Temat: DMZ konfiguracja
Operator internetu ustawił mi podobno DMZ na 192.168.100.2 kiedyś to chodziło bez dmz teraz troche namieszane i nie moge dojsc do ladu z tym. Port 22 dziala z zewnatrz.
br-lan Link encap:Ethernet HWaddr E8:94:F6:ED:BA:36
inet addr:192.168.100.2 Bcast:192.168.100.255 Mask:255.255.255.0
inet6 addr: fe80::ea94:f6ff:feed:ba36/64 Scope:Link
inet6 addr: fd5c:4968:f969::1/60 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1233370 errors:0 dropped:117 overruns:0 frame:0
TX packets:1113195 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:235749901 (224.8 MiB) TX bytes:221076188 (210.8 MiB)
eth0 Link encap:Ethernet HWaddr E8:94:F6:ED:BA:37
inet6 addr: fe80::ea94:f6ff:feed:ba37/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:24381 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:8228973 (7.8 MiB)
Interrupt:4
eth1 Link encap:Ethernet HWaddr E8:94:F6:ED:BA:36
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1809777 errors:0 dropped:2451 overruns:0 frame:0
TX packets:1420730 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:985009161 (939.3 MiB) TX bytes:303908876 (289.8 MiB)
Interrupt:5
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:55 errors:0 dropped:0 overruns:0 frame:0
TX packets:55 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:3968 (3.8 KiB) TX bytes:3968 (3.8 KiB)
wlan0 Link encap:Ethernet HWaddr E8:94:F6:ED:BA:36
inet6 addr: fe80::ea94:f6ff:feed:ba36/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:342285 errors:0 dropped:0 overruns:0 frame:0
TX packets:745026 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:107484083 (102.5 MiB) TX bytes:806931793 (769.5 MiB)Teraz pytanie jak to poprawnie ustawić aby działało.
Na firewallu otwarte mam porty:
17:12]-[root@main](~) # cat /etc/config/firewall
config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
option dest wan
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option src_ip fc00::/6
option dest_ip fc00::/6
option dest_port 546
option family ipv6
option target ACCEPT
config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
config rule
option name Allow-IPSec-ESP
option src wan
option dest lan
option proto esp
option target ACCEPT
config rule
option name Allow-ISAKMP
option src wan
option dest lan
option dest_port 500
option proto udp
option target ACCEPT
# include a file with users custom iptables rules
#config include
# option path /etc/firewall.user
### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
# option src lan
# option src_ip 192.168.45.2
# option dest wan
# option proto tcp
# option target REJECT
# block a specific mac on wan
#config rule
# option dest wan
# option src_mac 00:11:22:33:44:66
# option target REJECT
# block incoming ICMP traffic on a zone
#config rule
# option src lan
# option proto ICMP
# option target DROP
# port redirect port coming in on wan to lan
#config redirect
# option src wan
# option src_dport 80
# option dest lan
# option dest_ip 192.168.16.235
# option dest_port 80
# option proto tcp
# port redirect of remapped ssh port (22001) on wan
#config redirect
# option src wan
# option src_dport 22001
# option dest lan
# option dest_port 22
# option proto tcp
### FULL CONFIG SECTIONS
#config rule
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 80
# option dest wan
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
# option target REJECT
#config redirect
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 1024
# option src_dport 80
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
# include a file with users custom iptables rules
config include
option path /etc/firewall.user
config rule
option src lan
option dest_port 80
option target ACCEPT
option proto tcp
config rule
option src lan
option dest_port 22
option target ACCEPT
option proto tcp
config rule
option src lan
option dest_port 21
option target ACCEPT
option proto tcp
config rule
option src lan
option dest_port 443
option target ACCEPT
option proto tcp
config rule
option src lan
option dest_port 6667
option target ACCEPT
option proto tcp
config rule
option src lan
option dest_port 5050
option target ACCEPT
option proto tcp
config rule
option src lan
option dest_port 5051
option target ACCEPT
option proto tcp
config rule
option src lan
option dest_port 554
option target ACCEPT
option proto tcp
config rule
option src lan
option dest_port 37777
option target ACCEPT
option proto tcp
config rule
option src lan
option dest_port 8899
option target ACCEPT
option proto tcp
# OPENVPN
config rule
option src lan
option dest_port 1194
option target ACCEPT
option proto udp
# Testowa Kamera DMZ
config rule
option target 'ACCEPT'
option dest_port '37777'
option name "KAMERA"
option proto 'tpc udp'
option src 'wan'
config rule
option target 'ACCEPT'
option dest_port '8899'
option name "KAMERA2"
option proto 'tpc udp'
option src 'wan'
# uTORRENT
config rule
option src lan
option dest_port 31514
option target ACCEPT
option proto udpOraz firewall.user
ale niestety nie działa
# przekierowanie portow kamera
#rtsp
iptables -t nat -I PREROUTING -i br-lan -p tcp --dport 554 -j DNAT --to-destination 192.168.100.6:554
#onvifi
iptables -t nat -I PREROUTING -i br-lan -p tcp --dport 37777 -j DNAT --to-destination 192.168.100.6:8899