Настройка iptables для xl2tpd

[skytrain]

Добрый день.
Есть проблема. Нет пинга до ВПН клиентов и обратно.

Вариант немного нестандартный.
Есть сеть. В ней два шлюза с разными провайдерами (192.168.3.1 и 192.168.3.
Ввиду "МЕГА СТРАННОЙ" политики партии в отношении *nix один из шлюзов - роутер, другой - ....ну в общем сервер.
А фаервол на Linuxе ubuntu 12.04 на адресе 192.168.3.11
Так -же за Linuxовой машиной сеть 10.17.224.0/24
И вот нужно сделать ВПН сервер на l2tp на Linuxовой машине.

Собственно вопрос вот в чем.
Нужна ли какая либо "хитрая" настройка фаервола на ВПН сервере?

Я подозреваю что нужна, так как пакеты до ВПН клиента упрямо ДОХНУТ в НАТ-е ВПН сервера.

(Нажмите, чтобы показать/скрыть)

Jun 11 17:07:40 vpnsrv kernel: [74286.336094] POST-DST-HOSTIN= OUT=ppp0 SRC=10.200.200.1 DST=10.200.200.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=16060 SEQ=231

Пакеты через интерфейс ppp0 доходят только до -t mangle -I POSTROUTING и все....\
В нате уже ничего нет.

Я чего-то в этом вопросе конкретно не понимаю.
Согласно статьям по настройке нужно повесить маскарадинг на интерфейс по которому физически идет l2tp,
iptables  -t nat   -A POSTROUTING -o br0 -s 10.200.200.0/24 -j MASQUERADE
НО Я ПЛОХО ПОНИМАЮ ЗАЧЕМ ОНО ТУТ НУЖНО!!!? И КАКУЮ РОЛЬ ИГРАЕТ!!!!?

Выкладываю

(Нажмите, чтобы показать/скрыть)

ladmin@vpnsrv:~$ sudo cat /etc/sysctl.conf
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables
# See sysctl.conf (5) for information.
#

#kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3

##############################################################3
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0

# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=1

net.ipv4.conf.default.forwarding=1
net.ipv4.conf.all.forwarding=1

###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#

Может дело в нем?

Вот лог подключения виндовой машины.

(Нажмите, чтобы показать/скрыть)

ВоJun 11 18:23:51 vpnsrv xl2tpd[2760]: get_call: allocating new tunnel for host 188.128.95.170, port 64113.
Jun 11 18:23:51 vpnsrv xl2tpd[2760]: control_finish: message type is Start-Control-Connection-Request(1).  Tunnel is 98, call is 0.
Jun 11 18:23:51 vpnsrv xl2tpd[2760]: control_finish: sending SCCRP
Jun 11 18:23:53 vpnsrv xl2tpd[2760]: get_call: allocating new tunnel for host 188.128.95.170, port 64113.
Jun 11 18:23:53 vpnsrv xl2tpd[2760]: control_finish: message type is Start-Control-Connection-Request(1).  Tunnel is 98, call is 0.
Jun 11 18:23:53 vpnsrv xl2tpd[2760]: control_finish: Peer requested tunnel 98 twice, ignoring second one.
Jun 11 18:23:53 vpnsrv xl2tpd[2760]: build_fdset: closing down tunnel 5426
Jun 11 18:23:53 vpnsrv xl2tpd[2760]: control_finish: message type is Start-Control-Connection-Connected(3).  Tunnel is 98, call is 0.
Jun 11 18:23:53 vpnsrv xl2tpd[2760]: Connection established to 188.128.95.170, 64113.  Local: 13249, Remote: 98 (ref=0/0).  LNS session is 'default'
Jun 11 18:23:54 vpnsrv xl2tpd[2760]: control_finish: message type is Incoming-Call-Request(10).  Tunnel is 98, call is 0.
Jun 11 18:23:54 vpnsrv xl2tpd[2760]: control_finish: Sending ICRP
Jun 11 18:23:54 vpnsrv xl2tpd[2760]: control_finish: message type is Incoming-Call-Connected(12).  Tunnel is 98, call is 1.
Jun 11 18:23:54 vpnsrv xl2tpd[2760]: start_pppd: I'm running:
Jun 11 18:23:54 vpnsrv xl2tpd[2760]: "/usr/sbin/pppd"
Jun 11 18:23:54 vpnsrv xl2tpd[2760]: "passive"
Jun 11 18:23:54 vpnsrv xl2tpd[2760]: "nodetach"
Jun 11 18:23:54 vpnsrv xl2tpd[2760]: "10.200.200.1:10.200.200.2"
Jun 11 18:23:54 vpnsrv xl2tpd[2760]: "refuse-pap"
Jun 11 18:23:54 vpnsrv xl2tpd[2760]: "name"
Jun 11 18:23:54 vpnsrv xl2tpd[2760]: "vpnsrv"
Jun 11 18:23:54 vpnsrv xl2tpd[2760]: "debug"
Jun 11 18:23:54 vpnsrv xl2tpd[2760]: "file"
Jun 11 18:23:54 vpnsrv xl2tpd[2760]: "/etc/ppp/options.xl2tpd"
Jun 11 18:23:54 vpnsrv xl2tpd[2760]: "ipparam"
Jun 11 18:23:54 vpnsrv xl2tpd[2760]: "188.128.95.170"
Jun 11 18:23:54 vpnsrv xl2tpd[2760]: "/dev/pts/1"
Jun 11 18:23:54 vpnsrv xl2tpd[2760]: Call established with 188.128.95.170, Local: 44432, Remote: 1, Serial: 0
Jun 11 18:23:54 vpnsrv pppd[2820]: pppd 2.4.5 started by root, uid 0
Jun 11 18:23:54 vpnsrv pppd[2820]: using channel 2
Jun 11 18:23:54 vpnsrv pppd[2820]: Using interface ppp0
Jun 11 18:23:54 vpnsrv pppd[2820]: Connect: ppp0 <--> /dev/pts/1
Jun 11 18:23:54 vpnsrv pppd[2820]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS> <magic 0xa86c94c9> <pcomp> <accomp>]
Jun 11 18:23:54 vpnsrv pppd[2820]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS> <magic 0xa86c94c9> <pcomp> <accomp>]
Jun 11 18:23:55 vpnsrv ovpn-server[1900]: 192.168.2.1:62893 write UDPv4 []: Operation not permitted (code=1)
Jun 11 18:23:55 vpnsrv ovpn-server[1900]: 192.168.2.1:62893 write UDPv4 []: Operation not permitted (code=1)
Jun 11 18:23:56 vpnsrv pppd[2820]: rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0x52d86390> <pcomp> <accomp> <callback CBCP>]
Jun 11 18:23:56 vpnsrv pppd[2820]: sent [LCP ConfRej id=0x1 <callback CBCP>]
Jun 11 18:23:56 vpnsrv pppd[2820]: rcvd [LCP ConfReq id=0x2 <mru 1400> <magic 0x52d86390> <pcomp> <accomp>]
Jun 11 18:23:56 vpnsrv pppd[2820]: sent [LCP ConfAck id=0x2 <mru 1400> <magic 0x52d86390> <pcomp> <accomp>]
Jun 11 18:23:56 vpnsrv pppd[2820]: sent [LCP EchoReq id=0x0 magic=0xa86c94c9]
Jun 11 18:23:56 vpnsrv pppd[2820]: sent [CHAP Challenge id=0x4 <cf2e967451680a0a>, name = "l2tpd"]
Jun 11 18:23:56 vpnsrv pppd[2820]: rcvd [LCP Ident id=0x3 magic=0x52d86390 "MSRASV5.20"]
Jun 11 18:23:56 vpnsrv pppd[2820]: rcvd [LCP Ident id=0x4 magic=0x52d86390 "MSRAS-0-SRV-OD"]
Jun 11 18:23:56 vpnsrv pppd[2820]: rcvd [LCP EchoRep id=0x0 magic=0x52d86390]
Jun 11 18:23:56 vpnsrv pppd[2820]: rcvd [CHAP Response id=0x4 <0000000000000000000000000000000000000000000000000470447203dcc00b5657ddaecc15a9649737f90c2b4d586201>, name = "umo-mos"]
Jun 11 18:23:56 vpnsrv pppd[2820]: sent [CHAP Success id=0x4 "Access granted"]
Jun 11 18:23:56 vpnsrv pppd[2820]: sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Jun 11 18:23:56 vpnsrv pppd[2820]: sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 10.200.200.1>]
Jun 11 18:23:56 vpnsrv pppd[2820]: rcvd [CCP ConfReq id=0x5 <mppe +H -M -S -L -D -C>]
Jun 11 18:23:56 vpnsrv pppd[2820]: sent [CCP ConfRej id=0x5 <mppe +H -M -S -L -D -C>]
Jun 11 18:23:56 vpnsrv pppd[2820]: rcvd [IPCP ConfReq id=0x6 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-wins 0.0.0.0> <ms-dns2 0.0.0.0> <ms-wins 0.0.0.0>]
Jun 11 18:23:56 vpnsrv pppd[2820]: sent [IPCP ConfRej id=0x6 <ms-wins 0.0.0.0> <ms-wins 0.0.0.0>]
Jun 11 18:23:56 vpnsrv pppd[2820]: rcvd [CCP ConfRej id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Jun 11 18:23:56 vpnsrv pppd[2820]: sent [CCP ConfReq id=0x2]
Jun 11 18:23:56 vpnsrv pppd[2820]: rcvd [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
Jun 11 18:23:56 vpnsrv pppd[2820]: sent [IPCP ConfReq id=0x2 <addr 10.200.200.1>]
Jun 11 18:23:56 vpnsrv pppd[2820]: rcvd [CCP TermReq id=0x7"R\37777777730c\37777777620\000<\37777777715t\000\000\002\37777777734"]
Jun 11 18:23:56 vpnsrv pppd[2820]: sent [CCP TermAck id=0x7]
Jun 11 18:23:56 vpnsrv pppd[2820]: rcvd [IPCP ConfReq id=0x8 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns2 0.0.0.0>]
Jun 11 18:23:56 vpnsrv pppd[2820]: sent [IPCP ConfNak id=0x8 <addr 10.200.200.2> <ms-dns1 8.8.8.8> <ms-dns2 192.168.3.20>]
Jun 11 18:23:56 vpnsrv pppd[2820]: rcvd [IPCP ConfAck id=0x2 <addr 10.200.200.1>]
Jun 11 18:23:56 vpnsrv pppd[2820]: rcvd [IPCP ConfReq id=0x9 <addr 10.200.200.2> <ms-dns1 8.8.8.8> <ms-dns2 192.168.3.20>]
Jun 11 18:23:56 vpnsrv pppd[2820]: sent [IPCP ConfAck id=0x9 <addr 10.200.200.2> <ms-dns1 8.8.8.8> <ms-dns2 192.168.3.20>]
Jun 11 18:23:56 vpnsrv pppd[2820]: Cannot determine ethernet address for proxy ARP
Jun 11 18:23:56 vpnsrv pppd[2820]: local  IP address 10.200.200.1
Jun 11 18:23:56 vpnsrv pppd[2820]: remote IP address 10.200.200.2
Jun 11 18:23:56 vpnsrv pppd[2820]: Script /etc/ppp/ip-up started (pid 2847)
Jun 11 18:23:56 vpnsrv pppd[2820]: Script /etc/ppp/ip-up finished (pid 2847), status = 0x0
Jun 11 18:23:57 vpnsrv ntpd[2380]: Listen normally on 11 ppp0 10.200.200.1 UDP 123
Jun 11 18:23:57 vpnsrv ntpd[2380]: peers refreshed
Jun 11 18:23:57 vpnsrv ntpd[2380]: new interface(s) found: waking up resolver
Jun 11 18:23:59 vpnsrv pppd[2820]: sent [CCP ConfReq id=0x2]
Jun 11 18:23:59 vpnsrv pppd[2820]: rcvd [CCP TermAck id=0x2]
Jun 11 18:23:59 vpnsrv pppd[2820]: sent [CCP TermReq id=0x3"No compression negotiated"]
Jun 11 18:23:59 vpnsrv pppd[2820]: rcvd [CCP TermAck id=0x3"No compression negotiated"]
Jun 11 18:24:06 vpnsrv pppd[2820]: sent [LCP EchoReq id=0x1 magic=0xa86c94c9]
Jun 11 18:24:06 vpnsrv pppd[2820]: rcvd [LCP EchoRep id=0x1 magic=0x52d86390]
Jun 11 18:24:16 vpnsrv pppd[2820]: sent [LCP EchoReq id=0x2 magic=0xa86c94c9]
Jun 11 18:24:16 vpnsrv pppd[2820]: rcvd [LCP EchoRep id=0x2 magic=0x52d86390]

[skytrain]

Да... Затупил...