Originally Posted by
al37919
для этого придется его как минимум выполнить
а я этого не делал.
Покажите ваш post-firewall и вывод iptables-save
post-firewall:
Code:
# post-firewall script as posted: custom ACCEPT rules for the filter table's
# INPUT chain.
# -I without a rule number inserts at position 1, so every rule lands above
# the one added before it; in the iptables-save listing on this page they
# appear in reverse order, ahead of the state and SECURITY rules.
# NOTE(review): none of these rules carries an -i or -s match, so each port is
# accepted on every interface, the WAN side included. If only LAN access is
# wanted, add an interface match (the dump uses br0 for what appears to be the
# LAN bridge -- confirm).
# Port 51778, both protocols; the page does not say which service uses it.
iptables -I INPUT -p tcp --dport 51778 -j ACCEPT
iptables -I INPUT -p udp --dport 51778 -j ACCEPT
# tcp/80 is the well-known HTTP port (presumably the router's web interface).
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
# tcp/23 is the well-known telnet port; telnet sends credentials in cleartext,
# so accepting it from every interface deserves a second look.
iptables -I INPUT -p tcp --dport 23 -j ACCEPT
и еще несколько правил для трансмиссии
iptables-save:
Code:
[xxx@ROUTER xxx]$ iptables-save
# Generated by iptables-save v1.3.8 on Thu Mar 11 21:09:51 2010
# NOTE(review): nat table. The bracketed figures after each policy are
# packet:byte counters; several values in this dump appear to have been masked
# with "xx" before posting.
*nat
:PREROUTING ACCEPT [752319:1xx098567]
:POSTROUTING ACCEPT [12237:1240370]
:OUTPUT ACCEPT [12403:12780xx]
:VSERVER - [0:0]
# NOTE(review): packets addressed to these two destinations are handed to
# VSERVER, but the dump contains no "-A VSERVER" rule, so the chain is empty:
# no DNAT is applied here and the packets continue unchanged.
-A PREROUTING -d 94.232.66.xx -j VSERVER
-A PREROUTING -d 192.168.2.150 -j VSERVER
# NOTE(review): masquerade traffic leaving via ppp0 / eth0 unless its source is
# already the listed address (presumably the router's own address on that
# interface -- confirm).
-A POSTROUTING -s ! 94.232.66.xx -o ppp0 -j MASQUERADE
-A POSTROUTING -s ! 192.168.2.150 -o eth0 -j MASQUERADE
# NOTE(review): traffic from 192.168.1.0/24 to 192.168.1.0/24 leaving br0 has
# its source rewritten to 192.168.1.1.
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o br0 -j SNAT --to-source 192.168.1.1
COMMIT
# Completed on Thu Mar 11 21:09:51 2010
# Generated by iptables-save v1.3.8 on Thu Mar 11 21:09:51 2010
# NOTE(review): mangle table holds no rules; all five built-in chains are left
# at policy ACCEPT, so nothing is altered or filtered here.
*mangle
:PREROUTING ACCEPT [6241657:4405638770]
:INPUT ACCEPT [2574276:2169647984]
:FORWARD ACCEPT [3288303:2134878418]
:OUTPUT ACCEPT [1313992:161526298]
:POSTROUTING ACCEPT [4602654:2296494463]
COMMIT
# Completed on Thu Mar 11 21:09:51 2010
# Generated by iptables-save v1.3.8 on Thu Mar 11 21:09:51 2010
# NOTE(review): filter table. INPUT's ACCEPT policy is never reached because
# the chain contains an unconditional DROP further down. FORWARD's ACCEPT
# policy does apply to whatever falls through that chain's rules.
# No rule in this dump jumps to MACS, logaccept or logdrop.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [26700:2216347]
:OUTPUT ACCEPT [1313932:161512631]
:BRUTE - [0:0]
:MACS - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
# NOTE(review): these eight ACCEPT rules have no interface, source or state
# match and sit above the INVALID drop and the SECURITY jumps, so the listed
# ports are accepted from any interface, ppp0 and eth0 included, without rate
# limiting. tcp/23 and tcp/80 are the well-known telnet and HTTP ports; if the
# router's admin services listen there they are reachable from the WAN side --
# confirm that is intended, otherwise restrict the rules with an -i match.
-A INPUT -p tcp -m tcp --dport 9091 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 51413 -j ACCEPT
-A INPUT -p udp -m udp --dport 65534 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 65534 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m udp --dport 51778 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 51778 -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
# NOTE(review): NEW packets arriving on ppp0 / eth0 pass through SECURITY,
# which RETURNs while under its rate limits and DROPs everything else.
-A INPUT -i ppp0 -m state --state NEW -j SECURITY
-A INPUT -i eth0 -m state --state NEW -j SECURITY
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
# NOTE(review): SYNs to tcp/21 are decided by BRUTE (per-source throttling).
-A INPUT -p tcp -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -j BRUTE
# NOTE(review): any packet this rule matches was already accepted by the
# unrestricted tcp/80 rule near the top of the chain, so the narrower
# destination match has no effect while that rule is present.
-A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j DROP
# NOTE(review): unreachable -- this rule follows the unconditional DROP above,
# so it never matches and tcp/666 is not opened by it. The page does not show
# what appended it.
-A INPUT -p tcp -m tcp --dport 666 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# NOTE(review): packets that did not arrive on br0 are not forwarded out via
# ppp0 or eth0; other NEW packets not from br0 are rate-limited by SECURITY.
-A FORWARD -i ! br0 -o ppp0 -j DROP
-A FORWARD -i ! br0 -o eth0 -j DROP
-A FORWARD -i ! br0 -m state --state NEW -j SECURITY
# NOTE(review): connections that were DNATed are accepted; anything else
# heading to br0 is dropped. Remaining traffic falls through to the chain's
# ACCEPT policy.
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -o br0 -j DROP
# NOTE(review): drop a source once the "recent" list named BRUTE records 2 or
# more hits from it within 600 seconds; otherwise record the source and accept.
-A BRUTE -m recent --update --seconds 600 --hitcount 2 --name BRUTE --rsource -j DROP
-A BRUTE -m recent --set --name BRUTE --rsource -j ACCEPT
# NOTE(review): rate limits -- TCP SYN and RST at 1/sec, UDP and ICMP at 5/sec;
# packets within the limit RETURN to the calling chain, the rest are dropped.
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p udp -m limit --limit 5/sec -j RETURN
-A SECURITY -p icmp -m limit --limit 5/sec -j RETURN
-A SECURITY -j DROP
# NOTE(review): logging variants of ACCEPT and DROP; unused in this ruleset,
# so no accepted or dropped connection is logged by these chains.
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Thu Mar 11 21:09:51 2010