[LUG.ro] Re: [LUG.ro Mix] Iptables-dos conexiones pppoe y balance de carga (todo en uno:D)
Sebastián D. Criado
lugro@lugro.org.ar
Mon, 30 May 2005 11:36:59 -0300
--nextPart1858317.vEc4S1poZj
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Mando esto a Lugr gral ya que es el =E1mbito.
El Domingo 29 Mayo 2005 21:11, guillermo nardoni escribi=F3:
> Hola como andan muchachios, bueno les comento mi caso
> a ver que me
> aconsejan.
> tengo dos conexiones pppoe
>
> ppp0 (dhcp de arnet conectado a eth1 para pppoe)(2 mb)
> ppp1 (dhcp de ciudad (flash) conectado a eth2 para
> pppoe) (512 k)
>
> eth0:
> subred=3D 192.168.0.0
> ip: 192.168.0.1
> nm: 255.255.255.0
> dns: 200.45.191.35
> dns: 200.45.191.40
>
> eth1:
> subred: 10.0.0.0
> ip: 10.0.0.1
> nm: 255.0.0.0
>
> eth2:
> subnet: 10.0.1.0
> ip: 10.0.1.1
> nm: 255.0.0.0
>
> hay un server interno (DMZ)
> dmz: conectado por eth0
> ipdmz: 192.168.0.99
> nm: 255.255.255.0
> gateway: 192.168.0.1
> dns: 200.45.191.35
> dns: 200.45.191.40
> servicios:
> ports: 80, 6667, 7777, 2106
> la cuesti=F3n es que quiero hacer balance de carga entre
> las dos conexiones
> pppoe hay 15 terminales colgadas de las dos conexiones
> , las cualestienen
> salidas a internet.-
Lo que vos buscas tengo entendido que no se puede hacer con ADSL. Se pod=ED=
a=20
hacer con las conexiones ppp siempre y cuando el proveedor te lo permita,=20
pero no se puede con pppoe.=20
Te paso igualmente un excelente documento sobre ruteo que te va a servir
http://www.lartc.org/howto/lartc.rpdb.multiple-links.html
> agredecer=EDa una sugerencia aqu=ED dejo el archivos
> fw.nat que tengo
> actualmente (hoy por hoy, est=E1 ruteando todo por la
> conexi=F3n ppp0) .-
> y por =FAltimo y prometo no joder por un largo tiempo
> jejejejeej, que puedo
> hacer cuando las conexiones se cortar y se vuelven a
> levantar?, como las ips
> son din=E1micas no me sirve tengo que descar y cargar a
> mano nuevamente el
> firewall con los comandos fw.nat stop y fw.nat start
> respectivamente.-
Pone en el cron con el tiempo que quieras que se ejecute el siguiente scri=
pt.
pruebasl.sh
#!/bin/sh
if [ !`pidof pppoe` ]; then
/usr/sbin/adsl-start
fi
Saludos.-
>
>
> desde ya much=EDsimas gracias-
> Guillermo de Rosario-
>
>
> ARCHIVO FW.NAT (PARA RUTEAR ENTRE OTRAS COSAS:d)
>
> #!/bin/sh
>
> case "$1" in
>
> start)
>
> echo "Limpiando Todas las Reglas del Firewall...."
>
> echo 0 > /proc/sys/net/ipv4/ip_forward
>
> iptables -F
>
> iptables -t nat -F
>
> iptables -t mangle -F
>
> GAMES_PORT=3D"27015:27030"
>
> LOCAL_PORT=3D"27015"
>
> DMZ_LOCAL_IP=3D"192.168.0.1"
>
> GAMES2_PORT=3D"7777 2106 6667:7000"
>
> INET_IFACE=3D"ppp0"
>
> INET_IFACE2=3D"ppp0"
>
> #INET_IP=3D"`ifconfig $INET_IFACE | grep inet | cut -d :
> -f 2 | \ cut -d '
> ' -f 1` "
>
> INET_IP=3D"`ifconfig $INET_IFACE | grep 'inet addr' |
> awk '{print $2}' |
> sed -e 's/.*://'`"
>
> INET_IP2=3D"`ifconfig $INET_IFACE2 | grep 'inet addr' |
> awk '{print $2}' |
> sed -e 's/.*://'`"
>
> #HTTP_IP=3D"`ifconfig $INET_IFACE | grep inet | cut -d :
> -f 2 | \ cut -d '
> ' -f 1` "
>
> HTTP_IP=3D"`ifconfig $INET_IFACE | grep 'inet addr' |
> awk '{print $2}' |
> sed -e 's/.*://'`"
>
> #DNS_IP=3D"`ifconfig $INET_IFACE | grep inet | cut -d :
> -f 2 | \ cut -d ' ' -f
> 1`"
>
> DNS_IP=3D"`ifconfig $INET_IFACE | grep 'inet addr' | awk
> '{print $2}' | sed -e
> 's/.*://'`"
>
> #GAMES_IP=3D"`ifconfig $INET_IFACE | grep inet | cut -d
>
> : -f 2 | \ cut -d '
>
> ' -f 1`"
>
> GAMES_IP=3D"`ifconfig $INET_IFACE | grep 'inet addr' |
> awk '{print $2}' |
> sed -e 's/.*://'`"
>
> echo "Direccion Internet Interfaz ppp0 =3D $INET_IP"
>
> echo "Direccion Internet Interfaz ppp0 http =3D
> $HTTP_IP"
>
> echo "Direccion Internet Interfaz ppp0 dns =3D $DNS_IP"
>
> echo "Direccion Internet Interfaz ppp0 games =3D
> $GAMES_IP"
>
> echo "Direccion Internet Interfaz ppp1 =3D $INET_IP2"
>
> echo "Direccion Internet Interfaz ppp1 http =3D
> $HTTP_IP"
>
> echo "Direccion Internet Interfaz ppp1 dns =3D $DNS_IP"
>
> echo "Direccion Internet Interfaz ppp1 games =3D
> $GAMES_IP"
>
>
>
> #INET_IP=3D"194.236.50.152"
>
> #HTTP_IP=3D"194.236.50.153"
>
> #DNS_IP=3D"194.236.50.154"
>
> #INET_IFACE=3D"eth0"
>
> LAN_IP=3D"192.168.0.1/255.255.255.0"
>
> LAN_IFACE=3D"eth1"
>
> echo "Direccion Internet HOST LINUX Interfaz
> $LAN_IFACE =3D $LAN_IP"
>
> #DMZ_HTTP_IP=3D"192.168.1.2"
>
> #DMZ_DNS_IP=3D"192.168.1.3"
>
> #DMZ_GAMES_IP=3D"192.168.1.4"
>
> #DMZ_IP=3D"192.168.1.1"
>
> #DMZ_IFACE=3D"eth0:2"
>
> #echo $DMZ_IFACE
>
> DMZ_HTTP_IP=3D"192.168.0.99"
>
> DMZ_DNS_IP=3D"192.168.0.3"
>
> DMZ_GAMES_IP=3D"192.168.0.201"
>
> DMZ2_GAMES_IP=3D"192.168.0.99"
>
> DMZ_IP=3D"192.168.0.1"
>
> DMZ_IFACE=3D"eth1"
>
> echo "Interfaz DMZ =3D $DMZ_IFACE"
>
> echo "Direccion Internet Interfaz $DMZ_IFACE dns =3D
> $DMZ_DNS_IP"
>
> echo "Direccion Internet Interfaz $DMZ_IFACE games =3D
> $DMZ_GAMES_IP"
>
> echo "Direccion Internet Interfaz $DMZ_IFACE games =3D
> $DMZ2_GAMES_IP"
>
> echo "Direccion Internet Interfaz $DMZ_IFACE http =3D
> $DMZ_HTTP_IP"
>
> echo "Direccion Internet Interfaz $DMZ_IFACE ip =3D
> $DMZ_IP"
>
>
>
> LO_IFACE=3D"lo"
>
> LO_IP=3D"127.0.0.1"
>
> IPTABLES=3D"/sbin/iptables"
>
> /sbin/depmod -a
>
> /sbin/modprobe ip_tables
>
> /sbin/modprobe ip_conntrack
>
> /sbin/modprobe iptable_filter
>
> /sbin/modprobe iptable_mangle
>
> /sbin/modprobe iptable_nat
>
> /sbin/modprobe ipt_LOG
>
> /sbin/modprobe ipt_limit
>
> /sbin/modprobe ipt_state
>
> #/sbin/modprobe ipt_owner
>
> #/sbin/modprobe ipt_REJECT
>
> /sbin/modprobe ipt_MASQUERADE
>
> /sbin/modprobe ip_conntrack_ftp
>
> /sbin/modprobe ip_conntrack_irc
>
> /sbin/modprobe ip_nat_ftp
>
> /sbin/modprobe ip_nat_irc
>
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> #echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
>
> #echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
>
> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
>
> echo "Establezo reglas por defecto"
>
> $IPTABLES -P INPUT DROP
>
> $IPTABLES -P OUTPUT DROP
>
> $IPTABLES -P FORWARD DROP
>
> $IPTABLES -N bad_tcp_packets
>
> $IPTABLES -N allowed
>
> $IPTABLES -N icmp_packets
>
> echo "NEW sin SYC?. - Rechazo el paquete"
>
> $IPTABLES -A bad_tcp_packets -p tcp --tcp-flags
> SYN,ACK SYN,ACK \
>
> -m state --state NEW -j REJECT --reject-with tcp-reset
>
> $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state
> --state NEW -j LOG \
>
> --log-prefix "New not syn:"
>
> $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state
> --state NEW -j DROP
>
> $IPTABLES -A allowed -p tcp --syn -j ACCEPT
>
> $IPTABLES -A allowed -p tcp -m state --state
> ESTABLISHED,RELATED -j ACCEPT
>
> $IPTABLES -A allowed -p tcp -j DROP
>
>
>
> $IPTABLES -A icmp_packets -p icmp -s 0/0 --icmp-type 8
> -j ACCEPT
>
> $IPTABLES -A icmp_packets -p icmp -s 0/0 --icmp-type
> 11 -j ACCEPT
>
> $IPTABLES -A INPUT -p tcp -j bad_tcp_packets
>
> $IPTABLES -A INPUT -p icmp -i $INET_IFACE -j
> icmp_packets
>
> $IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j
> ACCEPT
>
> $IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d
> $DMZ_GAMES_IP -j ACCEPT
>
> $IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d
> $DMZ2_GAMES_IP -j ACCEPT
>
> $IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_DNS_IP
> -j ACCEPT
>
> $IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d
> $DMZ_HTTP_IP -j ACCEPT
>
> #$IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j
> ACCEPT
>
> $IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
>
> $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
>
> $IPTABLES -A INPUT -p tcp --dport 23 -j ACCEPT
>
>
>
>
>
> $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j
> ACCEPT
>
> $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j
> ACCEPT
>
> $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j
> ACCEPT
>
> $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j
> ACCEPT
>
> $IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67
> --sport 68 -j ACCEPT
>
> $IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state
> ESTABLISHED,RELATED \
>
> -j ACCEPT
>
> $IPTABLES -A INPUT -m limit --limit 3/minute
> --limit-burst 3 -j LOG \
>
> --log-level DEBUG --log-prefix "IPT INPUT packet died:
> "
>
>
>
> $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
>
>
>
> #
>
> # DMZ section
>
> #
>
> # General rules
>
> #
>
> #$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j
> ACCEPT
>
> #$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m
> state \
>
> #--state ESTABLISHED,RELATED -j ACCEPT
>
> #$IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j
> ACCEPT
>
> #$IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -m
> state \
>
> #--state ESTABLISHED,RELATED -j ACCEPT
>
> $IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j
> ACCEPT
>
> $IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -j
> ACCEPT
>
> $IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j
> ACCEPT
>
> $IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -j
> ACCEPT
>
>
>
> #
>
> # HTTP server
>
> #
>
> $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o
> $DMZ_IFACE -d $DMZ_HTTP_IP \
>
> --dport 80 -j allowed
>
> $IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o
> $DMZ_IFACE -d $DMZ_HTTP_IP \
>
> -j icmp_packets
>
> #
>
> # DNS server
>
> #
>
> $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o
> $DMZ_IFACE -d $DMZ_DNS_IP \
>
> --dport 53 -j allowed
>
> $IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o
> $DMZ_IFACE -d $DMZ_DNS_IP \
>
> --dport 53 -j ACCEPT
>
> $IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o
> $DMZ_IFACE -d $DMZ_DNS_IP \
>
> -j icmp_packets
>
>
>
> #
>
> # GAMES PARA LA INTERNET
>
> #
>
> #
>
> # GAMES SERVER
>
> # PUERTOS GAMES_PORT(VER)
>
> #
>
> for i in $GAMES_PORT; do
>
> echo " HACIENDO PREROUTING DEL PUERTO $i DE JUEGOS"
>
> echo " IP INTERNET=3D$INET_IP IP
> DMZ_GAMES=3D$DMZ_GAMES_IP"
>
> $IPTABLES -t nat -A PREROUTING -d $INET_IP -p tcp
> --dport $i \
>
> -j DNAT --to-destination $DMZ_GAMES_IP
>
> $IPTABLES -t nat -A PREROUTING -d $INET_IP -p udp
> --dport $i \
>
> -j DNAT --to-destination $DMZ_GAMES_IP
>
> done
>
> for i in $LOCAL_PORT; do
>
> echo " HACIENDO PREROUTING DEL PUERTO $i DE JUEGOS"
>
> echo " IP INTERNET=3D$INET_IP IP
> DMZ_LOCAL=3D$DMZ_LOCAL_IP"
>
> $IPTABLES -t nat -A PREROUTING -d $INET_IP -p tcp
> --dport $i \
>
> -j DNAT --to-destination $DMZ_LOCAL_IP
>
> $IPTABLES -t nat -A PREROUTING -d $INET_IP -p udp
> --dport $i \
>
> -j DNAT --to-destination $DMZ_LOCAL_IP
>
> done
>
>
>
> for i in $GAMES2_PORT; do
>
> echo " HACIENDO PREROUTING DEL PUERTO $i DE JUEGOS"
>
> echo " IP INTERNET=3D$INET_IP2 IP DMZ2_GAMES =3D
> $DMZ2_GAMES_IP"
>
> echo $DMZ2_GAMES_IP
>
> $IPTABLES -t nat -A PREROUTING -d $INET_IP2 -p tcp
> --dport $i \
>
> -j DNAT --to-destination $DMZ2_GAMES_IP
>
> $IPTABLES -t nat -A PREROUTING -d $INET_IP2 -p udp
> --dport $i \
>
> -j DNAT --to-destination $DMZ2_GAMES_IP
>
> done
>
>
>
> $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
>
> $IPTABLES -A FORWARD -i $DMZ_IFACE -j ACCEPT
>
> $IPTABLES -A FORWARD -p tcp --dport 21 -i $INET_IFACE
> -j ACCEPT
>
> $IPTABLES -A FORWARD -p tcp --dport 22 -i $INET_IFACE
> -j ACCEPT
>
> $IPTABLES -A FORWARD -p tcp --dport 23 -i $INET_IFACE
> -j ACCEPT
>
> $IPTABLES -A FORWARD -m state --state
> ESTABLISHED,RELATED -j ACCEPT
>
> $IPTABLES -A FORWARD -m limit --limit 3/minute
> --limit-burst 3 -j LOG \
>
> --log-level DEBUG --log-prefix "IPT FORWARD packet
> died: "
>
> $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
>
>
>
> $IPTABLES -A OUTPUT -p all -s $LO_IP -j ACCEPT
>
> $IPTABLES -A OUTPUT -p all -s $LAN_IP -j ACCEPT
>
> $IPTABLES -A OUTPUT -p all -s $INET_IP -j ACCEPT
>
>
>
> $IPTABLES -A OUTPUT -m limit --limit 3/minute
> --limit-burst 3 -j LOG \
>
> --log-level DEBUG --log-prefix "IPT OUTPUT packet
> died: "
>
> # PARA LA LAN HAGO SQUID PARA CACHEAR
>
> #
>
> $IPTABLES -t nat -A PREROUTING -p tcp -i $LAN_IFACE
> --dport 80 -j
> REDIRECT --to-port 3128
>
>
>
> $IPTABLES -t nat -A PREROUTING -p tcp -i $INET_IFACE
> -d $HTTP_IP --dport 80
> \
>
> -j DNAT --to-destination $DMZ_HTTP_IP
>
> #
>
> # PARA JUEGOS
>
> #
>
> #
>
> #$IPTABLES -t nat -A PREROUTING -p tcp -i $INET_IFACE
> -d $GAMES_IP --dport
> 27015 \
>
> #-j DNAT --to-destination $DMZ_GAMES_IP
>
> #
>
> #$IPTABLES -t nat -A PREROUTING -p tcp -i $INET_IFACE
> -d $GAMES_IP --dport
> 27016 \
>
> #-j DNAT --to-destination $DMZ_GAMES_IP
>
> #
>
> #IPTABLES -t nat -A PREROUTING -p tcp -i $INET_IFACE
> -d $GAMES_IP --dport
> 27017 \
>
> #-j DNAT --to-destination $DMZ_GAMES_IP
>
> #
>
>
>
> $IPTABLES -t nat -A PREROUTING -p tcp -i $INET_IFACE
> -d $DNS_IP --dport 53 \
>
> -j DNAT --to-destination $DMZ_DNS_IP
>
> $IPTABLES -t nat -A PREROUTING -p udp -i $INET_IFACE
> -d $DNS_IP --dport 53 \
>
> -j DNAT --to-destination $DMZ_DNS_IP
>
> echo "HACIENDO POSTROUTING DE LA LAN (SALIDAS A
> INTERNET)"
>
> $IPTABLES -t nat -A POSTROUTING -p tcp -s 0/0 --dport
> 21 -j MASQUERADE
>
> $IPTABLES -t nat -A POSTROUTING -p tcp -s 0/0 --dport
> 20 -j MASQUERADE
>
> $IPTABLES -t nat -A POSTROUTING -p tcp --dport 22 -j
> MASQUERADE
>
> $IPTABLES -t nat -A POSTROUTING -p tcp --dport 23 -j
> MASQUERADE
>
> $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT
> --to-source $INET_IP
>
>
>
> for i in $GAMES_PORT; do
>
> echo " HACIENDO POSTROUTING DEL PUERTO $i DE JUEGOS"
>
> echo " IP INTERNET=3D$INET_IP IP
> DMZ_GAMES=3D$DMZ_GAMES_IP"
>
> $IPTABLES -t nat -A POSTROUTING -p tcp -d
> 192.168.0.0/255.255.255.0 \
>
> --dport $i -j SNAT --to-source $INET_IP
>
> $IPTABLES -t nat -A POSTROUTING -p udp -d
> 192.168.0.0/255.255.255.0 \
>
> --dport $i -j SNAT --to-source $INET_IP
>
> done
>
>
> for i in $LOCAL_PORT; do
>
> echo " HACIENDO POSTROUTING DEL PUERTO $i DE JUEGOS"
>
> echo " IP INTERNET=3D$INET_IP IP
> DMZ_LOCAL=3D$DMZ_LOCAL_IP"
>
> $IPTABLES -t nat -A POSTROUTING -p tcp -d
> 192.168.0.0/255.255.255.0 \
>
> --dport $i -j SNAT --to-source $INET_IP
>
> $IPTABLES -t nat -A POSTROUTING -p udp -d
> 192.168.0.0/255.255.255.0 \
>
> --dport $i -j SNAT --to-source $INET_IP
>
> done
>
>
>
> for i in $GAMES2_PORT; do
>
> echo " HACIENDO POSTROUTING DEL PUERTO $i DE JUEGOS"
>
> echo " IP INTERNET=3D$INET_IP2 IP
> DMZ2_GAMES=3D$DMZ2_GAMES_IP"
>
> $IPTABLES -t nat -A POSTROUTING -p tcp -d
> 192.168.0.0/255.255.255.0 \
>
> --dport $i -j SNAT --to-source $INET_IP2
>
> $IPTABLES -t nat -A POSTROUTING -p udp -d
> 192.168.0.0/255.255.255.0 \
>
> --dport $i -j SNAT --to-source $INET_IP2
>
> done
>
>
>
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> ;;
>
> stop)
>
> echo "Apagando el Servicio de Firewall y Routing..."
>
> echo 0 > /proc/sys/net/ipv4/ip_forward
>
> iptables -P INPUT ACCEPT
>
> iptables -P OUTPUT ACCEPT
>
> iptables -F
>
> iptables -t nat -F
>
> iptables -t mangle -F
>
> ;;
>
> *)
>
> echo "modo de uso: ./fw.nat {start|stop}"
>
> exit 1
>
> ;;
>
> esac
>
> exit 0
>
>
>
>
>
>
>
>
>
> __________________________________________________
> Correo Yahoo!
> Espacio para todos tus mensajes, antivirus y antispam =A1gratis!
> =A1Abr=ED tu cuenta ya! - http://correo.yahoo.com.ar
> _______________________________________________
> Lugro-mix mailing list
> Lugro-mix@lugro.org.ar
> http://www.lugro.org.ar/mailman/listinfo/lugro-mix
=2D-=20
Sebasti=E1n D. Criado - scriado{en}ciudad.com.ar
L.U.G.R.o - http://www.lugro.org.ar
GNU/Linux Registered User # 146768
=2D------------------------------------------------------------------
"Si el Universo fuera un programa estar=EDa hecho en C, y correr=EDa sobre
un sistema UNIX"
An=F3nimo.
=09
--nextPart1858317.vEc4S1poZj
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQBCmyUW8hmHQ8ZCg0IRAqvWAKDAWFkcrhl1w9tjj/HFNLleufuTkwCgj8KG
KLDSCLbTp7AVaNk56elQXcs=
=zvAL
-----END PGP SIGNATURE-----
--nextPart1858317.vEc4S1poZj--