Masqurade help


  • #1912989
    szgezu
    User

      I expanded the automatic loops by hand, in case they were syntactically wrong, so maybe someone can tell me what they think it does and what it doesn't do?

      #!/bin/sh
      #
      # Coyote Masquerading Startup Script
      # called by: etc/rc.d/rc.inet, /etc/ppp/ip-up, /etc/dhcpc/dhcpc.updown
      #
      # Expects the external (Internet) interface to be passed as the first parameter

      if [ -z "$CONFIG_LOADED" ]; then
      . /etc/coyote/coyote.conf
      fi

      # /etc/ppp/extip is written by the /etc/ppp/ip-up script.
      EXTIP=`getifaddr ppp0`

      # Flush everything: INPUT/OUTPUT accept, FORWARD drops by default.
      iptables -P INPUT ACCEPT
      iptables -F INPUT
      iptables -P OUTPUT ACCEPT
      iptables -F OUTPUT
      iptables -P FORWARD DROP
      iptables -F FORWARD
      iptables -t nat -F

      # FORWARD: anything from the LAN may go out, only replies come back in.
      iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
      iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT

      # Masquerade everything leaving on ppp0.
      iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

      # DirectPlay client port ranges, ten ports per client (the loop of the
      # original script written out by hand): 192.168.0.65 .. 192.168.0.69.
      iptables -t nat -A PREROUTING -p tcp -d $EXTIP --dport 2302:2311 -j DNAT --to-dest 192.168.0.65
      iptables -t nat -A PREROUTING -p udp -d $EXTIP --dport 2302:2311 -j DNAT --to-dest 192.168.0.65
      iptables -A FORWARD -p tcp --dport 2302:2311 -d 192.168.0.65 -j ACCEPT
      iptables -A FORWARD -p udp --dport 2302:2311 -d 192.168.0.65 -j ACCEPT
      iptables -t nat -A PREROUTING -p tcp -d $EXTIP --dport 2312:2321 -j DNAT --to-dest 192.168.0.66
      iptables -t nat -A PREROUTING -p udp -d $EXTIP --dport 2312:2321 -j DNAT --to-dest 192.168.0.66
      iptables -A FORWARD -p tcp --dport 2312:2321 -d 192.168.0.66 -j ACCEPT
      iptables -A FORWARD -p udp --dport 2312:2321 -d 192.168.0.66 -j ACCEPT
      iptables -t nat -A PREROUTING -p tcp -d $EXTIP --dport 2322:2331 -j DNAT --to-dest 192.168.0.67
      iptables -t nat -A PREROUTING -p udp -d $EXTIP --dport 2322:2331 -j DNAT --to-dest 192.168.0.67
      iptables -A FORWARD -p tcp --dport 2322:2331 -d 192.168.0.67 -j ACCEPT
      iptables -A FORWARD -p udp --dport 2322:2331 -d 192.168.0.67 -j ACCEPT
      iptables -t nat -A PREROUTING -p tcp -d $EXTIP --dport 2332:2341 -j DNAT --to-dest 192.168.0.68
      iptables -t nat -A PREROUTING -p udp -d $EXTIP --dport 2332:2341 -j DNAT --to-dest 192.168.0.68
      iptables -A FORWARD -p tcp --dport 2332:2341 -d 192.168.0.68 -j ACCEPT
      iptables -A FORWARD -p udp --dport 2332:2341 -d 192.168.0.68 -j ACCEPT
      iptables -t nat -A PREROUTING -p tcp -d $EXTIP --dport 2342:2351 -j DNAT --to-dest 192.168.0.69
      iptables -t nat -A PREROUTING -p udp -d $EXTIP --dport 2342:2351 -j DNAT --to-dest 192.168.0.69
      iptables -A FORWARD -p tcp --dport 2342:2351 -d 192.168.0.69 -j ACCEPT
      iptables -A FORWARD -p udp --dport 2342:2351 -d 192.168.0.69 -j ACCEPT

      # DirectPlay host ports go to the game host, 192.168.0.66.
      iptables -t nat -A PREROUTING -p tcp -d $EXTIP --dport 47624 -j DNAT --to-dest 192.168.0.66
      iptables -t nat -A PREROUTING -p tcp -d $EXTIP --dport 6073 -j DNAT --to-dest 192.168.0.66
      iptables -A FORWARD -p tcp --dport 47624 -d 192.168.0.66 -j ACCEPT
      iptables -A FORWARD -p tcp --dport 6073 -d 192.168.0.66 -j ACCEPT

      # Hairpin: LAN clients that connect to the external IP are DNATed above,
      # then SNATed to the external IP so the host answers via the router.
      iptables -A FORWARD -i eth0 -o eth0 -j ACCEPT
      iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.0/24 -o eth0 --dport 2300:2400 -j SNAT --to-source $EXTIP
      iptables -t nat -A POSTROUTING -p udp -s 192.168.0.0/24 -o eth0 --dport 2300:2400 -j SNAT --to-source $EXTIP
      iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.0/24 -o eth0 --dport 47624 -j SNAT --to-source $EXTIP

      #1870711
      csaba
      User

        If anyone knows why the script below does not work (it should redirect back inside the requests that clients on the internal network send to the external address, and also send the packets that are inside out to the outside), which was meant to serve a Windows game so that a star topology forms between the clients on the internal and external networks,
        and also why the internet does not work with it either?
        And if anyone had a good idea of how to test the results of the scripts on the Linux router alone, without constantly having to switch the Windows machines and the game on and off, I would be very grateful for that too.
        So here is my rc.masqurade:

        *********************************
        #!/bin/sh
        #
        # Coyote Masquerading Startup Script
        # called by: etc/rc.d/rc.inet, /etc/ppp/ip-up, /etc/dhcpc/dhcpc.updown
        #
        # Expects the external (Internet) interface to be passed as the first parameter

        if [ -z "$CONFIG_LOADED" ]; then
        . /etc/coyote/coyote.conf
        fi

        LOCNET=192.168.0.
        EXTIF="ppp0"
        INTIF="eth0"
        # /etc/ppp/extip is written by the /etc/ppp/ip-up script.
        EXTIP=`getifaddr ppp0`

        echo " External Interface: $EXTIF"
        echo " Internal Interface: $INTIF"
        echo " External IP: $EXTIP"

        # This will set up 192.168.0.102 as a host machine. 192.168.0.101 and 192.168.0.102
        # will be set up as client machines. The client port ranges are assigned by the two
        # PORT rules, where i is last number in the IP address. In this example
        # 192.168.0.101 gets ports 10*(101-100)+2302 to 10*(101-100)+2311 = 2312 to 2321.
        # You need to make sure DXPort corresponds correctly to these rules on each machine.
        TAHOST=66
        TACLIENTS="65 66 67 68 69"
        TAPORTRULE1='10*(i-65)+2302'
        TAPORTRULE2='10*(i-65)+2311'

        echo " clearing any existing rules and setting default policy.."
        iptables -P INPUT ACCEPT
        iptables -F INPUT
        iptables -P OUTPUT ACCEPT
        iptables -F OUTPUT
        iptables -P FORWARD DROP
        iptables -F FORWARD
        iptables -t nat -F

        echo " FWD: Allow all connections OUT and only existing and related ones IN"
        iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

        echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
        iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

        echo " Setting up DirectPlay client forwarding"
        for i in $TACLIENTS
        do
        # Evaluate the port formulas with the current $i; eval keeps this
        # working in /bin/sh variants whose $(( )) does not expand a variable's text.
        eval "P1=\$(($TAPORTRULE1))"
        eval "P2=\$(($TAPORTRULE2))"
        IP=$LOCNET$i
        echo " to $IP ports $P1:$P2"

        # Note that these rules redirect EXTIP traffic from both internal
        # and external clients.
        iptables -t nat -A PREROUTING -p tcp -d $EXTIP --dport $P1:$P2 \
        -j DNAT --to-dest $IP
        iptables -t nat -A PREROUTING -p udp -d $EXTIP --dport $P1:$P2 \
        -j DNAT --to-dest $IP
        iptables -A FORWARD -p tcp --dport $P1:$P2 -d $IP -j ACCEPT
        iptables -A FORWARD -p udp --dport $P1:$P2 -d $IP -j ACCEPT
        done

        echo " Setting up DirectPlay host forwarding to $LOCNET$TAHOST"
        # Again both internal and external clients are redirected.
        iptables -t nat -A PREROUTING -p tcp -d $EXTIP --dport 47624 \
        -j DNAT --to-dest $LOCNET$TAHOST
        iptables -t nat -A PREROUTING -p tcp -d $EXTIP --dport 6073 \
        -j DNAT --to-dest $LOCNET$TAHOST
        iptables -A FORWARD -p tcp --dport 47624 -d $LOCNET$TAHOST -j ACCEPT
        iptables -A FORWARD -p tcp --dport 6073 -d $LOCNET$TAHOST -j ACCEPT

        echo " Enabling directplay internal masquerading"
        # These are the funky rules made for Total Annihilation. TA doesn't seem to
        # like it when a host with a different ip address to the one it expects
        # responds to a session initiation request (on port 47624.) This happens
        # when a local client tries to set up a connection through the external ip.
        # In that case the above NAT rules forward the request to the internal
        # host, and the internal host contacts the internal client directly.
        # These rules make it so the linux box can masquerade directplay traffic
        # between local machines if they try to connect to one another via the
        # external ip address. Without them we'd have to make internal clients
        # connect via the local ip address, which would mean you couldn't launch the
        # internal clients from a game service such as Zone.

        iptables -A FORWARD -i $INTIF -o $INTIF -j ACCEPT
        iptables -t nat -A POSTROUTING -p tcp -s ${LOCNET}0/24 \
        -o $INTIF --dport 2300:2400 \
        -j SNAT --to-source $EXTIP
        iptables -t nat -A POSTROUTING -p udp -s ${LOCNET}0/24 \
        -o $INTIF --dport 2300:2400 \
        -j SNAT --to-source $EXTIP
        iptables -t nat -A POSTROUTING -p tcp -s ${LOCNET}0/24 \
        -o $INTIF --dport 47624 \
        -j SNAT --to-source $EXTIP

        # log all packets in filter/FORWARD that werent matched and
        # hence will be dropped (as per default policy)
        iptables -A FORWARD -j LOG --log-prefix "FWD dropped packet."

        echo -e "\nDone.\n"
        ************************************

        Thanks for any observations!
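The rule set in both posts (the hand-expanded version in the first, the looped original in the second) can be modelled offline, which also answers the question about testing without the Windows machines. This is an added example, not the poster's script or Coyote code; it takes LOCNET, TAHOST, TACLIENTS and the port formulas from the post, uses a constructed placeholder for EXTIP, and models only a new packet through PREROUTING DNAT and the FORWARD chain in rule order, not the reply path.

```python
# Offline model of the posted rc.masquerade rules (added example, not the
# poster's script). Expands the TACLIENTS loop as the shell does, then traces
# a new packet through PREROUTING (DNAT) and FORWARD in the script's order.
EXTIF, INTIF = "ppp0", "eth0"
LOCNET = "192.168.0."
EXTIP = "203.0.113.7"                 # constructed placeholder for `getifaddr ppp0`
TAHOST = 66
TACLIENTS = [65, 66, 67, 68, 69]

def port_rule1(i):                    # TAPORTRULE1='10*(i-65)+2302'
    return 10 * (i - 65) + 2302

def port_rule2(i):                    # TAPORTRULE2='10*(i-65)+2311'
    return 10 * (i - 65) + 2311

def build_rules():
    """DNAT/FORWARD port rules as (proto, lo, hi, target), in script order."""
    rules = []
    for i in TACLIENTS:
        p1, p2 = port_rule1(i), port_rule2(i)
        for proto in ("tcp", "udp"):
            rules.append((proto, p1, p2, f"{LOCNET}{i}"))
    for port in (47624, 6073):        # DirectPlay host ports, tcp only
        rules.append(("tcp", port, port, f"{LOCNET}{TAHOST}"))
    return rules

def trace(proto, dst, dport, in_if, out_if):
    """Return (destination after PREROUTING, FORWARD verdict) for a new packet.
    Only packets addressed to $EXTIP are DNATed; the first matching rule wins."""
    rules = build_rules()
    new_dst = dst
    if dst == EXTIP:
        for r_proto, lo, hi, target in rules:
            if r_proto == proto and lo <= dport <= hi:
                new_dst = target
                break
    # FORWARD chain: the ESTABLISHED,RELATED rule never matches a new packet.
    if in_if == INTIF and out_if == EXTIF:
        return new_dst, "ACCEPT"      # LAN -> Internet, allowed unconditionally
    for r_proto, lo, hi, target in rules:
        if r_proto == proto and lo <= dport <= hi and new_dst == target:
            return new_dst, "ACCEPT"  # per-client and host port rules
    if in_if == INTIF and out_if == INTIF:
        return new_dst, "ACCEPT"      # hairpin rule for LAN -> LAN via EXTIP
    return new_dst, "DROP"            # hits the LOG rule, then policy DROP
```

This checks rule order and the port arithmetic only; on the router itself the live counters from `iptables -t nat -L -n -v` and `iptables -L FORWARD -n -v` show which rules the real traffic actually hits.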
