Aqui está o problema que estou tentando resolver. Existe um servidor ("sistema remoto") que eu sou capaz de fazer ssh a partir do meu computador local, mas este sistema remoto não tem conexão com a Internet. Eu quero fornecer o sistema remoto com acesso à internet através do meu computador local usando VPN baseada em ssh. Como faço isso? Eu tentei o seguinte, que parece funcionar parcialmente. O que quero dizer com 'trabalho parcial' é que os pacotes de conexão (pacotes de sincronização) são enviados para o meu computador local, mas não conseguem estabelecer a conexão com a Internet. Eu estou usando o tcpdump para capturar pacotes no computador local. O computador local e o sistema remoto estão executando o centos 7.
A configuração - Nota: os comandos abaixo são executados em ordem. Os comandos user @ remote são executados no servidor remoto e os comandos user @ local são executados no computador local.
[user@remote ~]$ ip addr show
1: lo: mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether AA:BB:CC:DD:EE:FF brd ff:ff:ff:ff:ff:ff
inet AAA.BBB.CCC.DDD/24 brd AAA.BBB.CCC.255 scope global dynamic eth0
valid_lft 1785sec preferred_lft 1785sec
inet6 EEEE:FFFF:GGGG:HHHH:IIII:JJJJ:KKKK:LLLL/64 scope global noprefixroute dynamic
valid_lft 2591987sec preferred_lft 604787sec
inet6 ABCD::IIII:JJJJ:KKKK:LLLL/64 scope link
valid_lft forever preferred_lft forever
[user@local ~]$ ip addr show
1: lo: mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether AA:BB:CC:DD:EE:FF brd ff:ff:ff:ff:ff:ff
inet AAA.BBB.CCC.DDD/24 brd AAA.BBB.CCC.255 scope global dynamic eth0
valid_lft 1785sec preferred_lft 1785sec
inet6 EEEE:FFFF:GGGG:HHHH:IIII:JJJJ:KKKK:LLLL/64 scope global noprefixroute dynamic
valid_lft 2591987sec preferred_lft 604787sec
inet6 ABCD::IIII:JJJJ:KKKK:LLLL/64 scope link
valid_lft forever preferred_lft forever
Crie a interface tun0 no sistema remoto .
[user@remote ~]$ sudo ip tuntap add tun0 mode tun
[user@remote ~]$ ip addr show
1: lo: mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether AA:BB:CC:DD:EE:FF brd ff:ff:ff:ff:ff:ff
inet AAA.BBB.CCC.DDD/24 brd AAA.BBB.CCC.255 scope global dynamic eth0
valid_lft 1785sec preferred_lft 1785sec
inet6 EEEE:FFFF:GGGG:HHHH:IIII:JJJJ:KKKK:LLLL/64 scope global noprefixroute dynamic
valid_lft 2591987sec preferred_lft 604787sec
inet6 ABCD::IIII:JJJJ:KKKK:LLLL/64 scope link
valid_lft forever preferred_lft forever
3: tun0: mtu 1500 qdisc noop state DOWN qlen 500
link/none
Crie a interface tun0 no sistema local .
[user@local ~]$ sudo ip tuntap add tun0 mode tun
[user@local ~]$ ip addr show
1: lo: mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether AA:BB:CC:DD:EE:FF brd ff:ff:ff:ff:ff:ff
inet AAA.BBB.CCC.DDD/24 brd AAA.BBB.CCC.255 scope global dynamic eth0
valid_lft 1785sec preferred_lft 1785sec
inet6 EEEE:FFFF:GGGG:HHHH:IIII:JJJJ:KKKK:LLLL/64 scope global noprefixroute dynamic
valid_lft 2591987sec preferred_lft 604787sec
inet6 ABCD::IIII:JJJJ:KKKK:LLLL/64 scope link
valid_lft forever preferred_lft forever
3: tun0: mtu 1500 qdisc noop state DOWN qlen 500
link/none
Atribua um endereço IP ao tun0 e exiba-o:
[user@local ~]$ sudo ip addr add 10.0.2.1/30 dev tun0
[user@local ~]$ sudo ip link set dev tun0 up
[user@local ~]$ ip addr show tun0
3: tun0: mtu 1500 qdisc pfifo_fast state DOWN qlen 500
link/none
inet 10.0.2.1/30 scope global tun0
valid_lft forever preferred_lft forever
[user@remote ~]$ sudo ip addr add 10.0.2.2/30 dev tun0
[user@remote ~]$ sudo ip link set dev tun0 up
[user@remote ~]$ ip addr show tun0
3: tun0: mtu 1500 qdisc pfifo_fast state DOWN qlen 500
link/none
inet 10.0.2.2/30 scope global tun0
valid_lft forever preferred_lft forever
Modifique o sshd_config nos sistemas remoto e local para ativar o tunelamento:
[user@remote ~]$ sudo grep PermitTunnel /etc/ssh/sshd_config
PermitTunnel point-to-point
[user@local ~]$ sudo grep PermitTunnel /etc/ssh/sshd_config
PermitTunnel point-to-point
Crie o túnel ssh:
[user@local ~]$ sudo ssh -f -w0:0 root@remote true
root@remote's password:
[user@local ~]$ ps aux | grep root@remote
root 1851 0.0 0.0 76112 1348 ? Ss 23:12 0:00 ssh -f -w0:0 root@remote true
Teste o ping em ambos os servidores usando os novos endereços IP:
[user@local ~]$ ping 10.0.2.2 -c 2
PING 10.0.2.2 (10.0.2.2) 56(84) bytes of data.
64 bytes from 10.0.2.2: icmp_seq=1 ttl=64 time=1.68 ms
64 bytes from 10.0.2.2: icmp_seq=2 ttl=64 time=0.861 ms
--- 10.0.2.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.861/1.274/1.688/0.415 ms
[user@remote ~]$ ping 10.0.2.1 -c 2
PING 10.0.2.1 (10.0.2.1) 56(84) bytes of data.
64 bytes from 10.0.2.1: icmp_seq=1 ttl=64 time=0.589 ms
64 bytes from 10.0.2.1: icmp_seq=2 ttl=64 time=0.889 ms
--- 10.0.2.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.589/0.739/0.889/0.150 ms
[user@remote ~]$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default gateway 0.0.0.0 UG 100 0 0 eth0
10.0.2.0 0.0.0.0 255.255.255.252 U 0 0 0 tun0
AAA.BBB.CCC.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
[user@remote ~]$ ip route show
default via AAA.BBB.CCC.1 dev eth0 proto static metric 100
10.0.2.0/30 dev tun0 proto kernel scope link src 10.0.2.2
AAA.BBB.CCC.0/24 dev eth0 proto kernel scope link src AAA.BBB.CCC.31 metric 100
Obtenha endereços IP do Google:
[user@local ~]$ nslookup google.com
Server: s.e.r.ver
Address: s.e.r.ver#53
Non-authoritative answer:
Name: google.com
Address: 173.194.219.101
Name: google.com
Address: 173.194.219.100
Name: google.com
Address: 173.194.219.113
Name: google.com
Address: 173.194.219.102
Name: google.com
Address: 173.194.219.139
Name: google.com
Address: 173.194.219.138
IMPORTANTE: executei o comando acima em um horário diferente e obtive um resultado diferente. Não assuma que sua resposta será igual à minha para o nslookup acima.
Como todos os endereços IP do Google começam com 173.194.219, vamos rotear todos esses endereços IP pelo computador local.
[user@remote ~]$ sudo ip route add 173.194.219.0/24 dev tun0
[user@remote ~]$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default gateway 0.0.0.0 UG 100 0 0 eth0
10.0.2.0 0.0.0.0 255.255.255.252 U 0 0 0 tun0
AAA.BBB.CCC.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
173.194.219.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
[user@remote ~]$ ip route show
default via AAA.BBB.CCC.1 dev eth0 proto static metric 100
10.0.2.0/30 dev tun0 proto kernel scope link src 10.0.2.2
AAA.BBB.CCC.0/24 dev eth0 proto kernel scope link src AAA.BBB.CCC.31 metric 100
173.194.219.0/24 dev tun0 scope link
Ativar ip_forwarding:
[user@local ~]$ grep ip_forward /etc/sysctl.conf
net.ipv4.ip_forward = 1
[user@local ~]$ sudo service network restart
Restarting network (via systemctl): [ OK ]
Configure a captura de pacotes no computador local usando o tcpdump:
[user@local ~]$ sudo tcpdump -nn -vv 'port not 22' -i any
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
Tente se conectar ao Google a partir do servidor remoto.
[user@remote ~]$ openssl s_client -connect google.com:443
socket: No route to host
connect:errno=113
Assim que o comando openssl é executado no servidor remoto, o tcpdump captura alguns pacotes:
10.0.2.2.52768 > 173.194.219.102.443: Flags [S], cksum 0x8702 (correct), seq 994650730, win 29200, options [mss 1460,sackOK,TS val 7701438 ecr 0,nop,wscale 7], length 0
00:49:33.247753 IP (tos 0x0, ttl 64, id 46037, offset 0, flags [DF], proto TCP (6), length 60)
10.0.2.2.48774 > 173.194.219.100.443: Flags [S], cksum 0x47a7 (correct), seq 2218733674, win 29200, options [mss 1460,sackOK,TS val 7701439 ecr 0,nop,wscale 7], length 0
00:49:33.247883 IP (tos 0xc0, ttl 64, id 9538, offset 0, flags [none], proto ICMP (1), length 88)
10.0.2.1 > 10.0.2.2: ICMP host 173.194.219.100 unreachable - admin prohibited, length 68
IP (tos 0x0, ttl 63, id 46037, offset 0, flags [DF], proto TCP (6), length 60)
10.0.2.2.48774 > 173.194.219.100.443: Flags [S], cksum 0x47a7 (correct), seq 2218733674, win 29200, options [mss 1460,sackOK,TS val 7701439 ecr 0,nop,wscale 7], length 0
00:49:33.253068 IP (tos 0x0, ttl 64, id 26282, offset 0, flags [DF], proto TCP (6), length 60)
10.0.2.2.51312 > 173.194.219.101.443: Flags [S], cksum 0x6ff8 (correct), seq 2634016105, win 29200, options [mss 1460,sackOK,TS val 7701443 ecr 0,nop,wscale 7], length 0
00:49:33.254771 IP (tos 0xc0, ttl 64, id 9539, offset 0, flags [none], proto ICMP (1), length 88)
10.0.2.1 > 10.0.2.2: ICMP host 173.194.219.101 unreachable - admin prohibited, length 68
IP (tos 0x0, ttl 63, id 26282, offset 0, flags [DF], proto TCP (6), length 60)
10.0.2.2.51312 > 173.194.219.101.443: Flags [S], cksum 0x6ff8 (correct), seq 2634016105, win 29200, options [mss 1460,sackOK,TS val 7701443 ecr 0,nop,wscale 7], length 0
00:49:33.258805 IP (tos 0x0, ttl 64, id 9293, offset 0, flags [DF], proto TCP (6), length 60)
10.0.2.2.33686 > 173.194.219.139.443: Flags [S], cksum 0x542b (correct), seq 995927943, win 29200, options [mss 1460,sackOK,TS val 7701450 ecr 0,nop,wscale 7], length 0
00:49:33.258845 IP (tos 0xc0, ttl 64, id 9540, offset 0, flags [none], proto ICMP (1), length 88)
10.0.2.1 > 10.0.2.2: ICMP host 173.194.219.139 unreachable - admin prohibited, length 68
IP (tos 0x0, ttl 63, id 9293, offset 0, flags [DF], proto TCP (6), length 60)
10.0.2.2.33686 > 173.194.219.139.443: Flags [S], cksum 0x542b (correct), seq 995927943, win 29200, options [mss 1460,sackOK,TS val 7701450 ecr 0,nop,wscale 7], length 0
^C
13 packets captured
13 packets received by filter
0 packets dropped by kernel
Os pacotes capturados usando o tcpdump sugerem que é feita uma tentativa de estabelecer a conexão (os pacotes Sync são enviados), mas nada é recebido. Também há uma mensagem 10.0.2.1 > 10.0.2.2: ICMP host 173.194.219.139 unreachable - admin prohibited, length 68
que parece sugerir um problema.
Alguma sugestão sobre como resolver este problema? Existem regras de iptable que precisam ser adicionadas? Algum problema de firewall (firewall-d?).
Nota # 1
Saída do iptables-save:
[user@local ~]$ sudo iptables -t nat -A POSTROUTING -s 10.0.2.2/32 ! -d 10.0.2.1/30 -j MASQUERADE -o eth0
[user@local ~]$ sudo iptables-save
# Generated by iptables-save v1.4.21 on Sat Apr 15 01:40:57 2017
*nat
:PREROUTING ACCEPT [35:8926]
:INPUT ACCEPT [1:84]
:OUTPUT ACCEPT [6:439]
:POSTROUTING ACCEPT [6:439]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING -s 10.0.2.2/32 ! -d 10.0.2.0/30 -j MASQUERADE
-A POSTROUTING_ZONES -o eth0 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -i eth0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Sat Apr 15 01:40:57 2017
# Generated by iptables-save v1.4.21 on Sat Apr 15 01:40:57 2017
*mangle
:PREROUTING ACCEPT [169:18687]
:INPUT ACCEPT [144:11583]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [80:8149]
:POSTROUTING ACCEPT [80:8149]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i eth0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Sat Apr 15 01:40:57 2017
# Generated by iptables-save v1.4.21 on Sat Apr 15 01:40:57 2017
*security
:INPUT ACCEPT [2197:163931]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1229:185742]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Sat Apr 15 01:40:57 2017
# Generated by iptables-save v1.4.21 on Sat Apr 15 01:40:57 2017
*raw
:PREROUTING ACCEPT [2362:184437]
:OUTPUT ACCEPT [1229:185742]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Sat Apr 15 01:40:57 2017
# Generated by iptables-save v1.4.21 on Sat Apr 15 01:40:57 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [80:8149]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i eth0 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o eth0 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i eth0 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Sat Apr 15 01:40:57 2017
Nota # 2:
Eu configuro um servidor web apache em um host separado que somente o servidor local tem acesso. Eu executei o tcpdump no servidor web escutando na porta 80. Quando eu executo
telnet webserver 80
eu capturei os seguintes pacotes. Esse é o comportamento esperado desde que a conexão TCP seja estabelecida (S, S-Ack, Ack).
[user@webserver ~]$ sudo tcpdump -nn -vv 'port not 22 and 80' -i eth0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
07:17:30.411474 IP (tos 0x10, ttl 64, id 34376, offset 0, flags [DF], proto TCP (6), length 60)
local.server.46710 > web.server.80: Flags [S], cksum 0x8412 (incorrect -> 0x6d96), seq 3018586542, win 29200, options [mss 1460,sackOK,TS val 3047398 ecr 0,nop,wscale 7], length 0
07:17:30.411557 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
web.server.80 > local.server.46710: Flags [S.], cksum 0x8412 (incorrect -> 0x9114), seq 2651711943, ack 3018586543, win 28960, options [mss 1460,sackOK,TS val 37704524 ecr 3047398,nop,wscale 7], length 0
07:17:30.411725 IP (tos 0x10, ttl 64, id 34377, offset 0, flags [DF], proto TCP (6), length 52)
local.server.46710 > web.server.80: Flags [.], cksum 0x840a (incorrect -> 0x301c), seq 1, ack 1, win 229, options [nop,nop,TS val 3047398 ecr 37704524], length 0
Quando tento conectar-me ao servidor web do servidor remoto através do servidor local, o tcpdump no servidor web não captura nenhum pacote (nem mesmo a sincronização inicial), mas o servidor local captura o pacote Sync sendo enviado ao servidor web (veja abaixo). Isso me faz acreditar que algo está impedindo que os pacotes sejam enviados para o servidor da Web - talvez um erro de configuração ou firewall.
[user@local ~]$ sudo tcpdump -nn -vv 'port not 22 and 80' -i any
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
02:24:09.135842 IP (tos 0x10, ttl 64, id 38062, offset 0, flags [DF], proto TCP (6), length 60)
10.0.2.2.50558 > web.server.80: Flags [S], cksum 0x668d (correct), seq 69756226, win 29200, options [mss 1460,sackOK,TS val 4780524 ecr 0,nop,wscale 7], length 0
IMPORTANTE: os pacotes não estão sendo roteados através de eth0, mas é feita uma tentativa de enviar os pacotes para o servidor web via tun0 (que falha). Eu posso confirmar isso executando tcpdump na interface tun0:
[user@local ~]$ sudo tcpdump -nn -vv 'port not 22 and 80' -i tun0
tcpdump: listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
02:28:10.295972 IP (tos 0x10, ttl 64, id 46976, offset 0, flags [DF], proto TCP (6), length 60)
10.0.2.2.50560 > webserver.80: Flags [S], cksum 0xd560 (correct), seq 605366388, win 29200, options [mss 1460,sackOK,TS val 5021684 ecr 0,nop,wscale 7], length 0
Nota # 3:
Eu desliguei o firewalld no computador local e os pacotes Sync foram recebidos pelo servidor web.
[user@local ~]$ sudo systemctl stop firewalld
[user@webserver ~]$ sudo tcpdump -nn -vv 'port not 22 and 80' -i eth0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
08:25:17.390912 IP (tos 0x10, ttl 63, id 61767, offset 0, flags [DF], proto TCP (6), length 60)
10.0.2.2.50580 > web.server.80: Flags [S], cksum 0x30dc (correct), seq 2601927549, win 29200, options [mss 1460,sackOK,TS val 7123514 ecr 0,nop,wscale 7], length 0
08:25:17.391003 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
web.server.80 > 10.0.2.2.50580: Flags [S.], cksum 0x4e23 (incorrect -> 0xa316), seq 959115533, ack 2601927550, win 28960, options [mss 1460,sackOK,TS val 41771503 ecr 7123514,nop,wscale 7], length 0
08:25:17.391192 IP (tos 0x0, ttl 128, id 60032, offset 0, flags [none], proto TCP (6), length 40)
10.0.2.2.50580 > web.server.80: Flags [R], cksum 0x7339 (correct), seq 2601927550, win 8192, length 0
08:25:18.393794 IP (tos 0x10, ttl 63, id 61768, offset 0, flags [DF], proto TCP (6), length 60)
10.0.2.2.50580 > web.server.80: Flags [S], cksum 0x2cf1 (correct), seq 2601927549, win 29200, options [mss 1460,sackOK,TS val 7124517 ecr 0,nop,wscale 7], length 0
08:25:18.393898 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
web.server.80 > 10.0.2.2.50580: Flags [S.], cksum 0x4e23 (incorrect -> 0x7e71), seq 974785773, ack 2601927550, win 28960, options [mss 1460,sackOK,TS val 41772506 ecr 7124517,nop,wscale 7], length 0
08:25:18.394003 IP (tos 0x0, ttl 128, id 60033, offset 0, flags [none], proto TCP (6), length 40)
10.0.2.2.50580 > web.server.80: Flags [R], cksum 0x566a (correct), seq 2601927550, win 8192, length 0
Agora, claramente, o IP de origem precisa ser atualizado para corresponder ao endereço IP do servidor local antes que o pacote seja enviado ao servidor da web. Como sugerido pela @xin, o NAT precisa ser configurado no servidor local.
Nota # 4:
Uma vez que eu tentei me conectar ao servidor web, eu posso ver que a contagem de pacotes da regra 9 aumenta em 1 (como visto abaixo).
[user@local ~]$ sudo iptables -nvL --line-numbers
..........
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 1 60 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
4 1 60 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
5 1 60 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
6 1 60 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
7 1 60 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
8 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
9 1 60 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
..........
[user@local ~]$ sudo iptables -D FORWARD 9
Quando a regra 9 da cadeia FORWARD for excluída (de cima, como sugerido @xin), posso me conectar ao servidor da Web.
[user@local ~]$ sudo iptables -nvL --line-numbers
..........
Chain FORWARD (policy ACCEPT 1 packets, 60 bytes)
num pkts bytes target prot opt in out source destination
1 12 5857 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 2 120 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
4 2 120 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
5 2 120 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
6 2 120 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
7 2 120 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
8 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
..........