Íåñêîëüêî DNS è dnsmasq

**mixir** · 13-07-2011, 10:12

Originally Posted by reiten

Ñòðàííî. Åñëè âñå ñäåëàíî ïðàâèëüíî, äîëæíî ðàáîòàòü. Êàêàÿ ïðîøèâêà? 53-é ïîðò ïðîáðàñûâàåòñÿ è äëÿ tcp-, è äëÿ udp-ñîåäèíåíèé?

Êàê âàðèàíò - âïèñàòü â post-firewall

Code:

iptables -t nat -A VSERVER -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.x
iptables -t nat -A VSERVER -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.x

Íî ýòî êðàéíÿÿ ìåðà.

Ïðîøèâêà 1.9.2.7-10 ïðîáðàñûâàë îáà TCP è UPD ÷åðåç BOTH, udp ïðîáðîñèëñÿ è ðàáîòàåò, à TCP íåò. Ñåðâåð íà ëîêàëüíîé ìàøèíå bind îòêðûâàåò è tcp è udp.

ïî÷åìó òî post-firewall òàì ãäå îí äîëæåí ëåæàòü ÿ íå íàøåë ó ñåáÿ íà ðîóòåðå

âïèñûâàíèå ÷åðåç telnet íå äàëî ðåçóëüòàòîâ, 53 ïîðò çàêðûò íàðóæó..

**mixir** · 13-07-2011, 14:23

53 UDP ïðîáðàñûâàåòñÿ íîðìàëüíî, èç èíòåðíåòà âèäíî è ìîæíî ðåçîëâèòü àäðåñà, à âîò 53 TCP çàêðûò....âñå áû íè÷åãî íî 53 TCP íóæåí äëÿ AXFR

**mixir** · 13-07-2011, 18:32

Õåëï

âîò ëèñòèíã IPTABLES

Code:

IP Tables

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate INVALID 
 3787 1146K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           ctstate NEW 
  172 37632 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0           ctstate NEW 
    4   128 ACCEPT     2    --  *      *       0.0.0.0/0            224.0.0.0/4         
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.0/4         udp dpt:!1900 
   15  6981 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68 
  983 79078 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 1303 packets, 77261 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate INVALID 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.0/4         
  820 42000 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU 
 4927 1231K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 DROP       all  --  !br0   ppp0    0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  !br0   vlan1   0.0.0.0/0            0.0.0.0/0           
  132 10040 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate DNAT 

Chain OUTPUT (policy ACCEPT 4404 packets, 1150K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain BRUTE (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain MACS (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain SECURITY (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 1/sec burst 5 
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x04 limit: avg 1/sec burst 5 
    0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5 
    0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain UPNP (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.10        udp dpt:60669 

Chain logaccept (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate NEW LOG flags 39 level 4 prefix `ACCEPT ' 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate NEW LOG flags 39 level 4 prefix `DROP ' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           


IP Tables NAT

Chain PREROUTING (policy ACCEPT 1871 packets, 133K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  332 25807 VSERVER    all  --  *      *       0.0.0.0/0            85.21.63.199        
  192 10109 VSERVER    all  --  *      *       0.0.0.0/0            10.86.68.141        

Chain POSTROUTING (policy ACCEPT 47 packets, 4283 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  544 31737 MASQUERADE  all  --  *      ppp0   !85.21.63.199         0.0.0.0/0           
  143  7796 MASQUERADE  all  --  *      vlan1  !10.86.68.141         0.0.0.0/0           
   28  2250 MASQUERADE  all  --  *      br0     192.168.1.0/24       192.168.1.0/24      

Chain OUTPUT (policy ACCEPT 49 packets, 4595 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain UPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1    80 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:60669 to:192.168.1.10:60669 

Chain VSERVER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  524 35916 UPNP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:192.168.1.5 
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21 to:192.168.1.5 
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:9300:9600 to:192.168.1.5 
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 to:192.168.1.5 
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 to:192.168.1.5 
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53 to:192.168.1.5 
    8   516 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 to:192.168.1.5 
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:60 to:192.168.1.5:80

**mixir** · 13-07-2011, 18:40

È åùå ïî÷åìó òî åùå îäíî ïðàâèëî èç VSERVER íå îáðàáàòûâàåòñÿ
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:60 to:192.168.1.5:80

äîñòóï èç âíåøêè íà 60 ñ ôîðâàðäèíãîì íà HTTP

ïðîøèâêó îáíîâèë äî 1.9.2.7-rtn-r3121 - òåæå ãðàáëè

**reiten** · 13-07-2011, 19:29

Ïîäðîáíî ðàçîáðàë âûâîä iptables è ñðàâíèë ñ ñèòóàöèåé íà ñâîåì RT-N16. Íèêàêîé êðàìîëû íå íàøåë.

Êàê âðåìåííóþ ìåðó, ìîæíî ïîïðîáîâàòü íà ðîóòåðå ÷òî-òî âðîäå

Code:

iptables -I FORWARD -d 192.168.1.5 -p tcp -m tcp --dport 53 -j ACCEPT

Ýòî íà ñëó÷àé, åñëè ÿ ÷òî-òî ïðîãëÿäåë, è ñ ôèëüòðàìè ÷òî-òî íàõîìóòàëè.

Â ïðîòèâíîì ñëó÷àå õîòåëîñü áû ãëÿíóòü ëîã iptables ñ êîìïüþòåðà 192.168.1.5 - ìîæåò íà íåì ÷òî-òî èíòåðåñíîå ïðîïèñàíî.
Êñòàòè, ÷òî ïðîèñõîäèò, åñëè ñ ðîóòåðà ïîïðîáîâàòü çàïóñòèòü:

Code:

 telnet 192.168.1.5 53

?

**mixir** · 13-07-2011, 20:15

Originally Posted by reiten

Ïîäðîáíî ðàçîáðàë âûâîä iptables è ñðàâíèë ñ ñèòóàöèåé íà ñâîåì RT-N16. Íèêàêîé êðàìîëû íå íàøåë.

Êàê âðåìåííóþ ìåðó, ìîæíî ïîïðîáîâàòü íà ðîóòåðå ÷òî-òî âðîäå

Code:

iptables -I FORWARD -d 192.168.1.5 -p tcp -m tcp --dport 53 -j ACCEPT

Ýòî íà ñëó÷àé, åñëè ÿ ÷òî-òî ïðîãëÿäåë, è ñ ôèëüòðàìè ÷òî-òî íàõîìóòàëè.

Â ïðîòèâíîì ñëó÷àå õîòåëîñü áû ãëÿíóòü ëîã iptables ñ êîìïüþòåðà 192.168.1.5 - ìîæåò íà íåì ÷òî-òî èíòåðåñíîå ïðîïèñàíî.
Êñòàòè, ÷òî ïðîèñõîäèò, åñëè ñ ðîóòåðà ïîïðîáîâàòü çàïóñòèòü:

Code:

 telnet 192.168.1.5 53

?

iptables ñ 192.168.1.5:

Code:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ISPCP_INPUT  all  --  any    any     anywhere             anywhere            
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp spt:domain 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp spt:domain 
 2839 2015K ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp spt:www 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ISPCP_OUTPUT  all  --  any    any     anywhere             anywhere            
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:domain 

Chain ISPCP_INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0            tcp  --  any    any     anywhere             anywhere            tcp spt:submission 
    0     0            tcp  --  any    any     anywhere             anywhere            tcp spt:ssmtp 
    0     0            tcp  --  any    any     anywhere             anywhere            tcp spt:smtp 
    0     0            tcp  --  any    any     anywhere             anywhere            tcp dpt:imaps 
    0     0            tcp  --  any    any     anywhere             anywhere            tcp dpt:pop3s 
    0     0            tcp  --  any    any     anywhere             anywhere            tcp dpt:submission 
    0     0            tcp  --  any    any     anywhere             anywhere            tcp dpt:ssmtp 
    0     0            tcp  --  any    any     anywhere             anywhere            tcp dpt:smtp 
    0     0            tcp  --  any    any     anywhere             anywhere            tcp dpt:imap2 
    0     0            tcp  --  any    any     anywhere             anywhere            tcp dpt:pop3 
    0     0            tcp  --  any    any     anywhere             anywhere            tcp dpt:https 
    0     0            tcp  --  any    any     anywhere             anywhere            tcp dpt:www 
    0     0            tcp  --  any    any     anywhere             anywhere            tcp dpt:domain 
    0     0 RETURN     all  --  any    any     anywhere             anywhere            

Chain ISPCP_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0            tcp  --  any    any     anywhere             anywhere            tcp dpt:submission 
    0     0            tcp  --  any    any     anywhere             anywhere            tcp dpt:ssmtp 
    0     0            tcp  --  any    any     anywhere             anywhere            tcp dpt:smtp 
    0     0            tcp  --  any    any     anywhere             anywhere            tcp spt:imaps 
    0     0            tcp  --  any    any     anywhere             anywhere            tcp spt:pop3s 
    0     0            tcp  --  any    any     anywhere             anywhere            tcp spt:submission 
    0     0            tcp  --  any    any     anywhere             anywhere            tcp spt:ssmtp 
    0     0            tcp  --  any    any     anywhere             anywhere            tcp spt:smtp 
    0     0            tcp  --  any    any     anywhere             anywhere            tcp spt:imap2 
    0     0            tcp  --  any    any     anywhere             anywhere            tcp spt:pop3 
    0     0            tcp  --  any    any     anywhere             anywhere            tcp spt:https 
    0     0            tcp  --  any    any     anywhere             anywhere            tcp spt:www 
    0     0            tcp  --  any    any     anywhere             anywhere            tcp spt:domain 
    0     0 RETURN     all  --  any    any     anywhere             anywhere

åñëè ñ ðîóòåðà çàïóñòèòü telnet 192.168.1.5 53 òî îí ïîäêëþ÷èòüñÿ è áóäåò ïðåäëàãàòü ââîäèòü ÷òî íèáóäü, âèäèìî íàäî ôîðìèðîâàòü ïðàâèëüíûé çàãîëîâîê ÷òîáû ÷òî-òî òàì â îòâåò ïîëó÷èòü...

êîìïüþòåð 192.168.1.10 òîæå ïîäêëþ÷àåòñÿ ê 192.168.1.5:53, çíà÷èò âñåòàêè äåëî â ðîóòåðå

**reiten** · 14-07-2011, 12:42

Ñîãëàñåí, ïðîáëåìà â ðîóòåðå.
Åùå èäåÿ: ïîïðîáóéòå îòêëþ÷èòü fast-nat:

Code:

nvram set misc_fastnat_x=0
nvram commit && reboot

**mixir** · 17-07-2011, 21:53

Originally Posted by reiten

Ñîãëàñåí, ïðîáëåìà â ðîóòåðå.
Åùå èäåÿ: ïîïðîáóéòå îòêëþ÷èòü fast-nat:

Code:

nvram set misc_fastnat_x=0
nvram commit && reboot

Ê ñîæàëåíèþ è ýòî íå ïîäîøëî

53 TCP ïîðò òàê è íå îòêðûëñÿ...

íà âñÿêèé ñëó÷àé, ïðîâåðÿþ ïîðòû ýòèì http://canyouseeme.org/

**reiten** · 18-07-2011, 13:42

Òîãäà ó ìåíÿ êîí÷èëèñü èäåè

Ðàçâå ÷òî ïîïðîáîâàòü ïîäêëþ÷èòü èíåò íàïðÿìóþ ê íóæíîìó êîìïüþòåðó, ÷òîáû óáåäèòüñÿ, ÷òî ýòî íå êîçíè ïðîâàéäåðà.

×òî äî ïðîâåðêè ïîðòîâ - ÿ ïðîáîâàë ñòó÷àòüñÿ íà Âàø IP (îí ìåëüêàåò â ëîãàõ iptables). 53é è 60é ïîðò çàêðûòû, òîãäà êàê òîò æå 80é îòâå÷àåò áåç ïðîáëåì.

**mixir** · 19-07-2011, 11:05

Originally Posted by reiten

Òîãäà ó ìåíÿ êîí÷èëèñü èäåè

Ðàçâå ÷òî ïîïðîáîâàòü ïîäêëþ÷èòü èíåò íàïðÿìóþ ê íóæíîìó êîìïüþòåðó, ÷òîáû óáåäèòüñÿ, ÷òî ýòî íå êîçíè ïðîâàéäåðà.

×òî äî ïðîâåðêè ïîðòîâ - ÿ ïðîáîâàë ñòó÷àòüñÿ íà Âàø IP (îí ìåëüêàåò â ëîãàõ iptables). 53é è 60é ïîðò çàêðûòû, òîãäà êàê òîò æå 80é îòâå÷àåò áåç ïðîáëåì.

À ó âàñ íà ðîóòåðå åñëè ïîïðîáûâàòü 53 ïîðò ïðîáðîñèòü, îí ïðîáðîñèòüñÿ èëè òê æå áóäåò? ß êñòàòè äåëàë ïðîáðîñ ñ 60 âíåøíåãî íà 80 âíóòðåííèé (192.168.1.5) è òîæå íå ïîëó÷èëîñü ÷òî ïî÷åìó-òî íàâîäèò íà ìûñëü î òîì ÷òî òàì äèàïàçîí çàáëîêèðîâàí, õîòÿ ìîæåò áûòü îïÿòü ñïåöèôèêà ðîóòåðà, îí ìíå óæå ñòîëüêî ìó÷åíèé ïðèíåñ, ðàíüøå íà ñòàðîé ïðîøèâêå âðåìåíàìè âîîáùå íè÷åãî íå ïðîáðàñûâàë.

ß íå îñîáûé çíàòîê ëèíóêñà íî dnsmasq âûïîëíÿåòñÿ îò èìåíè nobody ìîæåò â ýòîì ïðîáëåìà?

**TReX** · 19-07-2011, 11:28

Originally Posted by mixir

À ó âàñ íà ðîóòåðå åñëè ïîïðîáûâàòü 53 ïîðò ïðîáðîñèòü, îí ïðîáðîñèòüñÿ èëè òê æå áóäåò? ß êñòàòè äåëàë ïðîáðîñ ñ 60 âíåøíåãî íà 80 âíóòðåííèé (192.168.1.5) è òîæå íå ïîëó÷èëîñü ÷òî ïî÷åìó-òî íàâîäèò íà ìûñëü î òîì ÷òî òàì äèàïàçîí çàáëîêèðîâàí, õîòÿ ìîæåò áûòü îïÿòü ñïåöèôèêà ðîóòåðà, îí ìíå óæå ñòîëüêî ìó÷åíèé ïðèíåñ, ðàíüøå íà ñòàðîé ïðîøèâêå âðåìåíàìè âîîáùå íè÷åãî íå ïðîáðàñûâàë.

ß íå îñîáûé çíàòîê ëèíóêñà íî dnsmasq âûïîëíÿåòñÿ îò èìåíè nobody ìîæåò â ýòîì ïðîáëåìà?

Îáû÷íî äèàïàçîí íèæå 1000 ó ïðîâàéäåðà çàáëîêèðîâàí, òàê ÷òî ïðîáðîñ íàïðèìåð 2080 -> 80 ðàáîòàåò ïðåêðàñíî )

**reiten** · 19-07-2011, 11:38

Ó ìåíÿ íà ðîóòåðå êðîìå dnsmasq ðàáîòàåò bind (ïîëíîöåííûé dns-ñåðâåð, êîòîðûé äåðæèò äîìåííóþ çîíó), à ïîòîìó 53é ïîðò ïðîáðîøåí íà ñàì æå ðîóòåð:

Code:

iptables -t nat -A VSERVER -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.1:553
iptables -t nat -A VSERVER -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.1:553

È ýòà ñâÿçêà îòëè÷íî ðàáîòàåò.

dnsmasq òóò íàâåðíÿêà íå ïðè ÷åì.
×òî äî áëîêèðîâêè äèàïàçîíà àäðåñîâ - âïîëíå âîçìîæíî. Òàêèìè ôîêóñàìè ãðåøàò è íåêîòîðûå ïðîâàéäåðû. Ïîýòîìó è åñòü ñìûñë ïîïðîáîâàòü ïîäêëþ÷èòü êîìïüþòåð íàïðÿìóþ - ìîæåò áûòü ðîóòåð òóò è íå ïðè ÷åì.

UPD

Originally Posted by TReX

Îáû÷íî äèàïàçîí íèæå 1000 ó ïðîâàéäåðà çàáëîêèðîâàí, òàê ÷òî ïðîáðîñ íàïðèìåð 2080 -> 80 ðàáîòàåò ïðåêðàñíî )

Âåñü äèàïàçîí òàì òî÷íî íå áëîêèðîâàí: 80é ïîðò ó íåãî îòêðûò, ÿ ïðîâåðÿë.

**mixir** · 19-07-2011, 12:07

Ñåãîäíÿ âå÷åðîì ïðèäó ñ ðàáîòû ïðîâåðþ, ñåé÷àñ ïðîñòî âîçìîæíîñòè íåò, åùå âû÷èòàë íà ôîðóìå ïðî nvram show | grep forward_port ìîæåò òàì ÷òî-òî èíòåðåñíîå íàéäåòñÿ... 53 UDP ðàáîòàåò, íàïðèìåð åñëè ÷åðåç nslookup äåëàòü òî âñå ïàøåò, äðóãîå äåëî ÷òî åùå íóæíî TCP äëÿ îáìåíà...

**mixir** · 19-07-2011, 19:01

reiten ñïàñèáî çà ïîìîùü!

Ïîòðàòèë âå÷åðîì 3 ÷àñà íà æåñòêèé è ñòðàñòíûé ïðîöåññ ïîäíÿòèÿ âïí øòàòíûìè ñðåäñòâàìè óáóíòû....è êàê âûÿñíèëîñü 53 ïîðò çàêðûò

òåïåðü íàäî âûÿñíèòü êòî åãî çàêðûâàåò óáóíòà èëè ïðîâàéäåð

**reiten** · 19-07-2011, 19:52

Çíà÷èò, íóæíî òðåòèðîâàòü ïîääåðæêó ïðîâàéäåðà.
Ubuntu âíå ïîäîçðåíèé - åå èñêëþ÷èëè ïðîâåðêè èç ïîñòà #121.

Thread: Íåñêîëüêî DNS è dnsmasq

Thread Tools

Rate This Thread

Display

Similar Threads

Ôèëüòðàöèÿ íåæåëàòåëüíîãî êîíòåíòà (dnsmasq+adsuck+dnscrypt)

Íåñêîëüêî âîïðîñîâ ïî Samba è USB HDD

problem with edited dnsmasq.conf

Dnsmasq, could this be a problem/security risk ?

New firmware - dnsmasq

Tags for this Thread

Posting Permissions