Титла: vtund problem
Публикувано от: edi в Apr 22, 2004, 12:31
Здравейте,
ситуацията е такава:
Две машини със Slackware (kernel 2.4.x) в мрежата на един ISP рутират трафика на две LAN (с по 10 машини) навън.
Искам да пусна vpn между тях и реших да ползвам vtund.
Проблемът е че нямам достъп до машините зад края на vpn-a. От двата рутера имам пинг към 10.0.0.1, 10.0.0.2, 192.168.1.1 и 192.168.3.1, но не и към 192.168.x.y. другата мрежа.
Опитах и с:
iptables –P INPUT ACCEPT
iptables –P FORWARD ACCEPT
но не помогна
Настройките са:
vpn server – slackware 9.1 – eth0: x.y.z.240/25, eth1:192.168.1.1/24, tap0: 10.0.0.1/24
vpn client – slackware 9.1 – eth0: x.y.z.241/25, eth1:192.168.3.1/24, tap1: 10.0.0.2/24
------------------------------------------------------------------------------------------
-------------------------
server:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.2 * 255.255.255.255 UH 0 0 0 tun0
localnet * 255.255.255.128 U 0 0 0 eth0
192.168.3.0 10.0.0.1 255.255.255.0 UG 0 0 0 tun0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
loopback * 255.0.0.0 U 0 0 0 lo
default x.y.z.129 0.0.0.0 UG 1 0 0 eth0
------------------------------------------------------------------------------------------
------------------------
# Server vtun.conf
#
options {
port 5000;
ifconfig /sbin/ifconfig;
route /sbin/route;
}
default {
compress no;
speed 0;
}
vpn {
pass xxxxxxx;
type tun;
proto udp;
comp lzo:1;
encr yes;
keepalive yes;
up {
# 10.0.0.1 - local, 10.0.0.2 - remote
ifconfig "%% 10.0.0.1 pointopoint 10.0.0.2 mtu 1450";
route "add -net 192.168.3.0 netmask 255.255.255.0 gw 10.0.0.1";
#program /sbin/arp "-sD 10.0.0.1 eth0 pub";
};
}
-----------------------------------------------------------
rc.local:
---------------------
#!/bin/sh
#
echo 1 > /proc/sys/net/ipv4/ip_forward
#
IPT=/usr/sbin/iptables
INET=eth0
LAN=eth1
VPN=tap1
#
## CLEAN RULES
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
#
## SETTIN POLICY
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
#
### INPUT
#$IPT -A INPUT -i $INET -m state --state NEW -p icmp -j DROP
$IPT -A INPUT -p icmp -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -i $LAN -j ACCEPT
$IPT -A INPUT -i $INET -s $vpn_client_ip -p tcp --dport 5000 -j ACCEPT
$IPT -A INPUT -i $INET -s $vpn_client_ip -p udp --dport 5000 -j ACCEPT
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $INET -d 0/0 -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -i $INET -d 0/0 -p tcp --dport 21 -j ACCEPT
$IPT -A INPUT -i $INET -d 0/0 -p udp --dport 21 -j ACCEPT
#
## PAKETS FORWARDING
$IPT -A FORWARD -i $INET -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i $LAN -o $INET -j ACCEPT
$IPT -A FORWARD -i $INET -d 0/0 -p tcp --dport 21 -j ACCEPT
$IPT -A FORWARD -i $INET -d 0/0 -p udp --dport 21 -j ACCEPT
#
## PORT FORWARDING
#$IPT -t nat -A PREROUTING -i $INET -p udp --dport 21 -j DNAT --to 192.168.1.30:21
#
## N.A.T.
$IPT -t nat -A POSTROUTING -o $INET -j MASQUERADE
#
### VPN Server
killall -KILL vtund
sleep 5
/usr/local/sbin/vtund -s
#
-------------------------------------------------
------------------------------------------------------------------------------------------
-------------------------
client:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.1 * 255.255.255.255 UH 0 0 0 tun1
localnet * 255.255.255.128 U 0 0 0 eth1
192.168.3.0 * 255.255.255.0 U 0 0 0 eth0
192.168.1.0 10.0.0.2 255.255.255.0 UG 0 0 0 tun1
loopback * 255.0.0.0 U 0 0 0 lo
default x.y.z.129 0.0.0.0 UG 1 0 0 eth1
------------------------------------------------------------------------------------------
-------------------------
# Client config
options {
port 5000;
timeout 60;
ifconfig /sbin/ifconfig;
route /sbin/route;
}
vpn {
passwd xxxxxxx;
device tun1;
persist yes;
up {
ifconfig "%% 10.0.0.2 pointopoint 10.0.0.1 mtu 1450";
route "add -net 192.168.1.0 netmask 255.255.255.0 gw 10.0.0.1";
};
}
-----------------------------------------------------------
rc.local:
---------------------
#!/bin/sh
#
echo 1 > /proc/sys/net/ipv4/ip_forward
IPT=/usr/sbin/iptables
INET=eth1
LAN=eth0
#
## clean rules
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
#
## settin policy
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
#
### input rules
#
## icmp
#$IPT -A INPUT -i $INET -p icmp -m state --state NEW -j DROP
$IPT -A INPUT -p icmp -j ACCEPT
$IPT -A INPUT -i $INET -p icmp --icmp-type 8 -m limit --limit 3/minute --limit-burst 3 -j ACCEPT
#
# invalid packets
$IPT -A INPUT -f -j DROP
$IPT -A INPUT -m state --state INVALID -j DROP
#
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -i $LAN -j ACCEPT
$IPT -A INPUT -i $INET -s $vpn_server_ip -p tcp --dport 5000 -j ACCEPT
$IPT -A INPUT -i $INET -s $vpn_server_ip -p udp --dport 5000 -j ACCEPT
$IPT -A INPUT -i $INET -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $INET -d 0/0 -p tcp --dport 22 -j ACCEPT
#
## paket forwarding
$IPT -A FORWARD -i $INET -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i $LAN -o $INET -j ACCEPT
#
## NAT
$IPT -t nat -A POSTROUTING -o $INET -j MASQUERADE
#
## mangle
$IPT -t mangle -A PREROUTING -p tcp --dport 22 -j TOS --set-tos 0x10
#
### VPN CLIENT
killall vtund
sleep 5
/usr/local/sbin/vtund vpn $vpn_server_ip
#
-------------------------------------------------
ситуацията е такава:
Две машини със Slackware (kernel 2.4.x) в мрежата на един ISP рутират трафика на две LAN (с по 10 машини) навън.
Искам да пусна vpn между тях и реших да ползвам vtund.
Проблемът е че нямам достъп до машините зад края на vpn-a. От двата рутера имам пинг към 10.0.0.1, 10.0.0.2, 192.168.1.1 и 192.168.3.1, но не и към 192.168.x.y. другата мрежа.
Опитах и с:
iptables –P INPUT ACCEPT
iptables –P FORWARD ACCEPT
но не помогна
Настройките са:
vpn server – slackware 9.1 – eth0: x.y.z.240/25, eth1:192.168.1.1/24, tap0: 10.0.0.1/24
vpn client – slackware 9.1 – eth0: x.y.z.241/25, eth1:192.168.3.1/24, tap1: 10.0.0.2/24
------------------------------------------------------------------------------------------
-------------------------
server:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.2 * 255.255.255.255 UH 0 0 0 tun0
localnet * 255.255.255.128 U 0 0 0 eth0
192.168.3.0 10.0.0.1 255.255.255.0 UG 0 0 0 tun0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
loopback * 255.0.0.0 U 0 0 0 lo
default x.y.z.129 0.0.0.0 UG 1 0 0 eth0
------------------------------------------------------------------------------------------
------------------------
# Server vtun.conf
#
options {
port 5000;
ifconfig /sbin/ifconfig;
route /sbin/route;
}
default {
compress no;
speed 0;
}
vpn {
pass xxxxxxx;
type tun;
proto udp;
comp lzo:1;
encr yes;
keepalive yes;
up {
# 10.0.0.1 - local, 10.0.0.2 - remote
ifconfig "%% 10.0.0.1 pointopoint 10.0.0.2 mtu 1450";
route "add -net 192.168.3.0 netmask 255.255.255.0 gw 10.0.0.1";
#program /sbin/arp "-sD 10.0.0.1 eth0 pub";
};
}
-----------------------------------------------------------
rc.local:
---------------------
#!/bin/sh
#
echo 1 > /proc/sys/net/ipv4/ip_forward
#
IPT=/usr/sbin/iptables
INET=eth0
LAN=eth1
VPN=tap1
#
## CLEAN RULES
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
#
## SETTIN POLICY
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
#
### INPUT
#$IPT -A INPUT -i $INET -m state --state NEW -p icmp -j DROP
$IPT -A INPUT -p icmp -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -i $LAN -j ACCEPT
$IPT -A INPUT -i $INET -s $vpn_client_ip -p tcp --dport 5000 -j ACCEPT
$IPT -A INPUT -i $INET -s $vpn_client_ip -p udp --dport 5000 -j ACCEPT
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $INET -d 0/0 -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -i $INET -d 0/0 -p tcp --dport 21 -j ACCEPT
$IPT -A INPUT -i $INET -d 0/0 -p udp --dport 21 -j ACCEPT
#
## PAKETS FORWARDING
$IPT -A FORWARD -i $INET -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i $LAN -o $INET -j ACCEPT
$IPT -A FORWARD -i $INET -d 0/0 -p tcp --dport 21 -j ACCEPT
$IPT -A FORWARD -i $INET -d 0/0 -p udp --dport 21 -j ACCEPT
#
## PORT FORWARDING
#$IPT -t nat -A PREROUTING -i $INET -p udp --dport 21 -j DNAT --to 192.168.1.30:21
#
## N.A.T.
$IPT -t nat -A POSTROUTING -o $INET -j MASQUERADE
#
### VPN Server
killall -KILL vtund
sleep 5
/usr/local/sbin/vtund -s
#
-------------------------------------------------
------------------------------------------------------------------------------------------
-------------------------
client:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.1 * 255.255.255.255 UH 0 0 0 tun1
localnet * 255.255.255.128 U 0 0 0 eth1
192.168.3.0 * 255.255.255.0 U 0 0 0 eth0
192.168.1.0 10.0.0.2 255.255.255.0 UG 0 0 0 tun1
loopback * 255.0.0.0 U 0 0 0 lo
default x.y.z.129 0.0.0.0 UG 1 0 0 eth1
------------------------------------------------------------------------------------------
-------------------------
# Client config
options {
port 5000;
timeout 60;
ifconfig /sbin/ifconfig;
route /sbin/route;
}
vpn {
passwd xxxxxxx;
device tun1;
persist yes;
up {
ifconfig "%% 10.0.0.2 pointopoint 10.0.0.1 mtu 1450";
route "add -net 192.168.1.0 netmask 255.255.255.0 gw 10.0.0.1";
};
}
-----------------------------------------------------------
rc.local:
---------------------
#!/bin/sh
#
echo 1 > /proc/sys/net/ipv4/ip_forward
IPT=/usr/sbin/iptables
INET=eth1
LAN=eth0
#
## clean rules
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
#
## settin policy
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
#
### input rules
#
## icmp
#$IPT -A INPUT -i $INET -p icmp -m state --state NEW -j DROP
$IPT -A INPUT -p icmp -j ACCEPT
$IPT -A INPUT -i $INET -p icmp --icmp-type 8 -m limit --limit 3/minute --limit-burst 3 -j ACCEPT
#
# invalid packets
$IPT -A INPUT -f -j DROP
$IPT -A INPUT -m state --state INVALID -j DROP
#
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -i $LAN -j ACCEPT
$IPT -A INPUT -i $INET -s $vpn_server_ip -p tcp --dport 5000 -j ACCEPT
$IPT -A INPUT -i $INET -s $vpn_server_ip -p udp --dport 5000 -j ACCEPT
$IPT -A INPUT -i $INET -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $INET -d 0/0 -p tcp --dport 22 -j ACCEPT
#
## paket forwarding
$IPT -A FORWARD -i $INET -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i $LAN -o $INET -j ACCEPT
#
## NAT
$IPT -t nat -A POSTROUTING -o $INET -j MASQUERADE
#
## mangle
$IPT -t mangle -A PREROUTING -p tcp --dport 22 -j TOS --set-tos 0x10
#
### VPN CLIENT
killall vtund
sleep 5
/usr/local/sbin/vtund vpn $vpn_server_ip
#
-------------------------------------------------
Титла: vtund problem
Публикувано от: в Apr 22, 2004, 17:31
Щом тунела се вдига т.е. имаш 10.0.0.1 P-t-P 10.0.0.2 проблема не е в него. FORWARD трябва да разрешиш дали на цяло или с отделно правило ... ти си решаваш. Какъв е default gw на машините в затворените мрежи ако е нещо различно от 192.168.1(3).1 трябва да им се каже че 192.168.1(3).0/24 са зад 192.168.1(3).1.
Успех
Успех
Титла: vtund problem
Публикувано от: в Apr 23, 2004, 20:55
благодаря за отговора.
подкарах тунела, имам пинг, сега проблемът е че Counter-a не открива сървъри в другата част на мрежата.
пинга минава без грижи, също и шеринга...
подкарах тунела, имам пинг, сега проблемът е че Counter-a не открива сървъри в другата част на мрежата.
пинга минава без грижи, също и шеринга...