
iptables UDP port forwarding, packets "lost"?


I have a Linux router (Debian 6.x) on which I forward some ports to internal services. Some TCP ports (e.g. 80, 22 ...) are fine.
I have one application listening on port 54277/udp. There is no return traffic from this application; I only receive data on this port.
Router:
cat /proc/sys/net/ipv4/conf/all/rp_filter = 1
cat /proc/sys/net/ipv4/conf/eth0/forwarding = 1
cat /proc/sys/net/ipv4/conf/ppp0/forwarding = 1

$IPTABLES -t nat -I PREROUTING -p udp -i ppp0 --dport 54277 -j DNAT --to-destination $SRV_IP:54277
$IPTABLES -I FORWARD -p udp -d $SRV_IP --dport 54277 -j ACCEPT

MASQUERADE of the internal traffic on ppp0 (Internet) is also active and working.
The default policy for INPUT & OUTPUT & FORWARD is DROP.
What is strange: when I run
tcpdump -p -vvvv -i ppp0 port 54277

I get a lot of traffic:
18:35:43.646133 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto UDP (17), length 57)
source.ip > own.external.ip..54277: [udp sum ok] UDP, length 29
18:35:43.652301 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto UDP (17), length 57)
source.ip > own.external.ip..54277: [udp sum ok] UDP, length 29
18:35:43.653324 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto UDP (17), length 57)
source.ip > own.external.ip..54277: [udp sum ok] UDP, length 29
18:35:43.655795 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto UDP (17), length 57)
source.ip > own.external.ip..54277: [udp sum ok] UDP, length 29
18:35:43.656727 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto UDP (17), length 57)
source.ip > own.external.ip..54277: [udp sum ok] UDP, length 29
18:35:43.659719 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto UDP (17), length 57)
source.ip > own.external.ip..54277: [udp sum ok] UDP, length 29

       tcpdump -p -i eth0 port 54277
(on the same machine, the router) I get much less traffic.
Also at the destination
       $SRV_IP
only a few packets arrive, but not all of them.
INTERNAL SERVER:
19:15:30.039663 IP source.ip.52394 > 192.168.215.4.54277: UDP, length 16
19:15:30.276112 IP source.ip.52394 > 192.168.215.4.54277: UDP, length 16
19:15:30.726048 IP source.ip.52394 > 192.168.215.4.54277: UDP, length 16

So some UDP packets are "ignored/dropped"?
Any ideas what could be wrong?
Edit:
This is strange: the FORWARD rule has packets, and the PREROUTING rule has 0 packets ...
iptables -nvL -t filter | grep 54277
Chain FORWARD (policy DROP 0 packets, 0 bytes)
168 8401 ACCEPT udp -- * * 0.0.0.0/0 192.168.215.4 state NEW,RELATED,ESTABLISHED udp dpt:54277

iptables -nvL -t nat | grep 54277
Chain PREROUTING (policy ACCEPT 405 packets, 24360 bytes)
0 0 DNAT udp -- ppp0 * 0.0.0.0/0 my.external.ip udp dpt:54277 state NEW,RELATED,ESTABLISHED to:192.168.215.4

Edit2:
Chain PREROUTING (policy ACCEPT 102K packets, 6148K bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- ppp0 * 0.0.0.0/0 external.ip udp dpt:54277 state NEW,RELATED,ESTABLISHED to:192.168.215.4
1191 71460 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 to:192.168.215.4
3119 187K DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.215.3
+some other tcp forward rules

Chain POSTROUTING (policy ACCEPT 4626 packets, 294K bytes)
pkts bytes target prot opt in out source destination
2343 145K MASQUERADE all -- * ppp0 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1529 packets, 111K bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
574K 33M PSAD_BLOCK_INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
4511K 257M ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:54277
559 30745 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:17784
0 0 DROP all -- * * 192.168.215.30 0.0.0.0/0
16 3355 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:43 dpts:1024:65535 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:45000
1 40 DROP all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 match-set netdrop src
0 0 LOG all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 match-set netdrop src LOG flags 0 level 4 prefix `IPSET'
403 35523 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- ppp0 * 10.0.0.0/8 0.0.0.0/0
0 0 DROP all -- ppp0 * 172.16.0.0/16 0.0.0.0/0
0 0 DROP all -- ppp0 * 192.168.0.0/24 0.0.0.0/0
0 0 DROP all -- ppp0 * 224.0.0.0/4 0.0.0.0/0
0 0 DROP all -- ppp0 * 240.0.0.0/5 0.0.0.0/0
0 0 LOG tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW limit: avg 5/min burst 7 LOG flags 0 level 4 prefix `Drop-Syn'
0 0 DROP tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
0 0 LOG all -f ppp0 * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 7 LOG flags 0 level 4 prefix `Fragments-Packets'
0 0 DROP all -f ppp0 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
0 0 DROP tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
0 0 LOG tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00 limit: avg 5/min burst 7 LOG flags 0 level 4 prefix `NULL-Packets'
0 0 DROP tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
2 96 DROP tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 LOG tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03 limit: avg 5/min burst 7 LOG flags 0 level 4 prefix `XMAS-Packets'
0 0 DROP tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
0 0 LOG tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01 limit: avg 5/min burst 7 LOG flags 0 level 4 prefix `Fin-Packets-Scan'
0 0 DROP tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
0 0 DROP tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37
0 0 LOG all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 match-set ipdrop src LOG flags 0 level 4 prefix `IPSET:'
0 0 DROP all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 match-set ipdrop src
0 0 ACCEPT icmp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 icmp type 0 state RELATED,ESTABLISHED
1445 121K ACCEPT icmp -- eth0 * 192.168.215.0/24 192.168.215.254 icmp type 8 state NEW,ESTABLISHED
0 0 ACCEPT tcp -- eth0 * 192.168.215.0/24 192.168.215.254 tcp dpt:80 state NEW,ESTABLISHED
0 0 ACCEPT udp -- eth0 * 192.168.215.0/24 192.168.215.254 udp dpt:161 state NEW,ESTABLISHED
1479 94070 ACCEPT tcp -- eth0 * 192.168.215.0/24 192.168.215.254 tcp dpt:22 state NEW,ESTABLISHED
2220 265K ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:443 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:43 state RELATED,ESTABLISHED
21337 1229K ACCEPT all -- eth0 * 192.168.215.0/24 192.168.215.254
0 0 DROP udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:17500
1118 60931 DROP udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:3483
818 78992 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
1 343 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
69 4968 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:427
2 200 DROP icmp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:4321 state RELATED,ESTABLISHED
31820 1815K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `DROP'
31820 1815K DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
38943 2546K PSAD_BLOCK_FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.215.3 tcp dpt:80
2790 471K ACCEPT tcp -- * * 0.0.0.0/0 192.168.215.4 tcp spt:22
89446 4359K ACCEPT udp -- * * 0.0.0.0/0 192.168.215.4 state NEW,RELATED,ESTABLISHED udp dpt:54277
122K 7500K ACCEPT all -- eth0 ppp0 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
123K 11M ACCEPT all -- ppp0 eth0 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:981 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:500 state NEW,RELATED,ESTABLISHED
0 0 DROP all -- ppp0 ppp0 0.0.0.0/0 0.0.0.0/0
3 120 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `DROP'
3 120 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
7684 919K PSAD_BLOCK_OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:54277
33594 2855K ACCEPT icmp -- * ppp0 own.ext.ip 0.0.0.0/0 icmp type 3
403 35523 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * ppp0 0.0.0.0/0 0.0.0.0/0 icmp type 8 state NEW,ESTABLISHED
1445 121K ACCEPT icmp -- * eth0 192.168.215.254 192.168.215.0/24 icmp type 0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * eth0 192.168.215.254 192.168.215.0/24 tcp spt:80 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * eth0 192.168.215.254 192.168.215.0/24 udp spt:161 state RELATED,ESTABLISHED
1904 789K ACCEPT tcp -- * eth0 192.168.215.254 192.168.215.0/24 tcp spt:22 state RELATED,ESTABLISHED
2780 174K ACCEPT tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW,ESTABLISHED
0 0 ACCEPT tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW,ESTABLISHED
0 0 ACCEPT tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 state NEW,ESTABLISHED
16 896 ACCEPT tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:43 state NEW,ESTABLISHED
53234 13M ACCEPT all -- * eth0 192.168.215.254 192.168.215.0/24
0 0 ACCEPT tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:4321 state NEW,ESTABLISHED
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `DROP'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain PSAD_BLOCK_FORWARD (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 121.30.234.78
0 0 DROP all -- * * 121.30.234.78 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 118.70.170.83
0 0 DROP all -- * * 118.70.170.83 0.0.0.0/0

Chain PSAD_BLOCK_INPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 121.30.234.78 0.0.0.0/0
0 0 DROP all -- * * 118.70.170.83 0.0.0.0/0

Chain PSAD_BLOCK_OUTPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 121.30.234.78
0 0 DROP all -- * * 0.0.0.0/0 118.70.170.83
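One way to make the counter mismatch shown in Edit and Edit2 machine-checkable, as an added example that is not part of the original question: a small Python script that parses `iptables -nvL` output for the nat and filter tables and flags any PREROUTING DNAT rule sitting at zero packets while INPUT or FORWARD rules for the same protocol and destination port keep counting. The sample output embedded below is constructed from the counters quoted above (cut down to the relevant rules); `parse_iptables`, `dnat_without_hits` and the `Rule` class are names chosen here. The check relies on a property of netfilter: the nat table is consulted only for the first packet of a flow, so once conntrack already holds an entry for a UDP flow, later datagrams follow that entry and never reach the DNAT rule, which is exactly what a DNAT counter stuck at 0 next to busy filter counters looks like.

```python
"""Cross-check DNAT counters against filter-table counters for a port forward.

Constructed example: parses `iptables -nvL` text and reports DNAT rules that
never match although packets for that port are clearly arriving.
"""
import re
from dataclasses import dataclass

# iptables -nvL abbreviates counters past 99999 with K/M/G suffixes
_SUFFIX = {"": 1, "K": 1000, "M": 1000000, "G": 1000000000}

_CHAIN_RE = re.compile(r"^Chain (\S+) \(")
# pkts bytes target prot opt in out source destination [match options]
_RULE_RE = re.compile(
    r"^(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$"
)
_DPORT_RE = re.compile(r"\bdpt:(\d+)\b")


@dataclass
class Rule:
    chain: str
    pkts: int
    target: str
    prot: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str

    def dport(self):
        """Destination port from the match options, or None if the rule has none."""
        m = _DPORT_RE.search(self.extra)
        return int(m.group(1)) if m else None


def _count(tok):
    """Turn a counter token such as '4511K' into an integer."""
    m = re.fullmatch(r"(\d+)([KMG]?)", tok)
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_iptables(text):
    """Parse `iptables -nvL` output into Rule objects, tracking the current chain."""
    rules, chain = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("pkts bytes"):
            continue                      # blank line or column header
        m = _CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        m = _RULE_RE.match(line)
        if m and chain:
            pkts, _bytes, target, prot, _opt, in_if, out_if, src, dst, extra = m.groups()
            rules.append(Rule(chain, _count(pkts), target, prot, in_if, out_if, src, dst, extra))
    return rules


def dnat_without_hits(nat_text, filter_text):
    """Return PREROUTING DNAT rules at 0 packets whose proto/port is nonetheless
    being counted by INPUT or FORWARD rules in the filter table."""
    filt = [r for r in parse_iptables(filter_text) if r.chain in ("INPUT", "FORWARD")]
    findings = []
    for nat in parse_iptables(nat_text):
        if nat.chain != "PREROUTING" or nat.target != "DNAT" or nat.dport() is None:
            continue
        hits = [(f.chain, f.pkts) for f in filt
                if f.prot == nat.prot and f.dport() == nat.dport() and f.pkts > 0]
        if nat.pkts == 0 and hits:
            findings.append({"proto": nat.prot, "port": nat.dport(),
                             "dnat_pkts": nat.pkts, "filter_hits": hits})
    return findings


# Constructed sample, reduced from the counters quoted in the question.
NAT_SAMPLE = """\
Chain PREROUTING (policy ACCEPT 102K packets, 6148K bytes)
 pkts bytes target prot opt in out source destination
    0     0 DNAT udp -- ppp0 * 0.0.0.0/0 external.ip udp dpt:54277 state NEW,RELATED,ESTABLISHED to:192.168.215.4
 1191 71460 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 to:192.168.215.4
 3119  187K DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.215.3
"""

FILTER_SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
4511K  257M ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:54277
  559 30745 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:17784
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.215.3 tcp dpt:80
89446 4359K ACCEPT udp -- * * 0.0.0.0/0 192.168.215.4 state NEW,RELATED,ESTABLISHED udp dpt:54277
"""

if __name__ == "__main__":
    for f in dnat_without_hits(NAT_SAMPLE, FILTER_SAMPLE):
        print(f"{f['proto']}/{f['port']}: DNAT matched {f['dnat_pkts']} packets, "
              f"but filter rules counted {f['filter_hits']}")
```

Run against the sample, the script flags udp/54277 only: the two TCP forwards have non-zero DNAT counters and are left alone. A flagged port means the datagrams are arriving (the INPUT counter shows them reaching the router's own input path rather than the forward path), so the conntrack table is the next thing to inspect, e.g. `conntrack -L -p udp --dport 54277` from conntrack-tools, to see which existing entry they are being matched against.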
