DNAT: TCP connection not being forwarded [a bit longer]
Dal Horinek
dallinux at centrum.cz
Saturday December 30 16:04:55 CET 2006
Greetings to the list,
for several days now I have been dealing with a strange port-forwarding problem. For some
reason, when I try to forward a TCP connection, it does not get through. I no longer know
where to look for the error, so I am turning to you.
My situation is as follows:
server
    eth0 85.207.88.24
    eth1 192.168.88.1
notebook1
    eth0 192.168.88.88
notebook2
    eth0 192.168.88.208
The server does NAT and I want to forward port 5900 to notebook2, i.e. VNC,
which is TCP.
If I run on notebook2:
netcat -l -p 5900
and connect to it from notebook1 with netcat server 5900 (at this point the
forwarding should be taking place),
then no data flows at all, yet if I put LOG in iptables instead of the DNAT
target, it shows up in the log, so the rule does match.
A direct connection, i.e. netcat notebook2 5900 from notebook1, works fine.
If I try a UDP connection, it goes through even with the forwarding.
Apart from that, it only works if I am not trying to connect from the
computer it runs on or from the server; in those cases it does not work either.
I also tried tcpdump, which does show some data flowing, but that is about as
far as it goes.
So, the configuration on the server:
kernel:
2.6.19.1 (also tried on 2.6.19)
(kernel config attached)
iptables:
*filter
:INPUT DROP [5159:435760]
:FORWARD ACCEPT [555346:267151164]
:OUTPUT ACCEPT [70023:54171609]
-A INPUT -s 127.0.0.0/255.0.0.0 -j ACCEPT
-A INPUT -s 192.168.88.0/255.255.255.0 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -m recent
--set --name DEFAULT --rsource
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -m recent
--update --seconds 60 --hitcount 3 --name DEFAULT --rsource -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 835 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 836 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
# Completed on Sat Dec 30 15:49:07 2006
# Generated by iptables-save v1.2.11 on Sat Dec 30 15:49:07 2006
*nat
:PREROUTING ACCEPT [11430:759167]
:POSTROUTING ACCEPT [1524:151341]
:OUTPUT ACCEPT [1303:110892]
-A PREROUTING -p udp -m udp --dport 13896 -j DNAT --to-destination
192.168.88.88
-A PREROUTING -p tcp -m tcp --dport 13896 -j DNAT --to-destination
192.168.88.88
-A PREROUTING -p tcp -m tcp --dport 5900 -j DNAT --to-destination
192.168.88.208
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
route:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
85.207.88.16    0.0.0.0         255.255.255.240 U     0      0        0 eth0
192.168.88.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         85.207.88.17    0.0.0.0         UG    0      0        0 eth0
ifconfig:
eth0 Link encap:Ethernet HWaddr 00:50:04:69:6B:0C
inet addr:85.207.88.24 Bcast:85.207.88.31 Mask:255.255.255.240
inet6 addr: fe80::250:4ff:fe69:6b0c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:366682 errors:0 dropped:0 overruns:0 frame:0
TX packets:286573 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:224061096 (213.6 MiB) TX bytes:64105452 (61.1 MiB)
Interrupt:11 Base address:0xcf80
eth1 Link encap:Ethernet HWaddr 00:0E:2E:36:9B:2A
inet addr:192.168.88.1 Bcast:192.168.88.255 Mask:255.255.255.0
inet6 addr: fe80::20e:2eff:fe36:9b2a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:289118 errors:0 dropped:0 overruns:0 frame:0
TX packets:341323 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:63359453 (60.4 MiB) TX bytes:270660342 (258.1 MiB)
Interrupt:12 Base address:0xc400
On both notebooks everything is ACCEPT.
Note:
When I tried making notebook1 the NAT box and forwarding through it, everything
worked fine, but I really do not know where the problem is, because as far as
iptables is concerned, there should not be a problem there.
If anyone knows where the problem might be, or how best to track it down, I
would be very grateful for any help.
Regards,
Dalibor Horinek
--
== www.horinek.net ==
Dalibor Horinek
ICQ: 178217372
------------- next part ---------------
A non-text attachment was scrubbed...
Name: 2.6.19.1-config.bz2
Type: application/x-bzip
Size: 9954 bytes
Desc: [no description available]
URL: <http://www.linux.cz/pipermail/linux/attachments/20061230/1677995d/attachment.bin>
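One configuration that produces exactly the symptoms described in the post (the LOG rule matches, tcpdump sees packets, a one-way UDP datagram arrives, but no TCP session is ever established when the client sits on the same /24 as the DNAT target) is a hairpin NAT path: notebook2's reply to 192.168.88.88 is delivered directly on the LAN and never passes back through the server, so notebook1 receives a SYN-ACK from 192.168.88.208 instead of 85.207.88.24 and discards it. The model below is added here as an illustration and is not code from the original post or any reply; it traces one SYN/SYN-ACK exchange through the post's own DNAT rule, with and without an assumed extra POSTROUTING rule on eth1 that is not part of the post.

```python
"""Constructed model (not real netfilter) of the post's NAT path: notebook1, on the
server's LAN, connects to the public address, which is DNATed to notebook2."""
import ipaddress
from collections import namedtuple

LAN = ipaddress.ip_network("192.168.88.0/24")           # server eth1 side, from the post
SERVER_WAN, SERVER_LAN = "85.207.88.24", "192.168.88.1"
NB1, NB2, VNC = "192.168.88.88", "192.168.88.208", 5900
Pkt = namedtuple("Pkt", "src sport dst dport")

def in_lan(ip):
    return ipaddress.ip_address(ip) in LAN

def nat_forward(p, conntrack, hairpin_snat):
    """Server nat table for a new connection: the post's PREROUTING DNAT, then POSTROUTING.
    The post only masquerades -o eth0, so a packet forwarded out of eth1 keeps its source.
    hairpin_snat models an assumed extra rule that is NOT in the post:
      -A POSTROUTING -o eth1 -s 192.168.88.0/24 -d 192.168.88.208 -j MASQUERADE"""
    orig = p
    if p.dst == SERVER_WAN and p.dport == VNC:   # -A PREROUTING -p tcp --dport 5900 -j DNAT
        p = p._replace(dst=NB2)
    if hairpin_snat and in_lan(p.src) and p.dst == NB2:
        p = p._replace(src=SERVER_LAN)
    conntrack[(p.dst, p.dport, p.src, p.sport)] = orig   # reply tuple -> original packet
    return p

def nat_reply(r, conntrack):
    """Undo both translations for a reply that really passes back through the server."""
    orig = conntrack[(r.src, r.sport, r.dst, r.dport)]
    return Pkt(orig.dst, orig.dport, orig.src, orig.sport)

def synack_seen_by_client(hairpin_snat):
    """(src, sport) of the SYN-ACK that notebook1 receives for its SYN to 85.207.88.24:5900."""
    conntrack = {}
    syn = Pkt(NB1, 40000, SERVER_WAN, VNC)              # constructed ephemeral client port
    at_nb2 = nat_forward(syn, conntrack, hairpin_snat)  # the forward direction always arrives
    synack = Pkt(at_nb2.dst, at_nb2.dport, at_nb2.src, at_nb2.sport)
    # notebook2 delivers an on-LAN destination directly, bypassing the server; only a packet
    # addressed to the server itself (or off-LAN) goes back through its nat table
    if synack.dst == SERVER_LAN or not in_lan(synack.dst):
        synack = nat_reply(synack, conntrack)
    return synack.src, synack.sport

def handshake_completes(hairpin_snat):
    """A client socket only accepts a SYN-ACK from the peer address:port it sent the SYN to."""
    return synack_seen_by_client(hairpin_snat) == (SERVER_WAN, VNC)
```

The forward direction arrives at notebook2 in both cases, which is why a LOG target matches and tcpdump on the server shows traffic; only the return path differs. Note that the hairpin MASQUERADE makes notebook2 log 192.168.88.1 instead of the real LAN client, so keep it scoped to the DNAT target rather than applying it to all eth1 traffic.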