I have a Linux router (Debian 6.x) on which I forward some ports to internal services. Some TCP ports (such as 80, 22 ...) are OK.
I have an application listening on port 54277/udp. No reply comes from this application; I only receive data on this port.
Router:
cat /proc/sys/net/ipv4/conf/all/rp_filter = 1
cat /proc/sys/net/ipv4/conf/eth0/forwarding = 1
cat /proc/sys/net/ipv4/conf/ppp0/forwarding = 1
$IPTABLES -t nat -I PREROUTING -p udp -i ppp0 --dport 54277 -j DNAT --to-destination $SRV_IP:54277
$IPTABLES -I FORWARD -p udp -d $SRV_IP --dport 54277 -j ACCEPT
Also, MASQUERADING of internal traffic to ppp0 (internet) is enabled & working.
The default policy for INPUT & OUTPUT & FORWARD is DROP.
What is strange is that when I run:
tcpdump -p -vvvv -i ppp0 port 54277
I get a lot of traffic:
18:35:43.646133 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto UDP (17), length 57)
source.ip > own.external.ip..54277: [udp sum ok] UDP, length 29
18:35:43.652301 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto UDP (17), length 57)
source.ip > own.external.ip..54277: [udp sum ok] UDP, length 29
18:35:43.653324 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto UDP (17), length 57)
source.ip > own.external.ip..54277: [udp sum ok] UDP, length 29
18:35:43.655795 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto UDP (17), length 57)
source.ip > own.external.ip..54277: [udp sum ok] UDP, length 29
18:35:43.656727 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto UDP (17), length 57)
source.ip > own.external.ip..54277: [udp sum ok] UDP, length 29
18:35:43.659719 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto UDP (17), length 57)
source.ip > own.external.ip..54277: [udp sum ok] UDP, length 29
tcpdump -p -i eth0 port 54277
(on the same machine, the router)
I get much less traffic.
Also, on the destination $SRV_IP
only some packets arrive, but not all.
INTERNAL SERVER:
19:15:30.039663 IP source.ip.52394 > 192.168.215.4.54277: UDP, length 16
19:15:30.276112 IP source.ip.52394 > 192.168.215.4.54277: UDP, length 16
19:15:30.726048 IP source.ip.52394 > 192.168.215.4.54277: UDP, length 16
So are some UDP ports being "ignored / dropped"?
Any idea what could be wrong?
Edit:
This is strange: the FORWARD rule has packets, but the PREROUTING rule has 0 packets ...
iptables -nvL -t filter |grep 54277
Chain FORWARD (policy DROP 0 packets, 0 bytes)
168 8401 ACCEPT udp -- * * 0.0.0.0/0 192.168.215.4 state NEW,RELATED,ESTABLISHED udp dpt:54277
iptables -nvL -t nat |grep 54277
Chain PREROUTING (policy ACCEPT 405 packets, 24360 bytes)
0 0 DNAT udp -- ppp0 * 0.0.0.0/0 my.external.ip udp dpt:54277 state NEW,RELATED,ESTABLISHED to:192.168.215.4
Edit2:
Chain PREROUTING (policy ACCEPT 102K packets, 6148K bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- ppp0 * 0.0.0.0/0 external.ip udp dpt:54277 state NEW,RELATED,ESTABLISHED to:192.168.215.4
1191 71460 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 to:192.168.215.4
3119 187K DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.215.3
+some other tcp forward rules
Chain POSTROUTING (policy ACCEPT 4626 packets, 294K bytes)
pkts bytes target prot opt in out source destination
2343 145K MASQUERADE all -- * ppp0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 1529 packets, 111K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
574K 33M PSAD_BLOCK_INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
4511K 257M ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:54277
559 30745 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:17784
0 0 DROP all -- * * 192.168.215.30 0.0.0.0/0
16 3355 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:43 dpts:1024:65535 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:45000
1 40 DROP all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 match-set netdrop src
0 0 LOG all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 match-set netdrop src LOG flags 0 level 4 prefix 'IPSET'
403 35523 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- ppp0 * 10.0.0.0/8 0.0.0.0/0
0 0 DROP all -- ppp0 * 172.16.0.0/16 0.0.0.0/0
0 0 DROP all -- ppp0 * 192.168.0.0/24 0.0.0.0/0
0 0 DROP all -- ppp0 * 224.0.0.0/4 0.0.0.0/0
0 0 DROP all -- ppp0 * 240.0.0.0/5 0.0.0.0/0
0 0 LOG tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW limit: avg 5/min burst 7 LOG flags 0 level 4 prefix 'Drop-Syn'
0 0 DROP tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
0 0 LOG all -f ppp0 * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 7 LOG flags 0 level 4 prefix 'Fragments-Packets'
0 0 DROP all -f ppp0 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
0 0 DROP tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
0 0 LOG tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00 limit: avg 5/min burst 7 LOG flags 0 level 4 prefix 'NULL-Packets'
0 0 DROP tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
2 96 DROP tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 LOG tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03 limit: avg 5/min burst 7 LOG flags 0 level 4 prefix 'XMAS-Packets'
0 0 DROP tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
0 0 LOG tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01 limit: avg 5/min burst 7 LOG flags 0 level 4 prefix 'Fin-Packets-Scan'
0 0 DROP tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
0 0 DROP tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37
0 0 LOG all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 match-set ipdrop src LOG flags 0 level 4 prefix 'IPSET:'
0 0 DROP all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 match-set ipdrop src
0 0 ACCEPT icmp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 icmp type 0 state RELATED,ESTABLISHED
1445 121K ACCEPT icmp -- eth0 * 192.168.215.0/24 192.168.215.254 icmp type 8 state NEW,ESTABLISHED
0 0 ACCEPT tcp -- eth0 * 192.168.215.0/24 192.168.215.254 tcp dpt:80 state NEW,ESTABLISHED
0 0 ACCEPT udp -- eth0 * 192.168.215.0/24 192.168.215.254 udp dpt:161 state NEW,ESTABLISHED
1479 94070 ACCEPT tcp -- eth0 * 192.168.215.0/24 192.168.215.254 tcp dpt:22 state NEW,ESTABLISHED
2220 265K ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:443 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:43 state RELATED,ESTABLISHED
21337 1229K ACCEPT all -- eth0 * 192.168.215.0/24 192.168.215.254
0 0 DROP udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:17500
1118 60931 DROP udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:3483
818 78992 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
1 343 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
69 4968 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:427
2 200 DROP icmp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:4321 state RELATED,ESTABLISHED
31820 1815K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix 'DROP'
31820 1815K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
38943 2546K PSAD_BLOCK_FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.215.3 tcp dpt:80
2790 471K ACCEPT tcp -- * * 0.0.0.0/0 192.168.215.4 tcp spt:22
89446 4359K ACCEPT udp -- * * 0.0.0.0/0 192.168.215.4 state NEW,RELATED,ESTABLISHED udp dpt:54277
122K 7500K ACCEPT all -- eth0 ppp0 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
123K 11M ACCEPT all -- ppp0 eth0 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:981 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:500 state NEW,RELATED,ESTABLISHED
0 0 DROP all -- ppp0 ppp0 0.0.0.0/0 0.0.0.0/0
3 120 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix 'DROP'
3 120 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
7684 919K PSAD_BLOCK_OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:54277
33594 2855K ACCEPT icmp -- * ppp0 own.ext.ip 0.0.0.0/0 icmp type 3
403 35523 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * ppp0 0.0.0.0/0 0.0.0.0/0 icmp type 8 state NEW,ESTABLISHED
1445 121K ACCEPT icmp -- * eth0 192.168.215.254 192.168.215.0/24 icmp type 0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * eth0 192.168.215.254 192.168.215.0/24 tcp spt:80 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * eth0 192.168.215.254 192.168.215.0/24 udp spt:161 state RELATED,ESTABLISHED
1904 789K ACCEPT tcp -- * eth0 192.168.215.254 192.168.215.0/24 tcp spt:22 state RELATED,ESTABLISHED
2780 174K ACCEPT tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW,ESTABLISHED
0 0 ACCEPT tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW,ESTABLISHED
0 0 ACCEPT tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 state NEW,ESTABLISHED
16 896 ACCEPT tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:43 state NEW,ESTABLISHED
53234 13M ACCEPT all -- * eth0 192.168.215.254 192.168.215.0/24
0 0 ACCEPT tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:4321 state NEW,ESTABLISHED
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix 'DROP'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PSAD_BLOCK_FORWARD (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 121.30.234.78
0 0 DROP all -- * * 121.30.234.78 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 118.70.170.83
0 0 DROP all -- * * 118.70.170.83 0.0.0.0/0
Chain PSAD_BLOCK_INPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 121.30.234.78 0.0.0.0/0
0 0 DROP all -- * * 118.70.170.83 0.0.0.0/0
Chain PSAD_BLOCK_OUTPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 121.30.234.78
0 0 DROP all -- * * 0.0.0.0/0 118.70.170.83
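To make the counters in the listings above easy to compare, here is a small parser for the `iptables -nvL` format, added as an example (not code from the question's author). It pulls every rule mentioning port 54277 out of the nat and filter tables and reports the packet counter of each, which puts the page's own numbers side by side: 0 packets on the nat DNAT rule against 4511K on the INPUT ACCEPT rule for the same port. The embedded listing is a trimmed copy of the output in the question.

```python
import re

# Trimmed copy of the `iptables -nvL` listings quoted in the question, keyed by table.
LISTINGS = {
    "nat": """\
Chain PREROUTING (policy ACCEPT 102K packets, 6148K bytes)
 pkts bytes target prot opt in out source destination
    0     0 DNAT udp -- ppp0 * 0.0.0.0/0 external.ip udp dpt:54277 state NEW,RELATED,ESTABLISHED to:192.168.215.4
 1191 71460 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 to:192.168.215.4
""",
    "filter": """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
4511K  257M ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:54277
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
89446 4359K ACCEPT udp -- * * 0.0.0.0/0 192.168.215.4 state NEW,RELATED,ESTABLISHED udp dpt:54277
""",
}

SUFFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}

def to_count(s):
    """Expand iptables' abbreviated counters (4511K, 257M) to an int."""
    m = re.fullmatch(r"(\d+)([KMG]?)", s)
    if not m:
        raise ValueError("bad counter: " + s)
    return int(m.group(1)) * SUFFIX[m.group(2)]

def parse_listing(table, text):
    """Yield one dict per rule line, tagged with its table and chain."""
    chain = None
    for f in (l.split() for l in text.splitlines() if l.strip()):
        if f[0] == "Chain":
            chain = f[1]
        elif f[0] != "pkts":  # skip the column header line
            yield {"table": table, "chain": chain, "pkts": to_count(f[0]),
                   "target": f[2], "proto": f[3], "in": f[5], "out": f[6],
                   "src": f[7], "dst": f[8], "match": f[9:]}

def port_hits(listings, port):
    """(table, chain, target, pkts) for every rule that matches the port."""
    want = {"dpt:%d" % port, "spt:%d" % port}
    return [(r["table"], r["chain"], r["target"], r["pkts"])
            for t, text in listings.items() for r in parse_listing(t, text)
            if want & set(r["match"])]

if __name__ == "__main__":
    for row in port_hits(LISTINGS, 54277):
        print("%-6s %-10s %-6s %d packets" % row)
```

Only the first packet of a conntrack flow traverses the nat table, so a UDP flow whose conntrack entry was created before the DNAT rule existed keeps being delivered locally and never increments the DNAT counter; that is the pattern to check for when the INPUT rule, not the FORWARD rule, is where the packets go.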