DNS problems in VMWARE

Kovář Jan jan-kovar at meggle.cz
Thursday July 17 15:52:14 CEST 2008



-----Original Message-----
From: linux-bounces at linux.cz [mailto:linux-bounces at linux.cz] On Behalf Of Petr Simek
Sent: Thursday, July 17, 2008 2:51 PM
To: Diskuse o Linuxu v cestine
Subject: RE: DNS problems in VMWARE

On Thu, 17 Jul 2008, Kovář Jan wrote:

> Hmm, so the problem isn't just DNS. But I completely fail to understand the
> logic of these errors. :-(
>
> [root@gw ~]# telnet 192.168.10.2 25
> Trying 192.168.10.2...
> telnet: connect to address 192.168.10.2: No route to host
> telnet: Unable to connect to remote host: No route to host

> [root@gw ~]# ssh 192.168.10.2
> ssh: connect to host 192.168.10.2 port 22: Connection refused

> Why does it say No route to host in the first case? It's the same address, after all.
>
> I don't understand it. And yet the GATEWAY entry in /etc/sysconfig/network is there and
> it's correct. :-( One protocol works, the other doesn't. I feel like an idiot.
> :-(

Isn't there a firewall? Is the rule DROP in one case and REJECT in the other?

Yes, there is, but IMHO in this case it's useless. I'm sending the whole script listing. I've given up for today, I'm totally burnt out, but tomorrow I'll try to trim it down to the bare minimum.

#!/bin/sh
#
INET_IP="192.168.10.57"
INET_IFACE="eth0"
 
LAN1_IP="10.0.1.1/32"
LAN1_BCAST="10.0.1.255/32"
LAN1_IFACE="eth1"
 
LO_IFACE="lo"
LO_IP="127.0.0.1/32"
 
IPTABLES="/sbin/iptables"
 
/sbin/depmod -a
 
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
 
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
 
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
 
# Start from a clean slate, otherwise re-running the script appends duplicate rules
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
 
 
 
#
# POSTROUTING
#
 
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to $INET_IP
 

#
# FORWARD
#
 
$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A FORWARD -p tcp -i $INET_IFACE --tcp-flags SYN,FIN SYN,FIN -j LOG -m limit --limit 10/m --log-prefix="bogus packet: "
$IPTABLES -A FORWARD -p tcp -i $INET_IFACE --tcp-flags SYN,FIN SYN,FIN -j DROP
 

$IPTABLES -A FORWARD -i $LAN1_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN1_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 12/h -j LOG --log-prefix "forward drop: "
 

#
# INPUT
#
 
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A INPUT -p tcp -i $INET_IFACE --tcp-flags SYN,FIN SYN,FIN -j LOG -m limit --limit 10/m --log-prefix="bogus packet: "
$IPTABLES -A INPUT -p tcp -i $INET_IFACE --tcp-flags SYN,FIN SYN,FIN -j DROP
 
$IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 113 -m limit --limit 12/h -j LOG
$IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 113 -j REJECT --reject-with tcp-reset #AUTH server
 
$IPTABLES -A INPUT -i $INET_IFACE -p ICMP --icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT
$IPTABLES -A INPUT -i $LAN1_IFACE -d $LAN1_IP -j ACCEPT
$IPTABLES -A INPUT -i $LAN1_IFACE -d $INET_IP -j ACCEPT
 
$IPTABLES -A INPUT -i $LAN1_IFACE -d $LAN1_BCAST -j ACCEPT
$IPTABLES -A INPUT -i $LAN1_IFACE -p udp --dport 67 -j ACCEPT
 
$IPTABLES -A INPUT -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m limit --limit 12/h -j LOG --log-prefix "INPUT drop: "

#
# OUTPUT
#
 
$IPTABLES -A OUTPUT -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -s $LAN1_IP -j ACCEPT
$IPTABLES -A OUTPUT -s $INET_IP -j ACCEPT
$IPTABLES -A OUTPUT -o $LAN1_IFACE -p UDP --dport 68 --sport 67 -j ACCEPT
$IPTABLES -A OUTPUT -j LOG --log-prefix "OUTPUT drop: "
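The hint about DROP versus REJECT is the key to the two different error messages: a client reports "Connection refused" when a TCP RST comes back (closed port, or REJECT --reject-with tcp-reset), "No route to host" when an ICMP host-unreachable or host-prohibited arrives (what REJECT --reject-with icmp-host-prohibited sends), and only a plain timeout when something on the path silently DROPs the SYN. The following probe, an added example that is not part of the thread, maps the errno from a failed connect() to that likely verdict; the target addresses are taken from the messages above, and closed_local_port() is a constructed helper so the tool can be tried offline.

```python
import errno
import socket

# Map the errno a failed TCP connect() raises to what most likely happened to the
# SYN on the wire (table built for this example, describing normal Linux behaviour).
VERDICTS = {
    errno.ECONNREFUSED: "refused",          # TCP RST: closed port or REJECT --reject-with tcp-reset
    errno.EHOSTUNREACH: "host-prohibited",  # ICMP host unreachable/prohibited: REJECT
                                            # --reject-with icmp-host-prohibited, or no ARP reply
    errno.ENETUNREACH: "net-unreachable",   # ICMP net unreachable, or no matching local route
    errno.ETIMEDOUT: "dropped",             # nothing came back: a DROP rule or policy on the path
}


def classify(err):
    """Return the verdict name for an errno value, or 'unknown'."""
    return VERDICTS.get(err, "unknown")


def probe(host, port, timeout=3.0):
    """Try one TCP connect and return (verdict, errno) instead of raising."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return ("open", 0)
    except socket.timeout:
        # No SYN-ACK, RST or ICMP within the timeout: the classic symptom of DROP.
        return (classify(errno.ETIMEDOUT), errno.ETIMEDOUT)
    except OSError as e:
        return (classify(e.errno), e.errno)
    finally:
        s.close()


def closed_local_port():
    """Constructed helper: a TCP port on 127.0.0.1 that nothing is listening on."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # The two targets from the thread: port 25 said "No route to host", port 22 "Connection refused".
    for host, port in [("192.168.10.2", 25), ("192.168.10.2", 22)]:
        verdict, code = probe(host, port)
        print(f"{host}:{port} -> {verdict} ({errno.errorcode.get(code, '-')})")
```

Run it from the host that showed the errors; a "host-prohibited" verdict on one port and "refused" on another points at a REJECT rule with different --reject-with types on the far end (or on a router in between), not at the routing table.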


