
Port forwarding [openwrt][iptables]


Hi. I'm trying to forward ports on the router. I added the following to

/etc/config/firewall

config 'rule'
        option 'src' 'wan'
        option 'target' 'ACCEPT'
        option 'proto' 'tcpudp'
        option 'dest_port' '6882'

config 'redirect' 'torrent'
        option 'src' 'wan'
        option 'proto' 'tcpudp'
        option 'src_dport' '6882'
        option 'dest_ip' '192.168.1.2'
        option 'dest_port' '6882'

and somehow it doesn't work... Output of iptables -L:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere            
syn_flood  tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN 
input_rule  all  --  anywhere             anywhere            
input      all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
zone_wan_MSSFIX  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
forwarding_rule  all  --  anywhere             anywhere            
forward    all  --  anywhere             anywhere            
reject     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere            
output_rule  all  --  anywhere             anywhere            
output     all  --  anywhere             anywhere            

Chain forward (1 references)
target     prot opt source               destination         
zone_lan_forward  all  --  anywhere             anywhere            
zone_wan_forward  all  --  anywhere             anywhere            

Chain forwarding_lan (1 references)
target     prot opt source               destination         

Chain forwarding_rule (1 references)
target     prot opt source               destination         
nat_reflection_fwd  all  --  anywhere             anywhere            

Chain forwarding_wan (1 references)
target     prot opt source               destination         

Chain input (1 references)
target     prot opt source               destination         
zone_lan   all  --  anywhere             anywhere            
zone_wan   all  --  anywhere             anywhere            

Chain input_lan (1 references)
target     prot opt source               destination         

Chain input_rule (1 references)
target     prot opt source               destination         

Chain input_wan (1 references)
target     prot opt source               destination         

Chain nat_reflection_fwd (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  192.168.1.0/24       192.168.1.2         tcp dpt:6882 
ACCEPT     udp  --  192.168.1.0/24       192.168.1.2         udp dpt:6882 

Chain output (1 references)
target     prot opt source               destination         
zone_lan_ACCEPT  all  --  anywhere             anywhere            
zone_wan_ACCEPT  all  --  anywhere             anywhere            

Chain output_rule (1 references)
target     prot opt source               destination         

Chain reject (5 references)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset 
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 

Chain syn_flood (1 references)
target     prot opt source               destination         
RETURN     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 
DROP       all  --  anywhere             anywhere            

Chain zone_lan (1 references)
target     prot opt source               destination         
input_lan  all  --  anywhere             anywhere            
zone_lan_ACCEPT  all  --  anywhere             anywhere            

Chain zone_lan_ACCEPT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain zone_lan_DROP (0 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain zone_lan_MSSFIX (0 references)
target     prot opt source               destination         
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 

Chain zone_lan_REJECT (1 references)
target     prot opt source               destination         
reject     all  --  anywhere             anywhere            
reject     all  --  anywhere             anywhere            

Chain zone_lan_forward (1 references)
target     prot opt source               destination         
zone_wan_ACCEPT  all  --  anywhere             anywhere            
forwarding_lan  all  --  anywhere             anywhere            
zone_lan_REJECT  all  --  anywhere             anywhere            

Chain zone_wan (1 references)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:6882 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:6882 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootpc 
input_wan  all  --  anywhere             anywhere            
zone_wan_REJECT  all  --  anywhere             anywhere            

Chain zone_wan_ACCEPT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain zone_wan_DROP (0 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain zone_wan_MSSFIX (1 references)
target     prot opt source               destination         
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 

Chain zone_wan_REJECT (2 references)
target     prot opt source               destination         
reject     all  --  anywhere             anywhere            
reject     all  --  anywhere             anywhere            

Chain zone_wan_forward (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             192.168.1.2         udp dpt:6882 
ACCEPT     tcp  --  anywhere             192.168.1.2         tcp dpt:6882 
forwarding_wan  all  --  anywhere             anywhere            
zone_wan_REJECT  all  --  anywhere             anywhere         

Where should I look?


In reply to: comment by NightSpamer

Here:

Chain PREROUTING (policy ACCEPT 72774 packets, 7807K bytes)
 pkts bytes target     prot opt in     out     source               destination         
72807 7809K prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
40065 3622K zone_lan_prerouting  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           
    5   256 zone_wan_prerouting  all  --  pppoe-wan *       0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
40539 3518K postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_lan_nat  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0           
40539 3518K zone_wan_nat  all  --  *      pppoe-wan  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 2188 packets, 132K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain nat_reflection_in (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       192.168.1.0/24       192.168.11.241      tcp dpt:6882 to:192.168.1.2:6882 
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       192.168.11.241      udp dpt:6882 to:192.168.1.2:6882 

Chain nat_reflection_out (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.2         tcp dpt:6882 to:192.168.1.1 
    0     0 SNAT       udp  --  *      *       192.168.1.0/24       192.168.1.2         udp dpt:6882 to:192.168.1.1 

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         
40539 3518K nat_reflection_out  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain prerouting_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         
72775 7807K nat_reflection_in  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain prerouting_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_lan_nat (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
40065 3622K prerouting_lan  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_nat (1 references)
 pkts bytes target     prot opt in     out     source               destination         
40539 3518K MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6882 to:192.168.1.2:6882 
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:6882 to:192.168.1.2:6882 
    5   256 prerouting_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

fjord
(topic author)
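
Added example, not part of the original post: a shell/awk helper that reads `iptables -t nat -L -v -n` output like the listing above and prints each DNAT forward with its own packet counter next to the counter of the jump rule that feeds its chain. The function names and the embedded sample (a constructed excerpt modelled on that listing) are assumptions of this example.

```shell
# Added example: per-rule hit counters for DNAT port forwards.
# Constructed sample, modelled on the nat-table listing in the post above.
sample_nat_listing() {
cat <<'EOF'
Chain PREROUTING (policy ACCEPT 72774 packets, 7807K bytes)
 pkts bytes target     prot opt in     out     source               destination
72807 7809K prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    5   256 zone_wan_prerouting  all  --  pppoe-wan *       0.0.0.0/0            0.0.0.0/0

Chain nat_reflection_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       192.168.1.0/24       192.168.11.241      tcp dpt:6882 to:192.168.1.2:6882

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination
72775 7807K nat_reflection_in  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6882 to:192.168.1.2:6882
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:6882 to:192.168.1.2:6882
EOF
}

# dnat_hits: stdin is `iptables -t nat -L -v -n` text.
# Prints: <chain> <proto>/<dport> -> <to> hits=<pkts> chain_entered=<pkts>
dnat_hits() {
    awk '
        $1 == "Chain" { chain = $2; next }
        $1 == "pkts" || NF < 9 { next }        # column header and blank lines
        $3 == "DNAT" {
            dpt = "any"; to = "?"
            for (i = 10; i <= NF; i++) {
                if ($i ~ /^dpt:/) dpt = substr($i, 5)
                if ($i ~ /^to:/)  to  = substr($i, 4)
            }
            n++; owner[n] = chain
            row[n] = chain " " $4 "/" dpt " -> " to " hits=" $1
            next
        }
        { entered[$3] = $1 }   # any other rule: counter of the (last seen) jump into target $3
        END {
            for (i = 1; i <= n; i++)
                print row[i] " chain_entered=" ((owner[i] in entered) ? entered[owner[i]] : "?")
        }
    '
}

# never_matched: only the forwards whose own counter is still zero.
never_matched() { dnat_hits | grep ' hits=0 '; }
```

On the router this would be run as `iptables -t nat -L -v -n | dnat_hits`; a forward with `hits=0` while `chain_entered` is non-zero means packets reached that chain but none matched the forwarded port.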
In reply to: comment by NightSpamer

iptables-save

# Generated by iptables-save v1.4.6 on Fri Apr 29 17:59:39 2011
*nat
:PREROUTING ACCEPT [75244:8041264]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [2323:141230]
:nat_reflection_in - [0:0]
:nat_reflection_out - [0:0]
:postrouting_rule - [0:0]
:prerouting_lan - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan - [0:0]
:zone_lan_nat - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_nat - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -j prerouting_rule 
-A PREROUTING -i br-lan -j zone_lan_prerouting 
-A PREROUTING -i pppoe-wan -j zone_wan_prerouting 
-A POSTROUTING -j postrouting_rule 
-A POSTROUTING -o br-lan -j zone_lan_nat 
-A POSTROUTING -o pppoe-wan -j zone_wan_nat 
-A nat_reflection_in -s 192.168.1.0/24 -d 192.168.11.241/32 -p tcp -m tcp --dport 6882 -j DNAT --to-destination 192.168.1.2:6882 
-A nat_reflection_in -s 192.168.1.0/24 -d 192.168.11.241/32 -p udp -m udp --dport 6882 -j DNAT --to-destination 192.168.1.2:6882 
-A nat_reflection_out -s 192.168.1.0/24 -d 192.168.1.2/32 -p tcp -m tcp --dport 6882 -j SNAT --to-source 192.168.1.1 
-A nat_reflection_out -s 192.168.1.0/24 -d 192.168.1.2/32 -p udp -m udp --dport 6882 -j SNAT --to-source 192.168.1.1 
-A postrouting_rule -j nat_reflection_out 
-A prerouting_rule -j nat_reflection_in 
-A zone_lan_prerouting -j prerouting_lan 
-A zone_wan_nat -j MASQUERADE 
-A zone_wan_prerouting -p tcp -m tcp --dport 6882 -j DNAT --to-destination 192.168.1.2:6882 
-A zone_wan_prerouting -p udp -m udp --dport 6882 -j DNAT --to-destination 192.168.1.2:6882 
-A zone_wan_prerouting -j prerouting_wan 
COMMIT
# Completed on Fri Apr 29 17:59:39 2011
# Generated by iptables-save v1.4.6 on Fri Apr 29 17:59:39 2011
*raw
:PREROUTING ACCEPT [2935727:2675166246]
:OUTPUT ACCEPT [4995:554421]
:zone_lan_notrack - [0:0]
:zone_wan_notrack - [0:0]
-A PREROUTING -i br-lan -j zone_lan_notrack 
-A PREROUTING -i pppoe-wan -j zone_wan_notrack 
COMMIT
# Completed on Fri Apr 29 17:59:39 2011
# Generated by iptables-save v1.4.6 on Fri Apr 29 17:59:39 2011
*mangle
:PREROUTING ACCEPT [3916931:3403965616]
:INPUT ACCEPT [18531:2292224]
:FORWARD ACCEPT [3834441:3393144028]
:OUTPUT ACCEPT [19105:1877615]
:POSTROUTING ACCEPT [3848219:3394586617]
COMMIT
# Completed on Fri Apr 29 17:59:39 2011
# Generated by iptables-save v1.4.6 on Fri Apr 29 17:59:39 2011
*filter
:INPUT ACCEPT [680:124185]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forward - [0:0]
:forwarding_lan - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan - [0:0]
:input - [0:0]
:input_lan - [0:0]
:input_rule - [0:0]
:input_wan - [0:0]
:nat_reflection_fwd - [0:0]
:output - [0:0]
:output_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan - [0:0]
:zone_lan_ACCEPT - [0:0]
:zone_lan_DROP - [0:0]
:zone_lan_MSSFIX - [0:0]
:zone_lan_REJECT - [0:0]
:zone_lan_forward - [0:0]
:zone_wan - [0:0]
:zone_wan_ACCEPT - [0:0]
:zone_wan_DROP - [0:0]
:zone_wan_MSSFIX - [0:0]
:zone_wan_REJECT - [0:0]
:zone_wan_forward - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood 
-A INPUT -j input_rule 
-A INPUT -j input 
-A FORWARD -j zone_wan_MSSFIX 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -j forwarding_rule 
-A FORWARD -j forward 
-A FORWARD -j reject 
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -j output_rule 
-A OUTPUT -j output 
-A forward -i br-lan -j zone_lan_forward 
-A forward -i pppoe-wan -j zone_wan_forward 
-A forwarding_rule -j nat_reflection_fwd 
-A input -i br-lan -j zone_lan 
-A input -i pppoe-wan -j zone_wan 
-A nat_reflection_fwd -s 192.168.1.0/24 -d 192.168.1.2/32 -p tcp -m tcp --dport 6882 -j ACCEPT 
-A nat_reflection_fwd -s 192.168.1.0/24 -d 192.168.1.2/32 -p udp -m udp --dport 6882 -j ACCEPT 
-A output -j zone_lan_ACCEPT 
-A output -j zone_wan_ACCEPT 
-A reject -p tcp -j REJECT --reject-with tcp-reset 
-A reject -j REJECT --reject-with icmp-port-unreachable 
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN 
-A syn_flood -j DROP 
-A zone_lan -j input_lan 
-A zone_lan -j zone_lan_ACCEPT 
-A zone_lan_ACCEPT -o br-lan -j ACCEPT 
-A zone_lan_ACCEPT -i br-lan -j ACCEPT 
-A zone_lan_DROP -o br-lan -j DROP 
-A zone_lan_DROP -i br-lan -j DROP 
-A zone_lan_MSSFIX -o br-lan -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 
-A zone_lan_REJECT -o br-lan -j reject 
-A zone_lan_REJECT -i br-lan -j reject 
-A zone_lan_forward -j zone_wan_ACCEPT 
-A zone_lan_forward -j forwarding_lan 
-A zone_lan_forward -j zone_lan_REJECT 
-A zone_wan -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A zone_wan -p udp -m udp --dport 68 -j ACCEPT 
-A zone_wan -j input_wan 
-A zone_wan -j zone_wan_REJECT 
-A zone_wan_ACCEPT -o pppoe-wan -j ACCEPT 
-A zone_wan_ACCEPT -i pppoe-wan -j ACCEPT 
-A zone_wan_DROP -o pppoe-wan -j DROP 
-A zone_wan_DROP -i pppoe-wan -j DROP 
-A zone_wan_MSSFIX -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 
-A zone_wan_REJECT -o pppoe-wan -j reject 
-A zone_wan_REJECT -i pppoe-wan -j reject 
-A zone_wan_forward -d 192.168.1.2/32 -p udp -m udp --dport 6882 -j ACCEPT 
-A zone_wan_forward -d 192.168.1.2/32 -p tcp -m tcp --dport 6882 -j ACCEPT 
-A zone_wan_forward -j forwarding_wan 
-A zone_wan_forward -j zone_wan_REJECT 
COMMIT

fjord
(topic author)