûäåëÿòü ïðîáåëû 20 ? Ïðîñòî òàê óäîáíåå àíàëèçèðîâàòü, åñëè ÷òî.

Äåíü äîáðûé, äîðîãèå ôîðóì÷àíå!
Âñþ ãîëîâó ïðåëîìàë, ðàçìûøëÿÿ íàä ïðîáëåìîé, êîòîðàÿ çàêëþ÷àåòñÿ â ñëåäóþùåì:
åñòü òàêàÿ ñâÿçêà

{èíòåðíåò} > {wl500w(br0-192.168.0.1)} > {(192.168.0.2-eth1)ëîêàëüíûé FTP - ñåðâåð(br0-192.168.1.1)} > (192.168.1.0/24)ëîêàëêà

Ñ äîñòóïîì ê ëîêàëüíîìó FTP - ñåðâåðó íèêàêèõ ïðîáëåì íåò, ïîðò íà ðîóòåðå ïðîáðîøåí.
Êàêîå ïðàâèëî ïðîïèñàòü â iptables ëîêàëüíîãî FTP-ñåðâåðà , ÷òîáû êëèåíòû èç ëîêàëüíîé ñåòè èìåëè äîñòóï ê ftp-ñåðâåðàì â èíòåðíåòå?
P.S äîñòóï ê ftp-ñåðâåðàì â èíòåðíåòå ñ ëîêàëüíîãî FTP- ñåðâåðà åñòü

iptables -A FORWARD -i br0 -p tcp --source-port 21 --destination-port 21 -o eth1 -d ! 192.168.1.1 -j ACCEPT
íå ïðîêàòûâàåò

"Ëîêàëüíûé FTP-ñåðâåð" - ýòî, ÿ òàê ïîíèìàþ, íå ðîóòåð. Ò.å. âîïðîñ íå ïðî ðîóòåð?
Ó âàñ íà í¸ì ìàñêàðàäèíã/ñíàò âêëþ÷åí?
Åñëè âû íè÷åãî íå çàïðåùàëè, òî äîñòóï è òàê äîëæåí áûòü (ñ ó÷¸òîì ï. 2). Òàê ÷òî ïîêàçûâàéòå òåêóùèå òàáëèöû ïðàâèë.

Òàêæå ñòîèò óïîìÿíóòü ïîëåçíóþ êîìàíäó modprobe nf_nat_ftp.

Òàêæå ñòîèò óïîìÿíóòü ïîëåçíóþ êîìàíäó modprobe nf_nat_ftp.
â îðèãèíàëüíûõ àñóñîâñêèõ è âñåõ íà íèõ îñíîâàííûõ îíî óæå â ÿäðå

"Ëîêàëüíûé FTP-ñåðâåð" - ýòî, ÿ òàê ïîíèìàþ, íå ðîóòåð. Ò.å. âîïðîñ íå ïðî ðîóòåð?
Ó âàñ íà í¸ì ìàñêàðàäèíã/ñíàò âêëþ÷åí?
Åñëè âû íè÷åãî íå çàïðåùàëè, òî äîñòóï è òàê äîëæåí áûòü (ñ ó÷¸òîì ï. 2). Òàê ÷òî ïîêàçûâàéòå òåêóùèå òàáëèöû ïðàâèë.

Òàêæå ñòîèò óïîìÿíóòü ïîëåçíóþ êîìàíäó modprobe nf_nat_ftp.

1 - äà, ýòî îòäåëüíàÿ æåëåçêà
2 - âêëþ÷åí ñíàò

iptables -t nat -A POSTROUTING -o br0 -j SNAT --to-source 192.168.0.2
3 - ïðàâèëà iptables FTP-ñåðâåðà


iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i eth1 -p tcp --dport 21 -j ACCEPT
iptables --new-chain car1
iptables --insert OUTPUT 2 -p tcp --destination-port 21 -o eth1 --jump car1
iptables --append car1 -m limit --limit 15/sec --jump RETURN
iptables --append car1 --jump DROP
iptables -A INPUT -p TCP --syn --dport 21 -m recent --name proftpd --set
iptables -A INPUT -p TCP --syn --dport 21 -m recent --name proftpd --update --seconds 600 --hitcount 10 -j DROP
iptables -t nat -A POSTROUTING -o br0 -j SNAT --to-source 192.168.0.2

2 - âêëþ÷åí ñíàò

iptables -t nat -A POSTROUTING -o br0 -j SNAT --to-source 192.168.0.2


Ýì, åñëè âíåøíèé èíòåðôåéñ - ýòî eth1, òî äîëæíî áûòü òàê:


iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.2






3 - ïðàâèëà iptables FTP-ñåðâåðà


iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i eth1 -p tcp --dport 21 -j ACCEPT
iptables --new-chain car1
iptables --insert OUTPUT 2 -p tcp --destination-port 21 -o eth1 --jump car1
iptables --append car1 -m limit --limit 15/sec --jump RETURN
iptables --append car1 --jump DROP
iptables -A INPUT -p TCP --syn --dport 21 -m recent --name proftpd --set
iptables -A INPUT -p TCP --syn --dport 21 -m recent --name proftpd --update --seconds 600 --hitcount 10 -j DROP
iptables -t nat -A POSTROUTING -o br0 -j SNAT --to-source 192.168.0.2


Ó âàñ òóò íåò îáùèõ çàïðåùàþùèõ ïðàâèë, òàê ÷òî òðàôèê äîëæåí ïðîõîäèòü (åñëè òîëüêî ïîëèòèêà FORWARD íå óñòàíîâëåíà â DROP). Ëó÷øå âçãëÿíóòü íà ðåçóëüòèðóþùèå òàáëèöû:


iptables-save








Òàêæå ñòîèò óïîìÿíóòü ïîëåçíóþ êîìàíäó modprobe nf_nat_ftp.
â îðèãèíàëüíûõ àñóñîâñêèõ è âñåõ íà íèõ îñíîâàííûõ îíî óæå â ÿäðå

ß ýòî íàïèñàë, ïðåäïîëàãàÿ, ÷òî ìû ãîâîðèì íå ïðî ðîóòåð (è ìî¸ ïðåäïîëîæåíèå ïîäòâåðäèëîñü).

Ýì, åñëè âíåøíèé èíòåðôåéñ - ýòî eth1, òî äîëæíî áûòü òàê:


iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.2



Óððà! Çàðàáîòàëî. Áîëüøîå Âàì ÷åëîâå÷åñêîå ñïàñèáî, Power! :)

Äîáðîå âðåìÿ ñóòîê.
Ïðèøëà â ãîëîâó îäíà áðåäîâàÿ ìûñëü, èäåÿ òàêîâà:
Åñòü óäàë¸ííûé ñåðâàê $ip_1 êîòîðûé ñëóøàåò ïîðò $port_1.
Åñòü wl-500w c áåëûì ip $ip_2.
Âîçìîæíî ëè ñðåäñòâàìè iptables ñäåëàòü òàê ÷òî áû êîãäà ÿ îáðàùàëñÿ áû íà WAN èíòåðôåéñ ðîóòåðà ê ïîðòó $port_2 îí ôîðâàðäèë áû ïàêåòû íà $ip_1:$port_1 ?

Äà, âîçìîæíî.

Äà, âîçìîæíî.

è êàê âñåãäà ðàçâ¸ðíóòûé è àáñîëþòíî òî÷íûé îòâåò îò ìåñòíûõ ãóðó!

è êàê âñåãäà ðàçâ¸ðíóòûé è àáñîëþòíî òî÷íûé îòâåò îò ìåñòíûõ ãóðó!
Ìîãó ïðåäëîæèòü åùå ïàðó:
man iptables (http://www.opennet.ru/cgi-bin/opennet/ks.cgi?mask=linux+postscript+ip+man+iptables)
iptables + port forwarding (http://www.google.ru/search?q=iptables+%2B+port+forwarding&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:ru:official&client=firefox)

Ïðîáîâàë òàê + êèäàë ïðàâèëî â ôîðâàðä è èíïóò, íå ðàáîòàåò :(
-A PREROUTING -d IPlocal -i eth1 -p udp -m udp --dport 27016 -j DNAT --to-destination IPkuda

Ïðîáîâàë òàê + êèäàë ïðàâèëî â ôîðâàðä è èíïóò, íå ðàáîòàåò :(
-A PREROUTING -d IPlocal -i eth1 -p udp -m udp --dport 27016 -j DNAT --to-destination IPkuda

Âàì íóæíî òàêîå:


iptables -t nat -A PREROUTING -d ExtIP -i eth1 -p udp -m udp --dport 27016 -j DNAT --to-destination IPkuda
iptables -I FORWARD -i eth1 -o eth1 -m state --state NEW -m conntrack --ctstate DNAT -j ACCEPT

ãäå ExtIP - âíåøíèé àäðåñ, à eth1 - âíåøíèé èíòåðôåéñ (ò.å. ó âàñ íåò íèêàêèõ PPP).

Ñïàñèáî çà ýòî:

iptables -I FORWARD -i eth1 -o eth1 -m state --state NEW -m conntrack --ctstate DNAT -j ACCEPT
Íå ïðàâèëüíî öåïî÷êó FORWARD þçàë.

ÿ æóòêî èçâèíÿþñü çà âîïðîñ ïðî iptables, íî íå äàþòñÿ îíè ìíå íèêàê.
 ëîãàõ ðîóòåðà êàæäûå 5 ìèí

vsftpd[307]: [anonymous] FAIL LOGIN: Client "10.180.40.131"
ýòî ftp-ïîèñê îáìåííîé ñåòè ïûòàåòñÿ êî ìíå çàéòè.
Õî÷ó ÷òîáû ëîã íå "çàñîðÿëñÿ".
 post-firewall äîáàâèë

iptables -A INPUT -s 10.180.40.131 -j DROP
âèæó â öåïî÷êå INPUT ïðàâèëî

0 0 DROP all -- * * 10.180.40.131 0.0.0.0/0

íî â ëîãå ïîïûòêè ñîåäèíåíèÿ ïðîäîëæàþòñÿ.

Íî âåäü åñëè ÿ çàïðåòèë IP, òî òàê áûòü íå äîëæíî?

Ïðèâåäèòå ðåçóëüòàò âûïîëíåíèÿ êîìàíäû
iptables -vnL INPUT

Ïðèâåäèòå ðåçóëüòàò âûïîëíåíèÿ êîìàíäû
iptables -vnL INPUT



pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:51777:51780
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:51777:51780
39434 2238K MACS all -- br0 * 0.0.0.0/0 0.0.0.0/0
31 4336 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
617K 78M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
386 23700 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
1432 743K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
502 36188 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
122 3664 ACCEPT 2 -- * * 0.0.0.0/0 224.0.0.0/4
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.0/4 udp dpt:!1900
63 4611 SECURITY all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
12 720 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 flags:0x17/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.1 tcp dpt:80
9 422 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 10.180.40.131 0.0.0.0/0

Ïîñìîòðèòå íà òàáëèöó: âàøå ïðàâèëî äîáàâèëîñü â êîíåö, ïðè ÷åì âûøå ñòîèò ïðàâèëî, êîòîðîå ñðàáàòûâàåò âî âñåõ ñëó÷àÿõ, ò.å. äî âàøåãî ïðàâèëà íè îäèí ïàêåò íå äîõîäèò.
âàì íóæíî èñïîëüçîâàòü iptables -I INPUT <íîìåð ïðàâèëà, íà êîòîðûé íóæíî âñòàâèòü>

iptables -I INPUT -s 10.180.40.131 -j DROP
èëè

iptables -I INPUT 13 -s 10.180.40.131 -j DROP

Basile
ñïàñèáî ïîìîãëî

Êîëëåãè, äîáðîãî äíÿ!

Óìó÷àëñÿ óæå, íàñòðàèâàÿ iptables. È âåäü íàñòðàèâàòü ðàíüøå ïðèõîäèëîñü, ìîæåò ïîäçàáûë ÷åãî..

Äëÿ íà÷àëà õîòåëîñü áû, ÷òîáû ðîóòåð (ASUS WL500GPv2) ìîæíî áûëî ñíàðóæè ïèíãàíóòü. Ïåðåáðàë âñå âîçìîæíûå âàðèàíòû ñ öåïî÷êàìè INPUT è OUTPUT - íåò ïèíãà è âñå.

Ðîóòåð ïîäêëþ÷àåòñÿ ê ïðîâàéäåðó ïî PPTP, ò.î ïîÿâëÿåòñÿ âèðò. èíòåðôåéñ ppp0.

Äëÿ ÷èñòîòû ýêñïåðèìåíòà óáðàë âñå ñóùåñòâóþùèå ïðàâèëà â öåïî÷êàõ ïîñðåäñòâîì êîìàíä

iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F PREROUTING -t nat
iptables -F POSTROUTING -t nat

Ïîëèòèêè ïî óìîë÷àíèþ - îòáðàñûâàòü ïàêåòû:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

À äàëåå ïèøó äëÿ icmp:

iptables -A INPUT -p icmp -i ppp0 -d <my_ext_ip> -j ACCEPT

iptables -A OUTPUT -p icmp -o ppp0 -s <my_ext_ip> -j ACCEPT

Ñ ó÷åòîì ðàçëè÷íûõ êîìáèíàöèÿ ñîñòàâëåííûõ ïðàâèë, èìåþ ñëåäóþùèé âûâîä êîìàäû iptables ñ êëþ÷îì L

[admin@Bentley sbin]$ iptables -L INPUT
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 192.168.1.0/24 anywhere
ACCEPT gre -- anywhere ppp-vpdn-85.158.51.108.yarnet.ru
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere ppp-vpdn-85.158.51.108.yarnet.ru
ACCEPT all -- localhost.localdomain anywhere
ACCEPT all -- Bentley anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT icmp -- 192.168.2.2 192.168.2.1
ACCEPT icmp -- 85-113-200-155.ip.yaroslavl.ru ppp-vpdn-85.158.51.108.yarnet.ru

[admin@Bentley sbin]$ iptables -L OUTPUT
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT icmp -- ppp-vpdn-85.158.51.108.yarnet.ru anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT icmp -- 192.168.2.1 192.168.2.2
ACCEPT icmp -- ppp-vpdn-85.158.51.108.yarnet.ru 85-113-200-155.ip.yaroslavl.ru

[admin@Bentley sbin]$ iptables -L FORWARD
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere 192.168.1.2
ACCEPT tcp -- 192.168.1.2 anywhere
ACCEPT tcp -- anywhere 192.168.1.2
ACCEPT tcp -- 192.168.1.2 anywhere
ACCEPT udp -- anywhere 192.168.1.2
ACCEPT udp -- 192.168.1.2 anywhere
ACCEPT udp -- anywhere 192.168.1.2
ACCEPT udp -- 192.168.1.2 anywhere

[admin@Bentley sbin]$ iptables -L PREROUTING -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere ppp-vpdn-85.158.51.108.yarnet.rutcp dpt:51234 to:192.168.1.2
DNAT udp -- anywhere ppp-vpdn-85.158.51.108.yarnet.ruudp dpt:51234 to:192.168.1.2

[admin@Bentley sbin]$ iptables -L POSTROUTING -t nat
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT tcp -- anywhere anywhere to:85.158.51.108
SNAT udp -- anywhere anywhere to:85.158.51.108

Èçíóòðè íàðóæó ïèíã èäåò, ñíàðóæè íå ïðîõîäèò...
Ïîìîãèòå ïîæàëóéñòà ðàçîáðàòüñÿ.... Ìîæåò äëÿ pptp è ppp äîëæíû áûòü êàêèå-òî îñîáûå íàñòðîéêè â iptables? Íóæíî ëò äëÿ INPUT ðàçðåøàòü ê ïðèìåðó GRE?

Äëÿ íà÷àëà õîòåëîñü áû, ÷òîáû ðîóòåð (ASUS WL500GPv2) ìîæíî áûëî ñíàðóæè ïèíãàíóòü.Äîñòàòî÷íî îäíîé êîìàíäû:
iptables -I INPUT -p icmp -j ACCEPT

Âî-ïåðâûõ, áóäåò ïîíÿòíåå, åñëè âû âûïîëíèòå ýòè êîìàíäû


iptables -L -nv
iptables -L -nv -t nat

Âî-âòîðûõ, áóäåò ëåã÷å ÷èòàòü, åñëè âû ðåçóëüòàò èõ âûïîëíåíèÿ çàêëþ÷èòå â òåã [CODE].

Êîëëåãè, äîáðîãî äíÿ!

Óìó÷àëñÿ óæå, íàñòðàèâàÿ iptables. È âåäü íàñòðàèâàòü ðàíüøå ïðèõîäèëîñü, ìîæåò ïîäçàáûë ÷åãî..

Äëÿ íà÷àëà õîòåëîñü áû, ÷òîáû ðîóòåð (ASUS WL500GPv2) ìîæíî áûëî ñíàðóæè ïèíãàíóòü. Ïåðåáðàë âñå âîçìîæíûå âàðèàíòû ñ öåïî÷êàìè INPUT è OUTPUT - íåò ïèíãà è âñå.

Ðîóòåð ïîäêëþ÷àåòñÿ ê ïðîâàéäåðó ïî PPTP, ò.î ïîÿâëÿåòñÿ âèðò. èíòåðôåéñ ppp0.

Äëÿ ÷èñòîòû ýêñïåðèìåíòà óáðàë âñå ñóùåñòâóþùèå ïðàâèëà â öåïî÷êàõ ïîñðåäñòâîì êîìàíä

iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F PREROUTING -t nat
iptables -F POSTROUTING -t nat

Ïîëèòèêè ïî óìîë÷àíèþ - îòáðàñûâàòü ïàêåòû:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

À äàëåå ïèøó äëÿ icmp:

iptables -A INPUT -p icmp -i ppp0 -d <my_ext_ip> -j ACCEPT

iptables -A OUTPUT -p icmp -o ppp0 -s <my_ext_ip> -j ACCEPT

Ñ ó÷åòîì ðàçëè÷íûõ êîìáèíàöèÿ ñîñòàâëåííûõ ïðàâèë, èìåþ ñëåäóþùèé âûâîä êîìàäû iptables ñ êëþ÷îì L

[admin@Bentley sbin]$ iptables -L INPUT
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 192.168.1.0/24 anywhere
ACCEPT gre -- anywhere ppp-vpdn-85.158.51.108.yarnet.ru
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere ppp-vpdn-85.158.51.108.yarnet.ru
ACCEPT all -- localhost.localdomain anywhere
ACCEPT all -- Bentley anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT icmp -- 192.168.2.2 192.168.2.1
ACCEPT icmp -- 85-113-200-155.ip.yaroslavl.ru ppp-vpdn-85.158.51.108.yarnet.ru

[admin@Bentley sbin]$ iptables -L OUTPUT
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT icmp -- ppp-vpdn-85.158.51.108.yarnet.ru anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT icmp -- 192.168.2.1 192.168.2.2
ACCEPT icmp -- ppp-vpdn-85.158.51.108.yarnet.ru 85-113-200-155.ip.yaroslavl.ru

[admin@Bentley sbin]$ iptables -L FORWARD
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere 192.168.1.2
ACCEPT tcp -- 192.168.1.2 anywhere
ACCEPT tcp -- anywhere 192.168.1.2
ACCEPT tcp -- 192.168.1.2 anywhere
ACCEPT udp -- anywhere 192.168.1.2
ACCEPT udp -- 192.168.1.2 anywhere
ACCEPT udp -- anywhere 192.168.1.2
ACCEPT udp -- 192.168.1.2 anywhere

[admin@Bentley sbin]$ iptables -L PREROUTING -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere ppp-vpdn-85.158.51.108.yarnet.rutcp dpt:51234 to:192.168.1.2
DNAT udp -- anywhere ppp-vpdn-85.158.51.108.yarnet.ruudp dpt:51234 to:192.168.1.2

[admin@Bentley sbin]$ iptables -L POSTROUTING -t nat
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT tcp -- anywhere anywhere to:85.158.51.108
SNAT udp -- anywhere anywhere to:85.158.51.108

Èçíóòðè íàðóæó ïèíã èäåò, ñíàðóæè íå ïðîõîäèò...
Ïîìîãèòå ïîæàëóéñòà ðàçîáðàòüñÿ.... Ìîæåò äëÿ pptp è ppp äîëæíû áûòü êàêèå-òî îñîáûå íàñòðîéêè â iptables? Íóæíî ëò äëÿ INPUT ðàçðåøàòü ê ïðèìåðó GRE?


À ãàëî÷êó â web èíòåðôåéñå â ñåêöèè ôàéðâîëäà ñëàáî ïîñòàâèòü :)

Ðåøèë ñäåëàòü æóðíàëèðîâàíèå òðàôèêà ÷åðåç ulog-acctd íà DIR-320. Äî ýòîãî çàâåë fprobe + flow-capture, ðàáîòàåò çàìå÷àòåëüíî, ëîãè ïàðñÿòñÿ íà äðóãîé ìàøèíå, íî òàêàÿ ñèñòåìà íå óñòðàèâàåò ïî ðÿäó ïðè÷èí.
Èòàê, â ðåïàõ áûë òîëüêî ïàêåò ulogd, íî äëÿ åãî ðàáîòû òðåáóåòñÿ ÁÄ, ïîýòîìó ðåøèë ñîáðàòü ulog-acctd èç èñõîäíèêîâ. Ñîáðàëîñü, çàïóñòèëîñü - âèñèò â ïàìÿòè, æäåò ëîãîâ îò iptables.

Äàëåå äàþ êîìàíäó

iptables --append FORWARD -j ULOG --ulog-nlgroup 1 --ulog-cprange 48 --ulog-qthr
eshold 50 --ulog-prefix "FORWARD"
à îíî ìíå

iptables v1.3.8: Unknown arg `--ulog-nlgroup'
Try `iptables -h' or 'iptables --help' for more information.

Îïûòíûì ïóòåì âûÿñíèëîñü, ÷òî îíî ðóãàåòñÿ äàæå áåç ïàðàìåòðîâ ULOG:

[root@erouter root]$ iptables -A FORWARD -j ULOG
iptables v1.3.8: Couldn't load target `ULOG':File not found

Try `iptables -h' or 'iptables --help' for more information.
Ñëåäîâàòåëüíî, êàê ÿ ïîíÿë, â iptables âîîáùå íåò ïîääåðæêè ULOG.
Êàê áûòü? Áûòü ìîæåò åñòü ñïîñîá ïåðåñîáðàòü iptables, èëè îòïðàâëÿòü òðàôèê â ulog-acctd êàêèì-òî äðóãèì ñïîñîáîì?
Ïðîáîâàë ñîáðàòü ïîñëåäíþþ âåðñèþ iptables (v1.4.6), ñîáèðàåòñÿ âðîäå íîðìàëüíî, íî ïîñëå óñòàíîâêè íå ðàáîòàåò.

Ïîêîâûðÿâøèñü âûÿñíèë, ÷òî äëÿ ìîåé öåëè (äëÿ ïåðåñáîðà iptables) ïðèäåòñÿ ïåðåñîáèðàòü ïðîøèâêó ñàìîñòîÿòåëüíî. Ñîáñòâåííî, ïî ìàíóàëó (http://code.google.com/p/wl500g/wiki/CompilingCustomFirmware) âñå îñèëèë, âñå ñîáèðàåòñÿ, âîò òîëüêî íå ïîéìó, ãäå è íà êàêîì ýòàïå ìîæíî óêàçàòü ïàðàìåòðû ñáîðêè îòäåëüíîãî ïàêåòà, â äàííîì ñëó÷àå - iptables ?  òàðáîëå iptables ëåæàò âñå íóæíûå ìîäóëè, â ò.÷. è ulog, íî ïîñëå ñáîðêè ïðîøèâêè iptables îïÿòü îêàçûâàåòñÿ áåç ïîääåðæêè ulog.

Ñî âñåì óäàëîñü ðàçîáðàòüñÿ ñàìîñòîÿòåëüíî. Ñàì ñïðîñèë - ñàì îòâå÷àþ :) Ðàñïèøó ïîäðîáíî, êàê è ÷òî äåëàë, ìîæåò êîìó ïðèãîäèòñÿ.

Èòàê, êàê âûÿñíèëîñü, äëÿ ðàáîòû ULOG íå äîñòàòî÷íî ñîáðàòü iptables íóæíûì îáðàçîì, òàêæå íåîáõîäèìî ñîáðàòü ÿäðî ñ íóæíûìè ïàðàìåòðàìè.

Äåëàåòñÿ âñå îïèðàÿñü íà ýòîò (http://code.google.com/p/wl500g/wiki/CompilingCustomFirmware?wl=ru) ìàíóàë ñ íåêîòîðûìè äîïîëíåíèÿìè, à èìåííî:

Âûïîëíÿåì âñå ïî ìàíóàëó äî ïóíêòà 4.1. Ìóæäó ïóíêòàìè 4.1 è 4.2 íóæíî ñäåëàòü äâå âåùè:

1. îòêðûâàåì ôàéë /whatever-you-want/broadcom/src/gateway/iptables/extensions/Makefile, ñàìîé ïåðâîé íåçàêîììåíòèðîâàííîé ñòðî÷êîé òàì áóäåò ÷òî-òî âðîäå

PF_EXT_SLIB:=tcp udp mac standard state SNAT DNAT REDIRECT REJECT MASQUERADE TCPMSS LOG autofw mark MARK length limit tcpmss icmp TTL ttl TARPIT MIRROR connlimit conntrack connmark CONNMARK multiport CLASSIFY NETMAP time nth psd random quota TOS tos
Äîáàâèì ñþäà ïàðàìåòð ULOG, ÿ ýòî ñäåëàë ñðàçó ïîñëå ïàðàìåòðà LOG, âîò ÷òî ïîëó÷èëîñü:

PF_EXT_SLIB:=tcp udp mac standard state SNAT DNAT REDIRECT REJECT MASQUERADE TCPMSS LOG ULOG autofw mark MARK length limit tcpmss icmp TTL ttl TARPIT MIRROR connlimit conntrack connmark CONNMARK multiport CLASSIFY NETMAP time nth psd random quota TOS tos

2. Ïåðåõîäèì â äèðåêòîðèþ /whatever-you-want/broadcom/src/linux/linux-2.4.37.7 è çàïóñêàåì êîíôèãóðàòîð ÿäðà:

make menuconfig
×åðåç ïñåâäî-ãðàôè÷åñêîå ìåíþ äîáèðàåìñÿ äî ïóíêòà
Networking Options ->
IP: Netfilter Configuration ->
è âêëþ÷àåì îïöèþ ULOG target support
(ÿ âûáðàë ñòàòè÷åñêè (*), íî ìîæíî, íàâåðíîå, è äèíàìè÷åñêè â âèäå ìîäóëÿ (M)).
Æìåì íåñêîëüêî ðàç Exit äëÿ âûõîäà, è â êîíöå, êîãäà îíî ïðåäëàãàåò ñîõðàíèòü êîíôèãóðàöèþ, ñîãëàøàåìñÿ (Yes).
Âñå, äàëåå âñå âûïîëíÿåì ïî ìàíóàëó, ò.å. íà÷èíàÿ ñ ïóíêòà 4.2 è äî êîíöà, è íà âûõîäå ïîëó÷àåì ïðîøèâêó ñ ïîëíîñòüþ ðàáî÷èì ULOG'îì.
Ýëåìåíòàðíî ;)

Ïîñëå ïðàçäíèêîâ, êîãäà ïîÿâèòñÿ Ëåîíèä, ÿ äóìàþ èìååò ñìûñë ïîïðîñèòü åãî â òåìå ïðî ïðîøèâêó ýíòóçèàñòîâ äîáàâèòü â îñíîâíóþ âåòêó ñáîðêó ýòîé øòóêè â âèäå âíåøíåãî ìîäóëÿ. ß äóìàþ âîçðàæåíèé áûòü íå äîëæíî (ò.ê. ñîáèðàåòñÿ è ðàáîòàåò ;) )

Ê ïîñëå-ïðàçäíèêàì äîáàâèì âíåøíèì ìîäóëåì
Ñïàñèáî çà ïðîâåðêó ðàáîòîñïîñîáíîñòè

Áóäó ðàä :)

Âîøëî â r1023 (http://code.google.com/p/wl500g/source/detail?r=1023).

Ñïàñèáî!

Âîçìîæíî ãëóïûé âîïðîñ: à êîãäà îáíîâèòñÿ âåðñèÿ íà ãëàâíîé ñòðàíèöå ïðîåêòà íà ãóãëîêîäå? À òî òàì äî ñèõ ïîð ëåæèò 1.9.2.7-d-r1000

Ïûòàëñÿ èñïîëüçîâàòü àíàëîãè÷íóþ êîíñòðóêöèþ äëÿ ôîðìèðîâàíèÿ ñâîåãî ðîäà ïðîêñè ê àñüêå.



iptables -I INPUT -p tcp --dport 5190 -j ACCEPT
iptables -t nat -I PREROUTING -p tcp --dport 5190 -j DNAT --to 64.12.202.116:5190
iptables -t nat -I POSTROUTING -p tcp --dst 64.12.202.116 --dport 5190 -j MASQUERADE


Íå ðàáîòàåò...:(

Ïûòàëñÿ èñïîëüçîâàòü àíàëîãè÷íóþ êîíñòðóêöèþ äëÿ ôîðìèðîâàíèÿ ñâîåãî ðîäà ïðîêñè ê àñüêå.

äëÿ àñüêè ïîñòàâüòå 3proxy è áóäåò âàì ñ÷àñòüå ;)

Ïåðèîäè÷åñêè ðàç â íåñêîëüêî äíåé ïàäàåò èíåò (âåðîÿòíî ó ïðîâàéäåðà).
Ïîñëå ïåðåïîäíÿòèÿ ñåññèè pppoe, âåðîÿòíî òàáëèöà îáíîâëåííàÿ ñòàðòîâûì ñêðèïòîì - âîçâðàùàåòñÿ ê äåôîëòíûì íàñòðîéêàì.
Êàê íå äåðãàÿ êðîí, áåç ëèøíèõ ïðîâåðîê, çàñòàâëÿòü ïðè ïåðåïîäêëþ÷åíèÿõ îáíîâëÿòü è iptables??? (Èëè ñîõðàíèòü â nvram??? Õîòÿ áû íà ïðèìåðå ïîðòà 80).

Ïåðèîäè÷åñêè ðàç â íåñêîëüêî äíåé ïàäàåò èíåò (âåðîÿòíî ó ïðîâàéäåðà).
Ïîñëå ïåðåïîäíÿòèÿ ñåññèè pppoe, âåðîÿòíî òàáëèöà îáíîâëåííàÿ ñòàðòîâûì ñêðèïòîì - âîçâðàùàåòñÿ ê äåôîëòíûì íàñòðîéêàì.
Êàê íå äåðãàÿ êðîí, áåç ëèøíèõ ïðîâåðîê, çàñòàâëÿòü ïðè ïåðåïîäêëþ÷åíèÿõ îáíîâëÿòü è iptables??? (Èëè ñîõðàíèòü â nvram??? Õîòÿ áû íà ïðèìåðå ïîðòà 80).

À âû, ñîáñòâåííî, êàê èõ ìåíÿåòå? Ïðàâèëüíûé ñïîñîá - çàãíàòü âñå êîìàíäû â ñêðèïò /usr/local/sbin/post-firewall.

À âû, ñîáñòâåííî, êàê èõ ìåíÿåòå? Ïðàâèëüíûé ñïîñîá - çàãíàòü âñå êîìàíäû â ñêðèïò /usr/local/sbin/post-firewall.
Áîëüøîå ñïàñèáî. ß ïî äóðîñòè ñäåëàë ñòàðòîâûé ñêðèïò S99iptables â ïàïêå /opt/etc/init.d/ :-)
Êîòîðûé åñòåñòâåííî çàïóñêàëñÿ èç post-mount :-D

Ïðîøó ïîìîùè ðàçîáðàòüñÿ ñ iptables.
Ñèòóàöèÿ:
. OpenVPN-ñîåäèíåíèå ìåæäó ðîóòåðîì ASUS è âíåøíèì ñåðâåðîì SERVER
. Ðîóòåð ÿâëÿåòñÿ êëèåíòîì

Òðåáóåòñÿ:
. Èìåòü äîñòóï ñ SERVER íà êîìïüþòåðû â ëîêàëüíîé ñåòè, ÷òî çà ASUS.

×òî èìååòñÿ óæå:
Ñ ñåðâåðà ìîæíî ïðèñîåäèíèòüñÿ ê ñàìîìó ðîóòåðó:

filimonov@serverx:~$ ping 172.20.3.1
PING 172.20.3.1 (172.20.3.1) 56(84) bytes of data.
64 bytes from 172.20.3.1: icmp_seq=1 ttl=64 time=251 ms
64 bytes from 172.20.3.1: icmp_seq=2 ttl=64 time=15.6 ms
64 bytes from 172.20.3.1: icmp_seq=3 ttl=64 time=15.2 ms

filimonov@serverx:~$ sudo tracert 172.20.3.1
traceroute to 172.20.3.1 (172.20.3.1), 30 hops max, 40 byte packets
1 172.20.3.1 (172.20.3.1) 15.881 ms 29.723 ms 29.816 ms

filimonov@serverx:~$ sudo telnet 172.20.3.1 5190 (òàì SSH)
Trying 172.20.3.1...
Connected to 172.20.3.1.
Escape character is '^]'.
SSH-2.0-dropbear_0.50


Òàáëèöà ìàðøðóòîâ íà SERVERX

filimonov@serverx:~$ sudo route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.0.2.1 * 255.255.255.255 UH 0 0 0 venet0
10.0.0.2 * 255.255.255.255 UH 0 0 0 tun0
10.0.0.0 10.0.0.2 255.255.255.0 UG 0 0 0 tun0
172.20.3.0 10.0.0.2 255.255.255.0 UG 0 0 0 tun0
default 192.0.2.1 0.0.0.0 UG 0 0 0 venet0


Ïðîøó ïîìîùè!

Åñòü ðîóòåð ñ dual access
èíòåðôåéñ ñ èíåòîì ppp0 c âíåøíèì IP
â ñåòè NAT ïîäíÿò VPN ñåðâåð
Íàäî ñäåëàòü òàê ÷òîáû ê íåìó ìîæíî áûëî ïîäêëþ÷àòüñÿ ïðè îáðàùåíèè íà âøåííèé IP
Íàñêîëüêî ÿ ñåáå ïðåäñòàâëÿþ íàäî ïðîêèíóòü ïîðò tcp 1723 äëÿ VPN ïîðò udp 500 äëÿ àâòîðèçàöèè vpn è gre
Íî ìàëî òîãî íàäî åùå è êàê òî ðåàëèçîâàòü íîðìàëüíûå îòâåòû VPN ñåðâåðà...
Âîáùåì î÷åíü íàäåþñü ÷òî îáùèìè ñèëàìè ýòîò âîïðîñ ïîëó÷èòñÿ ðåøèòü..
À òî ïåðåðûë óæå êó÷ó ìàíóàëîâ ïî ëèíóêñó è íàñòðîéêå iptables íî ñâîèì óìîì òàê è íå ñìîã äîéòè äî òîãî êàê ïîáåäèòü ýòó ïðîáëåìó

ïîêà ó ìåíÿ åñòü ïðàâèëà òîëüêî âîò òàêèå

iptables -t nat -i ppp0 -I PREROUTING -p tcp --dport 1723 -j DNAT --to 192.168.1.3:1723
iptables -I FORWARD -p tcp -d 192.168.1.3 --dport 1723 -j ACCEPT
iptables -t nat -i ppp0 -I PREROUTING -p 47 -j DNAT --to 192.168.1.3
iptables -I FORWARD -p 47 -d 192.168.1.3 -j ACCEPT
iptables -t nat -i ppp0 -I PREROUTING -p udp --dport 500 -j DNAT --to 192.168.1.3:500
iptables -I FORWARD -p udp -d 192.168.1.3 --dport 500 -j ACCEPT

íî åñòü ïîäîçðåíèå, ÷òî îíè òîæå íå ïðàâèëüíûå.. âñåðàâíî íè÷åãî íå ðàáîòàåò :-)

Äëÿ àâòîðèçàöèè íè÷åãî ïåðåíàïðàâëÿòü íå íàäî. Êàê ÿ ïîíÿë åñòü pptp ñåðâåð, äëÿ íåãî äîñòàòî÷íî ÷åðåç âåá èíòåðôåéñ ðîóòåðà ïåðåíàïðàâèòü ïîðò 1723. Âî âñÿêîì ñëó÷àå ó ìåíÿ ðàáîòàåò èìåííî òàê.

âñå áû íè÷åãî åñëè áû òîëüêî íå îäíî íî...
ó ìåíÿ dd-wrt à ó íèõ ìåðòâûé ôîðóì..
iptables âåäü âñåì íóæåí.. âîò ÿ è îáðàòèëñÿ ñþäà.

Подcскажите, плз, как добавить модуль?

ïðîñòèòå çà íåêðîïîñò, íî ýòî âðîäå êàê åäèíñòâåííàÿ òåìà ïðî Iptables.

ñòîèò çàäà÷à îãðàíè÷èòü âíåøíèé äîñòóï ê æåëåçêå.
ñ âíåøíåãî àäðåñà (èçâåñòíîãî) ïîëó÷èòü äîñòóï ê âåá èíòåðôåéñó ìîäåìà,
âåá èíòåðôåéñó òîððåíòà è åñòåñòâåííî SSH èçâíå ñ ëþáîãî àäðåñà.
âñå îñòàëüíûå äîñòóïû ïåðåêðûòü.

äîñòóï èçíóòðè íàðóæó îñòàâèòü îòêðûòûì.

ÿ â íàñòðîéêå Iptables ñîâñåì ÷àéíèê. íå ñóäèòå ñòðîãî.
ïîêà ÷òî ó ìåíÿ òîêà 2 ñòðî÷êè...
iptables -I INPUT -s (àäðåñ âíåøíåãî èñòî÷íèêà) -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 51778 -j ACCEPT

ssh îòêðûò âðîäå êàê, ñòîèò ëè ïåðåêðûâàòü òåëíåò?

çàðàíåå ñïàñèáî çà ñîâåòû.

âíåñ èçìåíåíèÿ

iptables -I INPUT -s (àäðåñ âíåøíåãî èñòî÷íèêà) -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp --dport 80 -j DROP

ïðè çàïðîñå èçâíå âûâîäèò äåôîëòíóþ ñòðàíè÷êó lighttpd òèïà:
Îñíîâíûå ïðîãðàììû ïðè óñòàíîâêå ñ ôîðìàòèðîâàíèåì ("Äæåíòåëüìåíñêèé" íàáîð): --- èòä...

è ïåðåêðûâàåòñÿ äîñòóï èçâíå ñ ðàçðåøåííîãî àäðåñà íà âåá èíòåðôåéñû òîððåíòà, è òä.

ãäå ÿ íàêîñÿ÷èë?

ïðîñòèòå çà íåêðîïîñò, íî ýòî âðîäå êàê åäèíñòâåííàÿ òåìà ïðî Iptables.

ñòîèò çàäà÷à îãðàíè÷èòü âíåøíèé äîñòóï ê æåëåçêå.
ñ âíåøíåãî àäðåñà (èçâåñòíîãî) ïîëó÷èòü äîñòóï ê âåá èíòåðôåéñó ìîäåìà,
âåá èíòåðôåéñó òîððåíòà è åñòåñòâåííî SSH èçâíå ñ ëþáîãî àäðåñà.
âñå îñòàëüíûå äîñòóïû ïåðåêðûòü.

äîñòóï èçíóòðè íàðóæó îñòàâèòü îòêðûòûì.

ÿ â íàñòðîéêå Iptables ñîâñåì ÷àéíèê. íå ñóäèòå ñòðîãî.
ïîêà ÷òî ó ìåíÿ òîêà 2 ñòðî÷êè...
iptables -I INPUT -s (àäðåñ âíåøíåãî èñòî÷íèêà) -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 51778 -j ACCEPT

ssh îòêðûò âðîäå êàê, ñòîèò ëè ïåðåêðûâàòü òåëíåò?

çàðàíåå ñïàñèáî çà ñîâåòû.

Âàì íóæíî ÷òî-òî âðîäå


iptables -P INPUT DROP
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -s àäðåñ_âíåøíåãî_èñòî÷íèêà -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -s àäðåñ_âíåøíåãî_èñòî÷íèêà -p tcp -m tcp --dport 8080 -j ACCEPT

Âñåì ïðèâåò!

Íå ïîíèìàþ, ÷åì


iptables -t mangle -A PREROUTING -s 192.168.0.2 -j MARK --set-mark 1
ip rule add fwmark 1 table 1

îòëè÷àåòñÿ îò

ip rule add from 192.168.02 table 1
?

ïåðâîå íå ðàáîòàåò, âòîðîå ðàáîòàåò.
â table 1 - îäíà ñòðî÷êà, çàâîðîò òðàôèêà íà îïðåäåëåííûé èíòåðôåéñ.

Åùå íå ïîíèìàþ, ïî÷åìó åñëè ñäåëàòü

iptables -t mangle -A PREROUTING -d 192.168.0.2 -j LOG --log-prefix "mangle: "
iptables -t nat -A PREROUTING -d 192.168.0.2 -j LOG --log-prefix "nat: "

è ïîïûòàòüñÿ ñ 192.168.0.2 âûéòè íà êàêîé ëèáî ñàéò, òî â ëîãàõ âèäíû òîëüêî ïàêåòû (îòâåòû ñàéòà) èç òàáëèöû mangle, äî nat îíè íå äîõîäÿò òàêîå îùóùåíèå, êàê ýòî ìîæåò áûòü, íå ïîíèìàþ.

Åñëè æå èç èíòåðíåòà ïîïðîáîâàòü çàéòè íà 192.168.0.2 - âèäíî è mangle è nat.

Âîîáùå èçíà÷àëüíî çàäà÷à áûëà òàêàÿ - åñòü 2 èíòåðôåéñà, ppp0 è ppp1. default gw - ppp1. Íàäî ÷òîáû 192.168.0.2 áûë äîñòóïåí ïî 80ó ïîðòó ïî ppp0

Âñåì ïðèâåò.

asus wl520gu, ïðîøèâêà îò ýíòóçèàñòîâ.


[root@WL-485B39175DEB root]$ ip rule list
0: from all lookup local
32764: from 192.168.0.2 lookup 2
32765: from all fwmark 1 lookup 1
32766: from all lookup main
32767: from all lookup 253


[root@WL-485B39175DEB root]$ ip route list table 1
default dev ppp0 scope link

[root@WL-485B39175DEB root]$ ip route list table 2
default dev ppp0 scope link

[root@WL-485B39175DEB root]$ iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
MARK all -- 192.168.0.2 anywhere MARK set 0x1
... (îñòàëüíîå â mangle ïóñòî)


 ýòîì ñëó÷àå âñå ðàáîòàåò êàê íàäî, âñå õîäÿò ïî óìîë÷àíèþ ÷åðåç ppp1, à 192.168.0.2 õîäèò ÷åðåç ppp0
íî ñòîèò óáðàòü èç ip rule ñòðî÷êó from 192.168.0.2 lookup 2, êàê 192.168.0.2 âîîáùå ïåðåñòàåò õîäèòü â èíòðåíåò.

ñòàâèë â "ip route table 2" ïåðåíàïðàâëåíèå íà äðóãîé èíòåðôåéñ (íå ppp0 èëè ppp1) è ñìîòðåë, åñòü ëè òàì ÷òî-òî îò 192.168.0.2 - íåòó
Ñèñòåìà - ðîóòåð asus wl520gu

ïî÷åìó ìåíÿ íå óñòðàèâàåò ïåðâûé âàðèàíò, êîãäà ïðîïèñàíî from 192.168.0.2 - ïîòîìó ÷òî ÿ õî÷ó ÷òîáû 192.168.0.2 õîäèë â èíòåðíåò ÷åðåç ppp1, à âîò òî, ÷òî èäåò ñ åãî 80ãî ïîðòà - øëî ÷åðåç ppp0. Íî ñäåëàòü ýòî, åñëè çàñòàâèòü ðàáîòàòü iproute2 òîëüêî ïî fwmark - 5 ñåêóíä.

âû çàäà÷ó êàê-òî çàäîì-íàïåðåä îïèñûâàåòå!!!

÷òî çíà÷èò "âñå ÷òî ñ åãî 80-ãî ïîðòà"?????

âû õîòèòå, ÷òîáû ê âàøåìó Web ñåðâåðó, êîòîðûé íàõîäèòñÿ íà 80-ì ïîðòó 192.168.0.2 îáðàùàëèñü ÷åðåç èíòåðôåéñ ppp0 ????

òàê?

Âñåì ïðèâåò.

Âû åùå òðåòüþ òåìó ñîçäàéòå ïî ýòîé ïðîáëåìå.
Áóäåòå ïðîäîëæàòü - ïîåäåòå âî "Ôëóäèëüíþ".

âû çàäà÷ó êàê-òî çàäîì-íàïåðåä îïèñûâàåòå!!!

÷òî çíà÷èò "âñå ÷òî ñ åãî 80-ãî ïîðòà"?????

âû õîòèòå, ÷òîáû ê âàøåìó Web ñåðâåðó, êîòîðûé íàõîäèòñÿ íà 80-ì ïîðòó 192.168.0.2 îáðàùàëèñü ÷åðåç èíòåðôåéñ ppp0 ????

òàê?

Äà. Ýòî è õî÷ó. Íî è õî÷ó ïîíÿòü ïî÷åìó íå ðàáîòàåò â òîì âàðèàíòå, êîòîðûé ÿ îïèñàë

vectorm ïðèíîøó èçâèíåíèÿ, ðåàëüíî ãîëîâà óæå êðóãîì îò ýòîãî :(

Ìîæåò áûòü êòî-òî ñòàëêèâàëñÿ ñ òàêîé ïðîáëåìîé?
Èñõîäíûå:
1. Ðîóòåð 1 RT-N16 (ïðîøèâêà 1.9.2.7-rtn-r1764) IP 172.XX.XX.2 ðàáîòàåò êàê îñíîâíîé.
2. Ðîóòåð 2 WL500gpV2 (OpenWRT Backfire â ðåæèìå bridged client) IP 172.XX.XX.100- íà íåì ïîäíÿò IPSEC c óäàëåííîé âíóòðåííåé ñåòüþ 192.168.XX.0. IPSEC íàïðàâëÿåò ïàêåòû â äîìàøíþþ ñåòü 172.XX.XX.0/24.
3. ×òîáû íàïðàâèòü ïàêåòû ñ ðîóòåðà 1 íà IPSEC èñïîëüçóþ
route add -net 192.168.XX.0 netmask 255.255.255.0 gw 172.XX.XX.100
4. Âñå ðàáîòàåò, íî ïîíèìàþ, ÷òî ýòî íå ïðàâèëüíî è íóæíî ïðîïèñàòü à iptables
Âîïðîñ: Êàê, ÷òîáû íå íà îäèí IP à íà âñþ ñåòü 192.168.XX.0?

Êîìðàäû, ïîìîãèòå, âåñü ìîçã ñëîìàë óæå.
Çàäà÷à: ïî àäðåñó õõõ.õõõ.õõõ.õõõ ñòîèò è ðàáîòàåò SSH ñåðâåð íà ïîðòó tcp3033.
Ðîóòåð WL500gpv2 ñ ïðîøèâêîé 1.9.2.7-d-r1445 è âíåøíèì àäðåñîì óóó.óóó.óóó.óóó.
Ñ ðîóòåðà äåëàþ òåëíåò - âñå îê.

[root@router root]$ telnet õõõ.õõõ.õõõ.õõõ 3033
SSH-2.0-1.2.2 VShell

íî ñ êîìïüþòåðà â ëîêàëêå ðàáîòàþùåãî ïî wifi ñ àäðåñîì 192.168.1.101 - òåëíåò íå ïðîõîäèò.

ñìîòðèì iptables:

Chain PREROUTING (policy ACCEPT 8134 packets, 815K bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- any any õõõ.õõõ.õõõ.õõõ anywhere udp dpt:https to:72.14.203.188:5228
0 0 DNAT tcp -- any any õõõ.õõõ.õõõ.õõõ anywhere tcp dpt:https to:72.14.203.188:5228
7200 765K VSERVER all -- any any anywhere óóó.óóó.óóó.óóó

Chain POSTROUTING (policy ACCEPT 13069 packets, 886K bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT udp -- any any anywhere tx-in-f188.1e100.net udp dpt:5228 to:óóó.óóó.óóó.óóó
0 0 SNAT tcp -- any any anywhere tx-in-f188.1e100.net tcp dpt:5228 to:óóó.óóó.óóó.óóó
692 33216 MASQUERADE all -- any vlan1 !óóó.óóó.óóó.óóó anywhere
14 3112 SNAT all -- any br0 192.168.1.0/24 192.168.1.0/24 to:192.168.1.1

Chain OUTPUT (policy ACCEPT 13087 packets, 889K bytes)
pkts bytes target prot opt in out source destination

Chain VSERVER (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- any any anywhere anywhere udp dpt:3478 to:192.168.1.199:3478
0 0 DNAT udp -- any any anywhere anywhere udp dpt:3479 to:192.168.1.199:3479
0 0 DNAT udp -- any any anywhere anywhere udp dpt:3658 to:192.168.1.199:3658


è öåïî÷êà Forward


Chain FORWARD (policy ACCEPT 711 packets, 34128 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- any any õõõ.õõõ.õõõ.õõõ anywhere udp dpt:5228
0 0 ACCEPT tcp -- any any õõõ.õõõ.õõõ.õõõ anywhere tcp dpt:5228
0 0 ACCEPT all -- br0 br0 anywhere anywhere
0 0 DROP all -- any any anywhere anywhere state INVALID
72542 65M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 DROP all -- !br0 vlan1 anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere ctstate DNAT
0 0 DROP all -- any br0 anywhere anywhere


×òî íå òàê? Ïî÷åìó íå ðàáîòàåò ñ ìàøèíû èç ëîêàëêè? Êàê ÿ ïîíèìàþ âåäü ñîåäèíåíèå ïðèõîäèò ñ 192.168.1.101, ìàñêàðàäèòñÿ íà âûõîäå è äàëüøå óñïåøíî ìàñêàðàäèòñÿ è ïðîõîäèò Forward ñî ñòàòóñîì Established. Íî ïî÷åìó æå íå ðàáîòàåò â èòîãå? Ïðè òîì ó ìåíÿ âïå÷àòëåíèå ÷òî ñîåäèíåíèå äàæå óñòàíàâëèâàåòñÿ, íî ïàêåòû íàçàä íå ïðèõîäÿò...

íó íåóæåëè íè ó êîãî èäåé íåòó ãäå ñîáàêà ìîãëà ïîðûòüñÿ? óæå âåñü ìîçã ðàñïëàâëåí.. :(

Ïîäñêàæèòå, ïîæàëóéñòà, êàê ðåàëèçîâàòü ðîóòèíã â çàâèñèìîñòè îò ñåðâèñà?
Íà ðîóòåðå îïóáëèêîâàíû ñëóæáû (SSH, Web-ìîðäà óïðàâëåíèÿ, PPTP ñåðâåð), ñàì ðîóòåð óñòàíàâëèâàåò PPTP ïîäêëþ÷åíèå ê äðóãîé ñåòè, ñîîòâåòñòâåííî 2 ìàðøðóòà ïî óìîë÷àíèþ ÷åðåç vlan1 è ÷åðåç ppp0, ïðè÷åì ìåòðèêà 0 ó ppp0.
Êàê çàñòàâèòü ðîóòåð ïðè îáðàùåíèè ê íåìó íà îïðåäåëåííûå ïîðòû îòâå÷àòü ÷åðåç øëþç íà vlan1 à íå ÷åðåç ppp0?
Íàøåë òàêîå ðåøåíèå, íî áóäåò ëè îíî ðàáîòàòü íà íàøèõ ðîóòåðàõ?

_http://www.linux.org.ru/forum/admin/443040;jsessionid=A5E451EB947FD96BD8BDB61C76966D68 #comment-443774

Ìîæåò áûòü êòî-òî ñòàëêèâàëñÿ ñ òàêîé çàäà÷åé, èëè ïðîñòî èìååò ìûñëè ïî äàííîìó âîïðîñó?

ñìîòðåòü â ñòîðîíó VSERVER ;)

ïîïðîáóé â ðàçäåëå
NAT Setting - Virtual Server
äîáàâèòü ïðîáðîñ,
à äàëåå ãëÿíóòü
Status & Log - Diagnostic Information
:) äóìàþ ïðîñâåòëåíèå íàñòóïèò! 100%
âîò äëÿ ïðèìåðà ïîïðîáîâàë


Chain VSERVER (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8887 to:192.168.200.7:8887

Íå ñîâñåì ïîíÿë, ê ñîæàëåíèþ...
Ìíå ïðîáðîñ êàê òàêîâîé íå íóæåí.
Åñòü ðîóòåð, WAN ñìîòðèò â èíåò ñî ñòàòèêîé + ïîäíèìàåòñÿ PPTP â äðóãóþ ñåòü.
Íà ðîóòåðå îòêðûòû ïîðòû SSH, WEB ìîðäà óïðàâëåíèÿ, è çàïóùåí POPTOP.
Ïîêà PPTP íå ïîäíÿëîñü, èç èíåòà äîñòóïíû âñå óêàçàííûå ïîðòû.
Êàê òîëüêî ïîäíèìàåòñÿ PPTP, òàê øëþçîì ñ ìåòðèêîé 0 ñòàíîâèòñÿ ppp0, ñîîòâåòñòâåííî ïðè îáðàùåíèè ê ðîóòåðó íà åãî "ðîäíîé" âíåøíèé ñòàòè÷åñêèé IP ïîðòû íå äîñòóïíû, ò.ê. ðîóòåð îòâå÷àåò ÷åðåç øëþç PPTP.
Åñëè ÿ äîáàâëÿþ ñòàòè÷åñêèé ìàðøðóò, ÷òîáû íà âòîðîé (ñ êîòîðîãî îñóùåñòâëÿþ äîñòóï) IP ïàêåòû ïðîäîëæàëè õîäèòü ÷åðåç øëþç vlan1 à íå ppp0, òî âñå îòëè÷íî, íî ýòî íå êðàñèâî, ò.ê. äîñòóï ìîæåò ïîíàäîáèòñÿ èç ðàçíûõ ìåñò.
Îò ñþäÿ åäèíñòâåííîå íà ìîé âçãëÿä ðåøåíèå, çàñòàâèòü ðîóòåð ïðè îáðàùåíèè ê íåìó íà îïðåäåëåííûé ïåðå÷åíü ïîðòîâ îòâå÷àòü ÷åðåç øëþç vlan1 à íå ppp0.

õì ÷åò ìíå ýòî íàïîìèíàåò.....

à òî÷íî
ðóñ VPN
äóàë PPTP

êîðî÷å èíåò íà Ðóññêèé ìàíåð, ëîêàë áåç âïí è èíåò ñ âïí. ;) âîïðîñ íåîäíîêðàòíî ïîäûìàëñÿ, è ðåøåíèå íàéäåíî. ÷óòîê ïîèñêîì ïî ôîðóìó ïðîéäèñü :)

Âñå áû íè ÷åãî, åñëè áû MAN íå áûë èíåòîì... :-)
Êîíå÷íî æå ìàðøðóòû äëÿ ïîäñåòè ñäåëàë áû è âñå.
Íî òóò çàãâîçäêà â òîì ÷òî MAN ýòî èíåò, è ìàðøðóòèçèòü íóæíî íà îñíîâàíèè ïîðòà. Êàê ðàç â ïåðâîì ïîñòå ñûëü äàë, òàì íå÷òî ïîäîáíîå ðåàëèçîâàíî. Íî äîëæåí áûòü ïàò÷ íà iptables.
À åñòü îí èëè íåò â íàøèõ ðîóòåðàõ è ìîæíî ëè åãî ïðèêðóòèòü ïîíÿòèÿ íå èìåþ :-) Ïî ýòîìó è èíåòåðåñóþñü, ìîæåò åñòü ó êîãî îïûò?

Âñå áû íè ÷åãî, åñëè áû MAN íå áûë èíåòîì... :-)
Êîíå÷íî æå ìàðøðóòû äëÿ ïîäñåòè ñäåëàë áû è âñå.
Íî òóò çàãâîçäêà â òîì ÷òî MAN ýòî èíåò, è ìàðøðóòèçèòü íóæíî íà îñíîâàíèè ïîðòà. Êàê ðàç â ïåðâîì ïîñòå ñûëü äàë, òàì íå÷òî ïîäîáíîå ðåàëèçîâàíî. Íî äîëæåí áûòü ïàò÷ íà iptables.
À åñòü îí èëè íåò â íàøèõ ðîóòåðàõ è ìîæíî ëè åãî ïðèêðóòèòü ïîíÿòèÿ íå èìåþ :-) Ïî ýòîìó è èíåòåðåñóþñü, ìîæåò åñòü ó êîãî îïûò?

íàâåðíîå íóæíî ñìîòðåòü â ñòîðîíó iptables MARK... ìåòèòü ïàêåòû â çàâèñèìîñòè îò èíòåðôåéñà, áîëåå òî÷íî ê ñîæàëåíèþ íå ïîäñêàæó, â shorewall (÷òî â ñâîþ î÷åðåäü òðàíñëèðóåòñÿ â iptables) ýòî äåëàåòñÿ ëåãêî, ïðàâäà íóæíî óòî÷íèòü, ðàáîòàåò ëè çäåñü ìàðêèðîâêà ïàêåòîâ.

Äà, òîæå ðåøèë ÷òî òóäà ñìîòðåòü íóæíî, íî îïÿòü ïðîáëåìà...
Ýêñïåðèìåíò ñòàâëþ íàä ïîðòîì SSH (22).
Äåëàþ òàê:
#ñîçäàþ ìàðøðóò ÷åðåç íóæíûé GW â òàáëèöå 200.
ip route add default via xx.xx.xx.xx table 200
#äîáàâëÿþ ïðàâèëî ìàðêèðîâàíèÿ èñõîäÿùèõ ïàêåòîâ ñ ðîóòåðà ñ 22 ïîðòà.
iptables -t mangle -A PREROUTING -p tcp -s 10.76.0.1 --sport 22 -j MARK --set-mark 1
#äîáàâëÿþ ïðàâèëî äëÿ âûáîðà òàáëèöû ìàðøðóòîâ äëÿ ìàðêèðîâàííûõ ïàêåòîâ.
ip rule add fwmark 1 table 200
ip route flush cache

Íå ðàáîòàåò.
Äåëàþ âñå òî-æå ñàìîå äëÿ äðóãîãî âíóòðåííåãî IP, ðàáîòàåò.

Ïðîáîâàë èãðàòü ñ IP ðîóòåðà, è 127.0.0.1 è èìÿ ðîóòåðà ïðîáîâàë, íå õî÷åò.  ÷åì ìîæåò áûòü êîñÿê?

Äà, òîæå ðåøèë ÷òî òóäà ñìîòðåòü íóæíî, íî îïÿòü ïðîáëåìà...
Ýêñïåðèìåíò ñòàâëþ íàä ïîðòîì SSH (22).
Äåëàþ òàê:
#ñîçäàþ ìàðøðóò ÷åðåç íóæíûé GW â òàáëèöå 200.
ip route add default via xx.xx.xx.xx table 200
#äîáàâëÿþ ïðàâèëî ìàðêèðîâàíèÿ èñõîäÿùèõ ïàêåòîâ ñ ðîóòåðà ñ 22 ïîðòà.
iptables -t mangle -A PREROUTING -p tcp -s 10.76.0.1 --sport 22 -j MARK --set-mark 1
#äîáàâëÿþ ïðàâèëî äëÿ âûáîðà òàáëèöû ìàðøðóòîâ äëÿ ìàðêèðîâàííûõ ïàêåòîâ.
ip rule add fwmark 1 table 200
ip route flush cache

Íå ðàáîòàåò.
Äåëàþ âñå òî-æå ñàìîå äëÿ äðóãîãî âíóòðåííåãî IP, ðàáîòàåò.

Ïðîáîâàë èãðàòü ñ IP ðîóòåðà, è 127.0.0.1 è èìÿ ðîóòåðà ïðîáîâàë, íå õî÷åò.  ÷åì ìîæåò áûòü êîñÿê?

ß òóò ïîäóìàë, âîçìîæíî âñå ïðîùå, ó âàñ ÷òî åñòü wan? è åùå ïîêàæèòå ôàéë îïöèé pptp ñîåäèíåíèÿ ñ äðóãèì îôèñîì (áåç ëîãèíà ïàðîëÿ è àäðåñà :))

WAN - ñòàòè÷åñêèé IP.
+ PPTP
noauth refuse-eap
user 'xxxx'
password 'xxxx'
plugin pptp.so
pptp_server xxx.server.ru
nomppe-stateful +mppe-128 mtu 1400
maxfail 0
persist
ipcp-accept-remote ipcp-accept-local noipdefault
ktune
default-asyncmap nopcomp noaccomp
novj nobsdcomp nodeflate
lcp-echo-interval 10
lcp-echo-failure 6
unit 0

PS: âåñü òðàôèê èç ëîêàëêè äîëæåí óõîäèòü â ppp0.

ïîõîæå, ÷òî íóæíà ïîääåðæêà CONNMARK â ÿäðå è iptables, ÿäðî, â ñâîþ î÷åðåäü, íóæíî 2.6, ìîæåò êòî ïîïðàâèò ìåíÿ?

Ìåòîäîì ÷òåíèÿ äîêè íà iptables íàøåë ðåøåíèå :-)
Íàïèøó, ìàëî-ëè êîìó ïðèãîäèòñÿ...
#Ñîçäàþ òàáëèöó ìàðøðóòèçàéèè, ãäå xxx.xxx.xxx.xxx - íåîáõîäèìûé gw.
ip route add default via xxx.xxx.xxx.xxx table 200
#Ïðàâèëî ìàðêèðîâêè ïàêåòîâ, êðàñèòü ëþáîé ïàêåò óõîäÿùèé ñ ðîóòåðà ñ àäðåñîì îòïðàâèòåëÿ yyy.yyy.yyy.yyy (ïðèíàäëåæèò èíòåðôåéñó ñ êîòîðîãî íóæíî îòâå÷àòü, ò.å. íà êîòîðûé ïðèøåë çàïðîñ).
iptables -t mangle -A OUTPUT -s yyy.yyy.yyy.yyy -j MARK --set-mark 1
#Ïðèìåíÿòü òàáëèöó ìàðøðóòèçàöèè äëÿ êðàøåíûõ ïàêåòîâ.
ip rule add fwmark 1 table 200
ip route flush cache

Ìîæíî ñäåëàòü äëÿ îïðåäåëåííûõ ïîðòîâ, íî â ñâîåì ñëó÷àå ðåøèë âåñü òðàôèê ïóñòèòü.
Òåìó ìîæíî çàêðûâàòü.

Ãîñïîäà èìååòñÿ ðîóòåð ñ asus wl500w ñ ïðîøèêîâîé îò îëåãà 1.9.2.7-10.
Ïîäñêàæèòå ïîæàëóéñòà êàê ñäåëàòü òàê ÷òîáû ïðàâèëà ñîçäàííûå â êîììàíäíîé ñòðîêå ÷åðåç iptable (à íå ÷åðåç web èíòåðôåéñ) ñîõðàíÿëèñü ïîñëå ïåðåçàãðóçêè ðîóòåðà.

Ïîìåñòèòü (http://oleg.wl500g.info/#postfw) èõ â ôàéë /usr/local/sbin/post-firewall.

Âñåì ïðèâåò,

Èìååì ïðîøèâêó îò ýíòóçèàñòîâ. Íåîáõîäèìî êîìïüþòåðàì â ëîêàëüíîé ñåòè ðàçðåøèòü îòïðàâêó ïî÷òû òîëüêî ÷åðåç îäèí smtp ñåðâåð. Ïîäêëþ÷åíèÿ ê îñòàëüíûì çàðåçàòü.
Âîçìîæíî ëè ýòî êàê-òî êðàñèâî âïèñàòü â ñóùåñòâóþùèå ïðàâèëà.

Ïîäîçðåâàþ, ÷òî ðàç òðàíçèòíûé òðàôèê ðàçðóëèâàòü âñå íàäî â öåïî÷êå FORWARD. Âûâîä iptables -nvL FORWARD â äåôîëòå:


Chain FORWARD (policy ACCEPT 76044 packets, 4682K bytes)
pkts bytes target prot opt in out source destination
6423 2499K ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.0/4
48033 2616K TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
2811K 2306M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 logdrop all -- !br0 ppp0 0.0.0.0/0 0.0.0.0/0
0 0 logdrop all -- !br0 vlan1 0.0.0.0/0 0.0.0.0/0
580 33272 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
0 0 logdrop all -- * br0 0.0.0.0/0 0.0.0.0/0



Ïîêà ìîè èçûñêàíèþ ïðèâåëè ê òàêèì ïðàâèëàì


LAN=br0
iptables -I FORWARD -p TCP -i $LAN -d 0/0 --dport 25 -j DROP
iptables -I FORWARD -p TCP -i $LAN -d $SMTP2 --dport 25 -j ACCEPT
iptables -I FORWARD -p TCP -i $LAN -d $SMTP1 --dport 25 -j ACCEPT


 òàêîì âàðèàíòå íå ðàáîòàåò.
Ìîæåò êòî-òî ñòàëêèâàëñÿ è ïîäñêàæåò êàê ðåàëèçîâàòü èëè íàïðàâèò â íóæíîå ðóñëî

Çàðàíåå ñïàñèáî

2 levgen:



Èìååì ïðîøèâêó îò ýíòóçèàñòîâ. Íåîáõîäèìî êîìïüþòåðàì â ëîêàëüíîé ñåòè ðàçðåøèòü îòïðàâêó ïî÷òû òîëüêî ÷åðåç îäèí smtp ñåðâåð. Ïîäêëþ÷åíèÿ ê îñòàëüíûì çàðåçàòü.


Ïî ïðèâåäåííîìó êîäó smtp-ñåðâåðîâ äâà - $SMTP1 è $SMTP2.
Ïðàâèëà â öåïî÷êàõ âûïîëíÿþòñÿ ïîñëåäîâàòåëüíî, ïîýòîìó ïðàâèëî íîìåð ðàç òóò:



LAN=br0
iptables -I FORWARD -p TCP -i $LAN -d 0/0 --dport 25 -j DROP
iptables -I FORWARD -p TCP -i $LAN -d $SMTP2 --dport 25 -j ACCEPT
iptables -I FORWARD -p TCP -i $LAN -d $SMTP1 --dport 25 -j ACCEPT


íå äàåò âûïîëíèòüñÿ ïðàâèëàì 2 è 3. Ïåðåíåñè åãî â êîíåö è äîëæíî çàðàáîòàòü :)

Ïîðÿäîê ñàìèõ ïðàâèë ìåíÿë. è â íà÷àëî -I è â êîíåö -A öåïî÷êè ïðîáîâàë. ðåçóëüòàò íóëåâîé

Îíî ëèáî ðåæåòñÿ íà ýòîì ïðàâèëå:



iptables -I FORWARD -p TCP -i br0 -d 0/0 --dport 25 -j DROP


ëèáî âñå ïðîïóñêàåòñÿ.

âèäèìî íå ñèëüíî ýòè ïðàâèëà âïèñûâàþòñÿ â default policy

Åñëè ýòî ïðàâèëî:

iptables -I FORWARD -p TCP -i br0 -d 0/0 --dport 25 -j DROP
ñòîèò ïåðâûì, òî îíî ðåæåò âñ¸ îñòàëüíîå ïî 25-ìó ïîðòó, ò.ê. destination ó íåãî - ÂÑÅ.
Ïîêàæè âûâîä êîìàíäû iptables -nvxL FORWARD ïîñëå ïðèìåíåíèÿ òâîèõ ïðàâèë.

PS êñòàòè, êðîìå 25-ãî ïîðòà åñòü åùå 465 (SMTP ïîâåðõ SSL) è 587 (e-mail message submission (SMTP))

Ïîäñêàæèòå êàê â iptables ñäåëàòü ëîãèðîâàíèå ïî ñðàáàòûâàíèþ îïðåäåëåííîãî ïðàâèëà, íàïðèìåð äîñòóï ïî ïîðòó 22? Êàê ñàìî ïðàâèëî ïðîïèñàòü ÿ äóìàþ ñîîáðàæó, âîïðîñ áîëüøå ïî ïàðàìåòðàì ëîãà (ÿ òàê ïîíÿë îí ìîæåò áûòü ðàçíîé ñòåïåíè ïîäðîáíîñòè) è ñàìîå ãëàâíîå ÿ íå ìîãó ïîíÿòü êóäà áóäåò ñîõðàíÿòñÿ ëîã?

Ïîäñêàæèòå êàê â iptables ñäåëàòü ëîãèðîâàíèå ïî ñðàáàòûâàíèþ îïðåäåëåííîãî ïðàâèëà, íàïðèìåð äîñòóï ïî ïîðòó 22? Êàê ñàìî ïðàâèëî ïðîïèñàòü ÿ äóìàþ ñîîáðàæó, âîïðîñ áîëüøå ïî ïàðàìåòðàì ëîãà (ÿ òàê ïîíÿë îí ìîæåò áûòü ðàçíîé ñòåïåíè ïîäðîáíîñòè) è ñàìîå ãëàâíîå ÿ íå ìîãó ïîíÿòü êóäà áóäåò ñîõðàíÿòñÿ ëîã?

Âîò òóò ïî÷èòàé (http://ftp.bspu.unibel.by/pub/NetWorks/Internet/firewall/IPtables.pdf). À ïèøåòñÿ âðîäå â log/kernel/info è â log/messages

Ñåé÷àñ ìàðêèðóþ ïàêåòû ñ ïîìîùüþ öåïî÷êè ïðàâèë â Iptables, íî òàê êàê êîìïüþòåðîâ â ñåòè ìíîãî, òî è ïðàâèë ìíîãî... Ìîæíî ëè ñîêðàòèòü ýòî êàê-íèáóäü äî îäíîãî ïðàâèëà?

Íàïðèìåð òàê

iptables -t mangle -A labels_in -j MARK --set-mark @srcip

Ïðèìåð òîãî, ÷òî ñåé÷àñ ïðîèñõîäèò:

*mangle
:PREROUTING ACCEPT [61197570:39908422354]
:INPUT ACCEPT [1574141:975304771]
:FORWARD ACCEPT [59262832:38892196704]
:OUTPUT ACCEPT [759365:97242599]
:POSTROUTING ACCEPT [60017173:38989130939]
:labels_in - [0:0]
:labels_out - [0:0]
-A PREROUTING -s 192.168.1.0/24 -j labels_out
-A POSTROUTING -d 192.168.1.0/24 -j labels_in
-A labels_in -d 192.168.1.4/32 -j MARK --set-mark 0x68
-A labels_in -d 192.168.1.5/32 -j MARK --set-mark 0x69
-A labels_in -d 192.168.1.6/32 -j MARK --set-mark 0x6a
-A labels_in -d 192.168.1.7/32 -j MARK --set-mark 0x6b
-A labels_in -d 192.168.1.8/32 -j MARK --set-mark 0x6c
-A labels_in -d 192.168.1.9/32 -j MARK --set-mark 0x6d
-A labels_in -d 192.168.1.10/32 -j MARK --set-mark 0x6e
-A labels_in -d 192.168.1.11/32 -j MARK --set-mark 0x6f
-A labels_in -d 192.168.1.12/32 -j MARK --set-mark 0x70
-A labels_in -d 192.168.1.13/32 -j MARK --set-mark 0x71
-A labels_in -d 192.168.1.14/32 -j MARK --set-mark 0x72
-A labels_in -d 192.168.1.15/32 -j MARK --set-mark 0x73
-A labels_in -d 192.168.1.16/32 -j MARK --set-mark 0x74
-A labels_in -d 192.168.1.17/32 -j MARK --set-mark 0x75
-A labels_in -d 192.168.1.18/32 -j MARK --set-mark 0x76
-A labels_in -d 192.168.1.19/32 -j MARK --set-mark 0x77
-A labels_in -d 192.168.1.20/32 -j MARK --set-mark 0x78
-A labels_in -d 192.168.1.21/32 -j MARK --set-mark 0x79
-A labels_in -d 192.168.1.22/32 -j MARK --set-mark 0x7a
-A labels_in -d 192.168.1.23/32 -j MARK --set-mark 0x7b
-A labels_in -d 192.168.1.24/32 -j MARK --set-mark 0x7c
-A labels_in -d 192.168.1.25/32 -j MARK --set-mark 0x7d
-A labels_in -j RETURN
-A labels_out -s 192.168.1.4/32 -j MARK --set-mark 0xcc
-A labels_out -s 192.168.1.5/32 -j MARK --set-mark 0xcd
-A labels_out -s 192.168.1.6/32 -j MARK --set-mark 0xce
-A labels_out -s 192.168.1.7/32 -j MARK --set-mark 0xcf
-A labels_out -s 192.168.1.8/32 -j MARK --set-mark 0xd0
-A labels_out -s 192.168.1.9/32 -j MARK --set-mark 0xd1
-A labels_out -s 192.168.1.10/32 -j MARK --set-mark 0xd2
-A labels_out -s 192.168.1.11/32 -j MARK --set-mark 0xd3
-A labels_out -s 192.168.1.12/32 -j MARK --set-mark 0xd4
-A labels_out -s 192.168.1.13/32 -j MARK --set-mark 0xd5
-A labels_out -s 192.168.1.14/32 -j MARK --set-mark 0xd6
-A labels_out -s 192.168.1.15/32 -j MARK --set-mark 0xd7
-A labels_out -s 192.168.1.16/32 -j MARK --set-mark 0xd8
-A labels_out -s 192.168.1.17/32 -j MARK --set-mark 0xd9
-A labels_out -s 192.168.1.18/32 -j MARK --set-mark 0xda
-A labels_out -s 192.168.1.19/32 -j MARK --set-mark 0xdb
-A labels_out -s 192.168.1.20/32 -j MARK --set-mark 0xdc
-A labels_out -s 192.168.1.21/32 -j MARK --set-mark 0xdd
-A labels_out -s 192.168.1.22/32 -j MARK --set-mark 0xde
-A labels_out -s 192.168.1.23/32 -j MARK --set-mark 0xdf
-A labels_out -s 192.168.1.24/32 -j MARK --set-mark 0xe0
-A labels_out -s 192.168.1.25/32 -j MARK --set-mark 0xe1
-A labels_out -j RETURN
COMMIT

À ìîæíî ëè êàê-íèáóäü äîáàâèòü ôèëüòð flow â iptables ?


>$ tc filter add dev ppp1 ip parent 1: prio 1 flow hash keys nfct-src devisor 1024
Unknown filter "flow", hence option "hash" is unparsable

Не получается добавить правило для iptables

[admin@WL-90E6BA51D379 root]$ iptables -A SECURITY -m length --length 878 -j DROP
iptables: No chain/target/match by that name

Как я понимаю, нет нужного мне модуля -m length
Вопросы:
Как убедится, что модуля действительно нет?
Если его нет, как установить?

P.S.
[admin@WL-90E6BA51D379 root]$ uname -a
Linux WL-90E6BA51D379 2.4.37.10 #1 2010-11-26 21:53:28 MSK mips GNU/Linux

Да и ещё, прошивка Олега, что-то вроде последней или предпоследней. Но дело думаю не в этом.

Заранее спасибо

Ïðèâåò âñåì! Êóïèë asus rt n16 , çàëèë ïðîøèêó Ýíòóçèàñòîâ 1.9.2.7-rtn-r2274 . Ïîäêëþ÷èë ñåòü , ðàáîòàåò. Íî íèãäå íå ìîãó íàéòè èíòñòðóêöèþ ïî íàñòðîéêå ôàåðâîëà.  ÷àñòíîñòè , â êàêîì ôîðìàòå ïðîïèñûâàòü äèàïïàçîíû àéïè àäðåñîâ è ïîðòîâ. Êòî çíàåò , êèíüòå ññûëêó ïëç.

Ïðèâåò âñåì! Êóïèë asus rt n16 , çàëèë ïðîøèêó Ýíòóçèàñòîâ 1.9.2.7-rtn-r2274 . Ïîäêëþ÷èë ñåòü , ðàáîòàåò. Íî íèãäå íå ìîãó íàéòè èíòñòðóêöèþ ïî íàñòðîéêå ôàåðâîëà.  ÷àñòíîñòè , â êàêîì ôîðìàòå ïðîïèñûâàòü äèàïïàçîíû àéïè àäðåñîâ è ïîðòîâ. Êòî çíàåò , êèíüòå ññûëêó ïëç.

1024:1028 - êàê ïðèìåð ïðîáðîñà ïîðòîâ ñ 1024 ïî 1028, Äåëàåòñÿ âñå â NAT Setting/Virtual Server

Ïðèâåò âñåì! Êóïèë asus rt n16 , çàëèë ïðîøèêó Ýíòóçèàñòîâ 1.9.2.7-rtn-r2274 . Ïîäêëþ÷èë ñåòü , ðàáîòàåò. Íî íèãäå íå ìîãó íàéòè èíòñòðóêöèþ ïî íàñòðîéêå ôàåðâîëà.  ÷àñòíîñòè , â êàêîì ôîðìàòå ïðîïèñûâàòü äèàïïàçîíû àéïè àäðåñîâ è ïîðòîâ. Êòî çíàåò , êèíüòå ññûëêó ïëç.
Êàê è ëþáîé ôàéðâîëë íà ëèíóêñå http://www.opennet.ru/docs/RUS/iptables/

Íå ïîäñêàæåòå êàê ÷åðåç IPTables íà ðîóòåðå "ïåðåíàïðàâèòü" ïàêåòû ñ ïîðòà 1234 íà ïîðò 22 (ssh) - òî åñòü â PUTTY ïðîïèñûâàåì ïîðò íàçíà÷åíèÿ 1234, à ïîïàäàåì íà 22 êîòîðûé è ñëóøàåò dropbear ïî óìîë÷àíèþ.

 îáùåì íàâàÿë òàêîå:

iptables -t nat -A PREROUTING -p tcp--dport 1234 -j REDIRECT --to-port 22

Íå íàøåë ïîèñêîì, åñëè áûëî òàêîå, ïðîøó ïðîñòèòü.

Ïîìîãèòå íàñòðîèòü post-firewall.
Íóæíî çàïðåòèòü äîñòóï ê IP 192.168.111.250 ñî âñåõ IP ïîñëå 64-ãî. Íèæåïðèâåäåííûé êîä íå ðàáîòàåò. Ãäå ÿ îáëàæàëñÿ?


#!/bin/sh
iptables -A FORWARD -s 192.168.111.0/26 -d 192.168.111.250 -j ACCEPT
iptables -A FORWARD -d 192.168.111.0/26 -s 192.168.111.250 -j ACCEPT
iptables -A FORWARD -s 192.168.111.0/24 -d 192.168.111.250 -j REJECT
iptables -A FORWARD -s 192.168.111.250 -d 192.168.111.0/24 -j REJECT
Ñ òàêèì ïîñò-ôàéðâîëëîì ê 250-ìó èìåþò äîñòóï âñå (îí ïîäêëþ÷åí ÷åðåç ðîóòåð).

Êàê è ëþáîé ôàéðâîëë íà ëèíóêñå http://www.opennet.ru/docs/RUS/iptables/

Åñëè áû ÿ åùå è Ëèíóêñ çíàë, ìíå áû öåíû íå áûëî:)
À êîíêðåòíåå, êàê óêàçàòü äèàïïàçîí àäðåñîâ ñ 192.168.1.11 ïî 192.168.1.55, è êàê óêàçàòü äèàïïàçîí 213.23.12.0 ñ ìàñêîé 255.255.0.0 ?
Êàê óêàçàòü äèàïïàçîí ïîðòîâ?
Êàê óêàçûâàþòñÿ Ëþáûå àäðåñà è Ëþáûå ïîðòû?
Ïðàâèëà ïðèìåíÿþòñÿ ñîãëàñíî ïîðÿäêó â òàáëèöå èëè ïîðÿäîê íå èìååò çíà÷åíèÿ?

Ïîãóãëè êîìàíäû linux iptables

Ïîãóãëè êîìàíäû linux iptables

À íà ñ÷åò î÷åðåäíîñòè ïðèìåíåíèÿ ïðàâèë? Íàäî äóìàòü áóäåò ñîâåò - Ïîãóãëè "Î÷åðåäíîñòü ïðèìåíåíèÿ ïðàâèë" :)
È êàê ïðîïèñûâàòü Ëþáîé IP è Ëþáîé Ïîðò ?
Ìîæåò êòî çíàåò ïðîøèâêó ñïåöèàëüíî àäàïòèðîâàííóþ íà ôàéåâîë? Íàïðèìåð ÷òîáû ìîæíî áûëî ñîáèðàòü Àéïè àäðåñà â ãðóïïû.

À íà ñ÷åò î÷åðåäíîñòè ïðèìåíåíèÿ ïðàâèë? Íàäî äóìàòü áóäåò ñîâåò - Ïîãóãëè "Î÷åðåäíîñòü ïðèìåíåíèÿ ïðàâèë" :)
È êàê ïðîïèñûâàòü Ëþáîé IP è Ëþáîé Ïîðò ?
Ìîæåò êòî çíàåò ïðîøèâêó ñïåöèàëüíî àäàïòèðîâàííóþ íà ôàéåâîë? Íàïðèìåð ÷òîáû ìîæíî áûëî ñîáèðàòü Àéïè àäðåñà â ãðóïïû.
Ïî ññûëêå ÷òî ÿ äàë íàïèñàíû îòâåòû íà ÂÑÅ âàøè âîïðîñû... Åñëè ëåíü èçó÷àòü ïðåäìåò, òî çà÷åì çàäàâàòüñÿ âîïðîñîì êàê ýòî ñäåëàòü...
Ïðàâèëà ïðèìåíÿþòñÿ â òîì ïîðÿäêå êàê îíè èäóò ...
Íàïðèìåð:
1) Ìíå íóæíî ðåøåíèå ìîåé ïðîáëåìû ...
2) Áëèí ìíå íå äàþò ãîòîâîãî ðåøåíèÿ è çàñòàâëÿþò âíèêàòü âî âñÿêóþ ôèãíþ ...
3) ß íå çàõîòåë âíèêàòü.
 äàííîì ñëó÷àå ïðàâèëà áóäóò ðàáîòàòü òàê:
1) Ñèòóàöèÿ ïîêà íå ïîäõîäèò ïîä ïðàâèëî (ðàç â êîíöå íå ñòîèò îòáðîñèòü ïàêåò ïðîâåðÿåì äàëüøå ïî öåïî÷êå)
2) Òàê è íå ïîäõîäèò ïðàâèëî, äåéñòâóåì êàê â ïóíêòå 1.
3) Òàê è íå íàøëè ïðàâèëî êîòîðîå ïîäõîäèò ê ïàêåòó ... Èäåì êàê â öåïî÷êå ïî óìîë÷àíèþ ïðèíÿòî ...

Ïî ññûëêå ÷òî ÿ äàë íàïèñàíû îòâåòû íà ÂÑÅ âàøè âîïðîñû... Åñëè ëåíü èçó÷àòü ïðåäìåò, òî çà÷åì çàäàâàòüñÿ âîïðîñîì êàê ýòî ñäåëàòü...

Ìíå íå ëåíü, îáû÷íî íàñòðîéêà ôàéåðâîëà ðàçîâàÿ ïðîöåäóðà, íàñòðîèë è çàáûë, çà÷åì æå òðàòèòü êó÷ó âðåìåíè íà ðàçîâûå ïðîöåäóðû. Âåäü îòâåò íà ìîè âîïðîñû çàéìåò ïàðó ñòðîê, à ìû óæå 2 äíÿ ïåðåïèñûâàåìñÿ è îòâåòà ïðÿìîãî ÿ òàê è íå ïîëó÷èë. Ñþäà âåäü ïðèõîäÿò è çà ïîìîùüþ â òîì ÷èñëå. Ïî÷åìó áû ïðîñòî íå íàïèñàòü ÷åëîâåêó ÷òî ôîðìàò äîëæåí áûòü òàêîé-òî , à Ëþáîé àäðåñ íàäî íàïèñàòü òàê-òî.
Ñîððè , íàâåðíîå ìåíÿ íå òàê ïîíÿëè, ìåíÿ èíòåðåñóþò òîëüêî íàñòðîéêè ôàéåðâîëà äîñòóïíûå èç âåá èíòåðôåéñà.

Íå íàøåë ïîèñêîì, åñëè áûëî òàêîå, ïðîøó ïðîñòèòü.

Ïîìîãèòå íàñòðîèòü post-firewall.
Íóæíî çàïðåòèòü äîñòóï ê IP 192.168.111.250 ñî âñåõ IP ïîñëå 64-ãî. Íèæåïðèâåäåííûé êîä íå ðàáîòàåò. Ãäå ÿ îáëàæàëñÿ?


#!/bin/sh
iptables -A FORWARD -s 192.168.111.0/26 -d 192.168.111.250 -j ACCEPT
iptables -A FORWARD -d 192.168.111.0/26 -s 192.168.111.250 -j ACCEPT
iptables -A FORWARD -s 192.168.111.0/24 -d 192.168.111.250 -j REJECT
iptables -A FORWARD -s 192.168.111.250 -d 192.168.111.0/24 -j REJECT
Ñ òàêèì ïîñò-ôàéðâîëëîì ê 250-ìó èìåþò äîñòóï âñå (îí ïîäêëþ÷åí ÷åðåç ðîóòåð).

Íó õîòü íàôèã ïîøëèòå :)

Íó õîòü íàôèã ïîøëèòå :) ëåãêî :)

#!/bin/sh
iptables -I FORWARD -s 192.168.111.0/24 -d 192.168.111.250 -j REJECT
iptables -I FORWARD -s 192.168.111.250 -d 192.168.111.0/24 -j REJECT
iptables -I FORWARD -s 192.168.111.0/26 -d 192.168.111.250 -j ACCEPT
iptables -I FORWARD -d 192.168.111.0/26 -s 192.168.111.250 -j ACCEPT


êëþ÷ -A äîáàâëÿåò ïðàâèëî ê òàáëèöå, íî óâû ïàêåò íå äîõîäèò äî ýòîãî ïðàâèëà - ñðàáàòûâàþò âûøåñòîÿùèå (iptables -nvxL)

ñèòóàöèÿ...
íóæíî ïðîáðîñèòü ñ èíòåðôåéñà vpn ïîðò íà èíòåðôåéñ wan (âíåøíàÿ ëîêàëêà ïðîâàéäåðà)
åñëè íå ñëîæíî ïîäñêàæèòå ñèíòàêñèñ ïðàâèëà

ëåãêî :)

#!/bin/sh
iptables -I FORWARD -s 192.168.111.0/24 -d 192.168.111.250 -j REJECT
iptables -I FORWARD -s 192.168.111.250 -d 192.168.111.0/24 -j REJECT
iptables -I FORWARD -s 192.168.111.0/26 -d 192.168.111.250 -j ACCEPT
iptables -I FORWARD -d 192.168.111.0/26 -s 192.168.111.250 -j ACCEPT


êëþ÷ -A äîáàâëÿåò ïðàâèëî ê òàáëèöå, íî óâû ïàêåò íå äîõîäèò äî ýòîãî ïðàâèëà - ñðàáàòûâàþò âûøåñòîÿùèå (iptables -nvxL)

Ê ñîæàëåíèþ, íå ïîìîãëî.
Òðàôèê, ãóëÿþùèé ïî ëîêàëüíîé ñåòè, âîîáùå íå ïðîñìàòðèâàåòñÿ ôàéâîëëîì? Äåëî â òîì, ÷òî ñåòü èìååò âåñüìà ñïåöèôè÷åñêóþ ñòðóêòóðó:
Íà ðîóòåðå ïîäíÿò DHCP, à IP 250 ïðèñâîåí ìîäåìó. Èç-çà îñîáåííîñòåé ðîóòåðà è ìîäåìà (ðîóòåð íå âèäèòñÿ ìîäåìîì â óïîð) íå ïîëó÷àåòñÿ ïîäêëþ÷èòü åãî, êàê WAN, ïîýòîìó îí ïîäêëþ÷åí ê ðîóòåðó, êàê îäèí èç ó÷àñòíèêîâ âíóòðåííåé ëîêàëêè. Ïðè ýòîì â DHCP ïðîïèñàí øëþç ñ IP 250. È ðàçðåøåííûå IP âûäàþòñÿ òîëüêî îãðàíè÷åííîìó êðóãó êîìïîâ. Âñåì IP áîëüøå 64 íàäî çàêðûòü äîñòóï ê 250-ìó IP.
Âîçìîæíî, ÿ ñèëüíî ñãëóïèë, îñòàâèâ ðåæèì ðàáîòû ðîóòåðà Home Gateway, íàäî áûëî ïîñòàâèòü Router, è òîãäà ïðàâèëà çàðàáîòàþò äëÿ ëîêàëüíîãî òðàôèêà?
Ðîóòåð - N16.
Ïîìîãèòå, ïîæàëóéñòà!

Ê ñîæàëåíèþ, íå ïîìîãëî. È íå ìîãëî ïîìî÷ü.


Òðàôèê, ãóëÿþùèé ïî ëîêàëüíîé ñåòè, âîîáùå íå ïðîñìàòðèâàåòñÿ ôàéâîëëîì? Åñòåñòâåííî, îí îáðàáàòûâàåòñÿ ÑÂÈ×ÅÌ è äî ÏÎ âîîáùå íå äîõîäèò ;)


Äåëî â òîì, ÷òî ñåòü èìååò âåñüìà ñïåöèôè÷åñêóþ ñòðóêòóðó:
Íà ðîóòåðå ïîäíÿò DHCP, à IP 250 ïðèñâîåí ìîäåìó. Èç-çà îñîáåííîñòåé ðîóòåðà è ìîäåìà (ðîóòåð íå âèäèòñÿ ìîäåìîì â óïîð) íå ïîëó÷àåòñÿ ïîäêëþ÷èòü åãî, êàê WAN, ïîýòîìó îí ïîäêëþ÷åí ê ðîóòåðó, êàê îäèí èç ó÷àñòíèêîâ âíóòðåííåé ëîêàëêè. Ýòî ïðîñòî íå ïðàâèëüíîå ïîäêëþ÷åíèå.


Âîçìîæíî, ÿ ñèëüíî ñãëóïèë, îñòàâèâ ðåæèì ðàáîòû ðîóòåðà Home Gateway, íàäî áûëî ïîñòàâèòü Router, è òîãäà ïðàâèëà çàðàáîòàþò äëÿ ëîêàëüíîãî òðàôèêà? Íåò, òîãäà âîîáùå WANà íå áóäåò, à áóäåò òîëüêî ñâè÷ ;)

×òî áû òðàôèê ïðîõîäèë, ÷åðåç ÏÎ, íàäî âûíîñèòü ïîðò ñ ìîäåìîì â îòäåëüíûé vlan, ïî äðóãîìó íèêàê.

Íàðîä, ïîäñêàæèòå ïëèç...
Ïî äóðîñòè/íåâíèìàòåëüíîñòè â post-firewall çàDROPèë âñþ öåïî÷êó INPUT. Åñòåññòâåííî òåïåðü íà ðîóòåð ïîïàñòü íå ìîãó íèêàêèì ñïîñîáîì((
Êàê ëó÷øå èñïðàâèòü ñâîþ ãëóïîñòü?)
 ïðèíöèïå åñòü âîçìîæíîñòü ïîäðóáèòü âíåøíèé âèíò îò ðîóòåðà ê êîìïó è òàì åñòü ñêðèïò â /opt/etc/init.d êîòîðûé ñòàðòóåò òîððåíò. ß ïðîáîâàë â íåãî âñòàâëÿòü òàêîå:
cp /usr/local/sbin/post-firewall /tmp/harddisk/torrent
echo "#!/bin/bash" > /usr/local/sbin/post-firewall
(ïîòîì êîìèò èçìåíåíèé áåç ðåáóòà)
Îêàçàëîñü ÷òî íè÷åãî íå ñêîïèðîâàëîñü íà âíåøíèé âèíò, à çíà÷èò è post-firewall íå ïåðåçàïèñàëñÿ((
Ìîæåò iptables - F INPUT ïðîêàòèò (åñëè çàïèõíóòü â ñêðèïò çàïóñêà òîððåíòà)? Ñáðîñ â äåôîëò óæ î÷åíü íå õî÷åòñÿ äåëàòü

Ìîæåò iptables - F INPUT ïðîêàòèò (åñëè çàïèõíóòü â ñêðèïò çàïóñêà òîððåíòà)? Ñáðîñ â äåôîëò óæ î÷åíü íå õî÷åòñÿ äåëàòü

Ñîáñòâåííî âîïðîñ ñíÿò. Ïðîêàòèëî)

Ñâîèì óìîì íå ìîãó äîéòè ïî÷åìó ê shh íå ïîäêëþ÷èòüñÿ ïî wan.
ssh âèñèò íà 1987 ïîðòó, ïî lan ïîäêëþ÷àåòñÿ.

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:1987
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTAB LISHED
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
SECURITY all -- anywhere anywhere state NEW
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt: bootpc
ACCEPT tcp -- anywhere anywhere tcp dpt:1987 flags: FIN,SYN,RST,ACK/SYN

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTAB LISHED
DROP all -- anywhere anywhere
SECURITY all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere ctstate DNAT
DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain BRUTE (0 references)
target prot opt source destination

Chain MACS (0 references)
target prot opt source destination

Chain SECURITY (2 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere tcp flags:FIN,SYN,R ST,ACK/SYN limit: avg 1/sec burst 5
RETURN tcp -- anywhere anywhere tcp flags:FIN,SYN,R ST,ACK/RST limit: avg 1/sec burst 5
RETURN udp -- anywhere anywhere limit: avg 5/sec bu rst 5
RETURN icmp -- anywhere anywhere limit: avg 5/sec bu rst 5
DROP all -- anywhere anywhere

Chain logaccept (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT all -- anywhere anywhere

Chain logdrop (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
DROP all -- anywhere anywhere


Chain PREROUTING (policy ACCEPT)
target prot opt source destination
VSERVER all -- anywhere xxx

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- !xxx anywhere
MASQUERADE all -- 192.168.1.0/24 192.168.1.0/24

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain VSERVER (1 references)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:27015 to:192.168.1.3:27015
DNAT udp -- anywhere anywhere udp dpt:27015 to:192.168.1.3:27015
DNAT tcp -- anywhere anywhere tcp dpt:5999 to:192.168.1.3:5999
DNAT tcp -- anywhere anywhere tcp dpt:45710 to:192.168.1.1:45710
DNAT udp -- anywhere anywhere udp dpt:45710 to:192.168.1.1:45710
DNAT tcp -- anywhere anywhere tcp dpt:1988 to:192.168.1.3:1988
DNAT all -- anywhere anywhere to:192.168.1.5


tcp 0 0 0.0.0.0:1987 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN
tcp 0 0 :::53 :::* LISTEN

Íè ó êîãî íåò èäåé?

Íè ó êîãî íåò èäåé?
Ìîæåò IP "ñåðûé"?
Áåç ëîãîâ ìîæåì òîëüêî ãàäàòü.
Íå õîòèòå ïîêàçûâàòü ëîãè - íàì ìåíüøå çàáîòû ;)

Íó ïî÷åìó æå íå õî÷ó, õî÷ó! Êàêèå íóæíû ëîãè, ãîâîðèòå âûëîæó.
IP âûäåëåíûé

Íó ïî÷åìó æå íå õî÷ó, õî÷ó! Êàêèå íóæíû ëîãè, ãîâîðèòå âûëîæó.
IP âûäåëåíûé
Ëîã ðîóòåðà äëÿ íà÷àëà.
System & Log - îòñþäà.
Ó Âàñ êîìï 192.168.1.5 â DMZ?
Åñëè äà, òî íà íåãî âñå è ñâàëèâàåòñÿ.

DNAT all -- anywhere anywhere to:192.168.1.5

192.168.1.5 - ýòî xbox

192.168.1.5 - ýòî xbox
 ïðèëîæåííîì ëîãå ðîóòåð äàæå íå çàãðóçèëñÿ äî êîíöà ...

Ïîëíîñòüþ.
Âîò ïîñëå 30 ìèí. äîáàâèëîñü òîëüêî ýòî.

Mar 10 21:41:26 ntp client: Synchronizing time with time.nist.gov...
Mar 10 21:44:17 dnsmasq-dhcp[56]: DHCPDISCOVER(br0) 192.168.1.3 00:17:31:e3:1c:ef
Mar 10 21:44:17 dnsmasq-dhcp[56]: DHCPOFFER(br0) 192.168.1.3 00:17:31:e3:1c:ef
Mar 10 21:44:17 dnsmasq-dhcp[56]: DHCPREQUEST(br0) 192.168.1.3 00:17:31:e3:1c:ef

Ïîëíîñòüþ.
Âîò ïîñëå 30 ìèí. äîáàâèëîñü òîëüêî ýòî.

Mar 10 21:41:26 ntp client: Synchronizing time with time.nist.gov...
Mar 10 21:44:17 dnsmasq-dhcp[56]: DHCPDISCOVER(br0) 192.168.1.3 00:17:31:e3:1c:ef
Mar 10 21:44:17 dnsmasq-dhcp[56]: DHCPOFFER(br0) 192.168.1.3 00:17:31:e3:1c:ef
Mar 10 21:44:17 dnsmasq-dhcp[56]: DHCPREQUEST(br0) 192.168.1.3 00:17:31:e3:1c:ef

Õ.Ç. ... iptables-save ïîëíûé ïåðå÷åíü ïðàâèë ... â ñòóäèþ ...

# Generated by iptables-save v1.3.8 on Fri Mar 11 00:06:22 2011
*nat
:PREROUTING ACCEPT [34208:4778451]
:POSTROUTING ACCEPT [10136:544621]
:OUTPUT ACCEPT [267:19736]
:VSERVER - [0:0]
-A PREROUTING -d xxx -j VSERVER
-A POSTROUTING -s ! xxx -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o br0 -j MASQUERADE
-A VSERVER -p tcp -m tcp --dport 27015 -j DNAT --to-destination 192.168.1.3:27015
-A VSERVER -p udp -m udp --dport 27015 -j DNAT --to-destination 192.168.1.3:27015
-A VSERVER -p tcp -m tcp --dport 1988 -j DNAT --to-destination 192.168.1.3:1988
-A VSERVER -j DNAT --to-destination 192.168.1.5
COMMIT
# Completed on Fri Mar 11 00:06:22 2011
# Generated by iptables-save v1.3.8 on Fri Mar 11 00:06:22 2011
*mangle
:PREROUTING ACCEPT [964941:168782607]
:INPUT ACCEPT [34349:4144137]
:FORWARD ACCEPT [929608:163587326]
:OUTPUT ACCEPT [1882:899243]
:POSTROUTING ACCEPT [930706:164442353]
COMMIT
# Completed on Fri Mar 11 00:06:22 2011
# Generated by iptables-save v1.3.8 on Fri Mar 11 00:06:22 2011
*filter
:INPUT DROP [26636:2240454]
:FORWARD ACCEPT [1152:94283]
:OUTPUT ACCEPT [1858:897157]
:BRUTE - [0:0]
:MACS - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -p tcp -m tcp --dport 1987 -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -m state --state NEW -j SECURITY
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1987 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ! br0 -o eth1 -j DROP
-A FORWARD -i ! br0 -m state --state NEW -j SECURITY
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -o br0 -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p udp -m limit --limit 5/sec -j RETURN
-A SECURITY -p icmp -m limit --limit 5/sec -j RETURN
-A SECURITY -j DROP
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Fri Mar 11 00:06:22 2011

# Generated by iptables-save v1.3.8 on Fri Mar 11 00:06:22 2011
*nat
:PREROUTING ACCEPT [34208:4778451]
:POSTROUTING ACCEPT [10136:544621]
:OUTPUT ACCEPT [267:19736]
:VSERVER - [0:0]
-A PREROUTING -d xxx -j VSERVER
-A POSTROUTING -s ! xxx -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o br0 -j MASQUERADE
-A VSERVER -p tcp -m tcp --dport 27015 -j DNAT --to-destination 192.168.1.3:27015
-A VSERVER -p udp -m udp --dport 27015 -j DNAT --to-destination 192.168.1.3:27015
-A VSERVER -p tcp -m tcp --dport 1988 -j DNAT --to-destination 192.168.1.3:1988
-A VSERVER -j DNAT --to-destination 192.168.1.5

Êàê óæå ñêàçàë vectorm âñå âõîäÿùèå ïàêåòû âõîäÿùèå íà "õõõ" ïîïàäàþò â öåïî÷êó VSERVER è âñå ÷òî íå ïîïàëî â ïðàâèëà äî:
-A VSERVER -j DNAT --to-destination 192.168.1.5
óõîäèò ïî íàçíà÷åíèþ ... Èëè óäàëèòå ýòî ïðàâèëî èëè íå ïðîòèâîðå÷üòå åìó ...
Åùå ìîæíî â âåá-ìîðäå äîáàâèòü ïåðåàäðåñàöèþ ïîðòà SSH íà ëîêàëüíûé àäðåñ ðîóòåðà

Ñïàñèáî, äà äåéñòâèòåëüíî óäàëèë â âåá-ìîðäå ïðàâèëî

-A VSERVER -j DNAT --to-destination 192.168.1.5
è ssh çàðàáîòàë ïî wan.
À êàê äîáàâèòü ïåðåàäðåñàöèþ ïîðòà SSH íà ëîêàëüíûé àäðåñ ðîóòåðà?

Ñïàñèáî, äà äåéñòâèòåëüíî óäàëèë â âåá-ìîðäå ïðàâèëî

-A VSERVER -j DNAT --to-destination 192.168.1.5
è ssh çàðàáîòàë ïî wan.
À êàê äîáàâèòü ïåðåàäðåñàöèþ ïîðòà SSH íà ëîêàëüíûé àäðåñ ðîóòåðà?
Êàê îáû÷íî... (VIRTUAL SERVER ...) äîáàâëÿåì ïåðåàäðåñàöèþ ïîðòà â âåá-ìîðäå íà àäðåñ ðîóòåðà (ëîêàëüíûé 192.168.õõõ.õõõ).

Ïîíÿë, ñïàñèáî!

Âñòàâëþ ñâîè 5 êîïååê.

Îáíîâëÿþ ðàç â ìåñÿö RT-N16. Ñåé÷àñ óñòàíîâëåíà 1.9.2.7-rtn-r2857.
Òðóäíî ñêàçàòü êîãäà, íî òî÷íî ïîñëå 2011-02-06 23:25 (ýòî äàòà ïîñëåäíåé ìîåé ïðàâêè /tmp/local/sbin/pre-boot), òîãäà òî÷íî âñå ðàáîòàëî êàê ïîëîæåíî.

Ïåðåñòàëè ãðóçèòüñÿ ìîäóëè. Âîò ÷òî ïîêàçûâàåò modprobe:

[root@RT-N16 root]$ modprobe
modprobe: QM_MODULES: Function not implemented

modprobe: Nothing to load ???
Specify at least a module or a wildcard like \*

[root@RT-N16 root]$ modprobe -a
modprobe: QM_MODULES: Function not implemented

modprobe: Nothing to load ???
Specify at least a module or a wildcard like \*

È ïåðåçàïèñûâàë ìîäóëè ïîâòîðíî, è îáíîâëÿë ïðîøèâêó - ðåçóëüòàò îäèí. Êðèâî, íî ðàáîòàåò iptables, ïåðåñòàëè ðàáîòàòü ïðàâèëà SSH BRUTE. Ïî íèì è îáíàðóæèë íåëàäíîå.

Êóäà êîïàòü?

Âñòàâëþ ñâîè 5 êîïååê.

Ïåðåñòàëè ãðóçèòüñÿ ìîäóëè. Âîò ÷òî ïîêàçûâàåò modprobe:

[root@RT-N16 root]$ modprobe
modprobe: QM_MODULES: Function not implemented

Êóäà êîïàòü?
Ó âàñ êàøà â /opt, à êîíêðåòíî - ëåâûé modprobe äëÿ ÿäðà 2.4.
Òî æå ñàìîå ñ iptables - âåðñèÿ èç ïðîøèâêè 1.4.3.2, âñå îñòàëüíûå íå áóäóò ðàáîòàòü êîððåêòíî.

Ó âàñ êàøà â /opt, à êîíêðåòíî - ëåâûé modprobe äëÿ ÿäðà 2.4. Òî æå ñàìîå ñ iptables - âåðñèÿ èç ïðîøèâêè 1.4.3.2, âñå îñòàëüíûå íå áóäóò ðàáîòàòü êîððåêòíî.

[root@RT-N16 2.6.22.19]$ iptables -V
iptables v1.4.9, óäàëèë. Òåïåðü:

[root@RT-N16 root]$ iptables -I INPUT -i vlan2 -p tcp -m state --state NEW --dport 22 -m recent --update --seconds 600 --hitcount 3 --name SSH_ATTACKER --rsource -j DROP
iptables v1.4.3.2: Couldn't load match `state':File not found

[root@RT-N16 2.6.22.19]$ ls -al /opt/lib/modules/2.6.22.19/modules.dep
-rw-r--r-- 1 root root 15860 2011-03-27 01:41 /opt/lib/modules/2.6.22.19/modules.dep

Âñå, ÷òî â modules.dep óêàçûâàåò íà /opt/lib/modules/2.6.22.19/.

Âåðñèÿ modutils áûëà 2.4:
insmod version 2.4.27
modprobe 2.4.27, óäàëèë.

Ðàíüøå â pre-boot ãðóçèëñÿ xt_recent è iptables ðàáîòàëè êîððåêòíî.

Òåïåðü:

[root@RT-N16 root]$ insmod /opt/lib/modules/2.6.22.19/kernel/net/netfilter/xt_recent.ko
insmod: can't insert '/opt/lib/modules/2.6.22.19/kernel/net/netfilter/xt_recent.ko': invalid module format


Êóäà êîïàòü?

iptables v1.4.3.2: Couldn't load match `state':File not found
Èñïîëüçóåòå íî÷íûå ñáîðêè - ïîòðóäèòåñü ïî÷èòàòü ñïèñîê èçìåíåíèé. Ñì. r2792, r2793 - state çàìåí¸í íà conntrack


[root@RT-N16 root]$ insmod /opt/lib/modules/2.6.22.19/kernel/net/netfilter/xt_recent.ko
insmod: can't insert '/opt/lib/modules/2.6.22.19/kernel/net/netfilter/xt_recent.ko': invalid module format
Ìíå êàæåòñÿ, îøèáêà íå íóæäàåòñÿ â ïåðåâîäå, íåò? :rolleyes:

P.S. Ñîâåòóþ çàãëÿäûâàòü èíîãäà â /lib/modules/2.6.22.19/

Èñïîëüçóåòå íî÷íûå ñáîðêè - ïîòðóäèòåñü ïî÷èòàòü ñïèñîê èçìåíåíèé. Ñì. r2792, r2793 - state çàìåí¸í íà conntrack


Îê, ñïàñèáî!

Ãîäà 3 íàçàä íàñòðàèâàë nat â ìàðøðóòèçàòîðå ïî òîé âåðñèè ôàêà, êîòîðàÿ ñóùåñòâîâàëà íà òîò ìîìåíò.  ÷àñòíîñòè â post-firewall ó ìåíÿ ïðîïèñàíî:

# VPN
iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 37000 -j DNAT --to-destination 192.168.0.8:37000
iptables -I FORWARD -i ppp0 -p tcp -m udp -d 192.168.0.8 --dport 37000 -j ACCEPT
iptables -I FORWARD -o ppp0 -p tcp -m udp -s 192.168.0.8 --sport 37000 -j ACCEPT
iptables -t nat -A POSTROUTING -p udp -o ppp0 -s 192.168.0.8 --sport 37000 -j MASQUERADE

Ñîîòâåòñâåííî âñå, ÷òî ïðèõîäèò èç èíòåðíåòîâ íà ïîðò 37000 (äèíàìè÷åñêèé ip) ôîðâàðäèòñÿ íà âíóòðåííèé ñåðâåð.

Ñåé÷àñ âîçíèêëà çàäà÷à, ÷òîáû îáðàùåíèÿ èç âíóòðåííåé ñåòè (192.168.0.0/24), îòïðàâëåííûå íà àäðåñ âíåøíåãî èíòåðôåéñà (ppp0, èìååòñÿ ïðèâÿçêà ê äîìåííîìó èìåíè) ôîðâàðäèëàñü îáðàòíî íà âíóòðåííèé ñåðâåð 192.168.0.8. Ò.å. ÷òîáû îáðàùåíèÿ ïî äîìåííîìó èìåíè òèïà myip.dyndns.com îäèíàêîâî ðàáîòàëè êàê èç èíòåðíåòà, òàê è èç äîìàøíåé ñåòè.

Ïîäñêàæèòå, êàê ýòî äåëàåòñÿ? ×òî-òî ìíå ôàíòàçèè (è çíàíèé ïî iptables) íå õâàòàåò, îñîáåííî ñ ó÷åòîì òîãî, ÷òî âíóòðè post-firewall ÿ äàæå íå çíàþ ip-àäðåñà íà ppp0.

ß òî÷íî ïîìíþ, ÷òî â òîì ñòàðîì ôàêå áûë ïðèìåð íà ýòîò ñ÷åò, íî, ê ñîæàëåíèþ, âñå ïîèñêè ïðèâîäÿò íà óäàëåííóþ òåìó http://www.wl500g.info/showthread.php?t=4921 è íåñóùåñòâóþùóþ àðõèâíóþ http://wl500g.info/archive/index.php/t-5920.html

Æåëåçî WL500gp, ïðîøèâêà ïîñëåäíÿÿ (?) îò Îëåãà: 1.9.2.7-10.

Áóäó âåñüìà ïðèçíàòåëåí çà ïîìîùü.

Всем доброго дня!
Имею вышеозначенный девайс, накатил на него прошивку от Олега версии 1.9.2.7-d-r2624.
Не получается сохранить новые правила iptables. Гуглил долго, предлагали сохранять так iptables-save > <имя файла>. файл сохраняется, да, но после рестарта прибора правила остаются старыми, а файла сохраненного нет.
Вопрос к знающим людям: где лежит реальный файл с правилами iptables?
Чтобы его и поправить, в него сохранить новые правила.
Спасибо.

Ôàéë post-firewall, ëåæàùèé òóò: /tmp/local/sbin
Ïðè èçìåíåíèè íå çàáûâàéòå äåëàòü:
flashfs save && flashfs commit && flashfs enable && reboot

ykpacmb, спасибо за ответ, но не помогло. Файл, кстати, лежит в /tmp/ и называется filter_rules. добавляю новые правила, сохраняю iptables-save > /tmp/filter_rules, делаю flashfs save && flashfs commit && flashfs enable && reboot
и - все то же самое при загрузке: старые правила.
Что делать?

filter_rules ãåíåðèòñÿ àâòîìàòîì íà îñíîâå äàííûõ èç âåáìîðäû. Òàê ÷òî ðåäàêòèðîâàòü åãî áåñïîëåçíî. Êàê áûëî îòìå÷åíî ñâîè ïðàâèëà ñëåäóåò äîáàâëÿòü â /usr/local/sbin/post-firewall, æåëàòåëüíî ïðè ýòîì îçíàêîìèòüñÿ ñ èíñòðóêöèåé ïî íà÷àëüíîé íàñòðîéêå --- ýòî ñíèìåò ìàññó áàçîâûõ âîïðîñîâ.

Печально, но такой папки /usr/local/sbin/ нет вообще, при попытке сохранить post-firewall в другой каталог, например /tmp/etc/, он сохраняется, далее повторяю процедуру с командами flashfs - при загрузке получаю то же самое. Файла нет, правила старые. Насчет инструкции - подскажите, где взять.
Спасибо.

Ïå÷àëüíî, íî òàêîé ïàïêè /usr/local/sbin/ íåò âîîáùå, ïðè ïîïûòêå ñîõðàíèòü post-firewall â äðóãîé êàòàëîã, íàïðèìåð /tmp/etc/, îí ñîõðàíÿåòñÿ, äàëåå ïîâòîðÿþ ïðîöåäóðó ñ êîìàíäàìè flashfs - ïðè çàãðóçêå ïîëó÷àþ òî æå ñàìîå. Ôàéëà íåò, ïðàâèëà ñòàðûå. Íàñ÷åò èíñòðóêöèè - ïîäñêàæèòå, ãäå âçÿòü.
Ñïàñèáî.
À äëÿ êîãî òåìû ïðèêðåïëÿëè??? http://wl500g.info/showthread.php?t=24854

Óâàæàåìûé tempik, íà ýòîì ôîðóìå ÿ ìíîãî ïåðå÷èòàë èíôû, ïûòàÿñü ðåøèòü ñâîþ ïðîáëåìó - íåñëîæíóþ, â îáùåì-òî. Íî èíôà ýòà ìíå íå ïîìîãëà, ïîòîìó è çàïîñòèë âîïðîñ. Åñëè åñòü ÷òî îòâåòèòü ïî ìîåé ïðîáëåìå - ïîæàëóéñòà, à òûêàòü â ïðèêðåïëåííûå òåìû íå íóæíî, ÿ èõ ÷èòàë.
Åùå åñòü çíàþùèå ëþäè, ñïîñîáíûå ïîìî÷ü?

Óâàæàåìûé tempik, íà ýòîì ôîðóìå ÿ ìíîãî ïåðå÷èòàë èíôû, ïûòàÿñü ðåøèòü ñâîþ ïðîáëåìó - íåñëîæíóþ, â îáùåì-òî. Íî èíôà ýòà ìíå íå ïîìîãëà, ïîòîìó è çàïîñòèë âîïðîñ. Åñëè åñòü ÷òî îòâåòèòü ïî ìîåé ïðîáëåìå - ïîæàëóéñòà, à òûêàòü â ïðèêðåïëåííûå òåìû íå íóæíî, ÿ èõ ÷èòàë.
Åùå åñòü çíàþùèå ëþäè, ñïîñîáíûå ïîìî÷ü?
http://wl500g.info/showthread.php?t=3171 Òåìû íå çðÿ çàêðåïèëè è â íèõ åñòü ññûëêè íà âñå òåìû íåîáõîäèìûå äëÿ íà÷àëüíîãî ïîíèìàíèÿ êàê ýòà ïðîøèâêà ðàáîòàåò ... Åñëè áû âû èõ ïðî÷èòàëè, òî òàêèå âîïðîñû íå âîçíèêàëè áû ... Õîòèòå ÷òîá ñäåëàëè âñå çà âàñ íàéìèòå ñïåöèàëèñòà ....

Óâàæàåìûé tempik, íà ýòîì ôîðóìå ÿ ìíîãî ïåðå÷èòàë èíôû, ïûòàÿñü ðåøèòü ñâîþ ïðîáëåìó - íåñëîæíóþ, â îáùåì-òî. Íî èíôà ýòà ìíå íå ïîìîãëà, ïîòîìó è çàïîñòèë âîïðîñ. Åñëè åñòü ÷òî îòâåòèòü ïî ìîåé ïðîáëåìå - ïîæàëóéñòà, à òûêàòü â ïðèêðåïëåííûå òåìû íå íóæíî, ÿ èõ ÷èòàë.
Åùå åñòü çíàþùèå ëþäè, ñïîñîáíûå ïîìî÷ü?

flashfs enable

Çäðàâñòâóéòå î÷åíü ñïåöôè÷åñêàÿ ïðîáëåìà, íàáëþäàåòñÿ íà ðîóòåðå dir-320
Ñèòóàöèÿ ñëåäóþùàÿ, èìååòñÿ:
1. Ëîêàëüíàÿ ñåòü ñ ëîêàëüíûì ip ïðåäîñòàâëÿåìûì ïðîâàéäåðîì.
2. Èìååòñÿ ñòàòè÷åñêèé ip â internet êîòîðûé ïðåäîñòàâëÿåòñÿ ïðîâàéäåðîì ñ ïðèìåíåíèåì pptp.
Ìîé äåéñòâèÿ:
1. Ïîñûëàþ ýõî çàïðîñ èç ëîêàëüíîé ñåòè íà ðîóòåð, âñå çàìå÷àòåëüíî ðîóòåð îòâå÷àåò.
2. Ïîñûëàþ ýõî çàïðîñ ñ âíåøíåãî ip íà ðîóòåð, òèøèíà ðîóòåð ïðîñòî ïðîãëàòûâàåò òðàôèê.
3. Ñòó÷èìñÿ ïî ëîêàëüíîé ñåòè íà ðîóòåð íà 22 ïîðò ïðîõîäèì àâòîðèçàöèþ, è øëåì ýõî íà âíåøíèé êîìïüþòåð èñïîëüçóÿ pptp. Âíåøíèé êîìïüþòåð îòâå÷àåò.
Ëîãè÷íî ïðåäïîëîæèòü ÷òî ãäå-òî â iptables åñòü DROP, èäåì òóäà è ñìîòðèì, íè÷åãî òàêîãî, íèêàêèõ REJECT òàêæå íå íàáëþäàåì. Ñìîòðèì iproute ïî óìîë÷àíèþ ìàðøðóò íàïðàâëåí â ppp0.
4. Íå äóìàÿ ëóêàâî, ãîâîðèì iptables ëîãèðîâàòü òðàôèê íà âûõîäå ñ NAT PREROUTING:

-A PREROUTING -j LOG --log-prefix "NPRE " --log-level 7
Øëåì ñ âíåøíåãî êîìïüþòåðà ýõî, âèäèì ïàêåòû, äëÿ áîëüøåé óâåðåííîñòè ÷òî ïàêåòû òå ñàìûå, óâåëè÷èâàåì èõ ðàçìåð äî 128. Âñå âèäèì.
5. Èäåì äàëüøå âåøàåì ëîãèðîâàíèå â MANGLE INPUT è MANGLE FORWARD:

-A INPUT -j LOG --log-prefix "MINP " --log-level 7
-A FORWARD -j LOG --log-prefix "MFORW " --log-level 7
Íè÷åãî íåò :eek: . Êóäà îíè äåëèñü, óìà íå ïðèëîæó.
Òðåáóåòñÿ èìåòü äîñòóï ê ðîóòåðó èç âíåøíåé ñåòè.
iptables-save:

# Generated by iptables-save v1.3.8 on Sat Apr 9 11:50:10 2011
*nat
:PREROUTING ACCEPT [143613:11711818]
:POSTROUTING ACCEPT [8755:523186]
:OUTPUT ACCEPT [7022:422728]
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination HOME_WS
-A PREROUTING -i vlan1 -p tcp -m tcp --dport 80 -j DNAT --to-destination HOME_WS
-A PREROUTING -j LOG --log-prefix "NPRE " --log-level 7
-A POSTROUTING -o ppp0 -j SNAT --to-source WAN_IP
-A POSTROUTING -o vlan1 -j SNAT --to-source LAN_IP
COMMIT
# Completed on Sat Apr 9 11:50:10 2011
# Generated by iptables-save v1.3.8 on Sat Apr 9 11:50:10 2011
*mangle
:PREROUTING ACCEPT [4348620:1117124629]
:INPUT ACCEPT [2535956:621071184]
:FORWARD ACCEPT [1715797:487287823]
:OUTPUT ACCEPT [2435077:643826133]
:POSTROUTING ACCEPT [4184554:1143679984]
-A INPUT -j LOG --log-prefix "MINP " --log-level 7
-A FORWARD -j LOG --log-prefix "MFORW " --log-level 7
COMMIT
# Completed on Sat Apr 9 11:50:10 2011
# Generated by iptables-save v1.3.8 on Sat Apr 9 11:50:10 2011
*filter
:INPUT ACCEPT [2179568:557947968]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2435076:643826056]
-A INPUT -i vlan1 -j ACCEPT
-A INPUT -i ppp0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -s 72.18.198.8 -i ppp0 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5900 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5222 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5269 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2222 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 4222 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8100:8999 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5060 -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -o br0 -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -o tun+ -j ACCEPT
COMMIT
# Completed on Sat Apr 9 11:50:10 2011

Ñäóðó âêëþ÷èë port trigering. Ïîäñêàæèòå êàê åãî îòêëþ÷èòü íå ÷åðåç âåá à ïðè ïîäêëþ÷åíèè ïî telnet?
 êàêóþ öåïî÷êó ïðàâèë ïîïàäàåò ïîðò òðèãåðèíã?
Îæèäàë åãî óäàëèòü òàê

iptables -t nat -D PREROUTING 3

Íî ïîñëå ýòîãî òîëüêî àñüêà çàðàáîòàëà.! à ñàéòû òàê è íå äîñòóïíû.

Ñåé÷àñ ïðàâèëà
$iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
VSERVER all -- anywhere 31.162.121.163
NETMAP udp -- anywhere 31.162.121.163 udp spt:6112 192.168.0.0/24

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
NETMAP udp -- 192.168.0.0/24 anywhere udp dpt:6112 31.162.121.163/32
MASQUERADE all -- !31.162.121.163 anywhere
MASQUERADE all -- 192.168.0.0/24 192.168.0.0/24

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain VSERVER (1 references)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:61924 to:192.168.0.20:61924
DNAT udp -- anywhere anywhere udp dpt:61924 to:192.168.0.20:61924
DNAT udp -- anywhere anywhere udp dpt:3658 to:192.168.0.102:3658
DNAT udp -- anywhere anywhere udp dpt:47946 to:192.168.0.199:47946
DNAT tcp -- anywhere anywhere tcp dpt:61925 to:192.168.0.4:61924
DNAT udp -- anywhere anywhere udp dpt:61925 to:192.168.0.4:61924
DNAT tcp -- anywhere anywhere tcp dpt:15376 to:192.168.0.3:15376
DNAT tcp -- anywhere anywhere tcp dpt:61926 to:192.168.0.193:61924
DNAT udp -- anywhere anywhere udp dpt:61926 to:192.168.0.193:61924
DNAT tcp -- anywhere anywhere tcp dpt:47370 to:192.168.0.101:47370
DNAT udp -- anywhere anywhere udp dpt:47370 to:192.168.0.101:47370
DNAT tcp -- anywhere anywhere tcp dpt:47946 to:192.168.0.199:47946
DNAT tcp -- anywhere anywhere tcp dpt:45885 to:192.168.0.1:45885
DNAT udp -- anywhere anywhere udp dpt:45885 to:192.168.0.1:45885
DNAT udp -- anywhere anywhere udp dpt:61439 to:192.168.0.123:61439




$ iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
MACS all -- anywhere anywhere
logdrop all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
logaccept all -- anywhere anywhere state NEW
logaccept all -- anywhere anywhere state NEW
SECURITY all -- anywhere anywhere state NEW
logaccept udp -- anywhere anywhere udp spt:bootps dpt:bootpc
logdrop all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
MACS all -- anywhere anywhere
logaccept all -- anywhere anywhere
logdrop all -- anywhere anywhere state INVALID
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
logdrop all -- anywhere anywhere
logdrop all -- anywhere anywhere
SECURITY all -- anywhere anywhere state NEW
logaccept all -- anywhere anywhere ctstate DNAT

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain MACS (2 references)
target prot opt source destination

Chain SECURITY (2 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5
RETURN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
RETURN udp -- anywhere anywhere limit: avg 5/sec burst 5
RETURN icmp -- anywhere anywhere limit: avg 5/sec burst 5
logdrop all -- anywhere anywhere

Chain logaccept (5 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT all -- anywhere anywhere

Chain logdrop (6 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
DROP all -- anywhere anywhere

Áðàòöû. Ïîäñîáèòå çàïðåòèòü íåñêîëüêèì êîìïàì èç áîëüøîãî ñïèñêà, ïîëó÷àþùèì äîñòóï ê ðîóòåðó ïî âàôëå, âûõîä â èíòåðíåò ñåðèåé ñàéòîâ(http è https) + âíåøíèé ñòàòè÷åñêèé ftp + outlook íà gmail. Ñ ðîóòåðà òàêæå íàñòðîåí openVPN â ñåòü ïðåäïðèÿòèÿ, ê íåìó îãðàíè÷åíèé áûòü íå äîëæíî.
Èçó÷àòü IPTABLES ñåé÷àñ íåò âðåìåíè, ïîýòîìó ïðîøó øàðÿùèõ ïîìî÷ü.
Íà ñêîëüêî ÿ ïîíèìàþ, íóæíî âåñü òðàôèê ÷åðåç br0 íóæíûì êîìïàì çàêðóòèòü â íîâóþ òàáëèöó, à òàì çàïðåòèòü âñå, êðîìå íóæíîãî. Íî âîò çíàíèé íå õâàòàåò äëÿ ðåàëèçàöèè.
RT-N16, 1.9.2.7-rtn-r2274
Çàðàíåå áëàãîäàðåí.

Íàðîä, à ïîäñêàæèòå ïîæàëóéñòà â êàêîì ôàéëå ñîäåðæàòñÿ íàñòðîéêè òàáëèö iptables (êîíêðåòíî -t nat VSERVER) â ïðîøèâêå 1.9.2.7-rtn-r2775 ?

Íàðîä, à ïîäñêàæèòå ïîæàëóéñòà â êàêîì ôàéëå ñîäåðæàòñÿ íàñòðîéêè òàáëèö iptables (êîíêðåòíî -t nat VSERVER) â ïðîøèâêå 1.9.2.7-rtn-r2775 ?

nvram show | grep vts_

Ïåðåïðîøèëñÿ äëÿ âåðñèè óêàçàííîé â ñàáæå
Âûïîëíÿþ
iptables -I FORWARD 1 -p udp -o br0 -d 192.168.138.44 --dport 51413 -m state --state NEW -j ACCEPT
Îòâå÷àåò

iptables v1.4.3.2: Couldn't load match `state':File not found

Êàêîé ìîäóëü íóæíî ïîäãðóçèòü, ÷òîáû ïîñòïðîèòü ôàåðâîë ñ ïðèâû÷íûìè îïöèÿìè àëÿ
-m state --state NEW

Ïåðåïðîøèëñÿ äëÿ âåðñèè óêàçàííîé â ñàáæå
Âûïîëíÿþ
iptables -I FORWARD 1 -p udp -o br0 -d 192.168.138.44 --dport 51413 -m state --state NEW -j ACCEPT
Îòâå÷àåò

iptables v1.4.3.2: Couldn't load match `state':File not found

Êàêîé ìîäóëü íóæíî ïîäãðóçèòü, ÷òîáû ïîñòïðîèòü ôàåðâîë ñ ïðèâû÷íûìè îïöèÿìè àëÿ
-m state --state NEW

http://segfault.kiev.ua/smart-questions-ru.html#itsabug
http://code.google.com/p/wl500g/source/detail?r=2792

Êàêîé ìîäóëü íóæíî ïîäãðóçèòü, ÷òîáû ïîñòïðîèòü ôàåðâîë ñ ïðèâû÷íûìè îïöèÿìè àëÿ
-m state --state NEW

À ÷åì Âàñ íå óñòðàèâàåò "-m conntrack --ctstate NEW"? :)

Ïîäñêàæèòå ïëèç òîâàðèùè-ñïåöèàëèñòû!

êàê íà äàííîé ïðîøèâêå îðãàíèçîâàòü ñëåäóþùóþ ñõåìó?

èç îäíîãî îôèñà, ãäå âíåøíèé ip 80.249.1.1 íóæíî ïîäñîåäèíèòüñÿ ïî óäàëåííîìó ðàáñòîëó (rdp) â äðóãîé îôèñ (46.252.1.1), ãäå ñîáñòâåííî è ñòîèò óñòðîéñòâî ñ äàííîé ïðîøèâêîé

êàê ñäåëàòü òàê ÷òîáû äîñòóï ê rdp áûë òîëüêî ó 80.249.1.1

ÿ ïûòàëñÿ ñäåëàòü ÷åðåç DMZ, íî òîãäà ìîæíî çàõîäèòü ñ ëþáîâîãî ip

çàðàíåå ñïàñèáî

êàê ñäåëàòü òàê ÷òîáû äîñòóï ê rdp áûë òîëüêî ó 80.249.1.1


Ïîñòàâèòü ïðîøèâêó íå íèæå r2962 äëÿ d-âåòêè èëè r2963 äëÿ rtn-âåòêè. Èëè ïðîïèñàòü ïðàâèëî äëÿ ïðîáðîñà â post-firewall (http://wiki.vectormm.net/index.php/%D0%9F%D0%BE%D0%BB%D1%8C%D0%B7%D0%BE%D0%B2%D0%B0%D 1%82%D0%B5%D0%BB%D1%8C%D1%81%D0%BA%D0%B8%D0%B5_%D1 %81%D0%BA%D1%80%D0%B8%D0%BF%D1%82%D1%8B):

iptables -t nat -A VSERVER -p tcp -m tcp -s 80.249.1.1 --dport 3389 -j DNAT --to-destination X.X.X.X:3389

Ïîñòàâèòü ïðîøèâêó íå íèæå r2962 äëÿ d-âåòêè èëè r2963 äëÿ rtn-âåòêè. Èëè ïðîïèñàòü ïðàâèëî äëÿ ïðîáðîñà â post-firewall (http://wiki.vectormm.net/index.php/%D0%9F%D0%BE%D0%BB%D1%8C%D0%B7%D0%BE%D0%B2%D0%B0%D 1%82%D0%B5%D0%BB%D1%8C%D1%81%D0%BA%D0%B8%D0%B5_%D1 %81%D0%BA%D1%80%D0%B8%D0%BF%D1%82%D1%8B):

iptables -t nat -A VSERVER -p tcp -m tcp -s 80.249.1.1 --dport 3389 -j DNAT --to-destination X.X.X.X:3389

à ìîæíî ëè ýòî ñäåëàòü â âýá-èíòåðôåéñå??? è êàê?

à ìîæíî ëè ýòî ñäåëàòü â âýá-èíòåðôåéñå???

Åñëè õîòèòå äåëàòü â âåá-èíòåðôåéñå, òî îáíîâëÿéòå ïðîøèâêó. Òîãäà â íàñòðîéêàõ ïðàâèë Virtual Server ïîÿâèòñÿ ïóíêò Source IP. Êóäà è ïðîïèøèòå àäðåñ 80.249.1.1

Âñåì ïðèâåò ,âîò äîáàâèë ÿ íàïðèìåð òàêîå ïðàâèëî ÷åðåç êîíñîëü

iptables -t nat -A PREROUTING -s 192.168.1.2 -p tcp -m tcp -j DNAT --to-destination 192.168.1.1:82
Êàê åãî óäàëèòü íå ïåðåãðóæàÿ ðîóòåð , òîêî óäàëüòü íàäî òàê ÷òîáû îíî ïåðåñòàëî èñïîëíÿòñÿ . Ñïàñèáî !!

Âñåì ïðèâåò ,âîò äîáàâèë ÿ íàïðèìåð òàêîå ïðàâèëî ÷åðåç êîíñîëü

iptables -t nat -A PREROUTING -s 192.168.1.2 -p tcp -m tcp -j DNAT --to-destination 192.168.1.1:82
Êàê åãî óäàëèòü íå ïåðåãðóæàÿ ðîóòåð , òîêî óäàëüòü íàäî òàê ÷òîáû îíî ïåðåñòàëî èñïîëíÿòñÿ . Ñïàñèáî !!
Áëèí! ãóãë ñîâñåì çàïðåòèëè??? Çàìåíèòü êëþ÷ -A èëè -I íà -D ...

Áëèí! ãóãë ñîâñåì çàïðåòèëè??? Çàìåíèòü êëþ÷ -A èëè -I íà -D ...
Äà íå íå îòìåíèëè , íî ÷¸òî êàêòî íå äîãíàë , íàø¸ë îïèñàíèå êàê óäàëÿòü ïðàâèëî ïî åãî íîìåðó â òàáëèöå ,à âîò êàê óçíàòü åãî íîìåð òî õ.ç. Ìîæåò íå òàì èñêàë , à âàì çà ïîäñêàçêó îãðîìíîå ñïàñèáî !!!

Äà íå íå îòìåíèëè , íî ÷¸òî êàêòî íå äîãíàë , íàø¸ë îïèñàíèå êàê óäàëÿòü ïðàâèëî ïî åãî íîìåðó â òàáëèöå ,à âîò êàê óçíàòü åãî íîìåð òî õ.ç. Ìîæåò íå òàì èñêàë , à âàì çà ïîäñêàçêó îãðîìíîå ñïàñèáî !!!
Íå ìà çà øî :)

Äîáðîãî âðåìåíè ñóòîê. Èìååòñÿ ip-êàìåðà dlink-2102, ïîäêëþ÷åííàÿ ê ðîóòåðó. Âñå ïðåêðàñíî ðàáîòàåò, êàê ñ ïèñþêà, òàê è ñî ñìàðòà íî â ëîêàëêå. Åñò-íî ñëåäóþùèé øàã - ýòî îãðàíèçàöèÿ äîñóïà ñíàðóæè. Íî î÷åíü íå õî÷åòñÿ îòêðûâàòü ïîðò íà ïîñòîÿííî. Åñëè áû â Putty íà ñèìáèàí 9.3 (êàê â îáû÷íîì âèíäîâîì putty) áûë ðåàëèçîâàí port forwarding, òî íèêàêèõ ïðîáëåì íå áûëî áû, çàãíàë áû âñå â ssh òóííåë(õîòÿ òàì æå åùå è RTP íàäî ïðîáðàñûâàòü).... ââîáùåì ñ òóíåëåì ïîêà ïîëíûé îáëîì.

Ïîýòîìó âîçíèêëà ìûñëü ïðî ïîðò òðèããåð. ß ãäå-òî íàõîäèë êëàññíîå îïèñàíèå ýòîé ôóíêöèè ñ ðåàëüíûì ïðèìåðîì, à ñ÷àñ êèíóëñÿ èñêàòü - îáëîìñ...
À çàäóìêà ïðîñòà, çàõîäèì ïî â ðîóòåð, çàïóñêàåì íå÷òî, êòîðîå ïîøëåò ÷òî-íèáóäü íà incommig port è òîãäà ïî òåîðèè äîëæíû îòðûòüñÿ ïîðòû ñíàðóæè (ïðè ñîîòâ--èå íàñòðîéêè port trigger åñò-íî). À äàëüøå óæå ñòàðòîâàòü ñíàðóæè îáðàùåíèå ê ñàìîé ip-êàìåðå.

Ñîððè, åñëè êîðÿâî èçëîæèë... Áûëî áû î÷åíü èíòåððåñíî ïîñëóøàòü çíàþùèõ ëþäåé ïðî ýòî... Çàðàíåå ñïàñèáî.

Ïîýòîìó âîçíèêëà ìûñëü ïðî ïîðò òðèããåð. ß ãäå-òî íàõîäèë êëàññíîå îïèñàíèå ýòîé ôóíêöèè ñ ðåàëüíûì ïðèìåðîì, à ñ÷àñ êèíóëñÿ èñêàòü - îáëîìñ...
À çàäóìêà ïðîñòà, çàõîäèì ïî â ðîóòåð, çàïóñêàåì íå÷òî, êòîðîå ïîøëåò ÷òî-íèáóäü íà incommig port è òîãäà ïî òåîðèè äîëæíû îòðûòüñÿ ïîðòû ñíàðóæè (ïðè ñîîòâ--èå íàñòðîéêè port trigger åñò-íî). À äàëüøå óæå ñòàðòîâàòü ñíàðóæè îáðàùåíèå ê ñàìîé ip-êàìåðå.

Ñîððè, åñëè êîðÿâî èçëîæèë... Áûëî áû î÷åíü èíòåððåñíî ïîñëóøàòü çíàþùèõ ëþäåé ïðî ýòî... Çàðàíåå ñïàñèáî.
Ýòî íàçûâàåòñÿ "äèíàìè÷åñêîå îòêðûòèå ïîðòà ïî çàïðîñó".
Âàì ñþäà (http://wiki.enchtex.info/howto/iptables/ssh-guard#%D0%B4%D0%B8%D0%BD%D0%B0%D0%BC%D0%B8%D1%87%D 0%B5%D1%81%D0%BA%D0%BE%D0%B5_%D0%BE%D1%82%D0%BA%D1 %80%D1%8B%D1%82%D0%B8%D0%B5%D0%B7%D0%B0%D0%BA%D1%8 0%D1%8B%D1%82%D0%B8%D0%B5_ssh_%D0%BF%D0%BE%D1%80%D 1%82%D0%B0).

Ýòî íàçûâàåòñÿ "äèíàìè÷åñêîå îòêðûòèå ïîðòà ïî çàïðîñó".
Âàì ñþäà (http://wiki.enchtex.info/howto/iptables/ssh-guard#%D0%B4%D0%B8%D0%BD%D0%B0%D0%BC%D0%B8%D1%87%D 0%B5%D1%81%D0%BA%D0%BE%D0%B5_%D0%BE%D1%82%D0%BA%D1 %80%D1%8B%D1%82%D0%B8%D0%B5%D0%B7%D0%B0%D0%BA%D1%8 0%D1%8B%D1%82%D0%B8%D0%B5_ssh_%D0%BF%D0%BE%D1%80%D 1%82%D0%B0).

Ñïàñèáî Âàì ÁÀÀÀËÜØÎÅ! Ïîõîæå ýòî "ñïàñ¸ò..." Ñåé÷àñ áóì ðàçáèðàòüñÿ...
-----------------------------------------------------------------------------------------
ìàëåíüêî ðàçáèðàþñü... È íà÷èíàþ ïîíèìàòü, ÷òî "äèíàìè÷åñêèé ïðîáðîñ" - ýòî åùå öâåòî÷êè... À âîò êàê áûòü ñ òåì ÷òî RTP íå èìååò ïîñòîÿííîãî íîìåðà UDP ïîðòà. À UpP - ýòî ïîìîåìó íå åñòü ãóò. Òåì áîëåå ÷òî ðîóòåð ó ìåíÿ çà ADSL ìîäåìîì... È ïîëó÷åòñÿ, ÷òî è íà íåì íàäî âêëþ÷àòü UpP...  îáùåì ïîêà ïðîñìîòð ñ ìàáèëêè ñèëüíî îñëîæíÿåòñÿ...

Ïîäñêàæèòå êàê çàêðûòü 53 ïîðò èç èíòåðíåòà?
Ïðàâèëà íå ðàáîòàþò:
iptables -A INPUT -p udp -i ppp0 -d 53 -j REJECT
iptables -A INPUT -p tcp -i ppp0 -d 53 -j REJECT

Ïîäñêàæèòå êàê çàêðûòü 53 ïîðò èç èíòåðíåòà?
Ïðàâèëà íå ðàáîòàþò:
iptables -A INPUT -p udp -i ppp0 -d 53 -j REJECT
iptables -A INPUT -p tcp -i ppp0 -d 53 -j REJECT

îíè ïî óìîë÷àíèþ è òàê çàêðûòû, åñëè âêëþ÷åí firewall â íàñòðîéêàõ.

îíè ïî óìîë÷àíèþ è òàê çàêðûòû, åñëè âêëþ÷åí firewall â íàñòðîéêàõ.
Íó åñëè áû áûëè çàêðûòû, ÿ á íå ñïðàøèâàë. )
Ñêàíèðóþ:

$ nmap ***.no-ip.info

Starting Nmap 5.51 ( http://nmap.org ) at 2011-07-28 01:48 YEKT
Nmap scan report for ***.no-ip.info (**.**.228.67)
Host is up (0.031s latency).
rDNS record for **.**.228.67:
Not shown: 997 closed ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
443/tcp open https

Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds

Íó åñëè áû áûëè çàêðûòû, ÿ á íå ñïðàøèâàë.
ñêàíèðóåòñÿ èçâíå èëè èç ëîêàëêè - âíåøíèé àäðåñ?

Ñêàíèðóþ ñ ëîêàëêè âíåøíèé àäðåñ (*.no-ip.com).

Ñêàíèðóþ ñ ëîêàëêè âíåøíèé àäðåñ (*.no-ip.com).

ÒÀê òû ñíàðóæè äëÿ ïðèëè÷èÿ ïîñêàíèðóé ))

Ñ íàðóæè 53 - closed.
Íî êàê ñäåëàòü ÷òî áû âîîáùå íå âèäíî ïîðò áûëî.

Ñ íàðóæè 53 - closed.
Íî êàê ñäåëàòü ÷òî áû âîîáùå íå âèäíî ïîðò áûëî.

Åñëè íóæíà áåçîïàñíîñòü, äåëàåòå íàïðèìåð ïîëíîå ñêàíèðîâíèå ñ ïîìîùüþ Xspider, ïîñëåäíåé äåìî âåðñèè, â ðåæèìå ñêàíèðîâàíèÿ âñåõ ïîðòîâ, è ñïèòå ñïîêîéíî, åñëè ïàðàíîþ ïîòåøèòü, ðóáèòå êàáåëü, òîïîðèêîì, èáî ëþáîå êóäà-ëèáî ïîäêëþ÷åííîå óñòðîéñòâî ïîòåíöèàëüíî íåáåçîïàñíî ))

Ñ íàðóæè 53 - closed.
Íî êàê ñäåëàòü ÷òî áû âîîáùå íå âèäíî ïîðò áûëî.

À çà÷åì? Îí æå óæå closed.

Îñòàâèì òàê, ñïàñèáî. Ïî÷åìó íåëüçÿ ñêàíèðîâàòü ñ ëîêàëêè. Ñêàíèðóåòñÿ æå âíåøíèé àäðåñ, ïëþñ ÷åðåç DDns.

Ïî÷åìó íåëüçÿ ñêàíèðîâàòü ñ ëîêàëêè. Ñêàíèðóåòñÿ æå âíåøíèé àäðåñÒàê èç ëîêàëêè æå.

Âñå ïðèâåò, íåîáõîäèìî îðãàíèçîâàòü çàäà÷ó ïî áëîêèðîâêå äîñòóïà ê IP àäðåñàì ëîêàëüíîé ñåòè
Ñõåìà ñåòè

Inet-----------Router1(192.168.1.1)---------------router2(192.168.2.0/24)
____________local net1(192.168.1.2-255)________local net1(192.168.2.2-255)

òðåáóåòñÿ îãðàíè÷èòü äîñòóï èç local net2 ê local net1,
ò.å. ÷òîáû ip àäðåñà 192.168.2.2-255 íå äîñòóêèâàëèñü ê ip àäðåñàì 192.168.1.2-255
êàê äàííîå îðãàíèçîâàòü â IPtables ??

Îãðàíè÷èòü äîñòóï òðåáóåòñÿ òîëüêî ê IP àäðåñàì ïåðâîé ëîêàëêå, ò.å. äàííûå ïðàâèëà áóäóò ïðîïèñûâàòüñÿ íà ðîóòåðå2

Îñòàâèì òàê, ñïàñèáî. Ïî÷åìó íåëüçÿ ñêàíèðîâàòü ñ ëîêàëêè. Ñêàíèðóåòñÿ æå âíåøíèé àäðåñ, ïëþñ ÷åðåç DDns.
Íó äëÿ ïðèìåðà ó Âàñ â êâàðòèðå íàâåðíÿêà åñòü äâåðü íà ëåñòíè÷íóþ êëåòêó. Âîò è ïîïðîáóéòå îòêðûòü åå èçíóòðè êâàðòèðû è ñíàðóæè. Âðîäå äâåðü îäíà, à ðàçíèöà íà ëèöî :D

Äîáðûé äåíü!!
Ïîäñêàæèòå ïîæàëóéñòà. Èìåþ ðîóòåð ñ ïðîøèâêîé open wrt. Âîò çàñàäà, íå ìîãó çàéòè èç ëîêàëüíîé ñåòè íà âíåøíèé ïîðò ðîóòåðà. Çíàêîìûå èç èíòåðíåòà çàõîäÿò ñâîáîäíî, ïîëó÷àåòñÿ ïîðò îòêðûò. À ÿ íå ìîãó èç ñâîåé æå ñåòè çàéòè.Ïîäñêàæèòå êàê íàñòðîèòü ïðàâèëî, ÷òîáû ÿ ìîã çàõîäèòü íà âåøíèé àäðåñ ðîóòåðà , ïðè ýòîì ÷òîáû ÿ ñòó÷àëñÿ íà íåãî âíåøíèì àäðåñîì, à íå âíóòðåííèì.

Äîáðûé äåíü!!
Ïîäñêàæèòå ïîæàëóéñòà. Èìåþ ðîóòåð ñ ïðîøèâêîé open wrt. Âîò çàñàäà, íå ìîãó çàéòè èç ëîêàëüíîé ñåòè íà âíåøíèé ïîðò ðîóòåðà. Çíàêîìûå èç èíòåðíåòà çàõîäÿò ñâîáîäíî, ïîëó÷àåòñÿ ïîðò îòêðûò. À ÿ íå ìîãó èç ñâîåé æå ñåòè çàéòè.Ïîäñêàæèòå êàê íàñòðîèòü ïðàâèëî, ÷òîáû ÿ ìîã çàõîäèòü íà âåøíèé àäðåñ ðîóòåðà , ïðè ýòîì ÷òîáû ÿ ñòó÷àëñÿ íà íåãî âíåøíèì àäðåñîì, à íå âíóòðåííèì.
Íó âî ïåðâûõ ýòî âîïðîñ ê ôîðóìó openwrt, à âî âòîðûõ ìîæåò ïðèâåäåòå òàáëèöó ïðàâèë ... ýêñòðàñåíñû â îòïóñêå

Åñëè ÿ ïðàâèëüíî ïîíèìàþ, ýòî íàçûâàåòñÿ transparent proxy. Íóæíî ïåðåíàïðàâëÿòü çàïðîñû ê 520gu èç åãî vlan íà 192.168.1.1:3128 âíóòðåííåé ñåòè îðãàíèçàöèè.

íàøåë íåêèé ñêðèïò


#!/bin/sh
INTERNAL_NETWORK="172.16.1.0/24" // ÿ òàê ïîíÿë äëÿ vlan ñåòè ðîóòåðà ëó÷øå ïîñòàâèòü äðóãîé äèàïàçîí, îòëè÷íûé îò èñïîëüçóåìîãî â ëîêàëêå îðãàíèçàöèè
ROUTER_IP="192.168.1.55" // ýòî ip wan ðîóòåðà â ëîêàëêå îðãàíèçàöèè?
PROXY_SERVER="192.168.1.1"
PROXY_PORT="3128"

iptables -t nat -A PREROUTING -i br0 -s $INTERNAL_NETWORK -d $INTERNAL_NETWORK -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -s ! $PROXY_SERVER -p tcp --dport 80 -j DNAT --to $PROXY_SERVER:$PROXY_PORT // àíàëîãè÷íî íàäî ñäåëàòü äëÿ 443 ïîðòà?
iptables -t nat -A POSTROUTING -o br0 -s $INTERNAL_NETWORK -d $PROXY_SERVER -p tcp -j SNAT --to $ROUTER_IP
iptables -I FORWARD -i br0 -o br0 -s $INTERNAL_NETWORK -d $PROXY_SERVER -p tcp --dport $PROXY_PORT -j ACCEPT
fi

êàê ìíå ýòî âñ¸ âïèõíóòü â ðîóòåð? sftp èç putty ãîâîðèò ÷òî íå óñòàíîâëåí êàêîé-òî ïàêåò.  êàêîé ôàéë ýòî ëó÷øå äîáàâèòü?

ïðîøèâêà îò ýíòóçèàñòîâ WL520gu-1.9.2.7-d-r1222.trx, íî ìîæíî íàêàòèòü è ïîíîâåå WL520gu-1.9.2.7-d-r2624.trx

Äîáðûé äåíü!!
Ïîäñêàæèòå ïîæàëóéñòà. Èìåþ ðîóòåð ñ ïðîøèâêîé open wrt. Âîò çàñàäà, íå ìîãó çàéòè èç ëîêàëüíîé ñåòè íà âíåøíèé ïîðò ðîóòåðà. Çíàêîìûå èç èíòåðíåòà çàõîäÿò ñâîáîäíî, ïîëó÷àåòñÿ ïîðò îòêðûò. À ÿ íå ìîãó èç ñâîåé æå ñåòè çàéòè.Ïîäñêàæèòå êàê íàñòðîèòü ïðàâèëî, ÷òîáû ÿ ìîã çàõîäèòü íà âåøíèé àäðåñ ðîóòåðà , ïðè ýòîì ÷òîáû ÿ ñòó÷àëñÿ íà íåãî âíåøíèì àäðåñîì, à íå âíóòðåííèì.

 OpenWRT íåò íåîáõîäèìîìòè äåëàòü ýòî ÷åðåç iptab. ×åðåç âåáìîðäó âûáðàòü ðåæèì Administration è â ìåíþ Network - Swich âêëþ÷èòü òî, ÷òî Âàì íóæíî.

 OpenWRT íåò íåîáõîäèìîìòè äåëàòü ýòî ÷åðåç iptab. ×åðåç âåáìîðäó âûáðàòü ðåæèì Administration è â ìåíþ Network - Swich âêëþ÷èòü òî, ÷òî Âàì íóæíî.

ñìûñë - çàéòè èç âíóòðåííåé ñåòè ïî âíåøíåìó àäðåñó, îòêóäà ïðîáðîñ îïÿòü âî âíóòðåííþþ ñåòü
äåëî íå â ñâè÷å, à â òîì ÷òî â openwrt ýòî, âèäèìî, íå ðåàëèçîâàíî.

Äîáðîãî âðåìåíè!
wl500gpv1
Ïîäñêàæèòå ïîæàëóéñòà, êàê çàñòàâèòü iptables ïîíèìàòü

-m addrtype
â ìîäóëÿõ íå íàøåë ipt_addrtype
íàäî åãî íàéòè è ïîäãðóçèòü, èëè âñå ãîðàçäî ñëîæíåå (êîìïèëèòü íå óìåþ)?

Äîáðîãî âðåìåíè!
wl500gpv1
Ïîäñêàæèòå ïîæàëóéñòà, êàê çàñòàâèòü iptables ïîíèìàòü

-m addrtype
â ìîäóëÿõ íå íàøåë ipt_addrtype
íàäî åãî íàéòè è ïîäãðóçèòü, èëè âñå ãîðàçäî ñëîæíåå (êîìïèëèòü íå óìåþ)?

À â âåòêå d (íà ÿäðå 2.4) åãî è íå áóäåò. À â âåòêå rtn (íà ÿäðå 2.6) ìîäóëü íå êîìïèëèðóåòñÿ, ò.ê. îí îòêëþ÷åí â kernel.config :cool:

Äîáðîãî âðåìåíè!
wl500gpv1
Ïîäñêàæèòå ïîæàëóéñòà, êàê çàñòàâèòü iptables ïîíèìàòü

-m addrtype
â ìîäóëÿõ íå íàøåë ipt_addrtype
íàäî åãî íàéòè è ïîäãðóçèòü, èëè âñå ãîðàçäî ñëîæíåå (êîìïèëèòü íå óìåþ)?

åãî âîîáùåò ìîæíî çàìåíèòü äðóãèìè.
êàêàÿ èìåííî çàäà÷à?

Ñïàñèáî çà îòâåòû!
1) Çàäà÷à - äðîïàòü áðîàäêàñòû äàáû íå çàñîðÿòü ëîã (óæ î÷åíü ìíîãî èõ ó íàñ â ñåòè), êàê-òî òàê:

iptables -I logdrop -i vlan1 -p udp -m addrtype --dst-type BROADCAST -m multiport --dports 67,137,138 -j DROP
ïðè÷åì áðîàäêàñòû ðàçíûå: 255.255.255.255, 46.188.õõ.255, 10.122.õõ.255, IP-øíèêè äèíàìè÷åñêèå
×òî ïîñîâåòóåòå?
2) Äàâíî âîëíóåò âîïðîñ - êàê ïðîùå è æåëàòåëüíî áåç usb-flash âûâîäèòü iptables-ëîã â îòäåëüíûé ôàéë âìåñòî syslog.log, æåëàòåëüíî ñ íàñòðîéêîé åãî ðàçìåðà è log-rotate-îì?
Ñëûøàë âðîäå ulogd ýòî óìååò èëè syslog-ng?
Èëè åùå êàêèå âàðèàíòû?

Доброго времени суток) Как Я могу на роутере сделать Open NAT? Заранее спасибо.

Äîáðîãî âðåìåíè ñóòîê) Êàê ß ìîãó íà ðîóòåðå ñäåëàòü Open NAT? Çàðàíåå ñïàñèáî.

ìîæåò áûòü òàê (http://www.youtube.com/watch?v=_pjsXAN3KSY)?

Äîáðîãî âðåìåíè ñóòîê) Êàê ß ìîãó íà ðîóòåðå ñäåëàòü Open NAT? Çàðàíåå ñïàñèáî.
What do you mean???
Êàêîé ðîóòåð? Ïðîøèâêà?
Íà ðîóòåðàõ (ëþáûõ) ïî-óìîë÷àíèþ NAT âñåãäà â êîìïëåêòå.
È êðîññ ïîñòèíãîì íå íàäî çàíèìàòüñÿ.

Çäðàâñòâóéòå, çàìó÷èëà ïðîáëåìà ñ äîñ àòàêàìè, â îñíîâíîì äîñÿò 27015 ïîðò.

Æåëåçî WL-500GP v1 + FlashRam, ïðîøèâêà (1.9.2.7-rtn-r3300)

 íîìèíàëå ïðîö â ðîóòîðå çàãðóæåí 25%, ïðè äîñå 100% è âñÿ ñåòü îòâàëèâàåòñÿ îò èíòåðíåòà.
Ïûòàëñÿ îáíîâèòü ïðîøèâêó, è íå ðàç.

â post-firewall ïîðòû îòêðûòû ïî òàêîìó ïðèöåïó.


#CounterStrike
iptables -A INPUT -p udp -m udp --dport 27015:27020 -m conntrack --ctstate NEW -m limit --limit 100/sec --limit-burst 100 -j A CCEPT
iptables -A INPUT -p udp --dport 27015:27020 -j DROP
iptables -t nat -A PREROUTING -p udp -d 213.141.157.254 --dport 27015:27016 -j DNAT --to-destination 192.168.1.11

#TeamSpeak3+Download+Uploads
iptables -t nat -A VSERVER -p tcp -m tcp --dport 9987:9997 -j DNAT --to 192.168.1.9
iptables -t nat -A VSERVER -p udp -m udp --dport 9987:9997 -j DNAT --to 192.168.1.9
iptables -t nat -A VSERVER -p tcp -m tcp --dport 30033 -j DNAT --to 192.168.1.9
iptables -t nat -A VSERVER -p tcp -m tcp --dport 10011 -j DNAT --to 192.168.1.9

Âñå ïîðòû îòêðûòû ïî àíàëîãèè ÷åðåç VSERVER, äî íåäàâíåãî âðåìåíè è ÊÑ ñåðâåðà òàê ðàáîòàëè, ïîòîì ïûòàëñÿ íàéòè ðåøåíèå,
è íàòêíóëñÿ íà (... --limit 100/sec ...) íî ðåçóëüòàòîâ íå äàëî.

ß òàê ïîíÿë ÷òî âñÿ ñåòü ïàäàåò èìåííî èç çà òîãî ÷òî ðîóòåð ÷òî òî òàì ôèëüòðóåò è èç çà ñëàáåíüêîãî ïðîöà âñ¸ âûëåòàåò.
È òóò ìíîãî âîïðîñîâ:

- Åñòü ëè ñïîñîáû ïðîòèâîñòîÿòü äîñó ?
- Åñëè æå íåòó ñïîñîáîâ, ìîæíî ëè êàê íèáóäü ïî äðóãîìó îòêðûâàòü ïîðòû, ÷òîá ïðè äîñå âñå ïàêåòèêè øëè ìèíóÿ ðîóòåð ïðÿì ê ñåðâåðó - ïóñü îäèí âèñèò.
- Êàê ïðàâèëüíî ÁÀÍÈÒÜ è ïîìîæåò ëè ýòî îò ÄÎÑà ? (ïðîáîâàë âîò òàê áàíèòü// iptables -A INPUT -s õõ.õõ.õõ.õõ -j DROP //ýôåêòà 0 )?
- Ìîæíî ëè ñäåëàòü Ëîãèðîâàíèå â ñòàíäàðòíîé âåáìîðäå áîëåå èíôîðìàòèâíîå ÷åì ïðîñòîé ëîã êîíåêòà è íàáëþäåíèå ÷åðåç tcpdump.(íó ê ïðèìåðó ïîêàçûâàëîñü êòî äîñèë, êîãî çà äîñ çàáàíèëî).?
- Èëè ìîæåò ñóùåñòâóþò áîëåå èíôîðìàòèâíûå ñåðâèñû\ïàêåòû êîòîðûå ìîãóò ëîãèðîâàòü è áàíèòü ê äîïîëíåíèþ ñòàíäàðòíîé âåáìîðäû.?

p.s. Íåñêîëüêî ðàç èñêàë ïî ôîðóìó ÷òîá ïîòîì íå ãîâîðèëè "èñêàë ïëîõî" âîçìîæíî è âïðàâäó èñêàë ïëîõî, íî ïîïàäàë ïðè çàïðîñàõ (DDOS\DOS\ÄÎÑ ÀÒÀÊÀ\áëîêèðîâêà àäðåñà) íà àíãëîÿçû÷íûå ïîñòû èëè æå íà òåìû ñ êîëè÷åñòâîì ïîñòîâ ïðåâûøàþùèõ çà òûñÿ÷ó.
Óæå óãðîçàì - "òåáÿ îòêëþ÷àò" îíè íå âåðÿò, à åñëè è îòêëþ÷èòü, òî âñåõ âñå ðàâíî íå ïåðåáàíþ âðó÷íóþ, óæ î÷åíü èõ ìíîãî ñòàëî.

UPD çíà÷èò ïðèìåðíî òàêîå ïðàâèëî äîëæíî ðàáîòàòü â îáõîä îãðîìíîé öåïî÷êè


iptables -t nat -A PREROUTING -p udp -i ppp0 --dport 27015:27017 -j DNAT --to-destination 192.168.1.11
iptables -A FORWARD -i ppp0 -d 192.168.1.11 -p tcp --dport 27015:27017 -j ACCEPT
ìèíèìàëüíî çàãðóæàÿ ðîóòåð. Îñòàëîñü ÷òî íèáóäü íàéòè äëÿ ëîãèðîâàíèÿ âñåõ àòàê è àâòî-áàíà.

Çäðàâñòâóéòå, çàìó÷èëà ïðîáëåìà ñ äîñ àòàêàìè, â îñíîâíîì äîñÿò 27015 ïîðò.
ïî óìîë÷àíèþ åñòü òàêàÿ òàáëèöà SECURITY, â êîòîðóþ ïîïàäàåò òðàôèê, åñëè âêëþ÷èòü DoS protection èç web èíòåðôåéñà.
ïðåäëàãàþ âêëþ÷èòü è ïîñìîòðåòü (iptables-save), êàê îíà èñïîëüçóåòñÿ.
p.s iptables -A äîáàâëÿåò ïðàâèëà ê ñóùåñòâóþùèì â êîíåö, ò.å äî äîáàâëåííûõ äåëî ìîæåò è íå äîéòè, â çàâèñèìîòè îò ýòèõ ñàìûõ ñóùåñòâóþùèõ

Ïðè ïåðåçàãðóçêå óñòðîéñòâà íóæíî áóäåò ïîâòîðíî äåëàòü êîìàíäó:

iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
?

Ïðè ïåðåçàãðóçêå óñòðîéñòâà íóæíî áóäåò ïîâòîðíî äåëàòü êîìàíäó:

iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
?
ìîæíî äîáàâèòü â post-firewall

ìîæíî äîáàâèòü â post-firewall
Òûêíèòå ïîæàëóéñòà ãäå îí äîëæåí íàõîäèòüñÿ è êàê åãî ïðàâèëüíî óñòàíàâëèâàòü (êàêèå äîï. äåéñòâèÿ íóæíî ïðåäïðèíÿòü äëÿ åãî ñîõðàíåíèÿ ïðè ïåðåçàãðóçêå).
ñïàñèáî!

Òûêíèòå ïîæàëóéñòà ãäå îí äîëæåí íàõîäèòüñÿ è êàê åãî ïðàâèëüíî óñòàíàâëèâàòü (êàêèå äîï. äåéñòâèÿ íóæíî ïðåäïðèíÿòü äëÿ åãî ñîõðàíåíèÿ ïðè ïåðåçàãðóçêå).
ñïàñèáî!
À äëÿ êîãî ïèñàëè ÔÀÊ (http://wl500g.info/showthread.php?t=2391)

Íó ïåðåàäðåñàöèÿ âðîäå íîðìàëüíî âñòàëà, à âîò ðàçðåøåíèÿ íà äîñòóï ê 80 ïîðòó ñíàðóæè íåò. Íóæíî ÿâíî ðàçðåøèòü (õîòÿ âåáìîðäà äîëæíà áûëà ñäåëàòü) äîñòóï èçâíå íà ïîðò 80 ...
÷òî-òî òèïà:

iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
ó âàñ ýòîãî íåò ...
Äîáàâëåíî, îäíàêî ñíàðóæè òàê è íå çàðàáîòàëî.
Ìîæåò áûòü êòî-òî ïîäñêàæåò, êàêèå ïðàâèëà íóæíî ïðîïèñàòü â iptables, ÷òîáû âõîäÿùèå ñíàðóæè ñîåäèíåíèÿ ïî ïîðòó X ïåðåáðàñûâàëèñü íà ïîðò Y îïðåäåëåííîãî IP, êîòîðûé òîæå íàõîäèòñÿ ñíàðóæè?
Íàñòðîéêè âîò:
http://wl500g.info/showpost.php?p=242421&postcount=359
Ñòðîêà

iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
òóäà äîáàâëåíà, íî íå ðàáîòàåò.

Ïîõîæå ïðîáëåìà â:

-A FORWARD -i ! br0 -o vlan1 -j DROP
ò.ê. îòáðàñûâàþòñÿ ïàêåòû

kernel: DROP IN=vlan1 OUT=vlan1
Äîáàâëÿþ ïðàâèëî:

iptables -A FORWARD -p tcp -i vlan1 -o vlan1 -d xxx.xxx.xxx.xxx -j ACCEPT
Íî îíî äîáàâëÿåòñÿ ïîñëåäíèì â FORWARD, ïîýòîìó äî íåãî íå äîõîäèò õîä?
Êàê ñäåëàòü òàê, ÷òîáû ïðàâèëî ñòîÿëî âûøå, ÷åì çàïðåò:
FORWARD -i ! br0 -o vlan1 -j DROP

Íó åñëè áû áûëè çàêðûòû, ÿ á íå ñïðàøèâàë. )
Ñêàíèðóþ:

$ nmap ***.no-ip.info

Starting Nmap 5.51 ( http://nmap.org ) at 2011-07-28 01:48 YEKT
Nmap scan report for ***.no-ip.info (**.**.228.67)
Host is up (0.031s latency).
rDNS record for **.**.228.67:
Not shown: 997 closed ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
443/tcp open https

Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds
Âîò âîò, è ó ìåíÿ òàêàÿ æå ôèãíÿ. Ïåðåïðîáîâàë ìíîãî ñïîñîáîâ, íè îäèí íå ðàáîòàåò. Ìíå òîæå êàê è òîâàðèùó Satoorn íóæíî çàêðûòü ïîðòû èç èíòåðíåòà. Ïîâòîðÿþ, íå îòêðûòü à ÇÀÊÐÛÒÜ! Ãóðó, please help!! Åñëè ýòî íå âîçìîæíî, òî ñêàæèòå ñðàçó, ÷åãî òÿíóòü êîòà çà ÿéöà.

êîðî÷å íîâûé âîïðîñ: ïðè âûâîäå êîìàíäû iptables-save âîò ÷òî ìíå âûäàëî:

# Generated by iptables-save v1.3.8 on Sun Jan 15 20:01:56 2012
*nat
:PREROUTING ACCEPT [4303:377290]
:POSTROUTING ACCEPT [80:5033]
:OUTPUT ACCEPT [87:6425]
:VSERVER - [0:0]
-A PREROUTING -d 193.169.4.220 -j VSERVER
-A POSTROUTING -s ! 193.169.4.220 -o vlan1 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o br0 -j MASQUERADE
COMMIT
# Completed on Sun Jan 15 20:01:56 2012
# Generated by iptables-save v1.3.8 on Sun Jan 15 20:01:56 2012
*mangle
:PREROUTING ACCEPT [8734:1632129]
:INPUT ACCEPT [1358:191309]
:FORWARD ACCEPT [3563:1112594]
:OUTPUT ACCEPT [1442:1215040]
:POSTROUTING ACCEPT [5089:2348536]
COMMIT
# Completed on Sun Jan 15 20:01:56 2012
# Generated by iptables-save v1.3.8 on Sun Jan 15 20:01:56 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [292:18364]
:OUTPUT ACCEPT [1364:1178248]
:BRUTE - [0:0]
:MACS - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -i vlan1 -p udp -m udp --dport 27015 -j ACCEPT
-A INPUT -i vlan1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i vlan1 -p udp -m udp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i vlan1 -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state INVALID -j logdrop
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j logaccept
-A INPUT -i br0 -m state --state NEW -j logaccept
-A INPUT -i vlan1 -m state --state NEW -j SECURITY
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j BRUTE
-A INPUT -p tcp -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -j BRUTE
-A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 80 -j logaccept
-A INPUT -j logdrop
-A INPUT -d 80.0.0.0 -i vlan1 -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -d 80.0.0.0 -i vlan1 -p tcp -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -o br0 -j logaccept
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ! br0 -o vlan1 -j logdrop
-A FORWARD -i ! br0 -m state --state NEW -j SECURITY
-A FORWARD -m conntrack --ctstate DNAT -j logaccept
-A FORWARD -o br0 -j logdrop
-A BRUTE -m recent --update --seconds 600 --hitcount 3 --name BRUTE --rsource -j logdrop
-A BRUTE -m recent --set --name BRUTE --rsource -j logaccept
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p udp -m limit --limit 5/sec -j RETURN
-A SECURITY -p icmp -m limit --limit 5/sec -j RETURN
-A SECURITY -j logdrop
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Sun Jan 15 20:01:57 2012

Òåïåðü ñîáñíà ñàì âîïðîñ: ìîæíî ëè êàêèì íèáóäü ñïîñîáîì óáðàòü èç ôàéëà iptables ñòðî÷êè ãäå îòêðûâàåòüñÿ 80, 21 è ò.ä ïîðòû?

Íî îíî äîáàâëÿåòñÿ ïîñëåäíèì â FORWARD, ïîýòîìó äî íåãî íå äîõîäèò õîä?
Êàê ñäåëàòü òàê, ÷òîáû ïðàâèëî ñòîÿëî âûøå, ÷åì çàïðåò:
FORWARD -i ! br0 -o vlan1 -j DROP
-A add äîáàâèòü â êîíåö
-I insert âñòàâèòü (â äàííîì ñëó÷àå â íà÷àëî)
man iptables ... íó ñêîëüêî ìîæíî???


Âîò âîò, è ó ìåíÿ òàêàÿ æå ôèãíÿ. Ïåðåïðîáîâàë ìíîãî ñïîñîáîâ, íè îäèí íå ðàáîòàåò. Ìíå òîæå êàê è òîâàðèùó Satoorn íóæíî çàêðûòü ïîðòû èç èíòåðíåòà. Ïîâòîðÿþ, íå îòêðûòü à ÇÀÊÐÛÒÜ! Ãóðó, please help!! Åñëè ýòî íå âîçìîæíî, òî ñêàæèòå ñðàçó, ÷åãî òÿíóòü êîòà çà ÿéöà.

Òåïåðü ñîáñíà ñàì âîïðîñ: ìîæíî ëè êàêèì íèáóäü ñïîñîáîì óáðàòü èç ôàéëà iptables ñòðî÷êè ãäå îòêðûâàåòüñÿ 80, 21 è ò.ä ïîðòû?
Âíèìàòåëüíî èçó÷èòü ÂÅÑÜ âåá-èíòåðôåéñ ïðîøèâêè ... Îòêëþ÷èòü âñå ÷òî íå íóæíî ... È ïîèñê íèêòî íå îòìåíÿë... È èçó÷åíèå ìàò÷àñòè ...

Óâàæàåìûå ïîëüçîâàòåëè äàííîé ïðîøèâêè!
Íó êàê åùå äî Âàñ äîâåñòè áàíàëüíûå èñòèíû???
"Ýíòóçèàñòû" êîòîðûå ïðîäîëæèëè ïóòü Îëåãà (ñïàñèáî èì) óæå ñäåëàëè âñå âîçìîæíîå äëÿ äâóõ âåùåé:
1) Ïî óìîë÷àíèþ ïðîøèâêà ïî ìàêñèìóìó çàùèùåíà èçâíå.
2) Áîëüøèíñòâî íàñòðîåê êîòîðûå íóæíû 95% ïîëüçîâàòåëåé âûíåñåíû â âåá-ìîðäó.
Ñäåëàòü óíèâåðñàëüíî äëÿ âñåõ íå âûéäåò. Åñëè âû õîòèòå áîëüøåãî òî íå ïîëåíèòåñü èçó÷èòü ìàò÷àñòü è õîòÿ-áû ÔÀÊ ýòîãî ôîðóìà ...
Âîïðîñû êîòîðûå âû çàäàåòå óæå íå ðàç îáñóæäàëèñü ... È ïîéìèòå ÷òî êîïèðîâàòü êîä èç ôîðóìà è âñòàâëÿòü åãî â êîìàíäíóþ ñòðîêó òåðìèíàëà (ÍÅ ÏÎÍÈÌÀß ×ÒÎ îí çíà÷èò ìîæåò îáåðíóòüñÿ ïðîòèâ âàñ ñàìèõ) ... Ñòðî÷êè êîäà ïðèâîäÿò äëÿ òîãî ÷òî áû íàãëÿäíî ïîêàçàòü ïðèìåð èñïîëüçîâàíèÿ êîìàíäû, à íå êàê íåïðåëîæíîå äåéñòâèå ... Âîò ïðîñòîé ïðèìåð (åùå èç ñòàðûõ *NIX ôîðóìîâ):

rm -r /tmp
ïðîñòî î÷èñòèò âðåìåííóþ äèðåêòîðèþ, à êîìàíäà

rm -r / tmp
çàïóùåííàÿ ïîä ðóòîì ñäåëàåò î÷åíü ïëîõî ... Ïðîñòî óáüåò âñå ...

Ðàçîáðàëñÿ ÿ ñ ýòèì iptables. Âñå îêàçàëîñü íàìíîãî ïðîùå! Äåëî â òîì, ÷òî ÿ ñêàíèðîâàë ïîðòû èç ëîêàëüíîé ñåòè, ïîýòîìó îíè äëÿ ìåíÿ áûëè îòêðûòû. Íî ïðîâåðèâ ïîðòû ñ ïîìîùüþ http://www.t1shopper.com/tools/port-scan/, âñå ñîìíåíèÿ ïðîïàëè. Òîâàðèù Satoorn, ñîâåòóþ Âàì òîæå âîñïîëüçîâàòüñÿ ïðèâåäåííûì âûøå ñàéòîì, ìîæåò ó Âàñ âñå íå òàê óæ è ïëîõî.

Ïîäñêàæèòå, ïîæàëóéñòà, êàê ìîæíî ñîõðàíèòü íàñòðîéêè iptables?
Äîáàâëÿþ ñïåöèôè÷íûå ðàçðåøåíèÿ êîìàíäîé iptables ******, âñå ðàáîòàåò, íî ïîñëå ïåðåçàãðóçêè ðîóòåðà îíè ïðîïàäàþò.
Ðîóòåð: WL-500gP
Ïðîøèâêà: WL500gp-1.9.2.7-d-r2624

 Linux î÷åíü íå ñèëåí... :(

Çàðàíåå ñïàñèáû çà îòâåòû! :)

Ïîäñêàæèòå, ïîæàëóéñòà, êàê ìîæíî ñîõðàíèòü íàñòðîéêè iptables?
Äîáàâëÿþ ñïåöèôè÷íûå ðàçðåøåíèÿ êîìàíäîé iptables ******, âñå ðàáîòàåò, íî ïîñëå ïåðåçàãðóçêè ðîóòåðà îíè ïðîïàäàþò.
Ðîóòåð: WL-500gP
Ïðîøèâêà: WL500gp-1.9.2.7-d-r2624

 Linux î÷åíü íå ñèëåí... :(

Çàðàíåå ñïàñèáû çà îòâåòû! :)

Ñíà÷àëà èçó÷èòü http://wl500g.info/showthread.php?t=15068 ... åñëè íå ïîìîæåò ïîèñê ïî ôîðóìó "post-firewall"

Ïðèâåòñòâóþ!
Äåëàþ äîìàøíèé ñåðâåð èç íåòáóêà áåç ìàòðèöû. Äîøåë äî íàñòðîéêè ôàéðâîëà. Êîãäà ó ìåíÿ áûë ðîóòåð wl500gp ñ ïðîøèâêîé îò ýíòóçèàñòîâ - âñå óñòðàèâàëî è ïðîáëåì íå áûëî.

Ïîäñêàæèòå, ïîæàëóéñòà, êàêèå ïðàâèëà iptables ïî óìîë÷àíèþ äåéñòâóþò â ïðîøèâêå îò ýíòóçèàñòîâ? Èíòåðôåéñ èíòåðíåòà ppp0 (USB-ìîäåì).

Êàìðàäåí, ïèøó ñ êàëüêóëÿòîðà â ðîóìèíãå ÷åðåç ïðîêñè, ïîèñê ãëþ÷èò.

íàïîìíèòå, åñëè íåòðóäíî, êàê íà RT-16 ïðîáðîñèòü 10000 íà 80 íà àäðåñ, íàïðèìåð, 10.10.0.10.
âîò òàê ðàáîòàëî

iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 10000 -j DNAT --to-destination 10.10.0.10:80

à ïîòîì âíåçàïíî ïðåêðàòèëî. è òåëíåòîì íå ñòó÷èò, è áðàóçåðîì.

ñïàñèáî çà ïîíèìàíèå.

êîíêðåòèçèðóþ. íà âåá-ñåðâåðå âíóòðè ñåòè èäåò ðåäèðåêò ñ 80 íà 443 (SSL). åñëè ïðàâèëî âîò òàê

iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 10000 -j DNAT --to-destination 10.10.0.10:443
òî, çàõîäÿ ñíàðóæè íà site:10000, ÿ âèæó îøèáêó ñåðòèôèêàòà, íàæèìàþ "âñå ðàâíî èäòè", è âñå. íå îòêðûâàåòñÿ íè÷åãî.
åñëè ëåçòü ïåðâûì âàðèàíòîì (ãäå ïðîáðîñ íà 80), òî íå ïðîèñõîäèò âîîáùå íè÷åãî.

íà âåá-ñåðâåðå âíóòðè ñåòè èäåò ðåäèðåêò ñ 80 íà 443 (SSL)
Êàê êîíêðåòíî íàñòðîåí ýòîò ðåäèðåêò?

Êàê êîíêðåòíî íàñòðîåí ýòîò ðåäèðåêò?

Ðåäèðåêò ñòàíäàðòíî ÷åðåç CGI íà Àïà÷å, ñåé÷àñ ïîïðîáîâàë ñ ìîáèëüíîãî, çàõîäèò. Çíà÷èò äåëî íå â áîááèíå, ïî õîäó.

Æåëåçî Asus RT-N12 1.9.2.7-rtn-r3121
Ïîìîãèòå îòðåçàòü òðàô àéïèøíèêó ñðåäñòðàìè ðîóòåðà.
 ïðîøèâêå îáíàðóæèë iptables è ðåøèë çàáëî÷èòü ÷åðåç íåãî.
iptables -A INPUT -s 91.219.194.29 -j DROP

Âûâîæó ñïèñîê ïðàâèë iptables -L -n
çàïèñü åñòü

DROP all -- 91.219.194.29 0.0.0.0/0

Íî òðàôèê ñ ýòîãî àäðåñà íå áëîêèðóåòñÿ :mad:

PING 91.219.194.29 (91.219.194.29): 56 data bytes
64 bytes from 91.219.194.29: seq=0 ttl=58 time=32.768 ms
64 bytes from 91.219.194.29: seq=1 ttl=58 time=32.499 ms
64 bytes from 91.219.194.29: seq=2 ttl=58 time=32.528 ms
64 bytes from 91.219.194.29: seq=3 ttl=58 time=32.139 ms

--- 91.219.194.29 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 32.139/32.483/32.768 ms

Ïî÷åìó ïðàâèëà íå ïðèìåíÿþòñÿ?
Ìîæåò íóæíî ðåñòàðòèòü ñåðâèñ iptables?
Ïîäñêàæèòå ïðîøó.
-------------
Ïðî÷èòàë ÿ ïðî post-firewall.
Áåç ðåáóòà íèêàê íåëüçÿ ïðèìåíÿòü ïðàâèëà? Ýòî î÷åíü íå óäîáíî.