Главная » Форум » Gentoo Linux » Системное администрирование

[РЕШЕНО]Настройка firewall

pascorp 6 Августа, 2014 - 22:01

Тема не совсем про gentoo, но раз про администрирование надеюсь не запинают.
Есть маршрутизатор беспроводной (1 wifi, 1wan,4 lan) OpenWrt & TP-Link WR842NDv2 & xl2tpd.
1. Доступ в интернет для маршрутизатора настроил: через ssh с маршрутизатора гугл пингуется.
2. Доступ с компьютера (и по wifi с телефона) к маршрутизатору настроил (по ssh на маршрутизатор захожу).
3. Доступ с компьютера (и телефона) в интернет отсутствует. При этом пингуется как шлюз локалки провайдера, так и шлюз VPN L2TP.
Вот настройки файервола маршрутизатора (в формате принятом в OpenWrt:


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option target 'ACCEPT'
	option dest '*'
	option name '1'
	option proto 'all'
	option src '*'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option network 'vpn'

config zone
	option name 'LAN'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option network 'lan'

config zone
	option name 'WAN'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option network 'wan'

config zone
	option name 'WAN6'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option network 'wan6'
	option masq '1'

config redirect
	option enabled '1'

config forwarding
	option dest 'vpn'
	option src 'LAN'

config forwarding
	option dest 'WAN'
	option src 'LAN'

config forwarding
	option dest 'WAN'
	option src 'vpn'

config redirect
	option enabled '1'

config forwarding
	option dest 'LAN'
	option src 'WAN6'

config forwarding
	option dest 'WAN'
	option src 'WAN6'

config forwarding
	option dest 'vpn'
	option src 'WAN6'

Вот те же настройки через вебморду ссылка
По моему, видимо неправильному, мнению должно работать. Но не работает.
Помогите кто может. :-(

‹ memory_limit и dev-php/suhosin. Не срабатывает опция suhosin.memory_limit. Nginx HTTP/1.1 302 Moved Temporarily ›
»

.

Автор willy, дата создания 7 Августа, 2014 - 02:29.

По ссылке присутствует чек - "Ограничение MSS" - это по-своему назвато: --clamp-mss-to-pmtu ?

»

Если перейти на английский,

Автор pascorp, дата создания 7 Августа, 2014 - 05:34.

Если перейти на английский, то это называется как "MSS clamping".
Выхлоп iptables-save:

root@OpenWrt:~# iptables-save 
# Generated by iptables-save v1.4.21 on Thu Aug  7 01:18:48 2014
*nat
:PREROUTING ACCEPT [297:31115]
:INPUT ACCEPT [181:20255]
:OUTPUT ACCEPT [201:22235]
:POSTROUTING ACCEPT [179:11939]
:delegate_postrouting - [0:0]
:delegate_prerouting - [0:0]
:postrouting_LAN_rule - [0:0]
:postrouting_WAN6_rule - [0:0]
:postrouting_WAN_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpn_rule - [0:0]
:prerouting_LAN_rule - [0:0]
:prerouting_WAN6_rule - [0:0]
:prerouting_WAN_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpn_rule - [0:0]
:zone_LAN_postrouting - [0:0]
:zone_LAN_prerouting - [0:0]
:zone_WAN6_postrouting - [0:0]
:zone_WAN6_prerouting - [0:0]
:zone_WAN_postrouting - [0:0]
:zone_WAN_prerouting - [0:0]
:zone_vpn_postrouting - [0:0]
:zone_vpn_prerouting - [0:0]
-A PREROUTING -j delegate_prerouting
-A POSTROUTING -j delegate_postrouting
-A delegate_postrouting -m comment --comment "user chain for postrouting" -j postrouting_rule
-A delegate_postrouting -o br-lan -j zone_LAN_postrouting
-A delegate_postrouting -o eth0 -j zone_WAN_postrouting
-A delegate_postrouting -o wlan0 -j zone_WAN6_postrouting
-A delegate_prerouting -m comment --comment "user chain for prerouting" -j prerouting_rule
-A delegate_prerouting -i br-lan -j zone_LAN_prerouting
-A delegate_prerouting -i eth0 -j zone_WAN_prerouting
-A delegate_prerouting -i wlan0 -j zone_WAN6_prerouting
-A zone_LAN_postrouting -m comment --comment "user chain for postrouting" -j postrouting_LAN_rule
-A zone_LAN_postrouting -j MASQUERADE
-A zone_LAN_prerouting -m comment --comment "user chain for prerouting" -j prerouting_LAN_rule
-A zone_WAN6_postrouting -m comment --comment "user chain for postrouting" -j postrouting_WAN6_rule
-A zone_WAN6_postrouting -j MASQUERADE
-A zone_WAN6_prerouting -m comment --comment "user chain for prerouting" -j prerouting_WAN6_rule
-A zone_WAN_postrouting -m comment --comment "user chain for postrouting" -j postrouting_WAN_rule
-A zone_WAN_postrouting -j MASQUERADE
-A zone_WAN_prerouting -m comment --comment "user chain for prerouting" -j prerouting_WAN_rule
-A zone_vpn_postrouting -m comment --comment "user chain for postrouting" -j postrouting_vpn_rule
-A zone_vpn_postrouting -j MASQUERADE
-A zone_vpn_prerouting -m comment --comment "user chain for prerouting" -j prerouting_vpn_rule
COMMIT
# Completed on Thu Aug  7 01:18:48 2014
# Generated by iptables-save v1.4.21 on Thu Aug  7 01:18:48 2014
*raw
:PREROUTING ACCEPT [3417:312020]
:OUTPUT ACCEPT [3510:809739]
:delegate_notrack - [0:0]
-A PREROUTING -j delegate_notrack
COMMIT
# Completed on Thu Aug  7 01:18:48 2014
# Generated by iptables-save v1.4.21 on Thu Aug  7 01:18:48 2014
*mangle
:PREROUTING ACCEPT [3417:312020]
:INPUT ACCEPT [2985:282056]
:FORWARD ACCEPT [375:22708]
:OUTPUT ACCEPT [3510:809739]
:POSTROUTING ACCEPT [4037:863925]
:fwmark - [0:0]
:mssfix - [0:0]
-A PREROUTING -j fwmark
-A FORWARD -j mssfix
COMMIT
# Completed on Thu Aug  7 01:18:48 2014
# Generated by iptables-save v1.4.21 on Thu Aug  7 01:18:48 2014
*filter
:INPUT ACCEPT [8:791]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [94:6755]
:delegate_forward - [0:0]
:delegate_input - [0:0]
:delegate_output - [0:0]
:forwarding_LAN_rule - [0:0]
:forwarding_WAN6_rule - [0:0]
:forwarding_WAN_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpn_rule - [0:0]
:input_LAN_rule - [0:0]
:input_WAN6_rule - [0:0]
:input_WAN_rule - [0:0]
:input_rule - [0:0]
:input_vpn_rule - [0:0]
:output_LAN_rule - [0:0]
:output_WAN6_rule - [0:0]
:output_WAN_rule - [0:0]
:output_rule - [0:0]
:output_vpn_rule - [0:0]
:reject - [0:0]
:zone_LAN_dest_ACCEPT - [0:0]
:zone_LAN_forward - [0:0]
:zone_LAN_input - [0:0]
:zone_LAN_output - [0:0]
:zone_LAN_src_ACCEPT - [0:0]
:zone_WAN6_dest_ACCEPT - [0:0]
:zone_WAN6_forward - [0:0]
:zone_WAN6_input - [0:0]
:zone_WAN6_output - [0:0]
:zone_WAN6_src_ACCEPT - [0:0]
:zone_WAN_dest_ACCEPT - [0:0]
:zone_WAN_forward - [0:0]
:zone_WAN_input - [0:0]
:zone_WAN_output - [0:0]
:zone_WAN_src_ACCEPT - [0:0]
:zone_vpn_dest_ACCEPT - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
:zone_vpn_src_ACCEPT - [0:0]
-A INPUT -j delegate_input
-A FORWARD -j delegate_forward
-A OUTPUT -j delegate_output
-A delegate_forward -m comment --comment "user chain for forwarding" -j forwarding_rule
-A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_forward -m comment --comment 1 -j ACCEPT
-A delegate_forward -i br-lan -j zone_LAN_forward
-A delegate_forward -i eth0 -j zone_WAN_forward
-A delegate_forward -i wlan0 -j zone_WAN6_forward
-A delegate_input -i lo -j ACCEPT
-A delegate_input -m comment --comment "user chain for input" -j input_rule
-A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_input -i br-lan -j zone_LAN_input
-A delegate_input -i eth0 -j zone_WAN_input
-A delegate_input -i wlan0 -j zone_WAN6_input
-A delegate_output -o lo -j ACCEPT
-A delegate_output -m comment --comment "user chain for output" -j output_rule
-A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_output -o br-lan -j zone_LAN_output
-A delegate_output -o eth0 -j zone_WAN_output
-A delegate_output -o wlan0 -j zone_WAN6_output
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable
-A zone_LAN_dest_ACCEPT -o br-lan -j ACCEPT
-A zone_LAN_forward -m comment --comment "user chain for forwarding" -j forwarding_LAN_rule
-A zone_LAN_forward -m comment --comment "forwarding LAN -> vpn" -j zone_vpn_dest_ACCEPT
-A zone_LAN_forward -m comment --comment "forwarding LAN -> WAN" -j zone_WAN_dest_ACCEPT
-A zone_LAN_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_LAN_forward -j zone_LAN_src_ACCEPT
-A zone_LAN_input -m comment --comment "user chain for input" -j input_LAN_rule
-A zone_LAN_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_LAN_input -j zone_LAN_src_ACCEPT
-A zone_LAN_output -m comment --comment "user chain for output" -j output_LAN_rule
-A zone_LAN_output -j zone_LAN_dest_ACCEPT
-A zone_LAN_src_ACCEPT -i br-lan -j ACCEPT
-A zone_WAN6_dest_ACCEPT -o wlan0 -j ACCEPT
-A zone_WAN6_forward -m comment --comment "user chain for forwarding" -j forwarding_WAN6_rule
-A zone_WAN6_forward -m comment --comment "forwarding WAN6 -> LAN" -j zone_LAN_dest_ACCEPT
-A zone_WAN6_forward -m comment --comment "forwarding WAN6 -> WAN" -j zone_WAN_dest_ACCEPT
-A zone_WAN6_forward -m comment --comment "forwarding WAN6 -> vpn" -j zone_vpn_dest_ACCEPT
-A zone_WAN6_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_WAN6_forward -j zone_WAN6_src_ACCEPT
-A zone_WAN6_input -m comment --comment "user chain for input" -j input_WAN6_rule
-A zone_WAN6_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_WAN6_input -j zone_WAN6_src_ACCEPT
-A zone_WAN6_output -m comment --comment "user chain for output" -j output_WAN6_rule
-A zone_WAN6_output -j zone_WAN6_dest_ACCEPT
-A zone_WAN6_src_ACCEPT -i wlan0 -j ACCEPT
-A zone_WAN_dest_ACCEPT -o eth0 -j ACCEPT
-A zone_WAN_forward -m comment --comment "user chain for forwarding" -j forwarding_WAN_rule
-A zone_WAN_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_WAN_forward -j zone_WAN_src_ACCEPT
-A zone_WAN_input -m comment --comment "user chain for input" -j input_WAN_rule
-A zone_WAN_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_WAN_input -j zone_WAN_src_ACCEPT
-A zone_WAN_output -m comment --comment "user chain for output" -j output_WAN_rule
-A zone_WAN_output -j zone_WAN_dest_ACCEPT
-A zone_WAN_src_ACCEPT -i eth0 -j ACCEPT
-A zone_vpn_forward -m comment --comment "user chain for forwarding" -j forwarding_vpn_rule
-A zone_vpn_forward -m comment --comment "forwarding vpn -> WAN" -j zone_WAN_dest_ACCEPT
-A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_vpn_forward -j zone_vpn_src_ACCEPT
-A zone_vpn_input -m comment --comment "user chain for input" -j input_vpn_rule
-A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_vpn_input -j zone_vpn_src_ACCEPT
-A zone_vpn_output -m comment --comment "user chain for output" -j output_vpn_rule
-A zone_vpn_output -j zone_vpn_dest_ACCEPT
COMMIT
# Completed on Thu Aug  7 01:18:48 2014
»

Удалил все зоны и правила и

Автор pascorp, дата создания 7 Августа, 2014 - 20:26.

Удалил все зоны и правила и добавил правила на вкладке "Пользовательские правила".
Плюс в rc.local добавил перезагрузку xl2tpd и фаервола (без перезагрузки первый не цепляет интерфейс, а второй не применяет пользовательские правила).

»

Настройки просмотра комментариев

Выберите нужный метод показа комментариев и нажмите "Сохранить установки".