Так я же и хочу попасть на веб сервер который находится в локальной сети, 192.168.1.251:80, , я хочу открыть доступ для ssh по 222
Code:
# Generated by iptables-save v1.4.3.2 on Tue Jun 14 11:46:27 2011
*nat
:PREROUTING ACCEPT [267:25264]
:POSTROUTING ACCEPT [10:688]
:OUTPUT ACCEPT [10:688]
:VSERVER - [0:0]
-A PREROUTING -d 46.243.196.15/32 -j VSERVER
-A PREROUTING -d 10.28.226.174/32 -j VSERVER
-A POSTROUTING ! -s 46.243.196.15/32 -o ppp0 -j MASQUERADE
-A POSTROUTING ! -s 10.28.226.174/32 -o vlan1 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -o br0 -j MASQUERADE
-A VSERVER -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.1:8080
-A VSERVER -p tcp -m tcp --dport 32016 -j DNAT --to-destination 192.168.1.115:32016
-A VSERVER -p udp -m udp --dport 32016 -j DNAT --to-destination 192.168.1.115:32016
-A VSERVER -p tcp -m tcp --dport 30108 -j DNAT --to-destination 192.168.1.115:30108
-A VSERVER -p udp -m udp --dport 30108 -j DNAT --to-destination 192.168.1.115:30108
-A VSERVER -p tcp -m tcp --dport 5000 -j DNAT --to-destination 192.168.1.251:5000
-A VSERVER -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.251:80
-A VSERVER -p tcp -m tcp --dport 5001 -j DNAT --to-destination 192.168.1.251:5001
COMMIT
# Completed on Tue Jun 14 11:46:27 2011
# Generated by iptables-save v1.4.3.2 on Tue Jun 14 11:46:27 2011
*mangle
:PREROUTING ACCEPT [3158:329218]
:INPUT ACCEPT [2907:306754]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3565:4007855]
:POSTROUTING ACCEPT [3565:4007855]
COMMIT
# Completed on Tue Jun 14 11:46:27 2011
# Generated by iptables-save v1.4.3.2 on Tue Jun 14 11:46:27 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3546:4006466]
:BRUTE - [0:0]
:MACS - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -p tcp -m tcp --dport 222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i br0 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 222 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -d 192.168.1.1/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d 192.168.1.1/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp -m udp --dport 33434:33534 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -i br0 -o ppp0 -j DROP
-A FORWARD ! -i br0 -o vlan1 -j DROP
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -o br0 -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p udp -m limit --limit 5/sec -j RETURN
-A SECURITY -p icmp -m limit --limit 5/sec -j RETURN
-A SECURITY -j DROP
-A logaccept -m conntrack --ctstate NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options --log-macdecode
-A logaccept -j ACCEPT
-A logdrop -m conntrack --ctstate NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options --log-macdecode
-A logdrop -j DROP
COMMIT
# Completed on Tue Jun 14 11:46:27 2011
Мне кажется, что тут какой то косяк
netstat -lnt | grep 80
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN