
External proxy on tinyproxy


Here's the situation.

I need to set up a proxy that can be connected to from the outside. What pitfalls are there besides the tinyproxy config itself?

The only things changed in the config are:

Port 8080
Listen [dsl0-ip]
BindSame yes

Connecting from outside is impossible, and I have no idea which logs to look at. It's SUSE, I think, one of the latest ones.
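One pitfall that sits in the tinyproxy config rather than the firewall is access control: a stock tinyproxy.conf ships with `Allow 127.0.0.1`, so once the listener is on the external address, outside clients are answered with 403 unless an Allow covers them, and deleting the Allow lines instead turns the box into an open proxy. The lint below is an added example, not part of this thread or of tinyproxy; the three configs are constructed, only the address and CIDR forms of Allow/Deny are handled, and the rule evaluation mirrors tinyproxy's documented behaviour as I understand it (first match wins; with any rule present unmatched clients are denied; with none, everyone is allowed).

```python
"""Access-control lint for a tinyproxy.conf that is about to take connections
from the outside. Added example, not part of the thread or of tinyproxy; the
three configs below are constructed. Only Listen, Allow and Deny are read."""
import ipaddress

# Constructed: the thread's changes applied to a stock config that still has
# the default "Allow 127.0.0.1". Even with the firewall passing port 8080,
# every outside client gets 403 Access denied.
CONF_AS_POSTED = """\
Port 8080
Listen 203.0.113.10
BindSame yes
Allow 127.0.0.1
"""

# Constructed: the 403 "fixed" by deleting every Allow line. With no
# Allow/Deny rules at all, tinyproxy serves anyone: an open proxy.
CONF_OPEN = """\
Port 8080
Listen 203.0.113.10
BindSame yes
"""

# Constructed: external listener, access limited to the client range that
# needs it. Rules are evaluated in order, so the Deny for one host goes first.
CONF_RESTRICTED = """\
Port 8080
Listen 203.0.113.10
BindSame yes
Deny 198.51.100.66
Allow 127.0.0.1
Allow 198.51.100.0/24
"""


def parse_conf(text):
    """(directive, value) pairs in file order; comments and blank lines dropped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            pairs.append((key, value.strip()))
    return pairs


def _acl_rules(pairs):
    """Allow/Deny lines as (is_allow, network). Assumption: only the single
    address and CIDR forms are handled, not dotted prefixes or hostnames."""
    return [(key == "Allow", ipaddress.ip_network(value, strict=False))
            for key, value in pairs if key in ("Allow", "Deny")]


def client_allowed(conf_text, client_ip):
    """Mirror tinyproxy's documented Allow/Deny evaluation: rules are checked
    in order and the first match decides; a client matching no rule is denied
    when any rule exists and allowed when the config has none."""
    ip = ipaddress.ip_address(client_ip)
    rules = _acl_rules(parse_conf(conf_text))
    if not rules:
        return True
    for is_allow, net in rules:
        if ip in net:
            return is_allow
    return False


def lint(conf_text):
    """Finding codes for a config expected to serve clients from the outside."""
    pairs = parse_conf(conf_text)
    rules = _acl_rules(pairs)
    listens = [ipaddress.ip_address(v) for k, v in pairs if k == "Listen"]
    # No Listen line means tinyproxy binds every address, so that is exposed too.
    exposed = not listens or any(not a.is_loopback for a in listens)
    findings = []
    if not exposed:
        return findings
    allows = [net for is_allow, net in rules if is_allow]
    if not rules or any(net.prefixlen == 0 for net in allows):
        findings.append("open-proxy")        # nobody is filtered (or Allow 0.0.0.0/0)
    elif not allows:
        findings.append("no-allow-rule")     # only Deny lines: everyone is refused
    elif all(net.is_loopback for net in allows):
        findings.append("loopback-only")     # outsiders connect, then get 403
    return findings


if __name__ == "__main__":
    for name, conf in (("as posted", CONF_AS_POSTED), ("open", CONF_OPEN),
                       ("restricted", CONF_RESTRICTED)):
        print(name, lint(conf), "client 198.51.100.7 allowed:",
              client_allowed(conf, "198.51.100.7"))
```

Run against a real tinyproxy.conf, `lint()` flags the two configurations that tend to appear in threads like this one: the stock Allow left in place (every outside client gets 403, which is easy to mistake for a firewall problem) and the Allow lines removed altogether (an open proxy reachable from the whole Internet).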

In reply to: comment by adriano32
:PREROUTING ACCEPT [21806:3868463]
:OUTPUT ACCEPT [2340:255006]
:POSTROUTING ACCEPT [19:2826]
-A PREROUTING -i dsl0 -p tcp -m tcp --dport 8513 -j DNAT --to-destination 172.24.128.51:3389
-A PREROUTING -i eth1 -p tcp -m tcp --dport 8513 -j DNAT --to-destination 172.24.128.51:3389
-A POSTROUTING -o dsl0 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Sat Sep 17 13:20:30 2011
# Generated by iptables-save v1.4.8 on Sat Sep 17 13:20:30 2011
*mangle
:PREROUTING ACCEPT [642293:532998405]
:INPUT ACCEPT [12137:1239652]
:FORWARD ACCEPT [625793:529367692]
:OUTPUT ACCEPT [2891:325551]
:POSTROUTING ACCEPT [628777:529707910]
-A PREROUTING -d 224.0.0.0/4 -p udp -j TTL --ttl-inc 1
COMMIT
# Completed on Sat Sep 17 13:20:30 2011
# Generated by iptables-save v1.4.8 on Sat Sep 17 13:20:30 2011
*raw
:PREROUTING ACCEPT [642291:532996847]
:OUTPUT ACCEPT [2892:326391]
-A PREROUTING -i lo -j NOTRACK
-A OUTPUT -o lo -j NOTRACK
COMMIT
# Completed on Sat Sep 17 13:20:30 2011
# Generated by iptables-save v1.4.8 on Sat Sep 17 13:20:30 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4:160]
:forward_ext - [0:0]
:forward_int - [0:0]
:input_ext - [0:0]
:input_int - [0:0]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED -j ACCEPT
-A INPUT -d 224.0.0.0/4 -i eth1 -j ACCEPT
-A INPUT -s 224.0.0.0/4 -i eth1 -j ACCEPT
-A INPUT -i eth0 -j input_int
-A INPUT -i dsl0 -j input_ext
-A INPUT -i eth1 -j input_ext
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -d 224.0.0.0/4 -j ACCEPT
-A FORWARD -s 224.0.0.0/4 -j ACCEPT
-A FORWARD -i eth0 -j forward_int
-A FORWARD -i dsl0 -j forward_ext
-A FORWARD -i eth1 -j forward_ext
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_ext -i dsl0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -d 172.24.128.51/32 -p tcp -m limit --limit 3/min -m tcp --dport 3389 -m state --state NEW -j LOG --log-prefix "SFW2-FWDext-ACC-REVMASQ " --log-tcp-options --log-ip-options
-A forward_ext -d 172.24.128.51/32 -p tcp -m tcp --dport 3389 -j ACCEPT
-A forward_ext -s 172.24.128.51/32 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -m pkttype --pkt-type multicast -j DROP
-A forward_ext -m pkttype --pkt-type broadcast -j DROP
-A forward_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p udp -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -j DROP
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_int -i eth0 -o dsl0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_int -i eth0 -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_int -d 172.24.128.51/32 -p tcp -m limit --limit 3/min -m tcp --dport 3389 -m state --state NEW -j LOG --log-prefix "SFW2-FWDint-ACC-REVMASQ " --log-tcp-options --log-ip-options
-A forward_int -d 172.24.128.51/32 -p tcp -m tcp --dport 3389 -j ACCEPT
-A forward_int -s 172.24.128.51/32 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_int -m pkttype --pkt-type multicast -j DROP
-A forward_int -m pkttype --pkt-type broadcast -j DROP
-A forward_int -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p udp -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -j reject_func
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 1024:5000 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 1024:5000 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 40000:40500 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 40000:40500 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 21 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A input_int -j ACCEPT
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Sat Sep 17 13:20:30 2011

Only dsl0 should be used; 178.24.128.0/24 is the LAN and isn't needed for this task)

ioerror ()
In reply to: comment by ioerror

Did you write that yourself? %)

After a quick look I don't see port 8080 being open anywhere. Run nmap -p 8080 your.proxy.ip from outside.

adriano32 ★★★ ()
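The reason 8080 is not open can be read straight off the filter table above: traffic arriving on dsl0 is handed to input_ext, which accepts 1024:5000, 40000:40500, 21 and 22 and then drops everything else, so 8080 never reaches ACCEPT. The script below is an added example, not part of the thread: a toy evaluator for the iptables-save syntax that walks INPUT and the user chains it jumps to for a new TCP SYN and reports the verdict together with the rule that decided it. The embedded ruleset is a constructed excerpt of the table pasted above, and `FIXED_RULESET` assumes that opening the port on the external zone lands as an ACCEPT in input_ext ahead of its final DROP.

```python
"""Toy evaluator for the iptables-save dialect pasted above: for a new TCP
SYN arriving on a given interface and port, walk INPUT and the user chains
it jumps to and report the verdict plus the deciding rule. Only -i, -p,
--dport, --state and -j are interpreted; any other option (-m limit,
--log-prefix, ...) is skipped, so keep rulesets to those matches."""
import shlex

# Constructed excerpt of the filter table in the thread: INPUT plus the
# SuSEfirewall2 input_ext / input_int chains, reduced to what matters for a SYN.
RULESET = """\
:INPUT DROP [0:0]
:input_ext - [0:0]
:input_int - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j input_int
-A INPUT -i dsl0 -j input_ext
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET "
-A INPUT -j DROP
-A input_ext -p tcp -m tcp --dport 1024:5000 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 40000:40500 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 21 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT "
-A input_ext -j DROP
-A input_int -j ACCEPT
"""

# Same table once 8080 is allowed on the external zone. Assumption: the YaST /
# SuSEfirewall2 change lands as an ACCEPT in input_ext ahead of its final DROP.
FIXED_RULESET = RULESET.replace(
    "-A input_ext -j DROP",
    "-A input_ext -p tcp -m tcp --dport 8080 -j ACCEPT\n-A input_ext -j DROP",
)

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
OPTION_KEYS = {"-i": "iface", "-p": "proto", "-j": "target"}


def parse_ruleset(text):
    """({chain: policy}, {chain: [rule dict, ...]}); policy '-' = user chain."""
    policies, rules = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):                        # ":INPUT DROP [0:0]"
            name, policy, _counters = line[1:].split(maxsplit=2)
            policies[name], rules[name] = policy, []
            continue
        toks = shlex.split(line)
        if toks[:1] != ["-A"]:
            continue
        r = {"text": line, "target": ""}
        i = 2
        while i < len(toks):
            t, arg = toks[i], toks[i + 1] if i + 1 < len(toks) else ""
            if t in OPTION_KEYS:
                r[OPTION_KEYS[t]] = arg
            elif t == "--dport":                        # "22" or "1024:5000"
                lo, _, hi = arg.partition(":")
                r["dports"] = (int(lo), int(hi or lo))
            elif t == "--state":
                r["states"] = set(arg.split(","))
            else:                                       # unsupported option: skip
                i += 1
                continue
            i += 2
        rules.setdefault(toks[1], []).append(r)
    return policies, rules


def _walk(policies, rules, chain, iface, dport, state):
    """Evaluate one chain; None means it fell through (implicit RETURN)."""
    for r in rules.get(chain, []):
        if r.get("iface", iface) != iface or r.get("proto", "tcp") != "tcp":
            continue
        lo, hi = r.get("dports", (dport, dport))
        if not lo <= dport <= hi or state not in r.get("states", {state}):
            continue
        target = r["target"]
        if target in TERMINAL:
            return target, r["text"]
        if target == "RETURN":
            return None
        if target in rules:                             # jump into a user chain
            result = _walk(policies, rules, target, iface, dport, state)
            if result is not None:
                return result
        # LOG and other non-terminating targets: carry on with the next rule
    policy = policies.get(chain, "-")
    return (policy, "chain policy") if policy in TERMINAL else None


def verdict(text, iface, dport):
    """(verdict, deciding rule text) for a new TCP SYN to dport arriving on iface."""
    result = _walk(*parse_ruleset(text), "INPUT", iface, dport, "NEW")
    if result is None:
        raise ValueError("INPUT has no terminal policy")
    return result


if __name__ == "__main__":
    for label, rs in (("as pasted", RULESET), ("8080 opened", FIXED_RULESET)):
        print(label, "-> SYN on dsl0:8080:", *verdict(rs, "dsl0", 8080))
```

Feeding it the pasted table gives `DROP` from `-A input_ext -j DROP` for a SYN on dsl0 to 8080, while the same port on eth0 is accepted through input_int; with the extra ACCEPT in input_ext the external verdict flips. Running nmap from outside, as suggested above, is the check that confirms what this simulation predicts on the live box.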
In reply to: comment by adriano32

Thanks, you pointed me in the right direction: I opened the port through yast2 and everything works now. Grand merci.

ioerror ()