From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Date: Thu, 27 Feb 2003 14:34:19 +0300 From: =?koi8-r?B?8M/Mz9fOycvP1yDkxc7J0w==?= X-Mailer: The Bat! (v1.62 Christmas Edition) UNREG / CD5BF9353B3B7091 Organization: =?koi8-r?B?6+IgIvTSwc7T0M/S1M7ZyiI=?= X-Priority: 3 (Normal) Message-ID: <97168612484.20030227143419@transbank.ru> To: Dmitry Lebkov Subject: Re[6]: [Comm] IPtables In-Reply-To: <20030227200544.29667880.dima@sakhalin.ru> References: <10185641140.20030226153128@transbank.ru> <20030226124638.GI10970@hell.immo> <197149302796.20030227091229@transbank.ru> <20030227183551.5c41d454.dima@sakhalin.ru> <85161533406.20030227123620@transbank.ru> <20030227200544.29667880.dima@sakhalin.ru> MIME-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 8bit Sender: community-admin@altlinux.ru Errors-To: community-admin@altlinux.ru X-BeenThere: community@altlinux.ru X-Mailman-Version: 2.0.9 Precedence: bulk Reply-To: community@altlinux.ru X-Reply-To: =?koi8-r?B?8M/Mz9fOycvP1yDkxc7J0w==?= List-Unsubscribe: , List-Id: List-Post: List-Help: List-Subscribe: , List-Archive: Archived-At: List-Archive: List-Post: Здравствуйте, Dmitry. Вы писали 27 февраля 2003 г., 13:05:44: DL> Я так понимаю, что это уже после ручной правки. Сделай DL> резервную копию и всетаки сделай service iptables save DL> (just note: не из спортивного же интереса я просил результат DL> save -- результаты ручной правки тяжко парсить глазами). DL> И вот то, что получится - покажи. DL> Хотя вот, только что заметил ... У тебя отсутствует правило: DL> FORWARD -d 10.0.1.124 --dport 5122 -j ACCEPT DL> Вот это оно самое и есть. 
Вот вывод команды service iptables save

# Generated by iptables-save v1.2.4 on Thu Feb 27 14:13:05 2003
*filter
:INPUT ACCEPT [15:1688]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:droplog - [0:0]
[0:0] -A INPUT -i lo -j ACCEPT
[23502:2893709] -A INPUT -i eth1 -j ACCEPT
[3:111] -A INPUT -p icmp -j ACCEPT
[0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A INPUT -d 217.69.198.30 -i eth0 -p tcp -m tcp --dport 60179 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A INPUT -d 217.69.198.58 -i eth0 -p tcp -m tcp --dport 2900 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A INPUT -d 217.69.198.58 -i eth0 -p tcp -m tcp --dport 2847 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A INPUT -d 217.69.198.30 -i eth0 -p tcp -m tcp --dport 24554 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[6:288] -A INPUT -i eth0 -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A INPUT -i eth0 -p tcp -m tcp --sport 20 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[27259:30913801] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT
[439:190184] -A INPUT -d 217.69.198.30 -p udp -m udp --dport 55777 -j ACCEPT
[0:0] -A INPUT -d 217.69.198.58 -p udp -m udp --dport 5122 -j ACCEPT
[435:180037] -A INPUT -d 217.69.198.30 -p udp -m udp --dport 55778 -j ACCEPT
[23:18512] -A INPUT -i eth0 -j droplog
[2:112] -A FORWARD -p icmp -j ACCEPT
[133:6556] -A FORWARD -o eth0 -p tcp -m tcp --dport 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -o eth0 -p tcp -m tcp --dport 995 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[2:96] -A FORWARD -o eth0 -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -o eth0 -p tcp -m tcp --dport 465 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -o eth0 -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -o eth0 -p tcp -m tcp --dport 20 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[3:144] -A FORWARD -o eth0 -p tcp -m tcp --dport 5190 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -o eth0 -p tcp -m tcp --dport 55 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.4 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.6 -p tcp -m tcp --dport 7001 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.6 -p tcp -m tcp --dport 2900 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.7 -p tcp -m tcp --dport 7001 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.7 -p tcp -m tcp --dport 7777 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.7 -p tcp -m tcp --dport 7090:7110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.7 -p tcp -m tcp --dport 2900 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[390:47883] -A FORWARD -s 10.0.1.7 -p udp -m udp --dport 55777 -j ACCEPT
[383:46829] -A FORWARD -s 10.0.1.8 -p udp -m udp --dport 55777 -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.8 -p tcp -m tcp --dport 7001 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[40:1920] -A FORWARD -s 10.0.1.9 -p tcp -m tcp --dport 12801 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.115 -p tcp -m tcp --dport 4661 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.115 -p tcp -m tcp --dport 4662 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.124 -p tcp -m tcp --dport 4661 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.124 -p tcp -m tcp --dport 4662 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[12:420] -A FORWARD -d 10.0.1.124 -p udp -m udp --dport 5122 -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.115 -p udp -m udp --dport 27530 -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.115 -p udp -m udp --dport 4665 -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.115 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.10 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.115 -p tcp -m tcp --dport 3306 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.115 -p udp -m udp --dport 27005 -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.115 -p udp -m udp --dport 27010 -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.115 -p udp -m udp --dport 27011 -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.115 -p udp -m udp --dport 27012 -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.115 -p udp -m udp --dport 27015 -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.115 -p udp -m udp --dport 27025 -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.115 -p udp -m udp --dport 27017 -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.115 -p udp -m udp --dport 5122 -j ACCEPT
[314:12560] -A FORWARD -s 10.0.1.124 -p udp -m udp --dport 5122 -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.124 -p udp -m udp --dport 1716 -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.124 -p udp -m udp --dport 1717 -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.124 -p udp -m udp --dport 1718 -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.124 -p udp -m udp --dport 8777 -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.124 -p udp -m udp --dport 27900 -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.161 -p udp -m udp --dport 5122 -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.161 -p udp -m udp --dport 21000 -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.161 -p udp -m udp --dport 21001 -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.161 -p udp -m udp --dport 21002 -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.161 -p udp -m udp --dport 21003 -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.124 -p tcp -m tcp --dport 7002 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.124 -p tcp -m tcp --dport 6003 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.124 -p tcp -m tcp --dport 20045 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.124 -p tcp -m tcp --dport 28900 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.115 -p tcp -m tcp --dport 7002 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.115 -p tcp -m tcp --dport 6003 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.124 -p tcp -m tcp --dport 6667 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.124 -p tcp -m tcp --dport 6666 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.161 -p tcp -m tcp --dport 6667 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.161 -p tcp -m tcp --dport 6666 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.10 -p udp -m udp --dport 21000 -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.10 -p udp -m udp --dport 21001 -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.10 -p udp -m udp --dport 21002 -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.10 -p udp -m udp --dport 21003 -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.10 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.10 -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.10 -p tcp -m tcp --dport 2847 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.10 -p tcp -m tcp --dport 2848 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.10 -p tcp -m tcp --dport 7002 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.10 -p tcp -m tcp --dport 6003 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.10 -p udp -m udp --dport 5122 -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.10 -p udp -m udp --dport 27005 -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.10 -p udp -m udp --dport 27010 -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.10 -p udp -m udp --dport 27011 -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.10 -p udp -m udp --dport 27012 -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.10 -p udp -m udp --dport 27015 -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.10 -p udp -m udp --dport 27025 -j ACCEPT
[0:0] -A FORWARD -s 10.0.1.10 -p udp -m udp --dport 27017 -j ACCEPT
[106:17111] -A FORWARD -i eth0 -p udp -m udp --sport 53 -j ACCEPT
[150:9655] -A FORWARD -o eth0 -p udp -m udp --dport 53 -j ACCEPT
[11401:2572468] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
[30:1668] -A FORWARD -j droplog
[0:0] -A OUTPUT -o lo -j ACCEPT
[31890:30458697] -A OUTPUT -o eth1 -j ACCEPT
[3:111] -A OUTPUT -p icmp -j ACCEPT
[1380:82800] -A OUTPUT -o eth0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[23353:1905478] -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A OUTPUT -d 217.69.198.30 -p udp -m udp --dport 55777 -j ACCEPT
[0:0] -A OUTPUT -d 217.69.198.58 -p udp -m udp --dport 5122 -j ACCEPT
[0:0] -A OUTPUT -d 217.69.198.30 -p udp -m udp --dport 55778 -j ACCEPT
[0:0] -A OUTPUT -o eth0 -j droplog
[53:20180] -A droplog -j LOG
[53:20180] -A droplog -j DROP
COMMIT
# Completed on Thu Feb 27 14:13:05 2003
# Generated by iptables-save v1.2.4 on Thu Feb 27 14:13:05 2003
*nat
:PREROUTING ACCEPT [1424:99393]
:POSTROUTING ACCEPT [1305:78250]
:OUTPUT ACCEPT [1303:78180]
[2:70] -A PREROUTING -d 217.69.198.58 -p udp -m udp --dport 5122 -j DNAT --to-destination 10.0.1.124
[297:17999] -A POSTROUTING -s 10.0.0.0/255.0.0.0 -o eth0 -j MASQUERADE
[0:0] -A POSTROUTING -s 217.69.198.0/255.255.255.224 -o eth0 -j MASQUERADE
[0:0] -A OUTPUT -d 217.69.198.58 -p udp -m udp --dport 5122 -j DNAT --to-destination 10.0.1.124
COMMIT
# Completed on Thu Feb 27 14:13:05 2003

С уважением,
Половников Денис