transparent proxy in the LAN and also on the server
Roman Fordinal
aben at webcom.sk
Tue Jan 11 11:05:55 CET 2005
Lubor Kacian wrote:
> On Sunday 09 January 2005 11:29 pm Roman Fordinal wrote:
>> Peter Surda wrote:
>> > Roman Fordinal wrote:
>> >> this, however, does not work for local requests coming directly from
>> >> that machine (192.168.5.1), meaning that when someone logs in to the X
>> >> server on 192.168.5.1 and uses a browser, the packets do not pass
>> >> through the PREROUTING rule. Can anyone advise me how to arrange for
>> >> this to work?
> Why do it in such a complicated way via marking?
> Look here:
> http://www.spinics.net/lists/netfilter/msg29380.html
> and check IP_NF_NAT_LOCAL
Well, I don't know; I am probably making a mistake somewhere with IP_NF_NAT_LOCAL.
I recompiled the kernel with this option, and so I decided to test it:
iptables -t nat -p tcp -A PREROUTING -j LOG --log-prefix "NPRE: "
iptables -t nat -p tcp -A INPUT -j LOG --log-prefix "NIN: "
iptables -t nat -p tcp -A OUTPUT -j LOG --log-prefix "NOUT: "
iptables -t nat -p tcp -A POSTROUTING -j LOG --log-prefix "NPOST: "
iptables -t mangle -p tcp -A PREROUTING -j LOG --log-prefix "MPRE: "
iptables -t mangle -p tcp -A INPUT -j LOG --log-prefix "MIN: "
iptables -t mangle -p tcp -A FORWARD -j LOG --log-prefix "MFOR: "
iptables -t mangle -p tcp -A OUTPUT -j LOG --log-prefix "MOUT: "
iptables -t mangle -p tcp -A POSTROUTING -j LOG --log-prefix "MPOST: "
iptables -t filter -p tcp -A INPUT -j LOG --log-prefix "FIN: "
iptables -t filter -p tcp -A FORWARD -j LOG --log-prefix "FFOR: "
iptables -t filter -p tcp -A OUTPUT -j LOG --log-prefix "FOUT: "
$ wget tojejednoco.tld
Jan 11 00:01:20 [kernel] MOUT: IN= OUT=ppp0 SRC=10.192.3.174
DST=212.89.236.119 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20622 DF PROTO=TCP
SPT=32823 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 11 00:01:20 [kernel] MPOST: IN= OUT=ppp0 SRC=10.192.3.174
DST=212.89.236.119 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20622 DF PROTO=TCP
SPT=32823 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 11 00:01:21 [kernel] MPRE: IN=ppp0 OUT= MAC= SRC=212.89.236.119
DST=10.192.3.174 LEN=64 TOS=0x00 PREC=0x00 TTL=61 ID=27451 DF PROTO=TCP
SPT=80 DPT=32823 WINDOW=33304 RES=0x00 ACK SYN URGP=0
Jan 11 00:01:21 [kernel] MOUT: IN= OUT=ppp0 SRC=10.192.3.174
DST=212.89.236.119 LEN=148 TOS=0x00 PREC=0x00 TTL=64 ID=20626 DF PROTO=TCP
SPT=32823 DPT=80 WINDOW=1460 RES=0x00 ACK PSH URGP=0
Jan 11 00:01:21 [kernel] MPOST: IN= OUT=ppp0 SRC=10.192.3.174
DST=212.89.236.119 LEN=148 TOS=0x00 PREC=0x00 TTL=64 ID=20626 DF PROTO=TCP
SPT=32823 DPT=80 WINDOW=1460 RES=0x00 ACK PSH URGP=0
Jan 11 00:01:22 [kernel] MPRE: IN=ppp0 OUT= MAC= SRC=212.89.236.119
DST=10.192.3.174 LEN=52 TOS=0x00 PREC=0x00 TTL=61 ID=27452 DF PROTO=TCP
SPT=80 DPT=32823 WINDOW=33304 RES=0x00 ACK URGP=0
Jan 11 00:01:28 [kernel] MPRE: IN=ppp0 OUT= MAC= SRC=212.89.236.119
DST=10.192.3.174 LEN=337 TOS=0x00 PREC=0x00 TTL=61 ID=27453 DF PROTO=TCP
SPT=80 DPT=32823 WINDOW=33304 RES=0x00 ACK PSH URGP=0
Jan 11 00:01:28 [kernel] MPRE: IN=ppp0 OUT= MAC= SRC=212.89.236.119
DST=10.192.3.174 LEN=1215 TOS=0x00 PREC=0x00 TTL=61 ID=27454 DF PROTO=TCP
SPT=80 DPT=32823 WINDOW=33304 RES=0x00 ACK PSH URGP=0
Jan 11 00:01:28 [kernel] MPRE: IN=ppp0 OUT= MAC= SRC=212.89.236.119
DST=10.192.3.174 LEN=1500 TOS=0x00 PREC=0x00 TTL=61 ID=27455 DF PROTO=TCP
SPT=80 DPT=32823 WINDOW=33304 RES=0x00 ACK URGP=0
Jan 11 00:01:29 [kernel] MPRE: IN=ppp0 OUT= MAC= SRC=212.89.236.119
DST=10.192.3.174 LEN=1500 TOS=0x00 PREC=0x00 TTL=61 ID=27456 DF PROTO=TCP
SPT=80 DPT=32823 WINDOW=33304 RES=0x00 ACK PSH URGP=0
Jan 11 00:01:29 [kernel] MPRE: IN=ppp0 OUT= MAC= SRC=212.89.236.119
DST=10.192.3.174 LEN=1500 TOS=0x00 PREC=0x00 TTL=61 ID=27457 DF PROTO=TCP
SPT=80 DPT=32823 WINDOW=33304 RES=0x00 ACK URGP=0
Jan 11 00:01:29 [kernel] MPRE: IN=ppp0 OUT= MAC= SRC=212.89.236.119
DST=10.192.3.174 LEN=1500 TOS=0x00 PREC=0x00 TTL=61 ID=27458 DF PROTO=TCP
SPT=80 DPT=32823 WINDOW=33304 RES=0x00 ACK URGP=0
Jan 11 00:01:29 [kernel] MPRE: IN=ppp0 OUT= MAC= SRC=212.89.236.119
DST=10.192.3.174 LEN=1500 TOS=0x00 PREC=0x00 TTL=61 ID=27459 DF PROTO=TCP
SPT=80 DPT=32823 WINDOW=33304 RES=0x00 ACK URGP=0
Jan 11 00:01:30 [kernel] MPRE: IN=ppp0 OUT= MAC= SRC=212.89.236.119
DST=10.192.3.174 LEN=755 TOS=0x00 PREC=0x00 TTL=61 ID=27460 DF PROTO=TCP
SPT=80 DPT=32823 WINDOW=33304 RES=0x00 ACK PSH FIN URGP=0
Jan 11 00:01:31 [kernel] MPRE: IN=ppp0 OUT= MAC= SRC=212.89.236.119
DST=10.192.3.174 LEN=52 TOS=0x00 PREC=0x00 TTL=61 ID=27461 DF PROTO=TCP
SPT=80 DPT=32823 WINDOW=33304 RES=0x00 ACK URGP=0
Could I have something silly in the routing table?
bash-2.05b# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.192.67.138   *               255.255.255.255 UH    0      0        0 ppp0
192.168.5.0     *               255.255.255.0   U     0      0        0 eth0
loopback        localhost       255.0.0.0       UG    0      0        0 lo
default         10.192.67.138   0.0.0.0         UG    0      0        0 ppp0
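An added example, not code from the original post or from either participant: a small parser for kernel LOG lines that uses the prefix scheme of the rules above (first letter = table, rest = chain) and lists, per connection and direction, the table/chain hops each packet was seen in. Its sample input is the post's first three log entries re-joined onto single lines and abridged; on them it shows the host's own outbound request appearing only in OUTPUT and POSTROUTING while PREROUTING sees only the replies, which is why a PREROUTING rule cannot catch the machine's local requests.

```python
# Added example, not from the original post. Assumes the post's LOG prefix
# scheme: first letter = table (N nat, M mangle, F filter), rest = chain name.
import re
from collections import defaultdict

TABLES = {"N": "nat", "M": "mangle", "F": "filter"}
CHAINS = {"PRE": "PREROUTING", "IN": "INPUT", "FOR": "FORWARD",
          "OUT": "OUTPUT", "POST": "POSTROUTING"}
LINE_RE = re.compile(r"\[kernel\] ([NMF])(PRE|IN|FOR|OUT|POST): (.*)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")
# First three entries from the post (SYN, SYN again, SYN/ACK reply), re-joined
# onto one line each and abridged to the fields this script reads.
SAMPLE_LOG = """\
Jan 11 00:01:20 [kernel] MOUT: IN= OUT=ppp0 SRC=10.192.3.174 DST=212.89.236.119 PROTO=TCP SPT=32823 DPT=80 SYN URGP=0
Jan 11 00:01:20 [kernel] MPOST: IN= OUT=ppp0 SRC=10.192.3.174 DST=212.89.236.119 PROTO=TCP SPT=32823 DPT=80 SYN URGP=0
Jan 11 00:01:21 [kernel] MPRE: IN=ppp0 OUT= MAC= SRC=212.89.236.119 DST=10.192.3.174 PROTO=TCP SPT=80 DPT=32823 ACK SYN URGP=0
"""

def parse_log(text):
    """Return one dict per LOG line: table, chain, direction and flow key."""
    entries = []
    for m in LINE_RE.finditer(text):
        fields = dict(FIELD_RE.findall(m.group(3)))
        # IN= (empty) means this host generated the packet; OUT= (empty) means
        # it is addressed to this host; both set means it is being forwarded.
        if fields.get("IN", "") == "":
            direction = "local-out"
        else:
            direction = "local-in" if fields.get("OUT", "") == "" else "forwarded"
        src = (fields["SRC"], fields.get("SPT", ""))
        dst = (fields["DST"], fields.get("DPT", ""))
        entries.append({"table": TABLES[m.group(1)], "chain": CHAINS[m.group(2)],
                        "direction": direction,
                        # Sort endpoints so both directions share one flow key.
                        "flow": tuple(sorted([src, dst]))})
    return entries

def chain_path(entries):
    """Map (flow, direction) -> ordered 'table/CHAIN' hops, repeats dropped."""
    path = defaultdict(list)
    for e in entries:
        hops = path[(e["flow"], e["direction"])]
        if f"{e['table']}/{e['chain']}" not in hops:
            hops.append(f"{e['table']}/{e['chain']}")
    return dict(path)

def prerouting_saw_local_requests(entries):
    """True only if a packet this host generated was logged in PREROUTING."""
    return any(e["chain"] == "PREROUTING" and e["direction"] == "local-out" for e in entries)
```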
More information about the Linux mailing list