Ernillew / wl500g

Automatically exported from code.google.com/p/wl500g

Port Forwarding/Virtual Server RT-N16 issue #225

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago

What steps will reproduce the problem?
1. Through the web interface, enable Virtual Server, for example to get remote access to a NAS behind NAT, plus torrent.
2. Through the web interface, open TCP ports 6881 and 5001 to the internal address 192.168.1.5.
3. Reboot.

What is the expected output? What do you see instead?
We try to get access: no luck.

What version of the product are you using?
Firmware RT-N16-1.9.2.7-rtn-r2775.trx

Please provide any additional information below.
If we run `iptables -L` on the router (note: in Diagnostic Info everything looks more or less fine) we see the following:
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere
SECURITY   all  --  anywhere             anywhere            state NEW
modprobe: chdir(/opt/lib/modules): No such file or directory
modprobe: chdir(/opt/lib/modules): No such file or directory
ACCEPT     all  --  anywhere             anywhere            ctstate DNAT
DROP       all  --  anywhere             anywhere

As I understand it, these two (modprobe) lines are what make the ports stop working.
Discussed at
http://wl500g.info/showthread.php?p=227105&highlight=modprobe#post227105

Original issue reported on code.google.com by Dim1...@gmail.com on 3 May 2011 at 9:45

GoogleCodeExporter commented 9 years ago
fixed since r2791

Original comment by themiron.ru on 4 May 2011 at 5:02

GoogleCodeExporter commented 9 years ago
On my RT-N12 with 2775 redirect works on both MAN and WAN.
Bug 224 does not affect redirect.

Original comment by laplande...@gmail.com on 4 May 2011 at 8:25

GoogleCodeExporter commented 9 years ago
Installed 2972, it still doesn't work. FORWARD now looks like this:
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere            ctstate INVALID
ACCEPT     all  --  anywhere             anywhere            ctstate RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere
SECURITY   all  --  anywhere             anywhere            ctstate NEW
ACCEPT     all  --  anywhere             anywhere            ctstate DNAT
DROP       all  --  anywhere             anywhere

In Diagnostic Info there is IP Tables NAT:
Chain PREROUTING (policy ACCEPT 2625 packets, 236K bytes)
 pkts bytes target     prot opt in     out     source               destination
   11   857 VSERVER    all  --  *      *       0.0.0.0/0            10.XXX.XXX.XXX

Chain POSTROUTING (policy ACCEPT 27 packets, 2149 bytes)
 pkts bytes target     prot opt in     out     source               destination
   20  1167 MASQUERADE  all  --  *      vlan2  !10.XXX.XXX.XXX        0.0.0.0/0
    2   656 MASQUERADE  all  --  *      br0     192.168.1.0/24       192.168.1.0/24

Chain OUTPUT (policy ACCEPT 29 packets, 2805 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5001 to:192.168.1.5:5001

Original comment by Dim1...@gmail.com on 20 May 2011 at 11:35

GoogleCodeExporter commented 9 years ago
provided iptables FORWARD output is incomplete.
so, suspect misconfigured Firewall WEB UI settings.

Original comment by themiron.ru on 20 May 2011 at 11:57

GoogleCodeExporter commented 9 years ago
To rule out any doubt I went through the following sequence:
1. Factory default
2. Firmware upgrade 2972
3. Factory default
4. Configured IP Config WAN & LAN, rebooted; Wireless Interface, rebooted; changed the password and name, rebooted
5. In NAT Setting > Virtual Server added the rule "empty" 5001 192.168.1.5 5001 TCP; "Enable virtual server?" is on by default (though later I also tried toggling it), rebooted.
6. Access to the port from outside does not work; I test it as access from a browser to my own external IP (I have a real IP):
https://85.XXX.XXX.XXX:5001/
From inside it works:
https://192.168.1.5:5001

7. Status & Log > Port Forwarding gives:
Destination     Proto.  Port range  Redirect to     Local port
ALL             TCP     5001        192.168.1.5     5001       

8. Status & Log > Diagnostic Info gives the following:
IP Tables

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate INVALID 
  565 61342 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           ctstate NEW 
   90  4778 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0           ctstate NEW 
 1976  143K SECURITY   all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           ctstate NEW 
 1945  140K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 37 packets, 1974 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate INVALID 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 DROP       all  --  !br0   vlan2   0.0.0.0/0            0.0.0.0/0           
    0     0 SECURITY   all  --  !br0   *       0.0.0.0/0            0.0.0.0/0           ctstate NEW 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate DNAT 
    0     0 DROP       all  --  *      br0     0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 1332 packets, 1420K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain BRUTE (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain MACS (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain SECURITY (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   128 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 1/sec burst 5 
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x04 limit: avg 1/sec burst 5 
 1943  140K RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5 
    0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5 
   31  2621 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain logaccept (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate NEW LOG flags 39 level 4 prefix `ACCEPT ' 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate NEW LOG flags 39 level 4 prefix `DROP ' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

IP Tables NAT

Chain PREROUTING (policy ACCEPT 1054 packets, 115K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    4   382 VSERVER    all  --  *      *       0.0.0.0/0            10.XXX.XXX.XXX       

Chain POSTROUTING (policy ACCEPT 8 packets, 536 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   33  1758 MASQUERADE  all  --  *      vlan2  !10.XXX.XXX.XXX        0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      br0     192.168.1.0/24       192.168.1.0/24      

Chain OUTPUT (policy ACCEPT 8 packets, 536 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5001 to:192.168.1.5:5001 

Original comment by Dim1...@gmail.com on 21 May 2011 at 5:59

GoogleCodeExporter commented 9 years ago
First, the support language is ENGLISH, not Russian; please follow the rules.

You don't have a public 85.XXX.XXX.XXX address, you have only 10.XXX.XXX.XXX from
your ISP. That's why VSERVER for 85.XXX.XXX.XXX doesn't work.

Original comment by themiron.ru on 21 May 2011 at 6:36

GoogleCodeExporter commented 9 years ago
I have TWO static addresses:
the external address (public, real IP) 85.XXX.XXX.XXX is forwarded by the ISP to
the internal address (internal to the ISP, not public) 10.XXX.XXX.XXX. I want to forward
port 5001 from 85.XXX.XXX.XXX to (my internal) 192.168.1.5.
... Maybe my ISP is blocking port 5001; I will ask tomorrow, but it is
improbable.

Original comment by Dim1...@gmail.com on 21 May 2011 at 7:01

GoogleCodeExporter commented 9 years ago
Check with tcpdump whether packets from the outside aimed at 85. are actually
received on the WAN interface.
If the dst address isn't changed from 85 to 10, try adding
iptables -t nat -I PREROUTING 1 -d 85.x.x.x -j VSERVER

Original comment by themiron.ru on 21 May 2011 at 10:26

GoogleCodeExporter commented 9 years ago
1. The ISP does not block any ports on my real IP.
2. `tcpdump port 5001 -i vlan2` returns:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan2, link-type EN10MB (Ethernet), capture size 65535 bytes
17:16:57.402972 IP 10.xxx.xxx.xxx.49577 > 85.xxx.xxx.xxx.5001: Flags [S], seq 1292443485, win 8192, options [mss 1460,nop,nop,sackOK], length 0
17:17:00.400262 IP 10.xxx.xxx.xxx.49577 > 85.xxx.xxx.xxx.5001: Flags [S], seq 1292443485, win 8192, options [mss 1460,nop,nop,sackOK], length 0
17:17:06.400490 IP 10.xxx.xxx.xxx.49577 > 85.xxx.xxx.xxx.5001: Flags [S], seq 1292443485, win 8192, options [mss 1460,nop,nop,sackOK], length 0

3. After adding `iptables -t nat -I PREROUTING 1 -d 85.x.x.x -j VSERVER` everything
works perfectly. Is it a bug?

Original comment by Dim1...@gmail.com on 22 May 2011 at 1:23
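The check and the fix from the two comments above, written out as a script. This is an added example, not code from the thread or from the wl500g firmware. The firmware's nat PREROUTING table only jumps to VSERVER for packets addressed to the router's own WAN address (the `-d 10.XXX.XXX.XXX -j VSERVER` rule in the Diagnostic Info output), so a packet that still carries the ISP's public address as its destination when it reaches vlan2 never gets DNATed. The script takes the WAN address and some tcpdump lines from vlan2, lists every destination address for the forwarded port that is not the WAN address, and prints the extra PREROUTING jump that makes VSERVER reachable for it. Assumptions not taken from the thread: the WAN address is hard-coded rather than read from nvram, the addresses 10.0.0.2, 85.1.2.3 and 203.0.113.9 are constructed stand-ins for the masked ones, the capture lines are constructed in the shape of the posted output, and the rules are printed rather than executed.

```shell
#!/bin/sh
# Added example (not wl500g firmware code): from a tcpdump capture on the WAN
# interface, find destination addresses that the firmware's
# "-d WAN_IP -j VSERVER" rule will never match and print the PREROUTING rule
# suggested in the thread for each of them.

WAN_IP="10.0.0.2"      # constructed: the ISP-side address held on vlan2
VSERVER_PORT="5001"    # the forwarded port from the thread

# Constructed capture in the shape of `tcpdump port 5001 -i vlan2` output:
# two SYNs to the public address, one to the WAN address, one to another port.
CAPTURE='17:16:57.402972 IP 10.0.0.2.49577 > 85.1.2.3.5001: Flags [S], seq 1292443485, win 8192, options [mss 1460,nop,nop,sackOK], length 0
17:17:00.400262 IP 10.0.0.2.49577 > 85.1.2.3.5001: Flags [S], seq 1292443485, win 8192, options [mss 1460,nop,nop,sackOK], length 0
17:17:03.100000 IP 203.0.113.9.40001 > 10.0.0.2.5001: Flags [S], seq 7, win 8192, length 0
17:17:05.200000 IP 203.0.113.9.40002 > 85.1.2.3.80: Flags [S], seq 8, win 8192, length 0'

# dst_endpoint LINE: print "ADDR PORT" for the destination of one tcpdump line,
# taken from the field after ">" (e.g. "85.1.2.3.5001:").
dst_endpoint() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++) if ($i == ">") {
            ep = $(i + 1); sub(/:$/, "", ep)
            n = split(ep, f, ".")              # last dotted piece is the port
            addr = ep; sub(/\.[0-9]+$/, "", addr)
            print addr, f[n]; exit
        }
    }'
}

# foreign_dsts WAN_IP PORT CAPTURE: unique destination addresses of packets to
# PORT that are not WAN_IP; these never reach the "-d WAN_IP -j VSERVER" jump.
foreign_dsts() {
    wan="$1"; port="$2"
    printf '%s\n' "$3" | while IFS= read -r line; do
        case "$line" in *" > "*) ;; *) continue ;; esac
        set -- $(dst_endpoint "$line")
        [ "$2" = "$port" ] || continue
        [ "$1" = "$wan" ] || printf '%s\n' "$1"
    done | sort -u
}

# vserver_rules WAN_IP PORT CAPTURE: the extra PREROUTING jump from the thread,
# one per foreign destination, inserted at position 1 so it is evaluated before
# the firmware's own "-d WAN_IP" jump. Printed, not executed.
vserver_rules() {
    foreign_dsts "$1" "$2" "$3" | while IFS= read -r d; do
        printf 'iptables -t nat -I PREROUTING 1 -d %s -j VSERVER\n' "$d"
    done
}

vserver_rules "$WAN_IP" "$VSERVER_PORT" "$CAPTURE"
```

On the router itself the capture would come from `tcpdump -n port 5001 -i vlan2` and the WAN address from `nvram get wan_ipaddr`; the rule the script prints is the same one that fixed the reporter's setup, and it has to be re-added after every reboot or firewall restart because the web UI does not know about the second address.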

GoogleCodeExporter commented 9 years ago
yes, it's a bug. of your ISP.

Original comment by themiron.ru on 22 May 2011 at 6:50