OpenVPN и проброс портов

Question

vetash @vetash

OpenVPN и проброс портов

Доброго времени суток! Необходимо решение следующей задачи:
Имеется:
сеть #1 - 192.168.21.0/29
сеть #2 - 192.168.20.0/16 (!)
сервер (debian 7)
ETH0 192.168.20.55/16
ETH1 192.168.21.132/29
TUN0 10.8.0.1 (Openvpn сервер)
Клиент #1
ETH0 192.168.20.33/16
TUN0 10.8.0.2 (OpenVPN клиент)

Клиент Openvpn'ом подключается на сервер к по адресу 192.168.20.55. Необходимо сделать так, чтобы соединения к 10.8.0.1 (TUN0 на сервере) по порту 564 переадресовывались на 192.168.21.130/29 (ETH1 на сервере) на тот же порт.
Основные рецепты по iptables не работают.

Вопрос задан более трёх лет назад
20930 просмотров

1 комментарий

Подписаться 3 Оценить 1 комментарий

vetash @vetash Автор вопроса

iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2014

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

cat /proc/sys/net/ipv4/ip_forward
1

default dev ppp0  scope link
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0  proto kernel  scope link  src 10.8.0.1
10.129.0.0 dev ppp0  proto kernel  scope link  src 172.16.0.23
192.168.0.0/16 dev eth0  proto kernel  scope link  src 192.168.20.55
192.168.20.1 dev eth0  scope link  src 192.168.20.55
192.168.21.128/29 dev eth1  proto kernel  scope link  src 192.168.21.132

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:15:17:22:05:c0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.20.55/16 brd 192.168.255.255 scope global eth0
    inet6 fe80::215:17ff:fe22:5c0/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:15:17:22:05:c1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.21.132/29 brd 192.168.21.135 scope global eth1
    inet6 fe80::215:17ff:fe22:5c1/64 scope link
       valid_lft forever preferred_lft forever
4: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1460 qdisc pfifo_fast state UNKNOWN qlen 3
    link/ppp
    inet 172.16.0.23 peer 10.129.0.0/32 scope global ppp0
6: vboxnet0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 0a:00:27:00:00:00 brd ff:ff:ff:ff:ff:ff
13: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0

Написано более трёх лет назад

iptables -L --line-numbers Chain INPUT (policy ACCEPT) num target prot opt source destination 1 ACCEPT tcp -- anywhere anywhere tcp dpt:2014 Chain FORWARD (policy ACCEPT) num target prot opt source destination Chain OUTPUT (policy ACCEPT) num target prot opt source destination

cat /proc/sys/net/ipv4/ip_forward
1

default dev ppp0 scope link 10.8.0.0/24 via 10.8.0.2 dev tun0 10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1 10.129.0.0 dev ppp0 proto kernel scope link src 172.16.0.23 192.168.0.0/16 dev eth0 proto kernel scope link src 192.168.20.55 192.168.20.1 dev eth0 scope link src 192.168.20.55 192.168.21.128/29 dev eth1 proto kernel scope link src 192.168.21.132

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:15:17:22:05:c0 brd ff:ff:ff:ff:ff:ff inet 192.168.20.55/16 brd 192.168.255.255 scope global eth0 inet6 fe80::215:17ff:fe22:5c0/64 scope link valid_lft forever preferred_lft forever 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:15:17:22:05:c1 brd ff:ff:ff:ff:ff:ff inet 192.168.21.132/29 brd 192.168.21.135 scope global eth1 inet6 fe80::215:17ff:fe22:5c1/64 scope link valid_lft forever preferred_lft forever 4: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1460 qdisc pfifo_fast state UNKNOWN qlen 3 link/ppp inet 172.16.0.23 peer 10.129.0.0/32 scope global ppp0 6: vboxnet0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000 link/ether 0a:00:27:00:00:00 brd ff:ff:ff:ff:ff:ff 13: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100 link/none inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0

Answer 1 · 2014-01-28 15:53:42

Всё должно работать.

# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -A INPUT -i tun0 -p tcp --dport 564 -j ACCEPT
# iptables -t nat -A PREROUTING -p tcp -i tun0 --dport 564 -j DNAT --to-destination 192.168.21.130:564

OpenVPN и проброс портов

Войдите на сайт