LINUX.ORG.RU

PPTPD VPN + ping



While setting up a VPN (pptpd) on SLES 10.1 I ran into a problem: a client connected over the VPN sees only itself and the VPN server, and the rest of the network cannot be reached. If the firewall is turned off, everything works perfectly.

The server's network and the addresses handed out to clients are in the same range (i.e. 10.2.1.0/24). Packet forwarding is enabled.

Firewall config:

FW_DEV_EXT="dsl0 ppp1 ppp0"                     # Mega hack N1
FW_DEV_INT="eth-id-00:15:17:11:c2:d8 eth-id-00:15:17:11:c2:d9"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="10.2.1.6 10.2.1.0/24,0/0,tcp,5190 10.2.1.0/24,0/0,tcp,7777"
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP="1723 80 9090 ftp ssh"
FW_SERVICES_EXT_UDP="1723 ipsec-nat-t isakmp"
FW_SERVICES_EXT_IP="esp icmp gre 50 51"         # Mega hack N2
FW_SERVICES_EXT_RPC=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP="gre"
FW_SERVICES_INT_RPC=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
FW_SERVICES_ACCEPT_EXT=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
FW_FORWARD=""
FW_FORWARD_MASQ="0/0,10.2.1.6,udp,6112,6112,89.163.35.194 0/0,10.2.1.6,tcp,6112,6112,89.163.35.194"
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="no"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
#-------------------------------------------------------
# EXPERT OPTIONS - all others please don't change these!
FW_ALLOW_FW_SOURCEQUENCH=""
FW_ALLOW_FW_BROADCAST_EXT=""
FW_ALLOW_FW_BROADCAST_INT="bootp"
FW_ALLOW_FW_BROADCAST_DMZ=""
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_ALLOW_CLASS_ROUTING=""
FW_CUSTOMRULES=""
FW_REJECT=""
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING=""
FW_IPSEC_TRUST="int"
FW_ZONES=""
FW_USE_IPTABLES_BATCH=""
FW_LOAD_MODULES=""
FW_FORWARD_ALWAYS_INOUT_DEV=""

anonymous

FW_DEV_EXT="dsl0 ppp1 ppp0"                     # Mega hack N1
FW_DEV_INT="eth-id-00:15:17:11:c2:d8 eth-id-00:15:17:11:c2:d9"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="10.2.1.6 10.2.1.0/24,0/0,tcp,5190 10.2.1.0/24,0/0,tcp,7777"
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP="1723 80 9090 ftp ssh"
FW_SERVICES_EXT_UDP="1723 ipsec-nat-t isakmp"
FW_SERVICES_EXT_IP="esp icmp gre 50 51"         # Mega hack N2
FW_SERVICES_EXT_RPC=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP="gre"
FW_SERVICES_INT_RPC=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
FW_SERVICES_ACCEPT_EXT=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
FW_FORWARD=""
FW_FORWARD_MASQ="0/0,10.2.1.6,udp,6112,6112,89.163.35.194 0/0,10.2.1.6,tcp,6112,6112,89.163.35.194"
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="no"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
#-------------------------------------------------------
# EXPERT OPTIONS - all others please don't change these!
FW_ALLOW_FW_SOURCEQUENCH=""
FW_ALLOW_FW_BROADCAST_EXT=""
FW_ALLOW_FW_BROADCAST_INT="bootp"
FW_ALLOW_FW_BROADCAST_DMZ=""
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_ALLOW_CLASS_ROUTING=""
FW_CUSTOMRULES=""
FW_REJECT=""
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING=""
FW_IPSEC_TRUST="int"
FW_ZONES=""
FW_USE_IPTABLES_BATCH=""
FW_LOAD_MODULES=""
FW_FORWARD_ALWAYS_INOUT_DEV=""

anonymous
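Added example, not from the thread and not part of SuSEfirewall2 itself: a small POSIX shell checker that reads the FW_DEV_*, FW_PROTECT_FROM_INT and FW_FORWARD variables from a SuSEfirewall2 config and reports whether a PPTP client on a pppN device has a forwarding path to a host on the LAN. It encodes the zone semantics as assumed here: forwarding from the EXT zone into INT needs an explicit FW_FORWARD (or FW_FORWARD_MASQ, which this checker does not parse) entry, while INT-to-INT traffic is routed freely when FW_ROUTE="yes" and FW_PROTECT_FROM_INT="no". The sample config it writes is constructed from the values in the posts above (ppp0/ppp1 in FW_DEV_EXT, an empty FW_FORWARD); the second variant with an FW_FORWARD entry for 10.2.1.0/24, the client address 10.2.1.200 and the LAN host 10.2.1.10 are assumptions made for the demonstration, not settings from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: checks a SuSEfirewall2 config for a
# forwarding path from a PPTP client (on a pppN device) to a LAN host.
# Zone semantics assumed: EXT -> INT forwarding needs an FW_FORWARD (or
# FW_FORWARD_MASQ, not parsed here) entry; INT -> INT is routed freely when
# FW_ROUTE="yes" and FW_PROTECT_FROM_INT="no". Only the variables reset in
# diagnose_vpn_lan are read from the config.

# ip4_to_int ADDR : dotted quad (short forms like "0" allowed) -> integer
ip4_to_int() {
    set -- $(printf '%s.0.0.0' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# net_contains NET[/PREFIX] ADDR : succeeds when ADDR lies inside NET
net_contains() {
    net=${1%%/*}
    case $1 in */*) prefix=${1##*/} ;; *) prefix=32 ;; esac
    if [ "$prefix" -eq 0 ]; then return 0; fi        # 0/0 matches everything
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    [ $(( $(ip4_to_int "$net") & mask )) -eq $(( $(ip4_to_int "$2") & mask )) ]
}

# zone_of_dev DEV : prints ext | int | dmz | unassigned from the sourced FW_DEV_*
zone_of_dev() {
    for d in $FW_DEV_EXT; do if [ "$d" = "$1" ]; then echo ext; return; fi; done
    for d in $FW_DEV_INT; do if [ "$d" = "$1" ]; then echo int; return; fi; done
    for d in $FW_DEV_DMZ; do if [ "$d" = "$1" ]; then echo dmz; return; fi; done
    echo unassigned
}

# forward_rule_covers SRC_IP DST_IP : succeeds when some FW_FORWARD entry
# "src_net,dst_net[,proto[,port]]" covers the pair (protocol and port ignored)
forward_rule_covers() {
    for rule in $FW_FORWARD; do
        rsrc=${rule%%,*}
        case $rule in
            *,*) rest=${rule#*,}; rdst=${rest%%,*} ;;
            *)   rdst=0/0 ;;
        esac
        if net_contains "$rsrc" "$1" && net_contains "$rdst" "$2"; then return 0; fi
    done
    return 1
}

# diagnose_vpn_lan CONFIG VPN_DEV LAN_DEV CLIENT_IP LAN_IP
# Sources CONFIG, prints the finding and returns 0 when a forward path exists.
diagnose_vpn_lan() {
    FW_DEV_EXT= FW_DEV_INT= FW_DEV_DMZ= FW_FORWARD= FW_PROTECT_FROM_INT=
    . "$1"
    vz=$(zone_of_dev "$2"); lz=$(zone_of_dev "$3")
    echo "$2 is in zone '$vz', $3 is in zone '$lz'"
    if [ "$vz" = int ] && [ "$lz" = int ] && [ "$FW_PROTECT_FROM_INT" = no ]; then
        echo "OK: both devices internal, int->int traffic is routed"
        return 0
    fi
    if forward_rule_covers "$4" "$5"; then
        echo "OK: an FW_FORWARD entry covers $4 -> $5"
        return 0
    fi
    echo "PROBLEM: no forward path $4 ($vz) -> $5 ($lz); clients reach only the firewall itself"
    return 1
}

# write_samples : writes two constructed config fragments and prints their directory.
# "as_posted" mirrors the thread (ppp devices in EXT, FW_FORWARD empty);
# "with_forward" is an assumed variant with an explicit LAN-to-LAN forward entry.
write_samples() {
    dir=${TMPDIR:-/tmp}/sfw2-check.$$
    mkdir -p "$dir"
    cat >"$dir/as_posted" <<'EOF'
FW_DEV_EXT="dsl0 ppp1 ppp0"
FW_DEV_INT="eth-id-00:15:17:11:c2:d8 eth-id-00:15:17:11:c2:d9"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_PROTECT_FROM_INT="no"
FW_FORWARD=""
EOF
    sed 's#^FW_FORWARD=.*#FW_FORWARD="10.2.1.0/24,10.2.1.0/24"#' \
        "$dir/as_posted" >"$dir/with_forward"
    echo "$dir"
}

# Constructed addresses: a VPN client at 10.2.1.200 trying to reach LAN host 10.2.1.10
samples=$(write_samples)
diagnose_vpn_lan "$samples/as_posted"    ppp0 eth-id-00:15:17:11:c2:d8 10.2.1.200 10.2.1.10 || :
diagnose_vpn_lan "$samples/with_forward" ppp0 eth-id-00:15:17:11:c2:d8 10.2.1.200 10.2.1.10
```

Point it at the real /etc/sysconfig/SuSEfirewall2 with the actual pppN and eth-id device names. A PROBLEM line with a nonzero exit matches the symptom in the first post: the ppp devices sit in FW_DEV_EXT, so VPN clients are in the external zone, FW_SERVICES_EXT_IP="esp icmp gre 50 51" lets them ping the firewall itself, and with FW_FORWARD empty nothing forwards them on to the eth (internal) side.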
In reply to: comment by BusTeR

SuSEfirewall2, as far as I understand, is a wrapper on top of iptables

anonymous