uz jsem blizko NATD

Pentium pentium.konference at seznam.cz
Tue Nov 26 03:00:31 CET 2002


> "ps -ax" vypise vsechny bezici procesy, NAT musi byt mezi nimi, jinak
> nebezi.
Podle tohoto natd bezi
server# ps -ax
  PID  TT  STAT      TIME COMMAND
    0  ??  DLs    0:00.00  (swapper)
    1  ??  ILs    0:00.02 /sbin/init --
    2  ??  DL     0:00.00  (pagedaemon)
    3  ??  DL     0:00.00  (vmdaemon)
    4  ??  DL     0:00.00  (bufdaemon)
    5  ??  DL     0:00.00  (vnlru)
    6  ??  DL     0:00.08  (syncer)
   17  ??  Is     0:00.00 adjkerntz -i
   61  ??  Ss     0:00.01 /sbin/natd -f /etc/natd.conf -n ppp0
   68  ??  Ss     0:00.03 /sbin/routed -q
   97  ??  Ss     0:00.09 /usr/sbin/syslogd -s
  100  ??  Is     0:00.01 /usr/sbin/named
  102  ??  Is     0:00.00 /usr/sbin/portmap
  107  ??  I      0:00.00 nfsiod -n 4
  108  ??  I      0:00.00 nfsiod -n 4
  109  ??  I      0:00.00 nfsiod -n 4
  110  ??  I      0:00.00 nfsiod -n 4
  115  ??  D      0:00.01 amd -p -a /.amd_mnt -l syslog /host
/etc/amd.map /net
  116  ??  D      0:00.00 amd -p -a /.amd_mnt -l syslog /host
/etc/amd.map /net
  120  ??  Is     0:00.00 /usr/sbin/inetd -wW
  122  ??  Is     0:00.01 /usr/sbin/cron
  124  ??  Is     0:00.28 /usr/sbin/sshd
  127  ??  Ss     0:00.05 sendmail: accepting connections (sendmail)
  130  ??  Is     0:00.01 sendmail: Queue runner at 00:30:00 for
/var/spool/client
  146  ??  Ss     0:02.07 moused -p /dev/psm0 -t auto
  161  ??  S      0:00.26 /usr/local/sbin/arpwatch
  170  ??  Ss     0:00.00 /usr/local/sbin/dhcpd
  204  ??  R      0:25.61 /usr/X11R6/bin/XFree86 :0 -nolisten tcp
  226  ??  Ss     0:00.47 kdeinit: Running... (kdeinit)
  229  ??  S      0:00.52 kdeinit: dcopserver --nosid (kdeinit)
  233  ??  S      0:00.36 kdeinit: klauncher (kdeinit)
  235  ??  S      0:06.38 kdeinit: kded (kdeinit)
  246  ??  S      0:04.24 /usr/local/bin/artsd -F 10 -S 4096 -s 60 -m
artsmessa
  248  ??  S      0:00.75 kdeinit: knotify (kdeinit)
  253  ??  S      0:00.61 kdeinit: ksmserver --restore (kdeinit)
  254  ??  S      0:03.06 kdeinit: kwin -session
11c0a8010100010369491360000000
  256  ??  S      0:03.41 kdeinit: kdesktop (kdeinit)
  258  ??  S      0:07.20 kdeinit: kicker (kdeinit)
  259  ??  I      0:00.06 kdeinit: kio_file file
/tmp/ksocket-root/klauncher4f4
  261  ??  S      0:02.16 kdeinit: klipper -icon klipper -miniicon
klipper (kde
  262  ??  S      0:06.19 kdeinit: konqueror -session
11c0a80101000103696878900
  263  ??  S      0:01.81 kdf -session
11c0a80101000103696875900000006550009
  265  ??  I      0:00.08 kdeinit: kio_file file
/tmp/ksocket-root/klauncher4f4
  266  ??  S      0:00.07 kdeinit: kio_file file
/tmp/ksocket-root/klauncher4f4
  267  ??  S      0:04.62 kdeinit: konsole -icon konsole -miniicon
konsole (kde
  278  ??  I      0:00.09 kdeinit: kio_file file
/tmp/ksocket-root/klauncher4f4
  279  ??  I      0:00.08 kdeinit: kio_file file
/tmp/ksocket-root/klauncher4f4
  283  ??  S      0:00.73 kdeinit: kio_uiserver (kdeinit)
  285  ??  S      0:03.64 kppp -icon kppp -miniicon kppp
  286  ??  Is     0:00.03 kppp -icon kppp -miniicon kppp
  292  ??  S      0:01.57 kdeinit: kedit -caption KEdit -icon kedit
-miniicon k
  271  p0  Ss     0:00.11 /bin/csh
  293  p0  R+     0:00.00 ps -ax
  181  v0  Is     0:00.07 login -p root
  189  v0  I      0:00.08 -csh (csh)
  192  v0  I+     0:00.02 /bin/sh /usr/X11R6/bin/startx
  203  v0  I+     0:00.02 xinit /root/.xinitrc -- -nolisten tcp
  212  v0  I      0:00.03 /bin/sh /usr/local/bin/startkde
  251  v0  S      0:00.02 kwrapper ksmserver --restore
  182  v1  Is+    0:00.01 /usr/libexec/getty Pc ttyv1
  183  v2  Is+    0:00.01 /usr/libexec/getty Pc ttyv2
  184  v3  Is+    0:00.01 /usr/libexec/getty Pc ttyv3
  185  v4  Is+    0:00.01 /usr/libexec/getty Pc ttyv4
  186  v5  Is+    0:00.01 /usr/libexec/getty Pc ttyv5
  187  v6  Is+    0:00.02 /usr/libexec/getty Pc ttyv6
  188  v7  Is+    0:00.01 /usr/libexec/getty Pc ttyv7
  289  a0  Ss+    0:00.05 pppd 115200 -detach crtscts -detach
defaultroute mode
************************************************************
> Krome 'natd_enable="YES"' musi byt pritomno take
'natd_interface="ppp0"'
> Dale musi byt aktivni firewall.  Mate v rc.conf aktivovan firewall v
> konfiguraci "open" tak jak uz jsem jednou drive psal
> (firewall_enable="YES";firewall_type="open") ?
Ano to snam mam v poradku viz vypis
rc.conf
hostname="server.martin-network.cz"
gateway_enable="YES"
firewall_enable="YES"
firewall_logging="YES"
firewall_script="/etc/rc.firewall" <-opraveno
firewall_type="OPEN" <- Jsou spravne velka pismena ?
firewall_quiet="NO"
natd_progam="/sbin/natd"
natd_enable="YES"
natd_interface="ppp0"
natd_flags="-f /etc/natd.conf"
tcp_drop_synfin="YES"
ifconfig_ep0="inet 192.168.1.1  netmask 255.255.255.0"
ipv6_enable="YES"
*************************************************************
standardni /etc/rc.firewall, ale /etc/rc.ipfw,
To zustalo standardni to bylo jen kvuli experimentu podle jedne prirucky
to byla pouze kopie ale uz jsem to vratil Provedl jsem tam jednu
modifikaci misto lo0 jsem zadal ppp0 jen zkusebne

Takze ipfw -a list
server# ipfw -a list
00100 12 1289 allow ip from any to any via ppp0 <- to jsem zmenil
misto lo0
00200  3  212 deny ip from any to 127.0.0.0/8
00300  0    0 deny ip from 127.0.0.0/8 to any
65000 47 4812 allow ip from any to any
65535  0    0 deny ip from any to any <-- podle tohoto soudim ze ok

Podle vseho pakety prosly pres ipfw
**********************************************************
> Tohle sice problem primo souvisejici s prekladem, nicmene, problem to
> je, tak proc se o nem nezminit - nemate v poradku DNS
To bohuzel jeste neumim spustit on se me porad ptal na nejakou domenu
tak jsem si nejakou vycucal z prstu :] Nebo tam mam dat domenu localhost
? Tu by nemel hledat Muzu to vsude zmenit to neni problem.
***********************************************************
adresu vam rekne 'ifconfig -a', aktualni 'default route' vam rekne
> 'netstat -rn').
 rekl mi>
server# ifconfig -a
ep0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu
1500
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::260:97ff:fe1e:4ca7%ep0 prefixlen 64 scopeid 0x1
        ether 00:60:97:1e:4c:a7
        media: Ethernet 10baseT/UTP
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet 212.90.224.215 --> 195.146.122.66 netmask 0xffffff00
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552

netstat -rn
Internet:
Destination        Gateway            Flags    Refs      Use  Netif
Expire
default            195.146.122.66     UGSc        2        7   ppp0
127.0.0.1          127.0.0.1          UH          0        3    lo0
192.168.1          link#1             UC          2        0    ep0
192.168.1.1        00:60:97:1e:4c:a7  UHLW        2       18    lo0
192.168.1.99       00:a0:24:56:16:f0  UHLW        0        0    ep0
1085
195.146.122.66     212.90.224.215     UH          0        0   ppp0
212.90.224.215     127.0.0.1          UH          0        0    lo0

Internet6:
Destination                       Gateway                       Flags
Netif Expire
::/96                             ::1                           UGRSc
lo0
::1                               ::1                           UH
lo0
::ffff:0.0.0.0/96                 ::1                           UGRSc
lo0
fe80::/10                         ::1                           UGRSc
lo0
fe80::%ep0/64                     link#1                        UC
ep0
fe80::260:97ff:fe1e:4ca7%ep0      00:60:97:1e:4c:a7             UHL
lo0
fe80::%lo0/64                     fe80::1%lo0                   Uc
lo0
fe80::1%lo0                       link#4                        UHL
lo0
ff01::/32                         ::1                           U
lo0
ff02::/16                         ::1                           UGRS
lo0
ff02::%ep0/32                     link#1                        UC
ep0
ff02::%lo0/32                     ::1                           UC
lo0

PRi tom jsem objevil toto v logu Kppp pripojeni
Ted jsem neco objevil !!!!
Nov 26 01:58:33 server pppd[289]: pppd 2.3.5 started by root, uid 0
Nov 26 01:58:33 server pppd[289]: Connect: ppp0 <--> /dev/cuaa0
Nov 26 01:58:36 server pppd[289]: local  IP address 212.90.224.215
Nov 26 01:58:36 server pppd[289]: remote IP address 195.146.122.66
Podle toho by se mne menila IP pri pripojeni a to by mohl byt problem
Zkusil jsem dat jako vychozi branu 195.146.122.66 ale ta take nesla
pingnout
z win9x takze v tom to neni z linuxu lze toto cislo pingnout
tcpdump: listening on ppp0
02:34:17.386925 195.146.122.66 > 212.90.224.215: icmp: echo reply
02:34:18.282694 212.90.224.215 > 195.146.122.66: icmp: echo request
Obavam se jestli mi nemeni to pripojeni adresu servru ale ping z win9x
na 192.168.1.1 je stale funkcni takze nevim
*********************************************************
pakety odchazely, a to se zdrojovou adresou neprelozenou
neprelozenou - pak je chybne nakonfigurovan NAT (vcetne
> > > souvisejici konfigurace firewallu)
Podle toho co jste videl nahore je asi firewall ok takze ted k natu ten
je take zapnuty a podle predeslych rad ho neni treba nijak konfigurovat
,ale ja jsem si hral:
Hratky s NATD
server# natd -redirect_address 192.168.1.99 195.146.122.66
natd: aliasing address not given
 zkousel jsem i primo toto ale napsalo to tuto chybu
*********************************************************
Routingu nerozumim jelikoz mi to nechodi vim co by melo bejt v hlavicce
paketu ale nevim jak to tam dostat :{

P.s   Je lepci prehlednost ? Ja z toho delam otazka odpoved a odeluji to
***** nevadi vam tento format ?


Diky a zachovejte me prizen


Vypis rc.conf jako zaver dopisu dal uz nic neni jen
rc.firewall

# Copyright (c) 1996  Poul-Henning Kamp
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above
copyright
#    notice, this list of conditions and the following disclaimer in
the
#    documentation and/or other materials provided with the
distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE
LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
OF
# SUCH DAMAGE.
#
# $FreeBSD: src/etc/rc.firewall,v 1.30.2.15 2002/02/28 14:51:42 cjc
Exp $
#

#
# Setup system for firewall service.
#

# Suck in the configuration variables.
# NOTE(review): as pasted, the outer test is `[ -z "" ]`, which is always
# true, so the rc.conf files are sourced unconditionally.  The variable
# expansion inside the quotes appears to have been lost when the file was
# pasted into the mail — verify against the installed /etc/rc.firewall.
if [ -z "" ]; then
 # Prefer the defaults file; it presumably provides source_rc_confs, which
 # then pulls in the local rc.conf overrides.  Fall back to rc.conf alone.
 if [ -r /etc/defaults/rc.conf ]; then
  . /etc/defaults/rc.conf
  source_rc_confs
 elif [ -r /etc/rc.conf ]; then
  . /etc/rc.conf
 fi
fi

############
# Define the firewall type in /etc/rc.conf.  Valid values are:
#   open     - will allow anyone in
#   client   - will try to protect just this machine
#   simple   - will try to protect a whole network
#   closed   - totally disables IP services except via lo0 interface
#   UNKNOWN  - disables the loading of firewall rules.
#   filename - will load the rules in the given filename (full path
required)
#
# For ``client'' and ``simple'' the entries below should be
customized
# appropriately.

############
#
# If you don't know enough about packet filtering, we suggest that
you
# take time to read this book:
#
# Building Internet Firewalls, 2nd Edition
# Brent Chapman and Elizabeth Zwicky
#
# O'Reilly & Associates, Inc
# ISBN 1-56592-871-7
# http://www.ora.com/
# http://www.oreilly.com/catalog/fire2/
#
# For a more advanced treatment of Internet Security read:
#
# Firewalls & Internet Security
# Repelling the wily hacker
# William R. Cheswick, Steven M. Bellowin
#
# Addison-Wesley
# ISBN 0-201-63357-4
# http://www.awl.com/
# http://www.awlonline.com/product/0%2C2627%2C0201633574%2C00.html
#

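#######################################
# Install the loopback sanity rules shared by every firewall_type.
# The rule numbers sort ahead of the prototype rules added later in this
# script: 100 passes loopback traffic, 200/300 drop any packet that carries
# a 127/8 address on a real interface.
# Globals:   fwcmd (read) - the ipfw invocation selected by firewall_quiet
# Arguments: none
# Outputs:   whatever ${fwcmd} prints
# Returns:   status of the last ${fwcmd} call
#######################################
setup_loopback () {
 ############
 # Only in rare cases do you want to change these rules
 #
 # Rule 100 must stay bound to lo0.  The experimental `via ppp0` variant
 # passes every packet on the external link before any later rule (and
 # therefore before a 'client'/'simple' policy) gets to see it.
 #
 # ${fwcmd} is deliberately unquoted: it may carry the -q flag as a
 # second word.
 ${fwcmd} add 100 pass all from any to any via lo0
 ${fwcmd} add 200 deny all from any to 127.0.0.0/8
 ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
}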

# NOTE(review): as pasted the test is `[ -n "" ]`, which is never true, so
# firewall_type is never overridden here.  The expansion inside the quotes
# (most likely the script's first argument) looks to have been stripped by
# the mail archive — check the installed /etc/rc.firewall.
if [ -n "" ]; then
 firewall_type=""
fi

############
# Set quiet mode if requested
#
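# Pick the ipfw invocation used by every rule below.  firewall_quiet=YES
# (matched case-insensitively) adds -q so ipfw does not echo each rule as
# it is installed.  fwcmd is intentionally expanded unquoted at its call
# sites so that the flag is passed as a separate word.
case "${firewall_quiet}" in
[Yy][Ee][Ss])
 fwcmd="/sbin/ipfw -q"
 ;;
*)
 fwcmd="/sbin/ipfw"
 ;;
esac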

############
# Flush out the list before we begin.
#
 -f flush

############
# Network Address Translation.  All packets are passed to natd(8)
# before they encounter your remaining rules.  The firewall rules
# will then be run again on each packet after translation by natd
# starting at the rule number following the divert rule.
#
# For ``simple'' firewall type the divert rule should be put to a
# different place to not interfere with address-checking rules.
#
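case "${firewall_type}" in
[Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
 # Hand every packet crossing the NAT interface to natd(8) before any other
 # rule; number 50 sorts ahead of setup_loopback's rule 100.  Without this
 # rule natd never sees a packet and outbound traffic keeps its private
 # source address.
 #
 # NOTE(review): the `ipfw -a list` output quoted above this listing shows
 # rules 100-65535 but no rule 50, so on that box this branch appears not
 # to have run.  Re-run the script (or reboot) after setting natd_enable
 # and natd_interface in rc.conf and confirm with `ipfw list`.
 case "${natd_enable}" in
 [Yy][Ee][Ss])
  if [ -n "${natd_interface}" ]; then
   ${fwcmd} add 50 divert natd all from any to any via "${natd_interface}"
  fi
  ;;
 esac
 ;;
esac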

############
# If you just configured ipfw in the kernel as a tool to solve
network
# problems or you just want to disallow some particular kinds of
traffic
# then you will want to change the default policy to open.  You can
also
# do this as your only action by setting the firewall_type to
``open''.
#
#  add 65000 pass all from any to any


# Prototype setups.
#
# NOTE(review): as pasted, the selector of this case (and of the nested NAT
# case further down) is empty — `case  in` — and every `add ...` rule lacks
# its ${fwcmd} prefix and the host/interface variables (`from  to :`).
# The ${...} expansions look to have been stripped by the mail archive;
# this listing cannot run as-is, compare it with the installed file.
# NOTE(review): some comment lines were re-wrapped by the mailer and their
# tails (e.g. the bare `machines` below) now sit on their own line without
# a leading `#`, where a shell would try to execute them as commands.
case  in
[Oo][Pp][Ee][Nn])
 # Loopback sanity rules, then accept everything: with firewall_type=OPEN
 # the ruleset filters nothing.  The `ipfw -a list` output quoted earlier
 # in this mail (rules 100, 200, 300, 65000) matches this arm having run.
 setup_loopback
  add 65000 pass all from any to any
 ;;

[Cc][Ll][Ii][Ee][Nn][Tt])
 ############
 # This is a prototype setup that will protect your system somewhat
 # against people from outside your own network.
 ############

 # set these to your network and netmask and ip
 # NOTE(review): net= is presumably paired with mask= as `net:mask` in the
 # rules below, i.e. it expects the network address (.0), not a host.
 net="192.168.1.1"
 mask="255.255.255.0"
 # NOTE(review): 192.198.1.1 matches neither net= above nor the
 # ifconfig_ep0 address in rc.conf (192.168.1.1) — looks like a typo.
 # This arm is inactive while firewall_type=OPEN, but fix it before
 # switching types.
 ip="192.198.1.1"

 setup_loopback

 # Allow any traffic to or from my own net.
  add pass all from  to :
  add pass all from : to

 # Allow TCP through if setup succeeded
  add pass tcp from any to any established

 # Allow IP fragments to pass through
  add pass all from any to any frag

 # Allow setup of incoming email
  add pass tcp from any to  25 setup

 # Allow setup of outgoing TCP connections only
  add pass tcp from  to any setup

 # Disallow setup of all other TCP connections
  add deny tcp from any to any setup

 # Allow DNS queries out in the world
  add pass udp from  to any 53 keep-state

 # Allow NTP queries out in the world
  add pass udp from  to any 123 keep-state

 # Everything else is denied by default, unless the
 # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
 # config file.
 ;;

[Ss][Ii][Mm][Pp][Ll][Ee])
 ############
 # This is a prototype setup for a simple firewall.  Configure this
 # machine as a named server and ntp server, and point all the
machines
 # on the inside at this machine for those services.
 ############

 # set these to your outside interface network and netmask and ip
 # NOTE(review): this host's interfaces (ifconfig -a earlier in this mail)
 # are ep0 (LAN, 192.168.1.1) and ppp0 (212.90.224.215), not ed0/ed1, and
 # the outside net/ip below duplicate the inside values.  On this box the
 # outside side would be ppp0.  Inactive under firewall_type=OPEN, but it
 # must be corrected before 'simple' is used.
 oif="ed0"
 onet="192.168.1.0"
 omask="255.255.255.0"
 oip="192.168.1.1"

 # set these to your inside interface network and netmask and ip
 iif="ed1"
 inet="192.168.1.0"
 imask="255.255.255.0"
 iip="192.168.1.1"

#my ISPs dns
# NOTE(review): dns1/dns2 are assigned here but referenced nowhere in this
# listing.
dns1="195.146.100.5"
dns2="195.146.100.100"
setup_loopback

 # Stop spoofing
  add deny all from : to any in via
  add deny all from : to any in via

 # Stop RFC1918 nets on the outside interface
  add deny all from any to 10.0.0.0/8 via
  add deny all from any to 172.16.0.0/12 via
  add deny all from any to 192.168.0.0/16 via

 # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes
RESERVED-1,
 # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class
E)
 # on the outside interface
  add deny all from any to 0.0.0.0/8 via
  add deny all from any to 169.254.0.0/16 via
  add deny all from any to 192.0.2.0/24 via
  add deny all from any to 224.0.0.0/4 via
  add deny all from any to 240.0.0.0/4 via

 # Network Address Translation.  This rule is placed here
deliberately
 # so that it does not interfere with the surrounding
address-checking
 # rules.  If for example one of your internal LAN machines had its
IP
 # address set to 192.0.2.1 then an incoming packet for it after
being
 # translated by natd(8) would match the `deny' rule above.
Similarly
 # an outgoing packet originated from it before being translated
would
 # match the `deny' rule below.
 # The divert rule here carries no explicit number, so ipfw sequences it
 # after the deny rules above — which is the ordering the comment wants.
 case  in
 [Yy][Ee][Ss])
  if [ -n "" ]; then
    add divert natd all from any to any via
  fi
  ;;
 esac

 # Stop RFC1918 nets on the outside interface
  add deny all from 10.0.0.0/8 to any via
  add deny all from 172.16.0.0/12 to any via
  add deny all from 192.168.0.0/16 to any via

 # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes
RESERVED-1,
 # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class
E)
 # on the outside interface
  add deny all from 0.0.0.0/8 to any via
  add deny all from 169.254.0.0/16 to any via
  add deny all from 192.0.2.0/24 to any via
  add deny all from 224.0.0.0/4 to any via
  add deny all from 240.0.0.0/4 to any via

 # Allow TCP through if setup succeeded
  add pass tcp from any to any established

 # Allow IP fragments to pass through
  add pass all from any to any frag

 # Allow setup of incoming email
  add pass tcp from any to  25 setup

 # Allow access to our DNS
  add pass tcp from any to  53 setup
  add pass udp from any to  53
  add pass udp from  53 to any

 # Allow access to our WWW
  add pass tcp from any to  80 setup

 # Reject&Log all setup of incoming connections from the outside
  add deny log tcp from any to any in via  setup

 # Allow setup of any other TCP connection
  add pass tcp from any to any setup

 # Allow DNS queries out in the world
  add pass udp from  to any 53 keep-state

 # Allow NTP queries out in the world
  add pass udp from  to any 123 keep-state

 # Everything else is denied by default, unless the
 # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
 # config file.
 ;;

[Cc][Ll][Oo][Ss][Ee][Dd])
 # Loopback only: no pass-all rule, so the kernel default policy applies
 # to everything else.
 setup_loopback
 ;;
[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
 ;;
*)
 # Any other value is taken as a path to a rules file.
 # NOTE(review): as pasted the then-branch is empty, which is itself a
 # syntax error in sh; the loading command was presumably lost along with
 # the stripped expansions.
 if [ -r "" ]; then

 fi
 ;;
esac




