I've reached the point where I no longer know what to do... at the moment I have the following rules (I'm on a different server, so don't trip over venet0 or ens18!)
Code:
root@vps:~# iptables -vxnL
Chain INPUT (policy ACCEPT 1076 packets, 59738 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- !lo * 127.0.0.0/8 0.0.0.0/0 reject-with icmp-port-unreachable
1 36 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW icmptype 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 180 ACCEPT tcp -- ens18 * 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED tcp dpt:22
4 516 ACCEPT udp -- ens18 * 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED udp dpt:1194
0 0 ACCEPT udp -- ens18 * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED udp spt:53
0 0 ACCEPT tcp -- ens18 * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED tcp spt:53
0 0 ACCEPT tcp -- ens18 * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED tcp spt:80
0 0 ACCEPT tcp -- ens18 * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED tcp spt:443
0 0 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2 152 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun0 ens18 10.8.0.0/24 0.0.0.0/0
0 0 ACCEPT all -- ens18 tun0 10.8.0.0/24 0.0.0.0/0
2 152 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 1011 packets, 42740 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
1 36 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3 120 ACCEPT tcp -- * ens18 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED tcp spt:22
4 516 ACCEPT udp -- * ens18 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED udp spt:1194
0 0 ACCEPT udp -- * ens18 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED udp dpt:53
0 0 ACCEPT tcp -- * ens18 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED tcp dpt:53
0 0 ACCEPT tcp -- * ens18 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED tcp dpt:80
0 0 ACCEPT tcp -- * ens18 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED tcp dpt:443
0 0 ACCEPT all -- * tun0 0.0.0.0/0 0.0.0.0/0
root@vps:~#
and of course the corresponding masquerade as well:
Code:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens18 -j MASQUERADE
where ens0 is the external interface... this is what ifconfig gives me:
Code:
root@vps:~# ifconfig
ens18: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet x.x.x.x netmask 255.255.255.0 broadcast x.x.x.255
ether xx.xx.xx.xx.xx txqueuelen 1000 (Ethernet)
RX packets 7213366 bytes 439730412 (439.7 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 174645 bytes 9749894 (9.7 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 204 bytes 16695 (16.6 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 204 bytes 16695 (16.6 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.255 destination 10.8.0.2
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 57 bytes 4356 (4.3 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 57 bytes 4356 (4.3 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
does anyone have any idea?
---------- Post added at 21:05 ---------- Previous post was at 20:45 ----------
I owe myself a beer!!!!
I found the "trick":
Code:
iptables -t nat -A PREROUTING -i ens18 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.6:80
where 10.8.0.6 is my IP (the local one, down in the basement) inside the tunnel and 80 is the port I want to open... or any other port..
---------- Post added at 21:14 ---------- Previous post was at 21:05 ----------
...so I've come to the conclusion that you only need to make a single rule per port, after which you do the masquerading on that interface...
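The post's DNAT rule works here because both the INPUT and FORWARD chains still have policy ACCEPT, so the ACCEPT rules listed above never actually restrict anything and the forwarded flow slips through by default. The moment FORWARD policy is set to DROP (the usual hardening step), the DNAT alone is not enough: the forwarded flow to the tunnel client must be explicitly allowed, and that rule is also what keeps the published port limited to exactly one client and one port. The POSIX shell helper below is an added example, not code from the original post: it generates the complete rule set (one-time base rules plus the per-port DNAT and FORWARD pair) and prints the commands for review; the interface names ens18/tun0, the 10.8.0.0/24 tunnel subnet and the client 10.8.0.6 are taken from the post, the /24-only subnet check and the APPLY switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): emit the iptables commands needed to
# publish one TCP port of an OpenVPN client on the external interface.
# Assumptions: WAN/tunnel interface names and subnet as in the post (overridable via env),
# tunnel subnet is a /24, nothing is applied unless APPLY=1 is set.

WAN_IF="${WAN_IF:-ens18}"
TUN_IF="${TUN_IF:-tun0}"
TUN_NET="${TUN_NET:-10.8.0.0/24}"

# valid_port PORT -> success if PORT is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# in_tunnel_net IP -> success if IP is a dotted quad inside TUN_NET (/24 assumption:
# the first three octets must match and the host octet must be 1..254)
in_tunnel_net() {
    ip="$1"
    case "$ip" in
        *[!0-9.]*|''|*.*.*.*.*) return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    net_prefix="${TUN_NET%.*}"      # 10.8.0.0/24 -> 10.8.0
    ip_prefix="${ip%.*}"            # 10.8.0.6    -> 10.8.0
    host="${ip##*.}"                # 10.8.0.6    -> 6
    [ "$ip_prefix" = "$net_prefix" ] && [ "$host" -ge 1 ] && [ "$host" -le 254 ]
}

# base_rules -> one-time rules that every published port relies on
base_rules() {
    # routing between ens18 and tun0 needs forwarding enabled in the kernel
    echo "sysctl -w net.ipv4.ip_forward=1"
    # deny forwarding by default; only the explicitly published flows pass
    echo "iptables -P FORWARD DROP"
    # return traffic of any already-accepted forwarded flow
    echo "iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    # tunnel clients reaching the internet (the masquerade rule from the post)
    echo "iptables -t nat -A POSTROUTING -s $TUN_NET -o $WAN_IF -j MASQUERADE"
}

# publish_port_rules CLIENT_IP PORT -> the two rules that expose CLIENT_IP:PORT on WAN_IF
publish_port_rules() {
    client="$1"
    port="$2"
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    in_tunnel_net "$client" || { echo "$client is not inside $TUN_NET" >&2; return 1; }
    # rewrite the destination before routing, only for packets arriving on the WAN side
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $port -j DNAT --to-destination $client:$port"
    # allow exactly that rewritten flow to be forwarded into the tunnel (post-DNAT address)
    echo "iptables -A FORWARD -i $WAN_IF -o $TUN_IF -p tcp -d $client --dport $port -m conntrack --ctstate NEW -j ACCEPT"
}

# run_rules -> execute each generated command line when APPLY=1, otherwise just print
run_rules() {
    while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = "1" ]; then
            sh -c "$cmd" || { echo "failed: $cmd" >&2; return 1; }
        else
            echo "$cmd"
        fi
    done
}

# usage: ./publish.sh 10.8.0.6 80  (prints the plan; APPLY=1 ./publish.sh 10.8.0.6 80 applies it)
if [ "${1:-}" != "" ] && [ "${2:-}" != "" ]; then
    { base_rules; publish_port_rules "$1" "$2"; } | run_rules
fi
```

Run it once without APPLY to read the plan, then with APPLY=1 as root. The FORWARD rule matches the destination after DNAT (10.8.0.6:80), which is what restricts the exposure to that single client port; a second published port is just another `publish_port_rules` call, the base rules are added once.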