firewall
marek123
Posted 26-03-2010 09:13
User
Posts: 21
Joined: 08/11/2009 20:43
Hello! I have the following problem: I set up forwarding via dyndns.org, and the connection from outside over www and PuTTY works. However, mpcs is running on the router on ports 11111 and 11114, and when I connect through those ports I cannot reach the router. Please help, I'm at my wits' end.

arteq
Posted 26-03-2010 09:18
VIP
Posts: 1918
Joined: 04/03/2006 17:42
Remind us of your firewall config :-)
Regards, Artur
http://digi-led.pl Electronic components | network devices | IT services
http://openwrt.pl - Polish OpenWrt Centre
o p e n (your) r o u t e r . p l

marek123
Posted 26-03-2010 09:31
User
Posts: 21
Joined: 08/11/2009 20:43
Kamikaze 8.09

firewall.user:

### Set up tables
## -- Flush the custom WAN chains first so the script can be re-run without duplicating rules
iptables -F input_wan
iptables -F forwarding_wan
iptables -t nat -F prerouting_wan
##
### Open port to WAN
## -- This allows port 22 to be answered by (dropbear on) the router
iptables -t nat -A prerouting_wan -p tcp --dport 22 -j ACCEPT
iptables -A input_wan -p tcp --dport 22 -j ACCEPT
##
## -- This allows port 80 to be answered by (the web server on) the router
iptables -t nat -A prerouting_wan -p tcp --dport 80 -j ACCEPT
iptables -A input_wan -p tcp --dport 80 -j ACCEPT
##
### Port forwarding
## -- This forwards port 8100 on the WAN to port 80 on 192.168.1.133
iptables -t nat -A prerouting_wan -p tcp --dport 8100 -j DNAT --to 192.168.1.133:80
iptables -A forwarding_wan -p tcp --dport 80 -d 192.168.1.133 -j ACCEPT
## -- This forwards UDP ports 5060-5061 on the WAN to 192.168.1.133
## -- (note: the ACCEPT below matches 192.168.1.100, not the DNAT target 192.168.1.133; the two should agree)
iptables -t nat -A prerouting_wan -p udp --dport 5060:5061 -j DNAT --to 192.168.1.133
iptables -A forwarding_wan -d 192.168.1.100 -j ACCEPT
##
### DMZ
## -- Connections to ports not handled above will be forwarded to 192.168.2.2
iptables -t nat -A prerouting_wan -j DNAT --to 192.168.2.2
iptables -A forwarding_wan -d 192.168.2.2 -j ACCEPT
## -- Allow all traffic in and out of the tap+ (VPN tunnel) interfaces
iptables -I OUTPUT -o tap+ -j ACCEPT
iptables -I INPUT -i tap+ -j ACCEPT
iptables -I FORWARD -o tap+ -j ACCEPT
iptables -I FORWARD -i tap+ -j ACCEPT

firewall.config:

config 'defaults'
	option 'syn_flood' '1'
	option 'input' 'ACCEPT'
	option 'output' 'ACCEPT'
	option 'forward' 'REJECT'

config 'zone'
	option 'name' 'lan'
	option 'input' 'ACCEPT'
	option 'output' 'ACCEPT'
	option 'forward' 'REJECT'

config 'zone'
	option 'name' 'wan'
	option 'input' 'ACCEPT'
	option 'output' 'ACCEPT'
	option 'forward' 'REJECT'
	option 'masq' '1'

config 'forwarding'
	option 'src' 'lan'
	option 'dest' 'wan'
	option 'mtu_fix' '1'

config 'include'
	option 'path' '/etc/firewall.user'

config 'rule' 'mpcs'
	option 'src' 'wan'
	option 'proto' 'tcp'
	option 'src_ip' '192.168.1.1'
	option 'dest_ip' '192.168.1.1'
	option 'dest_port' '11111'
	option 'target' 'ACCEPT'

config 'rule'
	option '_name' 'mpcs1'
	option 'src' 'wan'
	option 'target' 'ACCEPT'
	option 'proto' 'udp'
	option 'dest_port' '11111'

config 'rule'
	option '_name' 'FTP'
	option 'src' 'wan'
	option 'target' 'ACCEPT'
	option 'proto' 'tcp'
	option 'dest_port' '21'

config 'rule'
	option '_name' 'mpcs1'
	option 'src' 'wan'
	option 'target' 'ACCEPT'
	option 'proto' 'tcp'
	option 'dest_port' '11111'

config 'rule'
	option '_name' 'mpcs2'
	option 'src' 'wan'
	option 'target' 'ACCEPT'
	option 'proto' 'tcp'
	option 'dest_port' '11114'

By the way, FTP doesn't work either, so apparently I have misconfigured something.

obsy
Posted 26-03-2010 09:37
VIP
Posts: 5775
Joined: 31/10/2006 20:06
Who configured this for you? In firewall.user the whole WAN input is flushed and set up from scratch, so a setting in /etc/config/firewall won't do anything, because that script overwrites it.
You have examples in it for ports 22 and 90. Copy them for 21, 11111 and 11114.

marek123
Posted 26-03-2010 09:41
User
Posts: 21
Joined: 08/11/2009 20:43
### Set up tables
## -- Flush the custom WAN chains first so the script can be re-run without duplicating rules
iptables -F input_wan
iptables -F forwarding_wan
iptables -t nat -F prerouting_wan
##
### Open port to WAN
## -- This allows port 22 to be answered by (dropbear on) the router
iptables -t nat -A prerouting_wan -p tcp --dport 22 -j ACCEPT
iptables -A input_wan -p tcp --dport 22 -j ACCEPT
##
## -- This allows port 21 (FTP) and ports 11111 and 11114 (mpcs) to be answered by the router
iptables -t nat -A prerouting_wan -p tcp --dport 21 -j ACCEPT
iptables -A input_wan -p tcp --dport 21 -j ACCEPT
iptables -t nat -A prerouting_wan -p tcp --dport 11111 -j ACCEPT
iptables -A input_wan -p tcp --dport 11111 -j ACCEPT
iptables -t nat -A prerouting_wan -p tcp --dport 11114 -j ACCEPT
iptables -A input_wan -p tcp --dport 11114 -j ACCEPT
## -- This allows port 80 to be answered by (the web server on) the router
iptables -t nat -A prerouting_wan -p tcp --dport 80 -j ACCEPT
iptables -A input_wan -p tcp --dport 80 -j ACCEPT
##
### Port forwarding
## -- This forwards port 8100 on the WAN to port 80 on 192.168.1.133
iptables -t nat -A prerouting_wan -p tcp --dport 8100 -j DNAT --to 192.168.1.133:80
iptables -A forwarding_wan -p tcp --dport 80 -d 192.168.1.133 -j ACCEPT
## -- This forwards UDP ports 5060-5061 on the WAN to 192.168.1.133
## -- (note: the ACCEPT below matches 192.168.1.100, not the DNAT target 192.168.1.133; the two should agree)
iptables -t nat -A prerouting_wan -p udp --dport 5060:5061 -j DNAT --to 192.168.1.133
iptables -A forwarding_wan -d 192.168.1.100 -j ACCEPT
##
### DMZ
## -- Connections to ports not handled above will be forwarded to 192.168.2.2
iptables -t nat -A prerouting_wan -j DNAT --to 192.168.2.2
iptables -A forwarding_wan -d 192.168.2.2 -j ACCEPT
## -- Allow all traffic in and out of the tap+ (VPN tunnel) interfaces
iptables -I OUTPUT -o tap+ -j ACCEPT
iptables -I INPUT -i tap+ -j ACCEPT
iptables -I FORWARD -o tap+ -j ACCEPT
iptables -I FORWARD -i tap+ -j ACCEPT

If I understood correctly, this is what you mean? But the configuration above doesn't work: PuTTY and www are OK, but connecting through ports 11111, 11114 and 21 doesn't work.
Edited by marek123 on 26-03-2010 09:50

obsy
Posted 26-03-2010 09:57
VIP
Posts: 5775
Joined: 31/10/2006 20:06
It has to work. Did you restart the router? Show the output of iptables -v -L

marek123
Posted 26-03-2010 10:10
User
Posts: 21
Joined: 08/11/2009 20:43
root@OpenWrt:~# iptables -v -L
Chain INPUT (policy ACCEPT 4 packets, 212 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- tap+ any anywhere anywhere
0 0 DROP all -- any any anywhere anywhere state INVALID
788 99714 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
1 72 ACCEPT all -- lo any anywhere anywhere
20 1060 syn_flood tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
22 1722 input_rule all -- any any anywhere anywhere
22 1722 input all -- any any anywhere anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- tap+ any anywhere anywhere
0 0 ACCEPT all -- any tap+ anywhere anywhere
0 0 DROP all -- any any anywhere anywhere state INVALID
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
1 337 forwarding_rule all -- any any anywhere anywhere
1 337 forward all -- any any anywhere anywhere
0 0 reject all -- any any anywhere anywhere

Chain OUTPUT (policy ACCEPT 23 packets, 5148 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any tap+ anywhere anywhere
0 0 DROP all -- any any anywhere anywhere state INVALID
938 238K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
1 72 ACCEPT all -- any lo anywhere anywhere
106 34088 output_rule all -- any any anywhere anywhere
106 34088 output all -- any any anywhere anywhere

Chain MINIUPNPD (1 references)
pkts bytes target prot opt in out source destination

Chain forward (1 references)
pkts bytes target prot opt in out source destination
0 0 zone_lan_forward all -- br-lan any anywhere anywhere
1 337 zone_wan_forward all -- eth0.1 any anywhere anywhere

Chain forwarding_lan (1 references)
pkts bytes target prot opt in out source destination

Chain forwarding_rule (1 references)
pkts bytes target prot opt in out source destination
1 337 miniupnpd_wan_rule all -- any any anywhere anywhere

Chain forwarding_wan (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- any any anywhere 192.168.1.133 tcp dpt:80
0 0 ACCEPT all -- any any anywhere 192.168.1.100
1 337 ACCEPT all -- any any anywhere 192.168.2.2

Chain input (1 references)
pkts bytes target prot opt in out source destination
0 0 zone_lan all -- br-lan any anywhere anywhere
18 1510 zone_wan all -- eth0.1 any anywhere anywhere

Chain input_lan (1 references)
pkts bytes target prot opt in out source destination

Chain input_rule (1 references)
pkts bytes target prot opt in out source destination

Chain input_wan (1 references)
pkts bytes target prot opt in out source destination
5 284 ACCEPT tcp -- any any anywhere anywhere tcp dpt:22
5 260 ACCEPT tcp -- any any anywhere anywhere tcp dpt:80
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:21
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:11111

Chain miniupnpd_wan_rule (1 references)
pkts bytes target prot opt in out source destination
0 0 MINIUPNPD all -- eth0.1 !eth0.1 anywhere anywhere

Chain output (1 references)
pkts bytes target prot opt in out source destination
106 34088 zone_lan_ACCEPT all -- any any anywhere anywhere
26 5668 zone_wan_ACCEPT all -- any any anywhere anywhere

Chain output_rule (1 references)
pkts bytes target prot opt in out source destination

Chain reject (5 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- any any anywhere anywhere reject-with tcp-reset
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable

Chain syn_flood (1 references)
pkts bytes target prot opt in out source destination
20 1060 RETURN tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
0 0 DROP all -- any any anywhere anywhere

Chain zone_lan (1 references)
pkts bytes target prot opt in out source destination
0 0 input_lan all -- any any anywhere anywhere
0 0 zone_lan_ACCEPT all -- any any anywhere anywhere

Chain zone_lan_ACCEPT (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- br-lan any anywhere anywhere
80 28420 ACCEPT all -- any br-lan anywhere anywhere

Chain zone_lan_DROP (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- br-lan any anywhere anywhere
0 0 DROP all -- any br-lan anywhere anywhere

Chain zone_lan_MSSFIX (0 references)
pkts bytes target prot opt in out source destination
0 0 TCPMSS tcp -- any br-lan anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

Chain zone_lan_REJECT (1 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- br-lan any anywhere anywhere
0 0 reject all -- any br-lan anywhere anywhere

Chain zone_lan_forward (1 references)
pkts bytes target prot opt in out source destination
0 0 zone_wan_MSSFIX all -- any any anywhere anywhere
0 0 zone_wan_ACCEPT all -- any any anywhere anywhere
0 0 forwarding_lan all -- any any anywhere anywhere
0 0 zone_lan_REJECT all -- any any anywhere anywhere

Chain zone_wan (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:11112
6 304 ACCEPT tcp -- any any anywhere anywhere tcp dpt:11111
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:21
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:11111
0 0 ACCEPT tcp -- any any 192.168.1.1 192.168.1.1 tcp dpt:11111
12 1206 input_wan all -- any any anywhere anywhere
2 662 zone_wan_ACCEPT all -- any any anywhere anywhere

Chain zone_wan_ACCEPT (3 references)
pkts bytes target prot opt in out source destination
2 662 ACCEPT all -- eth0.1 any anywhere anywhere
3 520 ACCEPT all -- any eth0.1 anywhere anywhere

Chain zone_wan_DROP (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- eth0.1 any anywhere anywhere
0 0 DROP all -- any eth0.1 anywhere anywhere

Chain zone_wan_MSSFIX (1 references)
pkts bytes target prot opt in out source destination
0 0 TCPMSS tcp -- any eth0.1 anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

Chain zone_wan_REJECT (1 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- eth0.1 any anywhere anywhere
0 0 reject all -- any eth0.1 anywhere anywhere

Chain zone_wan_forward (1 references)
pkts bytes target prot opt in out source destination
1 337 forwarding_wan all -- any any anywhere anywhere
0 0 zone_wan_REJECT all -- any any anywhere anywhere
root@OpenWrt:~#

marek123
Posted 26-03-2010 10:16
User
Posts: 21
Joined: 08/11/2009 20:43
obsy, thank you, it works. I forgot to start mpcs after the restart.
FTP works too.

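The resolution above is a classic case of a firewall rule that is present while nothing is listening behind it. As an added example, not from the thread or from OpenWrt, the script below takes the text of `iptables -v -L` and `netstat -ln` and reports, per port, whether the WAN chains accept it and whether a daemon is bound to it, so "no rule" and "service not running" are told apart. The two sample outputs are constructed to resemble the router in this thread, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: separate "no firewall rule" from
# "rule present but nothing listening" (the actual cause in this thread).
# IPT_OUT and NETSTAT_OUT are constructed samples; on a router you would
# set IPT_OUT=$(iptables -v -L) and NETSTAT_OUT=$(netstat -ln) instead.

IPT_OUT='Chain zone_wan (1 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:11111
    0     0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:11114
   12  1206 input_wan all -- any any anywhere anywhere
Chain input_wan (1 references)
 pkts bytes target prot opt in out source destination
    5   284 ACCEPT tcp -- any any anywhere anywhere tcp dpt:22
    0     0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:21'

NETSTAT_OUT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN'

# rule_allows PROTO PORT: succeeds if zone_wan or input_wan (the chains fed by
# the uci rules and by firewall.user) holds an ACCEPT for PROTO dpt:PORT.
rule_allows() {
    printf '%s\n' "$IPT_OUT" | awk -v proto="$1" -v port="$2" '
        BEGIN { want = "dpt:" port }
        /^Chain / { cur = $2; next }
        (cur == "zone_wan" || cur == "input_wan") && $3 == "ACCEPT" && $4 == proto && $NF == want { found = 1 }
        END { exit !found }'
}

# listening PROTO PORT: succeeds if some socket is bound to PORT for PROTO.
listening() {
    printf '%s\n' "$NETSTAT_OUT" | awk -v proto="$1" -v port="$2" '
        $1 == proto && $4 ~ (":" port "$") { found = 1 }
        END { exit !found }'
}

# check_port PROTO PORT: prints ok | no-rule | not-listening
check_port() {
    if ! rule_allows "$1" "$2"; then echo no-rule
    elif ! listening "$1" "$2"; then echo not-listening
    else echo ok
    fi
}

for spec in tcp:22 tcp:21 tcp:11111 tcp:11114 tcp:80; do
    echo "${spec}: $(check_port "${spec%%:*}" "${spec##*:}")"
done
```

With the constructed samples, 22 and 21 report ok, 11111 and 11114 report not-listening (rule present, no mpcs bound to the port), and 80 reports no-rule.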
obsy
Posted 27-03-2010 14:11
VIP
Posts: 5775
Joined: 31/10/2006 20:06
Ehhh...