Ich habe die folgenden 2 Debian-Server in meinem Szenario: Der erste ist mein Haupt-OpenVPN-Server, er hat 2 aktive NICS eth0 (172.25.156.146) und eth3 (172.26.16.1) – Der zweite Server hat auch 2 aktive NICS eth0 172.26.16.16 und eth1 10.77.144.75. Beide Server sind direkt über 172.26.16.0/24 verbunden.
Auf einige Dienste/Server in meinem LAN kann nur vom 2. Server aus zugegriffen werden (daher die direkte Verbindung). Um diese internen Server/Dienste vom Hauptserver (172.25.156.146) aus zugänglich zu machen, wurden die folgenden Regeln aktiviert:
auf dem Hauptserver:
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 172.25.156.145 0.0.0.0 UG 0 0 0 eth0
10.77.144.0 172.26.16.16 255.255.255.0 UG 0 0 0 eth3 # internal servers range
10.250.250.0 0.0.0.0 255.255.255.0 U 0 0 0 tap3
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
172.16.16.0 0.0.0.0 255.255.255.0 U 0 0 0 tap1
172.17.17.0 0.0.0.0 255.255.255.0 U 0 0 0 tap5
172.25.132.0 172.25.156.145 255.255.255.128 UG 0 0 0 eth0
172.25.156.144 0.0.0.0 255.255.255.248 U 0 0 0 eth0
172.26.16.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3 #route back
zum zweiten Server
172.31.249.0 0.0.0.0 255.255.255.0 U 0 0 0 tap4
192.168.0.0 192.168.0.1 255.255.255.0 UG 0 0 0 tap6
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tap6
192.168.88.0 192.168.88.2 255.255.255.0 UG 0 0 0 tun0
192.168.88.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.200.0 192.168.200.1 255.255.255.0 UG 0 0 0 tap2
192.168.200.0 0.0.0.0 255.255.255.0 U 0 0 0 tap2
192.168.200.100 192.168.200.1 255.255.255.255 UGH 0 0 0 tap2
/proc/sys/net/ipv4/ip_forward = 1
iptables rules (even though it is not relevant)
Chain INPUT (policy ACCEPT 24M packets, 15G bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 16463 packets, 985K bytes)
pkts bytes target prot opt in out source destination
252 15593 ACCEPT all -- tun0 eth0 192.168.88.0/24 10.77.128.0/24 ctstate NEW
1671K 742M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- tun0 eth0 192.168.88.0/24 10.77.120.0/24 ctstate NEW
Chain OUTPUT (policy ACCEPT 16M packets, 18G bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.88.0/24 10.77.128.0/24 ctstate NEW
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.88.0/24 10.77.120.0/24 ctstate NEW
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
auf dem zweiten Server
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.0.0.0 10.77.144.1 255.0.0.0 UG 0 0 0 eth1
10.77.144.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1 # towards the internal servers
172.25.132.0 10.77.144.1 255.255.255.128 UG 0 0 0 eth1
172.26.16.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 # route back to the main server
192.168.88.0 172.26.16.1 255.255.255.0 UG 0 0 0 eth0
iptables-Regeln:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
DROP all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:telnet state NEW
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2330 127K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
41784 2293K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
14 840 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
947 149K DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4346 833K ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
9 512 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23 state NEW
0 0 ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
10620 879K ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1 eth1 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 47570 packets, 19M bytes)
pkts bytes target prot opt in out source destination
und die IP-Weiterleitung ist aktiviert.
Das Problem: Vom Hauptserver aus kann ich den internen Server nicht anpingen, vom zweiten Server aus schon. Für jede Hilfe bin ich sehr dankbar.
Antwort1
Das Folgende löste das obige Problem (wenn es auf dem zweiten Server ausgeführt wird):
root@armittage:~# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
root@armittage:~# iptables -A FORWARD -i eth1 -j ACCEPT
root@armittage:~# iptables -A FORWARD -i eth0 -j ACCEPT
root@armittage:~# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE –