Reencaminhamento IP duplo não funciona

1

Eu tenho os 2 servidores debian a seguir no meu cenário: O primeiro é meu servidor openvpn principal, ele tem 2 NICS eth0 ativo (172.25.156.146) e eth3 (172.26.16.1) - O segundo servidor também possui 2 NICS ativos eth0 172.26.16.16 e eth1 10.77.144.75. Ambos os servidores estão conectados diretamente em 172.26.16.0/24.

Alguns serviços / servidores em minha LAN são acessíveis somente a partir do segundo servidor (daí a conexão direta), e para tornar estes servidores / serviços internos acessíveis a partir do servidor principal (172.25.156.146), as seguintes regras foram ativado:

no servidor principal:

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.25.156.145  0.0.0.0         UG        0 0          0 eth0
10.77.144.0     172.26.16.16    255.255.255.0   UG        0 0          0 eth3 # internal servers range
10.250.250.0    0.0.0.0         255.255.255.0   U         0 0          0 tap3
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
172.16.16.0     0.0.0.0         255.255.255.0   U         0 0          0 tap1
172.17.17.0     0.0.0.0         255.255.255.0   U         0 0          0 tap5
172.25.132.0    172.25.156.145  255.255.255.128 UG        0 0          0 eth0
172.25.156.144  0.0.0.0         255.255.255.248 U         0 0          0 eth0
172.26.16.0     0.0.0.0         255.255.255.0   U         0 0          0 eth3 #route back 

para o segundo servidor

172.31.249.0    0.0.0.0         255.255.255.0   U         0 0          0 tap4
192.168.0.0     192.168.0.1     255.255.255.0   UG        0 0          0 tap6
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 tap6
192.168.88.0    192.168.88.2    255.255.255.0   UG        0 0          0 tun0
192.168.88.2    0.0.0.0         255.255.255.255 UH        0 0          0 tun0
192.168.200.0   192.168.200.1   255.255.255.0   UG        0 0          0 tap2
192.168.200.0   0.0.0.0         255.255.255.0   U         0 0          0 tap2
192.168.200.100 192.168.200.1   255.255.255.255 UGH       0 0          0 tap2


/proc/sys/net/ipv4/ip_forward = 1

iptables rules (even though it is not relevant)
Chain INPUT (policy ACCEPT 24M packets, 15G bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 16463 packets, 985K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  252 15593 ACCEPT     all  --  tun0   eth0    192.168.88.0/24      10.77.128.0/24       ctstate NEW
1671K  742M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  tun0   eth0    192.168.88.0/24      10.77.120.0/24       ctstate NEW

Chain OUTPUT (policy ACCEPT 16M packets, 18G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  192.168.88.0/24      10.77.128.0/24       ctstate NEW
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.88.0/24      10.77.120.0/24       ctstate NEW

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

no segundo servidor

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.0.0.0        10.77.144.1     255.0.0.0       UG        0 0          0 eth1
10.77.144.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1 # towards the internal servers
172.25.132.0    10.77.144.1     255.255.255.128 UG        0 0          0 eth1
172.26.16.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0 # route back to the main server
192.168.88.0    172.26.16.1     255.255.255.0   UG        0 0          0 eth0

Regras do iptables:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
DROP       all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere             state NEW

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:telnet state NEW
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination   

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2330  127K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
41784 2293K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   14   840 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
  947  149K DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 4346  833K ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    9   512 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23 state NEW
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
10620  879K ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  eth1   eth1    0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 47570 packets, 19M bytes)
 pkts bytes target     prot opt in     out     source               destination    

e o encaminhamento de ip está ativado.

O problema: a partir do servidor principal eu não sou capaz de ping no servidor interno, mas posso a partir do segundo servidor. Qualquer ajuda será muito apreciada.

    
por Ants0 24.11.2014 / 13:40

1 resposta

0

O seguinte resolveu o problema acima (se for executado no segundo servidor):

root@armittage:~# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
root@armittage:~# iptables -A FORWARD -i eth1 -j ACCEPT
root@armittage:~# iptables -A FORWARD -i eth0 -j ACCEPT
root@armittage:~# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE –
    
por 15.03.2016 / 22:24