Root.cz Forum

Main topics => Networks => Topic started by: googler1 15. 07. 2019, 17:29:47

Title: MikroTik router and Apache server on Linux - not reachable on the public IP
Posted by: googler1 15. 07. 2019, 17:29:47
Hi,
I have a Linux web server with Apache installed and the UFW firewall, with ports 80 and 443 allowed (I also tried turning the firewall off, but it didn't help).

On the MikroTik I use a PPP client (renamed to WAN) for the connection over DSL from Telekom, and the modem is in bridge mode.
In the quick setup wizard on the MikroTik I also ticked NAT so that the local network is not "visible" from outside.
Except for port Eth1, all ports are bridged, and the bridge is named LAN.
A switch is connected to port Eth2, with all the end devices and the AP behind it.
The DHCP server is enabled.
The firewall rules on the MikroTik look like this (I also tried disabling them, it didn't help):

Code:
ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; Accept established and related packets
      chain=input action=accept connection-state=established,related log=no log-prefix=""

 1    ;;; Accept all connections from local network
      chain=input action=accept in-interface=LAN log=no log-prefix=""

 2    ;;; Accept established and related packets
      chain=forward action=accept connection-state=established,related log=no log-prefix=""

 3    ;;; Drop invalid packets
      chain=input action=drop connection-state=invalid log=yes log-prefix=""

 4    ;;; Drop all packets which are not destined to routes IP address
      chain=input action=drop dst-address-type=!local log=yes log-prefix=""

 5    ;;; Drop all packets which does not have unicast source IP address
      chain=input action=drop src-address-type=!unicast log=yes log-prefix=""

 6    ;;; Drop all packets from public internet which should not exist in public network
      chain=input action=drop src-address-list=NotPublic in-interface=WAN log=yes log-prefix=""

 7    ;;; Drop invalid packets
      chain=forward action=drop connection-state=invalid log=yes log-prefix=""

 8    ;;; Drop new connections from internet which are not dst-natted
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=WAN log=yes log-prefix=""

 9    ;;; Drop all packets from public internet which should not exist in public network
      chain=forward action=drop src-address-list=NotPublic in-interface=WAN log=yes log-prefix=""

10    ;;; Drop all packets from local network to internet which should not exist in public network
      chain=forward action=drop dst-address-list=NotPublic in-interface=LAN log=yes log-prefix=""

11    ;;; Drop all packets in local network which does not have local network address
      chain=forward action=drop src-address=!router.lan.ip.0/24 in-interface=LAN log=yes log-prefix=""

12    ;;; Drop new connections from internet which are not dst-natted
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=WAN log=yes log-prefix=""

NAT (port forwarding) looks like this:

Code:
/ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
 0    chain=srcnat action=masquerade src-address=router.lan.ip.0/24 out-interface=WAN log=no log-prefix=""

 1    chain=dstnat action=dst-nat to-addresses=apache.webserver.lan.ip to-ports=80 protocol=tcp dst-address=router.lan.ip in-interface=WAN dst-port=80 log=no log-prefix=""

 2    chain=dstnat action=dst-nat to-addresses=apache.webserver.lan.ip to-ports=443 protocol=tcp dst-address=router.lan.ip in-interface=WAN dst-port=443 log=no log-prefix=""

I also tried the alternative of setting dst-address directly to the router's public IP, but that didn't help either.

The result is that within the LAN Apache is reachable, but I don't know why it isn't listening on the public IP as well. I think the cause is in the MikroTik and not in the web server, although I don't know exactly where in the MikroTik.
Title: Re: MikroTik router and Apache server on Linux - not reachable on the public IP
Posted by: robac 15. 07. 2019, 18:22:54
For a start I would swap (in ip -> firewall -> nat):
router.lan.ip for router.wan.ip

router.wan.ip = ip->address, the WAN address (eth1 ?)

Do you have a public IP address from your provider? What kind (i.e. is it really routed, or do they do 1:1 NAT)?
Title: Re: MikroTik router and Apache server on Linux - not reachable on the public IP
Posted by: googler2 15. 07. 2019, 20:56:51
It works now. I complained to the ISP and the problem was on their side. Sorry for the "false alarm". BTW, as the dst address you really do have to use the MikroTik's WAN IP.
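The following is an added example, not configuration from the thread or from MikroTik, showing the dst-nat setup the two replies converge on: the port-forwarding rule has to match the address the packet actually arrives with (the WAN address), not the router's LAN address. The interface names WAN and LAN are taken from the thread; the LAN network 192.168.88.0/24, the Apache host 192.168.88.10 and the public address 203.0.113.5 are constructed placeholders. Because a PPPoE address can change, the rules match `dst-address-type=local` (any address configured on the router) instead of hard-coding it.

```routeros
# Added example (not from the thread): dst-nat for a web server behind a
# MikroTik whose WAN is a PPPoE client. Interface names WAN and LAN come
# from the thread; 192.168.88.0/24 (LAN), 192.168.88.10 (Apache host) and
# 203.0.113.5 (public address) are constructed placeholders.

# 1. See which address the PPPoE client currently holds on WAN.
/ip address print where interface=WAN

# 2. Port forwarding from the internet. dst-address-type=local matches any
#    address configured on the router itself, so the rule keeps working when
#    the ISP assigns a different address; in-interface=WAN limits it to traffic
#    arriving from the internet. A rule matching dst-address=<router LAN IP>,
#    as in the original post, never matches packets sent to the public IP.
/ip firewall nat
add chain=dstnat in-interface=WAN dst-address-type=local protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=80 \
    comment="HTTP to Apache"
add chain=dstnat in-interface=WAN dst-address-type=local protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=443 \
    comment="HTTPS to Apache"

# Alternative when the public address is static (replace 203.0.113.5):
# add chain=dstnat in-interface=WAN dst-address=203.0.113.5 protocol=tcp \
#     dst-port=80 action=dst-nat to-addresses=192.168.88.10 to-ports=80

# 3. Hairpin NAT, so LAN clients that use the public name also reach the
#    server. This dst-nat rule must not carry in-interface=WAN, and the reply
#    needs a masquerade so it returns through the router rather than directly
#    to the client (which would break the TCP handshake).
add chain=dstnat src-address=192.168.88.0/24 dst-address-type=local protocol=tcp \
    dst-port=80,443 action=dst-nat to-addresses=192.168.88.10 \
    comment="Hairpin HTTP/HTTPS"
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.10 protocol=tcp \
    dst-port=80,443 out-interface=LAN action=masquerade \
    comment="Hairpin masquerade"

# 4. Keep the forward-chain rule from the thread that drops new connections
#    from WAN that were not dst-natted, so only 80/443 reach the LAN.
/ip firewall filter
add chain=forward in-interface=WAN connection-state=new connection-nat-state=!dstnat \
    action=drop comment="Drop non-dstnatted new connections from WAN"

# 5. Checks: after a connection from outside, the dst-nat rule counters rise
#    and the connection table shows the translated destination.
/ip firewall nat print stats
/ip firewall connection print detail where protocol=tcp
```

Two things worth noting when applying this. The hairpin dst-nat rule with `dst-address-type=local` also redirects LAN requests to the router's own LAN address on ports 80 and 443 (for example WebFig); if that is unwanted, match the public address explicitly there instead. Also, in the filter list posted above, rules 8 and 12 are identical, so the second one never matches anything and can be removed without changing behaviour.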