Часть пакетов не натится....

[jidckii]

Все привет.
Перенес маршрутизатор в гиппервизор.
После этого у меня натятся не все пакеты.
правила iptables:

Код: [Выделить]

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source хх.229.235.хх
смотрю на внешнем интерфейсе трафик:

Код: [Выделить]

emedvedev@router~10:23:44:~$ sudo tcpdump -n -i eth1 | grep 172.20.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
10:25:01.605335 IP 172.20.0.53.63922 > 45.79.82.237.80: Flags [F.], seq 1801137296, ack 2779478857, win 16362, length 0
10:25:02.150852 IP 172.20.0.53.63922 > 45.79.82.237.80: Flags [F.], seq 0, ack 1, win 16362, length 0
10:25:03.250891 IP 172.20.0.53.63922 > 45.79.82.237.80: Flags [F.], seq 0, ack 1, win 16362, length 0
10:25:05.450867 IP 172.20.0.53.63922 > 45.79.82.237.80: Flags [F.], seq 0, ack 1, win 16362, length 0
10:25:09.853043 IP 172.20.0.53.63922 > 45.79.82.237.80: Flags [F.], seq 0, ack 1, win 16362, length 0
и как видно, проскакивают пакеты у которых адрес ситочника не подменился.

С чем такое может быть связано ?
Это может быть из-за гиппервизора ?

[fisher74]

Всегда показывайте все загруженные правила

Код: [Выделить]

sudo iptables-saveв противном случае, некоторые моменты могут быть упущены

[jidckii]

Код: [Выделить]

emedvedev@router~11:38:41:~$ sudo iptables-save
# Generated by iptables-save v1.4.21 on Wed Feb 17 11:38:42 2016
*mangle
:PREROUTING ACCEPT [708739396:495814862821]
:INPUT ACCEPT [9194105:2506163795]
:FORWARD ACCEPT [697306117:493052400659]
:OUTPUT ACCEPT [5595929:2115459352]
:POSTROUTING ACCEPT [699215688:494863664915]
-A FORWARD -d 172.20.1.0/24 -j MARK --set-xmark 0xa/0xffffffff
-A FORWARD -s 172.20.1.0/24 -j MARK --set-xmark 0xb/0xffffffff
-A FORWARD -d 172.20.0.20/32 -j MARK --set-xmark 0xc/0xffffffff
-A FORWARD -s 172.20.0.20/32 -j MARK --set-xmark 0xd/0xffffffff
COMMIT
# Completed on Wed Feb 17 11:38:42 2016
# Generated by iptables-save v1.4.21 on Wed Feb 17 11:38:42 2016
*filter
:INPUT ACCEPT [10602288:2627299455]
:FORWARD ACCEPT [139263110:36633789561]
:OUTPUT ACCEPT [6386822:2188849310]
-A FORWARD -s 172.20.0.48/29 -i eth0 -j ACCEPT
-A FORWARD -d 172.20.0.48/29 -o eth0 -j ACCEPT
-A FORWARD -i ppp* -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o ppp* -j ACCEPT
-A FORWARD -i ppp* -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o ppp* -j ACCEPT
-A FORWARD -i ppp* -j DROP
-A FORWARD -o ppp* -j DROP
-A FORWARD -s 172.20.0.70/32 -d 85.12.253.217/32 -i eth0 -o eth1 -j ACCEPT
-A FORWARD -s 172.20.0.71/32 -d 85.12.253.217/32 -i eth0 -o eth1 -j ACCEPT
-A FORWARD -s 172.20.0.70/32 -d 80.78.243.47/32 -i eth0 -o eth1 -j ACCEPT
-A FORWARD -s 172.20.0.71/32 -d 80.78.243.47/32 -i eth0 -o eth1 -j ACCEPT
-A FORWARD -s 172.20.0.70/32 -i eth0 -o eth1 -j DROP
-A FORWARD -s 172.20.0.71/32 -i eth0 -o eth1 -j DROP
-A FORWARD -s 172.20.1.0/24 -i eth0 -o eth1 -p udp -m udp --dport 53 -j DROP
-A FORWARD -s 172.20.1.0/24 -i eth0 -o eth1 -p udp -m udp --sport 53 -j DROP
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -s 172.30.2.0/24 -d 172.20.0.16/32 -i eth2 -o eth0 -j ACCEPT
-A FORWARD -s 172.30.3.0/24 -d 172.20.0.16/32 -i eth2 -o eth0 -j ACCEPT
-A FORWARD -s 172.30.4.0/24 -d 172.20.0.16/32 -i eth2 -o eth0 -j ACCEPT
-A FORWARD -s 172.30.5.0/24 -d 172.20.0.16/32 -i eth2 -o eth0 -j ACCEPT
-A FORWARD -s 172.20.0.16/32 -d 172.30.2.0/24 -i eth0 -o eth2 -j ACCEPT
-A FORWARD -s 172.20.0.16/32 -d 172.30.3.0/24 -i eth0 -o eth2 -j ACCEPT
-A FORWARD -s 172.20.0.16/32 -d 172.30.4.0/24 -i eth0 -o eth2 -j ACCEPT
-A FORWARD -s 172.20.0.16/32 -d 172.30.5.0/24 -i eth0 -o eth2 -j ACCEPT
-A FORWARD -s 172.20.0.0/23 -d 172.30.2.11/32 -i eth0 -o eth2 -j ACCEPT
-A FORWARD -s 172.30.2.11/32 -d 172.20.0.0/23 -i eth2 -o eth0 -j ACCEPT
-A FORWARD -s 172.30.7.0/24 -d 172.30.2.11/32 -i eth0 -o eth2 -j ACCEPT
-A FORWARD -s 172.30.2.11/32 -d 172.30.7.0/24 -i eth2 -o eth0 -j ACCEPT
-A FORWARD -s 172.30.5.0/24 -d 172.20.0.35/32 -i eth2 -o eth0 -j ACCEPT
-A FORWARD -s 172.20.0.35/32 -d 172.30.5.0/24 -i eth0 -o eth2 -j ACCEPT
-A FORWARD -s 172.30.5.0/24 -d 172.20.0.38/32 -i eth2 -o eth0 -j ACCEPT
-A FORWARD -s 172.20.0.38/32 -d 172.30.5.0/24 -i eth0 -o eth2 -j ACCEPT
-A FORWARD -s 172.30.2.0/24 -d 172.20.0.35/32 -i eth2 -o eth0 -j ACCEPT
-A FORWARD -s 172.20.0.35/32 -d 172.30.2.0/24 -i eth0 -o eth2 -j ACCEPT
-A FORWARD -s 172.30.2.0/24 -d 172.20.0.38/32 -i eth2 -o eth0 -j ACCEPT
-A FORWARD -s 172.20.0.38/32 -d 172.30.2.0/24 -i eth0 -o eth2 -j ACCEPT
-A FORWARD -s 172.30.2.11/32 -d 77.88.8.8/32 -i eth2 -o eth1 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 77.88.8.8/32 -d 172.30.2.11/32 -i eth1 -o eth2 -p udp -m udp --sport 53 -j ACCEPT
-A FORWARD -s 172.30.2.11/32 -d 77.88.8.1/32 -i eth2 -o eth1 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 77.88.8.1/32 -d 172.30.2.11/32 -i eth1 -o eth2 -p udp -m udp --sport 53 -j ACCEPT
-A FORWARD -s 172.30.2.11/32 -d 8.8.8.8/32 -i eth2 -o eth1 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 8.8.8.8/32 -d 172.30.2.11/32 -i eth1 -o eth2 -p udp -m udp --sport 53 -j ACCEPT
-A FORWARD -s 172.30.2.11/32 -d 8.8.4.4/32 -i eth2 -o eth1 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 8.8.4.4/32 -d 172.30.2.11/32 -i eth1 -o eth2 -p udp -m udp --sport 53 -j ACCEPT
-A FORWARD -s 172.30.2.95/32 -i eth2 -j ACCEPT
-A FORWARD -d 172.30.2.95/32 -o eth2 -j ACCEPT
-A FORWARD -s 172.30.2.21/32 -d 188.254.32.148/32 -i eth2 -o eth1 -j ACCEPT
-A FORWARD -s 188.254.32.148/32 -d 172.30.2.21/32 -i eth1 -o eth2 -j ACCEPT
-A FORWARD -s 172.30.2.22/32 -d 188.254.32.148/32 -i eth2 -o eth1 -j ACCEPT
-A FORWARD -s 188.254.32.148/32 -d 172.30.2.22/32 -i eth1 -o eth2 -j ACCEPT
-A FORWARD -s 172.30.2.11/32 -d 172.30.7.0/24 -j ACCEPT
-A FORWARD -s 172.30.7.0/24 -d 172.30.2.21/32 -j ACCEPT
-A FORWARD -o eth2 -j DROP
-A FORWARD -i eth2 -j DROP
COMMIT
# Completed on Wed Feb 17 11:38:42 2016
# Generated by iptables-save v1.4.21 on Wed Feb 17 11:38:42 2016
*nat
:PREROUTING ACCEPT [15349692:1397349988]
:INPUT ACCEPT [3401262:237034292]
:OUTPUT ACCEPT [16728:1202294]
:POSTROUTING ACCEPT [903220:94971291]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 21 -j DNAT --to-destination 172.20.0.38:21
-A PREROUTING -i eth1 -p tcp -m tcp --dport 5060 -j DNAT --to-destination 172.20.0.11:5060
-A PREROUTING -i eth1 -p udp -m udp --dport 5060 -j DNAT --to-destination 172.20.0.11:5060
-A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.20.0.13:443
-A PREROUTING -i eth1 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.20.0.13:25
-A PREROUTING -i eth1 -p tcp -m tcp --dport 465 -j DNAT --to-destination 172.20.0.13:465
-A PREROUTING -i eth1 -p tcp -m tcp --dport 587 -j DNAT --to-destination 172.20.0.13:587
-A PREROUTING -i eth1 -p tcp -m tcp --dport 110 -j DNAT --to-destination 172.20.0.13:110
-A PREROUTING -i eth1 -p tcp -m tcp --dport 995 -j DNAT --to-destination 172.20.0.13:995
-A PREROUTING -i eth1 -p tcp -m tcp --dport 143 -j DNAT --to-destination 172.20.0.13:143
-A PREROUTING -i eth1 -p tcp -m tcp --dport 993 -j DNAT --to-destination 172.20.0.13:993
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 172.20.0.37:22
-A PREROUTING -i eth1 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.20.0.37:80
-A POSTROUTING -o eth1 -j SNAT --to-source xx.229.235.xx
COMMIT
# Completed on Wed Feb 17 11:38:42 2016

[kobaltd]

1) У Вас "каша" в правилах - работать будет но при :FORWARD ACCEPT столько правил с -j ACCEPT
2) покажите ip route list и ip rule list