Hi all!
I'd appreciate help with the following situation.
An OpenVPN service is set up.
On the server side there is a wired connection with a public IP; on the client side, 4G.
There is connectivity between the networks: hosts in the networks ping each other through the VPN tunnel.
I need to make a host in the OpenVPN network accessible from the Internet.
For example, imagine that there is a web server on that host.
It's a matter of NAT rules, but I can't work it out on my own..
Please advise how to solve the problem.
Network, SERVER side
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.11.1 netmask 255.255.255.192 broadcast 192.168.11.63
ether e0:d5:5e:94:cb:0f txqueuelen 1000 (Ethernet)
RX packets 7363462 bytes 10589740613 (10.5 GB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5665383 bytes 590581931 (590.5 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
em0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet XXX.XXX.76.51 netmask 255.255.255.192 broadcast XXX.XXX.76.63
ether e0:d5:5e:94:cb:0e txqueuelen 1000 (Ethernet)
RX packets 5822860 bytes 620012724 (620.0 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10172323 bytes 10848708303 (10.8 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether e0:d5:5e:94:cb:0f txqueuelen 1000 (Ethernet)
RX packets 91179 bytes 15236631 (15.2 MB)
RX errors 0 dropped 13 overruns 0 frame 0
TX packets 157818 bytes 137981842 (137.9 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 20417 bytes 1606080 (1.6 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 20417 bytes 1606080 (1.6 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 192.168.254.1 netmask 255.255.255.255 destination 192.168.254.2
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 418 bytes 35416 (35.4 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 486 bytes 35903 (35.9 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Network, CLIENT side
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.51.9 netmask 255.255.255.0 broadcast 192.168.51.255
ether b6:2a:84:fa:e4:6a txqueuelen 1000 (Ethernet)
RX packets 44469 bytes 6798093 (6.7 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 70136 bytes 75522300 (75.5 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 46
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 771967 bytes 29946191101 (29.9 GB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 771967 bytes 29946191101 (29.9 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun30: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 192.168.254.13 netmask 255.255.255.255 destination 192.168.254.14
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 569 bytes 39299 (39.2 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 521 bytes 43328 (43.3 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Routes, SERVER side
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 XXX.XXX.76.1 0.0.0.0 UG 0 0 0 em0
192.168.11.0 0.0.0.0 255.255.255.192 U 0 0 0 br0
192.168.51.0 192.168.254.2 255.255.255.0 UG 0 0 0 tun1 # route toward the Client
192.168.254.0 192.168.254.2 255.255.255.0 UG 0 0 0 tun1
192.168.254.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun1
XXX.XXX.76.0 0.0.0.0 255.255.255.192 U 0 0 0 em0
Routes, CLIENT side
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.51.1 0.0.0.0 UG 0 0 0 eth0
192.168.11.0 192.168.254.14 255.255.255.192 UG 0 0 0 tun30 # route toward the Server
192.168.51.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.254.0 192.168.254.14 255.255.255.0 UG 0 0 0 tun30
192.168.254.14 0.0.0.0 255.255.255.255 UH 0 0 0 tun30
iptables on the SERVER
# Generated by iptables-save v1.8.4 on Thu Feb 22 18:28:08 2024
*mangle
:PREROUTING ACCEPT [1499538:850768562]
:INPUT ACCEPT [8186:860125]
:FORWARD ACCEPT [1490751:849822355]
:OUTPUT ACCEPT [5388:586882]
:POSTROUTING ACCEPT [1496094:850407299]
COMMIT
# Completed on Thu Feb 22 18:28:08 2024
# Generated by iptables-save v1.8.4 on Thu Feb 22 18:28:08 2024
*nat
:PREROUTING ACCEPT [17616:1791243]
:INPUT ACCEPT [443:25392]
:OUTPUT ACCEPT [181:11587]
:POSTROUTING ACCEPT [12489:1179215]
-A PREROUTING -i em0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.11.3:21
-A POSTROUTING -s 192.168.11.0/26 -o em0 -j MASQUERADE
-A POSTROUTING -s 192.168.21.0/26 -o em0 -j MASQUERADE
-A POSTROUTING -s 192.168.254.0/24 -o em0 -j MASQUERADE
COMMIT
# Completed on Thu Feb 22 18:28:08 2024
# Generated by iptables-save v1.8.4 on Thu Feb 22 18:28:08 2024
*filter
:INPUT DROP [43:7230]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [156:17790]
:f2b-sshd - [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i tun1 -j ACCEPT
-A INPUT -i em0 -p tcp -m multiport --dports 22,443 -j ACCEPT
-A INPUT -i em0 -p udp -m udp --dport 1012 -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i em0 -p tcp -m multiport --dports 21 -j ACCEPT
-A FORWARD -i br0 -o em0 -j ACCEPT
-A FORWARD -i wlp5s0 -o em0 -j ACCEPT
-A FORWARD -i tun1 -o em0 -j ACCEPT
-A FORWARD -i tun1 -o br0 -j ACCEPT
-A FORWARD -i tun1 -o wlp5s0 -j ACCEPT
-A FORWARD -s 192.168.11.0/26 -i br0 -j ACCEPT
-A FORWARD -s 192.168.21.0/26 -i wlp5s0 -j ACCEPT
-A FORWARD -s 192.168.51.0/24 -j ACCEPT
COMMIT
# Completed on Thu Feb 22 18:28:08 2024
iptables on the CLIENT
iptables-save
# Generated by iptables-save v1.8.7 on Thu Feb 22 18:42:35 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Thu Feb 22 18:42:35 2024
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them
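One way to do this on the server, as an added example that is not part of the original post and not the poster's own configuration. It assumes a hypothetical web host 192.168.51.20 on the client LAN, that the client 192.168.51.9 forwards packets (net.ipv4.ip_forward=1, which it must already do for the cross-network pings to work), and that the web host's route to 192.168.254.0/24 goes via the client, so replies to the SNATed source address come back through the tunnel. Two things the posted server ruleset lacks for this flow: there is no FORWARD rule from em0 to tun1 (the chain policy is DROP), and without SNAT the web host would answer an Internet source address via its 4G default gateway instead of the tunnel, so the TCP handshake would never complete. The script emits the rules for review and applies them only on request.

```shell
#!/bin/sh
# Added example: publish TCP/80 of a host on the OpenVPN *client* LAN through
# the server's public interface. Not from the original post; the web host
# address and the ports are assumptions, override them via the environment.
set -eu

PUBLIC_IF="${PUBLIC_IF:-em0}"          # interface carrying the public address
VPN_IF="${VPN_IF:-tun1}"               # server end of the tunnel
VPN_SRC="${VPN_SRC:-192.168.254.1}"    # server's tun1 address, used as SNAT source
WEB_HOST="${WEB_HOST:-192.168.51.20}"  # hypothetical web host on the client LAN
PUB_PORT="${PUB_PORT:-80}"             # port exposed on the public IP
DST_PORT="${DST_PORT:-80}"             # port the web server listens on

# Emit the three rules instead of applying them, so they can be diffed and reviewed first.
gen_rules() {
    cat <<EOF
# 1. DNAT: rewrite the destination of connections arriving on $PUBLIC_IF:$PUB_PORT
iptables -t nat -A PREROUTING -i $PUBLIC_IF -p tcp --dport $PUB_PORT -j DNAT --to-destination $WEB_HOST:$DST_PORT
# 2. FORWARD: policy is DROP and nothing allows $PUBLIC_IF -> $VPN_IF; allow only this flow, new connections only
iptables -A FORWARD -i $PUBLIC_IF -o $VPN_IF -p tcp -d $WEB_HOST --dport $DST_PORT -m conntrack --ctstate NEW -j ACCEPT
# 3. SNAT: make the flow look like it comes from the server's tunnel address, so the web host
#    routes its replies back through the OpenVPN client instead of its 4G default gateway
iptables -t nat -A POSTROUTING -o $VPN_IF -d $WEB_HOST -p tcp --dport $DST_PORT -j SNAT --to-source $VPN_SRC
EOF
}

# Self-check: all three steps must be present before anything is applied.
check_rules() {
    rules=$(gen_rules)
    echo "$rules" | grep -q -- "-j DNAT --to-destination $WEB_HOST:$DST_PORT" || return 1
    echo "$rules" | grep -q -- "-o $VPN_IF .*--ctstate NEW -j ACCEPT" || return 1
    echo "$rules" | grep -q -- "-j SNAT --to-source $VPN_SRC" || return 1
    return 0
}

# Number of iptables commands the generator produces (three for one published port).
rule_count() {
    gen_rules | grep -c '^iptables'
}

# Apply the generated rules; needs root and a netfilter-capable kernel.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
    check_rules || { echo "generated rule set is incomplete" >&2; return 1; }
    gen_rules | sh
}

case "${1:-print}" in
    print) gen_rules ;;
    apply) apply_rules ;;
    *) echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

Run it without arguments to review the rules, and with `apply` as root to install them (they are not persistent; add them to whatever restores the posted iptables-save dump at boot). To verify, run `tcpdump -ni tun1 tcp port 80` on the server while fetching `http://XXX.XXX.76.51/` from outside: the packets should leave tun1 with source 192.168.254.1 and destination 192.168.51.20, and the replies should arrive on tun1. The price of the SNAT is that the web server logs 192.168.254.1 instead of the real client address; keeping the original address would require policy routing on the client side (replies from the web host's port 80 sent via tun30) instead of step 3. As with the posted port-21 forward, this exposes the host to the whole Internet, so add `-s <allowed network>` to the PREROUTING rule where access can be restricted.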