Hello, felraktam egy centost egy xen domuba, 192.168.122.2 a cime, szepen latja a netet, dom0-rol lehet ra sshzni, es kivulrol is szeretnek. Itt van alul egy iptables-save a dom0-rol, mit rontok el, mindig refuzalja a konnekciot a komputer amikor a dom0 22-es portjara sshznek a 208.112.114.188 cim felol. Elore is koszonom az otleteket!
# Generated by iptables-save v1.3.5 on Tue Apr 12 21:51:14 2011 *mangle :PREROUTING ACCEPT [284370:86350474] :INPUT ACCEPT [283735:86303036] :FORWARD ACCEPT [83:13094] :OUTPUT ACCEPT [252554:85350362] :POSTROUTING ACCEPT [252629:85362976] COMMIT # Completed on Tue Apr 12 21:51:14 2011 # Generated by iptables-save v1.3.5 on Tue Apr 12 21:51:14 2011 *filter :INPUT DROP [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [252554:85350362] :Orange_acct - [0:0] :Orange_acct_in - [0:0] :Orange_acct_out - [0:0] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT -A INPUT -s 10.1.0.0/255.255.252.0 -j Orange_acct_in -A INPUT -p tcp -m tcp --dport 1976 -j ACCEPT -A INPUT -p tcp -m tcp --dport 25252 -j ACCEPT -A INPUT -s 127.0.0.1 -p tcp -j ACCEPT -A INPUT -s 127.0.0.1 -p udp -j ACCEPT -A INPUT -s 208.112.114.188 -j ACCEPT -A INPUT -p tcp -m tcp --dport 3306 -j DROP -A INPUT -p tcp -m tcp --dport 1104 -j ACCEPT -A INPUT -p udp -m udp --dport 1104 -j ACCEPT -A INPUT -p tcp -m tcp --dport 1103 -j ACCEPT -A INPUT -p tcp -m tcp --dport 1102 -j ACCEPT -A INPUT -p tcp -m tcp --dport 1101 -j ACCEPT -A INPUT -p tcp -m tcp --dport 1100 -j ACCEPT -A INPUT -p tcp -m tcp --dport 1024:65535 -j ACCEPT -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT -A INPUT -p udp -m udp --dport 53 -j ACCEPT -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -i ipsec0 -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -d 76.12.86.132 -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A FORWARD -d 192.168.122.0/255.255.255.0 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -s 192.168.122.0/255.255.255.0 -i virbr0 -j ACCEPT -A FORWARD -i virbr0 -o virbr0 -j ACCEPT -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable -A FORWARD -m physdev --physdev-in vif1.0 -j ACCEPT -A FORWARD -m physdev --physdev-in vif2.0 -j ACCEPT -A OUTPUT -d 10.1.0.0/255.255.252.0 -j Orange_acct_out -A OUTPUT -s 76.12.86.132 -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A Orange_acct_in -s 10.1.0.0/255.255.252.0 -A Orange_acct_out -d 10.1.0.0/255.255.252.0 COMMIT # Completed on Tue Apr 12 21:51:14 2011 # Generated by iptables-save v1.3.5 on Tue Apr 12 21:51:14 2011 *nat :PREROUTING ACCEPT [16725:1004760] :POSTROUTING ACCEPT [4857:292558] :OUTPUT ACCEPT [4857:292558] -A PREROUTING -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.122.2:22 -A POSTROUTING -s 192.168.122.0/255.255.255.0 -d ! 192.168.122.0/255.255.255.0 -p tcp -j MASQUERADE --to-ports 1024-65535 -A POSTROUTING -s 192.168.122.0/255.255.255.0 -d ! 192.168.122.0/255.255.255.0 -p udp -j MASQUERADE --to-ports 1024-65535 -A POSTROUTING -s 192.168.122.0/255.255.255.0 -d ! 192.168.122.0/255.255.255.0 -j MASQUERADE COMMIT # Completed on Tue Apr 12 21:51:14 2011 _________________________________________________ linux lista - linux@mlf.linux.rulez.org http://mlf2.linux.rulez.org/mailman/listinfo/linux
