>[оверквотинг удален]
>>> state NEW LOG flags 7
>>> level 4 prefix `ACCEPT '
>>> асус может писать в логи и если вы можете их посмотреть, то
>>> напишите правила для
>>> -t mangle PREROUTING и POSTROUTING для логирования, в таблице фильтров в FORWARD
>>> временно разрешите все и попробуйте обратиться с клиента, а дальше
>>> уже по результату.
>> Я пока не разобрался, где асус логи хранит, плохо я в этом
>> разбираюсь - стыдно даже)) но я стараюсь!
> в /etc что-то типа syslog.conf есть?
admin@RT-N16:/tmp/home/root# find / -name *.conf
/rom/etc/ld.so.conf
/rom/etc/resolv.conf
/rom/etc/static_routes/china_edu.conf
/rom/etc/static_routes/china_mobile.conf
/rom/etc/static_routes/china_telecom.conf
/rom/etc/static_routes/china_unicom.conf
/rom/etc/usb_modeswitch.conf
/tmp/resolv.conf
/tmp/etc/smb.conf
/tmp/etc/minidlna.conf
/tmp/etc/dnsmasq.conf
/tmp/etc/resolv.conf
/tmp/etc/usb_modeswitch.conf
/tmp/etc/ld.so.conf
/usr/sbin/lld2d.conf
видимо нет.
>> Я тут поснифил трафик с локальной машины асуса и с сервера за
>> тплинком и мне пришло в голову вот что: у асуса внешний
>> ip 92.62.x.x, но сам себя он считает 10.83.х.х - это ip
>> внутри провайдера. В общем правила я пробовал писать и для 92.62.х.х
>> и для 10.83, может в этом косяк?
> зависит от того, что вы там прописали.
> покажите вывод:
> ifconfig
admin@RT-N16:/tmp/home/root# ifconfig
br0 Link encap:Ethernet HWaddr BC:AE:C5:C2:EF:43
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1630858 errors:0 dropped:0 overruns:0 frame:0
TX packets:1093219 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:143564942 (136.9 MiB) TX bytes:136460992 (130.1 MiB)
eth0 Link encap:Ethernet HWaddr BC:AE:C5:C2:EF:43
inet addr:10.83.х.х Bcast:10.83.х.х Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:58434436 errors:0 dropped:0 overruns:0 frame:0
TX packets:36527331 errors:60 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3445823259 (3.2 GiB) TX bytes:4006880636 (3.7 GiB)
Interrupt:4 Base address:0x2000
eth1 Link encap:Ethernet HWaddr BC:AE:C5:C2:EF:43
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14378547 errors:0 dropped:0 overruns:0 frame:65748733
TX packets:36591179 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2111276639 (1.9 GiB) TX bytes:1668728435 (1.5 GiB)
Interrupt:3 Base address:0x1000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
RX packets:270751 errors:0 dropped:0 overruns:0 frame:0
TX packets:270751 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:50650312 (48.3 MiB) TX bytes:50650312 (48.3 MiB)
vlan1 Link encap:Ethernet HWaddr BC:AE:C5:C2:EF:43
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:709367 errors:0 dropped:0 overruns:0 frame:0
TX packets:1283779 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:81417549 (77.6 MiB) TX bytes:127291621 (121.3 MiB)
> route -n
admin@RT-N16:/tmp/home/root# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.83.183.5 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
10.83.183.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 10.83.183.5 0.0.0.0 UG 0 0 0 eth0
> текущие правила iptables после добавления ваших правил, при этом все таблицы:
> mangle, nat, filter
admin@RT-N16:/tmp/home/root# iptables -nvL
Chain INPUT (policy ACCEPT 1069K packets, 105M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 85 packets, 4428 bytes)
pkts bytes target prot opt in out source destination
344 17453 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 8080
1385K 125M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
37 2200 DROP all -- !br0 eth0 0.0.0.0/0 0.0.0.0/0
19800 854K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
58046 2980K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
Chain OUTPUT (policy ACCEPT 1006K packets, 133M bytes)
pkts bytes target prot opt in out source destination
Chain FUPNP (0 references)
pkts bytes target prot opt in out source destination
Chain PControls (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logaccept (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `ACCEPT '
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `DROP '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
----------------------------------------------------------------------------------------------
admin@RT-N16:/tmp/home/root# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 958K packets, 62M bytes)
pkts bytes target prot opt in out source destination
110 6096 DNAT tcp -- * * 0.0.0.0/0 10.83.х.х tcp dpt:8080 to:37.28.х.х:8080
448K 26M VSERVER all -- * * 0.0.0.0/0 10.83.х.х
Chain POSTROUTING (policy ACCEPT 107K packets, 6637K bytes)
pkts bytes target prot opt in out source destination
1675 100K SNAT all -- * * 0.0.0.0/0 37.28.х.х to:10.83.х.х
422K 30M MASQUERADE all -- * eth0 !10.83.х.х 0.0.0.0/0
1801 381K MASQUERADE all -- * br0 192.168.1.0/24 192.168.1.0/24
Chain OUTPUT (policy ACCEPT 51068 packets, 4055K bytes)
pkts bytes target prot opt in out source destination
Chain LOCALSRV (0 references)
pkts bytes target prot opt in out source destination
Chain VSERVER (1 references)
pkts bytes target prot opt in out source destination
19 964 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:ххххх to:192.168.1.1:хх
3 144 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8443 to:192.168.1.1:8443
448K 26M VUPNP all -- * * 0.0.0.0/0 0.0.0.0/0
57736 2964K DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:ххххх to:192.168.1.2:хххх
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:ххххх to:192.168.1.2:хххх
Chain VUPNP (1 references)
pkts bytes target prot opt in out source destination
> если есть iptables-save, то его вывод
admin@RT-N16:/tmp/home/root# iptables-save
# Generated by iptables-save v1.3.8 on Wed Sep 24 13:08:12 2014
*nat
:PREROUTING ACCEPT [959217:62561240]
:POSTROUTING ACCEPT [107346:6658645]
:OUTPUT ACCEPT [51415:4077199]
:LOCALSRV - [0:0]
:VSERVER - [0:0]
:VUPNP - [0:0]
-A PREROUTING -d 10.83.x.x -p tcp -m tcp --dport 8080 -j DNAT --to-destination 37.28.x.x:8080
-A PREROUTING -d 10.83.x.x -j VSERVER
-A POSTROUTING -d 37.28.x.x -j SNAT --to-source 10.83.x.x
-A POSTROUTING -s ! 10.83.x.x -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o br0 -j MASQUERADE
-A VSERVER -p tcp -m tcp --dport xxxxx -j DNAT --to-destination 192.168.1.1:xxxx
-A VSERVER -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.168.1.1:8443
-A VSERVER -j VUPNP
-A VSERVER -p tcp -m tcp --dport xxxxx -j DNAT --to-destination 192.168.1.2:xxxx
-A VSERVER -p udp -m udp --dport xxxxx -j DNAT --to-destination 192.168.1.2:xxxx
COMMIT
# Completed on Wed Sep 24 13:08:12 2014
# Generated by iptables-save v1.3.8 on Wed Sep 24 13:08:12 2014
*mangle
:PREROUTING ACCEPT [3547890:309934947]
:INPUT ACCEPT [1219354:121720951]
:FORWARD ACCEPT [2247606:183672941]
:OUTPUT ACCEPT [1141403:160049517]
:POSTROUTING ACCEPT [3369980:344355403]
-A FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o br0 -m state --state NEW -j MARK --set-mark 0x1
COMMIT
# Completed on Wed Sep 24 13:08:12 2014
# Generated by iptables-save v1.3.8 on Wed Sep 24 13:08:12 2014
*filter
:INPUT ACCEPT [1070101:105612345]
:FORWARD ACCEPT [960:50146]
:OUTPUT ACCEPT [1006671:133226122]
:FUPNP - [0:0]
:PControls - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A FORWARD -p tcp -m multiport --dports 8080 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ! br0 -o eth0 -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A PControls -j ACCEPT
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Wed Sep 24 13:08:12 2014
> адреса только маскируйте, чтобы логика осталась понятной
92.62.х.х = Асус
10.83.х.х = Асус (тоже...)
37.28.х.х = ТП-Линк
> какие команды умеет асус, что есть в busybox
admin@RT-N16:/tmp/home/root# busybox
BusyBox v1.17.4 (2014-04-14 09:22:34 CST) multi-call binary.
Copyright (C) 1998-2009 Erik Andersen, Rob Landley, Denys Vlasenko
and others. Licensed under GPLv2.
See source distribution for full notice.
Usage: busybox [function] [arguments]...
or: function [arguments]...
BusyBox is a multi-call binary that combines many common Unix
utilities into a single executable. Most people will create a
link to busybox for each function they wish to use and BusyBox
will act like whatever it was invoked as.
Currently defined functions:
[, [[, arp, ash, awk, basename, blkid, cat, chmod, chown, chpasswd, clear, cmp, cp, crond, cut, date, dd, df, dirname, dmesg, du, e2fsck, echo, egrep, env, ether-wake,
expr, fdisk, fgrep, find, flock, free, fsck.ext2, fsck.ext3, fsck.minix, fsync, grep, gunzip, gzip, head, ifconfig, insmod, ionice, kill, killall, klogd, less, ln,
logger, login, ls, lsmod, lsusb, md5sum, mdev, mkdir, mke2fs, mkfs.ext2, mkfs.ext3, mknod, mkswap, modprobe, more, mount, mv, netstat, nice, nohup, nslookup, pidof,
ping, ping6, printf, ps, pwd, readlink, renice, rm, rmdir, rmmod, route, sed, setconsole, sh, sleep, sort, strings, swapoff, swapon, sync, syslogd, tail, tar, telnetd,
test, top, touch, tr, traceroute, traceroute6, true, tune2fs, udhcpc, umount, uname, unzip, uptime, usleep, vconfig, vi, watch, wc, wget, which, zcat, zcip