ASP12 and masquerading

Author: alexander_nur Date: 26.06.2008 07:19

Good day.

I can't get masquerading working on ASP12.

Network settings:

eth0: IP 10.x.y.z, gw 10.x.y.1, netmask 255.255.240.0
eth1: IP 192.168.1.4, netmask 255.255.255.0

I need to reach 10.x.0.0 from 192.168.1.0.

To enable masquerading I enter:

iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE

Routing is enabled (ip_forward is "1" ;-)

192.168.1.4 hands out addresses on the eth1 interface side.

Clients in 192.168.1.0 receive IP addresses and the gateway address. However, any traceroute ends after 192.168.1.4.

Having done the same on ASP11/11.2, masquerading worked right away.
On ASP12 for some reason it does not work.

Please tell me what is wrong.
Re: ASP12 and masquerading 26.06.2008 16:30 kompany

Let's see your
ifconfig
and
iptables-save
Re: ASP12 and masquerading 30.06.2008 07:18 alexander_nur

$ ifconfig

eth0 Link encap:Ethernet HWaddr 00:1C:C4:AD:2B:F8
inet addr:10.50.230.4 Bcast:10.50.239.255 Mask:255.255.240.0
inet6 addr: fe80::21c:c4ff:fead:2bf8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:235893 errors:0 dropped:0 overruns:0 frame:0
TX packets:92567 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:119756207 (114.2 MiB) TX bytes:8715346 (8.3 MiB)
Interrupt:16 Base address:0x4000

eth1 Link encap:Ethernet HWaddr 00:1C:C4:AD:2B:F9
inet addr:192.168.1.4 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::21c:c4ff:fead:2bf9/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9642 errors:0 dropped:0 overruns:0 frame:0
TX packets:8044 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:754346 (736.6 KiB) TX bytes:23168130 (22.0 MiB)
Interrupt:17 Base address:0x4000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:10672 errors:0 dropped:0 overruns:0 frame:0
TX packets:10672 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:76838460 (73.2 MiB) TX bytes:76838460 (73.2 MiB)


$ iptables-save

# Generated by iptables-save v1.3.8 on Mon Jun 30 09:18:24 2008
*nat
:PREROUTING ACCEPT [92:14282]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
COMMIT
# Completed on Mon Jun 30 09:18:24 2008
# Generated by iptables-save v1.3.8 on Mon Jun 30 09:18:24 2008
*mangle
:PREROUTING ACCEPT [238:29435]
:INPUT ACCEPT [197:26408]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -j MARK --set-mark 0x9
COMMIT
# Completed on Mon Jun 30 09:18:24 2008
# Generated by iptables-save v1.3.8 on Mon Jun 30 09:18:24 2008
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1723 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 4011 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 69 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Jun 30 09:18:24 2008

$ cat /etc/sysconfig/iptables

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1723 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 4011 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 69 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -j MARK --set-mark 0x9
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
COMMIT
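Reading the dump above: the running filter table has exactly one FORWARD rule, `-A FORWARD -j REJECT --reject-with icmp-host-prohibited`, and neither the two FORWARD ACCEPT rules nor the `-o eth0` MASQUERADE typed in the first post appear anywhere; the nat table instead carries the mark-based MASQUERADE from /etc/sysconfig/iptables. A traceroute from the LAN that stops at 192.168.1.4 is exactly what a host-prohibited reject on the first hop looks like. The script below is an added example, not code from the thread: it walks an iptables-save dump and reports what the FORWARD chain does with traffic from the LAN and how the MASQUERADE rule is selected. The embedded dumps are constructed copies of the relevant tables from this post and of the three rules in the first post; the eth0 = upstream, eth1 = LAN roles are assumptions taken from the posted ifconfig.

```shell
#!/bin/sh
# Added example (not code from the thread): audit an iptables-save dump for
# the two things a masquerading gateway needs. Interface roles are
# assumptions taken from the posts above: eth0 upstream, eth1 the LAN.
WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24

# forward_verdict: read a dump on stdin and print the target of the first
# filter/FORWARD rule that can match traffic coming from the LAN (rules
# carrying no -i/-s/-d/-o restriction match everything); protocol and
# port matches are ignored, so this is a first-hit approximation.
forward_verdict() {
    awk -v lan="$LAN" -v net="$LAN_NET" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^:FORWARD / { policy = $2 }
        table == "filter" && $1 == "-A" && $2 == "FORWARD" && !done {
            specific = ($0 ~ /-i |-s |-d |-o /)
            if (!specific || index($0, "-i " lan) || index($0, "-s " net)) {
                for (i = 3; i <= NF; i++) if ($i == "-j") verdict = $(i + 1)
                done = 1
            }
        }
        END { print (done ? verdict : policy) }'
}

# masquerade_scope: print how the nat/POSTROUTING MASQUERADE is selected:
# "wan" (-o $WAN), "mark" (keyed on a mangle mark), "unscoped", or "none".
masquerade_scope() {
    awk -v wan="$WAN" '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && $1 == "-A" && $2 == "POSTROUTING" && /-j MASQUERADE/ {
            if (index($0, "-o " wan))      print "wan"
            else if (index($0, "-m mark")) print "mark"
            else                           print "unscoped"
            found = 1; exit
        }
        END { if (!found) print "none" }'
}

# diagnose DUMP: one line per finding; returns 0 only if LAN traffic is
# both forwarded and masqueraded.
diagnose() {
    rc=0
    fv=$(printf '%s\n' "$1" | forward_verdict)
    if [ "$fv" = ACCEPT ]; then
        echo "ok: FORWARD accepts traffic from $LAN_NET"
    else
        echo "problem: FORWARD verdict for $LAN_NET is $fv; packets die on the gateway"
        rc=1
    fi
    case "$(printf '%s\n' "$1" | masquerade_scope)" in
        wan)      echo "ok: MASQUERADE limited to -o $WAN" ;;
        mark)     echo "note: MASQUERADE keyed on a mangle MARK; works only while the MARK rule exists" ;;
        unscoped) echo "warning: MASQUERADE applies on every interface, including $LAN" ;;
        none)     echo "problem: no MASQUERADE rule in nat POSTROUTING"; rc=1 ;;
    esac
    return $rc
}

# Constructed input 1: the relevant tables of the dump posted above.
POSTED_DUMP='*nat
:PREROUTING ACCEPT [92:14282]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [238:29435]
:FORWARD ACCEPT [0:0]
-A PREROUTING -i eth1 -j MARK --set-mark 0x9
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed input 2: the three rules from the first post, as iptables-save
# would print them if they were the running ruleset.
TYPED_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -j ACCEPT
COMMIT'

if [ "${1:-}" = live ]; then
    diagnose "$(iptables-save)"          # run as root on the gateway itself
else
    echo "== ruleset as saved on the box"
    diagnose "$POSTED_DUMP" || echo "=> LAN traffic never leaves the gateway"
    echo "== rules from the first post"
    diagnose "$TYPED_DUMP"
fi
```

Run it with no arguments to see both verdicts side by side, or as root with `live` to audit the running tables. The mark-based MASQUERADE is not what stops the traffic here; the REJECT in FORWARD is, and the rules typed at the prompt are simply no longer loaded.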
Re: ASP12 and masquerading 30.06.2008 14:16 kompany

Run a traceroute to those 10.x.0.0 addresses from the machine on which you have iptables set up for masquerading, and then simplify the configuration file /etc/sysconfig/iptables itself.
"RH-Firewall-1-INPUT" is equivalent to the "INPUT" chain, so it can simply be removed.
---
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT

-A INPUT -i eth0 -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT

# etc.

COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth+ -j MASQUERADE

# etc.
COMMIT


---
And then make the config more elaborate as you need.

And after changes don't forget to run, as root:
---
service iptables restart
---
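The three rules in the first post and the simplified /etc/sysconfig/iptables above are the same procedure: let forwarded traffic through, masquerade it on the upstream interface, keep ip_forward on. The script below is an added example, not anything posted in the thread, that generates that ruleset in iptables-restore format and can load it. It differs from the posted file in three places worth noting: MASQUERADE is restricted to `-o eth0 -s 192.168.1.0/24` (the posted `-o eth+` also rewrites packets routed back into the LAN), FORWARD is stateful (LAN may open connections outward, the WAN side only gets ESTABLISHED,RELATED back), and INPUT has no `--tcp-flags SYN,RST,ACK SYN -j ACCEPT` or `-i eth0 -p udp -j ACCEPT` catch-all, since the first of those accepts every new TCP connection on every interface and makes the `--dport` rules after it dead. Interface names, the LAN prefix and the list of WAN-reachable TCP ports are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread): emit a stateful masquerading
# ruleset in iptables-restore format and, on request, load it. Interface
# names, the LAN prefix and the WAN-reachable ports below are assumptions
# taken from the thread's setup; override them from the environment.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
WAN_TCP_PORTS=${WAN_TCP_PORTS:-22}   # gateway services open to the WAN side

# gen_rules: print the complete ruleset to stdout.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN -s $LAN_NET -j ACCEPT
-A INPUT -p icmp -j ACCEPT
EOF
    # only the listed services are reachable from upstream; no
    # "accept every SYN" or "accept all UDP" catch-all before them
    for p in $WAN_TCP_PORTS; do
        echo "-A INPUT -i $WAN -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
COMMIT
EOF
}

# Checks on the generated text; these need no privileges.
rule_count() { gen_rules | grep -c '^-A '; }
has_rule()   { gen_rules | grep -Fxq -- "$1"; }

# apply_rules: turn on forwarding and load the ruleset atomically.
# Must run as root. On a Red Hat-style init (which the
# system-config-securitylevel header in the posted file indicates) follow
# it with `service iptables save`; otherwise `service iptables restart`
# reloads the old /etc/sysconfig/iptables and these rules are gone.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: run as root" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
    gen_rules | iptables-restore
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

With no argument the script only prints the ruleset, so it can be redirected into /etc/sysconfig/iptables and activated with `service iptables restart` as the reply above says; `apply` loads it directly, after which `service iptables save` keeps it across restarts. This is the same reason rules typed at the prompt, as in the first post, vanish: the restart replaces the running tables with the saved file.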