sslug-teknik team mailing list archive

Thread
Date

Re: IPtables Problem

To: sslug-teknik@xxxxxxxx
From: Frank Vestergaard Pedersen <sslug@xxxxxxxxxxxx>
Date: Wed, 10 Oct 2007 21:53:50 +0200
Delivered-to: mailing list sslug-teknik@xxxxxxxx
In-reply-to: <d6753d0465c311fbb07461a358131421$1@forum.sslug.dk>
Mailing-list: contact sslug-teknik-help@xxxxxxxx; run by ezmlm
User-agent: Thunderbird 1.5.0.13 (X11/20070824)

Per Jørgensen wrote:

Frank Vestergaard Pedersen skrev:

Hej Per

Jeg tro ikke at dit problem ligger i din firewall (jeg har ikkenærlæst scriptet) men i din routning!
vil du ikke lige sende outputtet af en "ifconfig" og en "netstat -n"

/Frank

Hej Frank. Jeg tror vist nok et eller andet sted du har ret i detteomkring routningen.

Her er min ifconfig:
ifconfig
eth0      Link encap:Ethernet  HWaddr 00:00:24:C6:A0:FC

inet addr:83.95.44.14 Bcast:83.255.255.255Mask:255.255.255.252

         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:7045382 errors:0 dropped:0 overruns:0 frame:0
         TX packets:7956285 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:4209354623 (3.9 GiB)  TX bytes:2716253344 (2.5 GiB)
         Interrupt:10 Base address:0x9000

eth0:0    Link encap:Ethernet  HWaddr 00:00:24:C6:A0:FC

inet addr:87.50.193.217 Bcast:87.255.255.255Mask:255.255.255.252

         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         Interrupt:10 Base address:0x9000

eth1      Link encap:Ethernet  HWaddr 00:00:24:C6:A0:FD
         inet addr:172.16.0.1  Bcast:172.16.0.255  Mask:255.255.255.0
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:5720299 errors:0 dropped:2067 overruns:185 frame:0
         TX packets:5063988 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:3865147047 (3.5 GiB)  TX bytes:3439924330 (3.2 GiB)
         Interrupt:10 Base address:0xd000

eth2      Link encap:Ethernet  HWaddr 00:00:24:C6:A0:FE
         inet addr:172.16.10.1  Bcast:172.16.10.255  Mask:255.255.255.0
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:2904336 errors:0 dropped:0 overruns:0 frame:0
         TX packets:2212159 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:3593546398 (3.3 GiB)  TX bytes:642418482 (612.6 MiB)
         Interrupt:10 Base address:0xf000

eth3      Link encap:Ethernet  HWaddr 00:00:24:C6:2E:BC
         inet addr:172.16.20.1  Bcast:172.16.20.255  Mask:255.255.255.0
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:312394 errors:0 dropped:9695 overruns:833 frame:0
         TX packets:419415 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:23294111 (22.2 MiB)  TX bytes:573871127 (547.2 MiB)
         Interrupt:5 Base address:0x1000

lo        Link encap:Local Loopback
         inet addr:127.0.0.1  Mask:255.0.0.0
         UP LOOPBACK RUNNING  MTU:16436  Metric:1
         RX packets:7639 errors:0 dropped:0 overruns:0 frame:0
         TX packets:7639 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:389481 (380.3 KiB)  TX bytes:389481 (380.3 KiB)

Og netstat -n:
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State

tcp 0 0 172.16.0.1:22 172.16.0.12:58572ESTABLISHED

Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  8      [ ]         DGRAM                    1466     /dev/log
unix  2      [ ]         DGRAM                    799400
unix  3      [ ]         STREAM     CONNECTED     799399
unix  3      [ ]         STREAM     CONNECTED     799398
unix  2      [ ]         DGRAM                    557765
unix  2      [ ]         DGRAM                    482633
unix  2      [ ]         DGRAM                    355529
unix  2      [ ]         DGRAM                    1802
unix  2      [ ]         DGRAM                    1507

og så en route:route
Kernel IP routing table

Destination Gateway Genmask Flags Metric RefUse Iface83.95.44.12 * 255.255.255.252 U 0 00 eth087.50.193.216 * 255.255.255.252 U 0 00 eth0172.16.20.0 * 255.255.255.0 U 0 00 eth3172.16.0.0 * 255.255.255.0 U 0 00 eth1172.16.10.0 * 255.255.255.0 U 0 00 eth2default atm2-0-10470.na 0.0.0.0 UG 0 00 eth0

Nu har jeg så aldrig brugt route før i min tid med Linux, så jeg håberda lidt at du evt kunne forklare lidt dybere omkring hvad der ligeskal gøre her

Det ser umiddelbart ud til at være ok, men jeg kiggede lige i ditfirewall script og faldt over denne


$IPTABLES -t nat -A POSTROUTING -s ! $WAN -j SNAT --to-source $WAN_IP

den er jo ganske fin! bare ikke hvis man gerne vil snakke med din plutocore! for så skulle den vel være sådan her: (jeg er ikke helt sikker på syntaksen)

$IPTABLES -t nat -A POSTROUTING -s ! $WAN -j SNAT --to-source $WAN1_IP (læg mærke til WAN1_IP)

så du kommer vist til at lave to SNAT i den rigtige rækkefølge


$IPTABLES -t nat -A POSTROUTING -s $PLUTOCORE -j SNAT --to-source $WAN1_IP
$IPTABLES -t nat -A POSTROUTING -s ! $WAN -j SNAT --to-source $WAN_IP

(jeg er nu ikke helt sikker på at det vil virke, men prøv det!)

/Frank

References

IPtables Problem
From: Per Jørgensen, 2007-10-06
Re: IPtables Problem
From: Frank Vestergaard Pedersen, 2007-10-06
Re: IPtables Problem
From: Per Jørgensen, 2007-10-10