Problems with DNS in VMWARE

Petr Vavra petr at 4www.cz
Thursday July 17 16:15:21 CEST 2008


Yes, you do have forwarding turned on, but in the firewall you haven't allowed it
from that host-only interface (you have FORWARD set to DROP and then allow it for
some directions, but the one from the vmnetx interface (by default vmnet1 is
host-only) is not allowed).

Petr Vavra

Kovář Jan wrote:
>  
>
> -----Original Message-----
> From: linux-bounces at linux.cz [mailto:linux-bounces at linux.cz] On Behalf Of Petr Simek
> Sent: Thursday, July 17, 2008 2:51 PM
> To: Discussion about Linux in Czech
> Subject: RE: Problems with DNS in VMWARE
>
> On Thu, 17 Jul 2008, Kovář Jan wrote:
>
>
>> Hmm, so the problem isn't only in DNS. But I completely don't understand the
>> logic of these errors. :-(
>>
>> [root na gw ~]# telnet 192.168.10.2 25
>> Trying 192.168.10.2...
>> telnet: connect to address 192.168.10.2: No route to host
>> telnet: Unable to connect to remote host: No route to host
>>
>
>> [root na gw ~]# ssh 192.168.10.2
>> ssh: connect to host 192.168.10.2 port 22: Connection refused
>>
>
>> Why does it say No route to host in the first case? It's the same address after all.
>>
>> I don't understand it. And yet the GATEWAY entry in /etc/sysconfig/network is
>> there and it's correct. :-( One protocol works, the other doesn't. I feel like an idiot.
>> :-(
>>
>
> Isn't there a firewall there? Is the rule DROP in one case and REJECT in the other?
>
> Yes, there is, but IMHO in this case it's useless. I'm sending the complete listing of the script. Today I've given up, I'm totally burned out, but tomorrow I'll try to cut it down to the bare minimum.
>
> #!/bin/sh
> #
> INET_IP="192.168.10.57"
> INET_IFACE="eth0"
>  
> LAN1_IP="10.0.1.1/32"
> LAN1_BCAST="10.0.1.255/32"
> LAN1_IFACE="eth1"
>  
> LO_IFACE="lo"
> LO_IP="127.0.0.1/32"
>  
> IPTABLES="/sbin/iptables"
>  
> /sbin/depmod -a
>  
> /sbin/modprobe ipt_LOG
> /sbin/modprobe ipt_REJECT
> /sbin/modprobe ipt_MASQUERADE
>  
> /sbin/modprobe ip_conntrack_ftp
> /sbin/modprobe ip_nat_ftp
>  
> echo "1" > /proc/sys/net/ipv4/ip_forward
> echo "1" > /proc/sys/net/ipv4/tcp_syncookies
>  
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT DROP
> $IPTABLES -P FORWARD DROP
>  
>  
>  
> #
> # POSTROUTING
> #
>  
> $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to $INET_IP
>  
>
> #
> # FORWARD
> #
>  
> $IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
> $IPTABLES -A FORWARD -p tcp -i $INET_IFACE --tcp-flags SYN,FIN SYN,FIN -j LOG -m limit --limit 10/m --log-prefix="bogus packet: "
> $IPTABLES -A FORWARD -p tcp -i $INET_IFACE --tcp-flags SYN,FIN SYN,FIN -j DROP
>  
>
> $IPTABLES -A FORWARD -i $LAN1_IFACE -j ACCEPT
> $IPTABLES -A FORWARD -i $INET_IFACE -o $LAN1_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -m limit --limit 12/h -j LOG --log-prefix "forward drop: "
>  
>
> #
> # INPUT
> #
>  
> $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
> $IPTABLES -A INPUT -p tcp -i $INET_IFACE --tcp-flags SYN,FIN SYN,FIN -j LOG -m limit --limit 10/m --log-prefix="bogus packet: "
> $IPTABLES -A INPUT -p tcp -i $INET_IFACE --tcp-flags SYN,FIN SYN,FIN -j DROP
>  
> $IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 113 -m limit --limit 12/h -j LOG
> $IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 113 -j REJECT --reject-with tcp-reset #AUTH server
>  
> $IPTABLES -A INPUT -i $INET_IFACE -p ICMP --icmp-type echo-request -j ACCEPT
> $IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT
> $IPTABLES -A INPUT -i $LAN1_IFACE -d $LAN1_IP -j ACCEPT
> $IPTABLES -A INPUT -i $LAN1_IFACE -d $INET_IP -j ACCEPT
>  
> $IPTABLES -A INPUT -i $LAN1_IFACE -d $LAN1_BCAST -j ACCEPT
> $IPTABLES -A INPUT -i $LAN1_IFACE -p udp --dport 67 -j ACCEPT
>  
> $IPTABLES -A INPUT -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A INPUT -m limit --limit 12/h -j LOG --log-prefix "INPUT drop: "
>
> #
> # OUTPUT
> #
>  
> $IPTABLES -A OUTPUT -s $LO_IP -j ACCEPT
> $IPTABLES -A OUTPUT -s $LAN1_IP -j ACCEPT
> $IPTABLES -A OUTPUT -s $INET_IP -j ACCEPT
> $IPTABLES -A OUTPUT -o $LAN1_IFACE -p UDP --dport 68 --sport 67 -j ACCEPT
> $IPTABLES -A OUTPUT -j LOG --log-prefix "OUTPUT drop: "
> _______________________________________________
> Linux mailing list
> Linux at linux.cz
> http://www.linux.cz/mailman/listinfo/linux

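The gap the reply points at, as an added example that is not part of the thread: the quoted script's FORWARD chain accepts only packets arriving on eth1 (`-i $LAN1_IFACE -j ACCEPT`) and replies going from eth0 to eth1, so anything arriving on the host-only interface falls through to the FORWARD DROP policy (and, rate-limited, into the log as "forward drop:"). The same holds for traffic to the host itself: the quoted INPUT chain accepts nothing arriving on the host-only interface, and the quoted OUTPUT chain accepts only by source address (lo, LAN1_IP, INET_IP), so a reply the host sends from its own host-only address is dropped as well. The script below adds the missing rules. The interface name vmnet1 (the VMware default the reply mentions), the host address 172.16.1.1 on it, and the guests using a resolver on the host are assumptions for illustration, not facts from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Rules the quoted firewall script
# lacks for a VMware host-only interface, meant to run after it (its DROP
# policies and the eth0 SNAT rule are then already in place).
# Assumptions for illustration: the host-only interface is vmnet1 (the VMware
# default the reply mentions), the host's address on it is 172.16.1.1, and
# the guests use a resolver running on the host.

IPTABLES="${IPTABLES:-/sbin/iptables}"

# vm_forward_rules VM_IFACE INET_IFACE
# The quoted FORWARD chain accepts only "-i eth1" and replies "-i eth0 -o eth1";
# anything arriving on vmnet1 falls through to the FORWARD DROP policy. Accept
# guest traffic towards the Internet interface and the replies coming back.
# The quoted POSTROUTING rule already SNATs everything leaving eth0, so the
# guests need no extra NAT rule.
vm_forward_rules() {
    $IPTABLES -A FORWARD -i "$1" -o "$2" -j ACCEPT
    $IPTABLES -A FORWARD -i "$2" -o "$1" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# vm_host_dns_rules VM_IFACE VM_HOST_IP
# Traffic to the host itself goes through INPUT/OUTPUT, not FORWARD. The quoted
# INPUT chain accepts nothing arriving on vmnet1, and the quoted OUTPUT chain
# accepts only by source address (lo, LAN1_IP, INET_IP), so a DNS query from a
# guest and the reply sent from the host's vmnet1 address both hit a DROP
# policy (visible as "INPUT drop:" / "OUTPUT drop:" in the log).
vm_host_dns_rules() {
    for proto in udp tcp; do
        $IPTABLES -A INPUT -i "$1" -d "$2" -p "$proto" --dport 53 -j ACCEPT
    done
    # Replies to anything accepted above, leaving on the host-only interface.
    $IPTABLES -A OUTPUT -o "$1" -s "$2" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Without arguments the rules are only printed; "apply" installs them (as root).
[ "${1:-}" = "apply" ] || IPTABLES="echo $IPTABLES"
vm_forward_rules vmnet1 eth0
vm_host_dns_rules vmnet1 172.16.1.1
```

Run it after the quoted script: both quoted chains end in a LOG rule, which is non-terminating, so rules appended afterwards are still reached before the DROP policy applies. Without arguments the script only prints the iptables commands it would run, which is also the quickest way to review them before `sh vm-rules.sh apply` as root installs them.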



More information about the Linux mailing list