POPTOP install (óñòàíîâêà â îñíîâíóþ ïàìÿòü)

[popow_sergei]

Iptables -L -nv ïîäêëþ÷åíèå VPN ñ ãàëî÷êîé (èíåò åñòü ëîêàëêè íåò)

Code:

Chain INPUT (policy ACCEPT 496 packets, 26956 bytes)
 pkts bytes target     prot opt in     out     source               destination

   23  3261 ACCEPT     all  --  ppp1   *       192.168.1.110        0.0.0.0/0

 4957 2013K ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0

  123  9056 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        tcp dpt:1723
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
        state INVALID
 9069 1501K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
        state NEW
23812 7265K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
        state NEW
    0     0 ACCEPT     2    --  *      *       0.0.0.0/0            224.0.0.0/4

    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.0/4
        udp dpt:!1900

Chain FORWARD (policy ACCEPT 23815 packets, 2630K bytes)
 pkts bytes target     prot opt in     out     source               destination

  197 68544 ACCEPT     all  --  ppp1   *       192.168.1.110        0.0.0.0/0

  600  181K ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.3
        udp dpt:30040
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.3
        tcp dpt:30040
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0

    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
        state INVALID
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.0/4

10150  507K TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        tcp flags:0x06/0x02 TCPMSS clamp to PMTU
 194K   96M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED
    0     0 DROP       all  --  !br0   ppp0    0.0.0.0/0            0.0.0.0/0

    0     0 DROP       all  --  !br0   vlan1   0.0.0.0/0            0.0.0.0/0

    2   104 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
        ctstate DNAT

Chain OUTPUT (policy ACCEPT 40038 packets, 16M bytes)
 pkts bytes target     prot opt in     out     source               destination


Chain BRUTE (0 references)
 pkts bytes target     prot opt in     out     source               destination


Chain MACS (0 references)
 pkts bytes target     prot opt in     out     source               destination


Chain SECURITY (0 references)
 pkts bytes target     prot opt in     out     source               destination

    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        tcp flags:0x17/0x02 limit: avg 1/sec burst 5
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        tcp flags:0x17/0x04 limit: avg 1/sec burst 5
    0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0
        limit: avg 5/sec burst 5
    0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        limit: avg 5/sec burst 5
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0


Chain logaccept (0 references)
 pkts bytes target     prot opt in     out     source               destination

    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0
        state NEW LOG flags 7 level 4 prefix `ACCEPT '
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0


Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination

    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0
        state NEW LOG flags 7 level 4 prefix `DROP '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

[popow_sergei]

Iptables -L -nv ïîäêëþ÷åíèå VPN áåç ãàëî÷êè (èíåò íåò ëîêàëêà åñòü)

Code:

Chain INPUT (policy ACCEPT 496 packets, 26956 bytes)
 pkts bytes target     prot opt in     out     source               destination

   14  1808 ACCEPT     all  --  ppp1   *       192.168.1.111        0.0.0.0/0

 6421 2471K ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0

  135  9992 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        tcp dpt:1723
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
        state INVALID
 9081 1502K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
        state NEW
23860 7281K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
        state NEW
    0     0 ACCEPT     2    --  *      *       0.0.0.0/0            224.0.0.0/4

    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.0/4
        udp dpt:!1900

Chain FORWARD (policy ACCEPT 23815 packets, 2630K bytes)
 pkts bytes target     prot opt in     out     source               destination

    0     0 ACCEPT     all  --  ppp1   *       192.168.1.111        0.0.0.0/0

  600  181K ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.31
        udp dpt:30040
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.31
        tcp dpt:30040
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0

    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
        state INVALID
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.0/4

10151  507K TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        tcp flags:0x06/0x02 TCPMSS clamp to PMTU
 195K   96M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
        state RELATED,ESTABLISHED
    0     0 DROP       all  --  !br0   ppp0    0.0.0.0/0            0.0.0.0/0

    0     0 DROP       all  --  !br0   vlan1   0.0.0.0/0            0.0.0.0/0

    2   104 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
        ctstate DNAT

Chain OUTPUT (policy ACCEPT 41463 packets, 17M bytes)
 pkts bytes target     prot opt in     out     source               destination


Chain BRUTE (0 references)
 pkts bytes target     prot opt in     out     source               destination


Chain MACS (0 references)
 pkts bytes target     prot opt in     out     source               destination


Chain SECURITY (0 references)
 pkts bytes target     prot opt in     out     source               destination

    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        tcp flags:0x17/0x02 limit: avg 1/sec burst 5
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
        tcp flags:0x17/0x04 limit: avg 1/sec burst 5
    0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0
        limit: avg 5/sec burst 5
    0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        limit: avg 5/sec burst 5
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0


Chain logaccept (0 references)
 pkts bytes target     prot opt in     out     source               destination

    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0
        state NEW LOG flags 7 level 4 prefix `ACCEPT '
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0


Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination

    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0
        state NEW LOG flags 7 level 4 prefix `DROP '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

[popow_sergei]

Code:

Jan  1 03:00:01 syslogd started: BusyBox v1.15.3
Jan  1 03:00:01 kernel: klogd started: BusyBox v1.15.3 (2010-04-03 04:44:46 MSD)
Jan  1 03:00:01 kernel: CPU revision is: 00029006
Jan  1 03:00:01 kernel: Primary instruction cache 16kB, physically tagged, 2-way, linesize 16 bytes.
Jan  1 03:00:01 kernel: Primary data cache 16kB, 2-way, linesize 16 bytes.
Jan  1 03:00:01 kernel: Linux version 2.4.37.9 (root@localhost) (gcc version 3.4.6) #1 2010-04-03 04:54:21 MSD
Jan  1 03:00:01 kernel: Setting the PFC to its default value
Jan  1 03:00:01 kernel: Determined physical RAM map:
Jan  1 03:00:01 kernel:  memory: 08000000 @ 00000000 (usable)
Jan  1 03:00:01 kernel: On node 0 totalpages: 32768
Jan  1 03:00:01 kernel: zone(0): 32768 pages.
Jan  1 03:00:01 kernel: zone(1): 0 pages.
Jan  1 03:00:01 kernel: loop: loaded (max 8 devices)
Jan  1 03:00:01 kernel: PPP generic driver version 2.4.2
Jan  1 03:00:01 kernel: PPP Deflate Compression module registered
Jan  1 03:00:01 kernel: PPP BSD Compression module registered
Jan  1 03:00:01 kernel: MPPE/MPPC encryption/compression module registered
Jan  1 03:00:01 kernel: PPPoL2TP kernel driver, V0.15.1
Jan  1 03:00:01 kernel: PPTP driver version 0.8.5-rc1
Jan  1 03:00:01 kernel:  Amd/Fujitsu Extended Query Table v1.3 at 0x0040
Jan  1 03:00:02 dropbear[66]: Running in background
Jan  1 03:00:02 dnsmasq[73]: started, version 2.52 cachesize 512
Jan  1 03:00:02 dnsmasq[73]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-I18N DHCP no-scripts no-TFTP
Jan  1 03:00:02 dnsmasq-dhcp[73]: DHCP, IP range 192.168.1.10 -- 192.168.1.50, lease time 1d
Jan  1 03:00:02 dnsmasq[73]: read /etc/hosts - 2 addresses
Jan  1 03:00:02 kernel: usb.c: registered new driver usbdevfs
Jan  1 03:00:02 kernel: usb.c: registered new driver hub
Jan  1 03:00:02 kernel: usb-uhci.c: $Revision: 1.275 $ time 04:57:01 Apr  3 2010
Jan  1 03:00:02 kernel: usb-uhci.c: High bandwidth mode enabled
Jan  1 03:00:02 kernel: PCI: Enabling device 01:03.0 (0000 -> 0001)
Jan  1 03:00:02 kernel: UHCI: Enabling VIA 6212 workarounds
Jan  1 03:00:02 kernel: usb-uhci.c: USB UHCI at I/O 0x100, IRQ 12
Jan  1 03:00:02 kernel: usb-uhci.c: Detected 2 ports
Jan  1 03:00:02 kernel: usb.c: new USB bus registered, assigned bus number 1
Jan  1 03:00:02 kernel: hub.c: USB hub found
Jan  1 03:00:02 kernel: hub.c: 2 ports detected
Jan  1 03:00:02 kernel: PCI: Enabling device 01:03.1 (0000 -> 0001)
Jan  1 03:00:02 kernel: UHCI: Enabling VIA 6212 workarounds
Jan  1 03:00:02 kernel: usb-uhci.c: USB UHCI at I/O 0x120, IRQ 12
Jan  1 03:00:02 kernel: usb-uhci.c: Detected 2 ports
Jan  1 03:00:02 kernel: usb.c: new USB bus registered, assigned bus number 2
Jan  1 03:00:03 kernel: hub.c: USB hub found
Jan  1 03:00:03 kernel: hub.c: 2 ports detected
Jan  1 03:00:03 kernel: usb-uhci.c: v1.275:USB Universal Host Controller Interface driver
Jan  1 03:00:03 kernel: PCI: Enabling device 01:03.2 (0000 -> 0002)
Jan  1 03:00:03 kernel: ehci_hcd 01:03.2: PCI device 1106:3104
Jan  1 03:00:03 kernel: ehci_hcd 01:03.2: irq 12, pci mem c01a1000
Jan  1 03:00:03 kernel: usb.c: new USB bus registered, assigned bus number 3
Jan  1 03:00:03 kernel: EHCI: Enabling VIA 6212 workarounds
Jan  1 03:00:03 kernel: ehci_hcd 01:03.2: USB 2.0 enabled, EHCI 1.00, driver 10 Dec 2004/2.4
Jan  1 03:00:03 kernel: hub.c: USB hub found
Jan  1 03:00:03 kernel: hub.c: 4 ports detected
Jan  1 03:00:03 kernel: usb.c: registered new driver usblp
Jan  1 03:00:03 kernel: printer.c: v0.13: USB Printer Device Class driver
Jan  1 03:00:03 kernel: SCSI subsystem driver Revision: 1.00
Jan  1 03:00:03 kernel: Initializing USB Mass Storage driver...
Jan  1 03:00:03 kernel: usb.c: registered new driver usb-storage
Jan  1 03:00:03 kernel: USB Mass Storage support registered.
Jan  1 03:00:04 dhcp client: deconfig: lease is lost
Jan  1 03:00:07 dnsmasq[73]: read /etc/hosts - 2 addresses
Jan  1 03:00:07 dnsmasq[73]: using nameserver 193.203.60.1#53
Jan  1 03:00:07 dhcp client: bound IP : 172.21.104.115 from 172.21.104.113
Jan  1 03:00:07 pppd[104]: Plugin rp-pppoe.so loaded.
Jan  1 03:00:07 pppd[104]: RP-PPPoE plugin version 3.10 compiled against pppd 2.4.5
Jan  1 03:00:07 pppd[105]: pppd 2.4.5 started by root, uid 0
Jan  1 03:00:07 pppd[105]: PPP session is 35227 (0x899b)
Jan  1 03:00:07 pppd[105]: Connected to 00:00:cd:16:f1:96 via interface vlan1
Jan  1 03:00:07 pppd[105]: Using interface ppp0
Jan  1 03:00:07 pppd[105]: Connect: ppp0 <--> vlan1
Jan  1 03:00:07 pptpd[121]: MGR: Manager process started
Jan  1 03:00:07 pptpd[121]: MGR: Maximum of 41 connections available
Jan  1 03:00:07 bcrelay[122]: Running as child
Jan  1 03:00:09 dropbear[123]: Child connection from 172.24.6.18:1160
Jan  1 03:00:09 pppd[105]: CHAP authentication succeeded
Jan  1 03:00:09 pppd[105]: CHAP authentication succeeded
Jan  1 03:00:09 pppd[105]: peer from calling number 00:00:CD:16:F1:96 authorized
Jan  1 03:00:10 pppd[105]: local  IP address 172.17.44.9
Jan  1 03:00:10 pppd[105]: remote IP address 10.10.0.4
Jan  1 03:00:10 pppd[105]: primary   DNS address 193.203.60.1
Jan  1 03:00:10 pppd[105]: secondary DNS address 172.20.0.82
Jan  1 03:00:10 dnsmasq[73]: read /etc/hosts - 2 addresses
Jan  1 03:00:10 dnsmasq[73]: using nameserver 172.20.0.82#53
Jan  1 03:00:10 dnsmasq[73]: using nameserver 193.203.60.1#53
Jan  1 03:00:10 PPPoE: connected to ISP
Jan  1 03:00:10 dropbear[123]: password auth succeeded for 'root' from 172.24.6.18:1160
Apr  4 11:41:11 pppd[105]: System time change detected.
Apr  4 11:41:13 pptpd[141]: CTRL: Client 172.24.6.18 control connection started
Apr  4 11:41:13 pptpd[141]: CTRL: Starting call (launching pppd, opening GRE)
Apr  4 11:41:13 pppd[142]: pppd 2.4.5 started by root, uid 0
Apr  4 11:41:13 pppd[142]: Using interface ppp1
Apr  4 11:41:13 pppd[142]: Connect: ppp1 <--> /dev/pts/0
Apr  4 11:41:16 pptpd[141]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Apr  4 11:41:16 pppd[142]: found interface br0 for proxy arp
Apr  4 11:41:16 pppd[142]: local  IP address 192.168.1.1
Apr  4 11:41:16 pppd[142]: remote IP address 192.168.1.110
Apr  4 11:41:16 pppd[142]: MPPE 128-bit stateful compression enabled
Apr  4 11:41:16 root: vpn connected from 172.24.6.18
Apr  4 11:41:38 pppd[142]: LCP terminated by peer (!Z$M-^V^@<M-Mt^@^@^@^@)
Apr  4 11:41:38 pppd[142]: Connect time 0.4 minutes.
Apr  4 11:41:38 pppd[142]: Sent 7107 bytes, received 60763 bytes.
Apr  4 11:41:38 root: vpn connected from 172.24.6.18
Apr  4 11:41:38 pppd[142]: Modem hangup
Apr  4 11:41:38 pppd[142]: Connection terminated.
Apr  4 11:41:38 pppd[142]: Exit.
Apr  4 11:41:38 pptpd[141]: CTRL: Client 172.24.6.18 control connection finished
Apr  4 11:41:49 pptpd[153]: CTRL: Client 172.24.6.18 control connection started
Apr  4 11:41:49 pptpd[153]: CTRL: Starting call (launching pppd, opening GRE)
Apr  4 11:41:49 pppd[154]: pppd 2.4.5 started by root, uid 0
Apr  4 11:41:49 pppd[154]: Using interface ppp1
Apr  4 11:41:49 pppd[154]: Connect: ppp1 <--> /dev/pts/0
Apr  4 11:41:52 pptpd[153]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Apr  4 11:41:52 pppd[154]: found interface br0 for proxy arp
Apr  4 11:41:52 pppd[154]: local  IP address 192.168.1.1
Apr  4 11:41:52 pppd[154]: remote IP address 192.168.1.111
Apr  4 11:41:52 pppd[154]: MPPE 128-bit stateful compression enabled
Apr  4 11:41:52 root: vpn connected from 172.24.6.18
Apr  4 11:41:59 pppd[154]: LCP terminated by peer (iM-J*K^@<M-Mt^@^@^@^@)
Apr  4 11:41:59 pppd[154]: Connect time 0.2 minutes.
Apr  4 11:41:59 pppd[154]: Sent 0 bytes, received 2179 bytes.
Apr  4 11:41:59 root: vpn connected from 172.24.6.18
Apr  4 11:42:02 pppd[154]: Connection terminated.
Apr  4 11:42:02 pppd[154]: Modem hangup
Apr  4 11:42:02 pppd[154]: Exit.
Apr  4 11:42:02 pptpd[153]: GRE: read(fd=6,buffer=4205cc,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
Apr  4 11:42:02 pptpd[153]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
Apr  4 11:42:02 pptpd[153]: CTRL: Client 172.24.6.18 control connection finished
Apr  4 11:42:08 ntp client: Synchronizing time with ntp.psn.ru ...

[popow_sergei]

Code:

[root@WL500GP_PS root]$ iptables-save
# Generated by iptables-save v1.3.8 on Sun Apr  4 11:48:45 2010
*nat
:PREROUTING ACCEPT [159:22110]
:POSTROUTING ACCEPT [18:4037]
:OUTPUT ACCEPT [18:4037]
:VSERVER - [0:0]
-A PREROUTING -d 172.17.44.9 -j VSERVER
-A PREROUTING -d 172.21.104.115 -j VSERVER
-A POSTROUTING -s ! 172.17.44.9 -o ppp0 -j MASQUERADE
-A POSTROUTING -s ! 172.21.104.115 -o vlan1 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o br0
-j SNAT --to-source 192.168.1.1
-A VSERVER -p tcp -m tcp --dport 30040 -j DNAT --to-destination 192.168.1.56:300
40
-A VSERVER -p udp -m udp --dport 30040 -j DNAT --to-destination 192.168.1.56:300
40
-A VSERVER -p udp -m udp --dport 6432 -j DNAT --to-destination 192.168.1.12:6432

-A VSERVER -p tcp -m tcp --dport 6432 -j DNAT --to-destination 192.168.1.12:6432

-A VSERVER -p udp -m udp --dport 51002 -j DNAT --to-destination 192.168.1.50:510
02
-A VSERVER -p tcp -m tcp --dport 51002 -j DNAT --to-destination 192.168.1.50:510
02
-A VSERVER -p tcp -m tcp --dport 30041 -j DNAT --to-destination 192.168.1.31:300
40
-A VSERVER -p udp -m udp --dport 30041 -j DNAT --to-destination 192.168.1.31:300
40
-A VSERVER -p tcp -m tcp --dport 4899 -j DNAT --to-destination 192.168.1.10:4899

-A VSERVER -p udp -m udp --dport 4899 -j DNAT --to-destination 192.168.1.10:4899

COMMIT
# Completed on Sun Apr  4 11:48:45 2010
# Generated by iptables-save v1.3.8 on Sun Apr  4 11:48:45 2010
*mangle
:PREROUTING ACCEPT [1601:268959]
:INPUT ACCEPT [1255:197095]
:FORWARD ACCEPT [235:52416]
:OUTPUT ACCEPT [1358:970637]
:POSTROUTING ACCEPT [1792:1090439]
COMMIT
# Completed on Sun Apr  4 11:48:45 2010
# Generated by iptables-save v1.3.8 on Sun Apr  4 11:48:45 2010
*filter
:INPUT ACCEPT [40:2044]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1319:960171]
:BRUTE - [0:0]
:MACS - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -p gre -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -d 224.0.0.0/240.0.0.0 -p igmp -j ACCEPT
-A INPUT -d 224.0.0.0/240.0.0.0 -p udp -m udp ! --dport 1900 -j ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -d 224.0.0.0/240.0.0.0 -p udp -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ! br0 -o ppp0 -j DROP
-A FORWARD -i ! br0 -o vlan1 -j DROP
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec
 -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec
 -j RETURN
-A SECURITY -p udp -m limit --limit 5/sec -j RETURN
-A SECURITY -p icmp -m limit --limit 5/sec -j RETURN
-A SECURITY -j DROP
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequen
ce --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence -
-log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Sun Apr  4 11:48:45 2010
[root@WL500GP_PS root]$

[popow_sergei]

Code:

[root@WL500GP_PS root]$ iptables-save
# Generated by iptables-save v1.3.8 on Sun Apr  4 11:53:25 2010
*nat
:PREROUTING ACCEPT [210:26307]
:POSTROUTING ACCEPT [25:6354]
:OUTPUT ACCEPT [25:6354]
:VSERVER - [0:0]
-A PREROUTING -d 172.17.44.9 -j VSERVER
-A PREROUTING -d 172.21.104.115 -j VSERVER
-A POSTROUTING -s ! 172.17.44.9 -o ppp0 -j MASQUERADE
-A POSTROUTING -s ! 172.21.104.115 -o vlan1 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o br0
-j SNAT --to-source 192.168.1.1
-A VSERVER -p tcp -m tcp --dport 30040 -j DNAT --to-destination 192.168.1.56:300
40
-A VSERVER -p udp -m udp --dport 30040 -j DNAT --to-destination 192.168.1.56:300
40
-A VSERVER -p udp -m udp --dport 6432 -j DNAT --to-destination 192.168.1.12:6432

-A VSERVER -p tcp -m tcp --dport 6432 -j DNAT --to-destination 192.168.1.12:6432

-A VSERVER -p udp -m udp --dport 51002 -j DNAT --to-destination 192.168.1.50:510
02
-A VSERVER -p tcp -m tcp --dport 51002 -j DNAT --to-destination 192.168.1.50:510
02
-A VSERVER -p tcp -m tcp --dport 30041 -j DNAT --to-destination 192.168.1.31:300
40
-A VSERVER -p udp -m udp --dport 30041 -j DNAT --to-destination 192.168.1.31:300
40
-A VSERVER -p tcp -m tcp --dport 4899 -j DNAT --to-destination 192.168.1.10:4899

-A VSERVER -p udp -m udp --dport 4899 -j DNAT --to-destination 192.168.1.10:4899

COMMIT
# Completed on Sun Apr  4 11:53:25 2010
# Generated by iptables-save v1.3.8 on Sun Apr  4 11:53:25 2010
*mangle
:PREROUTING ACCEPT [2511:459756]
:INPUT ACCEPT [1830:319443]
:FORWARD ACCEPT [529:117782]
:OUTPUT ACCEPT [1893:1072112]
:POSTROUTING ACCEPT [2697:1283589]
COMMIT
# Completed on Sun Apr  4 11:53:25 2010
# Generated by iptables-save v1.3.8 on Sun Apr  4 11:53:25 2010
*filter
:INPUT ACCEPT [43:2188]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1854:1061648]
:BRUTE - [0:0]
:MACS - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -s 192.168.1.110 -i ppp1 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -d 224.0.0.0/240.0.0.0 -p igmp -j ACCEPT
-A INPUT -d 224.0.0.0/240.0.0.0 -p udp -m udp ! --dport 1900 -j ACCEPT
-A FORWARD -s 192.168.1.110 -i ppp1 -j ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -d 224.0.0.0/240.0.0.0 -p udp -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ! br0 -o ppp0 -j DROP
-A FORWARD -i ! br0 -o vlan1 -j DROP
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec
 -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec
 -j RETURN
-A SECURITY -p udp -m limit --limit 5/sec -j RETURN
-A SECURITY -p icmp -m limit --limit 5/sec -j RETURN
-A SECURITY -j DROP
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequen
ce --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence -
-log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Sun Apr  4 11:53:25 2010
[root@WL500GP_PS root]$

[popow_sergei]

Code:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.0.4       *               255.255.255.255 UH    0      0        0 WAN ppp0
193.203.60.1    172.21.104.113  255.255.255.255 UGH   1      0        0 WAN vlan1
172.21.104.112  *               255.255.255.248 U     0      0        0 WAN vlan1
192.168.1.0     *               255.255.255.0   U     0      0        0 LAN br0
83.234.112.0    172.21.104.113  255.255.255.0   UG    0      0        0 WAN vlan1
193.203.60.0    172.21.104.113  255.255.252.0   UG    0      0        0 WAN vlan1
82.179.144.0    172.21.104.113  255.255.240.0   UG    0      0        0 WAN vlan1
62.76.176.0     172.21.104.113  255.255.240.0   UG    0      0        0 WAN vlan1
93.186.96.0     172.21.104.113  255.255.240.0   UG    0      0        0 WAN vlan1
195.19.96.0     172.21.104.113  255.255.224.0   UG    0      0        0 WAN vlan1
213.135.128.0   172.21.104.113  255.255.224.0   UG    0      0        0 WAN vlan1
78.132.128.0    172.21.104.113  255.255.128.0   UG    0      0        0 WAN vlan1
192.168.0.0     172.21.104.113  255.255.0.0     UG    0      0        0 WAN vlan1
172.16.0.0      172.21.104.113  255.240.0.0     UG    0      0        0 WAN vlan1
10.0.0.0        172.21.104.113  255.0.0.0       UG    0      0        0 WAN vlan1
default         10.10.0.4       0.0.0.0         UG    0      0        0 WAN ppp0
default         172.21.104.113  0.0.0.0         UG    1      0        0 WAN vlan1

[3apa3a]

Òàê ðàáòàåò èëè íåò ???

Äà âñå òåïåðü ðàáîòàåò. Óñëóãà (áåñïëàòíàÿ) ïîäêëþ÷àåòñÿ â òå÷åíèè 2õ äíåé è ïîñëå åå âêëþ÷åíèÿ íóæíî ïîäêëþ÷èòü óñòðîéñòâî â ëè÷íîì êàáèíåòå.

Ïîäñêàæèòå êàê îòðóáèòü WEB ìîðäó (îñòàíîâèòü ñåðâèñ èëè íàñòðîèòü firewal) ðîóòåðà à òî ó ìåíÿ èç èíòåðíåòà ìîæíî íà íåãî çàéòè.

[popow_sergei]

Ïî ìîåé ïðîáëåìå íåò ñîîáðàæåíèé ?

[popow_sergei]

ðåøèë ïîýêñïåðèìåíòèðîâàòü ñ íàñòðîéêàìè .
è ïîìåíÿë
ñ

localip 192.168.1.1
remoteip 192.168.1.110-150

íà

localip 192.168.0.1
remoteip 192.168.0.110-150

â ðåçóëüòàòå çàìåòèë ÷òî ïðè ïîäêëþ÷åíèè ñ ãàëî÷êîé âñå îñòàëîñü áåç èçìåíåíèé (èíåò ðàáîòàåò ëîêàëêà íåò)

à âîò ñ ïîäêëþ÷åíèåì áåç ãàëî÷êè ðàíüøå áûëî - èíåò íåò ëîàëêà åñòü
ñòàëî - íåò íè ÷åãî.

â ôàéëå
nat_rules
ïðè ÷åì íå ÷åãî íå ìåíÿåòñÿ õîòÿ êàê ìíå êàæåòñÿ äîëæíî áû
òàê êàê ñåòü ïîìåíÿëàñü íà 192,168,0,1 à â ñòðîêå íèæå ïî ïðåæíåìó
192,168,1,1

-A POSTROUTING -o br0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j SNAT --to-source 192.168.1.1

[roadstreamer]

À íà Dir320 poptop íå âñòàíåò? Ïîíèìàþ, ÷òî ôëýø 4Ì âñåãî, íî âåäü ñîôôò óñòàíàâëèâàåöà íà ïðèñîåäèíåííóþ ôëýõó, /opt/ppp

[popow_sergei]

À íà Dir320 poptop íå âñòàíåò? Ïîíèìàþ, ÷òî ôëýø 4Ì âñåãî, íî âåäü ñîôôò óñòàíàâëèâàåöà íà ïðèñîåäèíåííóþ ôëýõó, /opt/ppp

âñòàíåò . ñàì ïîñòàâèë POPTOP óæå ñâåðõó ïîñëå óñòàíîâêè ïðîãðàìì äëÿ ÷àéíèêà . Âñ¸ òîæå ñàìîå , ïî èíñòðóêöèè çà èñêëþ÷åíèåì òîãî ÷òî ïàïêè óæå åñòü , èõ ñîçäàâàòü íå íàäî .
Óñòàíàâëèâàåì POPTOP è íàñòðàèâàåì êîíôèãè.

[Gluk]

WAN: ñòàòè÷åñêèé ðåàëüíûé IP
LAN: 192.168.38.0/24 (DHCP âûäàåò 2-249)
çàäà÷à: ïîäêëþ÷àòüñÿ ñíàðóæè ê êîìïàì LAN


Íàñòðîéêè:

Code:

[admin@nano7 root]$ cat /opt/etc/pptpd.conf

option /opt/etc/ppp/options.pptpd
#noipparam
#logwtmp
localip 192.168.38.1
remoteip 192.168.38.251-254
[admin@nano7 root]$ cat /opt/etc/ppp/options.pptpd
name pptpd

# ðàçðåøàåòñÿ MPPE 128 è MSCHAP-V2
# {{{
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
# }}}
ms-dns 192.168.38.1
ms-dns 193.125.143.173
proxyarp
lock
nobsdcomp
novj
novjccomp
nodefaultroute
ip-up-script /opt/etc/ppp/ip-up
ip-down-script /opt/etc/ppp/ip-down

Code:

[admin@nano7 root]$ cat /opt/etc/ppp/ip-up
#!/bin/sh
[admin@nano7 root]$ cat /opt/etc/ppp/ip-down
#!/bin/sh
logger vpn disconnected from

Code:

[admin@nano7 root]$ cat /tmp/local/sbin/post-firewall
#!/bin/sh

iptables -t nat -nvL POSTROUTING | grep MASQUERADE | awk '{
    "ifconfig "$7" | grep Mask" | getline ip;
        split(ip,ip,":"); split(ip[2],ip," ");
            split($8,src,"!");
                if (src[1]=="") {src="! -s "src[2]} else {src="-s "src[1]};
                    if ($9=="0.0.0.0/0") {dst=""} else {dst="-d "$9};
                        system("iptables -t nat -A POSTROUTING -o "$7" "src" "dst" -j SNAT --to-source "ip[1]);
                            system("iptables -t nat -D POSTROUTING -o "$7" "src" "dst" -j MASQUERADE");
                            }'

# ban vkontakte.ru
iptables -A FORWARD -d 93.186.224.0/20 -j DROP

#îòêðûâàåì äîñòóï ê vpn ñíàðóæè
iptables -I INPUT -p tcp --dport 1723 -j ACCEPT
# ïðàâèëà äëÿ 47 ïîðòà íå îáÿçàòåëüíû, òàê êàê ñîåäèíåíèå ÷åðåç ýòîò ïîðò èíèöèàëèçèðóþòñÿ ðîóòåðîì. Îòêðûâàòü ïðè íåñòàíäàðòíûõ íàñòðîéêàé ôàåðâîëà ðîóòåðà.
iptables -I INPUT -p 47 -j ACCEPT
# Ñëåäóþùèå ïðàâèëà íóæíî ñîçäàâàòü èç-çà òîãî, ÷òî ðîóòåð ïî÷åìó-òî ñ÷èòàåò, ÷òî óñòðîéñòâî ppp îòíîñèòñÿ ê çîíå WAN. Åñëè çàñòàâèòü åãî ñ÷èòàòü, ÷òî ýòî LAN, òî ýòè ïðàâèëà ñòàíóò íå íóæíû. Îòêëþ÷åíèå ñëåäóþùèõ ïðàâèëà ïðèâåä¸ò ê òîìó, ÷òî ó vpn-êëèåíòîâ ïðîïàä¸ò äîñòóï ê èíòåðíåòó è ëîêàëüíîé ñåòè
iptables -I INPUT -i ppp+ -j ACCEPT
#iptables -I OUTPUT -o ppp+ -j ACCEPT
iptables -I FORWARD -i ppp+ -j ACCEPT

èç LAN ïîäêëþ÷àåòñÿ. èç WAN - íåò, îøèáêà 638 (timeout)
íå ïîíèìàþ ÷òî íå òàê

Ïðîñòèòå, ãîñïîäà, ñàìîâûïèëèâàþñü. Âñ¸ ðàáîòàåò ñ òàêèìè êîíôèãàìè.

Åñëè â âèíäå ïðè ïîäêëþ÷åíèè ïîñòàâèòü ãàëî÷êó íà îñíîâíîì øëþçå, òî âåñü òðàôèê ïîéäåò ÷åðåç ðîóòåð. Åñëè íå ïîñòàâèòü - ïîÿâèòñÿ ìàðøðóò äî LAN çà ðîóòåðîì è êîìïû áóäóò äîñòóïíû.

[VOVA_iS]

Ïðîøó ïîìîùè

Èìååì ñåòü
à) Èï àäðåñ ðîóòåðà (WL500gp) WAN 85.113.3xx.xxx (èíòåðíåò ïîäíÿò â ñåòè ñ ïîìîùüþ PPPoE)
Âíóòðåííÿÿ ñåòü 192.168.0.yyy
á) ÈÏ àäðåñ cåðâåðà WAN 85.113.5zz.zzz
Âíóòðåííÿÿ ñåòü 192.168.120.yyy
Íåîáõîäèìî:
1) ÷òîá ðîóòåð "a" ïîäíèìàë VPN ñîåäèíåíèå ñ ñåòü "á". Ò.å. Ðîóòåð äîëæåí áûòü êëèåíòîì
2) ×òîá êîìïüþòåðû â ñåòè 192.168.0.yyy âèäåëè ñåòü 192.168.120.yyy è íàîáîðîò. Èíòåðíåò ó êàæäîé ñåòè ñâîé.

PopTop ïîäíÿò ïîäêëþ÷àòüñÿ ê ðîóòåðó èç âíå ìîãó.

[popow_sergei]

Åñëè â âèíäå ïðè ïîäêëþ÷åíèè ïîñòàâèòü ãàëî÷êó íà îñíîâíîì øëþçå, òî âåñü òðàôèê ïîéäåò ÷åðåç ðîóòåð. Åñëè íå ïîñòàâèòü - ïîÿâèòñÿ ìàðøðóò äî LAN çà ðîóòåðîì è êîìïû áóäóò äîñòóïíû.

äîëæíî ïî èäåå ðàáîòàòü ñ ãàëêîé è èíåò è ëîêàëêà
õîòÿ ÿ ýòîãî ïîêà íå äîáèëñÿ

[Gluk]

äîëæíî ïî èäåå ðàáîòàòü ñ ãàëêîé è èíåò è ëîêàëêà
õîòÿ ÿ ýòîãî ïîêà íå äîáèëñÿ

Íå ïîíÿë âàñ...

Åñëè ñòîèò ãàëî÷êà, òî âåñü òðàôèê êëèåíòà èäåò ÷åðåç vpn
Åñëè íå ñòîèò, äîáàâëÿåòñÿ ìàðøðóò 192.168.38.0 mask 255.255.255.0 192.168.38.x â ìîåì ñëó÷àå è äîñòóïíà ñåòü çà vpn, à èíåò ÷åðåç îñíîâíîå ñîåäèíåíèå êëèåíòà