
не могу заставить VPN-клиентов проходить через шлюз



Здравствуйте! Схема: клиенты VPN → Интернет → шлюз (файрвол) → локальная сеть (в ней находится VPN-сервер, поднятый через pptpd). У VPN-клиента адрес динамический, он подключается через любого провайдера. В логах вижу, что запрос на внешний интерфейс шлюза проходит и принимается (input ACCEPT, правило #77), а дальше на VPN-сервер не идёт. Обратите внимание: адрес назначения x.x.x.x:1723 — это собственный внешний адрес шлюза ($IPADDR в конфиге), и с каждого клиентского порта, судя по повторам, уходит по четыре SYN без ответа. Сообщения в логах:
Dec 14 14:18:12 avto kernel: Packet log: input ACCEPT eth1 PROTO=6 195.112.226.201:1490 x.x.x.x:1723 L=48 S=0x00 I=26080 F=0x4000 T=123 SYN (#77)
Dec 14 14:18:13 avto kernel: Packet log: input ACCEPT eth1 PROTO=6 195.112.226.201:1490 x.x.x.x:1723 L=48 S=0x00 I=26336 F=0x4000 T=123 SYN (#77)
Dec 14 14:18:13 avto kernel: Packet log: input ACCEPT eth1 PROTO=6 195.112.226.201:1490 x.x.x.x:1723 L=48 S=0x00 I=26592 F=0x4000 T=123 SYN (#77)
Dec 14 14:18:14 avto kernel: Packet log: input ACCEPT eth1 PROTO=6 195.112.226.201:1490 x.x.x.x:1723 L=48 S=0x00 I=26848 F=0x4000 T=123 SYN (#77)
Dec 14 14:19:20 avto kernel: Packet log: input ACCEPT eth1 PROTO=6 195.112.226.201:1491 x.x.x.x:1723 L=48 S=0x00 I=49889 F=0x4000 T=123 SYN (#77)
Dec 14 14:19:21 avto kernel: Packet log: input ACCEPT eth1 PROTO=6 195.112.226.201:1491 x.x.x.x:1723 L=48 S=0x00 I=50145 F=0x4000 T=123 SYN (#77)
Dec 14 14:19:21 avto kernel: Packet log: input ACCEPT eth1 PROTO=6 195.112.226.201:1491 x.x.x.x:1723 L=48 S=0x00 I=50401 F=0x4000 T=123 SYN (#77)
Dec 14 14:19:22 avto kernel: Packet log: input ACCEPT eth1 PROTO=6 195.112.226.201:1491 x.x.x.x:1723 L=48 S=0x00 I=50657 F=0x4000 T=123 SYN (#77)
Dec 14 14:21:20 avto kernel: Packet log: input ACCEPT eth1 PROTO=6 195.112.226.201:1492 x.x.x.x:1723 L=48 S=0x00 I=13284 F=0x4000 T=123 SYN (#77)
Dec 14 14:21:21 avto kernel: Packet log: input ACCEPT eth1 PROTO=6 195.112.226.201:1492 x.x.x.x:1723 L=48 S=0x00 I=13540 F=0x4000 T=123 SYN (#77)
Dec 14 14:21:21 avto kernel: Packet log: input ACCEPT eth1 PROTO=6 195.112.226.201:1492 x.x.x.x:1723 L=48 S=0x00 I=13796 F=0x4000 T=123 SYN (#77)
Dec 14 14:21:22 avto kernel: Packet log: input ACCEPT eth1 PROTO=6 195.112.226.201:1492 x.x.x.x:1723 L=48 S=0x00 I=14052 F=0x4000 T=123 SYN (#77)

Форвардинг включён. Где я мог недосмотреть? Что пропустил? Всем спасибо!


Конфиг файрвола (ipchains; листинг приведён не полностью — правил для TCP/1723 и GRE в показанной части нет, и, судя по нумерации, правило #77 из лога тоже находится за её пределами)
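#!/bin/sh
#
# Gateway firewall script for ipchains (the stateless packet filter of the
# Linux 2.2-era kernels).  Policy is default-DENY on input, output and
# forward; every rule that follows is an explicit exception for traffic of
# the gateway itself.  The variables below are referenced by all later rules,
# so keep their names.
#
# NOTE(review) on the PPTP problem this script was posted with: the kernel
# log shows TCP SYNs to x.x.x.x:1723, i.e. to the gateway's OWN external
# address ($IPADDR), being ACCEPTed by input rule #77.  (The number in
# parentheses at the end of an ipchains log line is the rule's position in
# its chain; rule 77 lies beyond the part of the script that was posted.)
# A packet addressed to the gateway is delivered locally: enabling
# ip_forward does not hand it on to a pptpd that lives on the LAN.  Reaching
# an internal pptpd from outside needs a port-forward of TCP/1723 to the
# pptpd host (ipmasqadm portfw on 2.2 kernels) AND passage of the PPTP data
# channel, GRE (IP protocol 47), which has no ports and therefore cannot be
# redirected by portfw — which is why the usual advice is iptables with the
# PPTP conntrack/NAT helper.  No rule for 1723 or GRE is visible in this
# listing, so the above is inferred from the log, not read from the rules.
#
EXTERNAL_INTERFACE="eth1"    # Internet-facing interface
LOCAL_INTERFACE="eth0"       # LAN interface
LOCAL_INTERFACE1="ppp0"      # PPP (point-to-point) link.  The original comment
                             # called it "Local Net"; presumably the VPN or
                             # dial-up side — confirm.  Not used by the rules shown.
LOOPBACK_INTERFACE="lo"      # 127.0.0.1
IPADDR="x.x.x.x"             # gateway's public address on $EXTERNAL_INTERFACE
                             # (anonymised in the post)
LOCALNET_1="192.168.0.0/24"  # LAN address range
LOCALNET_2="192.168.10.0/24" # VPN-side network (pptpd clients), per original comment
#IPSECSG=""                   # IPsec / FreeS/WAN gateway — disabled, unused
#FREESWANVI=""
ANYWHERE="0/0"
NAMESERVER_1="y.y.y.y"  # DNS 1 (anonymised)
NAMESERVER_2="y.y.y.y"  # DNS 2 (anonymised)
MY_ISP="0/0"            # Placeholder.  0/0 means "anywhere", so every rule
                        # below that is scoped to $MY_ISP (ICMP echo-request,
                        # traceroute) is in fact open to the whole Internet.
                        # Put the ISP's real prefix(es) here.
SMTP_SERVER="post.krsn.ru"   # not referenced in the portion shown
POP_SERVER="mail.krsn.ru"    # POP3 host allowed for the gateway's POP client rule
POP_SERVER1="z.z.z.z"        # second POP3 host ("EKOS"), anonymised
SMTP_SERVER1="z.z.z.z"       # not referenced in the portion shown
NEWS_SERVER=""               # unused
SYSLOG_SERVER=""             # unused
LOOPBACK="127.0.0.1/8"       # the /8 mask makes this match all of 127.0.0.0/8
# RFC 1918 private ranges plus multicast and reserved space, used by the
# anti-spoofing rules.  Note that $CLASS_C contains both LOCALNET_1 and
# LOCALNET_2.
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
# Fixed: was 240.0.0.0/5, which covers only 240–247.x.x.x.  Class E
# (reserved) is 240.0.0.0/4, i.e. 240.0.0.0–255.255.255.255; the /5 left
# 248–255 acceptable as source addresses on the external interface.
CLASS_E_REZERVED_NET="240.0.0.0/4"
BROADCAST_SRC="0.0.0.0"          # "this host"; never valid as a destination
BROADCAST_DEST="255.255.255.255" # limited broadcast; never valid as a source
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"
# SSH PORTS (not referenced in the portion shown)
SSH_PORTS="1022:1023"
# TRACEROUTE: usual UDP source / destination port ranges of traceroute probes
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"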
# Start from a clean slate: flush every rule, then drop user-defined chains.
echo " Delete rules"
ipchains -F
echo " Clear rules"
ipchains -X

# Default-deny on each built-in chain.  Everything after this point is an
# explicit exception; whatever is not matched below is dropped.
echo " Setting rules default DENY"
for chain in input output forward; do
    ipchains -P "$chain" DENY
done
#ipchains -A output -f -j DENY    # (disabled) would drop all outgoing fragments

# Loopback is trusted unconditionally in both directions.
for chain in input output; do
    ipchains -A "$chain" -i "$LOOPBACK_INTERFACE" -j ACCEPT
done
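# Anti-spoofing and bogus addresses on the Internet interface.  Every rule
# here is logged (-l) so that spoofing attempts show up in the kernel log.
echo " SPOOFING & BAD ADDRESS "
# A packet arriving from the Internet that claims to come from our own address.
ipchains -A input -i $EXTERNAL_INTERFACE -s $IPADDR -j DENY -l
# RFC 1918 10.0.0.0/8: never valid as source or destination on the uplink in
# either direction (inbound dropped silently, outbound rejected).
echo " Blocing CLASS A "
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_A -j REJECT -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_A -j REJECT -l
# RFC 1918 172.16.0.0/12, same treatment.
echo " Blocing CLASS B "
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_B -j REJECT -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_B -j REJECT -l
# RFC 1918 192.168.0.0/16, same treatment.  Added: $CLASS_C was defined but
# never used, although both LOCALNET_1 and LOCALNET_2 sit inside it — so a
# packet from the Internet forging a LAN source address, or aimed directly at
# a LAN address, was not stopped by this section.  Assumes the eth1 uplink is
# not itself numbered from 192.168/16 (if it were, $IPADDR would be in this
# range) — confirm.  These four rules shift the "(#N)" numbers of later
# input and output log lines by two each.
echo " Blocing CLASS C "
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_C -j REJECT -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_C -j REJECT -l
# Loopback addresses never belong on the wire.
echo " Blocing Loopback "
ipchains -A input -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -j REJECT -l
# Limited broadcast as a source and 0.0.0.0 as a destination are bogus.
echo " Blocing BROADCAST "
ipchains -A input -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY -l
# Multicast addresses are never valid as a source.
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST -j DENY -l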


# Class E (reserved) space must never appear as a source address.
echo " Blocing CLASS E "
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_E_REZERVED_NET -j DENY -l

# Source addresses from /8 blocks that were unallocated by IANA when this list
# was written ("bogons").  NOTE(review): a static bogon list rots — to my
# knowledge every block below (1/8, 2/8, 5/8, ..., 65/8, 68–79/8, 96.0.0.0/4,
# 112–126/8, 218/8, 219/8, 220.0.0.0/6) has since been allocated, so on the
# current Internet these rules drop legitimate traffic.  Regenerate the list
# from the IANA registry or remove it.  Ranges the original author had already
# disabled (66/8, 67/8, 80.0.0.0/4, 217/8) are intentionally not listed.
# Order is the original's, so rule numbering in the log is unchanged.
echo " Blocing reserved ADDR "
for bogon in \
    1.0.0.0/8 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 23.0.0.0/8 27.0.0.0/8 \
    31.0.0.0/8 37.0.0.0/8 39.0.0.0/8 41.0.0.0/8 42.0.0.0/8 58.0.0.0/7 \
    60.0.0.0/8 \
    65.0.0.0/8 \
    68.0.0.0/8 69.0.0.0/8 70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 73.0.0.0/8 \
    74.0.0.0/8 75.0.0.0/8 76.0.0.0/8 78.0.0.0/8 79.0.0.0/8 \
    96.0.0.0/4 \
    112.0.0.0/8 113.0.0.0/8 114.0.0.0/8 115.0.0.0/8 116.0.0.0/8 \
    117.0.0.0/8 118.0.0.0/8 119.0.0.0/8 120.0.0.0/8 121.0.0.0/8 \
    122.0.0.0/8 123.0.0.0/8 124.0.0.0/8 125.0.0.0/8 126.0.0.0/8 \
    218.0.0.0/8 219.0.0.0/8 \
    220.0.0.0/6
do
    ipchains -A input -i $EXTERNAL_INTERFACE -s "$bogon" -j DENY -l
done
#-----------------------------------------------------------------
# ICMP.  With ipchains the ICMP type is written in the "source port" slot,
# so "-s $ANYWHERE 3" reads "type 3 from anywhere".
# Inbound: echo-reply (0), destination-unreachable (3), source-quench (4),
# time-exceeded (11) and parameter-problem (12) from anyone; echo-request (8)
# only from $MY_ISP.  Outbound is the mirror image.
# NOTE(review): MY_ISP is 0/0 in this configuration, so "only from the ISP"
# is in practice "from anywhere": the gateway answers pings from the whole
# Internet and reports unreachable / time-exceeded to anyone.
echo " ICMP " 
icmp_in() {
    # $1 ICMP type, $2 permitted source network
    ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
        -s "$2" "$1" -d $IPADDR -j ACCEPT
}
icmp_out() {
    # $1 ICMP type, $2 permitted destination network
    ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
        -s $IPADDR "$1" -d "$2" -j ACCEPT
}
for type in 0 3 4 11 12; do
    icmp_in "$type" $ANYWHERE
done
icmp_in 8 $MY_ISP
# Outbound rules, kept in the original order.
icmp_out 0  $MY_ISP
icmp_out 3  $MY_ISP
icmp_out 4  $ANYWHERE
icmp_out 8  $ANYWHERE
icmp_out 12 $ANYWHERE
icmp_out 11 $MY_ISP

# Traceroute probes: UDP from a high source port to 33434–33523.  Logged and
# accepted when they come from $MY_ISP, logged and denied from anyone else.
# NOTE(review): because MY_ISP is 0/0 the ACCEPT rule matches every probe and
# the DENY rule after it is unreachable; the distinction only works once
# MY_ISP holds the ISP's real prefix.
echo " Traceroute "
traceroute_rule() {
    # $1 source network, $2 target (ACCEPT or DENY)
    ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
        -s "$1" $TRACEROUTE_SRC_PORTS \
        -d $IPADDR $TRACEROUTE_DEST_PORTS -j "$2" -l
}
traceroute_rule $MY_ISP   ACCEPT
traceroute_rule $ANYWHERE DENY
# DNS served to the world: UDP/53 on the gateway is reachable from any
# unprivileged source port, and answers may go back out.
# NOTE(review): if the daemon behind this is a recursive resolver rather than
# authoritative-only, this is an open resolver (cache-poisoning surface,
# amplification abuse).  Restrict the source to the networks it should
# serve, or disable recursion — can't tell which from the script.
echo " DNS server < - > clients "
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
    -s $ANYWHERE $UNPRIVPORTS \
    -d $IPADDR 53 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
    -s $IPADDR 53 \
    -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# The gateway as a DNS client of its two configured resolvers.  UDP rules
# for both servers come first, then the TCP rules (large answers / zone
# transfers); inbound TCP is limited to non-SYN segments (! -y) so that the
# resolver cannot open connections towards us.  Being stateless, this still
# admits any non-SYN TCP segment from <resolver>:53 to any unprivileged port.
echo " DNS client 53 "
for ns in $NAMESERVER_1 $NAMESERVER_2; do
    ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
        -s $ns 53 \
        -d $IPADDR $UNPRIVPORTS -j ACCEPT
    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
        -s $IPADDR $UNPRIVPORTS \
        -d $ns 53 -j ACCEPT
done
for ns in $NAMESERVER_1 $NAMESERVER_2; do
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
        -s $ns 53 \
        -d $IPADDR $UNPRIVPORTS -j ACCEPT
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
        -s $IPADDR $UNPRIVPORTS \
        -d $ns 53 -j ACCEPT
done
#
# Outbound TCP client access from the gateway itself.  For each service the
# gateway may open a connection from an unprivileged port to <server>:<port>,
# and reply segments (non-SYN only, "! -y") may come back.  This is the
# stateless-ipchains idiom and its weakness: any TCP segment without SYN
# whose source port is 80 or 443, from anywhere, reaches every unprivileged
# port on the gateway whether or not we started the conversation.  Only a
# stateful filter (iptables connection tracking) removes that.
#
tcp_client() {
    # $1 label echoed while loading, $2 server address, $3 server port
    echo "$1"
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
        -s "$2" "$3" \
        -d $IPADDR $UNPRIVPORTS -j ACCEPT
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
        -s $IPADDR $UNPRIVPORTS \
        -d "$2" "$3" -j ACCEPT
}
tcp_client " HTTP client "    $ANYWHERE   80    # plain HTTP to any web server
tcp_client " HTTPS client "   $ANYWHERE   443   # TLS to any web server
tcp_client " POP client "     $POP_SERVER 110   # only mail.krsn.ru
tcp_client " POP client EKOS" $POP_SERVER1 110  # second POP3 host ("EKOS")
#


Не надо демонстрировать свои скрипты — нужно перейти на iptables + соответствующие патчи из patch-o-matic. Причина: PPTP, помимо TCP/1723, использует GRE (IP-протокол 47, без портов); штатный ipmasqadm portfw для ipchains работает только с TCP/UDP и пробросить GRE на внутренний pptpd не может, а conntrack/NAT-хелпер для PPTP из patch-o-matic это умеет. В этом форуме всё это неоднократно обсуждалось, используйте поиск.
