Bugs #13968
Closed
router-wan-sa : firewall script fails - internet http traffic DNAT port forwarding x+1 bug
0%
Description
after a certain amount of time the firewall (transparent proxy at 192.168.45.250:3128) stops working
Files
Related issues: 1 (0 open, 1 closed)
Updated by Ernad Husremović about 17 years ago
- File iptables.txt added
Updated by Ernad Husremović about 17 years ago
restarted the firewall, but nothing
so then I isolated the part that is supposed to provide the http traffic
#!/bin/sh
IPTABLES=iptables
PROXY_SERVER="192.168.45.250"
ROUTER_IP="192.168.45.254"
# redirect LAN http (port 80) to the transparent squid, except traffic from the proxy itself or addressed to the router
$IPTABLES -t nat -A PREROUTING -i br-lan -p tcp -m tcp -s ! $PROXY_SERVER -d ! $ROUTER_IP --dport 80 -j DNAT --to $PROXY_SERVER:3128
# rewrite the source so that squid's replies come back through the router
$IPTABLES -t nat -A POSTROUTING -o br-lan -d $PROXY_SERVER -j SNAT --to $ROUTER_IP
# let the redirected connections through the FORWARD chain
$IPTABLES -A FORWARD -d $PROXY_SERVER -i br-lan -o br-lan -p tcp --dport 3128 -j ACCEPT
but it looks like this prerouting and postrouting are not working?!
Updated by Ernad Husremović about 17 years ago
- Subject changed from router-wan-sa : firewall script fails to router-wan-sa : firewall script fails - internet http traffic
root@router-wan-sa-1:/tmp# iptables -L PREROUTING
iptables: No chain/target/match by that name
root@router-wan-sa-1:/tmp# iptables -L POSTROUTING
iptables: No chain/target/match by that name
Updated by Ernad Husremović about 17 years ago
after the restart I captured the iptables.txt state, but it does not differ at all?
now that http traffic from the LAN works I get this event (my workstation is 192.168.45.45.153):
Apr 14 11:42:27 router-wan-sa-1 user.debug kernel: GP_LAN_OK IN=br-lan OUT=br-lan SRC=192.168.45.153 DST=192.168.45.250 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2788 DF PROTO=TCP SPT=59687 DPT=3128 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A003757FB0000000001030307)
Updated by Ernad Husremović about 17 years ago
- File iptables_t_nat.txt added
above I invoked it wrongly; -t nat has to be given, since it is not the default table
root@router-wan-sa-1:~# iptables -t nat -L PREROUTING
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             SE400.PPPoE-4431.sa.bih.net.ba  tcp dpt:7071 to:192.168.45.188
DNAT       tcp  --  anywhere             SE400.PPPoE-4431.sa.bih.net.ba  tcp dpt:5222 to:192.168.45.148
DNAT       tcp  --  anywhere             SE400.PPPoE-4431.sa.bih.net.ba  tcp dpt:993 to:192.168.45.188
DNAT       tcp  --  anywhere             SE400.PPPoE-4431.sa.bih.net.ba  tcp dpt:995 to:192.168.45.188
DNAT       tcp  --  anywhere             SE400.PPPoE-4431.sa.bih.net.ba  tcp dpt:465 to:192.168.45.188
DNAT       tcp  --  anywhere             SE400.PPPoE-4431.sa.bih.net.ba  tcp dpt:25 to:192.168.45.189
DNAT       tcp  --  anywhere             SE400.PPPoE-4431.sa.bih.net.ba  tcp multiport dports 80,443 to:192.168.45.184
DNAT       tcp  --  anywhere             SE400.PPPoE-4431.sa.bih.net.ba  tcp dpt:143 to:192.168.45.188
DNAT       tcp  --  anywhere             SE400.PPPoE-4431.sa.bih.net.ba  tcp dpt:110 to:192.168.45.188
DNAT       tcp  --  !192.168.45.250      !192.168.45.254                 tcp dpt:80 to:192.168.45.250:3128
Updated by Ernad Husremović about 17 years ago
man iptables:
-t, --table table
    This option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module loading, an attempt will be made to load the appropriate module for that table if it is not already there.
    The tables are as follows:
    filter:
        This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).
    nat:
        This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).
    mangle:
        This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).
    raw:
        This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: PREROUTING (for packets arriving via any network interface) OUTPUT (for packets generated by local processes)
Updated by Ernad Husremović about 17 years ago
it remains for me to keep watching this stalling of internet http traffic
Updated by Ernad Husremović about 17 years ago
- File iptables_t_nat_v.txt added
- File iptables_v.txt added
I need the "-v" option to see the interfaces
root@router-wan-sa-1:~# iptables -t nat -L -v > /tmp/iptables_t_nat_v.txt
root@router-wan-sa-1:~# iptables -t filter -L -v > /tmp/iptables_v.txt
Updated by Ernad Husremović about 17 years ago
well, this is sheer madness: the iptables state is untouched, yet the proxying goes haywire
when it goes haywire I get this.
Apr 15 11:44:37 router-wan-sa-1 user.debug kernel: GP_LAN_OK IN=br-lan OUT=br-lan SRC=192.168.45.153 DST=192.168.45.250 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3176 DF PROTO=TCP SPT=44932 DPT=3129 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A002883050000000001030307)
where on earth does DPT=3128 come from, when the tables say 3128; I checked, it is 3128
the dumbest thing of all is that this is how I managed to get proxying back:
root@router-wan-sa-1:/tmp# iptables -t nat -D PREROUTING -i br-lan -p tcp -m tcp -s ! 192.168.45.250 -d ! 192.168.45.254 --dport 80 -j DNAT --to 192.168.45.250:3128
root@router-wan-sa-1:/tmp# iptables -t nat -A PREROUTING -i br-lan -p tcp -m tcp -s ! 192.168.45.250 -d ! 192.168.45.254 --dport 80 -j DNAT --to 192.168.45.250:3127
so I set 3127 (and it proxied to 3127+1; I followed the 3128+1 logic it applies when it goes haywire) ... oh dear
when I tried:
root@router-wan-sa-1:/tmp# iptables --flush
the router hung and I had to reset it by hardware.
when everything is fine
Apr 15 16:18:30 kernel: GP_LAN_OK IN=br-lan OUT=br-lan SRC=192.168.45.153 DST=192.168.45.250 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=21962 DF PROTO=TCP SPT=50301 DPT=3128 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A006733F30000000001030307)
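An added check, not part of this ticket, for the symptom shown in the two log lines above: it scans the router's GP_LAN_OK kernel log lines for LAN-to-proxy SYNs whose destination port is not the one the DNAT rule names (3128 vs 3129). The sample log lines are constructed after the ones quoted here; PROXY_SERVER and PROXY_PORT are assumed values.

```shell
#!/bin/sh
# Added example (not from the ticket): detect DNAT target-port drift in the kernel log.
PROXY_SERVER="192.168.45.250"   # assumed: the transparent squid host
PROXY_PORT=3128                 # assumed: the port the PREROUTING DNAT rule names

# count_dnat_drift DST PORT  < loglines
# Prints how many GP_LAN_OK lines addressed to DST carry a DPT= other than PORT.
count_dnat_drift() {
    awk -v dst="DST=$1" -v want="DPT=$2" '
        /GP_LAN_OK/ {
            hit = 0
            dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i == dst) hit = 1
                if ($i ~ /^DPT=/) dpt = $i
            }
            if (hit && dpt != want) n++
        }
        END { print n + 0 }'
}

# Constructed sample lines modelled on the ticket's log entries (hypothetical data).
SAMPLE_LOG='Apr 15 11:44:37 router-wan-sa-1 user.debug kernel: GP_LAN_OK IN=br-lan OUT=br-lan SRC=192.168.45.153 DST=192.168.45.250 LEN=60 PROTO=TCP SPT=44932 DPT=3129 SYN URGP=0
Apr 15 16:18:30 router-wan-sa-1 user.debug kernel: GP_LAN_OK IN=br-lan OUT=br-lan SRC=192.168.45.153 DST=192.168.45.250 LEN=60 PROTO=TCP SPT=50301 DPT=3128 SYN URGP=0
Apr 15 16:18:31 router-wan-sa-1 user.debug kernel: GP_LAN_OK IN=br-lan OUT=br-lan SRC=192.168.45.153 DST=192.168.45.188 LEN=60 PROTO=TCP SPT=50302 DPT=993 SYN URGP=0'

drift_count=$(printf '%s\n' "$SAMPLE_LOG" | count_dnat_drift "$PROXY_SERVER" "$PROXY_PORT")
echo "LAN->proxy SYNs on an unexpected port: $drift_count"
if [ "$drift_count" -gt 0 ]; then
    echo "DNAT target port drift detected; compare with: iptables -t nat -L PREROUTING -n -v"
fi
```

On the router itself the same function can be fed from logread instead of the constructed sample.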
Updated by Ernad Husremović about 17 years ago
hah, I ran into a bug
http://forum.openwrt.org/viewtopic.php?id=12165
Whenever I use DNAT to forward to port X, the kernel actually forwards packets to port X+1. So I need to forward to port 21 in order to forward ssh, etc. Here is a basic example of the bug:
which is still open: https://dev.openwrt.org/ticket/2558
Updated by Ernad Husremović about 17 years ago
- Subject changed from router-wan-sa : firewall script fails - internet http traffic to router-wan-sa : firewall script fails - internet http traffic DNAT port forwarding x+1 bug
Updated by Ernad Husremović about 17 years ago
http://forum.openwrt.org/viewtopic.php?pid=63571
the last poster says:
switching to Kamikaze 7.09 with kernel 2.6 (instead of 2.4) fixes this issue for me (linksys wrt54).
Updated by Ernad Husremović about 17 years ago
hernad@nmraka-1:~/devel/hg/openwrt/openwrt/build_dir/linux-brcm47xx/iptables-1.3.8/extensions/libipt_DNAT.c
...
	dash = strchr(colon, '-');
	if (!dash) {
		range.min.tcp.port
			= range.max.tcp.port
			= htons(port);
	} else {
...
Updated by Ernad Husremović about 17 years ago
at the end of the parsing it says
return &(append_range(info, &range)->t);
and this is that function
static struct ipt_natinfo *
append_range(struct ipt_natinfo *info, const struct ip_nat_range *range)
{
	unsigned int size;

	/* One rangesize already in struct ipt_natinfo */
	size = IPT_ALIGN(sizeof(*info) + info->mr.rangesize * sizeof(*range));

	info = realloc(info, size);
	if (!info)
		exit_error(OTHER_PROBLEM, "Out of memory\n");

	info->t.u.target_size = size;
	info->mr.range[info->mr.rangesize] = *range;
	info->mr.rangesize++;

	return info;
}
Updated by Ernad Husremović about 17 years ago
here I found the squid transparent proxy setup that I based my configuration on, so that it is on record: http://www.ibiblio.org/pub/Linux/docs/HOWTO/TransparentProxy
Updated by Ernad Husremović about 17 years ago
- Priority changed from Immediate to Normal
I have removed sending http to squid until further notice
Updated by Ernad Husremović almost 15 years ago
- Status changed from Assigned to Rejected