So, repeating my questions:
I installed the firmware and didn't configure anything (only checked that NAT and the firewall are enabled), then looked at the rules:
Code:
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
CFG tcp -- 192.168.1.5 anywhere tcp dpt:www Records Packet's Source Interface
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
ACCEPT udp -- anywhere anywhere udp spt:10290
ACCEPT tcp -- anywhere anywhere tcp spt:10290
ACCEPT udp -- anywhere anywhere udp dpt:10290
ACCEPT tcp -- anywhere anywhere tcp dpt:10290
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT icmp -- anywhere anywhere icmp echo-request state NEW
ACCEPT igmp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:161
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS set 1360
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT)
DROP tcp -- anywhere anywhere tcp dpt:telnet
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
DROP udp -- anywhere anywhere udp dpt:500
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
DROP udp -- anywhere anywhere udp dpt:route
ACCEPT icmp -- anywhere anywhere icmp echo-request state NEW
ACCEPT igmp -- anywhere anywhere
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere state INVALID
What I'm actually asking about is the rules that were highlighted in red (FTP, port 10290, DNS and UDP 161 in INPUT; FTP, DNS and UDP route in FORWARD): older firmware didn't have them.
And the second question:
When tracing (over ICMP or UDP), the modem is missing from the route...
I'm tracing from a FreeBSD box with IP 192.168.1.5, connected directly to the modem at 192.168.1.1.
The FreeBSD settings and its firewall were not changed, and everything worked with the previous firmware.
I trace to www.wplus.ru (the first hop should be the modem):
Over UDP:
Code:
# traceroute www.wplus.ru
traceroute to www.wplus.net (195.131.52.140), 64 hops max, 40 byte packets
1 * * *
2 10.36.71.1 (10.36.71.1) 50.847 ms 51.313 ms 49.524 ms
3 nstyx-gw.wplus.net (195.131.84.232) 50.501 ms 49.952 ms 49.551 ms
4 www.wplus.net (195.131.52.140) 49.630 ms 50.948 ms 51.318 ms
And watch on the interface the cable to the modem is plugged into:
Code:
b# tcpdump -ni rl0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
12:04:53.126840 IP 192.168.1.5.50442 > 195.131.52.140.33435: UDP, length: 12
12:04:58.130897 IP 192.168.1.5.50442 > 195.131.52.140.33436: UDP, length: 12
12:05:03.140830 IP 192.168.1.5.50442 > 195.131.52.140.33437: UDP, length: 12
12:05:08.150870 IP 192.168.1.5.50442 > 195.131.52.140.33438: UDP, length: 12
12:05:08.252730 IP 10.36.71.1 > 192.168.1.5: icmp 36: time exceeded in-transit
12:05:08.259323 IP 192.168.1.5.50442 > 195.131.52.140.33439: UDP, length: 12
12:05:08.307188 IP 10.36.71.1 > 192.168.1.5: icmp 36: time exceeded in-transit
12:05:08.309423 IP 192.168.1.5.50442 > 195.131.52.140.33440: UDP, length: 12
12:05:08.403269 IP 10.36.71.1 > 192.168.1.5: icmp 36: time exceeded in-transit
12:05:08.404652 IP 192.168.1.5.50442 > 195.131.52.140.33441: UDP, length: 12
12:05:08.453048 IP 195.131.84.232 > 192.168.1.5: icmp 36: time exceeded in-transit
12:05:08.459327 IP 192.168.1.5.50442 > 195.131.52.140.33442: UDP, length: 12
12:05:08.506739 IP 195.131.84.232 > 192.168.1.5: icmp 36: time exceeded in-transit
12:05:08.508942 IP 192.168.1.5.50442 > 195.131.52.140.33443: UDP, length: 12
12:05:08.557503 IP 195.131.84.232 > 192.168.1.5: icmp 36: time exceeded in-transit
12:05:08.559263 IP 192.168.1.5.50442 > 195.131.52.140.33444: UDP, length: 12
12:05:08.606984 IP 195.131.52.140 > 192.168.1.5: icmp 36: 195.131.52.140 udp port 33444 unreachable
12:05:08.613597 IP 192.168.1.5.50442 > 195.131.52.140.33445: UDP, length: 12
12:05:08.662408 IP 195.131.52.140 > 192.168.1.5: icmp 36: 195.131.52.140 udp port 33445 unreachable
12:05:08.664552 IP 192.168.1.5.50442 > 195.131.52.140.33446: UDP, length: 12
12:05:08.711484 IP 195.131.52.140 > 192.168.1.5: icmp 36: 195.131.52.140 udp port 33446 unreachable
Now a trace over ICMP: traceroute -I www.wplus.ru
Code:
12:07:32.666887 IP 192.168.1.5 > 195.131.52.140: icmp 40: echo request seq 1
12:07:37.670992 IP 192.168.1.5 > 195.131.52.140: icmp 40: echo request seq 2
12:07:42.681174 IP 192.168.1.5 > 195.131.52.140: icmp 40: echo request seq 3
12:07:47.691230 IP 192.168.1.5 > 195.131.52.140: icmp 40: echo request seq 4
12:07:47.752298 IP 10.36.71.1 > 192.168.1.5: icmp 36: time exceeded in-transit
12:07:47.759375 IP 192.168.1.5 > 195.131.52.140: icmp 40: echo request seq 5
12:07:47.809447 IP 10.36.71.1 > 192.168.1.5: icmp 36: time exceeded in-transit
12:07:47.811980 IP 192.168.1.5 > 195.131.52.140: icmp 40: echo request seq 6
12:07:47.859212 IP 10.36.71.1 > 192.168.1.5: icmp 36: time exceeded in-transit
12:07:47.860758 IP 192.168.1.5 > 195.131.52.140: icmp 40: echo request seq 7
12:07:47.906974 IP 195.131.84.232 > 192.168.1.5: icmp 36: time exceeded in-transit
12:07:47.913112 IP 192.168.1.5 > 195.131.52.140: icmp 40: echo request seq 8
12:07:47.960969 IP 195.131.84.232 > 192.168.1.5: icmp 36: time exceeded in-transit
12:07:47.962420 IP 192.168.1.5 > 195.131.52.140: icmp 40: echo request seq 9
12:07:48.010526 IP 195.131.84.232 > 192.168.1.5: icmp 36: time exceeded in-transit
12:07:48.012442 IP 192.168.1.5 > 195.131.52.140: icmp 40: echo request seq 10
12:07:48.060995 IP 195.131.52.140 > 192.168.1.5: icmp 40: echo reply seq 10
12:07:48.066811 IP 192.168.1.5 > 195.131.52.140: icmp 40: echo request seq 11
12:07:48.115931 IP 195.131.52.140 > 192.168.1.5: icmp 40: echo reply seq 11
12:07:48.117379 IP 192.168.1.5 > 195.131.52.140: icmp 40: echo request seq 12
12:07:48.164743 IP 195.131.52.140 > 192.168.1.5: icmp 40: echo reply seq 12
And again the modem won't reply!
However, it does answer pings:
Code:
# ping -c 5 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=255 time=2.533 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=255 time=1.642 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=255 time=1.687 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=255 time=1.605 ms
64 bytes from 192.168.1.1: icmp_seq=4 ttl=255 time=1.630 ms
--- 192.168.1.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.605/1.819/2.533/0.358 ms
Here, once again, I'm wondering why a ping to a directly connected modem takes more than 1 ms???
It gets more interesting: I trace only to the modem:
Code:
# traceroute -n 192.168.1.1
traceroute to 192.168.1.1 (192.168.1.1), 64 hops max, 40 byte packets
1 192.168.1.1 2.966 ms 2.817 ms 2.726 ms
Oh, there it is.
Now over ICMP:
Code:
# traceroute -nI 192.168.1.1
traceroute to 192.168.1.1 (192.168.1.1), 64 hops max, 60 byte packets
1 192.168.1.1 2.947 ms 3.158 ms 2.668 ms
And again note the latency!
That's all, by and large.
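As an added example (not from the post and not the modem firmware's own code): a small Python audit of the INPUT chain listed above. It parses `iptables -L` text and flags the service ports opened to any source, the source-port-only accepts (the sender chooses its own source port, so such a rule restricts nothing), and the unconditional `ACCEPT all` that makes the trailing `DROP all` unreachable. The sample is a subset of the INPUT chain from the post.

```python
import re

# Subset of the INPUT chain from the `iptables -L` listing in the post above.
SAMPLE = """\
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT udp -- anywhere anywhere udp spt:10290
ACCEPT tcp -- anywhere anywhere tcp dpt:10290
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT icmp -- anywhere anywhere icmp echo-request state NEW
ACCEPT udp -- anywhere anywhere udp dpt:161
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere
"""

def parse_iptables_list(text):
    """Parse `iptables -L` output into (chain, target, proto, src, dst, extra) tuples."""
    rules, chain = [], None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(policy (\S+)\)", line)
        if m:
            chain = m.group(1)
            continue
        parts = line.split(None, 5)  # target prot opt source destination [match text]
        if chain is None or len(parts) < 5 or parts[0] == "target":
            continue
        extra = parts[5] if len(parts) > 5 else ""
        rules.append((chain, parts[0], parts[1], parts[3], parts[4], extra))
    return rules

def audit_chain(rules, chain="INPUT"):
    """Flag ACCEPT rules that open ports to any source, source-port-only accepts,
    and an unconditional ACCEPT that shadows every rule after it (index into rules)."""
    report = {"open_ports": [], "spt_only": [], "shadowed_after": None}
    for i, (ch, target, proto, src, dst, extra) in enumerate(rules):
        if ch != chain or target != "ACCEPT" or src != "anywhere":
            continue
        if proto == "all" and extra == "":
            report["shadowed_after"] = i  # later rules (e.g. DROP all) never match
            break
        if m := re.search(r"dpt:(\S+)", extra):
            report["open_ports"].append((proto, m.group(1)))
        elif "spt:" in extra:
            report["spt_only"].append((proto, extra))  # source port is sender-chosen
    return report
```

Run `audit_chain(parse_iptables_list(SAMPLE))` to see the four open ports, the spt-only rule, and the index of the `ACCEPT all` after which the `DROP all` is dead.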