Hi, I have a router connected to the internet through the network card eth2. The LAN is on br0 (wifi + ethernet).
When I run ping on the router itself, everything is fine:
root@router# ping -c 4 www.facebook.com
PING www.facebook.com (69.171.234.96) 56(84) bytes of data.
64 bytes from 69.171.234.96: icmp_req=1 ttl=241 time=177 ms
64 bytes from 69.171.234.96: icmp_req=2 ttl=240 time=170 ms
64 bytes from 69.171.234.96: icmp_req=3 ttl=240 time=171 ms
64 bytes from 69.171.234.96: icmp_req=4 ttl=240 time=171 ms
--- www.facebook.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 170.951/172.589/177.190/2.705 ms
root@router#
time 3004ms
But when I run ping from the LAN, it takes an awfully long time. The response time from the server is roughly the same, but the total time is extremely long and it waits a very long time between printing the individual lines:
martin@martin ~ $ ping -c 4 www.facebook.com
PING www.facebook.com (69.171.228.74) 56(84) bytes of data.
64 bytes from 69.171.228.74: icmp_req=1 ttl=239 time=179 ms
64 bytes from 69.171.228.74: icmp_req=2 ttl=239 time=179 ms
64 bytes from 69.171.228.74: icmp_req=3 ttl=239 time=179 ms
64 bytes from 69.171.228.74: icmp_req=4 ttl=239 time=182 ms
--- www.facebook.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 69862ms
rtt min/avg/max/mdev = 179.195/180.368/182.842/1.487 ms
martin@martin ~ $
time 69862ms
But the packets presumably pass fine (firewall on the router):
root@router# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
374 22674 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
34 2837 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- eth2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
76 5970 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
2 477 ACCEPT all -- tap0 * 0.0.0.0/0 0.0.0.0/0
502 67487 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
6 504 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
42 12596 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
22 3080 REJECT all -- eth2 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-admin-prohibited
Chain FORWARD (policy DROP 325 packets, 20878 bytes)
pkts bytes target prot opt in out source destination
195 11808 ACCEPT all -- br0 eth2 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tap0 eth2 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br0 tap0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tap0 br0 0.0.0.0/0 0.0.0.0/0
7 588 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 435 packets, 87526 bytes)
pkts bytes target prot opt in out source destination
532 69990 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
22 3167 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
root@router#
Firewall script on the router:
#!/bin/bash
# Interface roles
WAN="eth2"
LAN="br0"
VPN="tap0"

# Flush all rules and delete user-defined chains
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Default policies: drop inbound and forwarded traffic, allow outbound
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# NAT for everything leaving through the WAN interface
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

# Services reachable on the router itself
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $WAN -p tcp --dport 443 -j ACCEPT
# Anything arriving from the LAN bridge or the VPN may reach the router
iptables -A INPUT -i $LAN -j ACCEPT
iptables -A INPUT -i $VPN -j ACCEPT

# Forwarding: LAN and VPN out to the WAN, and LAN <-> VPN in both directions
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
iptables -A FORWARD -i $VPN -o $WAN -j ACCEPT
iptables -A FORWARD -i $LAN -o $VPN -j ACCEPT
iptables -A FORWARD -i $VPN -o $LAN -j ACCEPT

# Loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# ICMP in all three chains (the only FORWARD rule that matches WAN -> LAN)
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT

# Replies to the router's own connections (there is no such rule in FORWARD)
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Everything else from the WAN is rejected; invalid packets are dropped; the rest is rejected
iptables -A INPUT -i $WAN -j REJECT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -j REJECT --reject-with icmp-admin-prohibited
What could be causing it? Could the LAN bridge be doing it? Nothing else comes to mind.
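An added example, not part of the original post: a small Python script that parses the `iptables -L -n -v` output posted above (the FORWARD chain is embedded as constructed sample text) and reports, per protocol, what the chain does with a reply packet coming back in on eth2 and going out to br0. The interface names are taken from the post; the column layout assumed is the one of the posted output, and only built-in chains with a policy line are handled.

```python
import re

# Constructed sample: the FORWARD chain exactly as shown in the post above.
SAMPLE = """\
Chain FORWARD (policy DROP 325 packets, 20878 bytes)
pkts bytes target prot opt in out source destination
195 11808 ACCEPT all -- br0 eth2 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tap0 eth2 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br0 tap0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tap0 br0 0.0.0.0/0 0.0.0.0/0
7 588 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets")

def parse_iptables(text):
    """Parse `iptables -L -n -v` output into {chain: {policy, dropped, rules}}."""
    chains, current = {}, None
    for line in text.splitlines():
        parts = line.split()
        m = CHAIN_RE.match(line)
        if m:
            current = {"policy": m.group(2), "dropped": int(m.group(3)), "rules": []}
            chains[m.group(1)] = current
        elif current is not None and len(parts) >= 9 and parts[0] != "pkts":
            # columns: pkts bytes target prot opt in out source destination [match options]
            current["rules"].append({"pkts": int(parts[0]), "target": parts[2],
                                     "prot": parts[3], "in": parts[5], "out": parts[6],
                                     "extra": " ".join(parts[9:])})
    return chains

def reply_verdict(chains, lan, wan, chain="FORWARD"):
    """Verdict for a tcp/udp/icmp packet entering on `wan` and leaving on `lan`:
    ACCEPT if an unconditional or RELATED,ESTABLISHED ACCEPT rule matches, else the policy."""
    c = chains[chain]
    verdict = {}
    for prot in ("tcp", "udp", "icmp"):
        verdict[prot] = c["policy"]
        for r in c["rules"]:
            if (r["target"] == "ACCEPT" and r["prot"] in ("all", prot)
                    and r["in"] in ("*", wan) and r["out"] in ("*", lan)
                    and (r["extra"] == "" or "ESTABLISHED" in r["extra"])):
                verdict[prot] = "ACCEPT"
                break
    return verdict

if __name__ == "__main__":
    chains = parse_iptables(SAMPLE)
    print("packets dropped by FORWARD policy:", chains["FORWARD"]["dropped"])
    print("WAN -> LAN replies:", reply_verdict(chains, lan="br0", wan="eth2"))
```

On the posted chain it reports ACCEPT for ICMP but DROP for TCP and UDP: FORWARD accepts ICMP from anywhere, yet has no unconditional or RELATED,ESTABLISHED rule for the eth2-to-br0 direction, and the 325 packets counted against the DROP policy in the post are consistent with that. ICMP echo replies to the LAN still pass, so this does not by itself explain the ping delay, but it is the first thing to rule out before looking at the bridge.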