DNS problems in VMWARE
Kovář Jan
jan-kovar na meggle.cz
Thursday July 17 17:07:43 CEST 2008
Aaah, we are misunderstanding each other. That is not the host machine's firewall. The host machine is Windows 2003 Server R2 Ent Ed 64bit, and I turned its firewall off. This is the firewall of the Linux box that serves as the router, and the host-only NIC is eth1. So:
$IPTABLES -A FORWARD -i $LAN1_IFACE -j ACCEPT
should do the trick. I don't know, though.
Honza
-----Original Message-----
From: linux-bounces na linux.cz [mailto:linux-bounces na linux.cz] On Behalf Of Petr Vavra
Sent: Thursday, July 17, 2008 4:15 PM
To: Diskuse o Linuxu v cestine
Subject: Re: DNS problems in VMWARE
Yes, you do have forwarding turned on, but in the firewall you have not allowed it from the host-only interface (you have FORWARD set to DROP and then allow it for some directions, but you have not allowed it from the vmnetX interface; by default vmnet1 is the host-only one).
Petr Vavra
Kovář Jan wrote:
>
>
> -----Original Message-----
> From: linux-bounces na linux.cz [mailto:linux-bounces na linux.cz] On Behalf
> Of Petr Simek
> Sent: Thursday, July 17, 2008 2:51 PM
> To: Diskuse o Linuxu v cestine
> Subject: RE: DNS problems in VMWARE
>
> On Thu, 17 Jul 2008, Kovář Jan wrote:
>
>
>> Hmm, so the problem isn't only in DNS. But I completely fail to understand the logic of these
>> errors. :-(
>>
>> [root na gw ~]# telnet 192.168.10.2 25
>> Trying 192.168.10.2...
>> telnet: connect to address 192.168.10.2: No route to host
>> telnet: Unable to connect to remote host: No route to host
>>
>
>
>> [root na gw ~]# ssh 192.168.10.2
>> ssh: connect to host 192.168.10.2 port 22: Connection refused
>>
>
>
>> Why does it say No route to host in the first case? It's the same address.
>>
>> I don't understand it. And the GATEWAY entry in /etc/sysconfig/network is there and
>> it is correct. :-( One protocol works, the other doesn't. I feel like an idiot.
>> :-(
>>
>
>
> Isn't there some firewall? One rule DROP and another REJECT?
>
>
> Yes, there is, but IMHO in this case it is useless. I'm sending the whole listing of the script. I've given up for today, I'm totally burned out, but tomorrow I'll try to cut it down to the bare minimum.
>
> #!/bin/sh
> #
> INET_IP="192.168.10.57"
> INET_IFACE="eth0"
>
> LAN1_IP="10.0.1.1/32"
> LAN1_BCAST="10.0.1.255/32"
> LAN1_IFACE="eth1"
>
> LO_IFACE="lo"
> LO_IP="127.0.0.1/32"
>
> IPTABLES="/sbin/iptables"
>
> /sbin/depmod -a
>
> /sbin/modprobe ipt_LOG
> /sbin/modprobe ipt_REJECT
> /sbin/modprobe ipt_MASQUERADE
>
> /sbin/modprobe ip_conntrack_ftp
> /sbin/modprobe ip_nat_ftp
>
> echo "1" > /proc/sys/net/ipv4/ip_forward
> echo "1" > /proc/sys/net/ipv4/tcp_syncookies
>
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT DROP
> $IPTABLES -P FORWARD DROP
>
>
>
> #
> # POSTROUTING
> #
>
> $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to $INET_IP
>
>
> #
> # FORWARD
> #
>
> $IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
> $IPTABLES -A FORWARD -p tcp -i $INET_IFACE --tcp-flags SYN,FIN SYN,FIN -j LOG -m limit --limit 10/m --log-prefix="bogus packet: "
> $IPTABLES -A FORWARD -p tcp -i $INET_IFACE --tcp-flags SYN,FIN SYN,FIN -j DROP
>
>
> $IPTABLES -A FORWARD -i $LAN1_IFACE -j ACCEPT
> $IPTABLES -A FORWARD -i $INET_IFACE -o $LAN1_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -m limit --limit 12/h -j LOG --log-prefix "forward drop: "
>
>
> #
> # INPUT
> #
>
> $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
> $IPTABLES -A INPUT -p tcp -i $INET_IFACE --tcp-flags SYN,FIN SYN,FIN -j LOG -m limit --limit 10/m --log-prefix="bogus packet: "
> $IPTABLES -A INPUT -p tcp -i $INET_IFACE --tcp-flags SYN,FIN SYN,FIN -j DROP
>
> $IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 113 -m limit --limit 12/h -j LOG
> $IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 113 -j REJECT --reject-with tcp-reset #AUTH server
>
> $IPTABLES -A INPUT -i $INET_IFACE -p ICMP --icmp-type echo-request -j ACCEPT
> $IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT
> $IPTABLES -A INPUT -i $LAN1_IFACE -d $LAN1_IP -j ACCEPT
> $IPTABLES -A INPUT -i $LAN1_IFACE -d $INET_IP -j ACCEPT
>
> $IPTABLES -A INPUT -i $LAN1_IFACE -d $LAN1_BCAST -j ACCEPT
> $IPTABLES -A INPUT -i $LAN1_IFACE -p udp --dport 67 -j ACCEPT
>
> $IPTABLES -A INPUT -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A INPUT -m limit --limit 12/h -j LOG --log-prefix "INPUT drop: "
>
> #
> # OUTPUT
> #
>
> $IPTABLES -A OUTPUT -s $LO_IP -j ACCEPT
> $IPTABLES -A OUTPUT -s $LAN1_IP -j ACCEPT
> $IPTABLES -A OUTPUT -s $INET_IP -j ACCEPT
> $IPTABLES -A OUTPUT -o $LAN1_IFACE -p UDP --dport 68 --sport 67 -j ACCEPT
> $IPTABLES -A OUTPUT -j LOG --log-prefix "OUTPUT drop: "
> _______________________________________________
> Linux mailing list
> Linux na linux.cz
> http://www.linux.cz/mailman/listinfo/linux
>