[Linux-bruxelles] wrt54: let's shift into a higher gear
Alain BarBason
alain at barbason.be
Sat 30 Jul 17:47:16 CEST 2005
Gaëtan Frenoy wrote:
> Hello Alain,
>
> Sorry, I lost track of this topic.
no problem, me too a bit :-)
> Could you re-send the output of:
> # iptables -L -v
server
> palier500:~# iptables -L -v
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 6 560 ACCEPT all -- lo any anywhere anywhere
> 0 0 LOG all -- !lo any 127.0.0.0/8 anywhere LOG level warning
> 0 0 DROP all -- !lo any 127.0.0.0/8 anywhere
> 0 0 ACCEPT all -- eth1 any anywhere 255.255.255.255
> 944 155K ACCEPT all -- eth1 any 192.168.0.0/24 anywhere
> 0 0 ACCEPT !tcp -- eth1 any anywhere BASE-ADDRESS.MCAST.NET/4
> 0 0 LOG all -- ppp0 any 192.168.0.0/24 anywhere LOG level warning
> 0 0 DROP all -- ppp0 any 192.168.0.0/24 anywhere
> 0 0 ACCEPT all -- ppp0 any anywhere 255.255.255.255
> 835 50571 ACCEPT all -- ppp0 any anywhere 212-100-173-47.adsl.easynet.be
> 0 0 LOG all -- any any anywhere anywhere LOG level warning
> 0 0 DROP all -- any any anywhere anywhere
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 22 1320 TCPMSS tcp -- any ppp0 anywhere anywhere tcp flags:SYN,RST/SYN tcpmss match 1400:1536 TCPMSS clamp to PMTU
> 360 28803 ACCEPT all -- eth1 ppp0 192.168.0.0/24 anywhere
> 342 130K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
> 0 0 LOG all -- any ppp0 anywhere 192.168.0.0/24 LOG level warning
> 0 0 DROP all -- any ppp0 anywhere 192.168.0.0/24
> 0 0 LOG all -- any any anywhere anywhere LOG level warning
> 0 0 DROP all -- any any anywhere anywhere
>
> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 6 560 ACCEPT all -- any lo anywhere anywhere
> 0 0 ACCEPT all -- any eth1 anywhere 255.255.255.255
> 1284 389K ACCEPT all -- any eth1 anywhere 192.168.0.0/24
> 0 0 ACCEPT !tcp -- any eth1 anywhere BASE-ADDRESS.MCAST.NET/4
> 0 0 LOG all -- any ppp0 anywhere 192.168.0.0/24 LOG level warning
> 0 0 DROP all -- any ppp0 anywhere 192.168.0.0/24
> 0 0 ACCEPT all -- any ppp0 anywhere 255.255.255.255
> 823 36668 ACCEPT all -- any ppp0 212-100-173-47.adsl.easynet.be anywhere
> 19 1596 LOG all -- any any anywhere anywhere LOG level warning
> 19 1596 DROP all -- any any anywhere anywhere
wrt
> root@rcwrt-09:~# iptables -L -v
> Chain INPUT (policy ACCEPT 598 packets, 30724 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 DROP all -- any any anywhere anywhere state INVALID
> 349 23554 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
> 7 588 ACCEPT icmp -- any any anywhere anywhere
> 0 0 REJECT tcp -- vlan1 any anywhere anywhere reject-with tcp-reset
> 0 0 REJECT all -- vlan1 any anywhere anywhere reject-with icmp-port-unreachable
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 DROP all -- any any anywhere anywhere state INVALID
> 0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
> 0 0 DROP all -- vlan1 any anywhere anywhere state INVALID,NEW
> 0 0 TCPMSS tcp -- any vlan1 anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
>
> Chain OUTPUT (policy ACCEPT 836 packets, 54357 bytes)
> pkts bytes target prot opt in out source destination
> I am very surprised by this one in particular:
>>Chain OUTPUT (policy DROP)
>>target prot opt source destination
>>ACCEPT all -- anywhere anywhere
>
>
> Another test that could be interesting is to run (on
> the server) something like:
> # iptables -L -v -Z && ping -c 3 10.200.172.206 && iptables -L -v
>
> The -Z resets the counters to 0, then you do 3 pings (which we know
> are broken) and finally you display the counters again.
I had to retype the third command, it did not display iptables again
right away, but well, I imagine that works
> palier500:~# iptables -L -v -Z && ping -c 3 10.200.172.206 && iptables -L -v
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 6 560 ACCEPT all -- lo any anywhere anywhere
> 0 0 LOG all -- !lo any 127.0.0.0/8 anywhere LOG level warning
> 0 0 DROP all -- !lo any 127.0.0.0/8 anywhere
> 0 0 ACCEPT all -- eth1 any anywhere 255.255.255.255
> 992 170K ACCEPT all -- eth1 any 192.168.0.0/24 anywhere
> 0 0 ACCEPT !tcp -- eth1 any anywhere BASE-ADDRESS.MCAST.NET/4
> 0 0 LOG all -- ppp0 any 192.168.0.0/24 anywhere LOG level warning
> 0 0 DROP all -- ppp0 any 192.168.0.0/24 anywhere
> 0 0 ACCEPT all -- ppp0 any anywhere 255.255.255.255
> 1125 68754 ACCEPT all -- ppp0 any anywhere 212-100-173-47.adsl.easynet.be
> 0 0 LOG all -- any any anywhere anywhere LOG level warning
> 0 0 DROP all -- any any anywhere anywhere
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 26 1560 TCPMSS tcp -- any ppp0 anywhere anywhere tcp flags:SYN,RST/SYN tcpmss match 1400:1536 TCPMSS clamp to PMTU
> 420 32282 ACCEPT all -- eth1 ppp0 192.168.0.0/24 anywhere
> 395 135K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
> 0 0 LOG all -- any ppp0 anywhere 192.168.0.0/24 LOG level warning
> 0 0 DROP all -- any ppp0 anywhere 192.168.0.0/24
> 0 0 LOG all -- any any anywhere anywhere LOG level warning
> 0 0 DROP all -- any any anywhere anywhere
>
> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 6 560 ACCEPT all -- any lo anywhere anywhere
> 0 0 ACCEPT all -- any eth1 anywhere 255.255.255.255
> 1332 401K ACCEPT all -- any eth1 anywhere 192.168.0.0/24
> 0 0 ACCEPT !tcp -- any eth1 anywhere BASE-ADDRESS.MCAST.NET/4
> 0 0 LOG all -- any ppp0 anywhere 192.168.0.0/24 LOG level warning
> 0 0 DROP all -- any ppp0 anywhere 192.168.0.0/24
> 0 0 ACCEPT all -- any ppp0 anywhere 255.255.255.255
> 1132 126K ACCEPT all -- any ppp0 212-100-173-47.adsl.easynet.be anywhere
> 19 1596 LOG all -- any any anywhere anywhere LOG level warning
> 19 1596 DROP all -- any any anywhere anywhere
> Zeroing chain `INPUT'
> Zeroing chain `FORWARD'
> Zeroing chain `OUTPUT'
> PING 10.200.172.206 (10.200.172.206) 56(84) bytes of data.
> ping: sendmsg: Operation not permitted
> ping: sendmsg: Operation not permitted
> ping: sendmsg: Operation not permitted
>
> --- 10.200.172.206 ping statistics ---
> 3 packets transmitted, 0 received, 100% packet loss, time 2013ms
>
> palier500:~# iptables -L -v
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT all -- lo any anywhere anywhere
> 0 0 LOG all -- !lo any 127.0.0.0/8 anywhere LOG level warning
> 0 0 DROP all -- !lo any 127.0.0.0/8 anywhere
> 0 0 ACCEPT all -- eth1 any anywhere 255.255.255.255
> 90 6504 ACCEPT all -- eth1 any 192.168.0.0/24 anywhere
> 0 0 ACCEPT !tcp -- eth1 any anywhere BASE-ADDRESS.MCAST.NET/4
> 0 0 LOG all -- ppp0 any 192.168.0.0/24 anywhere LOG level warning
> 0 0 DROP all -- ppp0 any 192.168.0.0/24 anywhere
> 0 0 ACCEPT all -- ppp0 any anywhere 255.255.255.255
> 36 4109 ACCEPT all -- ppp0 any anywhere 212-100-173-47.adsl.easynet.be
> 0 0 LOG all -- any any anywhere anywhere LOG level warning
> 0 0 DROP all -- any any anywhere anywhere
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 TCPMSS tcp -- any ppp0 anywhere anywhere tcp flags:SYN,RST/SYN tcpmss match 1400:1536 TCPMSS clamp to PMTU
> 0 0 ACCEPT all -- eth1 ppp0 192.168.0.0/24 anywhere
> 0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
> 0 0 LOG all -- any ppp0 anywhere 192.168.0.0/24 LOG level warning
> 0 0 DROP all -- any ppp0 anywhere 192.168.0.0/24
> 0 0 LOG all -- any any anywhere anywhere LOG level warning
> 0 0 DROP all -- any any anywhere anywhere
>
> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT all -- any lo anywhere anywhere
> 0 0 ACCEPT all -- any eth1 anywhere 255.255.255.255
> 82 12056 ACCEPT all -- any eth1 anywhere 192.168.0.0/24
> 0 0 ACCEPT !tcp -- any eth1 anywhere BASE-ADDRESS.MCAST.NET/4
> 0 0 LOG all -- any ppp0 anywhere 192.168.0.0/24 LOG level warning
> 0 0 DROP all -- any ppp0 anywhere 192.168.0.0/24
> 0 0 ACCEPT all -- any ppp0 anywhere 255.255.255.255
> 36 2068 ACCEPT all -- any ppp0 212-100-173-47.adsl.easynet.be anywhere
> 3 252 LOG all -- any any anywhere anywhere LOG level warning
> 3 252 DROP all -- any any anywhere anywhere
> palier500:~#
>
> Hoping there are not too many other disturbing factors,
> you should be able to use this test to find the rule that rejects
> the packets.
>
> In parallel, the same commands need to be run on the wrt to
> see whether the packets actually arrived and which rule handled
> them (or not, which is also information).
uh, here I am not really following...
if I understand correctly, I should run
root@rcwrt-09:~# iptables -L -v -Z
palier500:~# iptables -L -v -Z && ping -c 3 10.200.172.206 && iptables
root@rcwrt-09:~# iptables -L -v -Z
I have started putting the whole discussion on
http://www.barbason.be/wiki/index.php/Probl%E9matique_wrt54
--
by AlainBB
http://www.barbason.be
More information about the Linux-bruxelles mailing list
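The counter test discussed in the message above (zero the counters with -Z, send 3 pings, list again), as an added example that is not part of the original thread: a Python sketch that parses an `iptables -L -v` listing and returns the rules whose counters equal exactly the probe traffic, 3 packets of 84 bytes as reported by `ping`. The function names are hypothetical and the sample listing is constructed from the server's OUTPUT chain quoted above.

```python
import re

# Constructed sample: the server's OUTPUT chain as listed after the
# -Z / ping / re-list test in the message above (trimmed to one chain).
SAMPLE = """\
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- any lo anywhere anywhere
   82 12056 ACCEPT all -- any eth1 anywhere 192.168.0.0/24
    0     0 DROP all -- any ppp0 anywhere 192.168.0.0/24
   36  2068 ACCEPT all -- any ppp0 212-100-173-47.adsl.easynet.be anywhere
    3   252 LOG all -- any any anywhere anywhere LOG level warning
    3   252 DROP all -- any any anywhere anywhere
"""

# Without -x, iptables abbreviates counters with K/M/G (powers of 1000).
_MULT = {"": 1, "K": 1000, "M": 1000**2, "G": 1000**3}
_CHAIN = re.compile(r"^Chain (\S+) \(")
_RULE = re.compile(r"^\s*(\d+)([KMG]?)\s+(\d+)([KMG]?)\s+(\S+)\s+(.*)$")

def parse_listing(text):
    """Return one dict per rule: chain, position, pkts, bytes, target, match."""
    rules, chain, pos = [], None, 0
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()   # tolerate mail-quoted output
        m = _CHAIN.match(line)
        if m:
            chain, pos = m.group(1), 0
            continue
        m = _RULE.match(line)
        if m and chain:
            pos += 1
            rules.append({"chain": chain, "num": pos,
                          "pkts": int(m.group(1)) * _MULT[m.group(2)],
                          "bytes": int(m.group(3)) * _MULT[m.group(4)],
                          "target": m.group(5), "match": m.group(6)})
    return rules

def rules_hit_by_probe(text, count=3, ip_len=84):
    """Rules whose counters equal exactly `count` packets of `ip_len` bytes."""
    return [r for r in parse_listing(text)
            if r["pkts"] == count and r["bytes"] == count * ip_len]

if __name__ == "__main__":
    for r in rules_hit_by_probe(SAMPLE):
        print(f'{r["chain"]} #{r["num"]}: {r["target"]} {r["match"]}')
```

On the sample, the only rules matching 3 packets and 252 bytes are the final catch-all LOG and DROP of the OUTPUT chain. Listing with `-x` gives exact counters, which keeps the equality check reliable once values exceed the K/M/G abbreviation threshold.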