Zdravim,
narazil jsem na divnej problem, jedna konkretni IP (213.192.19.10) se ke mne nemuze dostat a ja se nemuzu dostat k ni (ani ping nebo tracert).
Po restartu routeru chvilku vsechno slape, pote dostavam chybu:
root@turris:~# ping 213.192.19.10
PING 213.192.19.10 (213.192.19.10): 56 data bytes
ping: sendto: Operation not permitted
root@turris:~# traceroute 213.192.19.10
traceroute to 213.192.19.10 (213.192.19.10), 30 hops max, 38 byte packets
 1  traceroute: sendto: Operation not permitted
Adresy 213.192.19.1, 213.192.19.9 a 213.192.19.11 jedou bez problemu, je to jen tahle konkretni IP.
Ve FW nevidim zadne pravidlo, ktere by provoz melo blokovat. Nejakej napad na reseni?
root@turris:~# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N MINIUPNPD
-N accept
-N drop
-N forwarding_lan_rule
-N forwarding_rule
-N forwarding_wan_rule
-N input_lan_rule
-N input_rule
-N input_wan_rule
-N output_lan_rule
-N output_rule
-N output_wan_rule
-N reject
-N syn_flood
-N turris
-N turris-log-incoming
-N turris-nflog
-N ucollect_fake
-N ucollect_fake_accept
-N zone_lan_dest_accept
-N zone_lan_forward
-N zone_lan_input
-N zone_lan_output
-N zone_lan_src_accept
-N zone_wan_dest_REJECT
-N zone_wan_dest_accept
-N zone_wan_forward
-N zone_wan_input
-N zone_wan_output
-N zone_wan_src_REJECT
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: user chain for input" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -m comment --comment "!fw3" -j accept
-A FORWARD -m comment --comment "!fw3: user chain for forwarding" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: user chain for output" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -m comment --comment "!fw3" -j accept
-A accept -j turris
-A accept -m comment --comment "!fw3" -j ACCEPT
-A drop -i eth2 -j turris-log-incoming
-A drop -m comment --comment "!fw3" -j DROP
-A forwarding_rule -j turris-nflog
-A input_rule -j turris-nflog
-A output_rule -j turris-nflog
-A reject -i eth2 -j turris-log-incoming
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A turris -o eth2 -m limit --limit 1/sec -m set --match-set turris_00005E11_l_a_4_X dst -j LOG --log-prefix "turris-00005E11: " --log-level 7
-A turris -i eth2 -m limit --limit 1/sec -m set --match-set turris_00005E11_l_a_4_X src -j LOG --log-prefix "turris-00005E11: " --log-level 7
-A turris -o eth2 -m limit --limit 1/sec -m set --match-set turris_00415B11_l_a_4_X dst -j LOG --log-prefix "turris-00415B11: " --log-level 7
-A turris -i eth2 -m limit --limit 1/sec -m set --match-set turris_00415B11_l_a_4_X src -j LOG --log-prefix "turris-00415B11: " --log-level 7
-A turris -o eth2 -m limit --limit 1/sec -m set --match-set turris_00557B71_l_ap_4_X dst,dst -j LOG --log-prefix "turris-00557B71: " --log-level 7
-A turris -i eth2 -m limit --limit 1/sec -m set --match-set turris_00557B71_l_ap_4_X src,src -j LOG --log-prefix "turris-00557B71: " --log-level 7
-A turris -o eth2 -m limit --limit 1/sec -m set --match-set turris_007E0511_l_a_4_X dst -j LOG --log-prefix "turris-007E0511: " --log-level 7
-A turris -i eth2 -m limit --limit 1/sec -m set --match-set turris_007E0511_l_a_4_X src -j LOG --log-prefix "turris-007E0511: " --log-level 7
-A turris -o eth2 -m limit --limit 1/sec -m set --match-set turris_009A7E41_l_a_4_X dst -j LOG --log-prefix "turris-009A7E41: " --log-level 7
-A turris -i eth2 -m limit --limit 1/sec -m set --match-set turris_009A7E41_l_a_4_X src -j LOG --log-prefix "turris-009A7E41: " --log-level 7
-A turris -o eth2 -m limit --limit 1/sec -m set --match-set turris_00A704A1_l_a_4_X dst -j LOG --log-prefix "turris-00A704A1: " --log-level 7
-A turris -i eth2 -m limit --limit 1/sec -m set --match-set turris_00A704A1_l_a_4_X src -j LOG --log-prefix "turris-00A704A1: " --log-level 7
-A turris -o eth2 -m limit --limit 1/sec -m set --match-set turris_00CE6700_lb_a_4_X dst -j LOG --log-prefix "turris-00CE6700: " --log-level 7
-A turris -i eth2 -m limit --limit 1/sec -m set --match-set turris_00CE6700_lb_a_4_X src -j LOG --log-prefix "turris-00CE6700: " --log-level 7
-A turris -o eth2 -m limit --limit 1/sec -m set --match-set turris_00CE6701_l_a_4_X dst -j LOG --log-prefix "turris-00CE6701: " --log-level 7
-A turris -i eth2 -m limit --limit 1/sec -m set --match-set turris_00CE6701_l_a_4_X src -j LOG --log-prefix "turris-00CE6701: " --log-level 7
-A turris -o eth2 -m limit --limit 1/sec -m set --match-set turris_00D05711_l_a_4_X dst -j LOG --log-prefix "turris-00D05711: " --log-level 7
-A turris -i eth2 -m limit --limit 1/sec -m set --match-set turris_00D05711_l_a_4_X src -j LOG --log-prefix "turris-00D05711: " --log-level 7
-A turris -o eth2 -m limit --limit 1/sec -m set --match-set turris_00DEAD51_l_a_4_X dst -j LOG --log-prefix "turris-00DEAD51: " --log-level 7
-A turris -i eth2 -m limit --limit 1/sec -m set --match-set turris_00DEAD51_l_a_4_X src -j LOG --log-prefix "turris-00DEAD51: " --log-level 7
-A turris -o eth2 -m limit --limit 1/sec -m set --match-set turris_00DEB060_lb_a_4_X dst -j LOG --log-prefix "turris-00DEB060: " --log-level 7
-A turris -i eth2 -m limit --limit 1/sec -m set --match-set turris_00DEB060_lb_a_4_X src -j LOG --log-prefix "turris-00DEB060: " --log-level 7
-A turris -o eth2 -m limit --limit 1/sec -m set --match-set turris_00FE0D01_l_a_4_X dst -j LOG --log-prefix "turris-00FE0D01: " --log-level 7
-A turris -i eth2 -m limit --limit 1/sec -m set --match-set turris_00FE0D01_l_a_4_X src -j LOG --log-prefix "turris-00FE0D01: " --log-level 7
-A turris -o eth2 -m limit --limit 1/sec -m set --match-set turris_047C0DE1_l_a_4_X dst -j LOG --log-prefix "turris-047C0DE1: " --log-level 7
-A turris -i eth2 -m limit --limit 1/sec -m set --match-set turris_047C0DE1_l_a_4_X src -j LOG --log-prefix "turris-047C0DE1: " --log-level 7
-A turris -o eth2 -m limit --limit 1/sec -m set --match-set turris_06E7E701_l_a_4_X dst -j LOG --log-prefix "turris-06E7E701: " --log-level 7
-A turris -i eth2 -m limit --limit 1/sec -m set --match-set turris_06E7E701_l_a_4_X src -j LOG --log-prefix "turris-06E7E701: " --log-level 7
-A turris -o eth2 -m limit --limit 1/sec -m set --match-set turris_07E7E411_l_a_4_X dst -j LOG --log-prefix "turris-07E7E411: " --log-level 7
-A turris -i eth2 -m limit --limit 1/sec -m set --match-set turris_07E7E411_l_a_4_X src -j LOG --log-prefix "turris-07E7E411: " --log-level 7
-A turris -o eth2 -m limit --limit 1/sec -m set --match-set turris_0A566041_l_ap_4_X dst,dst -j LOG --log-prefix "turris-0A566041: " --log-level 7
-A turris -i eth2 -m limit --limit 1/sec -m set --match-set turris_0A566041_l_ap_4_X src,src -j LOG --log-prefix "turris-0A566041: " --log-level 7
-A turris -o eth2 -m limit --limit 1/sec -m set --match-set turris_0A7D7011_l_a_4_X dst -j LOG --log-prefix "turris-0A7D7011: " --log-level 7
-A turris -i eth2 -m limit --limit 1/sec -m set --match-set turris_0A7D7011_l_a_4_X src -j LOG --log-prefix "turris-0A7D7011: " --log-level 7
-A turris -o eth2 -m limit --limit 1/sec -m set --match-set turris_100FA4E0_lb_a_4_X dst -j LOG --log-prefix "turris-100FA4E0: " --log-level 7
-A turris -i eth2 -m limit --limit 1/sec -m set --match-set turris_100FA4E0_lb_a_4_X src -j LOG --log-prefix "turris-100FA4E0: " --log-level 7
-A turris -o eth2 -m set --match-set turris_00CE6700_lb_a_4_X dst -j DROP
-A turris -i eth2 -m set --match-set turris_00CE6700_lb_a_4_X src -j DROP
-A turris -o eth2 -m set --match-set turris_00DEB060_lb_a_4_X dst -j DROP
-A turris -i eth2 -m set --match-set turris_00DEB060_lb_a_4_X src -j DROP
-A turris -o eth2 -m set --match-set turris_100FA4E0_lb_a_4_X dst -j DROP
-A turris -i eth2 -m set --match-set turris_100FA4E0_lb_a_4_X src -j DROP
-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_00005E11_l_a_4_X src -j LOG --log-prefix "turris-00005E11: " --log-level 7
-A turris-log-incoming -j ucollect_fake
-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_00415B11_l_a_4_X src -j LOG --log-prefix "turris-00415B11: " --log-level 7
-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_00557B71_l_ap_4_X src,src -j LOG --log-prefix "turris-00557B71: " --log-level 7
-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_007E0511_l_a_4_X src -j LOG --log-prefix "turris-007E0511: " --log-level 7
-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_009A7E41_l_a_4_X src -j LOG --log-prefix "turris-009A7E41: " --log-level 7
-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_00A704A1_l_a_4_X src -j LOG --log-prefix "turris-00A704A1: " --log-level 7
-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_00CE6700_lb_a_4_X src -j LOG --log-prefix "turris-00CE6700: " --log-level 7
-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_00CE6701_l_a_4_X src -j LOG --log-prefix "turris-00CE6701: " --log-level 7
-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_00D05711_l_a_4_X src -j LOG --log-prefix "turris-00D05711: " --log-level 7
-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_00DEAD51_l_a_4_X src -j LOG --log-prefix "turris-00DEAD51: " --log-level 7
-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_00DEB060_lb_a_4_X src -j LOG --log-prefix "turris-00DEB060: " --log-level 7
-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_00FE0D01_l_a_4_X src -j LOG --log-prefix "turris-00FE0D01: " --log-level 7
-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_047C0DE1_l_a_4_X src -j LOG --log-prefix "turris-047C0DE1: " --log-level 7
-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_06E7E701_l_a_4_X src -j LOG --log-prefix "turris-06E7E701: " --log-level 7
-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_07E7E411_l_a_4_X src -j LOG --log-prefix "turris-07E7E411: " --log-level 7
-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_0A566041_l_ap_4_X src,src -j LOG --log-prefix "turris-0A566041: " --log-level 7
-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_0A7D7011_l_a_4_X src -j LOG --log-prefix "turris-0A7D7011: " --log-level 7
-A turris-log-incoming -m limit --limit 1/sec -m set --match-set turris_100FA4E0_lb_a_4_X src -j LOG --log-prefix "turris-100FA4E0: " --log-level 7
-A turris-log-incoming -m set --match-set turris_00005E11_l_a_4_X src -j RETURN
-A turris-log-incoming -m set --match-set turris_00415B11_l_a_4_X src -j RETURN
-A turris-log-incoming -m set --match-set turris_00557B71_l_ap_4_X src,src -j RETURN
-A turris-log-incoming -m set --match-set turris_007E0511_l_a_4_X src -j RETURN
-A turris-log-incoming -m set --match-set turris_009A7E41_l_a_4_X src -j RETURN
-A turris-log-incoming -m set --match-set turris_00A704A1_l_a_4_X src -j RETURN
-A turris-log-incoming -m set --match-set turris_00CE6700_lb_a_4_X src -j RETURN
-A turris-log-incoming -m set --match-set turris_00CE6701_l_a_4_X src -j RETURN
-A turris-log-incoming -m set --match-set turris_00D05711_l_a_4_X src -j RETURN
-A turris-log-incoming -m set --match-set turris_00DEAD51_l_a_4_X src -j RETURN
-A turris-log-incoming -m set --match-set turris_00DEB060_lb_a_4_X src -j RETURN
-A turris-log-incoming -m set --match-set turris_00FE0D01_l_a_4_X src -j RETURN
-A turris-log-incoming -m set --match-set turris_047C0DE1_l_a_4_X src -j RETURN
-A turris-log-incoming -m set --match-set turris_06E7E701_l_a_4_X src -j RETURN
-A turris-log-incoming -m set --match-set turris_07E7E411_l_a_4_X src -j RETURN
-A turris-log-incoming -m set --match-set turris_0A566041_l_ap_4_X src,src -j RETURN
-A turris-log-incoming -m set --match-set turris_0A7D7011_l_a_4_X src -j RETURN
-A turris-log-incoming -m set --match-set turris_100FA4E0_lb_a_4_X src -j RETURN
-A turris-log-incoming -m limit --limit 1/sec --limit-burst 500 -j LOG --log-prefix "turris-00000000: " --log-level 7
-A ucollect_fake -m mark --mark 0x80000/0xc0000 -m limit --limit 100/sec --limit-burst 200 -j LOG --log-prefix "ucollect-fake-open-inet: " --log-level 7
-A ucollect_fake -m mark --mark 0x80000/0xc0000 -j DROP
-A ucollect_fake_accept -p tcp -m tcp --dport 3692 -m mark --mark 0xc0000/0xc0000 -j ACCEPT
-A ucollect_fake_accept -p tcp -m tcp --dport 1392 -m mark --mark 0xc0000/0xc0000 -j ACCEPT
-A ucollect_fake_accept -p tcp -m tcp --dport 4497 -m mark --mark 0xc0000/0xc0000 -j ACCEPT
-A ucollect_fake_accept -p tcp -m tcp --dport 9449 -m mark --mark 0xc0000/0xc0000 -j ACCEPT
-A ucollect_fake_accept -p tcp -m tcp --dport 1449 -m mark --mark 0xc0000/0xc0000 -j ACCEPT
-A ucollect_fake_accept -p tcp -m tcp --dport 9492 -m mark --mark 0xc0000/0xc0000 -j ACCEPT
-A zone_lan_dest_accept -o br-lan -m comment --comment "!fw3" -j accept
-A zone_lan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_lan_rule
-A zone_lan_forward -d 93.171.172.221/32 -m comment --comment "!fw3: block" -j zone_wan_dest_REJECT
-A zone_lan_forward -d 192.200.123.108/32 -m comment --comment "!fw3: block2" -j zone_wan_dest_REJECT
-A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> wan" -j zone_wan_dest_accept
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j accept
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_accept
-A zone_lan_input -m comment --comment "!fw3: user chain for input" -j input_lan_rule
-A zone_lan_input -p igmp -m comment --comment "!fw3: ubus:igmpproxy[instance1] rule 2" -j accept
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j accept
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_accept
-A zone_lan_output -m comment --comment "!fw3: user chain for output" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_accept
-A zone_lan_src_accept -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j accept
-A zone_wan_dest_REJECT -o eth2 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_accept -o eth2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_accept -o eth2 -m comment --comment "!fw3" -j accept
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_wan_rule
-A zone_wan_forward -d 224.0.0.0/4 -p udp -m comment --comment "!fw3: ubus:igmpproxy[instance1] rule 1" -j zone_lan_dest_accept
-A zone_wan_forward -s 89.233.171.0/24 -p udp -m comment --comment "!fw3: IPTV_jedna" -j accept
-A zone_wan_forward -s 224.0.0.0/4 -p udp -m comment --comment "!fw3: IPTV_dva" -j accept
-A zone_wan_forward -s 212.96.179.0/24 -p udp -m comment --comment "!fw3: IPTV_tri" -j accept
-A zone_wan_forward -s 89.233.172.0/24 -p udp -m comment --comment "!fw3: IPTV_sest" -j accept
-A zone_wan_forward -s 232.0.2.0/24 -p udp -m comment --comment "!fw3: IPTV_sedum" -j accept
-A zone_wan_forward -s 232.0.1.0/24 -p udp -m comment --comment "!fw3: IPTV_devet" -j accept
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j accept
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: user chain for input" -j input_wan_rule
-A zone_wan_input -p igmp -m comment --comment "!fw3: ubus:igmpproxy[instance1] rule 0" -j accept
-A zone_wan_input -p igmp -m comment --comment "!fw3: IGMP_ENABLE" -j accept
-A zone_wan_input -s 212.96.179.0/24 -p tcp -m comment --comment "!fw3: IPTV_ctyri" -j accept
-A zone_wan_input -s 212.96.179.0/24 -p udp -m comment --comment "!fw3: IPTV_ctyri" -j accept
-A zone_wan_input -s 89.233.171.134/32 -p tcp -m comment --comment "!fw3: IPTV_pet" -j accept
-A zone_wan_input -s 89.233.171.134/32 -p udp -m comment --comment "!fw3: IPTV_pet" -j accept
-A zone_wan_input -s 232.0.2.0/24 -p tcp -m comment --comment "!fw3: IPTV_osum" -j accept
-A zone_wan_input -s 232.0.2.0/24 -p udp -m comment --comment "!fw3: IPTV_osum" -j accept
-A zone_wan_input -s 232.0.1.0/24 -p tcp -m comment --comment "!fw3: IPTV_deset" -j accept
-A zone_wan_input -s 232.0.1.0/24 -p udp -m comment --comment "!fw3: IPTV_deset" -j accept
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j accept
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j accept
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: user chain for output" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_accept
-A zone_wan_src_REJECT -i eth2 -m comment --comment "!fw3" -j reject