Ýêñïåðèìåíòåã.

[Lesnix]

Áåð¸ì íîâûé ASUS WL-500g Premium è íàñòðàèâàåì. Âñ¸ äåëàåì ïî èíñòðóêöèè.

Ìåíÿåì ïðîøèâêó(øüåì ïîñëåäíåå îò Îëåãà).
Íàñòðàèâàåì DHCP+PPTP. Âñ¸ ðàáîòàåò, âñ¸ çàìå÷àòåëüíî.
Ðàçðåøàåì icmp from WAN (ãàëî÷êà â Internet Firewall -> Basic Settings)
Ðàçðåøàåì Web-èíòåðôåéñ ïî ïîðòó 8080 èç WAN(ãàëî÷êà â Internet Firewall -> Basic Settings)
Ðàçðåøàåì ssh from WAN(ïî èíñòðóêöèè ñ ýòîãî ñàéòà, ïàðó ïðàâèë â iptables)
Íàñòðàèâàåì Wireless...

Èòîã:
1) Èíòåðíåò èç äîìàøíåé ñåòè - åñòü !
2) SSH, Web-interface èç WAN - åñòü !
È, êàæåòñÿ, âñ¸ çàìå÷àòåëüíî.
Íî òóò âûïëûâàåò îäíà î÷åíü èíòåðåñíàÿ ôè÷à(äà-äà, èìåííî ôè÷à NAT)...

Àäðåñà òðàíñëèðóþòñÿ â îáå ñòîðîíû. Âõîäÿùèå ñîåäèíåíèÿ, íå èìåþùèå ñîïîñòàâëåíèé â NAT-òàáëèöàõ, óñïåøíî òðàíñëèðóþòñÿ âî âíóòðåííþþ ïîäñåòü.
Ìû ìîæåì äîáðàòüñÿ äî âíóòðåííåé ïîäñåòè èç âíåøíåé !
È íà ýòîì íè÷åãî íå çàêàí÷èâàåòñÿ. Çàïóñêàÿ ðîóòåð â òàêîé êîíôèãóðàöèè, ìû ïðåäîñòàâëÿåì áåñïëàòíûé Èíòåðíåò âñåìó ñåãìåíòó ãîðîäñêîé ñåòè, çà ÷òî íàñ íåìåäëåííî îòêëþ÷àåò íàø ïðîâàéäåð. È îí òðèæäû ïðàâ.

Ýêñïåðèìåíò
Íàñòðàèâàåì ASUS êàê ÿ îïèñàë âûøå.
Åìó âûäàåòñÿ IP 10.7.14.88(MAN). Ðîóòåð êîííåêòèòñÿ ïî PPTP è ïîëó÷àåò IP 212.1.xxx.xx (ó ìåíÿ âíåøíèé).

Èä¸ì ê ñîñåäó. Ó íåãî íà êîìïå èï 10.7.14.89.
Ó ñîñåäà èíòåðíåòà íåò, áàëàíñ îòðèöàòåëüíûé, íà VPN íå ïóñêàåò.
Äåëàåì ó ñîñåäà:
route add -host ya.ru gw 10.7.14.88
route add -net 192.168.0.0/24(ìîÿ âíóòðåííÿÿ ñåòü) gw 10.7.14.88

È ïðîâåðÿåì:
ping 192.168.0.254 (âíóòðåííèé èï ðîóòåðà)
ping 192.168.0.8 (äîìàøíÿÿ òà÷êà)
ping ya.ru

ÂѨ ïèíãóåòñÿ !

....âûñêàçûâàåìñÿ.

Code:

[root@gw /tmp]$ iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere           state INVALID
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           state NEW
ACCEPT     all  --  anywhere             anywhere           state NEW
SECURITY   all  --  anywhere             anywhere           state NEW
ACCEPT     udp  --  anywhere             anywhere           udp spt:bootps dpt:bootpc
ACCEPT     tcp  --  anywhere             gw                 tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:7776
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:webcam
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh flags:SYN,RST,ACK/SYN

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere           state INVALID
TCPMSS     tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
SECURITY   all  --  anywhere             anywhere           state NEW
ACCEPT     all  --  anywhere             anywhere           ctstate DNAT

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain MACS (0 references)
target     prot opt source               destination

Chain SECURITY (2 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5
RETURN     tcp  --  anywhere             anywhere           tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
RETURN     udp  --  anywhere             anywhere           limit: avg 5/sec burst 5
RETURN     icmp --  anywhere             anywhere           limit: avg 5/sec burst 5
DROP       all  --  anywhere             anywhere

Chain logaccept (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere           state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT     all  --  anywhere             anywhere

Chain logdrop (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere           state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
DROP       all  --  anywhere             anywhere

[root@gw /tmp]$ cat nat_rules
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:VSERVER - [0:0]
-A PREROUTING -d 212.1.xxx.xx -j VSERVER
-A PREROUTING -d 10.7.14.88 -j VSERVER
-A VSERVER -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.254:80
-A POSTROUTING -o ppp0 ! -s 212.1.xx.xx -j MASQUERADE
-A POSTROUTING -o vlan1 ! -s 10.7.14.88 -j MASQUERADE
-A POSTROUTING -o br0 -s 192.168.0.0/24 -d 192.168.0.0/24 -j MASQUERADE
COMMIT

[gaaronk]

Äà. Èìåííî. NAT ýòî òðàíñëÿöèÿ. è íå áîëåå. äëÿ çàùèòû íóæíî èñïîëüçîâàòü firewall

ïîýòîìó ó ìåíÿ â ôàéðâîëëå â ìîìåíò ïîäíÿòèÿ ñîåäèíåíèÿ äîáàâëÿåòñÿ ïðàâèëî

â öåïî÷êó INPUT ïîñëå state INVALID ÷òî òî âðîäå

0 0 DROP all -- ppp0 * 0.0.0.0/0 !83.237.4.187

_ïðèìåðíî_ âîò òàê

iptables -I INPUT 2 -i $interface ! -d $ip -j DROP

(âñå ñîåäèíåíèÿ ÿ ïîäíèìàþ íå ñðåäñòâàìè ïðîøèâêè, à ñâîèìè ñêðèïòàìè)

òî åñòü äðîïàåì âñå âõîäÿùèå åñëè îíè àäðåñîâàíû íå íàøåìó ip

à òàê æå ìîäèôèöèðóþ FORWARD â post-firewall

iptables -P FORWARD DROP
iptables -A FORWARD -i br0 -s 192.168.0.0/24 -j ACCEPT

òî åñòü ðàçðåøàþ ôîðâàðäèòü ïàêåòû òîëüêî ñ àäðåñàìè ìîåé âíóòðåííåé ñåòè è ñ âíóòðåííåãî èíòåðôåñà, à âñå îñòàëüíîå - ïî óìîë÷àíèþ äðîïàåòñÿ

[Alexvaler]

â ôàê ýòîò ìîìåíò íåïðåìåííî!!! æåëàòåëüíî ñî ñòàíäàðòíûì ðåøåíèåì.

[Oleg]

Èñïðàâëÿòü íàäî. Òîëüêî ÷òî-òî ó ìåíÿ ïîêà â ãîëîâå íå ðèñóåòñÿ, ÷òî ñäåëàòü. Öåïî÷êó FORWARD íàäî èçìåíÿòü. ×òî-òî òèïà

iptables -A FORWARD ! -i br0 -j DROP

Íàäî ïðîâåðÿòü, íåò ëè êàêèõ ïîñëåäñòâèé îò òàêîé êîìàíäû.

[Lesnix]

Ðåøåíèå gaaronk, â ïðèíöèïå, ïîäõîäèò...
Òîëüêî ïðè ýòîì ñòàíîâèòñÿ íåâîçìîæíî äîáðàòüñÿ äî ðîóòåðà èç WAN ïî ïîðòó HTTP(8080)...
Âîîáùå ñòðàííî, ÷òî dropbear ssh ñëóøàåò íà âñåõ IP, à äîñòóï ïî http îðãàíèçîâàí òîëüêî ïðîáðàñûâàíèåì ïîðòà 8080 íà âíóòðåííèé èï... ýòî ñóäÿ ïî VSERVER...
ÿ ïðàâ ?

[gaaronk]

Ðåøåíèå gaaronk, â ïðèíöèïå, ïîäõîäèò...
Òîëüêî ïðè ýòîì ñòàíîâèòñÿ íåâîçìîæíî äîáðàòüñÿ äî ðîóòåðà èç WAN ïî ïîðòó HTTP(8080)...
Âîîáùå ñòðàííî, ÷òî dropbear ssh ñëóøàåò íà âñåõ IP, à äîñòóï ïî http îðãàíèçîâàí òîëüêî ïðîáðàñûâàíèåì ïîðòà 8080 íà âíóòðåííèé èï... ýòî ñóäÿ ïî VSERVER...
ÿ ïðàâ ?

à ïî÷åìó??

çàïðîñ ïðèõîäèò íà âíåøíèé ip ïðîïóñêàåòñÿ ôàéðâîëëîì, à ïîòîì îáðàáàòûâàåòñÿ ïîðòôîðâàðäèíãîì

imho òàê

[gaaronk]

Èñïðàâëÿòü íàäî. Òîëüêî ÷òî-òî ó ìåíÿ ïîêà â ãîëîâå íå ðèñóåòñÿ, ÷òî ñäåëàòü. Öåïî÷êó FORWARD íàäî èçìåíÿòü. ×òî-òî òèïà

iptables -A FORWARD ! -i br0 -j DROP

Íàäî ïðîâåðÿòü, íåò ëè êàêèõ ïîñëåäñòâèé îò òàêîé êîìàíäû.

áûòü íå äîëæíî. îòâåòû íà çàïðîñû îáðàáîòàþòñÿ ðàíåå ïðàâèëîì ñ RELATED,ESTABLISHED èëè DNAT (äëÿ ïîðòôîðâàðäèíãà)

ó ìåíÿ åùå áîëåå æåñòêîå óñëîâèå

iptables -A FORWARD -i br0 -s 192.168.0.0/24 -j ACCEPT

à îñòàëüíîå äðîïàåòñÿ. è ãîä ïî÷òè ïîëåò íîðìàëüíûé

âîò êóñîê post-firewall

lanaddr=`nvram get lan_ipaddr`
lanmask=`nvram get lan_netmask`
lan_net=`ipcalc -s -n $lanaddr $lanmask | awk '{print(substr($1,9))}'`/$lanmask

iptables -P FORWARD DROP
iptables -A FORWARD -i br0 -s $lan_net -j ACCEPT

[Diablo-AD]

Ðàçðåøàåì icmp from WAN (ãàëî÷êà â Internet Firewall -> Basic Settings)

OFF: à ãäå òàêàÿ ãàëî÷êà òàì?

[Lesnix]

Diablo-AD, ñìîòðè ïðèëîæåííûé ñêðèíøîò ñ ãàëî÷êîé

gaaronk, ÿ ñåáå post-firewall ïðàêòè÷åñêè àíàëîãè÷íûé ñäåëàë.

Code:

#!/bin/sh

inet_ip=`nvram get wan_ipaddr_t`
man_ip=`nvram get wanx_ipaddr`

lan_ip=`nvram get lan_ipaddr`
lan_mask=`nvram get lan_netmask`
lan_net=`ipcalc -s -n $lan_ip $lan_mask | awk '{print(substr($1,9))}'`/$lan_mask

# set default policy
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Remove last default rule
iptables -D INPUT -j DROP

# allow internal routing
iptables -A FORWARD -i br0 -j ACCEPT

# Allow access to ssh server from WAN
iptables -A INPUT -p tcp -i vlan1 --syn --dport 22 -j ACCEPT

# deny all packets with dst-ip !our_ip
iptables -I INPUT 2 -i ppp0 ! -d $inet_ip -j DROP
iptables -I INPUT 2 -i vlan1 ! -d $man_ip -j DROP

...è âîò ñ ýòèìè ïðàâèëàìè ìíå ÍÅ âèäåí ïîðò ðîóòåð:8080 íè èç MAN, íè èç èíåòà.
web-access from wan âêëþ÷åí. ïîðò 8080.