flybee27
13-11-2015, 17:55
Здравствуйте, форумчане
Проблема в том, что не видно локалку за сервером OpenVPN. Настроено на Debian, фаерволом (надстройкой над iptables) является Shorewall.
Пинг с подключенного клиента проходит только на 10.0.0.2 (локальный IP сервера) и дальше не идет. Из локалки за серваком могу пропинговать 10.0.1.1 — VPN-сервер, а пинг на подключенного клиента тоже не проходит.
Сервер (eth0: 192.168.1.3 — смотрит в сторону провайдера, eth1: 10.0.0.2 — смотрит в локалку, ppp0 — соединение с провайдером 62.xxx.xxx.xxx, tap0: 10.0.1.1 — VPN-интерфейс).
ниже схема рисунком.
http://f19.ifotki.info/thumb/f30d473499924c8cb50edfff7f7b6e4b3edd2b230085032.jpg (http://i-fotki.info/19/f30d473499924c8cb50edfff7f7b6e4b3edd2b230085032.jpg.html)
Изначально ставилась задача поднять VPN для RDP- и SIP-соединений.
#
# OpenVPN server configuration as posted. Review comments added; every
# directive line is left exactly as it was.
#
# Listen on the provider-facing public address, UDP/1194. The Shorewall
# net2fw chain in the iptables dump below accepts udp dpt:1194, so the
# firewall side matches this.
local 62.221.43.14
port 1194
proto udp
# Layer-2 (TAP) tunnel rather than a routed TUN device; the server end shows
# up as tap0 / 10.0.1.1 in the ifconfig output below.
dev tap
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
# NOTE(review): 1024-bit DH parameters are below current recommendations;
# regenerate with at least 2048 bits the next time this deployment is touched.
dh /etc/openvpn/keys/dh1024.pem
# Tunnel subnet 10.0.1.0/24; the server takes the first address (10.0.1.1).
server 10.0.1.0 255.255.255.0
# Ping the peer every 10 s; consider it dead after 120 s of silence.
keepalive 10 120
ping-timer-rem
# Client-to-client traffic is switched inside the OpenVPN process, so it does
# not pass through the kernel firewall (the Shorewall vpn2vpn chain below
# will not see it).
client-to-client
# Keep the tap device and key material across restarts -- required because
# privileges are dropped to nobody/nogroup further down.
persist-tun
persist-key
# NOTE(review): this pushes the tunnel subnet itself, which the `server`
# directive already configures on the client, and it does not push the LAN
# behind eth1 (10.0.0.0/24). The Windows route table later in the post does
# show 10.0.0.0/8 via 10.0.1.1, so that route presumably comes from a ccd
# file or was added by hand -- verify on the client.
push "route 10.0.1.0 255.255.255.0"
client-config-dir ccd
# Drop privileges after start-up.
user nobody
group nogroup
# Extra HMAC on the control channel; the server uses key direction 0.
tls-auth /etc/openvpn/keys/ta.key 0
# NOTE(review): compression of tunnelled traffic; leave it off unless the link
# actually needs it.
comp-lzo
#topology subnet
status openvpn-status.log
verb 4
eth0 Link encap:Ethernet HWaddr 80:1f:02:30:1d:30
inet addr:192.168.1.3 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::821f:2ff:fe30:1d30/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:303977981 errors:0 dropped:3 overruns:0 frame:0
TX packets:196619808 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:382732174307 (356.4 GiB) TX bytes:38789120146 (36.1 GiB)
Interrupt:41 Base address:0x2000
eth1 Link encap:Ethernet HWaddr 50:46:5d:69:c9:55
inet addr:10.0.0.2 Bcast:10.255.255.255 Mask:255.0.0.0
inet6 addr: fe80::5246:5dff:fe69:c955/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:200935254 errors:0 dropped:0 overruns:0 frame:0
TX packets:300872213 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:38068384875 (35.4 GiB) TX bytes:380316272918 (354.1 GiB)
Interrupt:42 Base address:0x2000
ppp0 Link encap:Point-to-Point Protocol
inet addr:62.XXX.XXX.XXX P-t-P:213.227.254.162 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:303893501 errors:0 dropped:0 overruns:0 frame:0
TX packets:196585074 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:376040172687 (350.2 GiB) TX bytes:34463900464 (32.0 GiB)
tap0 Link encap:Ethernet HWaddr 92:0e:2e:87:2e:3e
inet addr:10.0.1.1 Bcast:10.0.1.255 Mask:255.255.255.0
inet6 addr: fe80::900e:2eff:fe87:2e3e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:554 errors:0 dropped:0 overruns:0 frame:0
TX packets:68 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:64132 (62.6 KiB) TX bytes:4996 (4.8 KiB)
#
# Shorewall configuration as posted: several files are run together with
# their headers dropped and column spacing lost. Reading them in order they
# appear to be zones, interfaces, masq and policy. Review comments added;
# every configuration line is left exactly as it was.
#
# --- zones (ZONE TYPE): fw = this host, net = Internet, loc = LAN behind
#     eth1, vpn = OpenVPN clients.
ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
loc ipv4
vpn ipv4
# --- interfaces (ZONE INTERFACE BROADCAST OPTIONS): the net zone is the
#     PPPoE link, loc is eth1, vpn is any tap device (tap+).
net ppp0 detect dhcp,tcpflags,nosmurfs,routefilter,logmartians,norfc1918
loc eth1 detect tcpflags,nosmurfs,routefilter,logmartians,blacklist
vpn tap+
# --- masq (INTERFACE[:DEST] SOURCE [ADDRESS]): first line NATs the LAN
#     out to the Internet via ppp0.
ppp0 eth1
# NOTE(review): read as a masq entry, this SNATs packets leaving eth1 that are
# *destined to* 10.0.1.0/24 from 10.0.0.0/24. Per the server's route table
# further down, 10.0.1.0/24 is reached via tap0, not eth1, so this line should
# never match. If the intent was to hide VPN clients behind the server's LAN
# address so that LAN hosts need no return route, the entry would read
# `eth1 10.0.1.0/24`. Otherwise every LAN host needs a route to 10.0.1.0/24
# via 10.0.0.2 (or the server as its default gateway) -- which is consistent
# with the symptom that only 10.0.0.2 answers from the VPN side.
eth1:10.0.1.0/24 10.0.0.0/24
# --- policy (SOURCE DEST POLICY): LAN and the firewall itself may reach
#     anything; vpn<->loc and vpn<->fw are fully open; Internet-originated
#     traffic is dropped; everything else is rejected.
loc all ACCEPT
$FW all ACCEPT
#net all DROP
#OpenVPN
# NOTE(review): `vpn loc ACCEPT` gives every VPN client unrestricted access to
# the whole LAN. The stated goal is RDP and SIP only, so a `vpn loc DROP`
# policy plus rules-file entries for just those services would be the
# least-privilege form once connectivity works.
vpn loc ACCEPT
loc vpn ACCEPT
vpn $FW ACCEPT
$FW vpn ACCEPT
net all DROP
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT
Destination Gateway Genmask Flags Metric Ref Use Iface
default * 0.0.0.0 U 0 0 0 ppp0
10.0.0.0 * 255.0.0.0 U 0 0 0 eth1
10.0.1.0 * 255.255.255.0 U 0 0 0 tap0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
l0.asr01-kh.khe * 255.255.255.255 UH 0 0 0 ppp0
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
702K 701M net2fw all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
371K 87M loc2fw all -- eth1 * 0.0.0.0/0 0.0.0.0/0
2 120 vpn2fw all -- tap0 * 0.0.0.0/0 0.0.0.0/0
272 17142 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
99 11880 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
10M 14G net_frwd all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
7269K 543M loc_frwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0
1 60 vpn_frwd all -- tap0 * 0.0.0.0/0 0.0.0.0/0
2336 206K Reject all -- * * 0.0.0.0/0 0.0.0.0/0
2336 206K reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
319K 87M fw2net all -- * ppp0 0.0.0.0/0 0.0.0.0/0
601K 701M fw2loc all -- * eth1 0.0.0.0/0 0.0.0.0/0
2 120 fw2vpn all -- * tap0 0.0.0.0/0 0.0.0.0/0
218 12822 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain Broadcast (2 references)
pkts bytes target prot opt in out source destination
99 11880 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type ANYCAST
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/4
Chain Drop (3 references)
pkts bytes target prot opt in out source destination
155K 8955K all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 /* Auth */
155K 8955K Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3 code 4 /* Needed ICMP types */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11 /* Needed ICMP types */
155K 8955K Invalid all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445 /* SMB */
2 156 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535 /* SMB */
1 40 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,139,445 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900 /* UPnP */
71285 3647K NotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
1 73 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 /* Late DNS Replies */
Chain Invalid (2 references)
pkts bytes target prot opt in out source destination
828 40587 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
Chain NotSyn (2 references)
pkts bytes target prot opt in out source destination
10 1652 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags:! 0x17/0x02
Chain Reject (2 references)
pkts bytes target prot opt in out source destination
2435 218K all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 /* Auth */
2435 218K Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3 code 4 /* Needed ICMP types */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11 /* Needed ICMP types */
2336 206K Invalid all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445 /* SMB */
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 /* SMB */
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535 /* SMB */
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,139,445 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900 /* UPnP */
327 16992 NotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 /* Late DNS Replies */
Chain blacklst (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 10.0.0.31 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.48 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.64 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.76 0.0.0.0/0
626 46996 DROP all -- * * 10.0.0.108 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.221 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.222 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.223 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.224 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.225 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.226 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.227 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.229 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.230 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.231 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.232 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.233 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.234 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.235 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.236 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.237 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.238 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.239 0.0.0.0/0
71 5564 DROP all -- * * 10.0.0.240 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.241 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.242 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.243 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.244 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.245 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.246 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.247 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.248 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.249 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.250 0.0.0.0/0
Chain dynamic (10 references)
pkts bytes target prot opt in out source destination
Chain fw2loc (1 references)
pkts bytes target prot opt in out source destination
601K 701M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:69 /* TFTP */
127 28156 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
297K 86M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:1194
7401 444K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
15087 994K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 /* DNS */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 /* DNS */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2vpn (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
2 120 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2fw (1 references)
pkts bytes target prot opt in out source destination
48680 3319K blacklst all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
47983 3267K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
47983 3267K smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
327K 84M tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
322K 84M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:69 /* TFTP */
7590 411K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3128 ctorigdstport 80
31331 2066K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 /* DNS */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 /* DNS */
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 /* SSH */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Ping */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Ping */
9062 790K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
206K 17M dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
206K 17M smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
6809K 422M tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
7060K 526M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
206K 17M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2vpn (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
0 0 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc_frwd (1 references)
pkts bytes target prot opt in out source destination
209K 17M blacklst all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
7266K 543M loc2net all -- * ppp0 0.0.0.0/0 0.0.0.0/0
0 0 loc2vpn all -- * tap0 0.0.0.0/0 0.0.0.0/0
Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logflags (5 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 4 level 6 prefix "Shorewall:logflags:DROP:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
155K 8955K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
155K 8955K smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
600K 692M tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
547K 692M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
3 168 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 /* SSH */
5 252 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Ping */
155K 8955K Drop all -- * * 0.0.0.0/0 0.0.0.0/0
154K 8912K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2loc (1 references)
pkts bytes target prot opt in out source destination
1472 79012 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
1472 79012 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
9365K 13G tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
10M 14G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
54 5765 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.8 tcp dpt:3389 ctorigdstport 63389
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.17 tcp dpt:3389 ctorigdstport 63390
981 50996 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.3 tcp dpt:21 /* FTP */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.41 tcp dpt:80 ctorigdstport 3232
216 10884 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.7 tcp dpt:80 /* Web */
205 10656 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.7 tcp dpt:443 /* Web */
0 0 ACCEPT udp -- * * 0.0.0.0/0 10.0.0.16 udp dpt:5060 ctorigdstport 35060
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.16 tcp dpt:22 ctorigdstport 63395
16 711 ACCEPT udp -- * * 0.0.0.0/0 10.0.0.16 udp dpts:10000:20000
0 0 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2vpn (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
0 0 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net_frwd (1 references)
pkts bytes target prot opt in out source destination
10M 14G net2loc all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 net2vpn all -- * tap0 0.0.0.0/0 0.0.0.0/0
Chain reject (9 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type BROADCAST
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
0 0 DROP 2 -- * * 0.0.0.0/0 0.0.0.0/0
327 16992 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
2009 189K REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
Chain smurflog (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:smurfs:DROP:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain smurfs (6 references)
pkts bytes target prot opt in out source destination
14 4659 RETURN all -- * * 0.0.0.0 0.0.0.0/0
0 0 smurflog all -- * * 0.0.0.0/0 0.0.0.0/0 [goto] ADDRTYPE match src-type BROADCAST
0 0 smurflog all -- * * 224.0.0.0/4 0.0.0.0/0 [goto]
Chain tcpflags (6 references)
pkts bytes target prot opt in out source destination
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 [goto] tcpflags: 0x3F/0x29
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 [goto] tcpflags: 0x3F/0x00
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 [goto] tcpflags: 0x06/0x06
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 [goto] tcpflags: 0x03/0x03
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 [goto] tcp spt:0flags: 0x17/0x02
Chain vpn2fw (1 references)
pkts bytes target prot opt in out source destination
1 60 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
1 60 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1 60 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain vpn2loc (1 references)
pkts bytes target prot opt in out source destination
1 60 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1 60 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain vpn2net (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain vpn2vpn (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain vpn_frwd (1 references)
pkts bytes target prot opt in out source destination
0 0 vpn2net all -- * ppp0 0.0.0.0/0 0.0.0.0/0
1 60 vpn2loc all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 vpn2vpn all -- * tap0 0.0.0.0/0 0.0.0.0/0
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.107 10
10.0.0.0 255.0.0.0 10.0.1.1 10.0.1.2 20
10.0.1.0 255.255.255.0 On-link 10.0.1.2 276
10.0.1.0 255.255.255.0 10.0.1.1 10.0.1.2 20
10.0.1.2 255.255.255.255 On-link 10.0.1.2 276
10.0.1.255 255.255.255.255 On-link 10.0.1.2 276
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.107 266
192.168.1.107 255.255.255.255 On-link 192.168.1.107 266
192.168.1.255 255.255.255.255 On-link 192.168.1.107 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.107 266
224.0.0.0 240.0.0.0 On-link 10.0.1.2 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.107 266
255.255.255.255 255.255.255.255 On-link 10.0.1.2 276
Насколько понимаю, я где-то натупил с роутингом. Подскажите, пожалуйста, что подправить.
Проблема в том, что не видно локалку за сервером OpenVPN. Настроено на Debian, фаерволом (надстройкой над iptables) является Shorewall.
Пинг с подключенного клиента проходит только на 10.0.0.2 (локальный IP сервера) и дальше не идет. Из локалки за серваком могу пропинговать 10.0.1.1 — VPN-сервер, а пинг на подключенного клиента тоже не проходит.
Сервер (eth0: 192.168.1.3 — смотрит в сторону провайдера, eth1: 10.0.0.2 — смотрит в локалку, ppp0 — соединение с провайдером 62.xxx.xxx.xxx, tap0: 10.0.1.1 — VPN-интерфейс).
ниже схема рисунком.
http://f19.ifotki.info/thumb/f30d473499924c8cb50edfff7f7b6e4b3edd2b230085032.jpg (http://i-fotki.info/19/f30d473499924c8cb50edfff7f7b6e4b3edd2b230085032.jpg.html)
Изначально ставилась задача поднять VPN для RDP- и SIP-соединений.
#
# OpenVPN server configuration as posted. Review comments added; every
# directive line is left exactly as it was.
#
# Listen on the provider-facing public address, UDP/1194. The Shorewall
# net2fw chain in the iptables dump below accepts udp dpt:1194, so the
# firewall side matches this.
local 62.221.43.14
port 1194
proto udp
# Layer-2 (TAP) tunnel rather than a routed TUN device; the server end shows
# up as tap0 / 10.0.1.1 in the ifconfig output below.
dev tap
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
# NOTE(review): 1024-bit DH parameters are below current recommendations;
# regenerate with at least 2048 bits the next time this deployment is touched.
dh /etc/openvpn/keys/dh1024.pem
# Tunnel subnet 10.0.1.0/24; the server takes the first address (10.0.1.1).
server 10.0.1.0 255.255.255.0
# Ping the peer every 10 s; consider it dead after 120 s of silence.
keepalive 10 120
ping-timer-rem
# Client-to-client traffic is switched inside the OpenVPN process, so it does
# not pass through the kernel firewall (the Shorewall vpn2vpn chain below
# will not see it).
client-to-client
# Keep the tap device and key material across restarts -- required because
# privileges are dropped to nobody/nogroup further down.
persist-tun
persist-key
# NOTE(review): this pushes the tunnel subnet itself, which the `server`
# directive already configures on the client, and it does not push the LAN
# behind eth1 (10.0.0.0/24). The Windows route table earlier in the post does
# show 10.0.0.0/8 via 10.0.1.1, so that route presumably comes from a ccd
# file or was added by hand -- verify on the client.
push "route 10.0.1.0 255.255.255.0"
client-config-dir ccd
# Drop privileges after start-up.
user nobody
group nogroup
# Extra HMAC on the control channel; the server uses key direction 0.
tls-auth /etc/openvpn/keys/ta.key 0
# NOTE(review): compression of tunnelled traffic; leave it off unless the link
# actually needs it.
comp-lzo
#topology subnet
status openvpn-status.log
verb 4
eth0 Link encap:Ethernet HWaddr 80:1f:02:30:1d:30
inet addr:192.168.1.3 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::821f:2ff:fe30:1d30/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:303977981 errors:0 dropped:3 overruns:0 frame:0
TX packets:196619808 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:382732174307 (356.4 GiB) TX bytes:38789120146 (36.1 GiB)
Interrupt:41 Base address:0x2000
eth1 Link encap:Ethernet HWaddr 50:46:5d:69:c9:55
inet addr:10.0.0.2 Bcast:10.255.255.255 Mask:255.0.0.0
inet6 addr: fe80::5246:5dff:fe69:c955/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:200935254 errors:0 dropped:0 overruns:0 frame:0
TX packets:300872213 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:38068384875 (35.4 GiB) TX bytes:380316272918 (354.1 GiB)
Interrupt:42 Base address:0x2000
ppp0 Link encap:Point-to-Point Protocol
inet addr:62.XXX.XXX.XXX P-t-P:213.227.254.162 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:303893501 errors:0 dropped:0 overruns:0 frame:0
TX packets:196585074 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:376040172687 (350.2 GiB) TX bytes:34463900464 (32.0 GiB)
tap0 Link encap:Ethernet HWaddr 92:0e:2e:87:2e:3e
inet addr:10.0.1.1 Bcast:10.0.1.255 Mask:255.255.255.0
inet6 addr: fe80::900e:2eff:fe87:2e3e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:554 errors:0 dropped:0 overruns:0 frame:0
TX packets:68 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:64132 (62.6 KiB) TX bytes:4996 (4.8 KiB)
#
# Shorewall configuration as posted: several files are run together with
# their headers dropped and column spacing lost. Reading them in order they
# appear to be zones, interfaces, masq and policy. Review comments added;
# every configuration line is left exactly as it was.
#
# --- zones (ZONE TYPE): fw = this host, net = Internet, loc = LAN behind
#     eth1, vpn = OpenVPN clients.
ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
loc ipv4
vpn ipv4
# --- interfaces (ZONE INTERFACE BROADCAST OPTIONS): the net zone is the
#     PPPoE link, loc is eth1, vpn is any tap device (tap+).
net ppp0 detect dhcp,tcpflags,nosmurfs,routefilter,logmartians,norfc1918
loc eth1 detect tcpflags,nosmurfs,routefilter,logmartians,blacklist
vpn tap+
# --- masq (INTERFACE[:DEST] SOURCE [ADDRESS]): first line NATs the LAN
#     out to the Internet via ppp0.
ppp0 eth1
# NOTE(review): read as a masq entry, this SNATs packets leaving eth1 that are
# *destined to* 10.0.1.0/24 from 10.0.0.0/24. Per the server's route table
# further down, 10.0.1.0/24 is reached via tap0, not eth1, so this line should
# never match. If the intent was to hide VPN clients behind the server's LAN
# address so that LAN hosts need no return route, the entry would read
# `eth1 10.0.1.0/24`. Otherwise every LAN host needs a route to 10.0.1.0/24
# via 10.0.0.2 (or the server as its default gateway) -- which is consistent
# with the symptom that only 10.0.0.2 answers from the VPN side.
eth1:10.0.1.0/24 10.0.0.0/24
# --- policy (SOURCE DEST POLICY): LAN and the firewall itself may reach
#     anything; vpn<->loc and vpn<->fw are fully open; Internet-originated
#     traffic is dropped; everything else is rejected.
loc all ACCEPT
$FW all ACCEPT
#net all DROP
#OpenVPN
# NOTE(review): `vpn loc ACCEPT` gives every VPN client unrestricted access to
# the whole LAN. The stated goal is RDP and SIP only, so a `vpn loc DROP`
# policy plus rules-file entries for just those services would be the
# least-privilege form once connectivity works.
vpn loc ACCEPT
loc vpn ACCEPT
vpn $FW ACCEPT
$FW vpn ACCEPT
net all DROP
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT
Destination Gateway Genmask Flags Metric Ref Use Iface
default * 0.0.0.0 U 0 0 0 ppp0
10.0.0.0 * 255.0.0.0 U 0 0 0 eth1
10.0.1.0 * 255.255.255.0 U 0 0 0 tap0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
l0.asr01-kh.khe * 255.255.255.255 UH 0 0 0 ppp0
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
702K 701M net2fw all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
371K 87M loc2fw all -- eth1 * 0.0.0.0/0 0.0.0.0/0
2 120 vpn2fw all -- tap0 * 0.0.0.0/0 0.0.0.0/0
272 17142 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
99 11880 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
10M 14G net_frwd all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
7269K 543M loc_frwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0
1 60 vpn_frwd all -- tap0 * 0.0.0.0/0 0.0.0.0/0
2336 206K Reject all -- * * 0.0.0.0/0 0.0.0.0/0
2336 206K reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
319K 87M fw2net all -- * ppp0 0.0.0.0/0 0.0.0.0/0
601K 701M fw2loc all -- * eth1 0.0.0.0/0 0.0.0.0/0
2 120 fw2vpn all -- * tap0 0.0.0.0/0 0.0.0.0/0
218 12822 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain Broadcast (2 references)
pkts bytes target prot opt in out source destination
99 11880 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type ANYCAST
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/4
Chain Drop (3 references)
pkts bytes target prot opt in out source destination
155K 8955K all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 /* Auth */
155K 8955K Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3 code 4 /* Needed ICMP types */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11 /* Needed ICMP types */
155K 8955K Invalid all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445 /* SMB */
2 156 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535 /* SMB */
1 40 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,139,445 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900 /* UPnP */
71285 3647K NotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
1 73 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 /* Late DNS Replies */
Chain Invalid (2 references)
pkts bytes target prot opt in out source destination
828 40587 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
Chain NotSyn (2 references)
pkts bytes target prot opt in out source destination
10 1652 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags:! 0x17/0x02
Chain Reject (2 references)
pkts bytes target prot opt in out source destination
2435 218K all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 /* Auth */
2435 218K Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3 code 4 /* Needed ICMP types */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11 /* Needed ICMP types */
2336 206K Invalid all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445 /* SMB */
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 /* SMB */
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535 /* SMB */
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,139,445 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900 /* UPnP */
327 16992 NotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 /* Late DNS Replies */
Chain blacklst (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 10.0.0.31 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.48 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.64 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.76 0.0.0.0/0
626 46996 DROP all -- * * 10.0.0.108 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.221 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.222 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.223 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.224 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.225 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.226 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.227 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.229 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.230 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.231 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.232 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.233 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.234 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.235 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.236 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.237 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.238 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.239 0.0.0.0/0
71 5564 DROP all -- * * 10.0.0.240 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.241 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.242 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.243 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.244 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.245 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.246 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.247 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.248 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.249 0.0.0.0/0
0 0 DROP all -- * * 10.0.0.250 0.0.0.0/0
Chain dynamic (10 references)
pkts bytes target prot opt in out source destination
Chain fw2loc (1 references)
pkts bytes target prot opt in out source destination
601K 701M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:69 /* TFTP */
127 28156 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
297K 86M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:1194
7401 444K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
15087 994K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 /* DNS */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 /* DNS */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2vpn (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
2 120 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2fw (1 references)
pkts bytes target prot opt in out source destination
48680 3319K blacklst all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
47983 3267K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
47983 3267K smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
327K 84M tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
322K 84M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:69 /* TFTP */
7590 411K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3128 ctorigdstport 80
31331 2066K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 /* DNS */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 /* DNS */
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 /* SSH */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Ping */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Ping */
9062 790K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
206K 17M dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
206K 17M smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
6809K 422M tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
7060K 526M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
206K 17M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2vpn (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
0 0 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc_frwd (1 references)
pkts bytes target prot opt in out source destination
209K 17M blacklst all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
7266K 543M loc2net all -- * ppp0 0.0.0.0/0 0.0.0.0/0
0 0 loc2vpn all -- * tap0 0.0.0.0/0 0.0.0.0/0
Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logflags (5 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 4 level 6 prefix "Shorewall:logflags:DROP:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
155K 8955K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
155K 8955K smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
600K 692M tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
547K 692M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
3 168 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 /* SSH */
5 252 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Ping */
155K 8955K Drop all -- * * 0.0.0.0/0 0.0.0.0/0
154K 8912K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2loc (1 references)
pkts bytes target prot opt in out source destination
1472 79012 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
1472 79012 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
9365K 13G tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
10M 14G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
54 5765 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.8 tcp dpt:3389 ctorigdstport 63389
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.17 tcp dpt:3389 ctorigdstport 63390
981 50996 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.3 tcp dpt:21 /* FTP */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.41 tcp dpt:80 ctorigdstport 3232
216 10884 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.7 tcp dpt:80 /* Web */
205 10656 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.7 tcp dpt:443 /* Web */
0 0 ACCEPT udp -- * * 0.0.0.0/0 10.0.0.16 udp dpt:5060 ctorigdstport 35060
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.16 tcp dpt:22 ctorigdstport 63395
16 711 ACCEPT udp -- * * 0.0.0.0/0 10.0.0.16 udp dpts:10000:20000
0 0 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2vpn (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
0 0 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net_frwd (1 references)
pkts bytes target prot opt in out source destination
10M 14G net2loc all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 net2vpn all -- * tap0 0.0.0.0/0 0.0.0.0/0
Chain reject (9 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type BROADCAST
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
0 0 DROP 2 -- * * 0.0.0.0/0 0.0.0.0/0
327 16992 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
2009 189K REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
Chain smurflog (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:smurfs:DROP:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain smurfs (6 references)
pkts bytes target prot opt in out source destination
14 4659 RETURN all -- * * 0.0.0.0 0.0.0.0/0
0 0 smurflog all -- * * 0.0.0.0/0 0.0.0.0/0 [goto] ADDRTYPE match src-type BROADCAST
0 0 smurflog all -- * * 224.0.0.0/4 0.0.0.0/0 [goto]
Chain tcpflags (6 references)
pkts bytes target prot opt in out source destination
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 [goto] tcpflags: 0x3F/0x29
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 [goto] tcpflags: 0x3F/0x00
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 [goto] tcpflags: 0x06/0x06
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 [goto] tcpflags: 0x03/0x03
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 [goto] tcp spt:0flags: 0x17/0x02
Chain vpn2fw (1 references)
pkts bytes target prot opt in out source destination
1 60 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
1 60 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1 60 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain vpn2loc (1 references)
pkts bytes target prot opt in out source destination
1 60 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1 60 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain vpn2net (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain vpn2vpn (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain vpn_frwd (1 references)
pkts bytes target prot opt in out source destination
0 0 vpn2net all -- * ppp0 0.0.0.0/0 0.0.0.0/0
1 60 vpn2loc all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 vpn2vpn all -- * tap0 0.0.0.0/0 0.0.0.0/0
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.107 10
10.0.0.0 255.0.0.0 10.0.1.1 10.0.1.2 20
10.0.1.0 255.255.255.0 On-link 10.0.1.2 276
10.0.1.0 255.255.255.0 10.0.1.1 10.0.1.2 20
10.0.1.2 255.255.255.255 On-link 10.0.1.2 276
10.0.1.255 255.255.255.255 On-link 10.0.1.2 276
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.107 266
192.168.1.107 255.255.255.255 On-link 192.168.1.107 266
192.168.1.255 255.255.255.255 On-link 192.168.1.107 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.107 266
224.0.0.0 240.0.0.0 On-link 10.0.1.2 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.107 266
255.255.255.255 255.255.255.255 On-link 10.0.1.2 276
Насколько понимаю, я где-то натупил с роутингом. Судя по счётчикам Shorewall выше, единственный учтённый пакет со стороны VPN прошёл по цепочке vpn2loc и был принят в сторону eth1, а обратная цепочка loc2vpn пустая (0 пакетов) — то есть запрос с клиента до локалки, похоже, доходит, а ответ через сервер обратно в tap0 не возвращается. На клиенте (таблица маршрутов ниже, адрес 10.0.1.2) маршрут 10.0.0.0/8 через 10.0.1.1 есть. Подскажите, пожалуйста, что подправить: не хватает маршрута до 10.0.1.0/24 (или шлюза по умолчанию через 10.0.0.2) на хостах локалки, нужен NAT с tap0 в сторону eth1 на сервере, или дело в файрволе самих хостов?