Hi all,
I'd like to ask for your help with the following.
I have a Debian 7 server that I can't see from my internal network only. In theory it has worked perfectly until now, but perhaps a recent update knocked it out.
If I ping it from the internal network it doesn't show up, but if I connect through OpenWrt, it works perfectly.
I looked through the blocking mechanisms, /etc/hosts.deny, fail2ban, but found no trace of the cause of the blocking there.
On the internal network, as I wrote, it blocks ping, SSH, access to the Samba server, and there is also a webmin on it, even that (I assume all ports).
If I ping the router, that works, but if I ping another internal-network IP from the server, that is blocked too.
My question is: how could I check what the server is blocking, or what might be blocking on the server?
---
route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default openwrt.lan 0.0.0.0 UG 0 0 0 eth2
172.16.200.0 172.16.200.2 255.255.255.0 UG 0 0 0 tun1
172.16.200.2 * 255.255.255.255 UH 0 0 0 tun1
192.168.15.0 * 255.255.255.0 U 0 0 0 eth2
---
arp
Address HWtype HWaddress Flags Mask Iface
openwrt.lan ether 02:84:05:42:d6:XX C eth2
192.168.15.180 (incomplete) eth2
android-c788fb084c0d541 (incomplete) eth2
192.168.15.160 (incomplete) eth2
---
tcpdump -i eth2
17:19:16.431400 IP openwrt.lan.51148 > server.1234 : Flags [.], ack 3661840, win 13873, length 0
17:19:16.431503 IP server.1234 > openwrt.lan.51148: Flags [P.], seq 3662624:3662912, ack 9121, win 919, length 288
17:19:16.431549 IP server.1234 > openwrt.lan.51148: Flags [P.], seq 3662912:3663072, ack 9121, win 919, length 160
17:19:16.431573 IP server.1234 > openwrt.lan.51148: Flags [P.], seq 3663072:3663248, ack 9121, win 919, length 176
17:19:16.431580 IP openwrt.lan.51148 > server.1234 : Flags [.], ack 3662448, win 13721, length 0
17:19:16.431594 IP server.1234 > openwrt.lan.51148: Flags [P.], seq 3663248:3663424, ack 9121, win 919, length 176
17:19:16.431660 IP server.1234 > openwrt.lan.51148: Flags [P.], seq 3663424:3663808, ack 9121, win 919, length 384
17:19:16.431792 IP openwrt.lan.51148 > server.1234 : Flags [.], ack 3662624, win 13677, length 0
17:19:16.431814 IP server.1234 > openwrt.lan.51148: Flags [P.], seq 3663808:3663984, ack 9121, win 919, length 176
17:19:16.431973 IP openwrt.lan.51148 > server.1234 : Flags [.], ack 3663808, win 13381, length 0
17:19:16.431995 IP server.1234 > openwrt.lan.51148: Flags [P.], seq 3663984:3664320, ack 9121, win 919, length 336
17:19:16.432079 IP server.1234 > openwrt.lan.51148: Flags [P.], seq 3664320:3664480, ack 9121, win 919, length 160
17:19:16.432119 IP server.1234 > openwrt.lan.51148: Flags [P.], seq 3664480:3664656, ack 9121, win 919, length 176
17:19:16.432163 IP openwrt.lan.51148 > server.1234 : Flags [.], ack 3663984, win 13337, length 0
17:19:16.432215 IP server.1234 > openwrt.lan.51148: Flags [P.], seq 3664656:3665040, ack 9121, win 919, length 384
17:19:16.432256 IP server.1234 > openwrt.lan.51148: Flags [P.], seq 3665040:3665104, ack 9121, win 919, length 64
17:19:16.432293 IP server.1234 > openwrt.lan.51148: Flags [P.], seq 3665104:3665280, ack 9121, win 919, length 176
17:19:16.432362 IP openwrt.lan.51148 > server.1234 : Flags [.], ack 3664480, win 13213, length 0
17:19:16.432383 IP server.1234 > openwrt.lan.51148: Flags [P.], seq 3665280:3665632, ack 9121, win 919, length 352
17:19:16.432469 IP server.1234 > openwrt.lan.51148: Flags [P.], seq 3665632:3665792, ack 9121, win 919, length 160
17:19:16.432589 IP openwrt.lan.51148 > server.1234 : Flags [P.], seq 9121:9185, ack 3664480, win 13213, length 64
^Z
[8]+ Stopped tcpdump -i eth2
Kalmi
Comments
Maybe iptables -nvL?
---------------------------------------------------
Hell is empty and all the devils are here.
-- Wm. Shakespeare, "The Tempest"
---
iptables -nvL
Chain INPUT (policy DROP 131 packets, 12976 bytes)
pkts bytes target prot opt in out source destination
0 0 monitorix_IN_8 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:143 ctstate NEW,RELATED,ESTABLISHED
0 0 monitorix_IN_7 udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:53 ctstate NEW,RELATED,ESTABLISHED
3310 208K monitorix_IN_6 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:3306 ctstate NEW,RELATED,ESTABLISHED
0 0 monitorix_IN_5 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:139 ctstate NEW,RELATED,ESTABLISHED
0 0 monitorix_IN_4 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:110 ctstate NEW,RELATED,ESTABLISHED
114 6232 monitorix_IN_3 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:22 ctstate NEW,RELATED,ESTABLISHED
114 10412 monitorix_IN_2 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:80 ctstate NEW,RELATED,ESTABLISHED
0 0 monitorix_IN_1 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:21 ctstate NEW,RELATED,ESTABLISHED
256 306K monitorix_IN_0 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:25 ctstate NEW,RELATED,ESTABLISHED
6104 781K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
39610 2016K portsentry all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 fail2ban-named-refused-tcp tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 53,953
38236 1847K fail2ban-dovecot tcp -- * * 0.0.0.0/0 0.0.0.0/0
38236 1847K fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- eth1 * 192.168.15.0/24 0.0.0.0/0
3 252 ACCEPT icmp -- eth2 * 192.168.15.0/24 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
39385 1995K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- br0 * 192.168.15.0/24 0.0.0.0/0 tcp dpt:1234
2 104 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1234
0 0 ACCEPT tcp -- eth1 * 192.168.15.0/24 0.0.0.0/0 tcp dpt:1234
0 0 ACCEPT tcp -- eth2 * 192.168.15.0/24 0.0.0.0/0 tcp dpt:1234
1 42 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
219 20671 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:873
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9080
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9443
0 0 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun1 * 0.0.0.0/0 0.0.0.0/0
38 1936 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1234
0 0 ACCEPT all -- * * 172.16.0.0/16 0.0.0.0/0
0 0 ACCEPT tcp -- * * 192.168.15.0/24 0.0.0.0/0 tcp dpt:3128
0 0 ACCEPT tcp -- * * 192.168.15.0/24 0.0.0.0/0 tcp dpt:8080
0 0 ACCEPT tcp -- * * 192.168.15.0/24 0.0.0.0/0 tcp dpt:9090
0 0 ACCEPT tcp -- * * 192.168.15.0/24 0.0.0.0/0 tcp dpt:5222
0 0 ACCEPT udp -- * * 192.168.15.0/24 192.168.15.100 multiport dports 137,138
0 0 ACCEPT tcp -- * * 192.168.15.0/24 192.168.15.100 multiport dports 139,445
40 3696 ACCEPT udp -- * * 192.168.15.0/24 192.168.15.255 udp dpt:137
0 0 DROP udp -- * * 0.0.0.0/0 192.168.15.100 multiport dports 137,138
0 0 DROP tcp -- * * 0.0.0.0/0 192.168.15.100 multiport dports 139,445
0 0 fail2ban-named-refused-tcp tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 53,953
1 40 fail2ban-dovecot tcp -- * * 0.0.0.0/0 0.0.0.0/0
1 40 fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
204 29860 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
191 12187 portsentry all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br0 eth2 192.168.15.0/24 0.0.0.0/0
0 0 ACCEPT all -- br0 eth1 192.168.15.0/24 0.0.0.0/0
0 0 ACCEPT all -- eth1 eth1 192.168.15.0/24 0.0.0.0/0
0 0 ACCEPT all -- eth2 eth0 192.168.15.0/24 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.15.10 tcp dpt:1234
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.15.10 tcp dpt:1234
0 0 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1 tun0 192.168.15.0/24 0.0.0.0/0
0 0 ACCEPT all -- eth2 tun0 192.168.15.0/24 0.0.0.0/0
191 12187 ACCEPT all -- tun1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1 tun1 192.168.15.0/24 0.0.0.0/0
0 0 ACCEPT all -- eth2 tun1 192.168.15.0/24 0.0.0.0/0
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
Chain OUTPUT (policy ACCEPT 6798 packets, 1041K bytes)
pkts bytes target prot opt in out source destination
0 0 monitorix_IN_8 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:143 dpts:1024:65535 ctstate RELATED,ESTABLISHED
0 0 monitorix_IN_7 udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpts:1024:65535 ctstate RELATED,ESTABLISHED
1686 205K monitorix_IN_6 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:3306 dpts:1024:65535 ctstate RELATED,ESTABLISHED
0 0 monitorix_IN_5 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:139 dpts:1024:65535 ctstate RELATED,ESTABLISHED
0 0 monitorix_IN_4 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:110 dpts:1024:65535 ctstate RELATED,ESTABLISHED
114 6232 monitorix_IN_3 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 dpts:1024:65535 ctstate RELATED,ESTABLISHED
114 6196 monitorix_IN_2 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 dpts:1024:65535 ctstate RELATED,ESTABLISHED
0 0 monitorix_IN_1 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 dpts:1024:65535 ctstate RELATED,ESTABLISHED
242 22574 monitorix_IN_0 tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 dpts:1024:65535 ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:873
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9080
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9443
89089 23M ACCEPT all -- * * 192.168.15.100 192.168.15.0/24 state RELATED,ESTABLISHED
Chain LOGDROP (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-dovecot (2 references)
pkts bytes target prot opt in out source destination
Chain fail2ban-named-refused-tcp (2 references)
pkts bytes target prot opt in out source destination
Chain fail2ban-ssh (2 references)
pkts bytes target prot opt in out source destination
Chain monitorix_IN_0 (2 references)
pkts bytes target prot opt in out source destination
Chain monitorix_IN_1 (2 references)
pkts bytes target prot opt in out source destination
Chain monitorix_IN_2 (2 references)
pkts bytes target prot opt in out source destination
Chain monitorix_IN_3 (2 references)
pkts bytes target prot opt in out source destination
Chain monitorix_IN_4 (2 references)
pkts bytes target prot opt in out source destination
Chain monitorix_IN_5 (2 references)
pkts bytes target prot opt in out source destination
Chain monitorix_IN_6 (2 references)
pkts bytes target prot opt in out source destination
Chain monitorix_IN_7 (2 references)
pkts bytes target prot opt in out source destination
Chain monitorix_IN_8 (2 references)
pkts bytes target prot opt in out source destination
Chain portsentry (2 references)
pkts bytes target prot opt in out source destination
I don't see any blocking.
Without having seen it, I may be linking something naive, but it might be worth taking a close look at the router too: http://hup.hu/node/125820 It's DD-WRT rather than OpenWRT, but there was a surprise in how it behaved.
Based on your routing table, 192.168.15.0/24 goes via eth2, but it doesn't look like ARP is working in that network. Could you also tell us the IP addresses? It would help a lot. At first glance it looks like the machine is on a different segment from the others.
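An added diagnostic example for the question at the top of the thread ("how can I check what the server is blocking?") and for the ARP observation in the last comment; this is not code from the thread or from any of its participants. It parses the `iptables -nvL` and `arp` output quoted above (embedded here as constructed samples, trimmed to the LAN-relevant INPUT rules in their posted order), walks the INPUT chain the way the kernel would for a few new packets from a LAN host, and lists the ARP neighbours that never answered. The host addresses 192.168.15.160 and 192.168.15.100 and the port numbers (22, 1234, 445) are taken from the posted output, not from knowledge of the real setup, and the matcher only understands the matches that `-nvL` displays (protocol, input interface, source/destination, destination port, conntrack state).

```python
"""Added example, not code from the thread: parse `iptables -nvL` and `arp` output,
ask "which rule handles this packet?" and "who never answered ARP?".  Samples are
constructed from the outputs posted above, trimmed to the LAN-relevant rules."""
import ipaddress, re

# Constructed sample: excerpt of the posted `iptables -nvL` output, same rule order.
IPTABLES_OUTPUT = """\
Chain INPUT (policy DROP 131 packets, 12976 bytes)
 pkts bytes target prot opt in out source destination
 38236 1847K fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0
 3 252 ACCEPT icmp -- eth2 * 192.168.15.0/24 0.0.0.0/0
 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
 39385 1995K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 2 104 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1234
 219 20671 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
 0 0 ACCEPT tcp -- * * 192.168.15.0/24 192.168.15.100 multiport dports 139,445
 0 0 DROP tcp -- * * 0.0.0.0/0 192.168.15.100 multiport dports 139,445
Chain fail2ban-ssh (2 references)
 pkts bytes target prot opt in out source destination
"""
# Constructed sample: the posted `arp` output (MAC redacted as posted).
ARP_OUTPUT = """\
Address HWtype HWaddress Flags Mask Iface
openwrt.lan ether 02:84:05:42:d6:XX C eth2
192.168.15.180 (incomplete) eth2
android-c788fb084c0d541 (incomplete) eth2
192.168.15.160 (incomplete) eth2
"""
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) (\S+) packets|\d+ references)")
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}  # -v abbreviates counters; -x prints exact
def count(s):
    return int(s[:-1]) * SUFFIX[s[-1]] if s[-1] in SUFFIX else int(s)

def parse_iptables(text):
    """{chain: {"policy", "policy_pkts", "rules"}}; user-defined chains get policy None."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            cur = {"policy": m.group(2), "policy_pkts": count(m.group(3) or "0"), "rules": []}
            chains[m.group(1)] = cur
            continue
        f = line.split()
        if cur is None or len(f) < 9 or f[0] == "pkts":
            continue  # column header or blank line
        cur["rules"].append({"pkts": count(f[0]), "target": f[2], "proto": f[3], "in": f[5],
                             "src": f[7], "dst": f[8], "extra": " ".join(f[9:])})
    return chains

def _matches(rule, pkt):
    """Only what -nvL shows: proto, in-iface, src/dst, dport(s), conntrack state; no '!'."""
    if rule["proto"] not in ("all", pkt["proto"]) or rule["in"] not in ("*", pkt["in"]):
        return False
    for key in ("src", "dst"):
        if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[key], strict=False):
            return False
    m = re.search(r"\bdpt:(\d+)|\bdports (\S+)", rule["extra"])
    if m and pkt.get("dport") not in {int(p) for p in (m.group(1) or m.group(2)).split(",")}:
        return False
    m = re.search(r"\b(?:ct)?state (\S+)", rule["extra"])
    return m is None or pkt.get("state", "NEW") in m.group(1).split(",")

def trace(chains, chain, pkt, path=None):
    """Walk a chain in kernel order; return (verdict, rules hit). None = implicit RETURN."""
    path = [] if path is None else path
    for i, rule in enumerate(chains[chain]["rules"], 1):
        if not _matches(rule, pkt):
            continue
        path.append(f"{chain}#{i} {rule['target']} {rule['extra']}".rstrip())
        if rule["target"] in ("ACCEPT", "DROP", "REJECT"):
            return rule["target"], path
        if rule["target"] == "RETURN":
            break
        if rule["target"] in chains:  # jump into a user chain (fail2ban-*, monitorix_*, ...)
            verdict, path = trace(chains, rule["target"], pkt, path)
            if verdict is not None:
                return verdict, path
        # LOG and any other non-terminating target fall through to the next rule
    policy = chains[chain]["policy"]
    if policy is not None:
        path.append(f"{chain} policy {policy}")
    return policy, path

def dropped_by_policy(chains):
    """Built-in chains whose DROP policy has actually eaten packets."""
    return {n: c["policy_pkts"] for n, c in chains.items() if c["policy"] == "DROP" and c["policy_pkts"]}

def lan_checks(chains, src="192.168.15.160", dst="192.168.15.100"):
    """The question's symptoms as NEW packets arriving on eth2 from a LAN host (hosts as posted)."""
    base = {"in": "eth2", "src": src, "dst": dst, "state": "NEW"}
    cases = {"ping": dict(base, proto="icmp"), "tcp-22": dict(base, proto="tcp", dport=22),
             "tcp-1234": dict(base, proto="tcp", dport=1234), "smb-445": dict(base, proto="tcp", dport=445)}
    return {name: trace(chains, "INPUT", p)[0] for name, p in cases.items()}

def unresolved_neighbours(arp_text):
    """'(incomplete)' = no ARP reply ever.  iptables never sees ARP (arptables/ebtables do),
    so these point below IP: cable, VLAN, switch isolation, wrong NIC, duplicate address."""
    return [line.split()[0] for line in arp_text.splitlines()[1:] if "(incomplete)" in line]

if __name__ == "__main__":
    chains = parse_iptables(IPTABLES_OUTPUT)
    print("policy drops :", dropped_by_policy(chains))
    print("LAN verdicts :", lan_checks(chains))
    print("no ARP reply :", unresolved_neighbours(ARP_OUTPUT))
```

On the real box feed it `iptables -nvxL` (exact counters) and `arp -n`, and re-read the counters between two pings so you can see which rule or policy moves. Two things the walk makes visible on the rules as posted: a new ICMP echo from the LAN on eth2 is accepted by the explicit icmp rule (whose counter stands at only 3 packets, so very little LAN ICMP reached the chain at all), while a new TCP connection to port 22 has no ACCEPT rule in the posted INPUT chain and ends at the DROP policy; whether that matters depends on which port sshd actually listens on, which the thread does not state. The '(incomplete)' ARP entries are the stronger lead: iptables never sees ARP, so `tcpdump -ni eth2 arp` showing requests without replies points at layer 2 rather than at the firewall.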