Administrace komentářů

Caute
Sorry ze stale otravujem ale mam linux webserver na nom mam nainstalovany apache a firewall UFW - Povolene porty 80 a 443 (skusal som aj vypnut firewall ale nepomohlo to).

Na mikrotiku pouzivam PPP klienta (premenovany na WAN) pre pripojenie cez DSL Telekom a modem je v rezime bridge
Dalej som na mikrotiku v tom rychlom sprievodcovi zaklikol NAT aby nebolo "vidiet" z vonku do lokalnej siete  
Okrem portu Eth1 mam vsetky porty prebridgovane a nazov bridgeu je LAN
V porte Eth2 mam zapojeny switch a v nom vsetky koncove zariadenia a AP
Mam zapnuty DHCP server
Pravidla firewallu na mikrotiku vyzeraju takto (aj tie som skusal vypnut nepomohlo):

[code]ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0    ;;; Accept established and related packets
chain=input action=accept connection-state=established,related log=no log-prefix=""

1    ;;; Accept all connections from local network
chain=input action=accept in-interface=LAN log=no log-prefix=""

2    ;;; Accept established and related packets
chain=forward action=accept connection-state=established,related log=no log-prefix=""

3    ;;; Drop invalid packets
chain=input action=drop connection-state=invalid log=yes log-prefix=""

4    ;;; Drop all packets which are not destined to routes IP address
chain=input action=drop dst-address-type=!local log=yes log-prefix=""

5    ;;; Drop all packets which does not have unicast source IP address
chain=input action=drop src-address-type=!unicast log=yes log-prefix=""

6    ;;; Drop all packets from public internet which should not exist in public network
chain=input action=drop src-address-list=NotPublic in-interface=WAN log=yes log-prefix=""

7    ;;; Drop invalid packets
chain=forward action=drop connection-state=invalid log=yes log-prefix=""

8    ;;; Drop new connections from internet which are not dst-natted
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=WAN log=yes log-prefix=""

9    ;;; Drop all packets from public internet which should not exist in public network
chain=forward action=drop src-address-list=NotPublic in-interface=WAN log=yes log-prefix=""

10    ;;; Drop all packets from local network to internet which should not exist in public network
chain=forward action=drop dst-address-list=NotPublic in-interface=LAN log=yes log-prefix=""

11    ;;; Drop all packets in local network which does not have local network address
chain=forward action=drop src-address=!router.lan.ip.0/24 in-interface=LAN log=yes log-prefix=""

12    ;;; Drop new connections from internet which are not dst-natted
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=WAN log=yes log-prefix="" [/code]

NAT (forwarding portov) vyzera takto:

[code]/ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0    chain=srcnat action=masquerade src-address=router.lan.ip.0/24 out-interface=WAN log=no log-prefix=""

1    chain=dstnat action=dst-nat to-addresses=apache.webserver.lan.ip to-ports=80 protocol=tcp dst-address=router.lan.ip in-interface=WAN dst-port=80 log=no log-prefix=""

2    chain=dstnat action=dst-nat to-addresses=apache.webserver.lan.ip to-ports=443 protocol=tcp dst-address=router.lan.ip in-interface=WAN dst-port=443 log=no log-prefix="" [/code]

skusal som aj alternativu nastavenia dst-address priamo na verejnu IP routera ale ani to nepomohlo


vysledok je taky ze v ramci lan je apache pristupny ale neviem preco nepocuva aj na verejnej IP? Myslim ze pricina bude v mikrotiku a nie vo webservery aj ked neviem presne kde v mikrotiku.