Good evening, dear forum members. I have been struggling with this for several days and still have no solution.
Given:
Problem: packets from the 192.168.1.0/24 network reach the 5.0.0.0/29 network, but refuse to come back.
Configuration:
# Generated by iptables-save v1.4.4 on Fri May 28 22:59:45 2010
*mangle
:PREROUTING ACCEPT [61776578:16711677905]
:INPUT ACCEPT [47392927:3233408190]
:FORWARD ACCEPT [14255246:13451046294]
:OUTPUT ACCEPT [46285184:120584285073]
:POSTROUTING ACCEPT [60551606:134037611535]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A POSTROUTING -o eth1 -j TTL --ttl-inc 1
COMMIT
# Completed on Fri May 28 22:59:45 2010
# Generated by iptables-save v1.4.4 on Fri May 28 22:59:45 2010
*nat
:PREROUTING ACCEPT [281745:38942466]
:POSTROUTING ACCEPT [212657:13286774]
:OUTPUT ACCEPT [206522:12939625]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25003 -j DNAT --to-destination 5.0.0.4:25003
-A PREROUTING -i eth0 -p udp -m udp --dport 25002 -j DNAT --to-destination 5.0.0.4:25002
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25001 -j DNAT --to-destination 5.0.0.4:25001
-A POSTROUTING -s 5.0.0.0/29 ! -d 5.0.0.0/29 -j MASQUERADE
COMMIT
# Completed on Fri May 28 22:59:45 2010
# Generated by iptables-save v1.4.4 on Fri May 28 22:59:45 2010
*filter
:INPUT ACCEPT [47392794:3233402058]
:FORWARD ACCEPT [14255246:13451046294]
:OUTPUT ACCEPT [46285201:120584295151]
-A INPUT -i eth1 -p tcp -m tcp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ppp0 -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ppp0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i ppp0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH --rsource -j DROP
COMMIT
# Completed on Fri May 28 22:59:45 2010
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
1.0.10.2 0.0.0.0 255.255.255.255 UH 0 0 0 ppp1
10.150.5.19 10.158.33.253 255.255.255.255 UGH 0 0 0 eth0
212.1.254.56 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
5.0.0.0 0.0.0.0 255.255.255.248 U 0 0 0 eth1
10.158.33.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 ppp1
79.120.84.0 10.158.33.253 255.255.252.0 UG 0 0 0 eth0
79.120.124.0 10.158.33.253 255.255.252.0 UG 0 0 0 eth0
77.246.96.0 10.158.33.253 255.255.248.0 UG 0 0 0 eth0
79.111.240.0 10.158.33.253 255.255.240.0 UG 0 0 0 eth0
93.182.0.0 10.158.33.253 255.255.192.0 UG 0 0 0 eth0
95.221.64.0 10.158.33.253 255.255.192.0 UG 0 0 0 eth0
79.120.64.0 10.158.33.253 255.255.192.0 UG 0 0 0 eth0
95.221.128.0 10.158.33.253 255.255.128.0 UG 0 0 0 eth0
95.220.128.0 10.158.33.253 255.255.128.0 UG 0 0 0 eth0
172.16.0.0 10.158.33.253 255.240.0.0 UG 0 0 0 eth0
10.0.0.0 10.158.33.253 255.0.0.0 UG 0 0 0 eth0
0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 ppp0
eth0 Link encap:Ethernet HWaddr 00:01:6c:ee:49:a9
inet addr:10.158.33.130 Bcast:10.158.33.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:76935645 errors:16 dropped:165 overruns:9 frame:0
TX packets:150019737 errors:0 dropped:0 overruns:5 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3924438909 (3.9 GB) TX bytes:1581414851 (1.5 GB)
Interrupt:18 Base address:0xee00
eth1 Link encap:Ethernet HWaddr 00:11:2f:3e:99:33
inet addr:5.0.0.1 Bcast:5.0.0.7 Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:24966223 errors:0 dropped:5 overruns:0 frame:0
TX packets:15607087 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1364376018 (1.3 GB) TX bytes:3070277848 (3.0 GB)
Interrupt:23 Base address:0x2c00
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:228763 errors:0 dropped:0 overruns:0 frame:0
TX packets:228763 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:653104242 (653.1 MB) TX bytes:653104242 (653.1 MB)
ppp0 Link encap:Point-to-Point Protocol
inet addr:79.111.69.143 P-t-P:212.1.254.56 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1372 Metric:1
RX packets:28758568 errors:0 dropped:0 overruns:0 frame:0
TX packets:48721334 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:3353992173 (3.3 GB) TX bytes:724462759 (724.4 MB)
ppp1 Link encap:Point-to-Point Protocol
inet addr:1.0.10.1 P-t-P:1.0.10.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:11868 errors:0 dropped:0 overruns:0 frame:0
TX packets:21295 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:13013358 (13.0 MB) TX bytes:1001084 (1.0 MB)
# Generated by iptables-save v1.2.7a on Fri May 28 19:06:28 2010
*nat
:PREROUTING ACCEPT [107158:12767085]
:POSTROUTING ACCEPT [19450:1079584]
:OUTPUT ACCEPT [5495:347467]
:VSERVER - [0:0]
-A PREROUTING -d 79.111.234.29 -j VSERVER
-A PREROUTING -d 10.157.243.19 -j VSERVER
-A POSTROUTING -s ! 79.111.234.29 -o ppp0 -j MASQUERADE
-A POSTROUTING -s ! 10.157.243.19 -o vlan1 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o br0 -j MASQUERADE
-A VSERVER -p udp -m udp --dport 52394 -j DNAT --to-destination 192.168.1.149:52394
-A VSERVER -p udp -m udp --dport 52058 -j DNAT --to-destination 192.168.1.149:52058
-A VSERVER -p udp -m udp --dport 55284 -j DNAT --to-destination 192.168.1.2:55284
-A VSERVER -p udp -m udp --dport 57793 -j DNAT --to-destination 192.168.1.149:57793
-A VSERVER -p udp -m udp --dport 64858 -j DNAT --to-destination 192.168.1.149:64858
-A VSERVER -p udp -m udp --dport 50658 -j DNAT --to-destination 192.168.1.149:50658
-A VSERVER -p udp -m udp --dport 51054 -j DNAT --to-destination 192.168.1.2:51054
-A VSERVER -p udp -m udp --dport 60021 -j DNAT --to-destination 192.168.1.149:60021
-A VSERVER -p udp -m udp --dport 54325 -j DNAT --to-destination 192.168.1.149:54325
-A VSERVER -p udp -m udp --dport 49348 -j DNAT --to-destination 192.168.1.2:49348
-A VSERVER -p udp -m udp --dport 52249 -j DNAT --to-destination 192.168.1.149:52249
-A VSERVER -p udp -m udp --dport 50590 -j DNAT --to-destination 192.168.1.2:50590
-A VSERVER -p udp -m udp --dport 58876 -j DNAT --to-destination 192.168.1.149:58876
-A VSERVER -p udp -m udp --dport 64826 -j DNAT --to-destination 192.168.1.2:64826
-A VSERVER -p udp -m udp --dport 64850 -j DNAT --to-destination 192.168.1.149:64850
-A VSERVER -p tcp -m tcp --dport 23288 -j DNAT --to-destination 192.168.1.149:23288
-A VSERVER -p udp -m udp --dport 20978 -j DNAT --to-destination 192.168.1.149:20978
-A VSERVER -p tcp -m tcp --dport 38143 -j DNAT --to-destination 192.168.1.149
-A VSERVER -p tcp -m tcp --dport 51214 -j DNAT --to-destination 192.168.1.149:51214
-A VSERVER -p tcp -m tcp --dport 6391 -j DNAT --to-destination 192.168.1.149:6391
COMMIT
# Completed on Fri May 28 19:06:28 2010
# Generated by iptables-save v1.2.7a on Fri May 28 19:06:28 2010
*mangle
:PREROUTING ACCEPT [34680735:27842274948]
:INPUT ACCEPT [3266049:325595956]
:FORWARD ACCEPT [31397345:27513636640]
:OUTPUT ACCEPT [5686463:7295077672]
:POSTROUTING ACCEPT [37129901:34827031521]
COMMIT
# Completed on Fri May 28 19:06:28 2010
# Generated by iptables-save v1.2.7a on Fri May 28 19:06:28 2010
*filter
:INPUT ACCEPT [54196:5611565]
:FORWARD ACCEPT [109573:14870791]
:OUTPUT ACCEPT [5390354:7083816889]
:MACS - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -d 224.0.0.0/240.0.0.0 -p 2 -j ACCEPT
-A INPUT -d 224.0.0.0/240.0.0.0 -p udp -m udp ! --dport 1900 -j ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -d 224.0.0.0/240.0.0.0 -p udp -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ! br0 -o ppp0 -j DROP
-A FORWARD -i ! br0 -o vlan1 -j DROP
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -o br0 -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p udp -m limit --limit 5/sec -j RETURN
-A SECURITY -p icmp -m limit --limit 5/sec -j RETURN
-A SECURITY -j DROP
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Fri May 28 19:06:28 2010
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
1.0.10.3 0.0.0.0 255.255.255.255 UH 0 0 0 ppp1
1.0.10.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp1
10.158.33.130 10.157.243.253 255.255.255.255 UGH 2 0 0 vlan1
5.0.0.0 0.0.0.0 255.255.255.248 U 0 0 0 ppp1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
10.157.243.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan1
89.20.128.0 10.157.243.253 255.255.224.0 UG 2 0 0 vlan1
213.141.128.0 10.157.243.253 255.255.224.0 UG 2 0 0 vlan1
212.1.224.0 10.157.243.253 255.255.224.0 UG 2 0 0 vlan1
172.30.0.0 10.157.243.253 255.255.0.0 UG 2 0 0 vlan1
172.28.0.0 10.157.243.253 255.254.0.0 UG 2 0 0 vlan1
172.24.0.0 10.157.243.253 255.252.0.0 UG 2 0 0 vlan1
172.16.0.0 10.157.243.253 255.248.0.0 UG 2 0 0 vlan1
10.0.0.0 10.157.243.253 255.0.0.0 UG 2 0 0 vlan1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 212.1.254.85 0.0.0.0 UG 0 0 0 ppp0
0.0.0.0 10.157.243.253 0.0.0.0 UG 1 0 0 vlan1
br0 Link encap:Ethernet HWaddr 00:24:8C:3A:BE:C8
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::224:8cff:fe3a:bec8/10 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:170885922 errors:0 dropped:0 overruns:0 frame:0
TX packets:112351400 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3961019397 (3.6 GiB) TX bytes:4110890108 (3.8 GiB)
eth0 Link encap:Ethernet HWaddr 00:24:8C:3A:BE:C8
inet6 addr: fe80::224:8cff:fe3a:bec8/10 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:284056656 errors:10543 dropped:0 overruns:683 frame:683
TX packets:283771536 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:624562053 (595.6 MiB) TX bytes:3657794848 (3.4 GiB)
Interrupt:4 Base address:0x1000
eth1 Link encap:Ethernet HWaddr 00:24:8C:3A:BE:C8
inet6 addr: fe80::224:8cff:fe3a:bec8/10 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:103303 errors:0 dropped:0 overruns:0 frame:12840014
TX packets:1049574 errors:157 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:46734241 (44.5 MiB) TX bytes:311270331 (296.8 MiB)
Interrupt:13 Base address:0x5000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
RX packets:886767 errors:0 dropped:0 overruns:0 frame:0
TX packets:886767 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:76991440 (73.4 MiB) TX bytes:76991440 (73.4 MiB)
ppp0 Link encap:Point-Point Protocol
inet addr:79.111.234.29 P-t-P:212.1.254.85 Mask:255.255.255.255
UP POINTOPOINT RUNNING MULTICAST MTU:1400 Metric:1
RX packets:9849686 errors:0 dropped:0 overruns:0 frame:0
TX packets:21015577 errors:0 dropped:3397 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:1021643553 (974.3 MiB) TX bytes:1404378238 (1.3 GiB)
ppp1 Link encap:Point-Point Protocol
inet addr:1.0.10.2 P-t-P:1.0.10.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:20087 errors:0 dropped:0 overruns:0 frame:0
TX packets:11868 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:954320 (931.9 KiB) TX bytes:13013358 (12.4 MiB)
vlan0 Link encap:Ethernet HWaddr 00:24:8C:3A:BE:C8
inet6 addr: fe80::224:8cff:fe3a:bec8/10 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:170875662 errors:0 dropped:0 overruns:0 frame:0
TX packets:112711676 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:376048791 (358.6 MiB) TX bytes:278501197 (265.5 MiB)
vlan1 Link encap:Ethernet HWaddr 00:1A:92:3A:43:7B
inet addr:10.157.243.19 Bcast:10.157.243.255 Mask:255.255.255.0
inet6 addr: fe80::21a:92ff:fe3a:437b/10 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:113180995 errors:0 dropped:0 overruns:0 frame:0
TX packets:171059857 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3725429450 (3.4 GiB) TX bytes:3379293433 (3.1 GiB)
Explanation: the VPN tunnel is 1.0.10.1:1.0.10.2, with the Linux gateway acting as the PPTP server. Both routers sit on the same provider network, but that probably doesn't matter.
[admin@root]$ traceroute 5.0.0.4
traceroute to 5.0.0.4 (5.0.0.4), 30 hops max, 38 byte packets
1 1.0.10.1 (1.0.10.1) 9.095 ms 10.093 ms 7.222 ms
2 5.0.0.4 (5.0.0.4) 7.072 ms 6.967 ms 6.949 ms
[admin@root]$ traceroute 5.0.0.1
traceroute to 5.0.0.1 (5.0.0.1), 30 hops max, 38 byte packets
1 5.0.0.1 (5.0.0.1) 9.283 ms 9.074 ms 7.119 ms
No questions here, the network is reachable.
root@myrouter:~# tt 192.168.1.149
traceroute to 192.168.1.149 (192.168.1.149), 30 hops max, 60 byte packets
1 1.0.10.2 (1.0.10.2) 7.468 ms 7.295 ms 7.226 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 *^C
root@myrouter:~# tt 192.168.1.1
traceroute to 192.168.1.1 (192.168.1.1), 30 hops max, 60 byte packets
1 192.168.1.1 (192.168.1.1) 5.270 ms 5.104 ms 9.200 ms
And here only br0 is reachable.
Honestly, my head is spinning: either the cheap router is dead, or I'm the one doing something wrong.
Could you tell me whether everything here is correct?
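To reason about which rule a packet actually hits, it helps to walk the router's FORWARD chain mechanically instead of by eye. The script below is an added example, not code from the post or from either router's firmware: a small first-match evaluator for the filter table in iptables-save syntax. It models only the matches that matter for this question (-i, -o, -p, -s, -d, `-m state --state`, `-m conntrack --ctstate`) and skips everything else (--dport, --tcp-flags, -m limit, LOG options), which is an assumption that is harmless for the FORWARD chain quoted from the post but would over-match on other tables. The ruleset embedded in the script is the router's FORWARD chain as posted; the three packets (LAN to VPN opening a flow, its reply, and a flow opened from the tunnel side) are constructed, as is the assumption about their conntrack state.

```python
"""Added example (not from the forum post): simplified first-match evaluation of the
FORWARD chain of an iptables-save filter table."""
import ipaddress
import shlex
from dataclasses import dataclass

# The router's filter table exactly as posted (iptables-save v1.2.7a), FORWARD chain only.
ROUTER_FILTER = """\
*filter
:INPUT ACCEPT [54196:5611565]
:FORWARD ACCEPT [109573:14870791]
:OUTPUT ACCEPT [5390354:7083816889]
:logdrop - [0:0]
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -d 224.0.0.0/240.0.0.0 -p udp -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ! br0 -o ppp0 -j DROP
-A FORWARD -i ! br0 -o vlan1 -j DROP
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -o br0 -j DROP
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence
-A logdrop -j DROP
COMMIT
"""


@dataclass
class Rule:
    target: str
    matches: list   # [(packet field, value, negated)]
    text: str


@dataclass
class Packet:
    in_if: str
    out_if: str
    proto: str
    src: str
    dst: str
    ctstate: str    # NEW, ESTABLISHED, RELATED, INVALID or DNAT (constructed assumption)


# iptables option -> Packet field it is compared against
FIELD_OPTS = {"-i": "in_if", "-o": "out_if", "-p": "proto", "-s": "src", "-d": "dst",
              "--state": "ctstate", "--ctstate": "ctstate"}
TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def parse_table(text):
    """Return (chains, policies): chain -> [Rule] and chain -> policy ('-' for user chains)."""
    chains, policies = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":"):                        # ':NAME POLICY [pkts:bytes]'
            name, policy = line[1:].split()[:2]
            chains[name], policies[name] = [], policy
            continue
        if not line.startswith("-A "):
            continue
        toks = shlex.split(line)
        chain, matches, target, negate, i = toks[1], [], None, False, 2
        while i < len(toks):
            tok = toks[i]
            if tok == "!":                              # new-style negation: '! -d 5.0.0.0/29'
                negate, i = True, i + 1
            elif tok == "-j":
                target, i = toks[i + 1], i + 2
            elif tok in FIELD_OPTS:
                value, i = toks[i + 1], i + 2
                if value == "!":                        # old-style negation: '-i ! br0'
                    negate, value, i = True, toks[i], i + 1
                matches.append((FIELD_OPTS[tok], value, negate))
                negate = False
            else:                                       # unmodelled option: skip it and its args
                i += 1
                while i < len(toks) and not toks[i].startswith("-") and toks[i] != "!":
                    i += 1
                negate = False
        chains.setdefault(chain, []).append(Rule(target, matches, line))
    return chains, policies


def _matches(pkt, field, value):
    have = getattr(pkt, field)
    if field in ("src", "dst"):                         # handles /29 and dotted-netmask forms
        return ipaddress.ip_address(have) in ipaddress.ip_network(value, strict=False)
    if field == "ctstate":
        return have in value.split(",")
    return have == value


def walk(chains, policies, chain, pkt, trace):
    """First-match evaluation of one chain; returns a verdict, or None on RETURN/fall-through."""
    for rule in chains.get(chain, []):
        if not all(_matches(pkt, f, v) != neg for f, v, neg in rule.matches):
            continue
        trace.append(rule.text)
        if rule.target in TERMINATING:
            return rule.target
        if rule.target == "RETURN":
            return None
        if rule.target in chains:                       # jump into a user-defined chain
            verdict = walk(chains, policies, rule.target, pkt, trace)
            if verdict:
                return verdict
        # LOG, TCPMSS, ...: non-terminating targets, keep evaluating
    policy = policies.get(chain, "-")
    return None if policy == "-" else policy


def forward_verdict(table_text, pkt):
    """Verdict for a forwarded packet plus the list of rules it matched on the way."""
    chains, policies = parse_table(table_text)
    trace = []
    return walk(chains, policies, "FORWARD", pkt, trace), trace


if __name__ == "__main__":
    cases = {
        "LAN opens flow to 5.0.0.4": Packet("br0", "ppp1", "icmp", "192.168.1.149", "5.0.0.4", "NEW"),
        "reply to that flow": Packet("ppp1", "br0", "icmp", "5.0.0.4", "192.168.1.149", "ESTABLISHED"),
        "flow opened from the tunnel side": Packet("ppp1", "br0", "udp", "1.0.10.1", "192.168.1.149", "NEW"),
    }
    for name, pkt in cases.items():
        verdict, trace = forward_verdict(ROUTER_FILTER, pkt)
        print(f"{name}: {verdict} via {trace[-1] if trace else 'chain policy'}")
```

Run it as is and it reports that a flow the LAN opens is accepted by the FORWARD policy, its reply is accepted by the RELATED,ESTABLISHED rule, and a flow opened from the tunnel side (which is what a traceroute started on the gateway toward 192.168.1.149 looks like to the router) falls through to `-o br0 -j DROP`. Extending the FIELD_OPTS table is the way to make the evaluator honest about --dport or --tcp-flags before trusting it on INPUT or nat tables.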