Eu tenho os 2 servidores debian a seguir no meu cenário: O primeiro é meu servidor openvpn principal, ele tem 2 NICS eth0 ativo (172.25.156.146) e eth3 (172.26.16.1) - O segundo servidor também possui 2 NICS ativos eth0 172.26.16.16 e eth1 10.77.144.75. Ambos os servidores estão conectados diretamente em 172.26.16.0/24.
Alguns serviços / servidores em minha LAN são acessíveis somente a partir do segundo servidor (daí a conexão direta), e para tornar estes servidores / serviços internos acessíveis a partir do servidor principal (172.25.156.146), as seguintes regras foram ativado:
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 172.25.156.145 0.0.0.0 UG 0 0 0 eth0
10.77.144.0 172.26.16.16 255.255.255.0 UG 0 0 0 eth3 # internal servers range
10.250.250.0 0.0.0.0 255.255.255.0 U 0 0 0 tap3
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
172.16.16.0 0.0.0.0 255.255.255.0 U 0 0 0 tap1
172.17.17.0 0.0.0.0 255.255.255.0 U 0 0 0 tap5
172.25.132.0 172.25.156.145 255.255.255.128 UG 0 0 0 eth0
172.25.156.144 0.0.0.0 255.255.255.248 U 0 0 0 eth0
172.26.16.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3 #route back
172.31.249.0 0.0.0.0 255.255.255.0 U 0 0 0 tap4
192.168.0.0 192.168.0.1 255.255.255.0 UG 0 0 0 tap6
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tap6
192.168.88.0 192.168.88.2 255.255.255.0 UG 0 0 0 tun0
192.168.88.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.200.0 192.168.200.1 255.255.255.0 UG 0 0 0 tap2
192.168.200.0 0.0.0.0 255.255.255.0 U 0 0 0 tap2
192.168.200.100 192.168.200.1 255.255.255.255 UGH 0 0 0 tap2
/proc/sys/net/ipv4/ip_forward = 1
iptables rules (even though it is not relevant)
Chain INPUT (policy ACCEPT 24M packets, 15G bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 16463 packets, 985K bytes)
pkts bytes target prot opt in out source destination
252 15593 ACCEPT all -- tun0 eth0 192.168.88.0/24 10.77.128.0/24 ctstate NEW
1671K 742M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- tun0 eth0 192.168.88.0/24 10.77.120.0/24 ctstate NEW
Chain OUTPUT (policy ACCEPT 16M packets, 18G bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.88.0/24 10.77.128.0/24 ctstate NEW
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.88.0/24 10.77.120.0/24 ctstate NEW
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.0.0.0 10.77.144.1 255.0.0.0 UG 0 0 0 eth1
10.77.144.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1 # towards the internal servers
172.25.132.0 10.77.144.1 255.255.255.128 UG 0 0 0 eth1
172.26.16.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 # route back to the main server
192.168.88.0 172.26.16.1 255.255.255.0 UG 0 0 0 eth0
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
DROP all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:telnet state NEW
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2330 127K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
41784 2293K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
14 840 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
947 149K DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4346 833K ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
9 512 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23 state NEW
0 0 ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
10620 879K ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1 eth1 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 47570 packets, 19M bytes)
pkts bytes target prot opt in out source destination
e o encaminhamento de ip está ativado.
O problema: a partir do servidor principal eu não sou capaz de ping no servidor interno, mas posso a partir do segundo servidor. Qualquer ajuda será muito apreciada.
O seguinte resolveu o problema acima (se for executado no segundo servidor):
root@armittage:~# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
root@armittage:~# iptables -A FORWARD -i eth1 -j ACCEPT
root@armittage:~# iptables -A FORWARD -i eth0 -j ACCEPT
root@armittage:~# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE –
Tags ip ip-forwarding