Роутер с OpenWRT. Сеть такая: есть 2 провайдера, настроена балансировка между ними. Настроены vlan1 и vlan4 для разных сетей. IP первой сети — 192.168.123.0/24, второй — 192.168.4.0/24.
Никак не могу настроить firewall так, чтобы сети не видели друг друга. Подозреваю, что где-то раньше стоит разрешающее правило на всё.
Вот кусок /etc/config/firewall (без редиректов портов)
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-WEB-router'
option src 'lan'
option proto 'tcp'
option dest_port '80'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-SSH-router'
option src 'lan'
option proto 'tcp'
option dest_port '22'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-DNS'
option src 'lan vlan4'
option proto 'tcp udp'
option dest_port '53'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Deny-private'
option src 'vlan4'
option dest 'lan'
option target 'DROP'
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option network 'lan'
option forward 'ACCEPT'
config zone
option name 'wan'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
option network 'wan'
config include
option path '/etc/firewall.user'
config zone
option name 'vlan4'
option input 'ACCEPT'
option output 'ACCEPT'
option family 'ipv4'
option network 'vlan4'
option forward 'ACCEPT'
config zone
option name 'wan2'
option forward 'REJECT'
option output 'ACCEPT'
option network 'wan2'
option input 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option dest 'wan'
option src 'lan'
config forwarding
option dest 'wan2'
option src 'lan'
config forwarding
option dest 'wan'
option src 'vlan4'
config forwarding
option dest 'wan2'
option src 'vlan4'
Вот сеть — два бриджа: один на lan, другой для vlan4:
config interface 'lan'
option ifname 'eth0.1'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.123.1'
config interface 'wan'
option ifname 'eth0.2'
option _orig_ifname 'eth0.2'
option _orig_bridge 'false'
option proto 'static'
option ipaddr '80.80.80.2'
option netmask '255.255.255.0'
option gateway '80.80.80.1'
option metric '10'
config switch_vlan
option device 'switch0'
option vlan '3'
option ports '1 8t'
config switch_vlan
option device 'switch0'
option vlan '4'
option ports '2 8t'
config interface 'wan2'
option proto 'static'
option ifname 'eth0.3'
option _orig_ifname 'eth0.3'
option _orig_bridge 'false'
option ipaddr '82.82.82.82'
option netmask '255.255.255.0'
option gateway '82.82.82.1'
option metric '20'
config interface 'vlan4'
option type 'bridge'
option proto 'static'
option ifname 'eth0.4'
option ipaddr '192.168.4.1'
option netmask '255.255.255.0'
При таком раскладе пинги из обеих сетей спокойно ходят друг к другу. Даже если добавить правила в custom rules:
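# Custom rules for /etc/firewall.user (the file referenced by the
# `config include` section of /etc/config/firewall).
#
# Why the original `iptables -A FORWARD ... -j DROP` lines never matched:
# fw3 puts `-A FORWARD -j delegate_forward` as the first rule of FORWARD,
# and inside delegate_forward the lan zone chain ends with
# `-j zone_lan_src_ACCEPT`, which accepts anything that arrived on br-lan
# (both the lan and the vlan4 zone carry `option forward 'ACCEPT'`).
# A packet accepted inside that jump never comes back to FORWARD, so DROP
# rules appended after the jump are dead code.
#
# `forwarding_rule` is the user chain fw3 jumps to first from
# delegate_forward — before the RELATED,ESTABLISHED accept and before any
# zone chain — so rules placed there are evaluated for every forwarded
# packet regardless of zone policy.
#
# NOTE(review): the UCI rule `Deny-private` has no `option proto`, and the
# iptables-save output shows it rendered only as `-p tcp` / `-p udp`, so
# ICMP (ping) is not covered by it. The UCI-level fix is `option proto 'all'`
# on that rule (or `option forward 'REJECT'` on both internal zones); the
# lines below are the firewall.user equivalent.
# NOTE(review): the dump names the second zone `mainc` (br-mainc) while the
# posted config calls it `vlan4` — confirm the posted config is the live one.

# lan <-> vlan4: the two internal networks must not reach each other.
iptables -A forwarding_rule -s 192.168.123.0/24 -d 192.168.4.0/24 -j DROP
iptables -A forwarding_rule -s 192.168.4.0/24 -d 192.168.123.0/24 -j DROP

# lan -> other private ranges listed in the original rules.
iptables -A forwarding_rule -s 192.168.123.0/24 -d 10.1.100.0/24 -j DROP
iptables -A forwarding_rule -s 192.168.123.0/24 -d 172.23.0.0/16 -j DROP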
Вывод iptables-save:
# Generated by iptables-save v1.4.20 on Tue Sep 23 14:02:55 2014
*nat
:PREROUTING ACCEPT [131912:12191086]
:INPUT ACCEPT [2406:256025]
:OUTPUT ACCEPT [9587:742249]
:POSTROUTING ACCEPT [832:117234]
:delegate_postrouting - [0:0]
:delegate_prerouting - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_mainc_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan2_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_mainc_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan2_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_mainc_postrouting - [0:0]
:zone_mainc_prerouting - [0:0]
:zone_wan2_postrouting - [0:0]
:zone_wan2_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -j delegate_prerouting
-A POSTROUTING -j delegate_postrouting
-A delegate_postrouting -m comment --comment "user chain for postrouting" -j postrouting_rule
-A delegate_postrouting -o br-lan -j zone_lan_postrouting
-A delegate_postrouting -o eth0.2 -j zone_wan_postrouting
-A delegate_postrouting -o br-mainc -j zone_mainc_postrouting
-A delegate_postrouting -o eth0.3 -j zone_wan2_postrouting
-A delegate_prerouting -m comment --comment "user chain for prerouting" -j prerouting_rule
-A delegate_prerouting -i br-lan -j zone_lan_prerouting
-A delegate_prerouting -i eth0.2 -j zone_wan_prerouting
-A delegate_prerouting -i br-mainc -j zone_mainc_prerouting
-A delegate_prerouting -i eth0.3 -j zone_wan2_prerouting
-A zone_lan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_lan_rule
-A zone_wan2_postrouting -m comment --comment "user chain for postrouting" -j postrouting_wan2_rule
-A zone_wan2_postrouting -j MASQUERADE
-A zone_wan2_prerouting -m comment --comment "user chain for prerouting" -j prerouting_wan2_rule
-A zone_wan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_wan_rule
-A zone_wan_postrouting -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp --dport 22 -m comment --comment ssh -j DNAT --to-destination 192.168.123.222:22
-A zone_wan_prerouting -p tcp -m tcp --dport 2003 -m comment --comment graphite -j DNAT --to-destination 192.168.123.222:2003
-A zone_wan_prerouting -p tcp -m tcp --dport 2004 -m comment --comment graphite2 -j DNAT --to-destination 192.168.123.222:2004
-A zone_wan_prerouting -p tcp -m tcp --dport 8082 -m comment --comment graphite-web -j DNAT --to-destination 192.168.123.222:8082
-A zone_wan_prerouting -p tcp -m tcp --dport 8081 -m comment --comment owncloud -j DNAT --to-destination 192.168.123.222:8081
-A zone_wan_prerouting -p tcp -m tcp --dport 8083 -m comment --comment zabbix -j DNAT --to-destination 192.168.123.222:8083
-A zone_wan_prerouting -p tcp -m tcp --dport 8084 -m comment --comment munin -j DNAT --to-destination 192.168.123.222:8084
-A zone_wan_prerouting -p tcp -m tcp --dport 8085 -m comment --comment grafana -j DNAT --to-destination 192.168.123.222:8085
-A zone_wan_prerouting -p tcp -m tcp --dport 9200 -m comment --comment eleasticsearch -j DNAT --to-destination 192.168.123.222:9200
-A zone_wan_prerouting -p tcp -m tcp --dport 9000 -m comment --comment dump -j DNAT --to-destination 192.168.123.222:9000
-A zone_wan_prerouting -p tcp -m tcp --dport 888 -m comment --comment buh-1c -j DNAT --to-destination 192.168.123.16:80
-A zone_wan_prerouting -p tcp -m tcp --dport 13389 -m comment --comment buh-rdp -j DNAT --to-destination 192.168.123.16:3389
-A zone_wan_prerouting -p tcp -m tcp --dport 3001 -m comment --comment mc-redmine -j DNAT --to-destination 192.168.4.3:3001
-A zone_wan_prerouting -p tcp -m tcp --dport 22325 -m comment --comment mainc-ssh -j DNAT --to-destination 192.168.4.3:22
-A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "srv.codeinside.ru" -j DNAT --to-destination 192.168.123.222:80
-A zone_wan_prerouting -p tcp -m tcp --dport 223 -m comment --comment lxc-ssh -j DNAT --to-destination 192.168.123.223:22
-A zone_wan_prerouting -p tcp -m tcp --dport 224 -m comment --comment kvm-ssh -j DNAT --to-destination 192.168.123.224:22
-A zone_wan_prerouting -p tcp -m tcp --dport 225 -m comment --comment lxc2-ssh -j DNAT --to-destination 192.168.123.225:22
-A zone_wan_prerouting -p tcp -m tcp --dport 5225 -m comment --comment lxc2 -j DNAT --to-destination 192.168.123.225:5225
-A zone_wan_prerouting -p tcp -m tcp --dport 55900 -m comment --comment vnc-buh -j DNAT --to-destination 192.168.123.16:55900
-A zone_wan_prerouting -p tcp -m tcp --dport 55800 -m comment --comment vnc-web -j DNAT --to-destination 192.168.123.16:55800
-A zone_wan_prerouting -p tcp -m tcp --dport 1194 -m comment --comment openvpn -j DNAT --to-destination 192.168.123.222:1194
-A zone_wan_prerouting -p udp -m udp --dport 1194 -m comment --comment openvpn -j DNAT --to-destination 192.168.123.222:1194
COMMIT
# Completed on Tue Sep 23 14:02:55 2014
# Generated by iptables-save v1.4.20 on Tue Sep 23 14:02:55 2014
*raw
:PREROUTING ACCEPT [4795466:2426151760]
:OUTPUT ACCEPT [48801:10329428]
:delegate_notrack - [0:0]
-A PREROUTING -j delegate_notrack
COMMIT
# Completed on Tue Sep 23 14:02:55 2014
# Generated by iptables-save v1.4.20 on Tue Sep 23 14:02:55 2014
*mangle
:PREROUTING ACCEPT [4795487:2426156512]
:INPUT ACCEPT [49747:5007832]
:FORWARD ACCEPT [4738676:2419244372]
:OUTPUT ACCEPT [48812:10330688]
:POSTROUTING ACCEPT [4785830:2429226313]
:fwmark - [0:0]
:mssfix - [0:0]
-A PREROUTING -j fwmark
-A FORWARD -j mssfix
-A mssfix -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
-A mssfix -o eth0.3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan2 (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue Sep 23 14:02:55 2014
# Generated by iptables-save v1.4.20 on Tue Sep 23 14:02:55 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:delegate_forward - [0:0]
:delegate_input - [0:0]
:delegate_output - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_mainc_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan2_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_mainc_rule - [0:0]
:input_rule - [0:0]
:input_wan2_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_mainc_rule - [0:0]
:output_rule - [0:0]
:output_wan2_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_dest_DROP - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_mainc_dest_ACCEPT - [0:0]
:zone_mainc_forward - [0:0]
:zone_mainc_input - [0:0]
:zone_mainc_output - [0:0]
:zone_mainc_src_ACCEPT - [0:0]
:zone_wan2_dest_ACCEPT - [0:0]
:zone_wan2_forward - [0:0]
:zone_wan2_input - [0:0]
:zone_wan2_output - [0:0]
:zone_wan2_src_REJECT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -j delegate_input
-A FORWARD -j delegate_forward
-A FORWARD -s 192.168.123.0/24 -d 192.168.4.0/24 -j DROP
-A FORWARD -s 192.168.123.0/24 -d 10.1.100.0/24 -j DROP
-A FORWARD -s 192.168.123.0/24 -d 172.23.0.0/16 -j DROP
-A FORWARD -s 192.168.4.0/24 -d 192.168.123.0/24 -j DROP
-A FORWARD -s 192.168.4.0/24 -d 10.9.0.0/24 -j DROP
-A OUTPUT -j delegate_output
-A delegate_forward -m comment --comment "user chain for forwarding" -j forwarding_rule
-A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_forward -i br-lan -j zone_lan_forward
-A delegate_forward -i eth0.2 -j zone_wan_forward
-A delegate_forward -i br-mainc -j zone_mainc_forward
-A delegate_forward -i eth0.3 -j zone_wan2_forward
-A delegate_forward -j reject
-A delegate_input -i lo -j ACCEPT
-A delegate_input -m comment --comment "user chain for input" -j input_rule
-A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A delegate_input -i br-lan -j zone_lan_input
-A delegate_input -i eth0.2 -j zone_wan_input
-A delegate_input -i br-mainc -j zone_mainc_input
-A delegate_input -i eth0.3 -j zone_wan2_input
-A delegate_output -o lo -j ACCEPT
-A delegate_output -m comment --comment "user chain for output" -j output_rule
-A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_output -o br-lan -j zone_lan_output
-A delegate_output -o eth0.2 -j zone_wan_output
-A delegate_output -o br-mainc -j zone_mainc_output
-A delegate_output -o eth0.3 -j zone_wan2_output
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
-A syn_flood -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
-A zone_lan_dest_DROP -o br-lan -j DROP
-A zone_lan_forward -m comment --comment "user chain for forwarding" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "forwarding lan -> wan2" -j zone_wan2_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_lan_forward -j zone_lan_src_ACCEPT
-A zone_lan_input -m comment --comment "user chain for input" -j input_lan_rule
-A zone_lan_input -p tcp -m tcp --dport 80 -m comment --comment Allow-WEB-router -j ACCEPT
-A zone_lan_input -p tcp -m tcp --dport 22 -m comment --comment Allow-SSH-router -j ACCEPT
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_lan_input -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "user chain for output" -j output_lan_rule
-A zone_lan_output -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -j ACCEPT
-A zone_mainc_dest_ACCEPT -o br-mainc -j ACCEPT
-A zone_mainc_forward -m comment --comment "user chain for forwarding" -j forwarding_mainc_rule
-A zone_mainc_forward -p tcp -m comment --comment Deny-private -j zone_lan_dest_DROP
-A zone_mainc_forward -p udp -m comment --comment Deny-private -j zone_lan_dest_DROP
-A zone_mainc_forward -m comment --comment "forwarding mainc -> wan" -j zone_wan_dest_ACCEPT
-A zone_mainc_forward -m comment --comment "forwarding mainc -> wan2" -j zone_wan2_dest_ACCEPT
-A zone_mainc_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_mainc_forward -j zone_mainc_src_ACCEPT
-A zone_mainc_input -m comment --comment "user chain for input" -j input_mainc_rule
-A zone_mainc_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_mainc_input -j zone_mainc_src_ACCEPT
-A zone_mainc_output -m comment --comment "user chain for output" -j output_mainc_rule
-A zone_mainc_output -j zone_mainc_dest_ACCEPT
-A zone_mainc_src_ACCEPT -i br-mainc -j ACCEPT
-A zone_wan2_dest_ACCEPT -o eth0.3 -j ACCEPT
-A zone_wan2_forward -m comment --comment "user chain for forwarding" -j forwarding_wan2_rule
-A zone_wan2_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_wan2_forward -j zone_wan2_src_REJECT
-A zone_wan2_input -m comment --comment "user chain for input" -j input_wan2_rule
-A zone_wan2_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_wan2_input -j zone_wan2_src_REJECT
-A zone_wan2_output -m comment --comment "user chain for output" -j output_wan2_rule
-A zone_wan2_output -j zone_wan2_dest_ACCEPT
-A zone_wan2_src_REJECT -i eth0.3 -j reject
-A zone_wan_dest_ACCEPT -o eth0.2 -j ACCEPT
-A zone_wan_forward -m comment --comment "user chain for forwarding" -j forwarding_wan_rule
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_wan_forward -j zone_wan_src_REJECT
-A zone_wan_input -m comment --comment "user chain for input" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment Allow-DHCP-Renew -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment Allow-Ping -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_wan_input -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "user chain for output" -j output_wan_rule
-A zone_wan_output -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0.2 -j reject
COMMIT
Подскажите в какую сторону копать?