what does ipforward say?
and also try the recommended DNAT in a single step (I've never tested
with chains, in theory it should work, but to be safe try it without
jumps too, as I've run into various oddities of this kind before)

On 9/27/2012 11:28 AM, alex alex wrote:
> The dump tells me the packet goes past prerouting and reaches B, which has
> no listener open on 1234, which is correct:
>
> tcpdump -nli eth1 host 10.199.25.58 -nnN
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
> 11:25:37.889671 IP 10.199.25.58.65522 > 172.20.44.36.1234: UDP, length 1464
> 11:25:37.889701 IP 172.20.44.36 > 10.199.25.58: ICMP 172.20.44.36 udp port 1234 unreachable, length 556
>
>
> 2012/9/27 Catalin(ux) M. BOIE <ca...@embedromix.ro>
>
>> On Thu, 27 Sep 2012, alex alex wrote:
>>
>> Hi.
>>
>> The dump of the ICMP packet (the original UDP packet) is missing.
>> Can you redo the tcpdump, please?
>>
>>> It is reachable, but not directly connected. From B:
>>> ping 172.16.116.142
>>> PING 172.16.116.142 (172.16.116.142) 56(84) bytes of data.
>>> 64 bytes from 172.16.116.142: icmp_seq=1 ttl=61 time=5.16 ms
>>> 64 bytes from 172.16.116.142: icmp_seq=2 ttl=61 time=1.75 ms
>>> Routes:
>>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>>> 172.16.116.142  172.16.217.61   255.255.255.255 UGH   0      0        0 eth0
>>>
>>> Anyway, I don't see what the point of it being directly connected would be.
>>>
>>>
>>>
>>> 2012/9/27 Alex 'CAVE' Cernat <c...@cernat.ro>
>>>
>>>>   what netmask is set on eth0? Is server A definitely reachable directly from B?
>>>>
>>>> 9/27/2012 10:38 AM, alex alex wrote:
>>>>
>>>> The layout is simple (A, B, C are the computers; between them are routers (R)):
>>>>
>>>>           A                                  B                                    C
>>>>  |eth0 172.16.116.142|----|R|----Eth0 |       | Eth1 172.20.44.36----|R|----|10.199.25.58|
>>>>                    172.16.217.61      |  B    |
>>>>                                       |_______|
>>>>                                         Eth2
>>>>                                          |
>>>>                                          +---- Other network
>>>>
>>>>
>>>> The packets arrive on eth1 (computer B):
>>>>   tcpdump -nli eth1 host 10.199.25.58 -nnN
>>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>>> listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
>>>> 10:29:43.640171 IP 10.199.25.58.65522 > 172.20.44.36.1234: UDP, length 1464
>>>> 10:29:43.675942 IP 10.199.25.58.65522 > 172.20.44.36.1234: UDP, length 1464
>>>> C is only the source; the packets are UDP. No bidirectional connection is
>>>> needed, only C->A (that would be the goal).
>>>> I know I did the same thing a while ago and I feel I'm missing
>>>> something. If you have ideas, shoot!
>>>> Thanks,
>>>> alex
>>>>
>>>>
>>>> 2012/9/27 Alex 'CAVE' Cernat <c...@cernat.ro>
>>>>
>>>>> looks fine at first glance (I don't know why you complicated things with
>>>>> extra chains, but anyway, if it's easier for you then so be it - in
>>>>> fact I see you also log there, it's simpler to think of it that way)
>>>>>
>>>>> I have only one doubt: is eth1 definitely the interface the packets
>>>>> to be DNAT-ed arrive on?
>>>>>
>>>>> I think a bit of ASCII art wouldn't hurt either, with the network layout
>>>>> (i.e. the 3 computers in the problem), which eth interfaces they are
>>>>> connected on, maybe some IP addresses (real or 'fake', depending on how
>>>>> much you prefer to disclose - they're already in the tcpdump anyway)
>>>>>
>>>>>
>>>>> On 9/27/2012 9:02 AM, alex alex wrote:
>>>>>
>>>>>>   Hi,
>>>>>> I need a clear head for setting up a DNAT.
>>>>>> In short, I have 3 computers (A, B, C). B does masquerade (iptables) for A.
>>>>>> At the same time, C sends UDP packets to B, to a specific port (1234).
>>>>>> I want those packets to reach A.
>>>>>> What I did:
>>>>>> iptables -t nat -N forward_to_server
>>>>>> iptables -t nat -A forward_to_server -j LOG --log-prefix " [>] New Forward"
>>>>>> iptables -t nat -A forward_to_server -p udp -j DNAT --to 172.16.116.142:9996
>>>>>> iptables -t nat -I PREROUTING -i eth1 -p udp --dport 1234 -j forward_to_server
>>>>>>
>>>>>>
>>>>>> The result is
>>>>>>
>>>>>> iptables -L -n -v -t nat
>>>>>> Chain PREROUTING (policy ACCEPT 6837 packets, 668K bytes)
>>>>>>  pkts bytes target     prot opt in     out     source               destination
>>>>>>     0     0 forward_to_server  udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:1234
>>>>>>
>>>>>> Chain POSTROUTING (policy ACCEPT 9350 packets, 785K bytes)
>>>>>>  pkts bytes target     prot opt in     out     source               destination
>>>>>> 33527 2914K MASQUERADE  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
>>>>>>    65  5460 MASQUERADE  all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
>>>>>>
>>>>>> Chain OUTPUT (policy ACCEPT 36414 packets, 3058K bytes)
>>>>>>  pkts bytes target     prot opt in     out     source               destination
>>>>>>
>>>>>> Chain forward_to_server (1 references)
>>>>>>  pkts bytes target     prot opt in     out     source               destination
>>>>>>     0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix ` [>] New Forward'
>>>>>>     0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           to:172.16.116.142:9996
>>>>>>
>>>>>> Still, no packet hits my rule in PREROUTING (at least that's how it
>>>>>> looks), although I have no other filters (the other tables are policy ACCEPT).
>>>>>> Of course, during this time there are packets coming towards B, only
>>>>>> they are not selected.
>>>>>> 08:56:09.311323 IP 10.199.25.58.65522 > 172.20.44.36.1234: UDP, length 1464
>>>>>> 08:56:09.365042 IP 10.199.25.58.65522 > 172.20.44.36.1234: UDP, length 1464
>>>>>> 08:56:09.365075 IP 172.20.44.36 > 10.199.25.58: ICMP 172.20.44.36 udp port 1234 unreachable, length 556
>>>>>> I feel I'm missing something, but I don't know what. A hint to get me
>>>>>> unstuck would help.
>>>>>> Thanks,
>>>>>> alex
>>>>>>   _______________________________________________
>>>>>> RLUG mailing list
>>>>>> RLUG@lists.lug.ro
>>>>>> http://lists.lug.ro/mailman/listinfo/rlug
>>>>>>
>>>>>
>>>>
>>>
>> --
>> Catalin(ux) M. BOIE
>> http://kernel.embedromix.ro/
>>

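A worked version of the two suggestions made in the thread (check ip_forward, and try the DNAT as a single PREROUTING rule with no user chain), as an added example that is not code posted by anyone in the thread. It uses the interface and addresses from the posts (eth1, UDP/1234, 172.16.116.142:9996); the dry-run/--apply switch, the conntrack deletion step and the embedded sample of the PREROUTING counters are assumptions of the example. The conntrack step is the check a practitioner would add on top of the thread's advice: the nat table is consulted only for the first packet of a flow, so a UDP stream that was already running when the rule was inserted keeps refreshing its existing conntrack entry and never reaches the new DNAT rule, which is exactly what a counter stuck at 0 while tcpdump still shows the packets looks like.

```shell
#!/bin/sh
# Added example, not from the thread: single-step DNAT for UDP/1234 arriving on
# eth1 of B, forwarded to 172.16.116.142:9996 on A, plus the checks a
# practitioner would run. Everything is parameterised so it can be inspected
# without root (dry run, the default) or applied on B as root (--apply).

# Print the rules for "UDP to B:$dport arriving on $in_if goes to $target".
# A plain DNAT in PREROUTING with no user chain, so a missed jump cannot be
# the reason the counter stays at zero. The FORWARD ACCEPT is only needed if
# the filter table's FORWARD policy is not ACCEPT (in the thread it is).
dnat_rules() {
    in_if=$1; dport=$2; target=$3
    printf '%s\n' \
        "iptables -t nat -I PREROUTING -i $in_if -p udp --dport $dport -j DNAT --to-destination $target" \
        "iptables -I FORWARD -i $in_if -p udp -d ${target%:*} --dport ${target#*:} -j ACCEPT"
}

# The nat table only sees the first packet of a flow (conntrack NEW). A UDP
# stream that was already running when the rule was inserted has a conntrack
# entry that every further packet refreshes, so it never hits the DNAT rule
# and B keeps answering "port unreachable". Deleting the entry makes the
# next packet NEW again. Needs conntrack-tools installed.
conntrack_flush_cmd() {
    printf 'conntrack -D -p udp --dport %s\n' "$1"
}

# Succeed if forwarding is enabled in the given sysctl file; the path
# argument exists so the check can be exercised on a constructed file.
ip_forward_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Sum the packet counter of every rule whose target is $1, reading the
# output of `iptables -t nat -L -n -v` from stdin. Zero here while tcpdump
# shows the packets arriving means the flow is not NEW: flush conntrack.
nat_target_hits() {
    awk -v t="$1" '$3 == t { n += $1 } END { print n + 0 }'
}

# Constructed sample for the dry run: the PREROUTING chain as posted.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 6837 packets, 668K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forward_to_server  udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:1234'

if [ "${1:-}" = "--apply" ]; then
    ip_forward_enabled || sysctl -w net.ipv4.ip_forward=1
    dnat_rules eth1 1234 172.16.116.142:9996 | sh
    conntrack_flush_cmd 1234 | sh
else
    if ip_forward_enabled; then echo "ip_forward: on"; else echo "ip_forward: off or unreadable"; fi
    dnat_rules eth1 1234 172.16.116.142:9996
    conntrack_flush_cmd 1234
    hits=$(printf '%s\n' "$SAMPLE_NAT" | nat_target_hits forward_to_server)
    echo "packets that reached forward_to_server in the sample: $hits"
fi
```

Run without arguments on any machine to see the commands it would issue and the parsed counter from the sample; run with --apply as root on B. Afterwards `iptables -t nat -L PREROUTING -n -v` should show the DNAT counter rising once per new flow, and B should stop sending the ICMP port-unreachable replies seen in the captures, because the packets are now rewritten and forwarded to A instead of being delivered locally.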
