Problemy s DNS v VMWARE

Kovář Jan jan-kovar na meggle.cz
Thursday July 17 17:07:43 CEST 2008


Aaah, we're misunderstanding each other. That's not the host machine's firewall. The host machine is Windows 2003 Server R2 Ent Ed 64bit, and I turned its firewall off. This is the firewall of the Linux box that serves as the router, and the host-only NIC is eth1. So:

$IPTABLES -A FORWARD -i $LAN1_IFACE -j ACCEPT

should do the trick. Well, I don't know.

Honza

-----Original Message-----
From: linux-bounces na linux.cz [mailto:linux-bounces na linux.cz] On Behalf Of Petr Vavra
Sent: Thursday, July 17, 2008 4:15 PM
To: Diskuse o Linuxu v cestine
Subject: Re: Problemy s DNS v VMWARE

Yes, you do have forwarding enabled, but in the firewall you haven't allowed it from the host-only interface (you have FORWARD set to DROP and then allow it for some directions, but you haven't allowed the one coming from interface vmnetx; by default vmnet1 is the host-only one).

Petr Vavra

Kovář Jan wrote:
>  
>
> -----Original Message-----
> From: linux-bounces na linux.cz [mailto:linux-bounces na linux.cz] On Behalf Of Petr Simek
> Sent: Thursday, July 17, 2008 2:51 PM
> To: Diskuse o Linuxu v cestine
> Subject: RE: Problemy s DNS v VMWARE
>
> On Thu, 17 Jul 2008, Kovář Jan wrote:
>
>   
>> Hmm, so the problem isn't just DNS. But I completely fail to understand the
>> logic of these errors. :-(
>>
>> [root na gw ~]# telnet 192.168.10.2 25
>> Trying 192.168.10.2...
>> telnet: connect to address 192.168.10.2: No route to host
>> telnet: Unable to connect to remote host: No route to host
>>     
>
>   
>> [root na gw ~]# ssh 192.168.10.2
>> ssh: connect to host 192.168.10.2 port 22: Connection refused
>>     
>
>   
>> Why does it say No route to host in the first case? It's the same address.
>>
>> I don't get it. And yet the GATEWAY entry in /etc/sysconfig/network is there and
>> is correct. :-( One protocol works, the other doesn't. I feel like an idiot.
>> :-(
>>     
>
>   
>> Isn't there some firewall there? A DROP rule in one case and REJECT in the other?
>>     
>
> Yes there is, but IMHO in this case it's irrelevant. I'm sending the whole script listing. I've given up for today, I'm totally fried, but tomorrow I'll try to trim it down to the bare minimum.
>
> #!/bin/sh
> #
> INET_IP="192.168.10.57"
> INET_IFACE="eth0"
>
> LAN1_IP="10.0.1.1/32"
> LAN1_BCAST="10.0.1.255/32"
> LAN1_IFACE="eth1"
>
> LO_IFACE="lo"
> LO_IP="127.0.0.1/32"
>
> IPTABLES="/sbin/iptables"
>
> /sbin/depmod -a
>
> /sbin/modprobe ipt_LOG
> /sbin/modprobe ipt_REJECT
> /sbin/modprobe ipt_MASQUERADE
>
> /sbin/modprobe ip_conntrack_ftp
> /sbin/modprobe ip_nat_ftp
>
> echo "1" > /proc/sys/net/ipv4/ip_forward
> echo "1" > /proc/sys/net/ipv4/tcp_syncookies
>
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT DROP
> $IPTABLES -P FORWARD DROP
>
> #
> # POSTROUTING
> #
>
> $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to $INET_IP
>
> #
> # FORWARD
> #
>
> $IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
> $IPTABLES -A FORWARD -p tcp -i $INET_IFACE --tcp-flags SYN,FIN SYN,FIN -j LOG -m limit --limit 10/m --log-prefix="bogus packet: "
> $IPTABLES -A FORWARD -p tcp -i $INET_IFACE --tcp-flags SYN,FIN SYN,FIN -j DROP
>
> $IPTABLES -A FORWARD -i $LAN1_IFACE -j ACCEPT
> $IPTABLES -A FORWARD -i $INET_IFACE -o $LAN1_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -m limit --limit 12/h -j LOG --log-prefix "forward drop: "
>
> #
> # INPUT
> #
>
> $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
> $IPTABLES -A INPUT -p tcp -i $INET_IFACE --tcp-flags SYN,FIN SYN,FIN -j LOG -m limit --limit 10/m --log-prefix="bogus packet: "
> $IPTABLES -A INPUT -p tcp -i $INET_IFACE --tcp-flags SYN,FIN SYN,FIN -j DROP
>
> $IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 113 -m limit --limit 12/h -j LOG
> $IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 113 -j REJECT --reject-with tcp-reset #AUTH server
>
> $IPTABLES -A INPUT -i $INET_IFACE -p ICMP --icmp-type echo-request -j ACCEPT
> $IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT
> $IPTABLES -A INPUT -i $LAN1_IFACE -d $LAN1_IP -j ACCEPT
> $IPTABLES -A INPUT -i $LAN1_IFACE -d $INET_IP -j ACCEPT
>
> $IPTABLES -A INPUT -i $LAN1_IFACE -d $LAN1_BCAST -j ACCEPT
> $IPTABLES -A INPUT -i $LAN1_IFACE -p udp --dport 67 -j ACCEPT
>
> $IPTABLES -A INPUT -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A INPUT -m limit --limit 12/h -j LOG --log-prefix "INPUT drop: "
>
> #
> # OUTPUT
> #
>
> $IPTABLES -A OUTPUT -s $LO_IP -j ACCEPT
> $IPTABLES -A OUTPUT -s $LAN1_IP -j ACCEPT
> $IPTABLES -A OUTPUT -s $INET_IP -j ACCEPT
> $IPTABLES -A OUTPUT -o $LAN1_IFACE -p UDP --dport 68 --sport 67 -j ACCEPT
> $IPTABLES -A OUTPUT -j LOG --log-prefix "OUTPUT drop: "

_______________________________________________
Linux mailing list
Linux na linux.cz
http://www.linux.cz/mailman/listinfo/linux
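Both questions in this thread (Petr Simek's "DROP in one case and REJECT in the other?" and Petr Vavra's point that FORWARD has a DROP policy with per-direction ACCEPTs) come down to which rule a given packet hits first. The following is an added example and not code from the thread: it replays the quoted script's FORWARD and INPUT rules, written as a constructed iptables-save sample with the script's variables expanded and the SYN,FIN sanity rules left out, against a hypothetical packet and reports the verdict together with the message a TCP client would get. The packet fields (iif, oif, proto, dport, dst, state, flags) and the functions parse_ruleset, walk_chain, client_view and tcp_syn are this example's own; only the match options the script uses are modelled. The client-side mapping is the kernel's: a DROP is a timeout, a REJECT with tcp-reset or the default icmp-port-unreachable is "Connection refused", and a REJECT with an ICMP host-unreachable or host/admin-prohibited reason is "No route to host".

```python
"""Offline walk of one iptables chain for one packet, plus the client-side symptom.
Added example, not code from the thread: only the match options used in the quoted
script are modelled; the packet fields iif/oif/proto/dport/dst/state/flags are ours."""
import ipaddress
import shlex

# Constructed sample: the quoted script's FORWARD/INPUT rules (minus the SYN,FIN
# sanity rules) in iptables-save form, with INET_IFACE=eth0, LAN1_IFACE=eth1,
# INET_IP=192.168.10.57 and LAN1_IP=10.0.1.1 expanded.
RULESET = """
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m limit --limit 12/h -j LOG --log-prefix "forward drop: "
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -i eth0 -p tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -i eth1 -d 10.0.1.1/32 -j ACCEPT
-A INPUT -d 192.168.10.57/32 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m limit --limit 12/h -j LOG --log-prefix "INPUT drop: "
COMMIT
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # LOG is not terminating: it falls through

# What the Linux TCP stack reports for each --reject-with reason (ICMP code -> errno).
REJECT_MSG = {"tcp-reset": "Connection refused", "icmp-port-unreachable": "Connection refused",
              "icmp-host-unreachable": "No route to host", "icmp-host-prohibited": "No route to host",
              "icmp-admin-prohibited": "No route to host",
              "icmp-net-unreachable": "Network is unreachable", "icmp-net-prohibited": "Network is unreachable"}


def parse_ruleset(text):
    """Return ({chain: policy}, {chain: [rule dict]}) from iptables-save text."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                   # ":CHAIN POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
        elif line.startswith("-A "):
            toks = shlex.split(line)
            rule = {"matches": {}, "negated": set(), "target": "", "topts": {}}
            i, negate = 2, False
            while i < len(toks):
                tok = toks[i]
                if tok == "!":
                    negate, i = True, i + 1
                elif tok == "-m":                  # extension name; its options follow
                    i += 2
                elif tok == "-j":
                    rule["target"], i = toks[i + 1], i + 2
                elif rule["target"]:               # after -j: an option of the target
                    rule["topts"][tok], i = toks[i + 1], i + 2
                else:
                    if tok == "--syn":             # the one flag option without a value
                        rule["matches"][tok], i = True, i + 1
                    else:
                        rule["matches"][tok], i = toks[i + 1], i + 2
                    if negate:
                        rule["negated"].add(tok)
                        negate = False
            chains[toks[1]].append(rule)
    return policies, chains


def option_matches(opt, value, pkt):
    """Evaluate one match option; options not modelled (limit) always match."""
    flags = set(pkt.get("flags", ()))
    if opt == "-i":
        return pkt.get("iif") == value
    if opt == "-o":
        return pkt.get("oif") == value
    if opt == "-p":
        return pkt.get("proto") == value.lower()
    if opt == "-d":
        return "dst" in pkt and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(value, strict=False)
    if opt == "--dport":
        return pkt.get("dport") == int(value)
    if opt == "--syn":                             # SYN set, ACK/RST/FIN clear
        return flags & {"SYN", "ACK", "RST", "FIN"} == {"SYN"}
    if opt == "--state":
        return pkt.get("state") in value.split(",")
    return True


def walk_chain(chain, pkt, ruleset=RULESET):
    """(target, target options) of the first terminating rule hit, else the chain policy."""
    policies, chains = parse_ruleset(ruleset)
    for rule in chains[chain]:
        if rule["target"] in TERMINAL and all(
                option_matches(o, v, pkt) != (o in rule["negated"]) for o, v in rule["matches"].items()):
            return rule["target"], rule["topts"]
    return policies[chain], {}


def client_view(verdict, topts):
    """Message a TCP client sees for the verdict."""
    if verdict == "ACCEPT":
        return "reaches the service"
    if verdict == "DROP":
        return "timeout (no reply at all)"
    return REJECT_MSG[topts.get("--reject-with", "icmp-port-unreachable")]


def tcp_syn(**fields):
    """Constructed packet: a fresh TCP SYN (conntrack state NEW) with the given fields."""
    return {"proto": "tcp", "state": "NEW", "flags": ("SYN",), **fields}
```

With this ruleset, a new SYN entering on eth1 is accepted by the FORWARD chain, a new SYN from eth0 towards eth1 only matches the LOG rule and then falls to the DROP policy (a client timeout), and a SYN to port 113 on eth0 is rejected with a TCP reset (Connection refused). A "No route to host" can only come out of a REJECT with a host-unreachable or host/admin-prohibited ICMP reason; feeding the actual ruleset of each box (iptables-save output) into walk_chain shows which one produced it.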
