[Linux-bruxelles] wrt54: let's shift up a gear
Alain BarBason
alain at barbason.be
Sat 30 Jul 23:03:10 CEST 2005
Gaëtan Frenoy wrote:
> On Saturday 30 July 2005 at 17:47 +0200, Alain BarBason wrote:
>
>>Chain OUTPUT (policy DROP 0 packets, 0 bytes)
>> pkts bytes target prot opt in out source destination
>> 3 252 DROP all -- any any anywhere anywhere
>
>
> Ah ha! 3 packets "dropped"... Either it's a coincidence, or we're
> getting very warm... :)
>
> Couldn't this help:
>
> palier500:~# iptables -I OUTPUT -o eth1 -d 10.0.0.0/8 -j ACCEPT
>
> This will allow outgoing packets from your server to
> the 10.0.0.0/8 subnet.
And here is the rest, not sure that I understand everything. In any case, the loss
has been moved to the input.
> Almost:
>
> wrt# iptables -L -v -Z
> svr# iptables -L -v -Z && ping -c 3 10.200.172.206 && iptables -L -v
> wrt# iptables -L -v
>
> If you run -Z again afterwards, it will reset everything to zero. Here, we want to see
> what gets through (or doesn't get through) and which rule handles it.
Obviously.
server
(since the -c 3 wasn't working, I did a ctrl-c, and it stopped after
2 (see further down))
> palier500:~# iptables -L -v -Z && ping -c 3 10.200.172.206
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT all -- lo any anywhere anywhere
> 0 0 LOG all -- !lo any 127.0.0.0/8 anywhere LOG level warning
> 0 0 DROP all -- !lo any 127.0.0.0/8 anywhere
> 0 0 ACCEPT all -- eth1 any anywhere 255.255.255.255
> 82 4600 ACCEPT all -- eth1 any 192.168.0.0/24 anywhere
> 0 0 ACCEPT !tcp -- eth1 any anywhere BASE-ADDRESS.MCAST.NET/4
> 0 0 LOG all -- ppp0 any 192.168.0.0/24 anywhere LOG level warning
> 0 0 DROP all -- ppp0 any 192.168.0.0/24 anywhere
> 0 0 ACCEPT all -- ppp0 any anywhere 255.255.255.255
> 45 6934 ACCEPT all -- ppp0 any anywhere 212-100-173-47.adsl.easynet.be
> 3 252 LOG all -- any any anywhere anywhere LOG level warning
> 3 252 DROP all -- any any anywhere anywhere
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 TCPMSS tcp -- any ppp0 anywhere anywhere tcp flags:SYN,RST/SYN tcpmss match 1400:1536 TCPMSS clamp to PMTU
> 10 498 ACCEPT all -- eth1 ppp0 192.168.0.0/24 anywhere
> 10 476 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
> 0 0 LOG all -- any ppp0 anywhere 192.168.0.0/24 LOG level warning
> 0 0 DROP all -- any ppp0 anywhere 192.168.0.0/24
> 0 0 LOG all -- any any anywhere anywhere LOG level warning
> 0 0 DROP all -- any any anywhere anywhere
>
> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 3 252 ACCEPT all -- any eth1 anywhere 10.0.0.0/8
> 0 0 ACCEPT all -- any lo anywhere anywhere
> 0 0 ACCEPT all -- any eth1 anywhere 255.255.255.255
> 75 14156 ACCEPT all -- any eth1 anywhere 192.168.0.0/24
> 0 0 ACCEPT !tcp -- any eth1 anywhere BASE-ADDRESS.MCAST.NET/4
> 0 0 LOG all -- any ppp0 anywhere 192.168.0.0/24 LOG level warning
> 0 0 DROP all -- any ppp0 anywhere 192.168.0.0/24
> 0 0 ACCEPT all -- any ppp0 anywhere 255.255.255.255
> 45 3022 ACCEPT all -- any ppp0 212-100-173-47.adsl.easynet.be anywhere
> 0 0 LOG all -- any any anywhere anywhere LOG level warning
> 0 0 DROP all -- any any anywhere anywhere
> Zeroing chain `INPUT'
> Zeroing chain `FORWARD'
> Zeroing chain `OUTPUT'
> PING 10.200.172.206 (10.200.172.206) 56(84) bytes of data.
>
> --- 10.200.172.206 ping statistics ---
> 2 packets transmitted, 0 received, 100% packet loss, time 1016ms
>
> palier500:~# iptables -L -v
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT all -- lo any anywhere anywhere
> 0 0 LOG all -- !lo any 127.0.0.0/8 anywhere LOG level warning
> 0 0 DROP all -- !lo any 127.0.0.0/8 anywhere
> 0 0 ACCEPT all -- eth1 any anywhere 255.255.255.255
> 51 2844 ACCEPT all -- eth1 any 192.168.0.0/24 anywhere
> 0 0 ACCEPT !tcp -- eth1 any anywhere BASE-ADDRESS.MCAST.NET/4
> 0 0 LOG all -- ppp0 any 192.168.0.0/24 anywhere LOG level warning
> 0 0 DROP all -- ppp0 any 192.168.0.0/24 anywhere
> 0 0 ACCEPT all -- ppp0 any anywhere 255.255.255.255
> 21 3389 ACCEPT all -- ppp0 any anywhere 212-100-173-47.adsl.easynet.be
> 2 168 LOG all -- any any anywhere anywhere LOG level warning
> 2 168 DROP all -- any any anywhere anywhere
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 TCPMSS tcp -- any ppp0 anywhere anywhere tcp flags:SYN,RST/SYN tcpmss match 1400:1536 TCPMSS clamp to PMTU
> 1 46 ACCEPT all -- eth1 ppp0 192.168.0.0/24 anywhere
> 1 40 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
> 0 0 LOG all -- any ppp0 anywhere 192.168.0.0/24 LOG level warning
> 0 0 DROP all -- any ppp0 anywhere 192.168.0.0/24
> 0 0 LOG all -- any any anywhere anywhere LOG level warning
> 0 0 DROP all -- any any anywhere anywhere
>
> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 2 168 ACCEPT all -- any eth1 anywhere 10.0.0.0/8
> 0 0 ACCEPT all -- any lo anywhere anywhere
> 0 0 ACCEPT all -- any eth1 anywhere 255.255.255.255
> 50 8296 ACCEPT all -- any eth1 anywhere 192.168.0.0/24
> 0 0 ACCEPT !tcp -- any eth1 anywhere BASE-ADDRESS.MCAST.NET/4
> 0 0 LOG all -- any ppp0 anywhere 192.168.0.0/24 LOG level warning
> 0 0 DROP all -- any ppp0 anywhere 192.168.0.0/24
> 0 0 ACCEPT all -- any ppp0 anywhere 255.255.255.255
> 21 1451 ACCEPT all -- any ppp0 212-100-173-47.adsl.easynet.be anywhere
> 0 0 LOG all -- any any anywhere anywhere LOG level warning
> 0 0 DROP all -- any any anywhere anywhere
and the wrt
> root@rcwrt-09:~# iptables -L -v -Z
> Chain INPUT (policy ACCEPT 135 packets, 6940 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 DROP all -- any any anywhere anywhere state INVALID
> 55 2744 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
> 6 504 ACCEPT icmp -- any any anywhere anywhere
> 0 0 REJECT tcp -- vlan1 any anywhere anywhere reject-with tcp-reset
> 0 0 REJECT all -- vlan1 any anywhere anywhere reject-with icmp-port-unreachable
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 DROP all -- any any anywhere anywhere state INVALID
> 0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
> 0 0 DROP all -- vlan1 any anywhere anywhere state INVALID,NEW
> 0 0 TCPMSS tcp -- any vlan1 anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
>
> Chain OUTPUT (policy ACCEPT 186 packets, 15772 bytes)
> pkts bytes target prot opt in out source destination
> Zeroing chain `INPUT'
> Zeroing chain `FORWARD'
> Zeroing chain `OUTPUT'
> root@rcwrt-09:~# iptables -L -v
> Chain INPUT (policy ACCEPT 20 packets, 1020 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 DROP all -- any any anywhere anywhere state INVALID
> 16 784 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
> 2 168 ACCEPT icmp -- any any anywhere anywhere
> 0 0 REJECT tcp -- vlan1 any anywhere anywhere reject-with tcp-reset
> 0 0 REJECT all -- vlan1 any anywhere anywhere reject-with icmp-port-unreachable
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 DROP all -- any any anywhere anywhere state INVALID
> 0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
> 0 0 DROP all -- vlan1 any anywhere anywhere state INVALID,NEW
> 0 0 TCPMSS tcp -- any vlan1 anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
>
> Chain OUTPUT (policy ACCEPT 35 packets, 3868 bytes)
> pkts bytes target prot opt in out source destination
--
by AlainBB
http://www.barbason.be
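Added example, not part of the original message: after the zero-counters-then-test procedure described in the thread, only the test traffic is left in the counters, so filtering an `iptables -L -v` listing for non-zero rules shows which rule handled the ping. The function names and the trimmed sample listing are constructed for illustration; the sample rows follow the server output quoted above.

```shell
#!/bin/sh
# Added example: find which rules counted packets after `iptables -Z` + a test ping.

# matched_rules: read `iptables -L -v` text on stdin and print one line per rule
# whose packet counter is non-zero:
#   <chain> <pkts> <bytes> <target> in=<if> out=<if> <source> -> <destination>
# Assumes every rule has a target (-j), so the columns are not shifted.
matched_rules() {
    awk '
        $1 == "Chain" { chain = $2; next }   # chain header carries the chain name
        $1 == "pkts" || NF < 9 { next }      # column header, blanks, "Zeroing chain" notices
        # $5 is the "opt" column (--, -f or !f); this rejects non-rule lines such as ping statistics
        $5 ~ /^[-!][-f]$/ && $1 ~ /^[0-9]+[KMG]?$/ && $1 != "0" {
            printf "%s %s %s %s in=%s out=%s %s -> %s\n", chain, $1, $2, $3, $6, $7, $8, $9
        }
    '
}

# blocked_rules: same input, but only the rules that discarded the traffic.
blocked_rules() {
    matched_rules | awk '$4 == "DROP" || $4 == "REJECT"'
}

# Constructed sample: a trimmed copy of the server listing taken after the ping.
sample_after_ping() {
    cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
   51  2844 ACCEPT     all  --  eth1   any     192.168.0.0/24       anywhere
    2   168 LOG        all  --  any    any     anywhere             anywhere            LOG level warning
    2   168 DROP       all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   168 ACCEPT     all  --  any    eth1    anywhere             10.0.0.0/8
   50  8296 ACCEPT     all  --  any    eth1    anywhere             192.168.0.0/24
    0     0 DROP       all  --  any    any     anywhere             anywhere
EOF
}

# On a live system the input would be: iptables -L -v -n | blocked_rules
sample_after_ping | blocked_rules
```

On the sample, the only discarding rule with a non-zero counter is the catch-all DROP at the end of INPUT, while the OUTPUT rule for 10.0.0.0/8 shows the same packet and byte count as accepted.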