originally posted here: http://forum.softpedia.com/index.php?showtopic=303417
This morning Clicknet gifted me a downtime of about 6 hours :rantcurse: . Without even looking at the modem, I rushed to flush the firewall and other nonsense, thinking the problem was there, but then I saw the SpeedTouch 330 was out of sync. I restarted the PC (so I wouldn't have to re-enter all the firewall lines by hand and so on), setting a cron job to dial ppp0 every hour, to catch the moment the connection came back. That happened around 8-something, before I left for classes.
Anyway, I got back from high school around 3-something and the modem was still out of sync, so I deleted the cron job and called 08008-CLICK. All well and good, they told me it would take a while longer :confuzzled: . Luckily, around 4-something it came back.
I dial and connect to the net. Except that around 8 my uncle (with whom I share the connection) comes over and tells me it's not working :rolleyes: .
I rush over there, thinking he'd been poking around the settings again, but everything was OK :mellow: .
IP, netmask, DNS, gateway obtained via DHCP without problems, so ... he's out of the picture. Then the problem must be on my end, I told myself.
OK..
I run ifconfig:
[root@pc1 afaith]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0A:E6:2F:A0:05
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20a:e6ff:fe2f:a005/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:40883 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7662 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2955488 (2.8 MiB)  TX bytes:2911066 (2.7 MiB)
          Interrupt:20 Base address:0xf00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:78649 errors:0 dropped:0 overruns:0 frame:0
          TX packets:78649 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:18751738 (17.8 MiB)  TX bytes:18751738 (17.8 MiB)

nas0      Link encap:Ethernet  HWaddr 00:0E:50:DB:45:A0
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20e:50ff:fedb:45a0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:57781 errors:0 dropped:0 overruns:0 frame:0
          TX packets:47135 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:60912740 (58.0 MiB)  TX bytes:7928094 (7.5 MiB)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:92.80.200.*  P-t-P:92.80.192.254  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:57621 errors:0 dropped:0 overruns:0 frame:0
          TX packets:46963 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:60444342 (57.6 MiB)  TX bytes:6417827 (6.1 MiB)

[root@pc1 afaith]#
everything in order
ping google.ro
[root@pc1 afaith]# ping google.ro -c 5
PING google.ro (72.14.221.104) 56(84) bytes of data.
64 bytes from fg-in-f104.google.com (72.14.221.104): icmp_seq=1 ttl=244 time=45.5 ms
64 bytes from fg-in-f104.google.com (72.14.221.104): icmp_seq=2 ttl=244 time=47.5 ms
64 bytes from fg-in-f104.google.com (72.14.221.104): icmp_seq=3 ttl=244 time=45.4 ms
64 bytes from fg-in-f104.google.com (72.14.221.104): icmp_seq=4 ttl=244 time=44.3 ms
64 bytes from fg-in-f104.google.com (72.14.221.104): icmp_seq=5 ttl=244 time=48.2 ms

--- google.ro ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3999ms
rtt min/avg/max/mdev = 44.352/46.221/48.294/1.466 ms
then I think of my old problem, the default route.
[root@pc1 afaith]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
92.80.192.254   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
[root@pc1 afaith]#
everything seems fine here too (though honestly, there seem to be fewer entries than usual)
the firewall, I say to myself.
I use the shorewall that comes by default with Mandriva, which I keep in check from Webmin.
[root@pc1 afaith]# iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
Ifw        0    --  0.0.0.0/0            0.0.0.0/0
eth0_in    0    --  0.0.0.0/0            0.0.0.0/0
ppp0_in    0    --  0.0.0.0/0            0.0.0.0/0
Reject     0    --  0.0.0.0/0            0.0.0.0/0
LOG        0    --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
reject     0    --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
eth0_fwd   0    --  0.0.0.0/0            0.0.0.0/0
ppp0_fwd   0    --  0.0.0.0/0            0.0.0.0/0
Reject     0    --  0.0.0.0/0            0.0.0.0/0
LOG        0    --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
reject     0    --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0
eth0_out   0    --  0.0.0.0/0            0.0.0.0/0
ppp0_out   0    --  0.0.0.0/0            0.0.0.0/0
Reject     0    --  0.0.0.0/0            0.0.0.0/0
LOG        0    --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
reject     0    --  0.0.0.0/0            0.0.0.0/0

Chain Drop (1 references)
target     prot opt source               destination
reject     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:113
dropBcast  0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 3 code 4
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 11
dropInvalid 0   --  0.0.0.0/0            0.0.0.0/0
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 135,445
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:137:139
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:137 dpts:1024:65535
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 135,139,445
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1900
dropNotSyn tcp  --  0.0.0.0/0            0.0.0.0/0
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:53

Chain Ifw (1 references)
target     prot opt source               destination

Chain Reject (4 references)
target     prot opt source               destination
reject     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:113
dropBcast  0    --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 3 code 4
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 11
dropInvalid 0   --  0.0.0.0/0            0.0.0.0/0
reject     udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 135,445
reject     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:137:139
reject     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:137 dpts:1024:65535
reject     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 135,139,445
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1900
dropNotSyn tcp  --  0.0.0.0/0            0.0.0.0/0
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:53

Chain all2all (0 references)
target     prot opt source               destination
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
Reject     0    --  0.0.0.0/0            0.0.0.0/0
LOG        0    --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
reject     0    --  0.0.0.0/0            0.0.0.0/0

Chain dropBcast (2 references)
target     prot opt source               destination
DROP       0    --  0.0.0.0/0            0.0.0.0/0            PKTTYPE = broadcast
DROP       0    --  0.0.0.0/0            0.0.0.0/0            PKTTYPE = multicast

Chain dropInvalid (2 references)
target     prot opt source               destination
DROP       0    --  0.0.0.0/0            0.0.0.0/0            state INVALID

Chain dropNotSyn (2 references)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02

Chain dynamic (4 references)
target     prot opt source               destination

Chain eth0_fwd (1 references)
target     prot opt source               destination
dynamic    0    --  0.0.0.0/0            0.0.0.0/0            state INVALID,NEW
loc2net    0    --  0.0.0.0/0            0.0.0.0/0

Chain eth0_in (1 references)
target     prot opt source               destination
dynamic    0    --  0.0.0.0/0            0.0.0.0/0            state INVALID,NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:67:68
loc2fw     0    --  0.0.0.0/0            0.0.0.0/0

Chain eth0_out (1 references)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:67:68
fw2loc     0    --  0.0.0.0/0            0.0.0.0/0

Chain fw2loc (1 references)
target     prot opt source               destination
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0

Chain fw2net (1 references)
target     prot opt source               destination
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0

Chain loc2fw (1 references)
target     prot opt source               destination
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0

Chain loc2net (1 references)
target     prot opt source               destination
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0

Chain logdrop (0 references)
target     prot opt source               destination
LOG        0    --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:logdrop:DROP:'
DROP       0    --  0.0.0.0/0            0.0.0.0/0

Chain logreject (0 references)
target     prot opt source               destination
LOG        0    --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:logreject:REJECT:'
reject     0    --  0.0.0.0/0            0.0.0.0/0

Chain net2all (2 references)
target     prot opt source               destination
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
Drop       0    --  0.0.0.0/0            0.0.0.0/0
LOG        0    --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
DROP       0    --  0.0.0.0/0            0.0.0.0/0

Chain ppp0_fwd (1 references)
target     prot opt source               destination
dynamic    0    --  0.0.0.0/0            0.0.0.0/0            state INVALID,NEW
net2all    0    --  0.0.0.0/0            0.0.0.0/0

Chain ppp0_in (1 references)
target     prot opt source               destination
dynamic    0    --  0.0.0.0/0            0.0.0.0/0            state INVALID,NEW
net2all    0    --  0.0.0.0/0            0.0.0.0/0

Chain ppp0_out (1 references)
target     prot opt source               destination
fw2net     0    --  0.0.0.0/0            0.0.0.0/0

Chain reject (11 references)
target     prot opt source               destination
DROP       0    --  0.0.0.0/0            0.0.0.0/0            PKTTYPE = broadcast
DROP       0    --  0.0.0.0/0            0.0.0.0/0            PKTTYPE = multicast
DROP       0    --  255.255.255.255      0.0.0.0/0
DROP       0    --  224.0.0.0/4          0.0.0.0/0
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     icmp --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-unreachable
REJECT     0    --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain shorewall (0 references)
target     prot opt source               destination

Chain smurfs (0 references)
target     prot opt source               destination
LOG        0    --  192.168.1.255        0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
DROP       0    --  192.168.1.255        0.0.0.0/0
LOG        0    --  255.255.255.255      0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
DROP       0    --  255.255.255.255      0.0.0.0/0
LOG        0    --  224.0.0.0/4          0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
DROP       0    --  224.0.0.0/4          0.0.0.0/0
[root@pc1 afaith]#
and
[root@pc1 afaith]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ppp0_masq  0    --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain ppp0_masq (1 references)
target     prot opt source               destination
MASQUERADE 0    --  192.168.1.0/24       0.0.0.0/0
[root@pc1 afaith]#
I'm too lazy to decipher what's going on in there, so I go back to a minimal firewall (everything on accept + masquerade)
[root@pc1 afaith]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@pc1 afaith]#
[root@pc1 afaith]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE 0    --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@pc1 afaith]#
I run over to the neighbours to see what's what and .. nothing :mellow:
man.. what could it be, what could it be ..
I think of the DNS servers:
[root@pc1 afaith]# cat /etc/resolv.conf
nameserver 193.231.100.130 # ppp temp entry
nameserver 193.231.100.134 # ppp temp entry
[root@pc1 afaith]#
they're fine
then I think of the order in which an address gets resolved
[root@pc1 afaith]# cat /etc/nsswitch.conf|grep hosts
hosts:      files dns
[root@pc1 afaith]#
and here too everything is fine....
could it be dnsmasq? well, it is running,
[root@pc1 afaith]# service dnsmasq status
dnsmasq (pid 6930) is running...
[root@pc1 afaith]#
I haven't touched its config at all since I installed it, so no problems there. So, what else should I try? This problem is wearing me out ... it's already ... already driving me out of my mind! I simply can't explain where the problem came from :mellow:
and ping works in both directions
Lumea lui A.Faith --> http://afaith.eu
###############################
There is no patch for human stupidity
###############################
join #mandrivaro on FreeNode!
bigguy92, from softpedia, figured out the problem:
echo 1 > /proc/sys/net/ipv4/ip_forward
for one ***** command I worked myself into a fit ... damn it!
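An added example, not code from the thread: a small POSIX sh self-check for a NAT gateway like the one above, which tests the two things this thread ended up turning on (kernel IP forwarding and a MASQUERADE rule in the nat table) before anyone goes hunting through ifconfig, routes, the firewall and DNS again. The function names, the sysctl-file argument and the embedded sample nat-table output are my assumptions, the sample being constructed in the shape of the `iptables -t nat -nL` output shown in the thread.

```shell
#!/bin/sh
# Added example (not from the forum thread): gateway self-check for the two
# settings a Linux NAT router needs -- ip_forward=1 and a MASQUERADE rule.
# The functions take their input as arguments so they can also be run
# against captured output without root.

# Return 0 if the sysctl file (default /proc/sys/net/ipv4/ip_forward)
# reads "1", 1 if it reads anything else, 2 if it cannot be read.
forwarding_enabled() {
    file="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$file" ] || return 2
    [ "$(cat "$file")" = "1" ]
}

# Return 0 if the given `iptables -t nat -nL` output contains a MASQUERADE
# rule (in any chain) whose source is $2, or any source when $2 is empty.
# Field layout of a rule line: target prot opt source destination ...
has_masquerade() {
    printf '%s\n' "$1" | awk -v want="${2:-}" '
        $1 == "MASQUERADE" && (want == "" || $4 == want) { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Run both checks; print the first thing that is wrong and return 1.
gateway_check() {
    nat_output="$1"; lan="$2"; sysctl_file="${3:-/proc/sys/net/ipv4/ip_forward}"
    if ! forwarding_enabled "$sysctl_file"; then
        echo "ip_forward is not 1: echo 1 > /proc/sys/net/ipv4/ip_forward"
        return 1
    fi
    if ! has_masquerade "$nat_output" "$lan"; then
        echo "no MASQUERADE rule for $lan in the nat table"
        return 1
    fi
    echo "forwarding and NAT look fine; check ifconfig/route/firewall/DNS next"
}

# Constructed sample, shaped like the `iptables -t nat -nL` output in the thread.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ppp0_masq  0    --  0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain ppp0_masq (1 references)
target     prot opt source               destination
MASQUERADE 0    --  192.168.1.0/24       0.0.0.0/0'

# Live use (root needed for iptables):
#   gateway_check "$(iptables -t nat -nL)" 192.168.1.0/24
```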
I WAS JUST REPLYING TO YOU.... :), I'LL LEAVE IT POSTED ANYWAY
===============
;D It's not that weird.
My advice is to try the following:
- check the file:
If it's not "1" it won't work => enable forwarding on the network cards
- give up shorewall, I can't keep it in check in any way, I prefer the manual approach
- use SNAT or DNAT, not masquerade, in some situations it helps
Csabi's BLOG
Linux registered user # 457717
I use shorewall because Webmin has a killer web GUI for it and it works like a charm! so far it hasn't failed me at all. when there are problems, I go back to a minimal iptables version and take the firewall out of the equation.
I can't use SNAT and DNAT, because I have a dynamic IP allocated via DHCP by Clicknet (PPPoE connection)
yep, you're right, ... I retract the part about SNAT and DNAT ;)
Here's a line that could help you when configuring a firewall or a script that only does SNAT or DNAT, in case you have a dynamically allocated IP
ifconfig eth0 | fgrep 'inet addr' | cut -d : -f 2 | cut -d \ -f 1
after this line it will print strictly your IP on the eth0 interface in the case above; for you it would be ppp0
Good luck
thanks for the intention, but explain to me too (if you can/want/feel like it/etc.) what the advantages of using DNAT/SNAT over the masquerade function are? (I'm not being ironic, I'm really serious)
As of RFC 2663, NAT and IP Masquerading are the same thing. Once upon a time, NAT required your own externally addressable subnet (you'd have had to pay for your own class A, B, or C address block). This is, however, no longer true. Official NAT is now more than happy to work with the nonrouted subnets of 192.168.x.x, 172.16.x.x, and 10.x.x.x . While I used to say that for all intents and purposes, NAT is IP Masquerading is NAT, I can now correctly say that they are indeed the same thing. Linux just insists on calling NAT by the name of IP Masquerading. What did old Will Shakespeare say? A rose by any other name…?
thanks maaxx - I also agree 100% with old man Shakespeare