Íå ïîëó÷àåòñÿ îòêðûòü 80 ïîðò

**TReX** · 11-06-2011, 13:51

Originally Posted by Bolek

Òàê è äèðà sbin íå ñîçäàåòñÿ.

Code:

[root@VITLAN root]$ mkdir /usr/local/sbin
mkdir: can't create directory '/usr/local/sbin': File exists

À â ñëîâàðèêå ïîñìîòðåòü - File exists - çíà÷èò óæå ñóùåñòâóåò )

**Bolek** · 13-06-2011, 19:12

Ïðîøó ïðîùåíèÿ çà íåâíèìàòåëüíîñòü. Ïðàâèëî ñîõðàíèëîñü, íî ïîðò âñå ðàâíî ñíàðóæè çàêðûò.
Ýòî ìîæåò ïîìî÷ü â äèàãíîñòèêå?
Ïðè âûêëþ÷åííîì
Enable Web Access from WAN?

Code:

[root@VITLAN root]$ iptables-save | grep INPUT
:INPUT ACCEPT [454:51530]
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i br0 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 222 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -d 192.168.1.1/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP

**reiten** · 14-06-2011, 08:16

Â âûâîäå iptables-save èç ïîñòà #143 èìååòñÿ ïðàâèëî

Code:

-A VSERVER -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.251:80

Ïîëó÷àåòñÿ, 80 ïîðò ó Âàñ ïðîáðîøåí êóäà-òî âî âíóòðåííþþ ñåòü. ×òîáû ïîëó÷èòü äîñòóï ê 80ìó ïîðòó ðîóòåðà, íóæíî îòìåíèòü åãî ïðîáðîñ.

**Bolek** · 14-06-2011, 08:50

Òàê ÿ æå è õî÷ó ïîïàñòü íà âåá ñåðâåð êîòîðûé íàõîäèòñÿ â ëîêàëüíîé ñåòè, 192.168.1.251:80, , ÿ õî÷ó îòêðûòü äîñòóï äëÿ ssh ïî 222

Code:

# Generated by iptables-save v1.4.3.2 on Tue Jun 14 11:46:27 2011
*nat
:PREROUTING ACCEPT [267:25264]
:POSTROUTING ACCEPT [10:688]
:OUTPUT ACCEPT [10:688]
:VSERVER - [0:0]
-A PREROUTING -d 46.243.196.15/32 -j VSERVER 
-A PREROUTING -d 10.28.226.174/32 -j VSERVER 
-A POSTROUTING ! -s 46.243.196.15/32 -o ppp0 -j MASQUERADE 
-A POSTROUTING ! -s 10.28.226.174/32 -o vlan1 -j MASQUERADE 
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -o br0 -j MASQUERADE 
-A VSERVER -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.1:8080 
-A VSERVER -p tcp -m tcp --dport 32016 -j DNAT --to-destination 192.168.1.115:32016 
-A VSERVER -p udp -m udp --dport 32016 -j DNAT --to-destination 192.168.1.115:32016 
-A VSERVER -p tcp -m tcp --dport 30108 -j DNAT --to-destination 192.168.1.115:30108 
-A VSERVER -p udp -m udp --dport 30108 -j DNAT --to-destination 192.168.1.115:30108 
-A VSERVER -p tcp -m tcp --dport 5000 -j DNAT --to-destination 192.168.1.251:5000 
-A VSERVER -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.251:80 
-A VSERVER -p tcp -m tcp --dport 5001 -j DNAT --to-destination 192.168.1.251:5001 
COMMIT
# Completed on Tue Jun 14 11:46:27 2011
# Generated by iptables-save v1.4.3.2 on Tue Jun 14 11:46:27 2011
*mangle
:PREROUTING ACCEPT [3158:329218]
:INPUT ACCEPT [2907:306754]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3565:4007855]
:POSTROUTING ACCEPT [3565:4007855]
COMMIT
# Completed on Tue Jun 14 11:46:27 2011
# Generated by iptables-save v1.4.3.2 on Tue Jun 14 11:46:27 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3546:4006466]
:BRUTE - [0:0]
:MACS - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -p tcp -m tcp --dport 222 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
-A INPUT -m conntrack --ctstate INVALID -j DROP 
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i lo -m conntrack --ctstate NEW -j ACCEPT 
-A INPUT -i br0 -m conntrack --ctstate NEW -j ACCEPT 
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 222 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT 
-A INPUT -d 192.168.1.1/32 -p tcp -m tcp --dport 80 -j ACCEPT 
-A INPUT -d 192.168.1.1/32 -p tcp -m tcp --dport 8080 -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -p udp -m udp --dport 33434:33534 -j ACCEPT 
-A INPUT -j DROP 
-A FORWARD -i br0 -o br0 -j ACCEPT 
-A FORWARD -m conntrack --ctstate INVALID -j DROP 
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD ! -i br0 -o ppp0 -j DROP 
-A FORWARD ! -i br0 -o vlan1 -j DROP 
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT 
-A FORWARD -o br0 -j DROP 
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN 
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN 
-A SECURITY -p udp -m limit --limit 5/sec -j RETURN 
-A SECURITY -p icmp -m limit --limit 5/sec -j RETURN 
-A SECURITY -j DROP 
-A logaccept -m conntrack --ctstate NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options --log-macdecode 
-A logaccept -j ACCEPT 
-A logdrop -m conntrack --ctstate NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options --log-macdecode 
-A logdrop -j DROP 
COMMIT
# Completed on Tue Jun 14 11:46:27 2011

Ìíå êàæåòñÿ, ÷òî òóò êàêîé òî êîñÿê

netstat -lnt | grep 80
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN

**reiten** · 14-06-2011, 10:31

Â òàêîì ñëó÷àå êîïàòü íàäî â ñòîðîíó íàñòðîåê ñåðâåðà íà 192.168.1.251:80
Ñî ñòîðîíû ðîóòåðà çàïèñè â òàáëèöå VSERVER äîñòàòî÷íî. ×òî êðóòèòñÿ íà ñåðâåðå?

Â ïðèâåäåííîì âûâîäå netstat êîñÿêîâ íåòó - ïî íåìó âèäíî, ÷òî âåá-èíòåðôåéñ ðîóòåðà âèñèò íà 8080.

Äîñòóï ïî ssh îòêðûòü ê ðîóòåðó èëè ê ñåðâåðó íà 192.168.1.251?

**Bolek** · 14-06-2011, 11:15

Äîñòóï ïî ssh õî÷ó îòêðûòü äîñòóï ê ðîóòåðó 192.168.1.1.
Íà 192.168.1.251:80 âèñèò âåá ñàéò, â ëîêàëêå îí ðàáîòàåò.
ß äóìàë, ÷òî â íîâûõ ïðîøèâêàõ ýíòóçèàñòîâ òàêèå âåùè ìîæíî ñäåëàòü ÷åðåç âåá èíòåðôåéñ ((.

**theMIROn** · 14-06-2011, 11:42

Originally Posted by Bolek

Äîñòóï ïî ssh õî÷ó îòêðûòü äîñòóï ê ðîóòåðó 192.168.1.1.
Íà 192.168.1.251:80 âèñèò âåá ñàéò, â ëîêàëêå îí ðàáîòàåò.
ß äóìàë, ÷òî â íîâûõ ïðîøèâêàõ ýíòóçèàñòîâ òàêèå âåùè ìîæíî ñäåëàòü ÷åðåç âåá èíòåðôåéñ ((.

ìîæíî. ðàáîòàåò. ÷òî íå òàê?

**reiten** · 14-06-2011, 12:10

Originally Posted by Bolek

Äîñòóï ïî ssh õî÷ó îòêðûòü äîñòóï ê ðîóòåðó 192.168.1.1.
Íà 192.168.1.251:80 âèñèò âåá ñàéò, â ëîêàëêå îí ðàáîòàåò.
ß äóìàë, ÷òî â íîâûõ ïðîøèâêàõ ýíòóçèàñòîâ òàêèå âåùè ìîæíî ñäåëàòü ÷åðåç âåá èíòåðôåéñ ((.

Íà ÷åì èìåííî âèñèò âåá-ñàéò? Êàêèå îïåðàöèîíêà, âåá-ñåðâåð, ôàéðâîëë?
Âåðîÿòíåå, ÷òî-òî áëîêèðóåò äîñòóï íà ñåðâåðå.

×òî äî ssh íà ðîóòåðå - â âåá-èíòåðôåéñå system setup>services>network services

**Bolek** · 14-06-2011, 12:10

Â âåá èíòåðôåéñå ñäåëàë òàê,
Enable SSH access: Yes
SSH Port: 222
Íå çàðàáîòàëà. ñäåëàë òàê
echo "iptables -I INPUT -p tcp --dport 222 -j ACCEPT" >> /usr/local/sbin/post-firewall
Òîæå íå çàðàáîòàëî.
Óäàëåííî ó ìåíÿ åñòü äîñòóï ê ðîóòåðó ïî ïîðòó 8080, ïðè Enable Web Access from WAN? Yes , Port of Web Access from WAN:8080 , êîãäà ñòîÿë 80 ïîðò, òî òîæå íè÷åãî íå âûõîäèëî.
È ÿ ìîãó ïîïàñòü íà óñòðîéñòâî â ìîåé ñåòè äî êîòîðîãî ïðîáðîøåíû ïîðòû 5000 è 5001.

**theMIROn** · 14-06-2011, 12:17

íå íàäî íè÷åãî äîïîëíèòåëüíî äåëàòü, âêëþ÷èòå ssh íà ïîðòó 1222

**Bolek** · 14-06-2011, 12:17

×òî äî ssh íà ðîóòåðå - â âåá-èíòåðôåéñå system setup>services>network services

Ïðîáîâàë, íå ïîëó÷èëîñü.

Íà ÷åì èìåííî âèñèò âåá-ñàéò? Êàêèå îïåðàöèîíêà, âåá-ñåðâåð, ôàéðâîëë?
Âåðîÿòíåå, ÷òî-òî áëîêèðóåò äîñòóï íà ñåðâåðå.

Ýòî ìàëåíüêèé NAS synology ds109, îí íà ëèíóêñå, ôàéðâîëë îòêëþ÷åí

**vectorm** · 14-06-2011, 12:42

Originally Posted by Bolek

Â âåá èíòåðôåéñå ñäåëàë òàê,
Enable SSH access: Yes
SSH Port: 222
Íå çàðàáîòàëà. ñäåëàë òàê
echo "iptables -I INPUT -p tcp --dport 222 -j ACCEPT" >> /usr/local/sbin/post-firewall
Òîæå íå çàðàáîòàëî.
Óäàëåííî ó ìåíÿ åñòü äîñòóï ê ðîóòåðó ïî ïîðòó 8080, ïðè Enable Web Access from WAN? Yes , Port of Web Access from WAN:8080 , êîãäà ñòîÿë 80 ïîðò, òî òîæå íè÷åãî íå âûõîäèëî.
È ÿ ìîãó ïîïàñòü íà óñòðîéñòâî â ìîåé ñåòè äî êîòîðîãî ïðîáðîøåíû ïîðòû 5000 è 5001.

À ïðîâàéäåð ó Âàñ ïîðòû íèæå 1024 íå áëîêèðóåò ïî-óìîë÷àíèþ?
Âîò ÷òî âèäíî ñíàðóæè:

Code:

PORT     STATE
5000/tcp open
5001/tcp open
8080/tcp open

**theMIROn** · 14-06-2011, 12:44

Originally Posted by theMIROn

íå íàäî íè÷åãî äîïîëíèòåëüíî äåëàòü, âêëþ÷èòå ssh íà ïîðòó 1222

ñêàçàíî æå. 1222 ïîðò.

**Bolek** · 14-06-2011, 13:03

À ïðîâàéäåð ó Âàñ ïîðòû íèæå 1024 íå áëîêèðóåò ïî-óìîë÷àíèþ?

Ìîåãî ïðåä. ïðîâàéäåðà âûêóïèëà áîëåå êðóïíàÿ êîíòîðà, è ñåé÷àñ èäåò ïðîöåññ ïåðåäà÷è êëèåíòîâ. ß ïðåäâàðèòåëüíî ïîçâîíèë è óòî÷íèë, áëîêèðóåòå ëè ïîðòû, è ìíå îòâåòèëè , ÷òî íåò.

ñêàçàíî æå. 1222 ïîðò.

Ïîõîæå, ÷òî èõ âñå æå áëîêèðóþò, ò.ê äîñòóï ssh íå çàðàáîòàë íà 1222, à çàðàáîòàë íà 5030

Ñïàñèáî.

**theMIROn** · 14-06-2011, 13:11

Originally Posted by Bolek

Ïîõîæå, ÷òî èõ âñå æå áëîêèðóþò, ò.ê äîñòóï ssh íå çàðàáîòàë íà 1222, à çàðàáîòàë íà 5030

ìåòîäîì "òûêà" ìîæåòå ïðîâåðèòü íà÷èíàÿ ñ êîòîðîãî áëîêèðóþò, èëè óáåäèòüñÿ â "èçáèðàòåëüíîñòè" áëîêèðîâîê

Thread: Íå ïîëó÷àåòñÿ îòêðûòü 80 ïîðò

Thread Tools

Rate This Thread

Display

Similar Threads

Mini PCI mod: äåëàåì èç WL-500gPv1 WL-500W è ïîëó÷àåì Wi-Fi N !

Asus WL-500gP: êàê ïðîâåðèòü WAN ïîðò ?

Îòïðàâêà è ïîëó÷åíèå SMS ñ ðîóòåðà

Mini PCI mod: âòîðîé ïîðò äëÿ PCI/PCMCIA/IDE/CardBus íà WL500gP/W

Íå ïîäêëþ÷àåòñÿ USB HDD

Tags for this Thread

Posting Permissions