Topic: NAT - Masquerade, access from the inside to the inside (SYN -> RST,ACK)

  1. #1

    NAT - Masquerade, access from the inside to the inside (SYN -> RST,ACK)

    Hi, since our hardware router, an Asus WL500g Deluxe, has been freezing constantly lately, I decided to do the routing on my server. Unfortunately not everything works :/

    The layout is roughly as follows...
    Code:
                                    vmware (bridge)
                                    router
                                    hostname:gentoo
                                 |---------------------|
                    PC           |   eth0              |
                    |            | /      \            |
    ISP - modem - switch -- server-        Masquerade  |
                    |            | \      /            |
                    PC           |   eth1              |
                                 |---------------------|
    A server with a single NIC hangs off the switch; VMware runs on it and reaches the network through a bridge, and inside VMware runs a virtual machine (the router) with two NICs (eth0, eth1). The bridge should be fully transparent, so it is as if another PC with two NICs were plugged directly into the switch. eth0 has the public address from the ISP, eth1 has a private one.
    Code:
    gentoo ~ # ip addr
    1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: sit0: <NOARP> mtu 1480 qdisc noop
        link/sit 0.0.0.0 brd 0.0.0.0
    3: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:0c:29:63:2d:43 brd ff:ff:ff:ff:ff:ff
        inet 62.24.66.141/24 brd 62.24.66.255 scope global eth0
        inet6 fe80::20c:29ff:fe63:2d43/64 scope link
           valid_lft forever preferred_lft forever
    4: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:0c:29:63:2d:4d brd ff:ff:ff:ff:ff:ff
        inet 192.168.123.250/24 brd 192.168.123.255 scope global eth1
        inet6 fe80::20c:29ff:fe63:2d4d/64 scope link
           valid_lft forever preferred_lft forever
    Code:
    gentoo ~ # iptables -vn -L
    Chain INPUT (policy ACCEPT 194K packets, 17M bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain FORWARD (policy ACCEPT 31M packets, 18G bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain OUTPUT (policy ACCEPT 374K packets, 59M bytes)
     pkts bytes target     prot opt in     out     source               destination
    Code:
    gentoo ~ # iptables -t nat -nv -L
    Chain PREROUTING (policy ACCEPT 1152K packets, 101M bytes)
     pkts bytes target     prot opt in     out     source               destination
     131K 6802K DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:59999 to:192.168.123.110
    1129K  142M DNAT       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:59999 to:192.168.123.110
       11   552 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:413 to:192.168.123.22
      760  130K DNAT       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:413 to:192.168.123.22
        0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1984 to:192.168.123.22
        0     0 DNAT       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:1984 to:192.168.123.22
       12  2510 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpts:2000:2010 to:192.168.123.22
      149  8900 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21 to:192.168.123.124
       54  2870 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpts:60000:60200 to:192.168.123.124
       12   491 DNAT       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:5555 to:192.168.123.124
       14   783 DNAT       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194 to:192.168.123.124
     1282 63220 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:192.168.123.124
       17  3390 DNAT       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:8767 to:192.168.123.124
        0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113 to:192.168.123.124
    
    Chain POSTROUTING (policy ACCEPT 1369K packets, 161M bytes)
     pkts bytes target     prot opt in     out     source               destination
     741K   58M MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    
    Chain OUTPUT (policy ACCEPT 13544 packets, 1343K bytes)
     pkts bytes target     prot opt in     out     source               destination
    I have some ports forwarded inward to various PCs; from the outside everything works, but when I want to connect to those ports from inside the NAT, it is not possible.
    Example...
    From a PC behind the NAT (192.168.123.126) I want to connect to the web server (192.168.123.124) via the public address (62.24.66.141).
    So I start a TCP connection and send a SYN; nothing at all reaches eth0, an RST,ACK comes straight back and that ends the connection.

    Code:
    gentoo ~ # tshark -i eth1 -p -f "host 192.168.123.126 and port 80" -V
    Capturing on eth1
    Frame 1 (74 bytes on wire, 74 bytes captured)
        Arrival Time: Nov 27, 2007 03:09:19.521087000
        [Time delta from previous captured frame: 1196129359.521087000 seconds]
        [Time delta from previous displayed frame: 1196129359.521087000 seconds]
        [Time since reference or first frame: 1196129359.521087000 seconds]
        Frame Number: 1
        Frame Length: 74 bytes
        Capture Length: 74 bytes
        [Frame is marked: False]
        [Protocols in frame: eth:ip:tcp]
    Ethernet II, Src: Intel_1b:3a:6c (00:19:d1:1b:3a:6c), Dst: Vmware_63:2d:4d (00:0c:29:63:2d:4d)
        Destination: Vmware_63:2d:4d (00:0c:29:63:2d:4d)
            Address: Vmware_63:2d:4d (00:0c:29:63:2d:4d)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Source: Intel_1b:3a:6c (00:19:d1:1b:3a:6c)
            Address: Intel_1b:3a:6c (00:19:d1:1b:3a:6c)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Type: IP (0x0800)
    Internet Protocol, Src: 192.168.123.126 (192.168.123.126), Dst: 62.24.66.141 (62.24.66.141)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 60
        Identification: 0xdcc1 (56513)
        Flags: 0x04 (Don't Fragment)
            0... = Reserved bit: Not set
            .1.. = Don't fragment: Set
            ..0. = More fragments: Not set
        Fragment offset: 0
        Time to live: 64
        Protocol: TCP (0x06)
        Header checksum: 0xa12e [correct]
            [Good: True]
            [Bad : False]
        Source: 192.168.123.126 (192.168.123.126)
        Destination: 62.24.66.141 (62.24.66.141)
    Transmission Control Protocol, Src Port: 34812 (34812), Dst Port: http (80), Seq: 0, Len: 0
        Source port: 34812 (34812)
        Destination port: http (80)
        Sequence number: 0    (relative sequence number)
        Header length: 40 bytes
        Flags: 0x02 (SYN)
            0... .... = Congestion Window Reduced (CWR): Not set
            .0.. .... = ECN-Echo: Not set
            ..0. .... = Urgent: Not set
            ...0 .... = Acknowledgment: Not set
            .... 0... = Push: Not set
            .... .0.. = Reset: Not set
            .... ..1. = Syn: Set
            .... ...0 = Fin: Not set
        Window size: 5840
        Checksum: 0x72e0 [correct]
            [Good Checksum: True]
            [Bad Checksum: False]
        Options: (20 bytes)
            Maximum segment size: 1460 bytes
            SACK permitted
            Timestamps: TSval 1262329001, TSecr 0
            NOP
            Window scale: 7 (multiply by 128)
    
    Frame 2 (54 bytes on wire, 54 bytes captured)
        Arrival Time: Nov 27, 2007 03:09:19.521278000
        [Time delta from previous captured frame: 0.000191000 seconds]
        [Time delta from previous displayed frame: 0.000191000 seconds]
        [Time since reference or first frame: 1196129359.521278000 seconds]
        Frame Number: 2
        Frame Length: 54 bytes
        Capture Length: 54 bytes
        [Frame is marked: False]
        [Protocols in frame: eth:ip:tcp]
    Ethernet II, Src: Vmware_63:2d:4d (00:0c:29:63:2d:4d), Dst: Intel_1b:3a:6c (00:19:d1:1b:3a:6c)
        Destination: Intel_1b:3a:6c (00:19:d1:1b:3a:6c)
            Address: Intel_1b:3a:6c (00:19:d1:1b:3a:6c)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Source: Vmware_63:2d:4d (00:0c:29:63:2d:4d)
            Address: Vmware_63:2d:4d (00:0c:29:63:2d:4d)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Type: IP (0x0800)
    Internet Protocol, Src: 62.24.66.141 (62.24.66.141), Dst: 192.168.123.126 (192.168.123.126)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 40
        Identification: 0x0000 (0)
        Flags: 0x04 (Don't Fragment)
            0... = Reserved bit: Not set
            .1.. = Don't fragment: Set
            ..0. = More fragments: Not set
        Fragment offset: 0
        Time to live: 64
        Protocol: TCP (0x06)
        Header checksum: 0x7e04 [correct]
            [Good: True]
            [Bad : False]
        Source: 62.24.66.141 (62.24.66.141)
        Destination: 192.168.123.126 (192.168.123.126)
    Transmission Control Protocol, Src Port: http (80), Dst Port: 34812 (34812), Seq: 0, Ack: 1, Len: 0
        Source port: http (80)
        Destination port: 34812 (34812)
        Sequence number: 0    (relative sequence number)
        Acknowledgement number: 1    (relative ack number)
        Header length: 20 bytes
        Flags: 0x14 (RST, ACK)
            0... .... = Congestion Window Reduced (CWR): Not set
            .0.. .... = ECN-Echo: Not set
            ..0. .... = Urgent: Not set
            ...1 .... = Acknowledgment: Set
            .... 0... = Push: Not set
            .... .1.. = Reset: Set
            .... ..0. = Syn: Not set
            .... ...0 = Fin: Not set
        Window size: 0
        Checksum: 0xd966 [correct]
            [Good Checksum: True]
            [Bad Checksum: False]
        [SEQ/ACK analysis]
            [This is an ACK to the segment in frame: 1]
            [The RTT to ACK the segment was: 0.000191000 seconds]
    
    2 packets captured
    Thanks in advance for any advice and any effort to help.

    Fanless Experiment || Gigabyte Z77-DS3H | Intel i5-3570K | Thermalright HR-02 | 16G DDR3 | Sapphire HD 7750 Ultimate | Crucial M4 256GB | Seasonic X-400FL | Fractal Define R4
    Dell D430 || i945G | C2D 1.2G ULV | 2G DDR2 533 | GMA950 | 12" 1280x800 | 80G 4k2 | 802.3ab | 802.11g | 802.15.1 | HSDPA | Windows 7 x64
    Storage || i965G | E2200 | 4G DDR2 | RAID5 6x Samsung HD154UI 1.5TB - ~7TiB | 802.3ab ...powered by Ubuntu Server x64
    Accessories || E-MU Tracker Pre USB 2.0 | Meier Corda Headsix | Sony MDR-CD470 | Pioneer A-204R | Tesla ARS 9218 32 | LG 32LD350

    "Music is essentially useless, as life is." George Santayana


  2. #2

    Re: NAT - Masquerade, access from the inside to the inside (SYN -> RST,ACK)

    Solved; it has to be NATed a bit differently.
    This is how it works.
    Code:
    gentoo ~ # iptables -t nat -nv --line-numbers -L
    Chain PREROUTING (policy ACCEPT 2126K packets, 183M bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1      272 13900 DNAT       tcp  --  *      *       0.0.0.0/0            62.24.66.141        tcp dpt:59999 to:192.168.123.110
    2     1265  159K DNAT       udp  --  *      *       0.0.0.0/0            62.24.66.141        udp dpt:59999 to:192.168.123.110
    3        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            62.24.66.141        tcp dpt:21 to:192.168.123.124
    4        2   112 DNAT       tcp  --  *      *       0.0.0.0/0            62.24.66.141        tcp dpt:80 to:192.168.123.124
    5        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            62.24.66.141        tcp dpt:113 to:192.168.123.124
    6        0     0 DNAT       udp  --  *      *       0.0.0.0/0            62.24.66.141        udp dpt:1194 to:192.168.123.124
    7        0     0 DNAT       udp  --  *      *       0.0.0.0/0            62.24.66.141        udp dpt:8767 to:192.168.123.124
    8        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            62.24.66.141        tcp dpts:60000:60200 to:192.168.123.124
    9        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            62.24.66.141        tcp dpt:413 to:192.168.123.22
    10       0     0 DNAT       udp  --  *      *       0.0.0.0/0            62.24.66.141        udp dpt:413 to:192.168.123.22
    11       0     0 DNAT       tcp  --  *      *       0.0.0.0/0            62.24.66.141        tcp dpt:1984 to:192.168.123.22
    12       0     0 DNAT       udp  --  *      *       0.0.0.0/0            62.24.66.141        udp dpt:1984 to:192.168.123.22
    13       0     0 DNAT       tcp  --  *      *       0.0.0.0/0            62.24.66.141        tcp dpts:2000:2010 to:192.168.123.22
    
    Chain POSTROUTING (policy ACCEPT 2639K packets, 310M bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1     3387  251K SNAT       all  --  *      *       192.168.123.0/24     0.0.0.0/0           to:62.24.66.141
    
    Chain OUTPUT (policy ACCEPT 19339 packets, 1806K bytes)
    num   pkts bytes target     prot opt in     out     source               destination

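The difference between the two posts is the hairpin (NAT loopback) case: the original DNAT rules matched on `-i eth0`, so a SYN from a LAN host arriving on eth1 was never rewritten, the router's own TCP stack saw a connection to 62.24.66.141:80 with nothing listening, and answered RST,ACK. Post #2 keys the DNAT rules on the public address instead and adds an SNAT so the hairpinned reply comes back through the router rather than straight from server to client. The script below is an added example, not the poster's configuration; it generates the equivalent iptables rules for the addresses, ports and interface names shown in this thread, prints them in dry-run mode by default, and includes the interface-bound rule only for comparison. The narrower SNAT rule (only flows whose post-DNAT destination is still in the LAN) is my own choice and goes beyond post #2, which SNATs all LAN traffic.

```shell
#!/bin/sh
# Hairpin-NAT (NAT loopback) rule generator for the layout in this thread.
# Addresses, ports, targets and interface names are taken from the posts.
# Dry-run by default: IPT="echo iptables" prints the commands instead of
# applying them. Run with IPT=iptables as root to apply them for real.

WAN_IP="${WAN_IP:-62.24.66.141}"
LAN_NET="${LAN_NET:-192.168.123.0/24}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
IPT="${IPT:-echo iptables}"

# Port forwards as "proto port(s) internal_host", one per line
# (a subset of the rules listed in post #2).
FORWARDS='tcp 80 192.168.123.124
tcp 21 192.168.123.124
udp 1194 192.168.123.124
tcp 59999 192.168.123.110
tcp 2000:2010 192.168.123.22'

# Broken form from post #1, kept only for comparison: the rule keys on the
# ingress interface, so a SYN from a LAN host arriving on eth1 is never
# rewritten and the router itself answers RST,ACK.
interface_bound_dnat() {
  $IPT -t nat -A PREROUTING -i "$WAN_IF" -p "$1" --dport "$2" \
       -j DNAT --to-destination "$3"
}

# Working form from post #2: match on the public address instead of the
# interface, so one rule serves Internet clients and LAN clients alike.
hairpin_dnat() {
  $IPT -t nat -A PREROUTING -p "$1" -d "$WAN_IP" --dport "$2" \
       -j DNAT --to-destination "$3"
}

# A LAN client reaching a LAN server through WAN_IP expects the reply from
# WAN_IP; a direct server-to-client reply would be reset. POSTROUTING sees
# the post-DNAT destination, so "-d LAN_NET" here selects exactly the
# hairpinned flows and rewrites their source to WAN_IP, forcing the reply
# back through the router, where conntrack undoes both translations.
hairpin_snat() {
  $IPT -t nat -A POSTROUTING -s "$LAN_NET" -d "$LAN_NET" -o "$LAN_IF" \
       -j SNAT --to-source "$WAN_IP"
}

# Ordinary outbound masquerading for LAN hosts, as in post #1.
outbound_masq() {
  $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Emit (or apply) the complete nat ruleset for the forwards listed above.
apply_all() {
  printf '%s\n' "$FORWARDS" | while read -r proto port target; do
    hairpin_dnat "$proto" "$port" "$target"
  done
  hairpin_snat
  outbound_masq
}

apply_all
```

Run it as-is to review the generated commands; rerun with `IPT=iptables` (as root, on the router VM) to apply them. Rule order matters only in that the DNAT rules must be in PREROUTING and the SNAT in POSTROUTING, which the functions fix; the hairpin SNAT is listed before the MASQUERADE rule so that LAN-to-LAN flows never fall through to it.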

