无忧启动论坛 (Wuyou Boot Forum)
Title: OpenWRT has lost its mind
Author: 不点 Time: 2017-10-19 10:30
Let me break an old bad habit, skip the chatter and get straight to the point: dd-wrt supports port triggering, while OpenWRT flatly refuses to!
This feature was discussed on OpenWRT's own forum many years ago, but the developers refused to take any action. They have really lost their minds!
This is an important feature; not implementing it simply will not do.
In TP-Link firmware, the "Forwarding Rules" -> "Special Applications" feature is port triggering (other routers implement the same thing too).
Unfortunately, TP-Link has lost its mind as well! Several new TP-Link models have actually stripped the "Special Applications" entry out of "Forwarding Rules"! I wonder: does TP want to smash its own signboard?
Fine, then I'll just have to buy ASUS or some other brand. Let's pray ASUS hasn't messed things up too!
Many (if not all) domestic routers based on OpenWRT do not support port triggering.
Author: 江南一根葱 Time: 2017-10-19 11:16
This feature is too "disharmonious"; for instance, with it the common folk could very conveniently use sync software to exchange sensitive files.
Author: fdsa0 Time: 2017-10-28 12:27
Could the OP describe a concrete use case?
Author: 不点 Time: 2017-10-29 08:45
Over several days there have been few replies and little interest, which shows this is a rarely used feature.
True, this feature is indeed not needed in an ordinary home. But in an environment where the router serves many computers (an office, say), it is useful.
At home you can substitute the DMZ feature, or a port mapping to a fixed internal IP address.
But DMZ (or a port mapping to a fixed IP) has a drawback: it only works for that one internal IP; it does nothing for internal machines at other IP addresses.
As for port triggering, the publicly stated use case is games. Some games need to communicate through the router with the internal network, but the internal network is blocked by the router and cannot provide services to the outside, so these games cannot run. Techniques like DMZ can solve this, but then only one internal machine can communicate normally with the outside. That is not too serious at home, since there are few computers and it is enough to fix one machine for gaming. But if several people want to play, DMZ is useless. I guess internet cafe routers need port triggering (just a guess; I have never dealt with internet cafe networking).
Is port triggering useful only for games? Can no other software use it? A moment's thought makes it obvious: impossible. As to which other software can use it, sorry, I don't want to elaborate further. I'll reveal just one thing: a problem that had long puzzled me was, quite by accident, solved with port triggering! And routers without this feature failed completely! One more reminder: if you search for port triggering in a search engine, you will find quite a few people complaining that "this feature is not implemented", along with the corresponding discussions and patches. Those people all know what port triggering is for and how important it is. If you are a network administrator (not merely of your own home network, of course; you'd have to administer a company's or a department's network to count), you presumably have some skills of your own, and then I'd guess you have at least heard of port triggering.
Some say that once a router has UPnP it no longer needs port triggering. I think that is nonsense. UPnP needs software support. If the software you use does not support UPnP, turning on UPnP in the router does nothing.
OK, to borrow the net slang: pure substance, no fluff.
Author: 2013olly Time: 2017-10-30 15:41
Last edited by 2013olly on 2017-10-30 15:42
Maybe the openwrt developers have other considerations, for example that it affects performance for users who don't use the feature, raises hardware requirements, and so on.
Doesn't grub4dos also have many features with patches that were never merged into the release?
I remember also reading somewhere that adding a new feature is relatively easy; the hard part is removing it.
Author: 不点 Time: 2017-10-31 06:13
On their forum the developers have clearly stated why the patch was not adopted: its licensing is unclear (though note that dd-wrt is open source too and manages to support port triggering, so I think the developers citing licensing is just an excuse). There is no performance problem at all, nor any hardware requirement problem. The problem is that the developers take no other measures, such as developing the feature themselves or calling on the community to develop it. In other words, the developers are perfunctory and don't take it seriously.
You mention grub4dos, but I have left its developer ranks and it is not appropriate for me to comment too much. As I remember it, during my time as maintainer grub4dos did not seem to have a "patch not accepted" problem. Some patches may have been declined because of side effects, but later a better patch was certainly accepted. Some patches were accepted at the time and we later wanted to remove them, because the patch had become obsolete; the built-in cdrom driver is one such case. Treating port triggering as an obsolete feature? That hardly seems appropriate. So you can't use grub4dos as an analogy.
Even the BIOS that grub4dos depends on is being retired, so grub4dos itself is going obsolete; therefore you can't cite grub4dos. As for me, I don't even want to develop grub4dos any more; I really am in a perfunctory frame of mind. Do the openwrt developers not want to develop openwrt any more either? Is their attitude perfunctory too? Those of us doing technical work can never be purely technical; attitude is the most important part of it. With the wrong attitude the technology will certainly fall short. With the right attitude but lacking skill, that's no big deal; the technical hurdles will be overcome sooner or later. OK, I won't ramble any further.
Author: 不点 Time: 2017-10-31 16:45
Reposting an article. I think it is a good introduction, and it was exactly what I didn't know before.
http://techguylabs.com/products/asus-routers-dd-wrt
Asus Routers with DD-WRT
Product link: Asus Routers with DD-WRT http://www.asus.com/us/site/routers/DD-WRT/
The weakest part of many routers on the market today is the firmware installed on it. It's often insecure, out of date, or unreliable, and it has led to the creation of open source alternatives including Tomato and DD-WRT. While these alternatives are free, they still require extra work after buying the router. The added complication of the installation can be a barrier for many end users. But Asus has come out with a series of routers that come with DD-WRT pre-installed.
DD-WRT is Linux-based, and has a logically structured user interface accessible from a standard web browser. Thanks to the huge user community that gives support to DD-WRT developers, security flaws and holes are found and corrected quickly. There's also extensive support and how-to guides on the DD-WRT website.
Find all of the router models with DD-WRT on Asus' website http://www.asus.com/us/site/routers/DD-WRT/
Author: 不点 Time: 2017-10-31 17:30
The link above is dead; ASUS no longer pre-installs DD-WRT. Since ASUS no longer pre-installs DD-WRT, I don't want an ASUS router any more either.
A closed-source router OS, however flashy its features, leaves security in the router manufacturer's hands, which amounts to having no security at all.
My computer's operating system is already Linux, and the router's operating system must be open source as well.
One task for the future is to get rid of the closed-source routers at home and replace them with open-source router systems.
Author: 不点 Time: 2017-10-31 18:37
I found a way to do port triggering with iptables. To guard against the original being lost, I am copying it here.
http://bbs.chinaunix.net/thread-2123503-1-1.html
Question: doing port trigger with iptables
Q:
1. I'd like to ask how to do port triggering with iptables.
2. I saw these commands online:
```bash
iptables -A FORWARD -o eth0 -j TRIGGER --trigger-type out --trigger-proto udp --trigger-match 3000 --trigger-relate 6880-6890
iptables -t nat -A PREROUTING -j TRIGGER --trigger-type dnat
```
Does anyone know what they mean?
A:
Hello. Triggering operates on two kinds of packets: output packets and input packets. The first command mainly builds a trigger list, which records trigger information for later operations. With the command as you wrote it, if an output packet is UDP with destination port 3000, it triggers opening ports 6880-6890 and creates a trigger-list entry recording mainly the original IP, the protocol, the trigger port (3000) and the opened ports (6880-6890). Input packets are handled by the second command, iptables -t nat -A PREROUTING -j TRIGGER --trigger-type dnat, which looks up the trigger list; if the packet is UDP with a destination port within 6880-6890, it performs DNAT, with the default target IP being the original IP recorded in the list.
Of course, the list has a timer; if an interface is provided, the timer's value can be changed.
Q:
What is this target mainly used for?
A:
Hello. This target is mainly used to dynamically open some ports through which the outside can actively connect to the internal network. The prerequisite, of course, is that the internal network "triggers" it.
Q:
So is this somewhat like an ALG (Application Layer Gateway), like ip_nat_ftp?
A:
Somewhat similar. In implementation, both need to record some information in order to handle later packets; in function, both exist to achieve NAT traversal.
But the concrete implementations differ clearly. An ALG targets specific protocols and its processing involves some "application-layer data"; trigger targets general protocols and, using the interfaces iptables provides, only needs the packet headers, without any processing of "application-layer data".
That is just my personal understanding; please correct any mistakes.
Q:
Thanks, the problem is solved. Now I want to add a time to it: record a time for the outgoing packet and a time for the returning packet, to set up something like a timeout. How do I do that?
A:
The program already has a timer built in. You can add a parameter to set the timer value, or set it by reading/writing a /proc file.
Author: 不点 Time: 2017-11-11 14:11
Last edited by 不点 on 2017-11-11 18:16
Port Triggering Using A NAT Firestarter Firewall And Specter In Debian/Ubuntu
Author: jeff_k Tags: debian, ubuntu
Many that play PC games, such as battle.net, need to be able to set up port triggering. Typical "hardware" routers have the ability to set this up from online menus. However, using a Linux PC to perform your router functions can provide much more control and versatility than can be realized with a "hardware" router. All of your NAT (network address translation), firewall, and port forwarding functions can be implemented by iptables, the de facto firewall in Linux versions 2.4.x and 2.6.x.
I looked online quite a lot to try to find a linux- or iptables-based port triggering setup. There was plenty on port forwarding using iptables, but not really anything on port triggering. This article provides the details to implement simple port triggering using iptables, firestarter, ULOG, Specter, and a small amount of bash scripting. ULOG is the user space logging facility that can be added onto iptables, allowing for multicasting of packets. Specter is a program that runs a daemon that allows you to initiate actions as a result of subscribing to ULOG streams. Firestarter is a firewall GUI front-end to iptables, which makes interfacing to your firewall easy. Although it appears that there has not been recent development activity of firestarter, it is still a viable, user-friendly, easily-installed package that really does not require upgrades once properly configured. The only software that you need to install to be able to implement port triggering with this method is firestarter, Specter, and a few bash scripts. My configuration uses a PC running Debian Linux (although the following instructions will work for Ubuntu as well) as the router/firewall for my home LAN, and most of the PCs in my LAN are running Windows (the gaming PCs).
I use as an example port triggering for battle.net. The main reason for this is that my son likes to host games for this, so I have a decent tester, and he has proven the setup for many months. Battle.net primarily uses tcp port 6112; the concept here is that when a PC on the internal LAN (for example, 192.168.0.102) initiates a tcp connection to the battle.net server site to start hosting a game, the PC initiates this on tcp destination port 6112. This action then "triggers" a sequence of commands that reconfigure the firewall temporarily: it enables port 6112 to be opened on the firewall, and forwards connections aimed at this port to machine 192.168.0.102, the "triggering" (hosting) machine. After a reasonable period of time, the port is closed and stealthed, dropping any packets that are routed to it to thwart any outside meddling or attacks (as usual).
Port triggering was implemented by specifying which port would be involved. Two iptables rules were added to the OUTBOUND chain, which in my setup (firestarter) is the set of rules that are jumped to from the OUTPUT chain after some screening is done on the OUTPUT traffic on the LAN. The rules perform ULOG logging output to the nlgroup 20 (an arbitrary number), matching only on TCP packets in the NEW state. When those packets are output, then Specter executes a bash file. The bash file sets up additional iptables rules and also creates lock files, so that we ensure that we do not create redundant iptables rules. Aside from setting up the port forwarding rules to the initiating PC on the LAN for incoming connections, the new iptables rules also add another ULOG output, ulog-nlgroup 21. This subscribes to packets at a very limited rate, specifically only 1/minute. This checks to make sure that the outbound traffic that initiated the connection is still active; if it is inactive for a specified amount of time (15 minutes), then the forwarding rules are eliminated, and the triggering setup is abandoned. This distinguishes port triggering from port forwarding; in port forwarding, the forwarding is implemented indefinitely, which is less secure.
Before we begin, some assumptions:
- you are using two NICs in the linux box being used as the router/firewall,
- one connected to the internet via a cable / DSL modem (I am assuming it is eth1),
- one connected to your LAN (I am assuming it is eth0).
You can check which card is which on your system by using the command:
On a typical setup possessing two cards, the output of this command should identify one card with a broadcast ID of something like "192.168.0.255" or "10.0.0.255", etc. In that case, that interface is your LAN interface and you should change what has been assumed here (eth0) to the value given by the command output. The other interface should access the internet and have a broadcast address like "255.255.255.255". If it is different from "eth1", then change eth1 to the proper value throughout this howto.
Set up Firestarter per the instructions at the following link:
http://www.debianadmin.com/secure-ubuntu-desktop-using-firestarter-firewall.html
Using its wizard, Firestarter can be easily configured to function as a router for internet connection sharing. It is essentially a GUI interface to Linux's iptables.
A feature of Firestarter is that you can insert your own custom rules into iptables. We will use this to insert two rules after the configuration script for Firestarter has been run. This is done by creating the file:
/etc/firestarter/user-post
with the following two lines in it (use your favorite editor, such as nano; or if you are using gnome, you can copy and paste these lines into a graphical editor):
```bash
$IPT -I OUTBOUND 4 -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 6112 -j ULOG --ulog-prefix "trigger write" --ulog-nlgroup 20 -m hashlimit --hashlimit 1/minute --hashlimit-burst 2 --hashlimit-mode srcip,dstport --hashlimit-name w6112
$IPT -I OUTBOUND 5 -s 192.168.0.0/24 -i eth0 -p tcp -m state --state NEW --dport 6112 -j ULOG --ulog-nlgroup 21 --ulog-prefix "initial trigger" -m hashlimit --hashlimit 1/minute --hashlimit-burst 2 --hashlimit-mode srcip,dstport --hashlimit-name n6112
```
(replace 192.168.0.0/24 with your LAN address range, and eth0 with the appropriate interface name). In order to create the file, you will need to create it as root or with root privileges.
These two iptables rules watch your LAN for outgoing packets with a destination port of 6112 (the battle.net networking port). When it sees these packets, a limited number of them are logged to user space via netlink sockets. A package which we will install next, called "Specter", subscribes to these sockets and acts upon them. Initial packets are logged to nlgroup 21, and a script is used to initiate a battle.net session by setting up port forwarding to the initiating PC. Continuing packets (regardless of whether they are in a NEW state or not) are logged to nlgroup 20, and a script is used to keep track of whether there is still activity by the initiating PC or not. Since port forwarding to an internal LAN client opens ports to the internet, it is not something that you should leave in place when you are not playing a game. As long as packets have been sent from this PC within 15 minutes, the ports are left open and forwarded. After 15 minutes of inactivity, port forwarding is stopped, the session is closed, and it is assumed the game is over. A new session can then be immediately initiated.
To install Specter in Debian or Ubuntu, issue the following command:
```bash
sudo apt-get install specter specter-mysql specter-pgsql
```
We will need to edit the config file for Specter, /etc/specter.conf, to be able to act upon the user space logging. Add the following lines to the end of this file:
```
# nlgroup 20, write to file /tmp/forward.6112 if dest port 6112 is outbound from LAN
20 {
    :BASE
    :EXEC
    command "/bin/echo %S %P %d > /tmp/forward.6112"
}
# nlgroup 21, run script initial_trigger_action if a new tcp connection to dest port 6112 is outbound from LAN
21 {
    :BASE
    :EXEC
    command "/etc/firestarter/initial_trigger_action"
}
```
Again, you will need root privileges to save this file.
The home page for Specter is at: http://joker.linuxstuff.pl/specter/
Next, create the bash script file (it also needs root ownership) and save it as:
/etc/firestarter/initial_trigger_action
That file contains the following lines:
```bash
#!/bin/bash
# file initial_trigger_action
# Initial trigger script, run by Specter for ulog-nlgroup 21 (the NEW-state rule).
# The nlgroup 20 action has already written "%S %P %d" (source IP, protocol,
# destination port) to /tmp/forward.6112. This script:
#   - checks that no lock file exists yet, then creates /tmp/trigger.6112.lock
#     (6112 = the port number being triggered on)
#   - adds a Firestarter forwarding rule for that port to the source IP
#   - schedules trigger_test_6112 via "at" to check for continued activity
#
# Wait long enough for the tmp file to be written by the nlgroup 20 action
sleep 0.5
if [ -f /tmp/forward.6112 ]; then
    # read the last line of the file: source IP, protocol, destination port
    while read -r inputline; do
        SourceIP="$(echo "$inputline" | cut -d' ' -f1)"
        Protocol="$(echo "$inputline" | cut -d' ' -f2)"
        dest_port="$(echo "$inputline" | cut -d' ' -f3)"
    done < /tmp/forward.6112
    if [ -f /tmp/trigger.6112.lock ]; then
        echo "lock file already exists!! Get rid of it"; exit 1
    else
        # write lock file
        echo "$SourceIP $dest_port $Protocol" > /tmp/trigger.6112.lock
        # add the forwarding rule through Firestarter by appending a line to
        # /etc/firestarter/inbound/forward of the format:
        #   name, port, destIP, port, comment
        # first back up the current forward file
        cp /etc/firestarter/inbound/forward /etc/firestarter/inbound/forward.backup
        # now append the new line and save forward
        echo "f$dest_port, $dest_port, $SourceIP, $dest_port, fwd$dest_port-$SourceIP" \
            | cat /etc/firestarter/inbound/forward - > /etc/firestarter/inbound/forward.tmp
        cp /etc/firestarter/inbound/forward.tmp /etc/firestarter/inbound/forward
        # restart Firestarter to activate the forwarding
        /etc/init.d/firestarter force-reload
        # next step: schedule the activity check
        at -f /etc/firestarter/trigger_test_6112 now + 5 minutes
    fi
fi
# done
```
After creating it, you will need to make it executable with the command:
```bash
sudo chmod 755 /etc/firestarter/initial_trigger_action
```
Next, create the following bash script file (it also needs root ownership) and save it as:
/etc/firestarter/trigger_test_6112
Here is the file:
```bash
#!/bin/bash
# file trigger_test_6112
# Script to test for continued trigger activity, run from the "at" command.
# /tmp/forward.6112 is rewritten by the Specter ulog-nlgroup 20 action every
# time the LAN PC sends to port 6112, so its modification time is the time of
# the last outbound activity. Steps:
#   - check that the lock file /tmp/trigger.6112.lock exists, else exit with an error
#   - read the source IP, port and protocol from the lock file
#   - if the forward file was modified recently, schedule another check and exit,
#     continuing the chain
#   - otherwise remove the Firestarter forwarding rule for the port and the lock file
#
# first step - check for lock file existence
if [ -f /tmp/trigger.6112.lock ]; then
    echo "OK, lock file exists"
else
    echo "lock file does not exist!!"; exit 1
fi
# second step - read variables from the lock file (written as "IP port protocol")
while read -r inputline; do
    SourceIP="$(echo "$inputline" | cut -d' ' -f1)"
    dest_port="$(echo "$inputline" | cut -d' ' -f2)"
    Protocol="$(echo "$inputline" | cut -d' ' -f3)"
done < /tmp/trigger.6112.lock
# next step: check when the outgoing port was last triggered
fwd_file_age=$(stat -c %Y /tmp/forward.6112)
now_time=$(date +%s)
time_diff=$((now_time - fwd_file_age))
echo " time diff = $time_diff "
# idle threshold in seconds (600 = 10 minutes as written; use 900 for the
# 15 minutes described above)
if [ "$time_diff" -ge 600 ]; then
    # remove the line added for $dest_port from the forward file; anchor the
    # pattern to the line format so no other line containing the digits is hit
    sed "/^f$dest_port, $dest_port, /d" /etc/firestarter/inbound/forward > /etc/firestarter/inbound/forward.temp
    cp /etc/firestarter/inbound/forward.temp /etc/firestarter/inbound/forward
    # restart Firestarter to de-activate the forwarding
    /etc/init.d/firestarter force-reload
    rm /tmp/trigger.6112.lock
    exit 0
fi
# still active: run again in 5 minutes to test whether forwarding should remain
at -f /etc/firestarter/trigger_test_6112 now + 5 minutes
# done
```
After creating it, you will need to make it executable with the command:
```bash
sudo chmod 755 /etc/firestarter/trigger_test_6112
```
These scripts create a few files in the /tmp directory for debugging purposes; they can be disregarded aside from the lock file (or you can modify the scripts if you like to prevent them from being created). By default, mail is sent to root when a session is initiated, and during a session, announcing the status of the session. One useful feature of Firestarter is that you can monitor who is actually connected to your LAN PCs from the outside world; when a battle.net session is functioning properly, you will see several IP addresses connected on port 6112 to your LAN PC (for example, 192.168.0.102).
A couple of notes regarding this setup: with it, you can have multiple game participants behind the firewall on your LAN, at the same time that you have external connections to the hosting PC. The key issue is that the hosting PC needs to be the first one that contacts the battle.net website (the first one that actually makes an outgoing request to port 6112). This PC is identified as the host for 15 minutes after its last attempt to contact the website, and if that PC does not follow through and become the host, but instead a different LAN PC attempts to become the host, it will not be able to until the timers in the scripts expire and the firewall closes again. This can be a source of frustration if you have eager gamers on the LAN that are not heeding this requirement. This setup does not enable (or disable) pings from the internet. That can be done separately in Firestarter. Allowing pings (ICMP) is not necessary for battle.net to work; however, it is used sometimes for troubleshooting. I prefer to make my firewall entirely stealthed when a game is not active, and I haven't gone to the trouble to change the behavior of ICMP during a game.
Also, bash/sed gurus out there will note that I am no advanced scripter -- my goal was to get something working and document it sufficiently for someone else to know what I did. I welcome suggestions for improvement of the setup; as I mentioned, I found no setups (outside of OpenWrt, and it requires specialized hardware) that would allow you to do the type of automated port triggering needed for gaming and still close the ports at the end of the game for better security. Although this setup was written for Debian/Ubuntu, it should work equally well (with properly amended installation instructions) for other flavors of Linux. The hardware requirements of the router/firewall PC, aside from needing 2 NICs, are very modest. Mine has no terminal; it's in the closet collocated with the cable modem, and I control it entirely by using remote VNC software and SSH (Putty and ultraVNC from a Windows PC).
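The iptables TRIGGER target in the chinaunix answer above and the Firestarter/Specter scripts in this post implement the same state machine: an outbound packet from a LAN host opens a temporary inbound mapping to that host, later outbound traffic restarts the timer, and the mapping is torn down after an idle period. The following Python model is an added example, not code from either source; the packets are constructed inline, the 60 s timeout for the UDP rule is an assumed value, and the "busy" result models the lock file that keeps a second LAN PC from taking over an open window.

```python
from dataclasses import dataclass

@dataclass
class TriggerRule:
    proto: str          # protocol of the outbound packet that arms the rule
    trigger_port: int   # outbound destination port watched (3000 and 6112 in this thread)
    related: range      # inbound ports then opened towards the triggering LAN host
    idle_timeout: int   # seconds of outbound silence before the mapping is torn down

class TriggerTable:
    """The trigger list with its timer: (proto, inbound port) -> (LAN IP, last seen, rule)."""
    def __init__(self, rules):
        self.rules = rules
        self.entries = {}

    def expire(self, now):
        """Drop mappings idle for at least their rule's timeout; return the removed keys."""
        gone = [k for k, (_, seen, rule) in self.entries.items() if now - seen >= rule.idle_timeout]
        for k in gone:
            del self.entries[k]
        return gone

    def outbound(self, src, proto, dport, now):
        """LAN -> internet packet: 'armed', 'refreshed', 'busy', or None if no rule matched."""
        self.expire(now)
        for rule in self.rules:
            if proto != rule.proto or dport != rule.trigger_port:
                continue
            keys = [(rule.proto, p) for p in rule.related]
            holders = {self.entries[k][0] for k in keys if k in self.entries}
            if holders and holders != {src}:
                return "busy"   # another LAN host still owns the window (the lock-file case)
            for k in keys:
                self.entries[k] = (src, now, rule)   # record the original IP, restart the timer
            return "refreshed" if holders else "armed"
        return None

    def inbound(self, proto, dport, now):
        """internet -> WAN packet: the LAN address it is DNATed to, or None (dropped)."""
        self.expire(now)
        entry = self.entries.get((proto, dport))
        return entry[0] if entry else None

def demo():
    """Run constructed packets for both setups in the thread through one table."""
    table = TriggerTable([
        TriggerRule("udp", 3000, range(6880, 6891), idle_timeout=60),       # chinaunix example
        TriggerRule("tcp", 6112, range(6112, 6113), idle_timeout=15 * 60),  # battle.net setup
    ])
    r = {}
    r["drop_before"] = table.inbound("udp", 6885, now=0)                  # None: nothing armed
    r["arm"] = table.outbound("192.168.0.102", "udp", 3000, now=1)        # 'armed'
    r["dnat"] = table.inbound("udp", 6885, now=2)                         # '192.168.0.102'
    r["drop_after"] = table.inbound("udp", 6885, now=61)                  # None: timer expired
    r["host"] = table.outbound("192.168.0.102", "tcp", 6112, now=100)     # 'armed'
    r["second"] = table.outbound("192.168.0.105", "tcp", 6112, now=101)   # 'busy'
    r["refresh"] = table.outbound("192.168.0.102", "tcp", 6112, now=800)  # 'refreshed'
    r["still"] = table.inbound("tcp", 6112, now=1600)                     # still forwarded
    r["closed"] = table.inbound("tcp", 6112, now=1700)                    # None: 15 min idle
    return r
```

Inbound packets never refresh the timer, matching the scripts above where only outbound traffic from the hosting PC keeps the window open.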
Author: sherylynn Time: 2019-4-3 14:25
Port forwarding is still pretty important; I use it quite often.
Author: flynaj Time: 2021-3-22 12:55
Having read the whole thread: for this feature, isn't upnpd more complete and better performing?