  • How do I set up port forwarding correctly with iptables on CentOS?

    @mishka_abramov Question author
    Igor: [image attachment: 46ab64cf77e847aa9ff5ea0884eafca9.jpg]

    Maybe Wireshark itself can tell us something more, because, to be honest, with my helpdesk-level knowledge I'm out of my depth here.
  • How do I set up port forwarding correctly with iptables on CentOS?

    @mishka_abramov Question author
    Igor: if I understand it correctly after all, the problem is with the return packet.
  • How do I set up port forwarding correctly with iptables on CentOS?

    @mishka_abramov Question author
    Igor: Here are a few packets that Wireshark sees on port 2221 of 1.2.3.5; I don't fully understand why.
    No.     Time     Source                Destination           Protocol Length Info
       5448 15:45:32 1.2.3.5      1.2.3.4       TCP      66     63312→2221 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
    
    Frame 5448: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0
    Ethernet II, Src: AsustekC_9d:99:c6 (00:26:18:9d:99:c6), Dst: IETF-VRRP-VRID_0d (00:00:5e:00:01:0d)
    Internet Protocol Version 4, Src: 1.2.3.5 (1.2.3.5), Dst: 1.2.3.4 (188.234.249.229)
        Version: 4
        Header Length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
        Total Length: 52
        Identification: 0x62f7 (25335)
        Flags: 0x02 (Don't Fragment)
        Fragment offset: 0
        Time to live: 126
        Protocol: TCP (6)
        Header checksum: 0x2b6a [validation disabled]
            [Good: False]
            [Bad: False]
        Source: 1.2.3.5 (1.2.3.5)
        Destination: 1.2.3.4 (188.234.249.229)
        [Source GeoIP: Unknown]
        [Destination GeoIP: Unknown]
    Transmission Control Protocol, Src Port: 63312 (63312), Dst Port: 2221 (2221), Seq: 0, Len: 0
        Source Port: 63312 (63312)
        Destination Port: 2221 (2221)
        [Stream index: 330]
        [TCP Segment Len: 0]
        Sequence number: 0    (relative sequence number)
        Acknowledgment number: 0
        Header Length: 32 bytes
        .... 0000 0000 0010 = Flags: 0x002 (SYN)
            000. .... .... = Reserved: Not set
            ...0 .... .... = Nonce: Not set
            .... 0... .... = Congestion Window Reduced (CWR): Not set
            .... .0.. .... = ECN-Echo: Not set
            .... ..0. .... = Urgent: Not set
            .... ...0 .... = Acknowledgment: Not set
            .... .... 0... = Push: Not set
            .... .... .0.. = Reset: Not set
            .... .... ..1. = Syn: Set
                [Expert Info (Chat/Sequence): Connection establish request (SYN): server port 2221]
                    [Connection establish request (SYN): server port 2221]
                    [Severity level: Chat]
                    [Group: Sequence]
            .... .... ...0 = Fin: Not set
        Window size value: 8192
        [Calculated window size: 8192]
        Checksum: 0x7645 [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
        Urgent pointer: 0
        Options: (12 bytes), Maximum segment size, No-Operation (NOP), Window scale, No-Operation (NOP), No-Operation (NOP), SACK permitted
            Maximum segment size: 1460 bytes
                Kind: Maximum Segment Size (2)
                Length: 4
                MSS Value: 1460
            No-Operation (NOP)
                Type: 1
                    0... .... = Copy on fragmentation: No
                    .00. .... = Class: Control (0)
                    ...0 0001 = Number: No-Operation (NOP) (1)
            Window scale: 2 (multiply by 4)
                Kind: Window Scale (3)
                Length: 3
                Shift count: 2
                [Multiplier: 4]
            No-Operation (NOP)
                Type: 1
                    0... .... = Copy on fragmentation: No
                    .00. .... = Class: Control (0)
                    ...0 0001 = Number: No-Operation (NOP) (1)
            No-Operation (NOP)
                Type: 1
                    0... .... = Copy on fragmentation: No
                    .00. .... = Class: Control (0)
                    ...0 0001 = Number: No-Operation (NOP) (1)
            TCP SACK Permitted Option: True
                Kind: SACK Permitted (4)
                Length: 2
    
    No.     Time     Source                Destination           Protocol Length Info
       5451 15:45:32 1.2.3.4       1.2.3.5       TCP      60     2221→63312 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
    
    Frame 5451: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
    Ethernet II, Src: IETF-VRRP-VRID_0d (00:00:5e:00:01:0d), Dst: AsustekC_9d:99:c6 (00:26:18:9d:99:c6)
    Internet Protocol Version 4, Src: 1.2.3.4 (188.234.249.229), Dst: 1.2.3.5 (1.2.3.5)
        Version: 4
        Header Length: 20 bytes
        Differentiated Services Field: 0x04 (DSCP 0x01: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
            0000 01.. = Differentiated Services Codepoint: Unknown (0x01)
            .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
        Total Length: 40
        Identification: 0x0000 (0)
        Flags: 0x02 (Don't Fragment)
        Fragment offset: 0
        Time to live: 63
        Protocol: TCP (6)
        Header checksum: 0xcd69 [validation disabled]
            [Good: False]
            [Bad: False]
        Source: 1.2.3.4 (188.234.249.229)
        Destination: 1.2.3.5 (1.2.3.5)
        [Source GeoIP: Unknown]
        [Destination GeoIP: Unknown]
    Transmission Control Protocol, Src Port: 2221 (2221), Dst Port: 63312 (63312), Seq: 1, Ack: 1, Len: 0
        Source Port: 2221 (2221)
        Destination Port: 63312 (63312)
        [Stream index: 330]
        [TCP Segment Len: 0]
        Sequence number: 1    (relative sequence number)
        Acknowledgment number: 1    (relative ack number)
        Header Length: 20 bytes
        .... 0000 0001 0100 = Flags: 0x014 (RST, ACK)
            000. .... .... = Reserved: Not set
            ...0 .... .... = Nonce: Not set
            .... 0... .... = Congestion Window Reduced (CWR): Not set
            .... .0.. .... = ECN-Echo: Not set
            .... ..0. .... = Urgent: Not set
            .... ...1 .... = Acknowledgment: Set
            .... .... 0... = Push: Not set
            .... .... .1.. = Reset: Set
                [Expert Info (Warn/Sequence): Connection reset (RST)]
                    [Connection reset (RST)]
                    [Severity level: Warn]
                    [Group: Sequence]
            .... .... ..0. = Syn: Not set
            .... .... ...0 = Fin: Not set
        Window size value: 0
        [Calculated window size: 0]
        [Window size scaling factor: -1 (unknown)]
        Checksum: 0xd6fe [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
        Urgent pointer: 0
        [SEQ/ACK analysis]
            [This is an ACK to the segment in frame: 5448]
            [The RTT to ACK the segment was: 0.000788000 seconds]
            [iRTT: 0.000788000 seconds]
    
    No.     Time     Source                Destination           Protocol Length Info
       5461 15:45:32 192.168.0.34         1.2.3.4       TCP      66     49601→2221 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
    
    Frame 5461: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 1
    Ethernet II, Src: AsustekC_c5:1c:1d (54:04:a6:c5:1c:1d), Dst: AsustekC_9d:97:62 (00:26:18:9d:97:62)
    Internet Protocol Version 4, Src: 192.168.0.34 (192.168.0.34), Dst: 1.2.3.4 (188.234.249.229)
        Version: 4
        Header Length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
        Total Length: 52
        Identification: 0x62f7 (25335)
        Flags: 0x02 (Don't Fragment)
        Fragment offset: 0
        Time to live: 128
        Protocol: TCP (6)
        Header checksum: 0x2032 [validation disabled]
            [Good: False]
            [Bad: False]
        Source: 192.168.0.34 (192.168.0.34)
        Destination: 1.2.3.4 (188.234.249.229)
        [Source GeoIP: Unknown]
        [Destination GeoIP: Unknown]
    Transmission Control Protocol, Src Port: 49601 (49601), Dst Port: 2221 (2221), Seq: 0, Len: 0
        Source Port: 49601 (49601)
        Destination Port: 2221 (2221)
        [Stream index: 331]
        [TCP Segment Len: 0]
        Sequence number: 0    (relative sequence number)
        Acknowledgment number: 0
        Header Length: 32 bytes
        .... 0000 0000 0010 = Flags: 0x002 (SYN)
            000. .... .... = Reserved: Not set
            ...0 .... .... = Nonce: Not set
            .... 0... .... = Congestion Window Reduced (CWR): Not set
            .... .0.. .... = ECN-Echo: Not set
            .... ..0. .... = Urgent: Not set
            .... ...0 .... = Acknowledgment: Not set
            .... .... 0... = Push: Not set
            .... .... .0.. = Reset: Not set
            .... .... ..1. = Syn: Set
                [Expert Info (Chat/Sequence): Connection establish request (SYN): server port 2221]
                    [Connection establish request (SYN): server port 2221]
                    [Severity level: Chat]
                    [Group: Sequence]
            .... .... ...0 = Fin: Not set
        Window size value: 8192
        [Calculated window size: 8192]
        Checksum: 0xa29c [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
        Urgent pointer: 0
        Options: (12 bytes), Maximum segment size, No-Operation (NOP), Window scale, No-Operation (NOP), No-Operation (NOP), SACK permitted
            Maximum segment size: 1460 bytes
                Kind: Maximum Segment Size (2)
                Length: 4
                MSS Value: 1460
            No-Operation (NOP)
                Type: 1
                    0... .... = Copy on fragmentation: No
                    .00. .... = Class: Control (0)
                    ...0 0001 = Number: No-Operation (NOP) (1)
            Window scale: 2 (multiply by 4)
                Kind: Window Scale (3)
                Length: 3
                Shift count: 2
                [Multiplier: 4]
            No-Operation (NOP)
                Type: 1
                    0... .... = Copy on fragmentation: No
                    .00. .... = Class: Control (0)
                    ...0 0001 = Number: No-Operation (NOP) (1)
            No-Operation (NOP)
                Type: 1
                    0... .... = Copy on fragmentation: No
                    .00. .... = Class: Control (0)
                    ...0 0001 = Number: No-Operation (NOP) (1)
            TCP SACK Permitted Option: True
                Kind: SACK Permitted (4)
                Length: 2
    
    No.     Time     Source                Destination           Protocol Length Info
       5465 15:45:32 1.2.3.4       192.168.0.34          TCP      54     2221→49601 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
    
    Frame 5465: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 1
    Ethernet II, Src: AsustekC_9d:97:62 (00:26:18:9d:97:62), Dst: AsustekC_c5:1c:1d (54:04:a6:c5:1c:1d)
    Internet Protocol Version 4, Src: 1.2.3.4 (188.234.249.229), Dst: 192.168.0.34 (192.168.0.34)
        Version: 4
        Header Length: 20 bytes
        Differentiated Services Field: 0x04 (DSCP 0x01: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
            0000 01.. = Differentiated Services Codepoint: Unknown (0x01)
            .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
        Total Length: 40
        Identification: 0x0000 (0)
        Flags: 0x02 (Don't Fragment)
        Fragment offset: 0
        Time to live: 62
        Protocol: TCP (6)
        Header checksum: 0xc531 [validation disabled]
            [Good: False]
            [Bad: False]
        Source: 1.2.3.4 (188.234.249.229)
        Destination: 192.168.0.34 (192.168.0.34)
        [Source GeoIP: Unknown]
        [Destination GeoIP: Unknown]
    Transmission Control Protocol, Src Port: 2221 (2221), Dst Port: 49601 (49601), Seq: 1, Ack: 1, Len: 0
        Source Port: 2221 (2221)
        Destination Port: 49601 (49601)
        [Stream index: 331]
        [TCP Segment Len: 0]
        Sequence number: 1    (relative sequence number)
        Acknowledgment number: 1    (relative ack number)
        Header Length: 20 bytes
        .... 0000 0001 0100 = Flags: 0x014 (RST, ACK)
            000. .... .... = Reserved: Not set
            ...0 .... .... = Nonce: Not set
            .... 0... .... = Congestion Window Reduced (CWR): Not set
            .... .0.. .... = ECN-Echo: Not set
            .... ..0. .... = Urgent: Not set
            .... ...1 .... = Acknowledgment: Set
            .... .... 0... = Push: Not set
            .... .... .1.. = Reset: Set
                [Expert Info (Warn/Sequence): Connection reset (RST)]
                    [Connection reset (RST)]
                    [Severity level: Warn]
                    [Group: Sequence]
            .... .... ..0. = Syn: Not set
            .... .... ...0 = Fin: Not set
        Window size value: 0
        [Calculated window size: 0]
        [Window size scaling factor: -1 (unknown)]
        Checksum: 0x0356 [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
        Urgent pointer: 0
        [SEQ/ACK analysis]
            [This is an ACK to the segment in frame: 5461]
            [The RTT to ACK the segment was: 0.000860000 seconds]
            [iRTT: 0.000860000 seconds]
    
    No.     Time     Source                Destination           Protocol Length Info
       5835 15:45:32 192.168.0.34         1.2.3.4       TCP      66     [TCP Spurious Retransmission] 49601→2221 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
    
    Frame 5835: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 1
    Ethernet II, Src: AsustekC_c5:1c:1d (54:04:a6:c5:1c:1d), Dst: AsustekC_9d:97:62 (00:26:18:9d:97:62)
    Internet Protocol Version 4, Src: 192.168.0.34 (192.168.0.34), Dst: 1.2.3.4 (188.234.249.229)
        Version: 4
        Header Length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
        Total Length: 52
        Identification: 0x62f9 (25337)
        Flags: 0x02 (Don't Fragment)
        Fragment offset: 0
        Time to live: 128
        Protocol: TCP (6)
        Header checksum: 0x2030 [validation disabled]
            [Good: False]
            [Bad: False]
        Source: 192.168.0.34 (192.168.0.34)
        Destination: 1.2.3.4 (188.234.249.229)
        [Source GeoIP: Unknown]
        [Destination GeoIP: Unknown]
    Transmission Control Protocol, Src Port: 49601 (49601), Dst Port: 2221 (2221), Seq: 0, Len: 0
        Source Port: 49601 (49601)
        Destination Port: 2221 (2221)
        [Stream index: 331]
        [TCP Segment Len: 0]
        Sequence number: 0    (relative sequence number)
        Acknowledgment number: 0
        Header Length: 32 bytes
        .... 0000 0000 0010 = Flags: 0x002 (SYN)
            000. .... .... = Reserved: Not set
            ...0 .... .... = Nonce: Not set
            .... 0... .... = Congestion Window Reduced (CWR): Not set
            .... .0.. .... = ECN-Echo: Not set
            .... ..0. .... = Urgent: Not set
            .... ...0 .... = Acknowledgment: Not set
            .... .... 0... = Push: Not set
            .... .... .0.. = Reset: Not set
            .... .... ..1. = Syn: Set
                [Expert Info (Chat/Sequence): Connection establish request (SYN): server port 2221]
                    [Connection establish request (SYN): server port 2221]
                    [Severity level: Chat]
                    [Group: Sequence]
            .... .... ...0 = Fin: Not set
        Window size value: 8192
        [Calculated window size: 8192]
        Checksum: 0xa29c [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
        Urgent pointer: 0
        Options: (12 bytes), Maximum segment size, No-Operation (NOP), Window scale, No-Operation (NOP), No-Operation (NOP), SACK permitted
            Maximum segment size: 1460 bytes
                Kind: Maximum Segment Size (2)
                Length: 4
                MSS Value: 1460
            No-Operation (NOP)
                Type: 1
                    0... .... = Copy on fragmentation: No
                    .00. .... = Class: Control (0)
                    ...0 0001 = Number: No-Operation (NOP) (1)
            Window scale: 2 (multiply by 4)
                Kind: Window Scale (3)
                Length: 3
                Shift count: 2
                [Multiplier: 4]
            No-Operation (NOP)
                Type: 1
                    0... .... = Copy on fragmentation: No
                    .00. .... = Class: Control (0)
                    ...0 0001 = Number: No-Operation (NOP) (1)
            No-Operation (NOP)
                Type: 1
                    0... .... = Copy on fragmentation: No
                    .00. .... = Class: Control (0)
                    ...0 0001 = Number: No-Operation (NOP) (1)
            TCP SACK Permitted Option: True
                Kind: SACK Permitted (4)
                Length: 2
        [SEQ/ACK analysis]
            [iRTT: 0.000860000 seconds]
            [TCP Analysis Flags]
                [Expert Info (Note/Sequence): This frame is a (suspected) spurious retransmission]
                    [This frame is a (suspected) spurious retransmission]
                    [Severity level: Note]
                    [Group: Sequence]
                [Expert Info (Note/Sequence): This frame is a (suspected) retransmission]
                    [This frame is a (suspected) retransmission]
                    [Severity level: Note]
                    [Group: Sequence]
    
    No.     Time     Source                Destination           Protocol Length Info
       5837 15:45:32 1.2.3.4       192.168.0.34          TCP      54     2221→49601 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
    
    Frame 5837: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 1
    Ethernet II, Src: AsustekC_9d:97:62 (00:26:18:9d:97:62), Dst: AsustekC_c5:1c:1d (54:04:a6:c5:1c:1d)
    Internet Protocol Version 4, Src: 1.2.3.4 (188.234.249.229), Dst: 192.168.0.34 (192.168.0.34)
        Version: 4
        Header Length: 20 bytes
        Differentiated Services Field: 0x04 (DSCP 0x01: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
            0000 01.. = Differentiated Services Codepoint: Unknown (0x01)
            .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
        Total Length: 40
        Identification: 0x0000 (0)
        Flags: 0x02 (Don't Fragment)
        Fragment offset: 0
        Time to live: 62
        Protocol: TCP (6)
        Header checksum: 0xc531 [validation disabled]
            [Good: False]
            [Bad: False]
        Source: 1.2.3.4 (188.234.249.229)
        Destination: 192.168.0.34 (192.168.0.34)
        [Source GeoIP: Unknown]
        [Destination GeoIP: Unknown]
    Transmission Control Protocol, Src Port: 2221 (2221), Dst Port: 49601 (49601), Seq: 1, Ack: 1, Len: 0
        Source Port: 2221 (2221)
        Destination Port: 49601 (49601)
        [Stream index: 331]
        [TCP Segment Len: 0]
        Sequence number: 1    (relative sequence number)
        Acknowledgment number: 1    (relative ack number)
        Header Length: 20 bytes
        .... 0000 0001 0100 = Flags: 0x014 (RST, ACK)
            000. .... .... = Reserved: Not set
            ...0 .... .... = Nonce: Not set
            .... 0... .... = Congestion Window Reduced (CWR): Not set
            .... .0.. .... = ECN-Echo: Not set
            .... ..0. .... = Urgent: Not set
            .... ...1 .... = Acknowledgment: Set
            .... .... 0... = Push: Not set
            .... .... .1.. = Reset: Set
                [Expert Info (Warn/Sequence): Connection reset (RST)]
                    [Connection reset (RST)]
                    [Severity level: Warn]
                    [Group: Sequence]
            .... .... ..0. = Syn: Not set
            .... .... ...0 = Fin: Not set
        Window size value: 0
        [Calculated window size: 0]
        [Window size scaling factor: -1 (unknown)]
        Checksum: 0x0356 [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
        Urgent pointer: 0
        [SEQ/ACK analysis]
            [This is an ACK to the segment in frame: 5835]
            [The RTT to ACK the segment was: 0.000863000 seconds]
            [iRTT: 0.000860000 seconds]
    
    No.     Time     Source                Destination           Protocol Length Info
       5850 15:45:32 1.2.3.5      1.2.3.4       TCP      66     [TCP Spurious Retransmission] 63312→2221 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
    
    Frame 5850: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0
    Ethernet II, Src: AsustekC_9d:99:c6 (00:26:18:9d:99:c6), Dst: IETF-VRRP-VRID_0d (00:00:5e:00:01:0d)
    Internet Protocol Version 4, Src: 1.2.3.5 (1.2.3.5), Dst: 1.2.3.4 (188.234.249.229)
        Version: 4
        Header Length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
        Total Length: 52
        Identification: 0x62f9 (25337)
        Flags: 0x02 (Don't Fragment)
        Fragment offset: 0
        Time to live: 126
        Protocol: TCP (6)
        Header checksum: 0x2b68 [validation disabled]
            [Good: False]
            [Bad: False]
        Source: 1.2.3.5 (1.2.3.5)
        Destination: 1.2.3.4 (188.234.249.229)
        [Source GeoIP: Unknown]
        [Destination GeoIP: Unknown]
    Transmission Control Protocol, Src Port: 63312 (63312), Dst Port: 2221 (2221), Seq: 0, Len: 0
        Source Port: 63312 (63312)
        Destination Port: 2221 (2221)
        [Stream index: 330]
        [TCP Segment Len: 0]
        Sequence number: 0    (relative sequence number)
        Acknowledgment number: 0
        Header Length: 32 bytes
        .... 0000 0000 0010 = Flags: 0x002 (SYN)
            000. .... .... = Reserved: Not set
            ...0 .... .... = Nonce: Not set
            .... 0... .... = Congestion Window Reduced (CWR): Not set
            .... .0.. .... = ECN-Echo: Not set
            .... ..0. .... = Urgent: Not set
            .... ...0 .... = Acknowledgment: Not set
            .... .... 0... = Push: Not set
            .... .... .0.. = Reset: Not set
            .... .... ..1. = Syn: Set
                [Expert Info (Chat/Sequence): Connection establish request (SYN): server port 2221]
                    [Connection establish request (SYN): server port 2221]
                    [Severity level: Chat]
                    [Group: Sequence]
            .... .... ...0 = Fin: Not set
        Window size value: 8192
        [Calculated window size: 8192]
        Checksum: 0x7645 [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
        Urgent pointer: 0
        Options: (12 bytes), Maximum segment size, No-Operation (NOP), Window scale, No-Operation (NOP), No-Operation (NOP), SACK permitted
            Maximum segment size: 1460 bytes
                Kind: Maximum Segment Size (2)
                Length: 4
                MSS Value: 1460
            No-Operation (NOP)
                Type: 1
                    0... .... = Copy on fragmentation: No
                    .00. .... = Class: Control (0)
                    ...0 0001 = Number: No-Operation (NOP) (1)
            Window scale: 2 (multiply by 4)
                Kind: Window Scale (3)
                Length: 3
                Shift count: 2
                [Multiplier: 4]
            No-Operation (NOP)
                Type: 1
                    0... .... = Copy on fragmentation: No
                    .00. .... = Class: Control (0)
                    ...0 0001 = Number: No-Operation (NOP) (1)
            No-Operation (NOP)
                Type: 1
                    0... .... = Copy on fragmentation: No
                    .00. .... = Class: Control (0)
                    ...0 0001 = Number: No-Operation (NOP) (1)
            TCP SACK Permitted Option: True
                Kind: SACK Permitted (4)
                Length: 2
        [SEQ/ACK analysis]
            [iRTT: 0.000788000 seconds]
            [TCP Analysis Flags]
                [Expert Info (Note/Sequence): This frame is a (suspected) spurious retransmission]
                    [This frame is a (suspected) spurious retransmission]
                    [Severity level: Note]
                    [Group: Sequence]
                [Expert Info (Note/Sequence): This frame is a (suspected) retransmission]
                    [This frame is a (suspected) retransmission]
                    [Severity level: Note]
                    [Group: Sequence]
  • How do I set up port forwarding correctly with iptables on CentOS?

    @mishka_abramov Question author
    Igor: As soon as I get the chance, I'll set up Wireshark to answer your question.
  • How do I set up port forwarding correctly with iptables on CentOS?

    @mishka_abramov Question author
    Igor: I installed tcpdump; I'd be very grateful if you could help with the following:
    Here is what happens on port 2221 when someone tries to connect to us to download updates
    [root@our.domain]# tcpdump -i any  port 2221
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
    14:15:35.457914 IP external.user.convex.ru.63705 > our.domain.rockwell-csp1: Flags [S], seq 2078803573, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
    14:15:38.157952 IP 188x234x244x181.static-business.188-181.ertelecom.ru.49340 > our.domain.rockwell-csp1: Flags [S], seq 1500447274, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    14:15:38.459262 IP external.user.convex.ru.63705 > our.domain.rockwell-csp1: Flags [S], seq 2078803573, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
    14:15:41.148556 IP 188x234x244x181.static-business.188-181.ertelecom.ru.49340 > our.domain.rockwell-csp1: Flags [S], seq 1500447274, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    14:15:44.461209 IP external.user.convex.ru.63705 > our.domain.rockwell-csp1: Flags [S], seq 2078803573, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    14:15:47.154251 IP 188x234x244x181.static-business.188-181.ertelecom.ru.49340 > our.domain.rockwell-csp1: Flags [S], seq 1500447274, win 8192, options [mss 1460,nop,nop,sackOK], length 0

    I didn't quite understand how to analyze whether they go any further.
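One way to answer the question in the two captures above (the Wireshark SYN/RST pairs and the unanswered tcpdump SYNs) is to let a script read `tcpdump -n` output taken on the NAT box itself and classify each client's attempt. This is an added example, not code from the thread. It assumes the capture is made on the CentOS host with `-i any`, so a SYN that the DNAT rule rewrote shows up twice: once addressed to the public IP (ingress, before PREROUTING) and once addressed to the internal target (egress, after the rewrite). The sample lines are constructed from the thread's tcpdump and Wireshark output with client addresses replaced by documentation ranges; 1.2.3.4 and 1.2.3.5 are the public and target addresses as in the thread.

```python
"""Classify connection attempts to a forwarded port from `tcpdump -i any -n port 2221` output.

Run on the host doing the NAT. With `-i any` a SYN that PREROUTING rewrote appears twice
(to the public address, then to the internal target). A SYN that is never rewritten and
never answered did not match the DNAT rule, or was dropped before it.
"""
import re
from collections import defaultdict

PUBLIC_IP = "1.2.3.4"  # address the clients connect to (from the thread; assumption)

# tcpdump -n line: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample modelled on the thread's captures: two clients whose SYNs are never
# answered, one client reset by 1.2.3.4 itself, one client whose SYN is DNATed to 1.2.3.5.
SAMPLE = """\
14:15:35.457914 IP 203.0.113.10.63705 > 1.2.3.4.2221: Flags [S], seq 2078803573, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
14:15:38.157952 IP 203.0.113.20.49340 > 1.2.3.4.2221: Flags [S], seq 1500447274, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
14:15:38.459262 IP 203.0.113.10.63705 > 1.2.3.4.2221: Flags [S], seq 2078803573, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
14:15:41.148556 IP 203.0.113.20.49340 > 1.2.3.4.2221: Flags [S], seq 1500447274, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
14:15:44.461209 IP 203.0.113.10.63705 > 1.2.3.4.2221: Flags [S], seq 2078803573, win 8192, options [mss 1460,nop,nop,sackOK], length 0
14:15:47.154251 IP 203.0.113.20.49340 > 1.2.3.4.2221: Flags [S], seq 1500447274, win 8192, options [mss 1460,nop,nop,sackOK], length 0
15:45:32.000000 IP 1.2.3.5.63312 > 1.2.3.4.2221: Flags [S], seq 0, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
15:45:32.000788 IP 1.2.3.4.2221 > 1.2.3.5.63312: Flags [R.], seq 0, ack 1, win 0, length 0
15:45:33.000000 IP 198.51.100.7.40000 > 1.2.3.4.2221: Flags [S], seq 5, win 8192, options [mss 1460], length 0
15:45:33.000050 IP 198.51.100.7.40000 > 1.2.3.5.2221: Flags [S], seq 5, win 8192, options [mss 1460], length 0
15:45:33.000400 IP 1.2.3.5.2221 > 198.51.100.7.40000: Flags [S.], seq 9, ack 6, win 29200, options [mss 1460], length 0
15:45:33.000450 IP 1.2.3.4.2221 > 198.51.100.7.40000: Flags [S.], seq 9, ack 6, win 29200, options [mss 1460], length 0
"""


def parse(text):
    """Yield (src, sport, dst, dport, flags) for each tcpdump -n packet line; skip banners."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]


def classify(text, public_ip=PUBLIC_IP):
    """Map each client (ip, port) to a (verdict_code, explanation) pair."""
    flows = defaultdict(lambda: {"syn": 0, "dsts": set(), "synack": 0, "rst_from": None})
    for src, sport, dst, dport, flags in parse(text):
        if flags == "S":                        # SYN without ACK: the client's opening packet
            f = flows[(src, sport)]
            f["syn"] += 1
            f["dsts"].add(dst)                  # public address, or the DNAT target after rewrite
        elif (dst, dport) in flows:             # something travelling back toward a known client
            f = flows[(dst, dport)]
            if "S" in flags and "." in flags:   # SYN-ACK
                f["synack"] += 1
            if "R" in flags and f["rst_from"] is None:
                f["rst_from"] = src
    verdicts = {}
    for client, f in flows.items():
        rewritten = f["dsts"] - {public_ip}     # destinations other than the public IP
        if f["synack"]:
            verdicts[client] = ("ok", "SYN-ACK seen, the handshake completes")
        elif f["rst_from"]:
            verdicts[client] = ("refused", f"RST from {f['rst_from']}: that host answered "
                                "itself instead of forwarding, or has no listener")
        elif rewritten:
            verdicts[client] = ("forwarded_no_reply", f"SYN rewritten to {sorted(rewritten)[0]} "
                                "but nothing came back: target down, or its replies bypass this box")
        else:
            verdicts[client] = ("not_forwarded", f"{f['syn']} SYN(s) to {public_ip} never "
                                "rewritten: the DNAT rule is not matching (check -p, --dport, -d)")
    return verdicts


if __name__ == "__main__":
    for client, (code, detail) in classify(SAMPLE).items():
        print(f"{client[0]}:{client[1]}  {code:<20} {detail}")
```

Against the thread's own tcpdump output every flow comes out `not_forwarded`: the SYNs arrive addressed to the public IP and no rewritten copy ever appears, which points at the PREROUTING rule rather than at the return path. A `refused` verdict whose RST carries the NAT box's own address, like Wireshark frames 5451 and 5465 (returned within a millisecond, window 0, IP ID 0), means the packet was handled locally rather than forwarded; a RST from the target's address would instead mean the target has nothing listening on the port.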
  • How do I set up port forwarding correctly with iptables on CentOS?

    @mishka_abramov Question author
    Igor: That didn't lead to any result either.
  • How do I set up port forwarding correctly with iptables on CentOS?

    @mishka_abramov Question author
    Igor: Before your edit the restart went through fine.
  • How do I set up port forwarding correctly with iptables on CentOS?

    @mishka_abramov Question author
    Igor: I didn't pay attention to the last restart:
    service iptables restart
    iptables: Setting chains to policy ACCEPT: filter nat [ OK ]
    iptables: Flushing firewall rules: [ OK ]
    iptables: Unloading modules: [ OK ]
    iptables: Applying firewall rules: iptables-restore v1.4.7: host/network `1.2.3.5:2221' not found
    Error occurred at line: 7
    Try `iptables-restore -h' or 'iptables-restore --help' for more information.
    [FAILED]
  • How do I set up port forwarding correctly with iptables on CentOS?

    @mishka_abramov Question author
    Igor:
    # Generated by iptables-save v1.4.7 on Wed Feb  4 13:06:28 2015
    *nat
    :PREROUTING ACCEPT [445:35874]
    :POSTROUTING ACCEPT [201:12052]
    :OUTPUT ACCEPT [201:12052]
    -A PREROUTING -d 1.2.3.4/32 -p udp -m udp --dport 2221 -j DNAT --to-destination 1.2.3.5:2221
    -A POSTROUTING -d 1.2.3.5:2221 -p tcp -m tcp --dport 2221 -j SNAT --to-source 1.2.3.4
    COMMIT
    # Completed on Wed Feb  4 13:06:28 2015
    # Generated by iptables-save v1.4.7 on Wed Feb  4 13:06:28 2015
    *filter
    :INPUT DROP [70:5549]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [1859:1537954]
    :fail2ban-MAIL - [0:0]
    :fail2ban-SSH - [0:0]
    :fail2ban-VESTA - [0:0]
    :vesta - [0:0]
    -A INPUT -p tcp -m multiport --dports 25,465,587,2525,110,995,143,993 -j fail2ban-MAIL
    -A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
    -A INPUT -p tcp -m tcp --dport 8083 -j fail2ban-VESTA
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
    -A INPUT -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 25,465,587,2525 -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 110,995 -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 143,993 -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 3306,5432 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 8083 -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -s 188.234.249.229/32 -j ACCEPT
    -A INPUT -s 192.168.0.5/32 -j ACCEPT
    -A INPUT -s 127.0.0.1/32 -j ACCEPT
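The rule set posted above fails to load for a reason its own error message states, and it has a second problem that would keep the forward from working even once it loads. The following is an added example, not code from the thread: a small linter for iptables-save text that reports the three things that commonly break a DNAT port forward, plus a generator for a corrected rule set. The constructed `BROKEN` text is a shortened copy of the nat table posted in the thread (first line restored as a `#` comment, filter table trimmed); the function names, the `proto` default and the sample addresses are assumptions for illustration. Note that `iptables-restore` counts lines from the top of the file, comments included, so `Error occurred at line: 7` points at the POSTROUTING rule.

```python
"""Lint an iptables-save dump for DNAT port-forward mistakes; emit a corrected rule set."""
import shlex

# Constructed copy of the nat table from the thread, filter table shortened.
BROKEN = """\
# Generated by iptables-save v1.4.7 on Wed Feb  4 13:06:28 2015
*nat
:PREROUTING ACCEPT [445:35874]
:POSTROUTING ACCEPT [201:12052]
:OUTPUT ACCEPT [201:12052]
-A PREROUTING -d 1.2.3.4/32 -p udp -m udp --dport 2221 -j DNAT --to-destination 1.2.3.5:2221
-A POSTROUTING -d 1.2.3.5:2221 -p tcp -m tcp --dport 2221 -j SNAT --to-source 1.2.3.4
COMMIT
*filter
:INPUT DROP [70:5549]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1859:1537954]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""


def parse_rules(text):
    """Return ({(table, chain): policy}, [rule]) with rule = {table, chain, line, opts}."""
    table, policies, rules = None, {}, []
    for n, raw in enumerate(text.splitlines(), 1):   # 1-based, like iptables-restore
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith("-A "):
            toks = shlex.split(line)
            opts, i = {}, 2
            while i < len(toks):                      # "-opt value" or a bare flag like --syn
                has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
                opts.setdefault(toks[i], []).append(toks[i + 1] if has_val else None)
                i += 2 if has_val else 1
            rules.append({"table": table, "chain": toks[1], "line": n, "opts": opts})
    return policies, rules


def first(rule, key):
    return rule["opts"].get(key, [None])[0]


def host(value):
    """'1.2.3.5:2221' or '1.2.3.5/32' -> '1.2.3.5'; None -> ''."""
    return (value or "").split(":")[0].split("/")[0]


def lint(text):
    """Return a list of (line, code, message) findings."""
    findings = []
    policies, rules = parse_rules(text)
    for r in rules:                                   # 1. host:port where only host/network is legal
        for key in ("-s", "-d"):
            v = first(r, key)
            if v and ":" in v:
                findings.append((r["line"], "bad_address",
                    f"{key} {v}: iptables-restore fails with \"host/network `{v}' not found\"; "
                    f"use {key} {host(v)}/32 and put the port in --dport"))
    snats = [r for r in rules if r["table"] == "nat" and r["chain"] == "POSTROUTING"
             and first(r, "-j") in ("SNAT", "MASQUERADE")]
    for d in [r for r in rules if r["table"] == "nat" and first(r, "-j") == "DNAT"]:
        target, proto = host(first(d, "--to-destination")), first(d, "-p")
        for s in snats:                               # 2. SNAT for the target on another protocol
            sp = first(s, "-p")
            if host(first(s, "-d")) == target and sp and proto and sp != proto:
                findings.append((s["line"], "proto_mismatch",
                    f"SNAT for {target} matches -p {sp} but the DNAT on line {d['line']} "
                    f"matches -p {proto}, so forwarded packets never reach it"))
        if policies.get(("filter", "FORWARD")) == "DROP":   # 3. nothing lets the flow through
            accepts = [r for r in rules if r["table"] == "filter" and r["chain"] == "FORWARD"
                       and first(r, "-j") == "ACCEPT" and host(first(r, "-d")) in ("", target)]
            if not accepts:
                findings.append((d["line"], "forward_blocked",
                    f"FORWARD policy is DROP and no FORWARD rule accepts traffic to {target}"))
    return findings


def forward_rules(public_ip, target_ip, port, proto="tcp"):
    """Corrected set: DNAT on the public address, SNAT toward the target, explicit FORWARD accepts."""
    return f"""\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d {public_ip}/32 -p {proto} -m {proto} --dport {port} -j DNAT --to-destination {target_ip}:{port}
-A POSTROUTING -d {target_ip}/32 -p {proto} -m {proto} --dport {port} -j SNAT --to-source {public_ip}
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -d {target_ip}/32 -p {proto} -m {proto} --dport {port} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s {target_ip}/32 -p {proto} -m {proto} --sport {port} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""


if __name__ == "__main__":
    for line, code, msg in lint(BROKEN):
        print(f"line {line}: {code}: {msg}")
    print(forward_rules("1.2.3.4", "1.2.3.5", 2221))
```

On the posted rules the linter reports two findings, both on line 7: `-d 1.2.3.5:2221` is not a host or network (the exact error `iptables-restore` printed), and the SNAT matches `-p tcp` while the DNAT matches `-p udp`, so even a rewritten UDP packet would never hit it. The captures in the thread show TCP SYNs on port 2221, so the DNAT itself needs `-p tcp`; `forward_rules()` puts both rules on the same protocol, with `/32` hosts and the port in `--dport`. The two FORWARD rules are not strictly needed while the FORWARD policy is ACCEPT, as it is in the posted filter table, but they keep the forward working if that policy is tightened to DROP. Merge the nat table and the FORWARD rules into the existing /etc/sysconfig/iptables rather than replacing the file (the generated filter section deliberately carries no INPUT rules, so it would lock you out on its own), then `service iptables restart`. The SNAT makes the target see the NAT box as the client, which forces its replies back through the NAT box whatever its default route is, at the cost of hiding the real client address from the target; `net.ipv4.ip_forward = 1`, already present in the sysctl output posted in the thread, is still required.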
  • How do I set up port forwarding correctly with iptables on CentOS?

    @mishka_abramov Question author
    Vladimir: That produced no result either.
  • How do I set up port forwarding correctly with iptables on CentOS?

    @mishka_abramov Question author
    Also, many thanks for the advice; I restarted iptables, but there was no result. What else should I look at?
  • How do I set up port forwarding correctly with iptables on CentOS?

    @mishka_abramov Question author
    Vladimir:
    sysctl -p
    net.ipv4.ip_forward = 1
    net.ipv4.conf.default.rp_filter = 1
    net.ipv4.conf.default.accept_source_route = 0
    kernel.sysrq = 0
    kernel.core_uses_pid = 1
    net.ipv4.tcp_syncookies = 1
    error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
    error: "net.bridge.bridge-nf-call-iptables" is an unknown key
    error: "net.bridge.bridge-nf-call-arptables" is an unknown key
    kernel.msgmnb = 65536
    kernel.msgmax = 65536
    kernel.shmmax = 68719476736
    kernel.shmall = 4294967296
  • How do I set up port forwarding correctly with iptables on CentOS?

    @mishka_abramov Question author
    Thanks for such a quick reply! But could you tell me what else the problem might be?
    sysctl

    # Kernel sysctl configuration file for Red Hat Linux
    #
    # For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
    # sysctl.conf(5) for more details.

    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1

    # Controls source route verification
    net.ipv4.conf.default.rp_filter = 1

    # Do not accept source routing
    net.ipv4.conf.default.accept_source_route = 0

    # Controls the System Request debugging functionality of the kernel
    kernel.sysrq = 0

    # Controls whether core dumps will append the PID to the core filename.
    # Useful for debugging multi-threaded applications.
    kernel.core_uses_pid = 1

    # Controls the use of TCP syncookies
    net.ipv4.tcp_syncookies = 1

    # Disable netfilter on bridges.
    net.bridge.bridge-nf-call-ip6tables = 0
    net.bridge.bridge-nf-call-iptables = 0
    net.bridge.bridge-nf-call-arptables = 0

    # Controls the default maximum size of a message queue
    kernel.msgmnb = 65536

    # Controls the maximum size of a message, in bytes
    kernel.msgmax = 65536