dnsko ti zjevne jde ... ukaz nam prosim vystup z ``ip a; ip r; arp -an'' pri pripojenem klientovi ... schovej si tam prosim verejnou ip adresu, lokalni rozsahy jsou samozrejme jedno .. asi to ukaz jak ze serveru, tak z klienta ...
dalsi vec co to muze (as mozna i zpusobuje) je firewall ... tzn pridej vypis z iptables-save ze serveru
ze serveru, klient je Win7
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
link/ether 00:13:3b:10:17:f7 brd ff:ff:ff:ff:ff:ff
3: p2p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether d0:50:99:53:b8:72 brd ff:ff:ff:ff:ff:ff
inet X.X.226.54/27 brd X.X.226.63 scope global p2p1
valid_lft forever preferred_lft forever
inet6 fe80::d250:99ff:fe53:b872/64 scope link
valid_lft forever preferred_lft forever
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP group default qlen 1000
link/ether 00:c2:c6:99:d7:cf brd ff:ff:ff:ff:ff:ff
5: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 00:13:3b:10:17:f7 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global br0
valid_lft forever preferred_lft forever
inet6 fe80::213:3bff:fe10:17f7/64 scope link
valid_lft forever preferred_lft forever
13: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
valid_lft forever preferred_lft forever
ip r
default via X.X.226.33 dev p2p1
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
X.X.226.32/27 dev p2p1 proto kernel scope link src X.X.226.54
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
ip r
default via X.X.226.33 dev p2p1
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
X.X.226.32/27 dev p2p1 proto kernel scope link src X.X.226.54
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
root@skynet:~# arp -an
? (192.168.1.30) na <nekompletní> na br0
? (192.168.1.75) na <nekompletní> na br0
? (192.168.1.12) na cc:af:78:2a:fe:f4 [ether] na br0
? (192.168.1.46) na <nekompletní> na br0
? (192.168.1.5) na 00:04:9f:00:27:5f [ether] na br0
? (192.168.1.21) na <nekompletní> na br0
? (192.168.1.11) na <nekompletní> na br0
? (10.153.226.33) na 00:0c:42:c5:ac:f3 [ether] na p2p1
? (192.168.1.74) na <nekompletní> na br0
? (192.168.1.15) na <nekompletní> na br0
? (192.168.1.47) na <nekompletní> na br0
? (192.168.1.10) na <nekompletní> na br0
? (192.168.1.26) na 8c:c1:21:9d:0a:e8 [ether] na br0
++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++
# Generated by iptables-save v1.4.21 on Wed Apr 6 12:17:35 2016
*nat
:PREROUTING ACCEPT [45773:3616875]
:INPUT ACCEPT [20850:1647773]
:OUTPUT ACCEPT [13306:1102514]
:POSTROUTING ACCEPT [13585:1136285]
-A POSTROUTING -s 192.168.1.0/24 -o p2p1 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -o p2p1 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o p2p1 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -o p2p1 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o p2p1 -j MASQUERADE
COMMIT
# Completed on Wed Apr 6 12:17:35 2016
# Generated by iptables-save v1.4.21 on Wed Apr 6 12:17:35 2016
*filter
:INPUT DROP [11788:980592]
:FORWARD ACCEPT [865:48180]
:OUTPUT ACCEPT [7:336]
:fail2ban-apache - [0:0]
:fail2ban-apache-multiport - [0:0]
:fail2ban-apache-noscript - [0:0]
:fail2ban-apache-overflows - [0:0]
:fail2ban-dovecot-pop3imap - [0:0]
:fail2ban-owncloud - [0:0]
:fail2ban-ssh - [0:0]
:fail2ban-ssh-ddos - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -p tcp -j fail2ban-dovecot-pop3imap
-A INPUT -p tcp -j fail2ban-apache-overflows
-A INPUT -p tcp -j fail2ban-apache-noscript
-A INPUT -p tcp -j fail2ban-apache-multiport
-A INPUT -p tcp -j fail2ban-apache
-A INPUT -p tcp -j fail2ban-owncloud
-A INPUT -p tcp -j fail2ban-ssh-ddos
-A INPUT -p tcp -j fail2ban-ssh
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A fail2ban-apache -j RETURN
-A fail2ban-apache-multiport -j RETURN
-A fail2ban-apache-noscript -j RETURN
-A fail2ban-apache-overflows -j RETURN
-A fail2ban-dovecot-pop3imap -j RETURN
-A fail2ban-owncloud -j RETURN
-A fail2ban-ssh -j RETURN
-A fail2ban-ssh-ddos -j RETURN
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -i br0 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j ACCEPT
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-forward -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-forward -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 993 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 25 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 587 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 587 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 2234 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 1194 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Wed Apr 6 12:17:35 2016