
netiaspot and tplink, 2 subnets

gmiko 13 Feb 2016 11:27 609 6
  • #1 13 Feb 2016 11:27
    gmiko
    Level 9

    I have the following problem. Configuration and hardware:

    netiaspot router with the internet connection, network 192.168.1.x
    tplink wr740n router running OpenWrt.

    The tplink's WAN port is connected with a LAN cable to the netiaspot. On the tplink's WAN port I configured: static IP 192.168.1.200, gateway 192.168.1.1, broadcast 192.168.1.255, DNS 192.168.1.1.

    In the tplink's LAN configuration:
    address: 192.168.2.1, gateway 192.168.1.200, broadcast 192.168.1.255, DNS 192.168.1.200

    Hosts on the 192.168.2.x network can see the hosts on 192.168.1.x. How do I configure it so that the 192.168.2.x subnet only has internet access and does not see the hosts on the other subnet?

    0 6
  • #2 13 Feb 2016 12:22
    bogiebog
    Networks, Internet Specialist

    on the tplink
    iptables -A OUTPUT -j ACCEPT
    iptables -A FORWARD -d 192.168.1.0/24 -j DROP

    0
  • #3 13 Feb 2016 16:56
    gmiko
    Level 9

    Thanks, but something is not right. After connecting to the tplink over telnet I entered the given commands and finished with iptables-save, then restarted the firewall. And I can still connect to the FTP of host 192.168.1.52 after typing in its address :/

    0
  • #4 13 Feb 2016 17:27
    bogiebog
    Networks, Internet Specialist

    gmiko wrote:
    And I can still connect to the FTP of host 192.168.1.52 after typing in its address :/

    Which device are you connecting from?

    What does this show:

    iptables -L

    0
  • #5 13 Feb 2016 17:49
    gmiko
    Level 9

    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    delegate_input all -- anywhere anywhere

    Chain FORWARD (policy DROP)
    target prot opt source destination
    delegate_forward all -- anywhere anywhere
    DROP all -- anywhere 192.168.1.0/24
    DROP all -- anywhere 192.168.1.0/24

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    delegate_output all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere

    Chain delegate_forward (1 references)
    target prot opt source destination
    forwarding_rule all -- anywhere anywhere /* user chain for forwarding */
    ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
    zone_lan_forward all -- anywhere anywhere
    zone_wan_forward all -- anywhere anywhere
    reject all -- anywhere anywhere

    Chain delegate_input (1 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    input_rule all -- anywhere anywhere /* user chain for input */
    ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
    syn_flood tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
    zone_lan_input all -- anywhere anywhere
    zone_wan_input all -- anywhere anywhere

    Chain delegate_output (1 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    output_rule all -- anywhere anywhere /* user chain for output */
    ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
    zone_lan_output all -- anywhere anywhere
    zone_wan_output all -- anywhere anywhere

    Chain forwarding_lan_rule (1 references)
    target prot opt source destination

    Chain forwarding_rule (1 references)
    target prot opt source destination

    Chain forwarding_wan_rule (1 references)
    target prot opt source destination

    Chain input_lan_rule (1 references)
    target prot opt source destination

    Chain input_rule (1 references)
    target prot opt source destination

    Chain input_wan_rule (1 references)
    target prot opt source destination

    Chain output_lan_rule (1 references)
    target prot opt source destination

    Chain output_rule (1 references)
    target prot opt source destination

    Chain output_wan_rule (1 references)
    target prot opt source destination

    Chain reject (3 references)
    target prot opt source destination
    REJECT tcp -- anywhere anywhere reject-with tcp-reset
    REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

    Chain syn_flood (1 references)
    target prot opt source destination
    RETURN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
    DROP all -- anywhere anywhere

    Chain zone_lan_dest_ACCEPT (2 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere

    Chain zone_lan_forward (1 references)
    target prot opt source destination
    forwarding_lan_rule all -- anywhere anywhere /* user chain for forwarding */
    zone_wan_dest_ACCEPT all -- anywhere anywhere /* forwarding lan -> wan */
    ACCEPT all -- anywhere anywhere ctstate DNAT /* Accept port forwards */
    zone_lan_dest_ACCEPT all -- anywhere anywhere

    Chain zone_lan_input (1 references)
    target prot opt source destination
    input_lan_rule all -- anywhere anywhere /* user chain for input */
    ACCEPT all -- anywhere anywhere ctstate DNAT /* Accept port redirections */
    zone_lan_src_ACCEPT all -- anywhere anywhere

    Chain zone_lan_output (1 references)
    target prot opt source destination
    output_lan_rule all -- anywhere anywhere /* user chain for output */
    zone_lan_dest_ACCEPT all -- anywhere anywhere

    Chain zone_lan_src_ACCEPT (1 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere

    Chain zone_wan_dest_ACCEPT (2 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere

    Chain zone_wan_dest_REJECT (1 references)
    target prot opt source destination
    reject all -- anywhere anywhere

    Chain zone_wan_forward (1 references)
    target prot opt source destination
    forwarding_wan_rule all -- anywhere anywhere /* user chain for forwarding */
    ACCEPT all -- anywhere anywhere ctstate DNAT /* Accept port forwards */
    zone_wan_dest_REJECT all -- anywhere anywhere

    Chain zone_wan_input (1 references)
    target prot opt source destination
    input_wan_rule all -- anywhere anywhere /* user chain for input */
    ACCEPT udp -- anywhere anywhere udp dpt:bootpc /* Allow-DHCP-Renew */
    ACCEPT icmp -- anywhere anywhere icmp echo-request /* Allow-Ping */
    ACCEPT all -- anywhere anywhere ctstate DNAT /* Accept port redirections */
    zone_wan_src_REJECT all -- anywhere anywhere

    Chain zone_wan_output (1 references)
    target prot opt source destination
    output_wan_rule all -- anywhere anywhere /* user chain for output */
    zone_wan_dest_ACCEPT all -- anywhere anywhere

    Chain zone_wan_src_REJECT (1 references)
    target prot opt source destination
    reject all -- anywhere anywhere

    Added after 32 [seconds]:

    Am I right in thinking that the line delegate_forward all -- anywhere anywhere should be removed?

    Added after 39 [seconds]:

    I am connecting from a PC via PuTTY over telnet.

    0
  • Helpful post
    #6 13 Feb 2016 17:55
    bogiebog
    Networks, Internet Specialist

    You need the forward, but the DROP rule has to come before the accept all.

    Added after 2 [minutes]:

    Add that DROP to the forwarding_rule chain instead of FORWARD.

    0
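    The dump in #5 shows why the first attempt failed: `-A FORWARD` appends the DROP after the jump to delegate_forward, which already accepts lan -> wan traffic (zone_wan_dest_ACCEPT) and ends in `reject`, so the appended DROP is never reached, whereas forwarding_rule is consulted first inside delegate_forward. As an added example (not code from the thread), the shell/awk audit below classifies a DROP for a subnet in an `iptables -L` dump as effective, shadowed or missing; it assumes the OpenWrt chain layout shown in #5, and the embedded dumps are constructed, shortened excerpts.

```sh
#!/bin/sh
# Added example: audit an `iptables -L` dump for the rule-shadowing problem
# seen in post #5. A DROP appended to FORWARD after the delegate_forward jump
# is never evaluated; the same DROP placed in forwarding_rule takes effect.

# Constructed, shortened excerpt of the dump posted in #5 (DROP after the jump).
DUMP_SHADOWED='Chain FORWARD (policy DROP)
target prot opt source destination
delegate_forward all -- anywhere anywhere
DROP all -- anywhere 192.168.1.0/24

Chain forwarding_rule (1 references)
target prot opt source destination
'

# Constructed: the same dump after the fix from post #6, e.g.
#   iptables -I forwarding_rule -d 192.168.1.0/24 -j DROP
DUMP_FIXED='Chain FORWARD (policy DROP)
target prot opt source destination
delegate_forward all -- anywhere anywhere

Chain forwarding_rule (1 references)
target prot opt source destination
DROP all -- anywhere 192.168.1.0/24
'

# audit_drop DUMP SUBNET -> prints "effective", "shadowed" or "missing".
# A DROP for SUBNET is effective if it is in forwarding_rule, or in FORWARD
# ahead of the delegate_forward jump; after the jump it is shadowed.
audit_drop() {
    printf '%s\n' "$1" | awk -v net="$2" '
        /^Chain / { chain = $2; next }
        chain == "FORWARD" && $1 == "delegate_forward" { jumped = 1 }
        chain == "FORWARD" && $1 == "DROP" && $5 == net {
            if (jumped) shadowed = 1; else effective = 1
        }
        chain == "forwarding_rule" && $1 == "DROP" && $5 == net { effective = 1 }
        END {
            if (effective) print "effective"
            else if (shadowed) print "shadowed"
            else print "missing"
        }'
}

# On a live OpenWrt box: audit_drop "$(iptables -L)" 192.168.1.0/24
```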
  • #7 20 Feb 2016 17:18
    gmiko
    Level 9

    Thanks, it works :)

    0