Ubuntu CZ/SK Forum
Ubuntu for personal computers => Internet and networks => Topic started by: Corsair, 26 February 2013, 08:43:12
-
Hi,
I'm struggling somehow with Shorewall and access from a VPN client that runs on the net card, and I need to ping a specific address on loc.
I have two LAN cards, br0 and eth0.
br0 is the internet, and the VPN server also runs there.
eth0 is the internal network, masqueraded behind br0.
br0 is an OpenVPN bridge that gives clients the same range, 192.168.2.x.
On eth0 the range is 192.168.0.x.
The interesting thing is that from loc I can ping the VPN client, but I can't get a ping from the VPN client to loc to work at all.
The VPN client has the address 192.168.2.53 and the loc client 192.168.0.102.
I tried enabling rules in rules and also adding the tap0 interface, but it still doesn't work; apparently I'm overlooking something somewhere.
Thanks for any advice.
-
show the output of `ip r' and `sysctl -a | grep ip_f' ..
maybe also show `iptables -vL; iptables -vL -t nat'
-
Attaching the outputs:
ip r:
ip r
default via 192.168.2.254 dev br0
169.254.0.0/16 dev eth0 scope link metric 1000
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.254
192.168.2.0/24 dev br0 proto kernel scope link src 192.168.2.253
sysctl:
net.ipv4.ip_forward = 1
iptables -vL:
sudo iptables -vL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 vpn2fw all -- tap0 any anywhere anywhere
4782 1006K net2fw all -- br0 any anywhere anywhere
715 121K loc2fw all -- eth0 any anywhere anywhere
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 Reject all -- any any anywhere anywhere
0 0 LOG all -- any any anywhere anywhere LOG level info prefix "Shorewall:INPUT:REJECT:"
0 0 reject all -- any any anywhere anywhere [goto]
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 vpn_frwd all -- tap0 any anywhere anywhere
469 51309 net_frwd all -- br0 any anywhere anywhere
37 2796 loc_frwd all -- eth0 any anywhere anywhere
0 0 Reject all -- any any anywhere anywhere
0 0 LOG all -- any any anywhere anywhere LOG level info prefix "Shorewall:FORWARD:REJECT:"
0 0 reject all -- any any anywhere anywhere [goto]
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 fw2vpn all -- any tap0 anywhere anywhere
6620 1362K fw2net all -- any br0 anywhere anywhere
950 83044 fw2loc all -- any eth0 anywhere anywhere
0 0 ACCEPT all -- any lo anywhere anywhere
0 0 Reject all -- any any anywhere anywhere
0 0 LOG all -- any any anywhere anywhere LOG level info prefix "Shorewall:OUTPUT:REJECT:"
0 0 reject all -- any any anywhere anywhere [goto]
Chain %Invalid (3 references)
pkts bytes target prot opt in out source destination
29 1160 DROP all -- any any anywhere anywhere ctstate INVALID
Chain Broadcast (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere ADDRTYPE match dst-type BROADCAST
0 0 DROP all -- any any anywhere anywhere ADDRTYPE match dst-type MULTICAST
0 0 DROP all -- any any anywhere anywhere ADDRTYPE match dst-type ANYCAST
0 0 DROP all -- any any anywhere base-address.mcast.net/4
Chain Drop (2 references)
pkts bytes target prot opt in out source destination
0 0 all -- any any anywhere anywhere
0 0 reject tcp -- any any anywhere anywhere tcp dpt:auth /* Auth */
0 0 Broadcast all -- any any anywhere anywhere
0 0 ACCEPT icmp -- any any anywhere anywhere icmp fragmentation-needed /* Needed ICMP types */
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded /* Needed ICMP types */
0 0 Invalid all -- any any anywhere anywhere
0 0 DROP udp -- any any anywhere anywhere multiport dports loc-srv,microsoft-ds /* SMB */
0 0 DROP udp -- any any anywhere anywhere udp dpts:netbios-ns:netbios-ssn /* SMB */
0 0 DROP udp -- any any anywhere anywhere udp spt:netbios-ns dpts:1024:65535 /* SMB */
0 0 DROP tcp -- any any anywhere anywhere multiport dports loc-srv,netbios-ssn,microsoft-ds /* SMB */
0 0 DROP udp -- any any anywhere anywhere udp dpt:1900 /* UPnP */
0 0 NotSyn tcp -- any any anywhere anywhere
0 0 DROP udp -- any any anywhere anywhere udp spt:domain /* Late DNS Replies */
Chain Invalid (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere ctstate INVALID
Chain NotSyn (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- any any anywhere anywhere tcpflags:! FIN,SYN,RST,ACK/SYN
Chain Reject (8 references)
pkts bytes target prot opt in out source destination
0 0 all -- any any anywhere anywhere
0 0 reject tcp -- any any anywhere anywhere tcp dpt:auth /* Auth */
0 0 Broadcast all -- any any anywhere anywhere
0 0 ACCEPT icmp -- any any anywhere anywhere icmp fragmentation-needed /* Needed ICMP types */
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded /* Needed ICMP types */
0 0 Invalid all -- any any anywhere anywhere
0 0 reject udp -- any any anywhere anywhere multiport dports loc-srv,microsoft-ds /* SMB */
0 0 reject udp -- any any anywhere anywhere udp dpts:netbios-ns:netbios-ssn /* SMB */
0 0 reject udp -- any any anywhere anywhere udp spt:netbios-ns dpts:1024:65535 /* SMB */
0 0 reject tcp -- any any anywhere anywhere multiport dports loc-srv,netbios-ssn,microsoft-ds /* SMB */
0 0 DROP udp -- any any anywhere anywhere udp dpt:1900 /* UPnP */
0 0 NotSyn tcp -- any any anywhere anywhere
0 0 DROP udp -- any any anywhere anywhere udp spt:domain /* Late DNS Replies */
Chain dynamic (6 references)
pkts bytes target prot opt in out source destination
Chain fw2loc (1 references)
pkts bytes target prot opt in out source destination
722 50696 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request /* Ping */
0 0 ACCEPT icmp -- any any anywhere anywhere
228 32348 ACCEPT all -- any any anywhere anywhere
Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
6114 1297K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
31 2091 ACCEPT udp -- any any anywhere anywhere udp dpt:domain /* DNS */
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:domain /* DNS */
0 0 ACCEPT icmp -- any any anywhere anywhere
475 63572 ACCEPT all -- any any anywhere anywhere
Chain fw2vpn (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 Reject all -- any any anywhere anywhere
0 0 LOG all -- any any anywhere anywhere LOG level info prefix "Shorewall:fw2vpn:REJECT:"
0 0 reject all -- any any anywhere anywhere [goto]
Chain loc2fw (1 references)
pkts bytes target prot opt in out source destination
244 36244 dynamic all -- any any anywhere anywhere ctstate INVALID,NEW
471 85052 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh /* SSH */
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request /* Ping */
244 36244 ACCEPT all -- any any anywhere anywhere
Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
37 2796 ACCEPT all -- any any anywhere anywhere
Chain loc2vpn (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 Reject all -- any any anywhere anywhere
0 0 LOG all -- any any anywhere anywhere LOG level info prefix "Shorewall:loc2vpn:REJECT:"
0 0 reject all -- any any anywhere anywhere [goto]
Chain loc_frwd (1 references)
pkts bytes target prot opt in out source destination
37 2796 dynamic all -- any any anywhere anywhere ctstate INVALID,NEW
0 0 loc2vpn all -- any tap0 anywhere anywhere
37 2796 loc2net all -- any br0 anywhere anywhere
0 0 ACCEPT all -- any eth0 anywhere anywhere
Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- any any anywhere anywhere
Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
950 114K dynamic all -- any any anywhere anywhere ctstate INVALID,NEW
3832 892K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
7 396 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh /* SSH */
943 113K %Invalid all -- any any anywhere anywhere
914 112K LOG all -- any any anywhere anywhere LOG level info prefix "Shorewall:net2fw:ACCEPT:"
914 112K ACCEPT all -- any any anywhere anywhere
Chain net2loc (1 references)
pkts bytes target prot opt in out source destination
37 2776 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere 192.168.0.102 tcp dpt:webmin /* Webmin */
0 0 ACCEPT icmp -- any any mail.mesa-parts.cz 192.168.0.102 icmp echo-request /* Ping */
0 0 ACCEPT tcp -- any any wdpc02 192.168.0.102 tcp dpt:3389 /* RDP */
0 0 %Invalid all -- any any anywhere anywhere
0 0 Drop all -- any any anywhere anywhere
0 0 DROP all -- any any anywhere anywhere
Chain net2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh /* SSH */
432 48533 ACCEPT all -- any any anywhere anywhere
Chain net2vpn (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 %Invalid all -- any any anywhere anywhere
0 0 Drop all -- any any anywhere anywhere
0 0 LOG all -- any any anywhere anywhere LOG level info prefix "Shorewall:net2vpn:DROP:"
0 0 DROP all -- any any anywhere anywhere
Chain net_frwd (1 references)
pkts bytes target prot opt in out source destination
432 48533 dynamic all -- any any anywhere anywhere ctstate INVALID,NEW
0 0 net2vpn all -- any tap0 anywhere anywhere
432 48533 net2net all -- any br0 anywhere anywhere
37 2776 net2loc all -- any eth0 anywhere anywhere
Chain reject (15 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere ADDRTYPE match src-type BROADCAST
0 0 DROP all -- any any base-address.mcast.net/4 anywhere
0 0 DROP igmp -- any any anywhere anywhere
0 0 REJECT tcp -- any any anywhere anywhere reject-with tcp-reset
0 0 REJECT udp -- any any anywhere anywhere reject-with icmp-port-unreachable
0 0 REJECT icmp -- any any anywhere anywhere reject-with icmp-host-unreachable
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
Chain vpn2fw (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- any any anywhere anywhere ctstate INVALID,NEW
0 0 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 Reject all -- any any anywhere anywhere
0 0 LOG all -- any any anywhere anywhere LOG level info prefix "Shorewall:vpn2fw:REJECT:"
0 0 reject all -- any any anywhere anywhere [goto]
Chain vpn2loc (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 Reject all -- any any anywhere anywhere
0 0 LOG all -- any any anywhere anywhere LOG level info prefix "Shorewall:vpn2loc:REJECT:"
0 0 reject all -- any any anywhere anywhere [goto]
Chain vpn2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 Reject all -- any any anywhere anywhere
0 0 LOG all -- any any anywhere anywhere LOG level info prefix "Shorewall:vpn2net:REJECT:"
0 0 reject all -- any any anywhere anywhere [goto]
Chain vpn_frwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- any any anywhere anywhere ctstate INVALID,NEW
0 0 ACCEPT all -- any tap0 anywhere anywhere
0 0 vpn2net all -- any br0 anywhere anywhere
0 0 vpn2loc all -- any eth0 anywhere anywhere
-
I don't understand that hideous shorewall ..
could you please temporarily turn shorewall off and:
- enable forwarding
- enable masquerading manually
- make sure the client has the correct routes push()ed
- test the pings
- possibly try enabling `promisc on' on vbr0 and ping again ?
-
Yep, thanks for the advice, I'll try it.
-
So I tried it after turning off shorewall and configuring ip forward, and that way it works.
But I'd still rather go the shorewall route; after all, I'm not that fluent in iptables and shorewall seems quite clear to me.
-
shorewall doesn't seem clear to me at all - do you perhaps see the problem in there? ;)
-
Reluctantly I have to admit you're right; after several hours of digging I gave up :-). Do you know of anything else along the lines of shorewall?
I also have a question on a different topic.
Today I configured a DNS cache server with the Bind9 package according to the guide
http://soledadpenades.com/articles/ubuntu/using-bind-as-a-local-caching-name-server/
Everything works as it should; is it possible to also replace the /etc/hosts file with this?
In the guide I saw that local PCs are added there, and I also entered the ones I have on the network, but if I disable the addresses in hosts, then pinging by name alone doesn't work without hosts.
-
I personally have exactly this simple firewall on my VPN client:
# cat *
#!/bin/bash
echo "executing traskfw script"
sleep 1
INET_IP="***.***.171.107/25"
INET_IFACE="eth1"
LAN_IP="172.23.46.1/24"
LAN_SRC="172.23.46.0/24"
LAN_BCAST="172.23.46.255"
LAN_IFACE="eth0"
LO_IP="127.0.0.1"
LO_IFACE="lo"
## modules
modprobe ip_tables
modprobe ipt_REJECT
modprobe ipt_LOG
modprobe ipt_MASQUERADE
modprobe ip_nat_ftp
#modprobe ip_nat_irc
modprobe ip_conntrack_ftp
modprobe nf_conntrack
#modprobe ip_conntrack_irc
## clearing old tables
iptables -F
iptables -t nat -F
iptables -X
# Default policy: drop everything that is not explicitly allowed below
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Masquerade the LAN behind the internet interface and forward RDP to one LAN host
iptables -t nat -A POSTROUTING -o "$INET_IFACE" -s "$LAN_SRC" -j MASQUERADE
iptables -t nat -A PREROUTING -i "$INET_IFACE" -p tcp --dport 3389 -j DNAT --to 172.23.46.2:3389
# Input/Output/Forward rules
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
## ssh (non-standard port)
iptables -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 52022 -j ACCEPT
#iptables -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 3389 -j ACCEPT
## OpenVPN
iptables -A INPUT -m conntrack --ctstate NEW -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i "$LO_IFACE" -j ACCEPT
iptables -A INPUT -s "$LAN_SRC" -j ACCEPT
iptables -A OUTPUT -j ACCEPT
# the DNATed RDP session must also be allowed through FORWARD
iptables -A FORWARD -p tcp --dport 3389 -i "$INET_IFACE" -j ACCEPT
### forward rules can be specified more precisely by subnet/interface
iptables -A FORWARD -s 172.23.46.32/32 -o "$INET_IFACE" -j REJECT
iptables -A FORWARD -s 172.23.46.33/32 -o "$INET_IFACE" -j REJECT
iptables -A FORWARD -s 172.23.46.34/32 -o "$INET_IFACE" -j REJECT
iptables -A FORWARD -j ACCEPT
I haven't examined your shorewall, but personally I think it's the DROP in FORWARD that cuts it off .. notice how I have it on my side .. please don't forget that you're forwarding between multiple interfaces .. not only WAN<->LAN, but mainly TUN<->LAN
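To check the "DROP in FORWARD" suspicion against the `iptables -vL` paste above, here is a small chain-walk tracer written for this thread (it is not code from either poster). It replays a packet with a given in/out interface and conntrack state through the Shorewall-generated chains and reports which rule decides its fate; SAMPLE is a constructed excerpt of the output posted above, and only the interface and ctstate columns are modelled.

```python
# Added example, not code from the thread: replay a forwarded packet through
# the Shorewall-generated chains pasted above and report which rule decides
# its fate. Only the in/out interface and ctstate columns are modelled; SAMPLE
# is a constructed excerpt of the thread's `iptables -vL` output.
SAMPLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 vpn_frwd all -- tap0 any anywhere anywhere
0 0 Reject all -- any any anywhere anywhere
Chain vpn_frwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- any any anywhere anywhere ctstate INVALID,NEW
0 0 ACCEPT all -- any tap0 anywhere anywhere
0 0 vpn2loc all -- any eth0 anywhere anywhere
Chain vpn2loc (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 Reject all -- any any anywhere anywhere
"""
# Targets that end the walk ('Reject'/'Drop' are Shorewall's wrapper chains).
VERDICTS = {"ACCEPT", "DROP", "REJECT", "Drop", "Reject", "reject"}

def parse(text):
    # Map chain name -> rules {target, in, out, ct}; ct is None without a ctstate match.
    chains, name = {}, None
    for line in text.splitlines():
        f = line.split()
        if f and f[0] == "Chain":
            name, chains[f[1]] = f[1], []
        elif f and f[0] != "pkts":  # every rule line is assumed to carry a target
            ct = set(f[f.index("ctstate") + 1].split(",")) if "ctstate" in f else None
            chains[name].append({"target": f[2], "in": f[5], "out": f[6], "ct": ct})
    return chains

def walk(chains, chain, inp, out, ctstate, path=None):
    # Return the chain path the packet takes, ending with the deciding target;
    # a path without a verdict means the built-in chain's policy (DROP) applies.
    path = (path or []) + [chain]
    for r in chains.get(chain, []):
        if r["in"] not in ("any", inp) or r["out"] not in ("any", out) \
                or (r["ct"] is not None and ctstate not in r["ct"]):
            continue
        if r["target"] in VERDICTS:
            return path + [r["target"]]
        if r["target"] in chains:  # jump into a user chain
            sub = walk(chains, r["target"], inp, out, ctstate, path)
            if sub[-1] in VERDICTS:
                return sub
        # unknown or empty chains ('dynamic', LOG, ...) fall through to the next rule
    return path
```

A NEW packet entering on tap0 and leaving on eth0 ends in vpn2loc's Reject, while an ESTABLISHED one is accepted there, which is why replies pass but a fresh ping from the VPN side does not.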