Èçìåíÿòü virtual-server, íå ïåðåçàãðóæàÿ ðîóòåð?

[Tronix]

Äîáðîãî âðåìåíè ñóòîê.

Ó ìåíÿ îáû÷íî 21 ïîðò ïðîáðîøåí íà äåñêòîïíûé êîìïüþòåð (ò.å. â íàñòðîéêàõ âêëþ÷åíî Virtual Server). Íî êîãäà äåñêòîï âûêëþ÷àåòñÿ, ÿ âûêëþ÷àþ Virtual Server, è ñîîòâåòñòâåííî â êà÷åñòâå FTP âûñòóïàåò óæå íå äåñêòîï, à ñàì ðîóòåð. Åäèíñòâåííûé ìèíóñ - ïðèõîäèòñÿ êàæäûé ðàç ïåðåçàãðóæàòü ðîóòåð.

Âîïðîñ: íåëüçÿ-ëè êàêèìè-ëèáî ìàíèïóëÿöèÿìè ñ iptables äåëàòü òîæå-ñàìîå, íå ïåðåçàãðóæàÿñü? Åñëè âàì íå ñëîæíî, íàïèøèòå ïîæàëóéñòà ïîëíîñòüþ ýòè êîìàíäû. Ñàì ïûòàëñÿ ðàçîáðàòüñÿ, íî òùåòíî (

È åùå, ÿ âîîáùåì-òî ýòîò âîïðîñ óæå çàäàâàë, íî êîíêðåòíîãî îòâåòà òàê è íå ïîñëåäîâàëî: Âîçìîæíî-ëè êàê-òî îòñëåæèâàòü, åñòü-ëè ëèíê íà LAN ïîðòå èëè åãî íåòó? Â èäåàëå ñ ïîìîùüþ ñêðèïòà, êîòîðûé âûïîëíÿëñÿ áû ïî crontab'ó ñêàæåì êàæäûå 5 ìèíóò.

 èäåàëå õî÷åòñÿ àâòîìàòèçèðîâàòü ïðîöåññ: òîåñòü åñëè åñòü ëèíê íà ïåðâîì LAN ïîðòå, òî FTP ó íàñ íà äåñêòîïå. Åñëè ëèíê ïðîïàë - òî FTP ïåðåâîäèì íà ðîóòåð...

Çàðàíåå îãðîìíîå ñïàñèáî çà îòâåòû.

P.S. wl500gP + Oleg's pre7 firmware.

[Duke]

Âàðèàíò îäèí.
â post-firewall â êîíåö äîáàâëÿåì

Code:

iptables -t nat -I PREROUTING -p tcp --dport 21 -j DNAT --to-destination $VServerIP
iptables -I INPUT -p tcp --dport 21 -j ACCEPT

âûêëþ÷àåì êîìï, äåëàåì

Code:

iptables -t nat -D PREROUTING 1

âêëþ÷àåì êîìï - ñíîâà äåëàåì.

Code:

iptables -t nat -I PREROUTING -p tcp --dport 21 -j DNAT --to-destination $VServerIP

Àëãîðèòì òàêîâ - ïðè âêëþ÷åííîì êîìïå âõîäÿùèé íà 21-é ïîðò òðàôôèê íàòèòñÿ íà êîìï, ïðè âûêëþ÷åííîì - íà÷èíàåò ðàáîòàòü âòîðîå ïðàâèëî è ðîóòåð ñàì ïðèíèìàåò ïàêåòû.

Âàðèàíò 2.
Ïðîáðîñèòü ñäðîãîã îïîðòà íà ÔÒÏ êîìïà, âðåçóëüòàòå îáà ÔÒÏ ìîãóò ðàáîòàòü îäíîâðåìåííî

Code:

iptables -t nat -I PREROUTING -p tcp --dport 2121 -j DNAT --to-destination $VServerIP:21
iptables -I INPUT -p tcp --dport 21 -j ACCEPT

Çäåñü ïî 21-ìó ïîðòó äîñòóïåí ÔÒÏ ðîóòåðà, ïî 2121 - êîìïà.

[Lesnix]

÷òîáû àâòîìàòè÷åñêè âûïîëíÿòü êîìàíäû ïî ssh-ïðîòîêîëó, åñòü çàìå÷àòåëüíàÿ òóëçà â êîìïëåêòå ñ putty.
íàçûâàåòñÿ pslink, âðîäå.
ñòàâü â øåäóëåð ) ïðè âêëþ÷åíèè-âûêëþ÷åíèè

[Tronix]

Duke: ñïàñèáî áîëüøîå, ñåãîäíÿ âå÷åðîì ïîïðîáóþ. Âàðèàíò ñ äâóìÿ ïîðòàìè äëÿ ìåíÿ íå ïîäõîäèò, íåîáõîäèìî ÷òîáû ôòï áûë íà ñòàíäàðòíîì ïîðòó. Ïî ðåçóëüòàòàì îòïèøóñü.

Lesnix: ñïàñèáî çà ïîäñêàçêó, ïîñìîòðþ â ýòîì íàïðàâëåíèè.

2All: Âîò åùå ïîäóìàëîñü: âåäü ìîæíî îòñëåæèâàòü âêëþ÷åí äåñêòîï èëè âûêëþ÷åí ïî ïðîñòîìó ïèíãó ñ ðîóòåðà íà äåñêòîï. Òîëüêî íå çíàþ, âûäàåò ëè êîìàíäà ping êàêîé-ëèáî errorlevel, è ìîæíî ëè åãî îáðàáîòàòü â ñêðèïòå... Ïîëåç ÷èòàòü äîêè.

[Lesnix]

ìîæíî ïðîñòîé áàø-ñêðèïò íàïèñàòü òèïà

Code:

#!/bin/sh
       reply_count=`ping -c 2 <èï êîìïà> | grep "bytes from" | wc -l`
        if [ $reply_count -gt 0 ]; then
                <çäåñü íåîáõîäèìûå òåáå êîìàíäû>
        fi

Õîòÿ ÿ áû íà òâîåì ìåñòå âñå-òàêè ñäåëàë âñ¸ ýòî ñî ñòîðîíû êîìïà...

[Tronix]

ìîæíî ïðîñòîé áàø-ñêðèïò íàïèñàòü òèïà

Code:

#!/bin/sh
       reply_count=`ping -c 2 <èï êîìïà> | grep "bytes from" | wc -l`
        if [ $reply_count -gt 0 ]; then
                <çäåñü íåîáõîäèìûå òåáå êîìàíäû>
        fi

Îîîî, ñïàñèáî, òî, ÷òî íóæíî. Âå÷åðîì ïîïðîáóþ.

[gaaronk]

ìîæíî ïðîùå

if ! ping -c 2 $host1 > /dev/null 2>&1 ; then
<çäåñü íåîáõîäèìûå òåáå êîìàíäû>
fi

[Lesnix]

...ïîøåë ó÷èòü ìàò÷àñòü

[Tronix]

Áîëüøîå ñïàñèáî âñåì îòâåòèâøèì.  ðåçóëüòàòå ïîëó÷èëîñü ïðèìåðíî òàêîå:

Code:

#!/bin/sh

PIDFILE=/opt/var/run/ping.pid

    if ping -c 2 192.168.1.2 > /dev/null 2>&1 ; then
        if ! [ -f $PIDFILE ]; then
            echo "Desktop online" > $PIDFILE
            iptables -t nat -I PREROUTING -p tcp --dport 21 -j DNAT --to-destination 192.168.1.2
        fi
    else
        if [ -f $PIDFILE ]; then
            rm -f $PIDFILE
            iptables -t nat -D PREROUTING 1
        fi
    fi

Çàñóíóë ýòî â /opt/etc/cron.5mins . Ïîêà âðîäå ïîëåò íîðìàëüíûé. Ïîñìîòðèì. Ïðîøó ìîäåðàòîðîâ òåìó ïîêà íå çàêðûâàòü, åñòü åùå íåêîòîðûå âîïðîñû ñ iptables, íî ïîïðîáóþ ïîêà ñàì ðàçîáðàòüñÿ. Åùå ðàç îãðîìíîå ñïàñèáî âñåì.

[Oleg]

ß áû äëÿ óäàëåíèÿ ïðàâèëà èñïîëüçîâàë

iptables -t nat -D PREROUTING -p tcp --dport 21 -j DNAT --to-destination 192.168.1.2

[Tronix]

ß áû äëÿ óäàëåíèÿ ïðàâèëà èñïîëüçîâàë

iptables -t nat -D PREROUTING -p tcp --dport 21 -j DNAT --to-destination 192.168.1.2

Ñïàñèáî, ïîôèêøåíî.

[Tronix]

Âñå áû õîðîøî, íî êîãäà ñ äåñêòîïíîé ìàøèíû ïûòàþñü çàéòè íà ëþáîé ôòï, ïîïàäàþ íà ñâîé ñîáñòâåííûé. Ïîäñêàæèòå, ïîæàëóéñòà, ÷òî íå òàê?
/tmp/filter_rules

Code:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:MACS - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A SECURITY -p tcp --syn -m limit --limit 1/s -j RETURN
-A SECURITY -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
-A SECURITY -p udp -m limit --limit 5/s -j RETURN
-A SECURITY -p icmp -m limit --limit 5/s -j RETURN
-A SECURITY -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i vlan1 -m state --state NEW -j SECURITY
-A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i vlan1 -m state --state NEW -j SECURITY
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT

/tmp/nat_rules

Code:

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:VSERVER - [0:0]
-A PREROUTING -d 10.37.160.254 -j VSERVER
-A VSERVER -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.2:8080
-A VSERVER -p tcp -m tcp --dport 24939 -j DNAT --to-destination 192.168.1.2:24939
-A VSERVER -p udp -m udp --dport 24939 -j DNAT --to-destination 192.168.1.2:24939
-A PREROUTING -p udp -d 10.37.160.254 --sport 6112 -j NETMAP --to 192.168.1.0/24
-A POSTROUTING -p udp -s 192.168.1.0/24 --dport 6112 -j NETMAP --to 10.37.160.254
-A POSTROUTING -o vlan1 ! -s 10.37.160.254 -j MASQUERADE
-A POSTROUTING -o br0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j MASQUERADE
COMMIT

post-firewall:

Code:

#!/bin/sh
iptables -D INPUT -j DROP
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i $1 -p tcp --dport 80 -j DNAT --to-destination $4:8080
iptables -A INPUT -j DROP

iptables -t nat -I PREROUTING -p tcp --dport 21 -j DNAT --to-destination 192.168.1.2
iptables -I INPUT -p tcp --dport 21 -j ACCEPT

Åñëè íóæíà åùå êàêàÿ-òî èíôîðìàöèÿ, ÿ åå ïðåäîñòàâëþ. Ñîâñåì ÿ çàïóòàëñÿ â iptables ( ×óâñòâóþ ÷òî ÷òî-òî ïåðåìóäðèë... Áóäó áëàãîäàðåí çà îòâåò, çàðàíåå ñïàñèáî.

[Duke]

Äîáàâü "-d 10.37.160.254" â ñêðèïòàõ â ñòðîêè ñ PREROUTING (íà ñêîëüêî ÿ ïîíèìàþ èìåííî íà ýòîò àäðåñ ëîìÿòñÿ íà ÔÒÏ ñíàðóæè?)

[Tronix]

Duke: äà, ñïàñèáî áîëüøîå. Òåïåðü âñå ðàáîòàåò êàê íàäî (òüôó-òüôó-òüôó). Åñëè áû åùå thttpd çàïóñêàëñÿ âñåãäà, à íå â çàâèñèìîñòè îò ôàçû ëóíû; è php íå âûâàëèâàëñÿ áû ñ Segmentation fault, áûëî áû âîîáùå ñóïåð

Åñëè êîìó-òî íàäî, òî â îêîí÷àòåëüíîì âàðèàíòå ñêðèïò âûãëÿäèò òàê:

Code:

#!/bin/sh

PIDFILE=/opt/var/run/ping.pid

    if ping -c 2 192.168.1.2 > /dev/null 2>&1 ; then
        if ! [ -f $PIDFILE ]; then
            echo "Desktop online" > $PIDFILE
            iptables -t nat -I PREROUTING -p tcp --dport 21 -j DNAT --to-destination 192.168.1.2 -d 10.37.160.254
        fi
    else
        if [ -f $PIDFILE ]; then
            rm -f $PIDFILE
            iptables -t nat -D PREROUTING -p tcp --dport 21 -j DNAT --to-destination 192.168.1.2 -d 10.37.160.254
        fi
    fi

Çäåñü 192.168.1.2 - àäðåñ äåñêòîïà, 10.37.160.254 - àäðåñ ðîóòåðà âî âíåøíåì ìèðå (WAN).

 /tmp/local/sbin/post-firewall âñåãî îäíî ïðàâèëî:

Code:

iptables -I INPUT -p tcp --dport 21 -j ACCEPT

Ñïàñèáî âñåì çà ïîìîùü â ðàçðåøåíèè ïðîáëåììû.

[Duke]

âìåñòî

Code:

-d 10.37.160.254

ìîæíî ïðîïèñàòü

Code:

-d "$(nvram get wan_ipaddr)"

Íàäåþñü íåíàäî îáúÿñíÿòü ïî÷åìó ñ òàêèìè íàñòðîéêàìè ÔÒÏ áóäåò äîñòóïåí òîëüêî èç ëîêàëêè íî íå ÷åðåç íåò?