Автор Тема: Странен проблем с internet connection sharing  (Прочетена 2798 пъти)

Robert_

  • Напреднали
  • *****
  • Публикации: 52
    • Профил
Имам една система на Debian с ядро 2.6.8-2-686, която съм си дал смелата задача да направя едновременно рутер и уеб сървър. Той е с две мрежови карти с настройки:
eth0 - 212.5.143.124 - външната
eth1 - 192.168.0.1 - вътрешната
Докато се рових из форумите и статиите за Дебиан открих една статия, в която дават следния начин за рутиране - много елементарен:
dpkg-reconfigure iptables
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
и още допълнителни команди, но когато дадох тези двете тръгнаха и двата компютъра и имаше интернет и на двата (втория е 192.168.0.2)
Давах същата команда два дни, когато вчера без видима причина интернета на вътрешния компютър изчезна. Има пинг, а няма интернет. Тогава пробвах един файл "firewall.sh", който си копирах от http://www.aboutdebian.com и доколкото можах адаптирах за моя случай. Файла е:
#!/bin/sh

#  IPTABLES  FIREWALL  script for the Linux 2.4 kernel.
#  This script is a derivitive of the script presented in
#  the IP Masquerade HOWTO page at:
#  www.tldp.org/HOWTO/IP-Masquerade-HOWTO/stronger-firewall-examples.html
#  It was simplified to coincide with the configuration of
#  the sample system presented in the Guides section of
#  www.aboutdebian.com
#
#  This script is presented as an example for testing ONLY
#  and should not be used on a production firewall server.
#
#    PLEASE SET THE USER VARIABLES
#    IN SECTIONS A AND B OR C

echo -e "\n\nSETTING UP IPTABLES FIREWALL..."


# === SECTION A
# -----------   FOR EVERYONE

# SET THE INTERFACE DESIGNATION AND ADDRESS AND NETWORK ADDRESS
# FOR THE NIC CONNECTED TO YOUR _INTERNAL_ NETWORK
#   The default value below is for "eth0".  This value
#   could also be "eth1" if you have TWO NICs in your system.
#   You can use the ifconfig command to list the interfaces
#   on your system.  The internal interface will likely have
#   have an address that is in one of the private IP address
#   ranges.
#       Note that this is an interface DESIGNATION - not
#       the IP address of the interface.

# Enter the designation for the Internal Interface's
INTIF="eth1"

# Enter the NETWORK address the Internal Interface is on
INTNET="192.168.0.0"

# Enter the IP address of the Internal Interface
INTIP="192.168.0.1"



# SET THE INTERFACE DESIGNATION FOR YOUR "EXTERNAL" (INTERNET) CONNECTION
#   The default value below is "ppp0" which is appropriate
#   for a MODEM connection.
#   If you have two NICs in your system change this value
#   to "eth0" or "eth1" (whichever is opposite of the value
#   set for INTIF above).  This would be the NIC connected
#   to your cable or DSL modem (WITHOUT a cable/DSL router).
#       Note that this is an interface DESIGNATION - not
#       the IP address of the interface.
#   Enter the external interface's designation for the
#   EXTIF variable:

EXTIF="eth0"


# ! ! ! ! !  Use ONLY Section B  *OR*  Section C depending on
#  ! ! ! !   the type of Internet connection you have.
# ! ! ! ! !  Uncomment ONLY ONE of the EXTIP statements.


# === SECTION B
# -----------   FOR THOSE WITH STATIC PUBLIC IP ADDRESSES

   # SET YOUR EXTERNAL IP ADDRESS
   #   If you specified a NIC (i.e. "eth0" or "eth1" for
   #   the external interface (EXTIF) variable above,
   #   AND if that external NIC is configured with a
   #   static, public IP address (assigned by your ISP),
   #   UNCOMMENT the following EXTIP line and enter the
   #   IP address for the EXTIP variable:

EXTIP="212.5.143.124"



# === SECTION C
# ----------   DIAL-UP MODEM, AND RESIDENTIAL CABLE-MODEM/DSL (Dynamic IP) USERS


# SET YOUR EXTERNAL INTERFACE FOR DYNAMIC IP ADDRESSING
#   If you get your IP address dynamically from SLIP, PPP,
#   BOOTP, or DHCP, UNCOMMENT the command below.
#   (No values have to be entered.)
#         Note that if you are uncommenting these lines then
#         the EXTIP line in Section B must be commented out.

#EXTIP="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"


# --------  No more variable setting beyond this point  --------


echo "Loading required stateful/NAT kernel modules..."

/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc

echo "    Enabling IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo "    External interface: $EXTIF"
echo "       External interface IP address is: $EXTIP"
echo "    Loading firewall server rules..."

UNIVERSE="0.0.0.0"

# Clear any existing rules and setting default policy to DROP
iptables -P INPUT DROP
iptables -F INPUT
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -F -t nat

# Flush the user chain.. if it exists
if [ "`iptables -L | grep drop-and-log-it`" ]; then
   iptables -F drop-and-log-it
fi

# Delete all User-specified chains
iptables -X

# Reset all IPTABLES counters
iptables -Z

# Creating a DROP chain
iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-level info
iptables -A drop-and-log-it -j REJECT

echo -e "     - Loading INPUT rulesets"

#######################################################################
# INPUT: Incoming traffic from various interfaces.  All rulesets are
#        already flushed and set to a default policy of DROP.
#

# loopback interfaces are valid.
iptables -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# local interface, local machines, going anywhere is valid
iptables -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT

# remote interface, claiming to be local machines, IP spoofing, get lost
iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it

# remote interface, any source, going to permanent PPP address is valid
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT

# Allow any related traffic coming back to the MASQ server in
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT


#  OPTIONAL:  Uncomment the following two commands if plan on running
#             an Apache Web site on the firewall server itself
#
echo -e "      - Allowing EXTERNAL access to the WWW server"
iptables -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT


# Catch all rule, all other incoming is denied and logged.
iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it


echo -e "     - Loading OUTPUT rulesets"

#######################################################################
# OUTPUT: Outgoing traffic from various interfaces.  All rulesets are
#         already flushed and set to a default policy of DROP.
#

# loopback interface is valid.
iptables -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# local interfaces, any source going to local net is valid
iptables -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT

# local interface, any source going to local net is valid
iptables -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT

# outgoing to local net on remote interface, stuffed routing, deny
iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it

# anything else outgoing on remote interface is valid
iptables -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT

# Catch all rule, all other outgoing is denied and logged.
iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it


echo -e "     - Loading FORWARD rulesets"

#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
#          Allow all connections OUT and only existing/related IN

iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

# Catch all rule, all other forwarding is denied and logged.
iptables -A FORWARD -j drop-and-log-it

# Enable SNAT (MASQUERADE) functionality on $EXTIF
iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

echo -e "    Firewall server rule loading complete\n\n"


това е. И като реши да не тръгва и не тръгва. Уж всичко съм направил както се иска да бъде а не тръгва. Освен това когато стартирам този скрипт не мога да изпращам пинг нито към вътрешния компютър нито към гейтуеиа. Някой може ли да помогне в настройката на този файъруол, така че да имам интернет и на двата компютъра.
Приемам както съвети, така и адреси за четене в интернет '<img'>
Много благодаря предварително.
Активен

Dean79

  • Напреднали
  • *****
  • Публикации: 151
    • Профил
Странен проблем с internet connection sharing
« Отговор #1 -: Feb 08, 2006, 13:38 »
Възможно е доставчика ти да прави проверка на ТТЛ.
прочети как да стане увеличаването с 1
iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-inc 1
Активен

Robert_

  • Напреднали
  • *****
  • Публикации: 52
    • Профил
Странен проблем с internet connection sharing
« Отговор #2 -: Feb 08, 2006, 14:06 »
Възможно е, но не виждам какъв интерес ще има. Преди работеше и изведнъж спря. Не мога да си обясня тези неща. Имам пинг към 192.168.0.1 и към 192.168.0.2. Когато стартирам гореописания скрипт firewall.sh, тогава всичко замира. Правил съм го това нещо и то наскоро под уиндоус. Тогава всичко вървеше без проблеми. Склонен съм да вярвам, че нещо в моите команди не е наред... Някаква идея?...
Активен

Подобни теми
Заглавие Започната от Отговора Прегледи Последна публикация
Internet Connection Sharing, MTU
Настройка на програми
Knopper 1 2499 Последна публикация Apr 06, 2004, 21:43
от
Internet Connection sharing
Настройка на програми
pcpro 1 2275 Последна публикация May 09, 2005, 12:00
от VladSun
Internet connection sharing
Настройка на хардуер
ssl 7 3401 Последна публикация Jan 05, 2008, 01:32
от Stratovarius
WiFi hotspot & internet connection sharing
Хардуерни и софтуерни проблеми
remotexx 5 3670 Последна публикация Feb 08, 2016, 08:55
от remotexx
Internet Connection Sharing-Mint и Debian
Настройка на хардуер
new_2k 2 2410 Последна публикация Oct 04, 2017, 13:56
от new_2k