Portál AbcLinuxu, 10. května 2025 09:59

Dotaz: Problem s Firewallom

1.8.2008 17:59 deejay | skóre: 2
Problem s Firewallom
Přečteno: 807×
Odpovědět | Admin
Dobry den, mam postaveny kompletne cely firewall,ale mam problem a neviem si s nim rady.Neviem sa na svoj server cez ssh pripojit, pozeral som uz aj nastavenia ssh servera,ale stale badam,takze asi problem bude iba vo firewalle. Prikladam skript mojho firewallu..Este dolozim,ze z intranetu sa na ssh pripojim bez problemov a ze na ssh sa nechcem pripajat z internetu,ale cez vpn, ktoru mam na tap0 


#!/bin/bash

  IPT="/usr/sbin/iptables"
  IFC="/sbin/ifconfig"
  G="/bin/grep"
  SED="/bin/sed"
  AWK="/usr/bin/awk"
  ECHO="/bin/echo"

  # External interface
  EXTIF="eth1"
  EXTIP="192.168.3.2"
  EXTBC="255.255.255.255"
  EXTMSK="255.255.255.0"
  EXTNET="192.168.3.2/$EXTMSK"

  # Wifi siet
  WIFI="eth0"
  WIFINET="192.168.1.0"
  WIFIIP="192.168.1.254"
  WIFIMASK="255.255.255.0"
  WIFINETMASK="$WIFINET/$WIFIMASK"
  WIFIENABLE="yes"

  # Loop device/localhost
  LPDIF="lo"
  LPDIP="127.0.0.1"
  LPDMSK="255.0.0.0"
  LPDNET="$LPDIP/$LPDMSK"

  # services ENABLED from wifi network openvpn sa povoluje iba v cykle pre tap iface
  WIFI_SERVICE_TCP=(http domain ssh 67 10000 pop3 1194);
  WIFI_SERVICE_UDP=(http domain ssh 67 1194);

  # services ENABLED from external network
  EXTERNAL_SERVICE_TCP=(ssh http domain 445 139 2049 111 831 761 946 1629 1194);
  EXTERNAL_SERVICE_UDP=(ssh http domain 445 139 2049 111 831 761 946 1629 1194);

  # services ENABLED from localhost
  TCPSERV=(smtp http ftp ftps ftp-data ftps-data https mysql imap imaps pop3 pop3s domain ssh 445 139 2049 111 831 761 946 1629 1194)
  UDPSERV=(smtp http ftp ftps ftp-data ftps-data https mysql imap imaps pop3 pop3s domain ssh 445 139 2049 111 831 761 946 1629 1194)

start() {

  trap "" 2 3

  echo "Setting default policy:"
  $IPT -P INPUT DROP;
  $IPT -P OUTPUT ACCEPT;
  $IPT -P FORWARD DROP;

  CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
  for i in $CHAINS
  do
   $IPT -t $i -F
  done
  for i in $CHAINS
  do
   $IPT -t $i -X
  done

  echo "  INPUT -> DROP";
  echo " OUTPUT -> ACCEPT";
  echo "FORWARD -> DROP";

  echo 1 > /proc/sys/net/ipv4/ip_forward

  # DROP invalid packets
  $IPT -A INPUT -i $EXTIF -m state --state INVALID -j DROP

  # Block IP with bad destination
  $IPT -A INPUT -i $EXTIF -d ! $EXTIP -j DROP
 
  # allow localhost (local connections)
  $IPT -A INPUT -i tap0 -j ACCEPT
  $IPT -A INPUT -i $LPDIF -s $LPDIP -j ACCEPT
  $IPT -A INPUT -i $LPDIF -s $EXTIP -j ACCEPT
  # MASQUERADING internal network, if requested
  echo "MASQuerading outgoing connections"
  $IPT -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

  # input
  $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT

  # forward
  $IPT -A FORWARD -p TCP -m state --state RELATED,ESTABLISHED -j ACCEPT
  $IPT -A FORWARD -p UDP -m state --state RELATED,ESTABLISHED -j ACCEPT
  $IPT -A FORWARD -i tap0 -o eth1 -j ACCEPT

    ## INPUT Z VONKU TCP
  ############################################################################
  echo -n "FW: ACCEPTing external TCP services... ";
  let a=0;
  for port in ${EXTERNAL_SERVICE_TCP[@]} ; do
      $IPT -A INPUT -p tcp -d $EXTIP -i $EXTIF --dport $port -j ACCEPT ;
      let a=$a+1;
  done;
  echo "($a)";
    ## INPUT Z VONKU UDP
  ############################################################################
  echo -n "FW: ACCEPTing external UDP services... ";
  let a=0;
  for port in ${EXTERNAL_SERVICE_UDP[@]} ; do
      $IPT -A INPUT -p udp -d $EXTIP -i $EXTIF --dport $port -j ACCEPT ;
      let a=$a+1;
  done;
  echo "($a)";

  ## INPUT Z WIFI TCP
  ############################################################################
  echo -n "FW: ACCEPTing wifi TCP services... ";
  let a=0;
  for port in ${WIFI_SERVICE_TCP[@]} ; do
      $IPT -A INPUT -i $WIFI -p tcp  --dport $port -j ACCEPT ;
      let a=$a+1;
  done;
  echo "($a)";
  ## INPUT Z WIFI UDP
  ############################################################################
  echo -n "FW: ACCEPTing wifi UDP services... ";
  let a=0;
  for port in ${WIFI_SERVICE_UDP[@]} ; do
      $IPT -A INPUT -i $WIFI -p udp  --dport $port -j ACCEPT ;
      let a=$a+1;
  done;
  echo "($a)";

  echo "Firewall rules applied!"
  trap - 2 3
}

stop() {
  trap "" 2 3
  echo "Stopping $prog: "


  CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
  for i in $CHAINS
  do
   $IPT -t $i -F
  done
  for i in $CHAINS
  do
   $IPT -t $i -X
  done

  echo "Setting default policies to ACCEPT"
  $IPT -P INPUT ACCEPT
  $IPT -P OUTPUT ACCEPT
  $IPT -P FORWARD ACCEPT

  trap - 2 3
}

restart() {
  stop
  start
}

case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  restart)
        restart
        ;;
  *)
        echo $"Usage: $0 {start|stop|restart}"
        exit 1
esac

exit $?

Nástroje: Začni sledovat (0) ?Zašle upozornění na váš email při vložení nového komentáře.

Odpovědi

1.8.2008 20:38 Dejv | skóre: 37 | blog: Jak ten blog nazvat ... ? | Ostrava
Rozbalit Rozbalit vše Re: Problem s Firewallom
Odpovědět | | Sbalit | Link | Blokovat | Admin

Strilim od boku, ale tipnul bych si, ze ta vpn by potrebovala jeste prohnat natem. Jake v ni mas adresy? Mozna to tam nekde mas, ale ja to nenasel. Jestli ve vpn mas jiny rozsah adres, (coz asi ano), tak k nemu jsem v tom skriptu nic nenasel, takze fw potom sice akceptuje vse, co prislo z tap0, ale ty pakety se pak asi routuji na vychozi branu a ne na mistni rozhrani.

No, tak jsem se tu ted pred zkusenejsima asi pekne ztrapnil, ze jo :-D, tak ty moje blaboly prosim nekdo uvedte na pravou miru :-) Diky :-D


Dejv
Pevně věřím, že zkušenější uživatelé mě s mými nápady usměrní a pošlou tam, kam tyto nápady patří...
1.8.2008 20:53 deejay | skóre: 2
Rozbalit Rozbalit vše Re: Problem s Firewallom
Noo to je pravda,ze tam nic nemam co sa tyka natu,ale skusal som dopisat do firewallu 

> iptables -A FORWARD -i tap0 -o eth0 -j ACCEPT
> iptables -t nat -A POSTROUTING -s 10.0.1.0/255.255.255.0 -o tap0 -j MASQUERADE 
> iptables -t nat -A POSTROUTING -s 10.0.1.0/255.255.255.0 -o eth0 -j MASQUERADE 
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE 
> iptables -A FORWARD -i tap0 -j ACCEPT
> iptables -A INPUT -i tap0 -j ACCEPT
> iptables -A FORWARD -i eth0 -o tap0 -j ACCEPT

ale aj tak mi ssh nefunguje,ostatne sluzby mam kompletne pristupne z vpn..Ale co je divne,ze sluzby ktore mam vypisane v external services tak vsetky funguju okrem ssh aj napriek tomu ze ho tam mam vypisany...
1.8.2008 22:08 tezkatlipoka | skóre: 35
Rozbalit Rozbalit vše Re: Problem s Firewallom
hrozne blbe se mi to cte, zlatej firewall s jednotlivejma pravidlama. Kazdopadne pokud jsem neprehlidnul nejakej drop, ne predřazené pravidlo o tap ci ssh, tak pravidlo

$IPT -A INPUT -i tap0 -j ACCEPT

by melo povolit vsechno z VPN, nehlede na ostatni pravidla. Jesli ti ostatni sluzby skrz VPN chodej, neni mozne ze je ssh omezeno akorat na nejake rozhrani? Pokud mas dobre routovani, zadnej NAT na VPN nepotrebujes, a pokud jde o pristup na SSH serveru, pravidla pro forward se na tebe nevztahuji.
Vaše řeč budiž ano, ano, ne, ne. Co je nad to, je od ďábla.
3.8.2008 22:33 deejay | skóre: 2
Rozbalit Rozbalit vše Re: Problem s Firewallom
no ale bohuzel ten accept mi nepomohl,sam se tomu cudujem, ked dam pripojenie na ssh tak vypise connection closed by remote host :-( ...Jedine ako sa viem na dany stroj napojit je,ze sa napojim na vpn,potom sa napojim na ssh dalsieho servera v sieti a z neho sa napojim na danu gateway,inak to proste nejde :-(
4.8.2008 08:43 tezkatlipoka | skóre: 35
Rozbalit Rozbalit vše Re: Problem s Firewallom
mas mznost na chvilku schodit celej firewall a nastavit vsechna default na ACCEPT? Jestli je to vubec problem FW.
Vaše řeč budiž ano, ano, ne, ne. Co je nad to, je od ďábla.
3.8.2008 22:44 jirkamailto | skóre: 31
Rozbalit Rozbalit vše Re: Problem s Firewallom
Odpovědět | | Sbalit | Link | Blokovat | Admin
Tohle sice neni odpoved na Vasi otazku, ale jen se zminim, pouzivam firehol, coz je velmi dobry a flexibilni generator pravidel do IPTABLES. Pouzivam vsude a jsem velmi spokojen, http://firehol.sourceforge.net/. Odpadlo me tim psani techto skriptu a pokud potrebuji povolit sluzbu apod, mam to hned. Jen mam trochu problem na debianu s nfs, ze se po restartu serveru firehol nenastartuje, ale myslim, ze je to jen o tom zvolit spravne poradi startovani sluzeb pri startu.
4.8.2008 01:29 Martin Šebek | skóre: 18 | blog: Tady je Indiánovo | Mladá Boleslav
Rozbalit Rozbalit vše Re: Problem s Firewallom
Odpovědět | | Sbalit | Link | Blokovat | Admin
Pošli výpis ip a, ip r a iptables -L INPUT.
12.8.2008 17:57 deejay | skóre: 2
Rozbalit Rozbalit vše Re: Problem s Firewallom
Zdravim a vopred sa ospravedlnujem,ale bol som na dovolenke a teda dlhsiu dobu bez internetu..Posielam vypisy 

> ip a
1: lo: LOOPBACK,UP mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: BROADCAST,MULTICAST,UP mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:10:b5:df:87:1a brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth0
3: eth1: BROADCAST,MULTICAST,UP mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 08:00:09:a9:2e:76 brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.2/24 brd 192.168.3.255 scope global eth1
4: tap0: BROADCAST,MULTICAST,UP mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:ff:ae:4d:75:92 brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.100/24 brd 10.0.1.255 scope global tap0


> ip r
192.168.3.0/24 dev eth1  proto kernel  scope link  src 192.168.3.2 
10.0.1.0/24 dev tap0  proto kernel  scope link  src 10.0.1.100 
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.254 
127.0.0.0/8 dev lo  scope link 
default via 192.168.3.1 dev eth1 
default via 192.168.1.1 dev eth0  metric 1 

> iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination         
acct_int   all  --  anywhere             anywhere            
acct_ext   all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            state INVALID 
DROP       all  --  anywhere            !192.168.3.2         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  localhost            anywhere            
ACCEPT     all  --  192.168.3.2          anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             192.168.3.2         tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             192.168.3.2         tcp dpt:http 
ACCEPT     tcp  --  anywhere             192.168.3.2         tcp dpt:domain 
ACCEPT     tcp  --  anywhere             192.168.3.2         tcp dpt:microsoft-ds 
ACCEPT     tcp  --  anywhere             192.168.3.2         tcp dpt:netbios-ssn 
ACCEPT     tcp  --  anywhere             192.168.3.2         tcp dpt:nfsd 
ACCEPT     tcp  --  anywhere             192.168.3.2         tcp dpt:sunrpc 
ACCEPT     tcp  --  anywhere             192.168.3.2         tcp dpt:831 
ACCEPT     tcp  --  anywhere             192.168.3.2         tcp dpt:kpasswd 
ACCEPT     tcp  --  anywhere             192.168.3.2         tcp dpt:946 
ACCEPT     tcp  --  anywhere             192.168.3.2         tcp dpt:1629 
ACCEPT     tcp  --  anywhere             192.168.3.2         tcp dpt:1194 
ACCEPT     udp  --  anywhere             192.168.3.2         udp dpt:ssh 
ACCEPT     udp  --  anywhere             192.168.3.2         udp dpt:http 
ACCEPT     udp  --  anywhere             192.168.3.2         udp dpt:domain 
ACCEPT     udp  --  anywhere             192.168.3.2         udp dpt:microsoft-ds 
ACCEPT     udp  --  anywhere             192.168.3.2         udp dpt:netbios-ssn 
ACCEPT     udp  --  anywhere             192.168.3.2         udp dpt:nfsd 
ACCEPT     udp  --  anywhere             192.168.3.2         udp dpt:sunrpc 
ACCEPT     udp  --  anywhere             192.168.3.2         udp dpt:831 
ACCEPT     udp  --  anywhere             192.168.3.2         udp dpt:rxe 
ACCEPT     udp  --  anywhere             192.168.3.2         udp dpt:946 
ACCEPT     udp  --  anywhere             192.168.3.2         udp dpt:1629 
ACCEPT     udp  --  anywhere             192.168.3.2         udp dpt:1194 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:10000 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:1194 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:http 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ssh 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:1194 
ACCEPT     all  --  anywhere             anywhere
13.8.2008 07:57 devicebusy | skóre: 2
Rozbalit Rozbalit vše Re: Problem s Firewallom
Ahoj, skus spravit netstat -nta a pozriet sa ci vobec ssh napocuva na spravnom porte. Resp este kukni ps aux | grep ssh ci vobec bezi. BTW - ssh na UDP - hmm?
13.8.2008 08:04 devicebusy | skóre: 2
Rozbalit Rozbalit vše Re: Problem s Firewallom
Esta ma napadla vec - ci ssh nieje nahodou zablokovane v tichto retazcoch (aj ked to je asi accounting ale predsa..)

acct_int all -- anywhere anywhere acct_ext all -- anywhere anywhere

Skus pastnut sem vypis

ps aux | grep ssh netstat -nta | grep LIST iptables -nvL acct_int iptables -nvL acct_ext
13.8.2008 08:06 devicebusy | skóre: 2
Rozbalit Rozbalit vše Re: Problem s Firewallom
Pardon, tak to bude citatelne
ps aux | grep ssh
netstat -nta | grep LIST
iptables -nvL acct_int
iptables -nvL acct_ext
13.8.2008 18:32 deejay | skóre: 2
Rozbalit Rozbalit vše Re: Problem s Firewallom
No sshd demon mi bezi,tomu som si na 100% isty,kedze sa na ssh bezne pripojim z LAN pripajam ale vypisy ....co sa tyka acct_int a acct_ext tak to su iba chainy na prenesene data pre jednotlive IP...Pozeral som aj konfigurak pre sshd demon,ci to nie je tam obmedzene ale je to vsetko v poriadku..Dokazom je aj to,ze ked zhodim firewall a dam default vsetko na ACCEPT tak sa na ssh pripojim z netu bez problemov..Nooo ssh na udp nebezi,ale uz som bol bezmocny a snazil som sa prehovorit sshd na udp :-) 
> netstat -nta | grep LIST 
tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN     
tcp        0      0 10.0.1.100:53           0.0.0.0:*               LISTEN     
tcp        0      0 192.168.3.2:53          0.0.0.0:*               LISTEN     
tcp        0      0 192.168.1.254:53        0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN     
> iptables -nvL acct_int 
Chain acct_int (4 references)
 pkts bytes target     prot opt in     out     source               destination         
 2237  157K            tcp  --  *      *       192.168.1.100        0.0.0.0/0           
 2279  332K            tcp  --  *      *       0.0.0.0/0            192.168.1.100       
14343  949K            udp  --  *      *       192.168.1.100        0.0.0.0/0           
  434  119K            udp  --  *      *       0.0.0.0/0            192.168.1.100       
   96  9120            icmp --  *      *       192.168.1.100        0.0.0.0/0           
   60  4704            icmp --  *      *       0.0.0.0/0            192.168.1.100       
16676 1115K            all  --  *      *       192.168.1.100        0.0.0.0/0           
 2773  456K            all  --  *      *       0.0.0.0/0            192.168.1.100       
 2177  152K            tcp  --  *      *       192.168.1.101        0.0.0.0/0           
 2218  328K            tcp  --  *      *       0.0.0.0/0            192.168.1.101       
55196 3555K            udp  --  *      *       192.168.1.101        0.0.0.0/0           
  434  119K            udp  --  *      *       0.0.0.0/0            192.168.1.101       
   96  9120            icmp --  *      *       192.168.1.101        0.0.0.0/0           
  360 21504            icmp --  *      *       0.0.0.0/0            192.168.1.101       
57469 3717K            all  --  *      *       192.168.1.101        0.0.0.0/0           
 3012  468K            all  --  *      *       0.0.0.0/0            192.168.1.101       
    0     0            tcp  --  *      *       192.168.1.102        0.0.0.0/0           
    0     0            tcp  --  *      *       0.0.0.0/0            192.168.1.102       
    0     0            udp  --  *      *       192.168.1.102        0.0.0.0/0           
    0     0            udp  --  *      *       0.0.0.0/0            192.168.1.102       
    0     0            icmp --  *      *       192.168.1.102        0.0.0.0/0           
   48  4032            icmp --  *      *       0.0.0.0/0            192.168.1.102       
    0     0            all  --  *      *       192.168.1.102        0.0.0.0/0           
   48  4032            all  --  *      *       0.0.0.0/0            192.168.1.102       
    0     0            tcp  --  *      *       192.168.1.103        0.0.0.0/0           
    0     0            tcp  --  *      *       0.0.0.0/0            192.168.1.103       
    0     0            udp  --  *      *       192.168.1.103        0.0.0.0/0           
    0     0            udp  --  *      *       0.0.0.0/0            192.168.1.103       
    0     0            icmp --  *      *       192.168.1.103        0.0.0.0/0           
   48  4032            icmp --  *      *       0.0.0.0/0            192.168.1.103       
    0     0            all  --  *      *       192.168.1.103        0.0.0.0/0           
   48  4032            all  --  *      *       0.0.0.0/0            192.168.1.103       
 2186  153K            tcp  --  *      *       192.168.1.104        0.0.0.0/0           
 2222  328K            tcp  --  *      *       0.0.0.0/0            192.168.1.104       
78248 5139K            udp  --  *      *       192.168.1.104        0.0.0.0/0           
  434  119K            udp  --  *      *       0.0.0.0/0            192.168.1.104       
   96  9120            icmp --  *      *       192.168.1.104        0.0.0.0/0           
  163 10472            icmp --  *      *       0.0.0.0/0            192.168.1.104       
80530 5301K            all  --  *      *       192.168.1.104        0.0.0.0/0           
 2819  458K            all  --  *      *       0.0.0.0/0            192.168.1.104       
    0     0            tcp  --  *      *       192.168.1.117        0.0.0.0/0           
    0     0            tcp  --  *      *       0.0.0.0/0            192.168.1.117       
    0     0            udp  --  *      *       192.168.1.117        0.0.0.0/0           
    0     0            udp  --  *      *       0.0.0.0/0            192.168.1.117       
    0     0            icmp --  *      *       192.168.1.117        0.0.0.0/0           
   48  4032            icmp --  *      *       0.0.0.0/0            192.168.1.117       
    0     0            all  --  *      *       192.168.1.117        0.0.0.0/0           
   48  4032            all  --  *      *       0.0.0.0/0            192.168.1.117       
15034 2226K            tcp  --  *      *       192.168.1.118        0.0.0.0/0           
23042   27M            tcp  --  *      *       0.0.0.0/0            192.168.1.118       
  814 84836            udp  --  *      *       192.168.1.118        0.0.0.0/0           
  385 90917            udp  --  *      *       0.0.0.0/0            192.168.1.118       
    2   168            icmp --  *      *       192.168.1.118        0.0.0.0/0           
   63  6506            icmp --  *      *       0.0.0.0/0            192.168.1.118       
15850 2311K            all  --  *      *       192.168.1.118        0.0.0.0/0           
23490   28M            all  --  *      *       0.0.0.0/0            192.168.1.118       
    0     0            tcp  --  *      *       192.168.1.119        0.0.0.0/0           
    0     0            tcp  --  *      *       0.0.0.0/0            192.168.1.119       
    0     0            udp  --  *      *       192.168.1.119        0.0.0.0/0           
    0     0            udp  --  *      *       0.0.0.0/0            192.168.1.119       
    0     0            icmp --  *      *       192.168.1.119        0.0.0.0/0           
   48  4032            icmp --  *      *       0.0.0.0/0            192.168.1.119       
    0     0            all  --  *      *       192.168.1.119        0.0.0.0/0           
   48  4032            all  --  *      *       0.0.0.0/0            192.168.1.119       
    0     0            tcp  --  *      *       192.168.1.120        0.0.0.0/0           
    0     0            tcp  --  *      *       0.0.0.0/0            192.168.1.120       
    0     0            udp  --  *      *       192.168.1.120        0.0.0.0/0           
    0     0            udp  --  *      *       0.0.0.0/0            192.168.1.120       
    0     0            icmp --  *      *       192.168.1.120        0.0.0.0/0           
   48  4032            icmp --  *      *       0.0.0.0/0            192.168.1.120       
    0     0            all  --  *      *       192.168.1.120        0.0.0.0/0           
   48  4032            all  --  *      *       0.0.0.0/0            192.168.1.120       
    0     0            tcp  --  *      *       192.168.1.121        0.0.0.0/0           
    0     0            tcp  --  *      *       0.0.0.0/0            192.168.1.121       
    0     0            udp  --  *      *       192.168.1.121        0.0.0.0/0           
    0     0            udp  --  *      *       0.0.0.0/0            192.168.1.121       
    0     0            icmp --  *      *       192.168.1.121        0.0.0.0/0           
   48  4032            icmp --  *      *       0.0.0.0/0            192.168.1.121       
    0     0            all  --  *      *       192.168.1.121        0.0.0.0/0           
   48  4032            all  --  *      *       0.0.0.0/0            192.168.1.121       
    0     0            tcp  --  *      *       192.168.1.122        0.0.0.0/0           
    0     0            tcp  --  *      *       0.0.0.0/0            192.168.1.122       
    0     0            udp  --  *      *       192.168.1.122        0.0.0.0/0           
    0     0            udp  --  *      *       0.0.0.0/0            192.168.1.122       
    0     0            icmp --  *      *       192.168.1.122        0.0.0.0/0           
   48  4032            icmp --  *      *       0.0.0.0/0            192.168.1.122       
    0     0            all  --  *      *       192.168.1.122        0.0.0.0/0           
   48  4032            all  --  *      *       0.0.0.0/0            192.168.1.122       
87226   10M            tcp  --  *      *       192.168.1.123        0.0.0.0/0           
 109K  101M            tcp  --  *      *       0.0.0.0/0            192.168.1.123       
 1278  151K            udp  --  *      *       192.168.1.123        0.0.0.0/0           
  726  279K            udp  --  *      *       0.0.0.0/0            192.168.1.123       
   21  1708            icmp --  *      *       192.168.1.123        0.0.0.0/0           
   48  4032            icmp --  *      *       0.0.0.0/0            192.168.1.123       
88525   11M            all  --  *      *       192.168.1.123        0.0.0.0/0           
 110K  101M            all  --  *      *       0.0.0.0/0            192.168.1.123       
    0     0            tcp  --  *      *       192.168.1.124        0.0.0.0/0           
    0     0            tcp  --  *      *       0.0.0.0/0            192.168.1.124       
    0     0            udp  --  *      *       192.168.1.124        0.0.0.0/0           
    0     0            udp  --  *      *       0.0.0.0/0            192.168.1.124       
    0     0            icmp --  *      *       192.168.1.124        0.0.0.0/0           
   48  4032            icmp --  *      *       0.0.0.0/0            192.168.1.124       
    0     0            all  --  *      *       192.168.1.124        0.0.0.0/0           
   48  4032            all  --  *      *       0.0.0.0/0            192.168.1.124       
> iptables -nvL acct_ext 
Chain acct_ext (4 references)
 pkts bytes target     prot opt in     out     source               destination
14.8.2008 13:54 devicebusy | skóre: 2
Rozbalit Rozbalit vše Re: Problem s Firewallom
Este otazka - ked sa pripajaz cez VPN - na aku adresu? Lebo ak na adresu VPN iface tak to ti samozrejme nepojde kvoli pravidlu:
DROP all -- anywhere !192.168.3.2
Ak sa pripajas na 192.168.3.2 - mozes poslat sem lokalnu routovaciu tabulku? Este jedna vec - pls daj vystup
iptables -nvL
lebo nevidim rozhrania tabulkach na ktorych to filtruje.
Cakaaaam.... :)
15.8.2008 18:15 deejay | skóre: 2
Rozbalit Rozbalit vše Re: Problem s Firewallom
Zdravim,takze ked sa pripajam na VPN skusal som ssh jak na 10.0.1.100,co je adresa tap0 rozhrania,skusal som i 192.168.3.2,co je adresa rozhrania eth0 a skusal som i 192.168.1.254,co je adresa rozhrania eth1, ale na vsetkych tie iste hlasky...Posielam teda vypis ;-) 
> iptables -nvL
Chain INPUT (policy DROP 17098 packets, 1602K bytes)
 pkts bytes target     prot opt in     out     source               destination         
24672 2070K acct_int   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
46374 4396K acct_ext   all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           state INVALID 
 2755 77140 DROP       all  --  eth1   *       0.0.0.0/0           !192.168.3.2         
 3908  823K ACCEPT     all  --  tap0   *       0.0.0.0/0            0.0.0.0/0           
22651 1742K ACCEPT     all  --  lo     *       127.0.0.1            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       192.168.3.2          0.0.0.0/0           
51610 9430K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
   12   672 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            192.168.3.2         tcp dpt:22 
  141  8156 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            192.168.3.2         tcp dpt:80 
    1    48 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            192.168.3.2         tcp dpt:53 
 1816  124K ACCEPT     tcp  --  eth1   *       0.0.0.0/0            192.168.3.2         tcp dpt:445 
  362 16248 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            192.168.3.2         tcp dpt:139 
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            192.168.3.2         tcp dpt:2049 
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            192.168.3.2         tcp dpt:111 
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            192.168.3.2         tcp dpt:831 
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            192.168.3.2         tcp dpt:761 
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            192.168.3.2         tcp dpt:946 
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            192.168.3.2         tcp dpt:1629 
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            192.168.3.2         tcp dpt:1194 
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            192.168.3.2         udp dpt:22 
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            192.168.3.2         udp dpt:80 
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            192.168.3.2         udp dpt:53 
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            192.168.3.2         udp dpt:445 
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            192.168.3.2         udp dpt:139 
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            192.168.3.2         udp dpt:2049 
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            192.168.3.2         udp dpt:111 
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            192.168.3.2         udp dpt:831 
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            192.168.3.2         udp dpt:761 
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            192.168.3.2         udp dpt:946 
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            192.168.3.2         udp dpt:1629 
    3   126 ACCEPT     udp  --  eth1   *       0.0.0.0/0            192.168.3.2         udp dpt:1194 
   81  3888 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53 
    1    52 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67 
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:10000 
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:110 
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1194 
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:80 
 2982  180K ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:22 
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:67 
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194 
    0     0 ACCEPT     all  --  tap0   *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 69285 packets, 4551K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 300K  299M acct_int   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
 495K   43M acct_int   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 acct_ext   all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
    0     0 acct_ext   all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 509K  326M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
 4000  513K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
  188 11245 ACCEPT     all  --  tap0   eth1    0.0.0.0/0            0.0.0.0/0           
  776 46560 ACCEPT     tcp  --  eth0   eth1    192.168.1.100        0.0.0.0/0           multiport dports 80 
    0     0 ACCEPT     udp  --  eth0   eth1    192.168.1.100        0.0.0.0/0           multiport dports 80 
  775 46500 ACCEPT     tcp  --  eth0   eth1    192.168.1.101        0.0.0.0/0           multiport dports 80 
    0     0 ACCEPT     udp  --  eth0   eth1    192.168.1.101        0.0.0.0/0           multiport dports 80 
    0     0 ACCEPT     tcp  --  eth0   eth1    192.168.1.102        0.0.0.0/0           multiport dports 80 
    0     0 ACCEPT     udp  --  eth0   eth1    192.168.1.102        0.0.0.0/0           multiport dports 80 
    0     0 ACCEPT     tcp  --  eth0   eth1    192.168.1.103        0.0.0.0/0           multiport dports 80 
    0     0 ACCEPT     udp  --  eth0   eth1    192.168.1.103        0.0.0.0/0           multiport dports 80 
  770 46200 ACCEPT     tcp  --  eth0   eth1    192.168.1.104        0.0.0.0/0           multiport dports 80 
    0     0 ACCEPT     udp  --  eth0   eth1    192.168.1.104        0.0.0.0/0           multiport dports 80 
 210K   14M ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  eth0   tap0    0.0.0.0/0            0.0.0.0/0           
   59  3588 ACCEPT     all  --  tap0   eth0    0.0.0.0/0            0.0.0.0/0           
    7   588 ACCEPT     all  --  eth1   tap0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  eth0   eth1    192.168.1.118        0.0.0.0/0           multiport dports 80,443,5190,22,110,995,143,993,25,465,1194,139 
    0     0 ACCEPT     tcp  --  eth0   eth1    192.168.1.118        0.0.0.0/0           multiport dports 6669,21,20,990,989,873,5060,1194 
    0     0 ACCEPT     udp  --  eth0   eth1    192.168.1.118        0.0.0.0/0           multiport dports 80,443,5190,22,110,995,143,993,25,465,1194,139 
    0     0 ACCEPT     udp  --  eth0   eth1    192.168.1.118        0.0.0.0/0           multiport dports 6669,21,20,990,989,873,5060,1194 
    0     0 ACCEPT     tcp  --  eth0   eth1    192.168.1.118        0.0.0.0/0           multiport dports 5222,5223 
    0     0 ACCEPT     udp  --  eth0   eth1    192.168.1.118        0.0.0.0/0           multiport dports 5222,5223 
    0     0 ACCEPT     tcp  --  eth0   eth1    192.168.1.123        0.0.0.0/0           multiport dports 80,443,5190,22,110,995,143,993,25,465,1194,139 
    0     0 ACCEPT     tcp  --  eth0   eth1    192.168.1.123        0.0.0.0/0           multiport dports 6669,21,20,990,989,873,5060,1194 
    0     0 ACCEPT     udp  --  eth0   eth1    192.168.1.123        0.0.0.0/0           multiport dports 80,443,5190,22,110,995,143,993,25,465,1194,139 
    0     0 ACCEPT     udp  --  eth0   eth1    192.168.1.123        0.0.0.0/0           multiport dports 6669,21,20,990,989,873,5060,1194 
    0     0 ACCEPT     tcp  --  eth0   eth1    192.168.1.123        0.0.0.0/0           multiport dports 5222,5223 
    0     0 ACCEPT     udp  --  eth0   eth1    192.168.1.123        0.0.0.0/0           multiport dports 5222,5223 

Chain OUTPUT (policy ACCEPT 111K packets, 20M bytes)
 pkts bytes target     prot opt in     out     source               destination         
35162 4740K acct_int   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
46374 4396K acct_ext   all  --  *      lo      0.0.0.0/0            0.0.0.0/0           

Chain acct_ext (4 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain acct_int (4 references)
 pkts bytes target     prot opt in     out     source               destination         
 4448  311K            tcp  --  *      *       192.168.1.100        0.0.0.0/0           
 4524  663K            tcp  --  *      *       0.0.0.0/0            192.168.1.100       
74635 4925K            udp  --  *      *       192.168.1.100        0.0.0.0/0           
  864  327K            udp  --  *      *       0.0.0.0/0            192.168.1.100       
  191 18134            icmp --  *      *       192.168.1.100        0.0.0.0/0           
  207 14280            icmp --  *      *       0.0.0.0/0            192.168.1.100       
79274 5254K            all  --  *      *       192.168.1.100        0.0.0.0/0           
 5595 1004K            all  --  *      *       0.0.0.0/0            192.168.1.100       
 4345  304K            tcp  --  *      *       192.168.1.101        0.0.0.0/0           
 4421  655K            tcp  --  *      *       0.0.0.0/0            192.168.1.101       
63342 4079K            udp  --  *      *       192.168.1.101        0.0.0.0/0           
  864  327K            udp  --  *      *       0.0.0.0/0            192.168.1.101       
  192 18240            icmp --  *      *       192.168.1.101        0.0.0.0/0           
  444 27552            icmp --  *      *       0.0.0.0/0            192.168.1.101       
67879 4401K            all  --  *      *       192.168.1.101        0.0.0.0/0           
 5729 1009K            all  --  *      *       0.0.0.0/0            192.168.1.101       
    0     0            tcp  --  *      *       192.168.1.102        0.0.0.0/0           
    0     0            tcp  --  *      *       0.0.0.0/0            192.168.1.102       
    0     0            udp  --  *      *       192.168.1.102        0.0.0.0/0           
    0     0            udp  --  *      *       0.0.0.0/0            192.168.1.102       
    0     0            icmp --  *      *       192.168.1.102        0.0.0.0/0           
   96  8064            icmp --  *      *       0.0.0.0/0            192.168.1.102       
    0     0            all  --  *      *       192.168.1.102        0.0.0.0/0           
   96  8064            all  --  *      *       0.0.0.0/0            192.168.1.102       
    0     0            tcp  --  *      *       192.168.1.103        0.0.0.0/0           
    0     0            tcp  --  *      *       0.0.0.0/0            192.168.1.103       
    0     0            udp  --  *      *       192.168.1.103        0.0.0.0/0           
    0     0            udp  --  *      *       0.0.0.0/0            192.168.1.103       
    0     0            icmp --  *      *       192.168.1.103        0.0.0.0/0           
   96  8064            icmp --  *      *       0.0.0.0/0            192.168.1.103       
    0     0            all  --  *      *       192.168.1.103        0.0.0.0/0           
   96  8064            all  --  *      *       0.0.0.0/0            192.168.1.103       
 4341  304K            tcp  --  *      *       192.168.1.104        0.0.0.0/0           
 4422  655K            tcp  --  *      *       0.0.0.0/0            192.168.1.104       
 131K 8595K            udp  --  *      *       192.168.1.104        0.0.0.0/0           
  864  327K            udp  --  *      *       0.0.0.0/0            192.168.1.104       
  192 18240            icmp --  *      *       192.168.1.104        0.0.0.0/0           
  450 27888            icmp --  *      *       0.0.0.0/0            192.168.1.104       
 135K 8917K            all  --  *      *       192.168.1.104        0.0.0.0/0           
 5736 1010K            all  --  *      *       0.0.0.0/0            192.168.1.104       
    0     0            tcp  --  *      *       192.168.1.117        0.0.0.0/0           
    0     0            tcp  --  *      *       0.0.0.0/0            192.168.1.117       
    0     0            udp  --  *      *       192.168.1.117        0.0.0.0/0           
    0     0            udp  --  *      *       0.0.0.0/0            192.168.1.117       
    0     0            icmp --  *      *       192.168.1.117        0.0.0.0/0           
   96  8064            icmp --  *      *       0.0.0.0/0            192.168.1.117       
    0     0            all  --  *      *       192.168.1.117        0.0.0.0/0           
   96  8064            all  --  *      *       0.0.0.0/0            192.168.1.117       
25861 3831K            tcp  --  *      *       192.168.1.118        0.0.0.0/0           
40112   47M            tcp  --  *      *       0.0.0.0/0            192.168.1.118       
 3723  448K            udp  --  *      *       192.168.1.118        0.0.0.0/0           
 2571  412K            udp  --  *      *       0.0.0.0/0            192.168.1.118       
    3   252            icmp --  *      *       192.168.1.118        0.0.0.0/0           
  135 12534            icmp --  *      *       0.0.0.0/0            192.168.1.118       
29587 4280K            all  --  *      *       192.168.1.118        0.0.0.0/0           
42818   48M            all  --  *      *       0.0.0.0/0            192.168.1.118       
    0     0            tcp  --  *      *       192.168.1.119        0.0.0.0/0           
    0     0            tcp  --  *      *       0.0.0.0/0            192.168.1.119       
    0     0            udp  --  *      *       192.168.1.119        0.0.0.0/0           
    0     0            udp  --  *      *       0.0.0.0/0            192.168.1.119       
    0     0            icmp --  *      *       192.168.1.119        0.0.0.0/0           
   96  8064            icmp --  *      *       0.0.0.0/0            192.168.1.119       
    0     0            all  --  *      *       192.168.1.119        0.0.0.0/0           
   96  8064            all  --  *      *       0.0.0.0/0            192.168.1.119       
    0     0            tcp  --  *      *       192.168.1.120        0.0.0.0/0           
    0     0            tcp  --  *      *       0.0.0.0/0            192.168.1.120       
    0     0            udp  --  *      *       192.168.1.120        0.0.0.0/0           
    0     0            udp  --  *      *       0.0.0.0/0            192.168.1.120       
    0     0            icmp --  *      *       192.168.1.120        0.0.0.0/0           
   96  8064            icmp --  *      *       0.0.0.0/0            192.168.1.120       
    0     0            all  --  *      *       192.168.1.120        0.0.0.0/0           
   96  8064            all  --  *      *       0.0.0.0/0            192.168.1.120       
    0     0            tcp  --  *      *       192.168.1.121        0.0.0.0/0           
    0     0            tcp  --  *      *       0.0.0.0/0            192.168.1.121       
    0     0            udp  --  *      *       192.168.1.121        0.0.0.0/0           
    0     0            udp  --  *      *       0.0.0.0/0            192.168.1.121       
    0     0            icmp --  *      *       192.168.1.121        0.0.0.0/0           
   96  8064            icmp --  *      *       0.0.0.0/0            192.168.1.121       
    0     0            all  --  *      *       192.168.1.121        0.0.0.0/0           
   96  8064            all  --  *      *       0.0.0.0/0            192.168.1.121       
    0     0            tcp  --  *      *       192.168.1.122        0.0.0.0/0           
    0     0            tcp  --  *      *       0.0.0.0/0            192.168.1.122       
    0     0            udp  --  *      *       192.168.1.122        0.0.0.0/0           
    0     0            udp  --  *      *       0.0.0.0/0            192.168.1.122       
    0     0            icmp --  *      *       192.168.1.122        0.0.0.0/0           
   96  8064            icmp --  *      *       0.0.0.0/0            192.168.1.122       
    0     0            all  --  *      *       192.168.1.122        0.0.0.0/0           
   96  8064            all  --  *      *       0.0.0.0/0            192.168.1.122       
 188K   20M            tcp  --  *      *       192.168.1.123        0.0.0.0/0           
 245K  250M            tcp  --  *      *       0.0.0.0/0            192.168.1.123       
 2924  354K            udp  --  *      *       192.168.1.123        0.0.0.0/0           
 1614  671K            udp  --  *      *       0.0.0.0/0            192.168.1.123       
   42  3444            icmp --  *      *       192.168.1.123        0.0.0.0/0           
   96  8064            icmp --  *      *       0.0.0.0/0            192.168.1.123       
 191K   21M            all  --  *      *       192.168.1.123        0.0.0.0/0           
 247K  251M            all  --  *      *       0.0.0.0/0            192.168.1.123       
    0     0            tcp  --  *      *       192.168.1.124        0.0.0.0/0           
    0     0            tcp  --  *      *       0.0.0.0/0            192.168.1.124       
    0     0            udp  --  *      *       192.168.1.124        0.0.0.0/0           
    0     0            udp  --  *      *       0.0.0.0/0            192.168.1.124       
    0     0            icmp --  *      *       192.168.1.124        0.0.0.0/0           
   96  8064            icmp --  *      *       0.0.0.0/0            192.168.1.124       
    0     0            all  --  *      *       192.168.1.124        0.0.0.0/0           
   96  8064            all  --  *      *       0.0.0.0/0            192.168.1.124

a routrovacia tabulka 

> route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 tap0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.3.1     0.0.0.0         UG    0      0        0 eth1
0.0.0.0         192.168.1.1     0.0.0.0         UG    1      0        0 eth0
16.8.2008 08:39 devicebusy | skóre: 2
Rozbalit Rozbalit vše Re: Problem s Firewallom
Jee, uz som in.
Hm, no pravidla vypadaju byt ok, skus spustit tcpdump -i tap0 -nv na smerovaci a skus sa pripoit na SSH cez VPN (asi budes musit to spravit z intranetu az mas pristup na ssh) - a pozri ake chodia pakety (mozes aj pastnut sem).
BWT - som sa zle vyjadril v prechadzajucom poste - lokalnu routovaciu tabulku na VPN kliente ked si pripojeny na VPN.
Este jedna vec - na konci tabuliek INPUT a FORWARD v firewalle docasne pridaj logovanie:
$IPT -A INPUT -j LOG --log-prefix "IN DROP: "
$IPT -A FORWARD -j LOG --log-prefix "FWD DROP: "
- bude podstatne jednoduchsy troubleshooting. (tail -f /var/log/messages)
17.8.2008 09:01 deejay | skóre: 2
Rozbalit Rozbalit vše Re: Problem s Firewallom
Zdravim,takze posielam moju lokalnu routrovaciu tabulku 

>route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
91.127.61.32    10.0.0.138      255.255.255.255 UGH   0      0        0 eth1
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 tap0
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 tap0
este dodam,ze pripajam sa z internetu,tak preto ta divna destinacia ( O2 ;-)

Pridavam vypisy tcpdump,tie divne pripajania na port 10000 su na webmin ;-) 

07:50:08.995586 IP (tos 0x0, ttl  64, id 16636, offset 0, flags [DF], proto: TCP (6), length: 52) 10.0.1.1.43004 > 192.168.1.254.10000: F, cksum 0x2b40 (correct), 13315:13315(0) ack 17233 win 1347 nop,nop,timestamp 8863345 48110677
07:50:08.995692 IP (tos 0x0, ttl  64, id 42488, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.1.254.10000 > 10.0.1.1.43004: ., cksum 0x9f80 (correct), ack 13316 win 37100 nop,nop,timestamp 48110699 8863345
07:50:25.096541 IP (tos 0x0, ttl  64, id 27071, offset 0, flags [DF], proto: TCP (6), length: 60) 10.0.1.1.37890 > 192.168.1.254.22: S, cksum 0x00da (correct), 1512908695:1512908695(0) win 5488 mss 1337,sackOK,timestamp 8867368 0,nop,wscale 5
07:50:25.096645 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) 192.168.1.254.22 > 10.0.1.1.37890: S, cksum 0x92dc (correct), 1356723669:1356723669(0) ack 1512908696 win 5792 mss 1460,sackOK,timestamp 48112309 8867368,nop,wscale 0
07:50:25.185012 IP (tos 0x0, ttl  64, id 27072, offset 0, flags [DF], proto: TCP (6), length: 52) 10.0.1.1.37890 > 192.168.1.254.22: ., cksum 0xd77f (correct), ack 1 win 172 nop,nop,timestamp 8867390 48112309
07:50:30.661216 IP (tos 0x0, ttl  64, id 55144, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.1.254.22 > 10.0.1.1.37890: F, cksum 0xbf5d (correct), 1:1(0) ack 1 win 5792 nop,nop,timestamp 48112866 8867390
07:50:30.750848 IP (tos 0x0, ttl  64, id 27073, offset 0, flags [DF], proto: TCP (6), length: 52) 10.0.1.1.37890 > 192.168.1.254.22: F, cksum 0xcfe2 (correct), 1:1(0) ack 2 win 172 nop,nop,timestamp 8868780 48112866
07:50:30.750963 IP (tos 0x0, ttl  64, id 55145, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.1.254.22 > 10.0.1.1.37890: ., cksum 0xb9e5 (correct), ack 2 win 5792 nop,nop,timestamp 48112875 8868780
07:50:37.346161 IP (tos 0x0, ttl  64, id 7346, offset 0, flags [DF], proto: TCP (6), length: 60) 10.0.1.1.46011 > 192.168.3.2.22: S, cksum 0xa998 (correct), 1705395886:1705395886(0) win 5488 mss 1337,sackOK,timestamp 8870428 0,nop,wscale 5
07:50:37.346321 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) 192.168.3.2.22 > 10.0.1.1.46011: S, cksum 0xa891 (correct), 1361937350:1361937350(0) ack 1705395887 win 5792 mss 1460,sackOK,timestamp 48113534 8870428,nop,wscale 0
07:50:37.435479 IP (tos 0x0, ttl  64, id 7347, offset 0, flags [DF], proto: TCP (6), length: 52) 10.0.1.1.46011 > 192.168.3.2.22: ., cksum 0xed33 (correct), ack 1 win 172 nop,nop,timestamp 8870451 48113534
07:50:42.471158 IP (tos 0x0, ttl  64, id 42048, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.3.2.22 > 10.0.1.1.46011: F, cksum 0xd53d (correct), 1:1(0) ack 1 win 5792 nop,nop,timestamp 48114047 8870451
07:50:42.563147 IP (tos 0x0, ttl  64, id 7348, offset 0, flags [DF], proto: TCP (6), length: 52) 10.0.1.1.46011 > 192.168.3.2.22: F, cksum 0xe62f (correct), 1:1(0) ack 2 win 172 nop,nop,timestamp 8871732 48114047
07:50:42.563230 IP (tos 0x0, ttl  64, id 42049, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.3.2.22 > 10.0.1.1.46011: ., cksum 0xd032 (correct), ack 2 win 5792 nop,nop,timestamp 48114056 8871732
07:50:48.033087 IP (tos 0x0, ttl  64, id 27329, offset 0, flags [DF], proto: TCP (6), length: 60) 10.0.1.1.38552 > 10.0.1.100.22: S, cksum 0xa3a7 (correct), 1861619275:1861619275(0) win 5488 mss 1337,sackOK,timestamp 8873098 0,nop,wscale 5
07:50:48.033232 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) 10.0.1.100.22 > 10.0.1.1.38552: S, cksum 0xb49f (correct), 1371958529:1371958529(0) ack 1861619276 win 5792 mss 1460,sackOK,timestamp 48114603 8873098,nop,wscale 0
07:50:48.122791 IP (tos 0x0, ttl  64, id 27330, offset 0, flags [DF], proto: TCP (6), length: 52) 10.0.1.1.38552 > 10.0.1.100.22: ., cksum 0xf941 (correct), ack 1 win 172 nop,nop,timestamp 8873121 48114603
07:50:53.151075 IP (tos 0x0, ttl  64, id 18102, offset 0, flags [DF], proto: TCP (6), length: 52) 10.0.1.100.22 > 10.0.1.1.38552: F, cksum 0xe14c (correct), 1:1(0) ack 1 win 5792 nop,nop,timestamp 48115115 8873121
07:50:53.241263 IP (tos 0x0, ttl  64, id 27331, offset 0, flags [DF], proto: TCP (6), length: 52) 10.0.1.1.38552 > 10.0.1.100.22: F, cksum 0xf240 (correct), 1:1(0) ack 2 win 172 nop,nop,timestamp 8874400 48115115
07:50:53.241316 IP (tos 0x0, ttl  64, id 18103, offset 0, flags [DF], proto: TCP (6), length: 52) 10.0.1.100.22 > 10.0.1.1.38552: ., cksum 0xdc43 (correct), ack 2 win 5792 nop,nop,timestamp 48115124 8874400
07:51:06.637279 IP (tos 0x0, ttl  64, id 30388, offset 0, flags [DF], proto: UDP (17), length: 58) 10.0.1.1.36934 > 10.0.1.100.53:  394+ A? www.danet.sk. (30)
07:51:06.638095 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 108) 10.0.1.100.53 > 10.0.1.1.36934:  394* 2/1/0 www.danet.sk. CNAME horus.danet.sk., horus.danet.sk. (80)
07:51:06.726574 IP (tos 0x0, ttl  64, id 52135, offset 0, flags [DF], proto: TCP (6), length: 60) 10.0.1.1.43008 > 192.168.1.254.10000: S, cksum 0xe0c8 (correct), 2160967021:2160967021(0) win 5488 mss 1337,sackOK,timestamp 8877770 0,nop,wscale 5
07:51:06.726683 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) 192.168.1.254.10000 > 10.0.1.1.43008: S, cksum 0x3df1 (correct), 1414600441:1414600441(0) ack 2160967022 win 5792 mss 1460,sackOK,timestamp 48116472 8877770,nop,wscale 0
a nakoniec log z firewallu 

Aug 17 07:49:54 horus kernel: IN DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:c5:72:60:5e:08:00 SRC=192.168.1.3 DST=192.168.1.255 LEN=72 TOS=0x00 PREC=0x00 TTL=1 ID=19198 PROTO=UDP SPT=520 DPT=520 LEN=52 
Aug 17 07:50:24 horus kernel: IN DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:c5:72:60:5e:08:00 SRC=192.168.1.3 DST=192.168.1.255 LEN=72 TOS=0x00 PREC=0x00 TTL=1 ID=19199 PROTO=UDP SPT=520 DPT=520 LEN=52 
Aug 17 07:50:25 horus sshd[8927]: refused connect from 10.0.1.1 (10.0.1.1)
Aug 17 07:50:37 horus sshd[8952]: refused connect from 10.0.1.1 (10.0.1.1)
Aug 17 07:50:37 horus kernel: FWD DROP: IN=eth1 OUT=eth0 SRC=87.197.246.186 DST=192.168.1.104 LEN=56 TOS=0x00 PREC=0xC0 TTL=249 ID=2696 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.104 DST=172.16.1.1 LEN=72 TOS=0x00 PREC=0x00 TTL=57 ID=52077 DF PROTO=UDP SPT=3111 DPT=28007 LEN=52 ] 
Aug 17 07:50:48 horus sshd[8971]: refused connect from 10.0.1.1 (10.0.1.1)
Aug 17 07:50:54 horus kernel: IN DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:c5:72:60:5e:08:00 SRC=192.168.1.3 DST=192.168.1.255 LEN=72 TOS=0x00 PREC=0x00 TTL=1 ID=19200 PROTO=UDP SPT=520 DPT=520 LEN=52 
Aug 17 07:51:24 horus kernel: IN DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:c5:72:60:5e:08:00 SRC=192.168.1.3 DST=192.168.1.255 LEN=72 TOS=0x00 PREC=0x00 TTL=1 ID=19201 PROTO=UDP SPT=520 DPT=520 LEN=52 
Aug 17 07:51:27 horus kernel: IN DROP: IN=eth1 OUT= MAC=08:00:09:a9:2e:76:00:0e:f4:05:c4:9c:08:00 SRC=125.76.244.134 DST=192.168.3.2 LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=1011 PROTO=TCP SPT=5222 DPT=16174 WINDOW=0 RES=0x00 ACK RST URGP=0 
Aug 17 07:51:34 horus kernel: IN DROP: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.1.254 DST=192.168.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=27683 SEQ=1 
Aug 17 07:51:54 horus kernel: IN DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:c5:72:60:5e:08:00 SRC=192.168.1.3 DST=192.168.1.255 LEN=72 TOS=0x00 PREC=0x00 TTL=1 ID=19202 PROTO=UDP SPT=520 DPT=520 LEN=52 
Aug 17 07:51:58 horus kernel: IN DROP: IN=eth1 OUT= MAC=08:00:09:a9:2e:76:00:0e:f4:05:c4:9c:08:00 SRC=125.76.244.134 DST=192.168.3.2 LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=39024 PROTO=TCP SPT=5222 DPT=16174 WINDOW=0 RES=0x00 ACK RST URGP=0 
Aug 17 07:51:58 horus kernel: IN DROP: IN=eth1 OUT= MAC=08:00:09:a9:2e:76:00:0e:f4:05:c4:9c:08:00 SRC=125.76.244.134 DST=192.168.3.2 LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=50677 PROTO=TCP SPT=5222 DPT=16174 WINDOW=0 RES=0x00 ACK RST URGP=0 
Aug 17 07:52:22 horus kernel: IN DROP: IN=eth1 OUT= MAC=08:00:09:a9:2e:76:00:0e:f4:05:c4:9c:08:00 SRC=125.76.244.134 DST=192.168.3.2 LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=7767 PROTO=TCP SPT=5222 DPT=16174 WINDOW=0 RES=0x00 ACK RST URGP=0 
Aug 17 07:52:24 horus kernel: IN DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:c5:72:60:5e:08:00 SRC=192.168.1.3 DST=192.168.1.255 LEN=72 TOS=0x00 PREC=0x00 TTL=1 ID=19203 PROTO=UDP SPT=520 DPT=520 LEN=52 
Aug 17 07:52:34 horus kernel: FWD DROP: IN=eth1 OUT=eth0 SRC=87.197.246.186 DST=192.168.1.101 LEN=56 TOS=0x00 PREC=0xC0 TTL=249 ID=2931 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.101 DST=172.16.1.1 LEN=77 TOS=0x00 PREC=0x00 TTL=57 ID=44894 DF PROTO=UDP SPT=3075 DPT=28007 LEN=57 ] 
Aug 17 07:52:54 horus kernel: IN DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:c5:72:60:5e:08:00 SRC=192.168.1.3 DST=192.168.1.255 LEN=72 TOS=0x00 PREC=0x00 TTL=1 ID=19204 PROTO=UDP SPT=520 DPT=520 LEN=52 
Aug 17 07:53:24 horus kernel: IN DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:c5:72:60:5e:08:00 SRC=192.168.1.3 DST=192.168.1.255 LEN=72 TOS=0x00 PREC=0x00 TTL=1 ID=19205 PROTO=UDP SPT=520 DPT=520 LEN=52 
Aug 17 07:53:54 horus kernel: IN DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:c5:72:60:5e:08:00 SRC=192.168.1.3 DST=192.168.1.255 LEN=72 TOS=0x00 PREC=0x00 TTL=1 ID=19206 PROTO=UDP SPT=520 DPT=520 LEN=52 
Aug 17 07:54:20 horus kernel: IN DROP: IN=eth0 OUT= MAC= SRC=192.168.1.254 DST=192.168.1.255 LEN=242 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=222 
Aug 17 07:54:20 horus kernel: IN DROP: IN=eth0 OUT= MAC= SRC=192.168.1.254 DST=192.168.1.255 LEN=234 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=214 
Aug 17 07:54:24 horus kernel: IN DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:c5:72:60:5e:08:00 SRC=192.168.1.3 DST=192.168.1.255 LEN=72 TOS=0x00 PREC=0x00 TTL=1 ID=19207 PROTO=UDP SPT=520 DPT=520 LEN=52 
Aug 17 07:54:54 horus kernel: IN DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:c5:72:60:5e:08:00 SRC=192.168.1.3 DST=192.168.1.255 LEN=72 TOS=0x00 PREC=0x00 TTL=1 ID=19208 PROTO=UDP SPT=520 DPT=520 LEN=52 
Aug 17 07:55:24 horus kernel: IN DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:c5:72:60:5e:08:00 SRC=192.168.1.3 DST=192.168.1.255 LEN=72 TOS=0x00 PREC=0x00 TTL=1 ID=19209 PROTO=UDP SPT=520 DPT=520 LEN=52 
Aug 17 07:55:54 horus kernel: IN DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:c5:72:60:5e:08:00 SRC=192.168.1.3 DST=192.168.1.255 LEN=72 TOS=0x00 PREC=0x00 TTL=1 ID=19210 PROTO=UDP SPT=520 DPT=520 LEN=52 
Aug 17 07:56:24 horus kernel: IN DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:c5:72:60:5e:08:00 SRC=192.168.1.3 DST=192.168.1.255 LEN=72 TOS=0x00 PREC=0x00 TTL=1 ID=19211 PROTO=UDP SPT=520 DPT=520 LEN=52 
Aug 17 07:56:54 horus kernel: IN DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:c5:72:60:5e:08:00 SRC=192.168.1.3 DST=192.168.1.255 LEN=72 TOS=0x00 PREC=0x00 TTL=1 ID=19212 PROTO=UDP SPT=520 DPT=520 LEN=52 
Aug 17 07:57:24 horus kernel: IN DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:c5:72:60:5e:08:00 SRC=192.168.1.3 DST=192.168.1.255 LEN=72 TOS=0x00 PREC=0x00 TTL=1 ID=19213 PROTO=UDP SPT=520 DPT=520 LEN=52 
Aug 17 07:57:54 horus kernel: IN DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:c5:72:60:5e:08:00 SRC=192.168.1.3 DST=192.168.1.255 LEN=72 TOS=0x00 PREC=0x00 TTL=1 ID=19214 PROTO=UDP SPT=520 DPT=520 LEN=52 
Aug 17 07:58:24 horus kernel: IN DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:c5:72:60:5e:08:00 SRC=192.168.1.3 DST=192.168.1.255 LEN=72 TOS=0x00 PREC=0x00 TTL=1 ID=19215 PROTO=UDP SPT=520 DPT=520 LEN=52 
Aug 17 07:58:54 horus kernel: IN DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:c5:72:60:5e:08:00 SRC=192.168.1.3 DST=192.168.1.255 LEN=72 TOS=0x00 PREC=0x00 TTL=1 ID=19216 PROTO=UDP SPT=520 DPT=520 LEN=52 
Aug 17 07:59:24 horus kernel: IN DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:c5:72:60:5e:08:00 SRC=192.168.1.3 DST=192.168.1.255 LEN=72 TOS=0x00 PREC=0x00 TTL=1 ID=19217 PROTO=UDP SPT=520 DPT=520 LEN=52 
Aug 17 07:59:54 horus kernel: IN DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:c5:72:60:5e:08:00 SRC=192.168.1.3 DST=192.168.1.255 LEN=72 TOS=0x00 PREC=0x00 TTL=1 ID=19218 PROTO=UDP SPT=520 DPT=520 LEN=52 
Aug 17 08:00:24 horus kernel: IN DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:a0:c5:72:60:5e:08:00 SRC=192.168.1.3 DST=192.168.1.255 LEN=72 TOS=0x00 PREC=0x00 TTL=1 ID=19219 PROTO=UDP SPT=520 DPT=520 LEN=52 
Aug 17 08:00:48 horus kernel: FWD DROP: IN=eth1 OUT=eth0 SRC=87.197.246.186 DST=192.168.1.104 LEN=56 TOS=0x00 PREC=0xC0 TTL=249 ID=3924 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.104 DST=172.16.1.1 LEN=65 TOS=0x00 PREC=0x00 TTL=57 ID=52506 DF PROTO=UDP SPT=3111 DPT=28007 LEN=45 ]
17.8.2008 09:38 devicebusy | skóre: 2
Rozbalit Rozbalit vše Re: Problem s Firewallom
Ahoj, neideme sem postit kopu dumpov, 261837062
17.8.2008 10:43 deejay | skóre: 2
Rozbalit Rozbalit vše Re: Problem s Firewallom
Ahoj,nechapem tvojej odpovedi
17.8.2008 14:38 devicebusy | skóre: 2
Rozbalit Rozbalit vše Re: Problem s Firewallom
No to je moje ICQ, potom sem pastneme uz hotove riesenie, lebo uz to zacina byt necitatelne :)

Založit nové vláknoNahoru

Tiskni Sdílej: Linkuj Jaggni to Vybrali.sme.sk Google Del.icio.us Facebook

ISSN 1214-1267, (c) 1999-2007 Stickfish s.r.o.