Íàñòðîéêà IPTables

**Power** · 25-06-2010, 14:18

Originally Posted by Timuchin

ïðîñòèòå çà íåêðîïîñò, íî ýòî âðîäå êàê åäèíñòâåííàÿ òåìà ïðî Iptables.

ñòîèò çàäà÷à îãðàíè÷èòü âíåøíèé äîñòóï ê æåëåçêå.
ñ âíåøíåãî àäðåñà (èçâåñòíîãî) ïîëó÷èòü äîñòóï ê âåá èíòåðôåéñó ìîäåìà,
âåá èíòåðôåéñó òîððåíòà è åñòåñòâåííî SSH èçâíå ñ ëþáîãî àäðåñà.
âñå îñòàëüíûå äîñòóïû ïåðåêðûòü.

äîñòóï èçíóòðè íàðóæó îñòàâèòü îòêðûòûì.

ÿ â íàñòðîéêå Iptables ñîâñåì ÷àéíèê. íå ñóäèòå ñòðîãî.
ïîêà ÷òî ó ìåíÿ òîêà 2 ñòðî÷êè...
iptables -I INPUT -s (àäðåñ âíåøíåãî èñòî÷íèêà) -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 51778 -j ACCEPT

ssh îòêðûò âðîäå êàê, ñòîèò ëè ïåðåêðûâàòü òåëíåò?

çàðàíåå ñïàñèáî çà ñîâåòû.

Âàì íóæíî ÷òî-òî âðîäå

Code:

iptables -P INPUT DROP
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -s àäðåñ_âíåøíåãî_èñòî÷íèêà -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -s àäðåñ_âíåøíåãî_èñòî÷íèêà -p tcp -m tcp --dport 8080 -j ACCEPT

**Fly3110** · 13-07-2010, 11:43

Âñåì ïðèâåò!

Íå ïîíèìàþ, ÷åì

Code:

iptables -t mangle -A PREROUTING -s 192.168.0.2 -j MARK --set-mark 1
ip rule add fwmark 1 table 1

îòëè÷àåòñÿ îò

Code:

ip rule add from 192.168.02 table 1

?

ïåðâîå íå ðàáîòàåò, âòîðîå ðàáîòàåò.
â table 1 - îäíà ñòðî÷êà, çàâîðîò òðàôèêà íà îïðåäåëåííûé èíòåðôåéñ.

Åùå íå ïîíèìàþ, ïî÷åìó åñëè ñäåëàòü

Code:

iptables -t mangle -A PREROUTING -d 192.168.0.2 -j LOG --log-prefix "mangle: "
iptables -t nat -A PREROUTING -d 192.168.0.2 -j LOG --log-prefix "nat: "

è ïîïûòàòüñÿ ñ 192.168.0.2 âûéòè íà êàêîé ëèáî ñàéò, òî â ëîãàõ âèäíû òîëüêî ïàêåòû (îòâåòû ñàéòà) èç òàáëèöû mangle, äî nat îíè íå äîõîäÿò òàêîå îùóùåíèå, êàê ýòî ìîæåò áûòü, íå ïîíèìàþ.

Åñëè æå èç èíòåðíåòà ïîïðîáîâàòü çàéòè íà 192.168.0.2 - âèäíî è mangle è nat.

Âîîáùå èçíà÷àëüíî çàäà÷à áûëà òàêàÿ - åñòü 2 èíòåðôåéñà, ppp0 è ppp1. default gw - ppp1. Íàäî ÷òîáû 192.168.0.2 áûë äîñòóïåí ïî 80ó ïîðòó ïî ppp0

**Fly3110** · 13-07-2010, 13:21

Âñåì ïðèâåò.

asus wl520gu, ïðîøèâêà îò ýíòóçèàñòîâ.

Code:

[root@WL-485B39175DEB root]$ ip rule list
0:      from all lookup local
32764:  from 192.168.0.2 lookup 2
32765:  from all fwmark        1 lookup 1
32766:  from all lookup main
32767:  from all lookup 253


[root@WL-485B39175DEB root]$ ip route list table 1
default dev ppp0  scope link

[root@WL-485B39175DEB root]$ ip route list table 2
default dev ppp0  scope link

[root@WL-485B39175DEB root]$ iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       all  --  192.168.0.2          anywhere            MARK set 0x1
... (îñòàëüíîå â mangle ïóñòî)

Â ýòîì ñëó÷àå âñå ðàáîòàåò êàê íàäî, âñå õîäÿò ïî óìîë÷àíèþ ÷åðåç ppp1, à 192.168.0.2 õîäèò ÷åðåç ppp0
íî ñòîèò óáðàòü èç ip rule ñòðî÷êó from 192.168.0.2 lookup 2, êàê 192.168.0.2 âîîáùå ïåðåñòàåò õîäèòü â èíòðåíåò.

ñòàâèë â "ip route table 2" ïåðåíàïðàâëåíèå íà äðóãîé èíòåðôåéñ (íå ppp0 èëè ppp1) è ñìîòðåë, åñòü ëè òàì ÷òî-òî îò 192.168.0.2 - íåòó
Ñèñòåìà - ðîóòåð asus wl520gu

ïî÷åìó ìåíÿ íå óñòðàèâàåò ïåðâûé âàðèàíò, êîãäà ïðîïèñàíî from 192.168.0.2 - ïîòîìó ÷òî ÿ õî÷ó ÷òîáû 192.168.0.2 õîäèë â èíòåðíåò ÷åðåç ppp1, à âîò òî, ÷òî èäåò ñ åãî 80ãî ïîðòà - øëî ÷åðåç ppp0. Íî ñäåëàòü ýòî, åñëè çàñòàâèòü ðàáîòàòü iproute2 òîëüêî ïî fwmark - 5 ñåêóíä.

**AndreyPopov** · 13-07-2010, 13:37

âû çàäà÷ó êàê-òî çàäîì-íàïåðåä îïèñûâàåòå!!!

÷òî çíà÷èò "âñå ÷òî ñ åãî 80-ãî ïîðòà"?????

âû õîòèòå, ÷òîáû ê âàøåìó Web ñåðâåðó, êîòîðûé íàõîäèòñÿ íà 80-ì ïîðòó 192.168.0.2 îáðàùàëèñü ÷åðåç èíòåðôåéñ ppp0 ????

òàê?

**vectorm** · 13-07-2010, 14:25

Originally Posted by Fly3110

Âñåì ïðèâåò.

Âû åùå òðåòüþ òåìó ñîçäàéòå ïî ýòîé ïðîáëåìå.
Áóäåòå ïðîäîëæàòü - ïîåäåòå âî "Ôëóäèëüíþ".

**Fly3110** · 13-07-2010, 14:53

Originally Posted by AndreyPopov

âû çàäà÷ó êàê-òî çàäîì-íàïåðåä îïèñûâàåòå!!!

÷òî çíà÷èò "âñå ÷òî ñ åãî 80-ãî ïîðòà"?????

âû õîòèòå, ÷òîáû ê âàøåìó Web ñåðâåðó, êîòîðûé íàõîäèòñÿ íà 80-ì ïîðòó 192.168.0.2 îáðàùàëèñü ÷åðåç èíòåðôåéñ ppp0 ????

òàê?

Äà. Ýòî è õî÷ó. Íî è õî÷ó ïîíÿòü ïî÷åìó íå ðàáîòàåò â òîì âàðèàíòå, êîòîðûé ÿ îïèñàë

vectorm ïðèíîøó èçâèíåíèÿ, ðåàëüíî ãîëîâà óæå êðóãîì îò ýòîãî

**YVM** · 13-07-2010, 17:23

Ìîæåò áûòü êòî-òî ñòàëêèâàëñÿ ñ òàêîé ïðîáëåìîé?
Èñõîäíûå:
1. Ðîóòåð 1 RT-N16 (ïðîøèâêà 1.9.2.7-rtn-r1764) IP 172.XX.XX.2 ðàáîòàåò êàê îñíîâíîé.
2. Ðîóòåð 2 WL500gpV2 (OpenWRT Backfire â ðåæèìå bridged client) IP 172.XX.XX.100- íà íåì ïîäíÿò IPSEC c óäàëåííîé âíóòðåííåé ñåòüþ 192.168.XX.0. IPSEC íàïðàâëÿåò ïàêåòû â äîìàøíþþ ñåòü 172.XX.XX.0/24.
3. ×òîáû íàïðàâèòü ïàêåòû ñ ðîóòåðà 1 íà IPSEC èñïîëüçóþ
route add -net 192.168.XX.0 netmask 255.255.255.0 gw 172.XX.XX.100
4. Âñå ðàáîòàåò, íî ïîíèìàþ, ÷òî ýòî íå ïðàâèëüíî è íóæíî ïðîïèñàòü à iptables
Âîïðîñ: Êàê, ÷òîáû íå íà îäèí IP à íà âñþ ñåòü 192.168.XX.0?

**Dale_C** · 22-07-2010, 20:54

Êîìðàäû, ïîìîãèòå, âåñü ìîçã ñëîìàë óæå.
Çàäà÷à: ïî àäðåñó õõõ.õõõ.õõõ.õõõ ñòîèò è ðàáîòàåò SSH ñåðâåð íà ïîðòó tcp3033.
Ðîóòåð WL500gpv2 ñ ïðîøèâêîé 1.9.2.7-d-r1445 è âíåøíèì àäðåñîì óóó.óóó.óóó.óóó.
Ñ ðîóòåðà äåëàþ òåëíåò - âñå îê.

Code:

[root@router root]$ telnet õõõ.õõõ.õõõ.õõõ 3033
SSH-2.0-1.2.2 VShell

íî ñ êîìïüþòåðà â ëîêàëêå ðàáîòàþùåãî ïî wifi ñ àäðåñîì 192.168.1.101 - òåëíåò íå ïðîõîäèò.

ñìîòðèì iptables:

Code:

Chain PREROUTING (policy ACCEPT 8134 packets, 815K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  any    any     õõõ.õõõ.õõõ.õõõ       anywhere            udp dpt:https to:72.14.203.188:5228
    0     0 DNAT       tcp  --  any    any     õõõ.õõõ.õõõ.õõõ       anywhere            tcp dpt:https to:72.14.203.188:5228
 7200  765K VSERVER    all  --  any    any     anywhere             óóó.óóó.óóó.óóó

Chain POSTROUTING (policy ACCEPT 13069 packets, 886K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       udp  --  any    any     anywhere             tx-in-f188.1e100.net udp dpt:5228 to:óóó.óóó.óóó.óóó
    0     0 SNAT       tcp  --  any    any     anywhere             tx-in-f188.1e100.net tcp dpt:5228 to:óóó.óóó.óóó.óóó
  692 33216 MASQUERADE  all  --  any    vlan1  !óóó.óóó.óóó.óóó         anywhere
   14  3112 SNAT       all  --  any    br0     192.168.1.0/24       192.168.1.0/24      to:192.168.1.1

Chain OUTPUT (policy ACCEPT 13087 packets, 889K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  any    any     anywhere             anywhere            udp dpt:3478 to:192.168.1.199:3478
    0     0 DNAT       udp  --  any    any     anywhere             anywhere            udp dpt:3479 to:192.168.1.199:3479
    0     0 DNAT       udp  --  any    any     anywhere             anywhere            udp dpt:3658 to:192.168.1.199:3658

è öåïî÷êà Forward

Code:

Chain FORWARD (policy ACCEPT 711 packets, 34128 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  any    any     õõõ.õõõ.õõõ.õõõ       anywhere            udp dpt:5228
    0     0 ACCEPT     tcp  --  any    any     õõõ.õõõ.õõõ.õõõ       anywhere            tcp dpt:5228
    0     0 ACCEPT     all  --  br0    br0     anywhere             anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID
72542   65M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 DROP       all  --  !br0   vlan1   anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            ctstate DNAT
    0     0 DROP       all  --  any    br0     anywhere             anywhere

×òî íå òàê? Ïî÷åìó íå ðàáîòàåò ñ ìàøèíû èç ëîêàëêè? Êàê ÿ ïîíèìàþ âåäü ñîåäèíåíèå ïðèõîäèò ñ 192.168.1.101, ìàñêàðàäèòñÿ íà âûõîäå è äàëüøå óñïåøíî ìàñêàðàäèòñÿ è ïðîõîäèò Forward ñî ñòàòóñîì Established. Íî ïî÷åìó æå íå ðàáîòàåò â èòîãå? Ïðè òîì ó ìåíÿ âïå÷àòëåíèå ÷òî ñîåäèíåíèå äàæå óñòàíàâëèâàåòñÿ, íî ïàêåòû íàçàä íå ïðèõîäÿò...

**Dale_C** · 26-07-2010, 15:00

íó íåóæåëè íè ó êîãî èäåé íåòó ãäå ñîáàêà ìîãëà ïîðûòüñÿ? óæå âåñü ìîçã ðàñïëàâëåí..

**Spartach** · 18-08-2010, 07:18

Ïîäñêàæèòå, ïîæàëóéñòà, êàê ðåàëèçîâàòü ðîóòèíã â çàâèñèìîñòè îò ñåðâèñà?
Íà ðîóòåðå îïóáëèêîâàíû ñëóæáû (SSH, Web-ìîðäà óïðàâëåíèÿ, PPTP ñåðâåð), ñàì ðîóòåð óñòàíàâëèâàåò PPTP ïîäêëþ÷åíèå ê äðóãîé ñåòè, ñîîòâåòñòâåííî 2 ìàðøðóòà ïî óìîë÷àíèþ ÷åðåç vlan1 è ÷åðåç ppp0, ïðè÷åì ìåòðèêà 0 ó ppp0.
Êàê çàñòàâèòü ðîóòåð ïðè îáðàùåíèè ê íåìó íà îïðåäåëåííûå ïîðòû îòâå÷àòü ÷åðåç øëþç íà vlan1 à íå ÷åðåç ppp0?
Íàøåë òàêîå ðåøåíèå, íî áóäåò ëè îíî ðàáîòàòü íà íàøèõ ðîóòåðàõ?

_http://www.linux.org.ru/forum/admin/443040;jsessionid=A5E451EB947FD96BD8BDB61C76966D68 #comment-443774

Ìîæåò áûòü êòî-òî ñòàëêèâàëñÿ ñ òàêîé çàäà÷åé, èëè ïðîñòî èìååò ìûñëè ïî äàííîìó âîïðîñó?

**Virtuals** · 18-08-2010, 11:39

ñìîòðåòü â ñòîðîíó VSERVER

ïîïðîáóé â ðàçäåëå
NAT Setting - Virtual Server
äîáàâèòü ïðîáðîñ,
à äàëåå ãëÿíóòü
Status & Log - Diagnostic Information

äóìàþ ïðîñâåòëåíèå íàñòóïèò! 100%
âîò äëÿ ïðèìåðà ïîïðîáîâàë

Chain VSERVER (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8887 to:192.168.200.7:8887

**Spartach** · 18-08-2010, 11:50

Íå ñîâñåì ïîíÿë, ê ñîæàëåíèþ...
Ìíå ïðîáðîñ êàê òàêîâîé íå íóæåí.
Åñòü ðîóòåð, WAN ñìîòðèò â èíåò ñî ñòàòèêîé + ïîäíèìàåòñÿ PPTP â äðóãóþ ñåòü.
Íà ðîóòåðå îòêðûòû ïîðòû SSH, WEB ìîðäà óïðàâëåíèÿ, è çàïóùåí POPTOP.
Ïîêà PPTP íå ïîäíÿëîñü, èç èíåòà äîñòóïíû âñå óêàçàííûå ïîðòû.
Êàê òîëüêî ïîäíèìàåòñÿ PPTP, òàê øëþçîì ñ ìåòðèêîé 0 ñòàíîâèòñÿ ppp0, ñîîòâåòñòâåííî ïðè îáðàùåíèè ê ðîóòåðó íà åãî "ðîäíîé" âíåøíèé ñòàòè÷åñêèé IP ïîðòû íå äîñòóïíû, ò.ê. ðîóòåð îòâå÷àåò ÷åðåç øëþç PPTP.
Åñëè ÿ äîáàâëÿþ ñòàòè÷åñêèé ìàðøðóò, ÷òîáû íà âòîðîé (ñ êîòîðîãî îñóùåñòâëÿþ äîñòóï) IP ïàêåòû ïðîäîëæàëè õîäèòü ÷åðåç øëþç vlan1 à íå ppp0, òî âñå îòëè÷íî, íî ýòî íå êðàñèâî, ò.ê. äîñòóï ìîæåò ïîíàäîáèòñÿ èç ðàçíûõ ìåñò.
Îò ñþäÿ åäèíñòâåííîå íà ìîé âçãëÿä ðåøåíèå, çàñòàâèòü ðîóòåð ïðè îáðàùåíèè ê íåìó íà îïðåäåëåííûé ïåðå÷åíü ïîðòîâ îòâå÷àòü ÷åðåç øëþç vlan1 à íå ppp0.

**Virtuals** · 18-08-2010, 13:18

õì ÷åò ìíå ýòî íàïîìèíàåò.....

à òî÷íî
ðóñ VPN
äóàë PPTP

êîðî÷å èíåò íà Ðóññêèé ìàíåð, ëîêàë áåç âïí è èíåò ñ âïí.

âîïðîñ íåîäíîêðàòíî ïîäûìàëñÿ, è ðåøåíèå íàéäåíî. ÷óòîê ïîèñêîì ïî ôîðóìó ïðîéäèñü

**Spartach** · 18-08-2010, 13:33

Âñå áû íè ÷åãî, åñëè áû MAN íå áûë èíåòîì... :-)
Êîíå÷íî æå ìàðøðóòû äëÿ ïîäñåòè ñäåëàë áû è âñå.
Íî òóò çàãâîçäêà â òîì ÷òî MAN ýòî èíåò, è ìàðøðóòèçèòü íóæíî íà îñíîâàíèè ïîðòà. Êàê ðàç â ïåðâîì ïîñòå ñûëü äàë, òàì íå÷òî ïîäîáíîå ðåàëèçîâàíî. Íî äîëæåí áûòü ïàò÷ íà iptables.
À åñòü îí èëè íåò â íàøèõ ðîóòåðàõ è ìîæíî ëè åãî ïðèêðóòèòü ïîíÿòèÿ íå èìåþ :-) Ïî ýòîìó è èíåòåðåñóþñü, ìîæåò åñòü ó êîãî îïûò?

**agros** · 19-08-2010, 08:05

Originally Posted by Spartach

Âñå áû íè ÷åãî, åñëè áû MAN íå áûë èíåòîì... :-)
Êîíå÷íî æå ìàðøðóòû äëÿ ïîäñåòè ñäåëàë áû è âñå.
Íî òóò çàãâîçäêà â òîì ÷òî MAN ýòî èíåò, è ìàðøðóòèçèòü íóæíî íà îñíîâàíèè ïîðòà. Êàê ðàç â ïåðâîì ïîñòå ñûëü äàë, òàì íå÷òî ïîäîáíîå ðåàëèçîâàíî. Íî äîëæåí áûòü ïàò÷ íà iptables.
À åñòü îí èëè íåò â íàøèõ ðîóòåðàõ è ìîæíî ëè åãî ïðèêðóòèòü ïîíÿòèÿ íå èìåþ :-) Ïî ýòîìó è èíåòåðåñóþñü, ìîæåò åñòü ó êîãî îïûò?

íàâåðíîå íóæíî ñìîòðåòü â ñòîðîíó iptables MARK... ìåòèòü ïàêåòû â çàâèñèìîñòè îò èíòåðôåéñà, áîëåå òî÷íî ê ñîæàëåíèþ íå ïîäñêàæó, â shorewall (÷òî â ñâîþ î÷åðåäü òðàíñëèðóåòñÿ â iptables) ýòî äåëàåòñÿ ëåãêî, ïðàâäà íóæíî óòî÷íèòü, ðàáîòàåò ëè çäåñü ìàðêèðîâêà ïàêåòîâ.

Thread: Íàñòðîéêà IPTables

Thread Tools

Rate This Thread

Display

ñëîìàë ãîëîâó ñ iptables :)

íå ïîíèìàþ iproute2

ïåðåíàïðàâèòü ïàêåòû â ñåòü

iptables, ssh - ïîìîãèòå ïëèç!

Ðîóòèíã â çàâèñèìîñòè îò ñåðâèñà.

Ïîÿñíþ.

Åùå óòî÷íþ :-)

Similar Threads

Help with IPTABLES

Iptables

How to configure Firewall/iptables

iptables vs web interface

Iptables

Tags for this Thread

Posting Permissions