Show posts



Posts - Tomáš Tichý

1
Off-topic / Re: Emails sent from cuzk.cz
« on: Today at 12:00:58 »
Or rather, the more qualified person would be Jiří Veselý (https://x.com/VeselyJir).
But right now he is dealing with the move to cuzk.gov.cz.

2
Networks / Re: Microsoft AZURE unreachable over IPv6 and nftables?
« on: 16. 06. 2023, 17:22:16 »
Many thanks. Lowering the MTU really did help.

3
Networks / Re: Microsoft AZURE unreachable over IPv6 and nftables?
« on: 16. 06. 2023, 11:30:41 »
and the continuation:
Code:
table ip6 firewalld {
chain nat_PREROUTING {
type nat hook prerouting priority dstnat + 10; policy accept;
jump nat_PREROUTING_POLICIES_pre
jump nat_PREROUTING_ZONES
jump nat_PREROUTING_POLICIES_post
}

chain nat_PREROUTING_POLICIES_pre {
jump nat_PRE_policy_allow-host-ipv6
}

chain nat_PREROUTING_ZONES {
iifname "enp1s0" goto nat_PRE_internal
iifname "eno1" goto nat_PRE_external
iifname "docker0" goto nat_PRE_docker
goto nat_PRE_public
}

chain nat_PREROUTING_POLICIES_post {
}

chain nat_POSTROUTING {
type nat hook postrouting priority srcnat + 10; policy accept;
jump nat_POSTROUTING_POLICIES_pre
jump nat_POSTROUTING_ZONES
jump nat_POSTROUTING_POLICIES_post
}

chain nat_POSTROUTING_POLICIES_pre {
}

chain nat_POSTROUTING_ZONES {
oifname "enp1s0" goto nat_POST_internal
oifname "eno1" goto nat_POST_external
oifname "docker0" goto nat_POST_docker
goto nat_POST_public
}

chain nat_POSTROUTING_POLICIES_post {
}

chain nat_POST_docker {
jump nat_POST_docker_pre
jump nat_POST_docker_log
jump nat_POST_docker_deny
jump nat_POST_docker_allow
jump nat_POST_docker_post
}

chain nat_POST_docker_pre {
}

chain nat_POST_docker_log {
}

chain nat_POST_docker_deny {
}

chain nat_POST_docker_allow {
}

chain nat_POST_docker_post {
}

chain nat_PRE_docker {
jump nat_PRE_docker_pre
jump nat_PRE_docker_log
jump nat_PRE_docker_deny
jump nat_PRE_docker_allow
jump nat_PRE_docker_post
}

chain nat_PRE_docker_pre {
}

chain nat_PRE_docker_log {
}

chain nat_PRE_docker_deny {
}

chain nat_PRE_docker_allow {
}

chain nat_PRE_docker_post {
}

chain nat_POST_external {
jump nat_POST_external_pre
jump nat_POST_external_log
jump nat_POST_external_deny
jump nat_POST_external_allow
jump nat_POST_external_post
}

chain nat_POST_external_pre {
}

chain nat_POST_external_log {
}

chain nat_POST_external_deny {
}

chain nat_POST_external_allow {
}

chain nat_POST_external_post {
}

chain nat_PRE_external {
jump nat_PRE_external_pre
jump nat_PRE_external_log
jump nat_PRE_external_deny
jump nat_PRE_external_allow
jump nat_PRE_external_post
}

chain nat_PRE_external_pre {
}

chain nat_PRE_external_log {
}

chain nat_PRE_external_deny {
}

chain nat_PRE_external_allow {
}

chain nat_PRE_external_post {
}

chain nat_POST_internal {
jump nat_POST_internal_pre
jump nat_POST_internal_log
jump nat_POST_internal_deny
jump nat_POST_internal_allow
jump nat_POST_internal_post
}

chain nat_POST_internal_pre {
}

chain nat_POST_internal_log {
}

chain nat_POST_internal_deny {
}

chain nat_POST_internal_allow {
}

chain nat_POST_internal_post {
}

chain nat_PRE_internal {
jump nat_PRE_internal_pre
jump nat_PRE_internal_log
jump nat_PRE_internal_deny
jump nat_PRE_internal_allow
jump nat_PRE_internal_post
}

chain nat_PRE_internal_pre {
}

chain nat_PRE_internal_log {
}

chain nat_PRE_internal_deny {
}

chain nat_PRE_internal_allow {
}

chain nat_PRE_internal_post {
}

chain nat_POST_public {
jump nat_POST_public_pre
jump nat_POST_public_log
jump nat_POST_public_deny
jump nat_POST_public_allow
jump nat_POST_public_post
}

chain nat_POST_public_pre {
}

chain nat_POST_public_log {
}

chain nat_POST_public_deny {
}

chain nat_POST_public_allow {
}

chain nat_POST_public_post {
}

chain nat_PRE_public {
jump nat_PRE_public_pre
jump nat_PRE_public_log
jump nat_PRE_public_deny
jump nat_PRE_public_allow
jump nat_PRE_public_post
}

chain nat_PRE_public_pre {
}

chain nat_PRE_public_log {
}

chain nat_PRE_public_deny {
}

chain nat_PRE_public_allow {
}

chain nat_PRE_public_post {
}

chain nat_PRE_policy_allow-host-ipv6 {
jump nat_PRE_policy_allow-host-ipv6_pre
jump nat_PRE_policy_allow-host-ipv6_log
jump nat_PRE_policy_allow-host-ipv6_deny
jump nat_PRE_policy_allow-host-ipv6_allow
jump nat_PRE_policy_allow-host-ipv6_post
}

chain nat_PRE_policy_allow-host-ipv6_pre {
}

chain nat_PRE_policy_allow-host-ipv6_log {
}

chain nat_PRE_policy_allow-host-ipv6_deny {
}

chain nat_PRE_policy_allow-host-ipv6_allow {
}

chain nat_PRE_policy_allow-host-ipv6_post {
}
}
Code:
table ip6 wg-quick-wg0 {
chain preraw {
type filter hook prerouting priority raw; policy accept;
}

chain premangle {
type filter hook prerouting priority mangle; policy accept;
meta l4proto udp meta mark set ct mark
ct state established,related counter packets 2300 bytes 900798 accept
}

chain postmangle {
type filter hook postrouting priority mangle; policy accept;
meta l4proto udp meta mark 0x0000ca6c ct mark set meta mark
}
}

4
Networks / Re: Microsoft AZURE unreachable over IPv6 and nftables?
« on: 16. 06. 2023, 11:29:07 »
Here are the rules:
Code:
nft list ruleset
table inet firewalld {
ct helper helper-netbios-ns-udp {
type "netbios-ns" protocol udp
l3proto ip
}

chain raw_PREROUTING {
type filter hook prerouting priority raw + 10; policy accept;
icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, mld-listener-query, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
meta nfproto ipv6 fib saddr . iif oif missing drop
}

chain mangle_PREROUTING {
type filter hook prerouting priority mangle + 10; policy accept;
jump mangle_PREROUTING_POLICIES_pre
jump mangle_PREROUTING_ZONES
jump mangle_PREROUTING_POLICIES_post
}

chain mangle_PREROUTING_POLICIES_pre {
jump mangle_PRE_policy_allow-host-ipv6
}

chain mangle_PREROUTING_ZONES {
iifname "enp1s0" goto mangle_PRE_internal
iifname "eno1" goto mangle_PRE_external
iifname "docker0" goto mangle_PRE_docker
goto mangle_PRE_public
}

chain mangle_PREROUTING_POLICIES_post {
}

chain filter_INPUT {
type filter hook input priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
jump filter_INPUT_POLICIES_pre
jump filter_INPUT_ZONES
jump filter_INPUT_POLICIES_post
ct state invalid drop
reject with icmpx admin-prohibited
}

chain filter_FORWARD {
type filter hook forward priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
jump filter_FORWARD_POLICIES_pre
jump filter_FORWARD_IN_ZONES
jump filter_FORWARD_OUT_ZONES
jump filter_FORWARD_POLICIES_post
ct state invalid drop
}

chain filter_OUTPUT {
type filter hook output priority filter + 10; policy accept;
oifname "lo" accept
jump filter_OUTPUT_POLICIES_pre
jump filter_OUTPUT_POLICIES_post
}

chain filter_INPUT_POLICIES_pre {
jump filter_IN_policy_allow-host-ipv6
}

chain filter_INPUT_ZONES {
iifname "enp1s0" goto filter_IN_internal
iifname "eno1" goto filter_IN_external
iifname "docker0" goto filter_IN_docker
goto filter_IN_public
}

chain filter_INPUT_POLICIES_post {
}

chain filter_FORWARD_POLICIES_pre {
}

chain filter_FORWARD_IN_ZONES {
iifname "enp1s0" goto filter_FWDI_internal
iifname "eno1" goto filter_FWDI_external
iifname "docker0" goto filter_FWDI_docker
goto filter_FWDI_public
}

chain filter_FORWARD_OUT_ZONES {
oifname "enp1s0" goto filter_FWDO_internal
oifname "eno1" goto filter_FWDO_external
oifname "docker0" goto filter_FWDO_docker
goto filter_FWDO_public
}

chain filter_FORWARD_POLICIES_post {
}

chain filter_OUTPUT_POLICIES_pre {
}

chain filter_OUTPUT_POLICIES_post {
}

chain filter_IN_docker {
jump filter_IN_docker_pre
jump filter_IN_docker_log
jump filter_IN_docker_deny
jump filter_IN_docker_allow
jump filter_IN_docker_post
accept
}

chain filter_IN_docker_pre {
}

chain filter_IN_docker_log {
}

chain filter_IN_docker_deny {
}

chain filter_IN_docker_allow {
}

chain filter_IN_docker_post {
}

chain filter_FWDO_docker {
jump filter_FWDO_docker_pre
jump filter_FWDO_docker_log
jump filter_FWDO_docker_deny
jump filter_FWDO_docker_allow
jump filter_FWDO_docker_post
accept
}

chain filter_FWDO_docker_pre {
}

chain filter_FWDO_docker_log {
}

chain filter_FWDO_docker_deny {
}

chain filter_FWDO_docker_allow {
}

chain filter_FWDO_docker_post {
}

chain filter_FWDI_docker {
jump filter_FWDI_docker_pre
jump filter_FWDI_docker_log
jump filter_FWDI_docker_deny
jump filter_FWDI_docker_allow
jump filter_FWDI_docker_post
accept
}

chain filter_FWDI_docker_pre {
}

chain filter_FWDI_docker_log {
}

chain filter_FWDI_docker_deny {
}

chain filter_FWDI_docker_allow {
}

chain filter_FWDI_docker_post {
}

chain mangle_PRE_docker {
jump mangle_PRE_docker_pre
jump mangle_PRE_docker_log
jump mangle_PRE_docker_deny
jump mangle_PRE_docker_allow
jump mangle_PRE_docker_post
}

chain mangle_PRE_docker_pre {
}

chain mangle_PRE_docker_log {
}

chain mangle_PRE_docker_deny {
}

chain mangle_PRE_docker_allow {
}

chain mangle_PRE_docker_post {
}

chain filter_IN_external {
jump filter_IN_external_pre
jump filter_IN_external_log
jump filter_IN_external_deny
jump filter_IN_external_allow
jump filter_IN_external_post
meta l4proto { icmp, ipv6-icmp } accept
}

chain filter_IN_external_pre {
}

chain filter_IN_external_log {
}

chain filter_IN_external_deny {
}

chain filter_IN_external_allow {
tcp dport 22 ct state { new, untracked } accept
}

chain filter_IN_external_post {
}

chain filter_FWDO_external {
jump filter_FWDO_external_pre
jump filter_FWDO_external_log
jump filter_FWDO_external_deny
jump filter_FWDO_external_allow
jump filter_FWDO_external_post
}

chain filter_FWDO_external_pre {
}

chain filter_FWDO_external_log {
}

chain filter_FWDO_external_deny {
}

chain filter_FWDO_external_allow {
ct state { new, untracked } accept
}

chain filter_FWDO_external_post {
}

chain filter_FWDI_external {
jump filter_FWDI_external_pre
jump filter_FWDI_external_log
jump filter_FWDI_external_deny
jump filter_FWDI_external_allow
jump filter_FWDI_external_post
meta l4proto { icmp, ipv6-icmp } accept
}

chain filter_FWDI_external_pre {
}

chain filter_FWDI_external_log {
}

chain filter_FWDI_external_deny {
}

chain filter_FWDI_external_allow {
oifname "eno1" accept
}

chain filter_FWDI_external_post {
}

chain mangle_PRE_external {
jump mangle_PRE_external_pre
jump mangle_PRE_external_log
jump mangle_PRE_external_deny
jump mangle_PRE_external_allow
jump mangle_PRE_external_post
}

chain mangle_PRE_external_pre {
}

chain mangle_PRE_external_log {
}

chain mangle_PRE_external_deny {
}

chain mangle_PRE_external_allow {
}

chain mangle_PRE_external_post {
}

chain filter_IN_internal {
jump filter_IN_internal_pre
jump filter_IN_internal_log
jump filter_IN_internal_deny
jump filter_IN_internal_allow
jump filter_IN_internal_post
meta l4proto { icmp, ipv6-icmp } accept
}

chain filter_IN_internal_pre {
}

chain filter_IN_internal_log {
}

chain filter_IN_internal_deny {
}

chain filter_IN_internal_allow {
tcp dport 22 ct state { new, untracked } accept
tcp dport { 80, 443 } accept
ip daddr 224.0.0.251 udp dport 5353 ct state { new, untracked } accept
ip6 daddr ff02::fb udp dport 5353 ct state { new, untracked } accept
udp dport 137 ct helper set "helper-netbios-ns-udp"
udp dport 137 ct state { new, untracked } accept
udp dport 138 ct state { new, untracked } accept
tcp dport 139 ct state { new, untracked } accept
tcp dport 445 ct state { new, untracked } accept
ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
}

chain filter_IN_internal_post {
}

chain filter_FWDO_internal {
jump filter_FWDO_internal_pre
jump filter_FWDO_internal_log
jump filter_FWDO_internal_deny
jump filter_FWDO_internal_allow
jump filter_FWDO_internal_post
}

chain filter_FWDO_internal_pre {
}

chain filter_FWDO_internal_log {
}

chain filter_FWDO_internal_deny {
}

chain filter_FWDO_internal_allow {
ct state { new, untracked } accept
}

chain filter_FWDO_internal_post {
}

chain filter_FWDI_internal {
jump filter_FWDI_internal_pre
jump filter_FWDI_internal_log
jump filter_FWDI_internal_deny
jump filter_FWDI_internal_allow
jump filter_FWDI_internal_post
meta l4proto { icmp, ipv6-icmp } accept
}

chain filter_FWDI_internal_pre {
}

chain filter_FWDI_internal_log {
}

chain filter_FWDI_internal_deny {
}

chain filter_FWDI_internal_allow {
oifname "enp1s0" accept
}

chain filter_FWDI_internal_post {
}

chain mangle_PRE_internal {
jump mangle_PRE_internal_pre
jump mangle_PRE_internal_log
jump mangle_PRE_internal_deny
jump mangle_PRE_internal_allow
jump mangle_PRE_internal_post
}

chain mangle_PRE_internal_pre {
}

chain mangle_PRE_internal_log {
}

chain mangle_PRE_internal_deny {
}

chain mangle_PRE_internal_allow {
}

chain mangle_PRE_internal_post {
}

chain filter_IN_public {
jump filter_IN_public_pre
jump filter_IN_public_log
jump filter_IN_public_deny
jump filter_IN_public_allow
jump filter_IN_public_post
meta l4proto { icmp, ipv6-icmp } accept
}

chain filter_IN_public_pre {
}

chain filter_IN_public_log {
}

chain filter_IN_public_deny {
}

chain filter_IN_public_allow {
tcp dport 22 ct state { new, untracked } accept
ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
udp dport 67 ct state { new, untracked } accept
tcp dport 53 ct state { new, untracked } accept
udp dport 53 ct state { new, untracked } accept
}

chain filter_IN_public_post {
}

chain filter_FWDO_public {
jump filter_FWDO_public_pre
jump filter_FWDO_public_log
jump filter_FWDO_public_deny
jump filter_FWDO_public_allow
jump filter_FWDO_public_post
}

chain filter_FWDO_public_pre {
}

chain filter_FWDO_public_log {
}

chain filter_FWDO_public_deny {
}

chain filter_FWDO_public_allow {
}

chain filter_FWDO_public_post {
}

chain filter_FWDI_public {
jump filter_FWDI_public_pre
jump filter_FWDI_public_log
jump filter_FWDI_public_deny
jump filter_FWDI_public_allow
jump filter_FWDI_public_post
meta l4proto { icmp, ipv6-icmp } accept
}

chain filter_FWDI_public_pre {
}

chain filter_FWDI_public_log {
}

chain filter_FWDI_public_deny {
}

chain filter_FWDI_public_allow {
}

chain filter_FWDI_public_post {
}

chain mangle_PRE_public {
jump mangle_PRE_public_pre
jump mangle_PRE_public_log
jump mangle_PRE_public_deny
jump mangle_PRE_public_allow
jump mangle_PRE_public_post
}

chain mangle_PRE_public_pre {
}

chain mangle_PRE_public_log {
}

chain mangle_PRE_public_deny {
}

chain mangle_PRE_public_allow {
}

chain mangle_PRE_public_post {
}

chain filter_IN_policy_allow-host-ipv6 {
jump filter_IN_policy_allow-host-ipv6_pre
jump filter_IN_policy_allow-host-ipv6_log
jump filter_IN_policy_allow-host-ipv6_deny
jump filter_IN_policy_allow-host-ipv6_allow
jump filter_IN_policy_allow-host-ipv6_post
}

chain filter_IN_policy_allow-host-ipv6_pre {
}

chain filter_IN_policy_allow-host-ipv6_log {
}

chain filter_IN_policy_allow-host-ipv6_deny {
}

chain filter_IN_policy_allow-host-ipv6_allow {
icmpv6 type echo-request accept
icmpv6 type nd-router-solicit accept
icmpv6 type nd-neighbor-advert accept
icmpv6 type nd-neighbor-solicit accept
icmpv6 type nd-router-advert accept
icmpv6 type nd-redirect accept
icmpv6 type mld-listener-query accept
icmpv6 type destination-unreachable accept
icmpv6 type packet-too-big accept
icmpv6 type time-exceeded accept
icmpv6 type parameter-problem accept
}

chain filter_IN_policy_allow-host-ipv6_post {
}

chain mangle_PRE_policy_allow-host-ipv6 {
jump mangle_PRE_policy_allow-host-ipv6_pre
jump mangle_PRE_policy_allow-host-ipv6_log
jump mangle_PRE_policy_allow-host-ipv6_deny
jump mangle_PRE_policy_allow-host-ipv6_allow
jump mangle_PRE_policy_allow-host-ipv6_post
}

chain mangle_PRE_policy_allow-host-ipv6_pre {
}

chain mangle_PRE_policy_allow-host-ipv6_log {
}

chain mangle_PRE_policy_allow-host-ipv6_deny {
}

chain mangle_PRE_policy_allow-host-ipv6_allow {
}

chain mangle_PRE_policy_allow-host-ipv6_post {
}
}

5
Networks / Microsoft AZURE unreachable over IPv6 and nftables?
« on: 16. 06. 2023, 11:24:45 »
I have another small problem. I got IPv6 running via WireGuard from vpsfree.
I configured radvd and almost everything works as it should.
I just can't reach sites that run on Microsoft AZURE.
When it was only Minecraft, which I wanted to test, it didn't bother me much, but I found another site.
Using the host command I found out that it runs on the same IPv6 address.
Code:
host launcher.mojang.com
launcher.mojang.com is an alias for launcher-cdn.azureedge.net.
launcher-cdn.azureedge.net is an alias for launcher-cdn.afd.azureedge.net.
launcher-cdn.afd.azureedge.net is an alias for star-azureedge-prod.trafficmanager.net.
star-azureedge-prod.trafficmanager.net is an alias for dual.part-0017.t-0009.t-msedge.net.
dual.part-0017.t-0009.t-msedge.net is an alias for part-0017.t-0009.t-msedge.net.
part-0017.t-0009.t-msedge.net has address 13.107.246.45
part-0017.t-0009.t-msedge.net has address 13.107.213.45
part-0017.t-0009.t-msedge.net has IPv6 address 2620:1ec:46::45
part-0017.t-0009.t-msedge.net has IPv6 address 2620:1ec:bdf::45

and
Code:
host api.golemio.cz
api.golemio.cz is an alias for golem-9m8-e8a8ekfzc8edchdd.z01.azurefd.net.
golem-9m8-e8a8ekfzc8edchdd.z01.azurefd.net is an alias for star-azurefd-prod.trafficmanager.net.
star-azurefd-prod.trafficmanager.net is an alias for dual.part-0017.t-0009.t-msedge.net.
dual.part-0017.t-0009.t-msedge.net is an alias for global-entry-afdthirdparty-fallback.trafficmanager.net.
global-entry-afdthirdparty-fallback.trafficmanager.net is an alias for dual.part-0017.t-0009.fb-t-msedge.net.
dual.part-0017.t-0009.fb-t-msedge.net is an alias for part-0017.t-0009.fb-t-msedge.net.
part-0017.t-0009.fb-t-msedge.net has address 13.107.226.45
part-0017.t-0009.fb-t-msedge.net has address 13.107.253.45
part-0017.t-0009.fb-t-msedge.net has IPv6 address 2620:1ec:29:1::45
part-0017.t-0009.fb-t-msedge.net has IPv6 address 2620:1ec:48:1::45

I slightly suspect the nftables firewall, but I don't see a rule there that would block it. On the router both sites are reachable.
Code:
wget https://api.golemio.cz
--2023-06-16 11:06:17--  https://api.golemio.cz/
Resolving api.golemio.cz (api.golemio.cz)... 2620:1ec:bdf::44, 2620:1ec:46::44, 13.107.213.44, ...
Connecting to api.golemio.cz (api.golemio.cz)|2620:1ec:bdf::44|:443... connected.
HTTP request sent, awaiting response... 307 Temporary Redirect
Location: https://operator-ict.gitlab.io/golemio/documentation/ [following]
--2023-06-16 11:06:17--  https://operator-ict.gitlab.io/golemio/documentation/
Resolving operator-ict.gitlab.io (operator-ict.gitlab.io)... 35.185.44.232
Connecting to operator-ict.gitlab.io (operator-ict.gitlab.io)|35.185.44.232|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 30174 (29K) [text/html]
Saving to: ‘index.html’

index.html                                 100%[=======================================================================================>]  29.47K  --.-KB/s    in 0.1s   

2023-06-16 11:06:18 (228 KB/s) - ‘index.html’ saved [30174/30174]

But from the internal network it no longer works:
Code:
wget https://api.golemio.cz
--2023-06-16 11:07:25--  https://api.golemio.cz/
Překládám api.golemio.cz (api.golemio.cz)… 2620:1ec:46::45, 2620:1ec:bdf::45, 13.107.246.45, ...
Navazuje se spojení s api.golemio.cz (api.golemio.cz)|2620:1ec:46::45|:443… spojeno.
^C

For completeness I am also adding the nftables rules.
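The symptom in this thread (small exchanges such as DNS and the TCP handshake succeed, the large TLS response never arrives, and lowering the MTU fixes it) is the classic IPv6 path-MTU black hole: routers do not fragment IPv6, so the sender has to receive an ICMPv6 packet-too-big message, and a tunnel that shrinks the MTU plus a filter that drops that message leaves the connection hanging. The script below is an added example written for this thread, not the poster's code and not part of firewalld or nftables. It does two things a practitioner would check: it parses an `nft list ruleset` dump and lists which ICMPv6 types essential to PMTUD and neighbour discovery are never accepted, and it computes the inner MTU a WireGuard tunnel can carry (the value radvd should advertise to the LAN) and the TCP MSS to clamp to. The two rulesets embedded in it are constructed excerpts in the shape of the dump above, not the full ruleset; the MTU figures assume a 1500-byte outer link and WireGuard's 32-byte data-message overhead.

```python
"""Checks for an IPv6-over-WireGuard setup behind firewalld/nftables.
Added example for this thread; not the poster's code and not firewalld's."""
import re

# ICMPv6 messages that must not be filtered for IPv6 to work (RFC 4890, section 4.3.1).
PMTUD_CRITICAL = {"packet-too-big"}
ND_REQUIRED = {"nd-neighbor-solicit", "nd-neighbor-advert",
               "nd-router-solicit", "nd-router-advert"}

# Header sizes used for the MTU arithmetic.
IPV6_HEADER = 40
IPV4_HEADER = 20
UDP_HEADER = 8
TCP_HEADER = 20
WG_OVERHEAD = 32  # WireGuard data message: 4 type + 4 receiver index + 8 counter + 16 auth tag

# Constructed excerpt in the shape of the thread's firewalld dump (not the full ruleset).
SAMPLE_RULESET = """
table inet firewalld {
    chain raw_PREROUTING {
        type filter hook prerouting priority raw + 10; policy accept;
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        meta nfproto ipv6 fib saddr . iif oif missing drop
    }

    chain filter_IN_policy_allow-host-ipv6_allow {
        icmpv6 type echo-request accept
        icmpv6 type packet-too-big accept
    }
}
"""

# Constructed "hardened" ruleset that only lets echo requests through: this is what black-holes PMTUD.
STRICT_RULESET = """
table inet strict {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state { established, related } accept
        icmpv6 type echo-request accept
    }
}
"""


def parse_ruleset(text):
    """Map chain name -> list of rule lines from an `nft list ruleset` dump.
    nft prints sets like `{ a, b }` on one line, so a bare `}` always closes
    the current chain (or the enclosing table, which we ignore)."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        opened = re.match(r"chain (\S+) \{$", line)
        if opened:
            current = opened.group(1)
            chains[current] = []
        elif line == "}":
            current = None
        elif current is not None and line:
            chains[current].append(line)
    return chains


def accepted_icmpv6_types(rules):
    """ICMPv6 types accepted by the given rules, expanding `{ a, b }` sets."""
    types = set()
    for rule in rules:
        match = re.search(r"icmpv6 type (\{[^}]*\}|\S+)", rule)
        if match and rule.endswith(" accept"):
            spec = match.group(1).strip("{} ")
            types.update(t.strip() for t in spec.split(","))
    return types


def missing_icmpv6_essentials(text):
    """Essential ICMPv6 types that no chain in the ruleset accepts, sorted."""
    seen = set()
    for rules in parse_ruleset(text).values():
        seen |= accepted_icmpv6_types(rules)
    return sorted((PMTUD_CRITICAL | ND_REQUIRED) - seen)


def wireguard_mtu(outer_mtu=1500, outer_ipv6=True):
    """Largest inner packet that fits one outer datagram: 1420 over an IPv6
    underlay, 1440 over IPv4. Advertise this as radvd's AdvLinkMTU so LAN
    hosts never emit packets the tunnel cannot carry."""
    outer = IPV6_HEADER if outer_ipv6 else IPV4_HEADER
    return outer_mtu - outer - UDP_HEADER - WG_OVERHEAD


def tcp_mss_for(inner_mtu, inner_ipv6=True):
    """TCP MSS that fits the inner MTU; the value an MSS-clamping rule should set."""
    return inner_mtu - (IPV6_HEADER if inner_ipv6 else IPV4_HEADER) - TCP_HEADER


if __name__ == "__main__":
    for name, ruleset in (("sample", SAMPLE_RULESET), ("strict", STRICT_RULESET)):
        gaps = missing_icmpv6_essentials(ruleset)
        print(f"{name}: missing ICMPv6 essentials -> {gaps or 'none'}")
    mtu = wireguard_mtu()
    print(f"WireGuard over IPv6: inner MTU {mtu}, TCP MSS clamp {tcp_mss_for(mtu)}")
```

If the ruleset check comes back clean (as the dump in this thread does for packet-too-big, which is accepted both in `raw_PREROUTING` and in the allow-host-ipv6 policy), the remaining suspects are the far end of the path not honouring packet-too-big at all, or LAN hosts still believing the link MTU is 1500; advertising the tunnel MTU via radvd or clamping the MSS (nftables: `tcp flags syn tcp option maxseg size set rt mtu` on the forward path) removes the dependency on PMTUD entirely, which is what lowering the MTU achieved here.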

6
Networks / Re: openSUSE PC as a router
« on: 25. 04. 2023, 14:23:04 »
After turning off firewalld and adding nftables rules according to the article https://www.root.cz/clanky/nftables-priklad-konfigurace-firewallu-a-vzorove-situace/, the router works.

7
Networks / openSUSE PC as a router
« on: 25. 04. 2023, 09:47:35 »
Hello,
I need some advice or a nudge in the right direction.
I wanted to build a router out of a computer that has two network cards. One is named wan and is connected to the 10.0.0.0/24 network.
The other is named lan and hands out addresses from the 192.168.2.0/24 range. DHCP and DNS work, but there is a small problem with forwarding traffic from lan to wan.
The computer runs openSUSE Tumbleweed and firewalld.
When pinging from the local lan network to a computer on the wan network, this is shown:
Code:
ping 10.0.0.152
PING 10.0.0.152 (10.0.0.152) 56(84) bytes of data.
From 192.168.2.1 icmp_seq=1 Packet filtered
From 192.168.2.1 icmp_seq=2 Packet filtered
From 192.168.2.1 icmp_seq=3 Packet filtered
From 192.168.2.1 icmp_seq=4 Packet filtered
From 192.168.2.1 icmp_seq=5 Packet filtered
From 192.168.2.1 icmp_seq=6 Packet filtered
From 192.168.2.1 icmp_seq=7 Packet filtered
From 192.168.2.1 icmp_seq=8 Packet filtered
From 192.168.2.1 icmp_seq=9 Packet filtered
From 192.168.2.1 icmp_seq=10 Packet filtered

Using TCPDUMP I captured traffic on the router:
Code:
tcpdump -i any icmp
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
08:44:27.311669 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 72, seq 1, length 64
08:44:27.311730 lan   Out IP ROUTER > 192.168.2.50: ICMP host 10.0.0.152 unreachable - admin prohibited filter, length 92
08:44:28.316507 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 72, seq 2, length 64
08:44:28.316551 lan   Out IP ROUTER > 192.168.2.50: ICMP host 10.0.0.152 unreachable - admin prohibited filter, length 92
08:44:29.340507 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 72, seq 3, length 64
08:44:29.340547 lan   Out IP ROUTER > 192.168.2.50: ICMP host 10.0.0.152 unreachable - admin prohibited filter, length 92
08:44:30.364431 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 72, seq 4, length 64
08:44:30.364472 lan   Out IP ROUTER > 192.168.2.50: ICMP host 10.0.0.152 unreachable - admin prohibited filter, length 92
08:44:31.388411 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 72, seq 5, length 64
08:44:31.388457 lan   Out IP ROUTER > 192.168.2.50: ICMP host 10.0.0.152 unreachable - admin prohibited filter, length 92
08:44:32.412413 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 72, seq 6, length 64
08:44:32.412454 lan   Out IP ROUTER > 192.168.2.50: ICMP host 10.0.0.152 unreachable - admin prohibited filter, length 92
08:44:33.436361 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 72, seq 7, length 64
08:44:33.436402 lan   Out IP ROUTER > 192.168.2.50: ICMP host 10.0.0.152 unreachable - admin prohibited filter, length 92
08:44:34.460316 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 72, seq 8, length 64
08:44:34.460356 lan   Out IP ROUTER > 192.168.2.50: ICMP host 10.0.0.152 unreachable - admin prohibited filter, length 92
08:44:35.484306 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 72, seq 9, length 64
08:44:35.484346 lan   Out IP ROUTER > 192.168.2.50: ICMP host 10.0.0.152 unreachable - admin prohibited filter, length 92
08:44:36.508247 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 72, seq 10, length 64
08:44:36.508288 lan   Out IP ROUTER > 192.168.2.50: ICMP host 10.0.0.152 unreachable - admin prohibited filter, length 92
08:44:37.532285 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 72, seq 11, length 64
08:44:37.532325 lan   Out IP ROUTER > 192.168.2.50: ICMP host 10.0.0.152 unreachable - admin prohibited filter, length 92

If I turn the firewall off, the captured traffic changes and it reaches the target machine. However, the address is not changed, so the target machine has nowhere to reply to.
Here is the traffic captured on the router:
Code:
tcpdump -i any icmp
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
09:39:29.122895 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 80, seq 1, length 64
09:39:29.122929 wan   Out IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 80, seq 1, length 64
09:39:30.143463 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 80, seq 2, length 64
09:39:30.143481 wan   Out IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 80, seq 2, length 64
09:39:31.167414 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 80, seq 3, length 64
09:39:31.167431 wan   Out IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 80, seq 3, length 64
09:39:32.191408 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 80, seq 4, length 64
09:39:32.191427 wan   Out IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 80, seq 4, length 64
09:39:33.215340 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 80, seq 5, length 64
09:39:33.215357 wan   Out IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 80, seq 5, length 64
09:39:34.239353 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 80, seq 6, length 64
09:39:34.239371 wan   Out IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 80, seq 6, length 64

And here on the target computer:
Code:
tcpdump -i enp0s31f6 icmp
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
09:39:28.668370 enp0s31f6 In  IP 192.168.2.50 > thinkpadX270: ICMP echo request, id 80, seq 1, length 64
09:39:28.668513 enp0s31f6 Out IP thinkpadX270 > 192.168.2.50: ICMP echo reply, id 80, seq 1, length 64
09:39:29.688989 enp0s31f6 In  IP 192.168.2.50 > thinkpadX270: ICMP echo request, id 80, seq 2, length 64
09:39:29.689088 enp0s31f6 Out IP thinkpadX270 > 192.168.2.50: ICMP echo reply, id 80, seq 2, length 64
09:39:30.712961 enp0s31f6 In  IP 192.168.2.50 > thinkpadX270: ICMP echo request, id 80, seq 3, length 64
09:39:30.713073 enp0s31f6 Out IP thinkpadX270 > 192.168.2.50: ICMP echo reply, id 80, seq 3, length 64
09:39:31.736939 enp0s31f6 In  IP 192.168.2.50 > thinkpadX270: ICMP echo request, id 80, seq 4, length 64
09:39:31.737043 enp0s31f6 Out IP thinkpadX270 > 192.168.2.50: ICMP echo reply, id 80, seq 4, length 64
09:39:32.760819 enp0s31f6 In  IP 192.168.2.50 > thinkpadX270: ICMP echo request, id 80, seq 5, length 64
09:39:32.760935 enp0s31f6 Out IP thinkpadX270 > 192.168.2.50: ICMP echo reply, id 80, seq 5, length 64
09:39:33.784821 enp0s31f6 In  IP 192.168.2.50 > thinkpadX270: ICMP echo request, id 80, seq 6, length 64
09:39:33.784922 enp0s31f6 Out IP thinkpadX270 > 192.168.2.50: ICMP echo reply, id 80, seq 6, length 64

Routing is set up with the commands:
Code:
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1
sysctl -p

Routing table listing:
Code:
ip rou
default via 10.0.0.138 dev wan
10.0.0.0/24 dev wan proto kernel scope link src 10.0.0.237
192.168.2.0/24 dev lan proto kernel scope link src 192.168.2.1

Interface listing:
Code:
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 10:60:4b:60:03:92 brd ff:ff:ff:ff:ff:ff
    altname enp0s25
    altname eno1
    inet 10.0.0.237/24 brd 10.0.0.255 scope global wan
       valid_lft forever preferred_lft forever
    inet6 fe80::1260:4bff:fe60:392/64 scope link
       valid_lft forever preferred_lft forever
3: lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether a0:36:9f:a0:65:ec brd ff:ff:ff:ff:ff:ff
    altname enp1s0
    inet 192.168.2.1/24 brd 192.168.2.255 scope global lan
       valid_lft forever preferred_lft forever
    inet6 fe80::a236:9fff:fea0:65ec/64 scope link
       valid_lft forever preferred_lft forever

And the firewall settings for lan:
Code:
firewall-cmd --zone=internal --list-all
internal
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

and for wan:
Code:
firewall-cmd --zone=external --list-all
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno1 wan
  sources:
  services: ssh
  ports:
  protocols:
  forward: yes
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Thank you for any help.
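Two facts in the captures above narrow this down before touching any rule: the "admin prohibited" ICMP errors are emitted by the router itself (source ROUTER, out on lan), so a local filter verdict is rejecting the forward, and the internal zone lists no interfaces, so the lan NIC is not actually in that zone but in whatever the default zone is. The script below is an added example written for this thread, not the poster's code and not part of firewalld. It parses tcpdump `-i any` (Linux cooked v2) lines to attribute such rejects to the host that sent them, and parses `firewall-cmd --zone=X --list-all` output to flag a zone that binds nothing and to note that firewalld's `forward: yes` only forwards between interfaces of that same zone, so lan-to-wan traffic across two zones is governed by policies or by masquerade on the egress zone. The capture lines and zone listings embedded in it are constructed samples modelled on this post.

```python
"""Triage helpers for the "Packet filtered" symptom on a two-NIC firewalld router.
Added example; not the poster's code and not part of firewalld."""
import re
from collections import Counter

TCPDUMP_LINE = re.compile(
    r"^(?P<time>\S+)\s+(?P<iface>\S+)\s+(?P<dir>In|Out)\s+IP6?\s+"
    r"(?P<src>\S+) > (?P<dst>[^:]+): (?P<msg>.*)$")
ADMIN_PROHIBITED = re.compile(r"ICMP host (?P<target>\S+) unreachable - admin prohibited")

# Constructed capture in the format of `tcpdump -i any icmp` on the router.
SAMPLE_CAPTURE = """\
tcpdump: data link type LINUX_SLL2
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
08:44:27.311669 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 72, seq 1, length 64
08:44:27.311730 lan   Out IP ROUTER > 192.168.2.50: ICMP host 10.0.0.152 unreachable - admin prohibited filter, length 92
08:44:28.316507 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 72, seq 2, length 64
08:44:28.316551 lan   Out IP ROUTER > 192.168.2.50: ICMP host 10.0.0.152 unreachable - admin prohibited filter, length 92
"""

# Constructed zone listings in the format of `firewall-cmd --zone=X --list-all`.
INTERNAL_ZONE = """\
internal
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""
EXTERNAL_ZONE = """\
external (active)
  target: default
  interfaces: eno1 wan
  sources:
  services: ssh
  forward: yes
  masquerade: yes
"""


def parse_tcpdump(text):
    """One dict per packet line (time, iface, dir, src, dst, msg); banner lines are skipped."""
    records = []
    for line in text.splitlines():
        match = TCPDUMP_LINE.match(line.strip())
        if match:
            records.append(match.groupdict())
    return records


def admin_prohibited_rejects(text):
    """Count ICMP admin-prohibited errors keyed by (sending host, interface, blocked destination).
    A sender equal to the router itself means a local filter verdict, not an upstream device."""
    counts = Counter()
    for rec in parse_tcpdump(text):
        match = ADMIN_PROHIBITED.search(rec["msg"])
        if match:
            counts[(rec["src"], rec["iface"], match.group("target"))] += 1
    return counts


def parse_zone_listing(text):
    """Turn `firewall-cmd --zone=X --list-all` output into a dict; each setting becomes a list of tokens."""
    lines = [l for l in text.strip().splitlines() if l.strip()]
    zone = {"name": lines[0].split()[0], "active": "(active)" in lines[0]}
    for line in lines[1:]:
        key, _, value = line.strip().partition(":")
        zone[key.strip()] = value.split()
    return zone


def zone_findings(zone):
    """Settings that commonly explain 'Packet filtered' on a router with one NIC per zone."""
    findings = []
    if not zone.get("interfaces") and not zone.get("sources"):
        findings.append(f"zone '{zone['name']}' binds no interface or source; "
                        "a NIC you expect here is really handled by the default zone")
    if zone.get("forward") == ["yes"]:
        findings.append(f"zone '{zone['name']}': forward=yes only forwards between interfaces of this "
                        "same zone; forwarding into another zone needs a policy or masquerade on the egress zone")
    return findings


if __name__ == "__main__":
    for key, n in admin_prohibited_rejects(SAMPLE_CAPTURE).items():
        print(f"{n} admin-prohibited rejects sent by {key[0]} on {key[1]} for {key[2]}")
    for listing in (INTERNAL_ZONE, EXTERNAL_ZONE):
        for finding in zone_findings(parse_zone_listing(listing)):
            print(finding)
```

Run against real output (`tcpdump -i any icmp -l` piped in, and `firewall-cmd --zone=internal --list-all`), the first finding is the one to act on: `firewall-cmd --zone=internal --change-interface=lan` binds the NIC, and then a policy from internal to external (or relying on external's `masquerade: yes`, which is what also adds the source NAT the poster found missing with the firewall off) carries the forwarded traffic.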
