Ñëîìàííûé NAT

**garillka** · 01-03-2010, 17:12

Ðîóòåð asus wl-500gP, ïðîøèâêà 1.9.2.7-10 îò Îëåãà, ðàáîîòàë ãäå òî 2 ãîäà, ñêà÷èâàë/ðàçäàâàë òîððåíòû, âñå áûëî õîðîøî, íî â îäèí ïðåêðàñíûé ìîìåíò ñëîìàëñÿ NAT.
Ïðè÷åì êàê íàñòðàèâàòü nat ñâîèìè ðóêàìè ÿ ñîâñåì íå çíàþ.
iptales -L -v âûäàåò âîò ýòî.

Code:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere           state INVALID 
25305 5709K ACCEPT     all  --  any    any     anywhere             anywhere           state RELATED,ESTABLISHED 
  174 10440 ACCEPT     all  --  lo     any     anywhere             anywhere           state NEW 
 1352  392K ACCEPT     all  --  br0    any     anywhere             anywhere           state NEW 
    4   112 ACCEPT     igmp --  any    any     anywhere             BASE-ADDRESS.MCAST.NET/4
    0     0 ACCEPT     udp  --  any    any     anywhere             BASE-ADDRESS.MCAST.NET/4udp dpt:!upnp 
   11  3608 ACCEPT     udp  --  any    any     anywhere             anywhere           udp spt:bootps dpt:bootpc 
14695 1378K DROP       all  --  any    any     anywhere             anywhere           

Chain FORWARD (policy ACCEPT 1456 packets, 92998 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  br0    br0     anywhere             anywhere           
    0     0 DROP       all  --  any    any     anywhere             anywhere           state INVALID 
    0     0 ACCEPT     udp  --  any    any     anywhere             BASE-ADDRESS.MCAST.NET/4
  799 47940 TCPMSS     tcp  --  any    any     anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN TCPMSS clamp to PMTU 
47861   34M ACCEPT     all  --  any    any     anywhere             anywhere           state RELATED,ESTABLISHED 
    0     0 DROP       all  --  !br0   ppp0    anywhere             anywhere           
    0     0 DROP       all  --  !br0   vlan1   anywhere             anywhere           
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere           ctstate DNAT 
    0     0 DROP       all  --  any    br0     anywhere             anywhere           

Chain OUTPUT (policy ACCEPT 35510 packets, 33M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain MACS (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain SECURITY (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     tcp  --  any    any     anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5 
    0     0 RETURN     tcp  --  any    any     anywhere             anywhere           tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 
    0     0 RETURN     udp  --  any    any     anywhere             anywhere           limit: avg 5/sec burst 5 
    0     0 RETURN     icmp --  any    any     anywhere             anywhere           limit: avg 5/sec burst 5 
    0     0 DROP       all  --  any    any     anywhere             anywhere           

Chain logaccept (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  any    any     anywhere             anywhere           state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT ' 
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere           

Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  any    any     anywhere             anywhere           state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP ' 
    0     0 DROP       all  --  any    any     anywhere             anywhere

Â post-firewall äîáàâèë ñëåäóþùåå:

Code:

$ cat /tmp/local/sbin/post-firewall 
# NAT
iptables -N PREROUTING
iptables -N POSTROUTING
iptables -N VSERVER 
iptables -A PREROUTING -d 172.16.30.71 -j VSERVER
iptables -A PREROUTING -d 10.5.0.10 -j VSERVER
#iptables -A VSERVER -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.1.70:22
iptables -t nat -A POSTROUTING -o ppp0 ! -s 172.16.30.71 -j MASQUERADE
iptables -t nat -A POSTROUTING -o vlan1 ! -s 10.5.0.10 -j MASQUERADE
iptables -t nat -A POSTROUTING -o br0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j MASQUERADE

NAT Çàðàáîòàë, íî â âûâîäå iptables -L -v íè÷åãî íå èçìåíèëîñü, òàê æå âîçíèêëà ïðîáëåìà, êàê ïðîáðîñèòü ïîðòû? Ñîîòâåòñòâóþùàÿ ìåíþøêà â âåá èíòåðôåéñå íå ðàáîòàåò.

Íàñòðîéêè äëÿ nat âçÿë âçÿë èç ýòîãî ôàéëà, ïðè÷åì åñëè åãî êàêèì íèáóäü îáðàçîì ìåíÿòü òëî íèêàêèå íàñòðîéêè íå ñîõðàíÿþòüñÿ.

Code:

$ cat /tmp/nat_rules 
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:VSERVER - [0:0]
-A PREROUTING -d 172.16.30.71 -j VSERVER
-A PREROUTING -d 10.5.0.10 -j VSERVER
-A VSERVER -p udp -m udp --dport 53167 -j DNAT --to-destination 192.168.1.163:53167
-A VSERVER -p udp -m udp --dport 57098 -j DNAT --to-destination 192.168.1.70:57098
-A VSERVER -p udp -m udp --dport 13979 -j DNAT --to-destination 192.168.1.163:13979
-A VSERVER -p tcp -m tcp --dport 59903 -j DNAT --to-destination 192.168.1.70:59903
-A VSERVER -p tcp -m tcp --dport 4584 -j DNAT --to-destination 192.168.1.70:4584
-A VSERVER -p udp -m udp --dport 22641 -j DNAT --to-destination 192.168.1.163:22641
-A VSERVER -p tcp -m tcp --dport 6876 -j DNAT --to-destination 192.168.1.235:6875
-A VSERVER -p tcp -m tcp --dport 22641 -j DNAT --to-destination 192.168.1.163:22641
-A VSERVER -p udp -m udp --dport 65322 -j DNAT --to-destination 192.168.1.137:65322
-A VSERVER -p udp -m udp --dport 60664 -j DNAT --to-destination 192.168.1.163:60664
-A VSERVER -p tcp -m tcp --dport 52019 -j DNAT --to-destination 192.168.1.137:52019
-A VSERVER -p udp -m udp --dport 62894 -j DNAT --to-destination 192.168.1.163:62894
-A VSERVER -p tcp -m tcp --dport 13979 -j DNAT --to-destination 192.168.1.163:13979
-A POSTROUTING -o ppp0 ! -s 172.16.30.71 -j MASQUERADE
-A POSTROUTING -o vlan1 ! -s 10.5.0.10 -j MASQUERADE
-A POSTROUTING -o br0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j MASQUERADE
COMMIT

Âîîáùåì ïîìîãèòå ïîæàëóéñòà ðàçîáðàòüñÿ ïî÷åìó ýòî ñëó÷èëîñü è ñ ïðîïáðîñîì ïîðòîâ.

çàðàíåå ñïàñèáî

**garillka** · 01-03-2010, 18:32

Ìåíþøêà âñå òàêè çàðàáîòàëà, íî âñå ðàâíî îñòàëñÿ âîïðîñ, êàê ýòî ñäåëàòü ðóêàìè?
È âîïðîñ ïî÷åìó ýòî ñëó÷èëîñü?
Ëþáûå íóæíûå ñâåäåíèÿ ÿ ïðåäîñòàâëþ.

**Power** · 01-03-2010, 22:24

iptables -L -v è íå ïîêàæåò nat. Íóæíî ñìîòðåòü òàê

Code:

iptables -L -nv -t nat

Íå çíàþ, êàê âû îïðåäåëèëè, ÷òî ó âàñ îòêëþ÷èëñÿ nat, íî, âîçìîæíî, âàì ïîìîæåò âûêëþ÷åíèå UPnP.

**garillka** · 01-03-2010, 22:33

Ñïàñèáî çà îòâåò. Ïîïðîáóþ óáðàòü, ÷òî ÿ äîáàâèë â post-firewall è ïîñìîòðåòü, ÷òî áóäåò.
Îïðåäåëèë, ÷òî íå ðàáîòàåò nat òåì, ÷òî íà ðîóòåðå èíòåðíåò åñòü, à ó ïîäêëþ÷åííûõ ê íåìó êîìïüþòåðîâ íåòó.

**TReX** · 02-03-2010, 03:40

Originally Posted by garillka

Ñïàñèáî çà îòâåò. Ïîïðîáóþ óáðàòü, ÷òî ÿ äîáàâèë â post-firewall è ïîñìîòðåòü, ÷òî áóäåò.
Îïðåäåëèë, ÷òî íå ðàáîòàåò nat òåì, ÷òî íà ðîóòåðå èíòåðíåò åñòü, à ó ïîäêëþ÷åííûõ ê íåìó êîìïüþòåðîâ íåòó.

À çà÷åì òàêèå ìó÷åíèÿ, íå ïðîùå ïðîøèòü ñâåæóþ ïðîøèâêó îòñþäà http://code.google.com/p/wl500g/ è ÷åðåç web èíòåðôåéñ âñå çà 5 ìèíóò íàñòðîèòü?
(åñòåñòâåííî äî è ïîñëå ïðîøèâêè äåëàòü reset to factory default) è äàëüøå ñïîêîéíî íàñòðîèòü ÷åðåç web ìîðäî÷êó, òåì áîëåå ÷òî â íîâîé ïðîøèâêå ïîÿâèëîñü ìíîãî ïðèÿòíûõ ôóíêöèéè èñïðàâëåííà òó÷à îøèáîê))

Thread: Ñëîìàííûé NAT

Thread Tools

Rate This Thread

Display

Ñëîìàííûé NAT

Similar Threads

Íàñòðîéêà NAT íà WL-500gP èëè ïðîáëåìà ñ ïî÷òîé (smtp)

Oops, I broke NAT

wl-700ge + kamikaze/x-wrt: wie ports für emule/bittorrent freigeben

Posting Permissions