On Thu, 2004-12-16 at 17:25 +0200, [EMAIL PROTECTED] wrote:
>
> [EMAIL PROTECTED] wrote:
> >
> >>ÐÐÐÐ Linux ÐÐ ÐÐÐÑÐ ÐÐÐÐ ÐÐÑÐÐÑÐÐÐ ÐÐ
> >>ÐÐÑÐÑÐ.
> >>
> >>ÐÑ ÐÐÐÐÑÐÐ ÐÑÐÐÐ ÐÐÐÐÑÐÐÐÐÐ ÑÐÐÐÐÐÑÐ:
> >>
> >>cat /proc/net/ip_conntrack | grep UNREPLIED | wc -l
> >>2532
> >>
> >>cat /proc/net/ip_conntrack | grep UNREPLIED | wc -l
> >>3252
> >>
> >>ÐÐÐÐÐ ÑÐ ÑÐÐÐ ÐÑÑÐÐÐ ÐÐÐÑÐ ÐÐÑÑÑ ÑÐÐÐ
> >>ÑÐÐÐ UNREPLIED
> >>
> >>t.e. ÑÐÐÐÐÐ ÐÑ ÑÐÐÐ:
> >>
> >>udp 17 17 src=192.5.41.41 dst=192.168.4.253 sport=123 dport=123
> >>[UNREPLIED] src=192.168.4.253 dst=192.5.41.41 sport=123
> >> dport=123 use=1
> >>tcp 6 25 SYN_SENT src=192.168.50.5 dst=208.38.61.228 sport=59440
> >>dport=25 [UNREPLIED] src=208.38.61.228 dst=212.36.20.1
> >>50 sport=25 dport=59440 use=1
> >>
> >>
> >>
> >>
> >
> > ÐÐÐÐ Ñ UDP ÐÐÐÐÑÐ ÐÐ ÑÑÐÐÑÐÐ ÐÐ Ð ÐÑÐÐÐÐÐ
> > (ÐÐ-ÑÐÐÑÐ ÐÐÐÑ ÐÐÐÐÐÐÐÐÐÐ NAT
> > ÐÑÐÐÑÐÐ NTP). ÐÐ ÐÐÐÐÑÐ ÐÐ TCP ÐÐ-ÐÐÐÑ ÐÐ ÐÐ
> > ÐÐÐÐÑÐÐ ÐÐ ÐÑÐÐÐÑÑ ÐÑÑÐÐ
> > ÐÐÐÑÑÐÐÑÐÐÑ Ð ÐÑÐÑÐ TTL-Ð ÐÐ ÐÐÐÐÑÐÑÐ. ÐÐ
> > ÐÑÐÐÐ ÐÐ ÑÐ ÐÐÐÐÐÐÐÐÐ, ÐÐ ÑÐÐÐ
> > Ð ÐÐÐÐÑ Ñ ÐÐÐÑÐ TTL. ÐÐÑÑÐÐÐÐ ÐÐ ÐÐÐÑ ÐÑÐ
> > ÑÐÐÐ ÑÐ TTL ÑÐÐÑÑÑ, ÐÐÐÑÐ ÐÐ
> > ÑÐÐÐÐÐ ÐÑÐÑÐÐ ÐÐÐÐÑÐÐÐ DROP?
> >
> > ÐÑÐÐÐÐÐÐÐ ÐÐÐÐÑÐÑÐ ÐÐ ÐÐÑÐÑÐÐÐÐ. ÐÐÐ
> > ÐÐÐÐ ÑÐÐ ÐÐ ÑÐ ÐÐÑÐÐ ÐÐÑÐ Ñ TTL
> > ÐÐÑÐÐÐÑÑÑÐ.
> >
> > ÐÑÑÐ ÑÐÐÐ, ÐÐÐ ÐÐÐÐ ÐÐ ÐÐÐÐÐÐÐÐÑ ÑÐÐÑÑÑ
> > ÐÐ TCP ÑÐÑÐÐ, ÐÐÐÑÐ ÐÐÐÑÑÐ ÐÐ
> > ÑÐÐÐÐÐ ÐÐÐÐÑÐÐÐ RESET, ÑÐÐÐÐÐ ÐÐÐÐÑÐÐÐ DROP.
> > ÐÐÑÑÐ ÐÑÐÑÐÐ Ð ÐÐ ÑÐ
> > ÐÐÐÑÐÐÐ NAT ÑÑÑÐÑ Ð Ð/Ñ ÐÐÐÐ ÐÐ ÑÐ
> > ÐÐÐÐÑÑÐÐÑ ÐÐÐÐ ÐÑÐ DROP ÐÐÐÐÑÐÐÐ ÐÐ
> > ÐÑÐÐÑÐÐÐÐ ÐÐ TCP ÑÐÑÐÐ. ÐÑÐ ÐÐÐÐ ÑÐÐÐÐÑÐÐÐ
> > ÐÑ ÑÑÑÐÐÐ ÐÐ ÑÐÑÑ ÐÐÐ NAT ÐÑÐ
> > ÑÐÑÑ, ÐÐÐÑÐ Ð ÐÑÐÑÐÐ Ð ÐÐÑÐÑÐÐÑ, ÑÐ
> > ÐÐÐÑÑÐÐÐÑ ÑÐÑÐÐ ÐÐÐÐ ÑÐÐÐÐÐ ÑÑÐÐÐÐ
> > ÐÐÑÐ.
> >
> > ÐÑÐÐ ÐÐ Ð ÐÐÐ ÐÐ ÐÐÐÐÑ ÐÐÑÐ ÐÐ
> > ÑÐÐÐÐÐÐÐÑÑÐ. ÐÑÐÐÐÐÐ ÐÐ ÑÐÐÐ ÐÐÐÐÐ ÑÐÑÑ
> > Ð/Ñ ÑÑÑÐÑÐ Ð 192.168.50.5. ÐÐÐÑÐ ÑÐ ÑÐÑÐÐ ÐÐ ÐÑÐ
> > 2 ÐÑÐÑÐÐÐ, ÐÐ ÐÐÐÑÑÐÐÐ
> > ÑÑÑÐÐÐ ÐÐ ÑÐ ÐÐÐÐÐÐ ÑÐÐÐÐÐÐÐÑÑÐ..
> >
> > ÐÐÐÐÑÐÐÐ
> > ÐÐÑÐ
> >
> >
> >
> ÐÐÐÐÐÐÐÐÑÑÐ Ð ÐÐÑÑÐ ÑÑÐÐÐÐÑÑÐÐ:
> ÐÑÐÐÐÐÐ linux router-a ÑÑÐÑÑ ÐÐÐ ÐÐÐÐ Linux gateway ÐÐ
> ÐÐÐÑÐ ÑÐ ÐÐÐÑÑÑÐÐ
> ÐÐÑÐÐÑÐÐ.
>
> ÐÑ ÑÐÐÐ:
> iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -d ! 192.168.0.0/16 -o
> eth0 -j SNAT --to REAL_IP
>
> ÐÑÐÐÐÐÐÐ Ð ÐÐÐÐÑÐÐ ÐÐ ÑÑÐÐÐ ÐÐÑÐÐÐ
> ÑÐÐÐÐÐÑÐ ÐÑÐÑÐÐÐ:
> 1. ÐÐÐÐÑÑÐ ÐÐÑÑÐ ÐÐÐÐÐÐÐÐÐ Ð wireless, Ð ÑÑ ÐÑÐ
> ÐÐÐÑÐ ÐÑÐÐ ÐÐÐÐÐÑÐÐÐÐÐ
> ÐÑÑÐÐÐ (5000-1000) ÐÐÑÐÐ ÐÐ ÑÐ ÑÐÐÐÐÐÐ !!!
>
> ÐÑ ÐÐÐÐÑÐÐ ÐÑÐÐÐ ÐÐÐÐÑÐÐÐÐÐ ÑÐ ÐÑÐÐÐ
> ÐÐÐÐÐÑÐ ÐÐÐÑ ÐÐÑÐÐÐÐ ÐÑÐÐ ÐÑÑÐÐÐ
> /proc/net/ip_conntrack
> ÐÐÐÑÐÐÐÑ ÐÐÐÐ ÐÐÐÐÐÑ (1 PC) ÐÑÑÐÐ ÐÐ 1000-2000
> ÐÑÑÐÐÐ ÐÐÐÑÐ ÑÐ ÐÑÑÐÐÑ
> ÐÐÐÐÐ ÐÑÐÐÐ.
> ÐÐ ÐÐ ÐÐÑÐÐÑ ÑÐÐÐ ÑÐ ÐÐÐÐÐÐ ÐÐ ÑÐÑÑÐÑÑÐÑÐÐ
> Linux gateway (ÐÐÐÑÐ ÐÐÑÐ
> ÑÐÑÐÐÐÐ ÑÐ Ð ÐÐÑÑÐ ÐÑÐÑÑÐ Ð ÐÑÐÑÑÐÑÐÐ).
> ÐÐÑÐÑÑÐÐ ÐÐÐ ÐÑÐ ÑÐÐÐ ÐÐÐÐÐÑ Ð ÐÐÑÑÑÐ
> (ÐÐÐÐÐÐÑÐ ÐÐ ÐÐÐÐÐ ÑÐÐÐÑÐ ...)
>
> ÐÑÐÐÐ ÐÑ ÑÑÑ ÐÐ ÐÐÑÐÐÐÑ ÐÐÑÐ ÐÐ ÐÐÑÑÐÐÐÑÐÑ
> Linux Ñ ÑÑÐÐÑÐÐÑÐÑÐÐ ÐÑÐÐÑÐ ÐÑÐ
> ÑÑÑ, Ð ÑÐÐÐ ÐÐÐÐÐÑÐ ÐÐÐÐÑÑÐÑÐÐ ÐÑÑÐÐÐ ÐÑ
> ÑÑÑ ÐÑÐÑÑÐÑÐÐ ÐÐÐÐÐÑÑÐ, Ñ.Ð. ÑÐ
> ÑÐ ÐÑÑÐÐÐÑÐ ÐÑÐ ÑÐÑÐÐÑ ÑÑÑÐÐÑ.
>
> ÐÐÐÑÐ ÐÐ ÐÐÐÐ ÐÐ ÐÐÐÐÑÐÑÐÐÐÑÐÐ ÑÐÑÐÐ
> ÐÐÐÑÐ Ð ÐÐÑÑÑÐ, ÐÐÑÐÑÐ ÑÑÐÑÐÐÐ ÐÐ ÐÐ
> Ð ÐÐÑÑÐÐÑ, Ð ÑÑÐÐÐÐÐÑ ÐÐÐÐÐ ÐÑÑÐÐÐ ÐÑÐ
> ÐÐÐÐ ÐÐÐ ÐÑÐÐÐÐÐ dest-port 80 (ÐÐÐÐ
> ÐÐ Troyan.StartPage)
>
> ÐÑÐ Ð ÐÐÐÑÐ ÐÑÐÐÐ:
>
> tcp 6 162320 ESTABLISHED src=192.168.9.8 dst=213.16.55.67 sport=1402
> dport=80 src=212.36.20.145 dst=192.168.9.8 sport=3
> 128 dport=1402 [ASSURED] use=1
> tcp 6 429266 ESTABLISHED src=192.168.9.8 dst=193.24.240.21 sport=2807
> dport=80 src=212.36.20.145 dst=192.168.9.8 sport=
> 3128 dport=2807 [ASSURED] use=1
> tcp 6 338364 ESTABLISHED src=192.168.9.8 dst=193.24.240.21 sport=2386
> dport=80 src=212.36.20.145 dst=192.168.9.8 sport=
> 3128 dport=2386 [ASSURED] use=1
> tcp 6 271362 ESTABLISHED src=192.168.9.8 dst=193.24.240.21 sport=1306
> dport=80 src=212.36.20.145 dst=192.168.9.8 sport=
> 3128 dport=1306 [ASSURED] use=1
> tcp 6 248043 ESTABLISHED src=212.36.20.145 dst=192.168.9.8 sport=3128
> dport=3643 [UNREPLIED] src=192.168.9.8 dst=212.36
> .20.145 sport=3643 dport=3128 use=1
>
> ÐÑ ÑÑÐÐ ÑÐ ÐÐÐÐÐ ÑÐ ÐÑÐÐÐÑÐ ÐÐ
> ÐÑÑÐÐÐÐÑÐÐÐÐ Ð ÐÐÑÑÐ ÐÐÐÑÐÐ
>
> ÐÐÐÑÐÐÐÑ Ð ÑÐÐÐÐÐÑÐ:
> echo 900 > /proc/sys/net/ipv4/tcp_keepalive_time
>
> ÐÐ ÐÑÐÑÐÐÐ ÑÐÐÐ ÐÐÐÐ Ð ÐÐÐÐÑÐ ÐÐ ÐÐÐÐÑÑÐ
> ÑÐÐÐ ÐÐÐÐÐÑ ÑÐ ÐÑÑÐÐÐÑÐ ÐÑÑÐÐÐÑ
> ÐÐ ÐÐÑÑÑ ÐÑÐÐÑÐÐÐÑÐÐÐÐ ÐÑÐÐÐ.
>
> Ð ÐÐ ÐÐÐÐ ÐÑÐ ÐÑÐÐÐ ÐÑÐÐÐ ÐÐÐÐÐÑ ÐÐ
> ÐÐÑÑÐÐÐÑÐÐ Linux Ñ ÑÑÐÐÑÐÐÑÐÑÐÐ ÐÑÐÐÑÐ
> Ð ÐÐÑÐÐÑÐÐ.
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -d ! 192.168.0.0/16 -o
> eth0 -j SNAT --to REAL_IP

ÑÑÐ ÑÐ ÐÐÑÐÑ, ÑÐ ÑÐÐÐ -d ! 192.168.0.0/16 Ð ÐÐÐÐÑÐÐ, ÐÐÑÐÑÐ ÑÐ ÐÑÐÐ ÐÐÐÐÐÐ ÐÐÐÑÐÐÐÐÐ.

> ============================================================================
> A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
> http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora
> To unsubscribe: http://www.linux-bulgaria.org/public/mail_list.html
> ============================================================================
>
--
Milen Trifonov <[EMAIL PROTECTED]>
