Goal: set up a VPN server at home and connect to my own network from work, so that I have my own internet access with my own set of open ports, since ports at work are restricted. At work I connect to the work VPN (after connecting, internet access is available through a proxy), and then I create one more connection to the home VPN.
The VPN is set up and working. The Windows client connects to the server over the VPN and even sees the server and its resources.
What's more, tracert builds a sensible route through the VPN, for example to www.ya.ru:
Трассировка маршрута к ya.ru [213.180.204.8]
с максимальным числом прыжков 30:
1 26 ms 26 ms 28 ms internal-rfc1918.hn.nnov.stream.ru [10.0.0.1]
2 25 ms 25 ms 27 ms internal-rfc1918.hn.nnov.stream.ru [192.168.1.1] # home machine
3 39 ms 37 ms 39 ms 95-37-0-1.dynamic.mts-nn.ru [95.37.0.1]
4 32 ms 31 ms 45 ms 79.126.125.1
5 32 ms 33 ms 31 ms 79.126.126.162
6 38 ms 39 ms 63 ms xe210-301.RT.V10.MSK.RU.retn.net [87.245.244.5]
7 39 ms 39 ms 41 ms GW-Yandex.retn.net [87.245.253.26]
8 49 ms 47 ms 47 ms ya.ru [213.180.204.8]
Трассировка завершена.
BUT... not everything is so rosy. Ping I can, but the browser cannot get out to the internet. When I enter an address it hangs and stays silent for a while. It feels as if the packets from me (the Windows machine) leave through the VPN but don't know where to return :(
I have a feeling it's something with routing or iptables, but what?
Here is my iptables script:
###########################################################################
#
# 1. Configuration options.
#
#
# 1.1 Internet Configuration.
#
INET_IP="192.168.1.2"
INET_IFACE="eth0"
INET_BROADCAST="192.168.0.255"
#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#
LAN_IP="192.168.0.1"
LAN_IP_RANGE="192.168.0.0/16"
LAN_IFACE="eth1"
#
# 1.4 Localhost Configuration.
#
LO_IFACE="lo"
LO_IP="127.0.0.1"
#
# 1.5 IPTables Configuration.
#
IPTABLES="/sbin/iptables"
#
# 1.6 Owner match configuration
#
# NOTE: the posted script uses $TORRENT_EXT_PID in the owner-match rules
# below but never sets it; with an empty value iptables rejects every
# "-m owner --uid-owner" rule. The value here is a placeholder: set it to
# the uid (or user name) the torrent client runs as.
TORRENT_EXT_PID="torrent"
#
# 1.7 Air Network Configuration
#
WIFI_IP="192.168.2.1"
WIFI_IP_RANGE="192.168.2.0/16"
WIFI_IFACE="ath0"
#
# 1.8 VPN Network Configuration
#
VPN_IP="10.0.0.1"
VPN_IP_RANGE="10.0.0.0/24"
VPN_IFACE="ppp0"
###########################################################################
#
# 2. Module loading.
#
#
# Needed to initially load modules
#
/sbin/depmod -a
#
# 2.1 Required modules
#
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ipt_owner
#/sbin/modprobe ip_nat_pptp
#
# 2.2 Non-Required modules
#
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc
###########################################################################
#
# 3. /proc set up.
#
#
# 3.1 Required proc configuration
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# 3.2 Non-Required proc configuration
#
#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
###########################################################################
#
# 4. rules set up.
#
######
# 4.1 Filter table
#
#
# 4.1.1 Set policies
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# 4.1.2 Create userspecified chains
#
#
# Create chain for bad tcp packets
#
$IPTABLES -N bad_tcp_packets
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets
#
#Create chain for out tcp packets
$IPTABLES -N out_tcp_packets
#Сэнди
$IPTABLES -A out_tcp_packets -p tcp -d 193.125.70.0/23 -m owner --uid-owner $TORRENT_EXT_PID -j ACCEPT
$IPTABLES -A out_tcp_packets -p tcp -d 194.190.176.0/20 -m owner --uid-owner $TORRENT_EXT_PID -j ACCEPT
$IPTABLES -A out_tcp_packets -p tcp -d 195.122.224.0/19 -m owner --uid-owner $TORRENT_EXT_PID -j ACCEPT
$IPTABLES -A out_tcp_packets -p tcp -d 217.18.52.0/23 -m owner --uid-owner $TORRENT_EXT_PID -j ACCEPT
$IPTABLES -A out_tcp_packets -p tcp -d 91.194.192.0/23 -m owner --uid-owner $TORRENT_EXT_PID -j ACCEPT
#Агенство деловой связи
$IPTABLES -A out_tcp_packets -p tcp -d 195.98.32.0/19 -m owner --uid-owner $TORRENT_EXT_PID -j ACCEPT
$IPTABLES -A out_tcp_packets -p tcp -d 212.92.128.0/18 -m owner --uid-owner $TORRENT_EXT_PID -j ACCEPT
$IPTABLES -A out_tcp_packets -p tcp -d 217.118.93.0/24 -m owner --uid-owner $TORRENT_EXT_PID -j ACCEPT
$IPTABLES -A out_tcp_packets -p tcp -d 89.189.0.0/19 -m owner --uid-owner $TORRENT_EXT_PID -j ACCEPT
$IPTABLES -A out_tcp_packets -p tcp -d 92.242.64.0/19 -m owner --uid-owner $TORRENT_EXT_PID -j ACCEPT
#НижегородТелесервис
$IPTABLES -A out_tcp_packets -p tcp -d 78.40.184.0/21 -m owner --uid-owner $TORRENT_EXT_PID -j ACCEPT
$IPTABLES -A out_tcp_packets -p tcp -d 217.23.16.0/20 -m owner --uid-owner $TORRENT_EXT_PID -j ACCEPT
#ННГУ
$IPTABLES -A out_tcp_packets -p tcp -d 85.143.0.0/20 -m owner --uid-owner $TORRENT_EXT_PID -j ACCEPT
$IPTABLES -A out_tcp_packets -p tcp -d 89.28.199.0/24 -m owner --uid-owner $TORRENT_EXT_PID -j ACCEPT
#ЗАО НИС
$IPTABLES -A out_tcp_packets -p tcp -d 212.67.0.0/19 -m owner --uid-owner $TORRENT_EXT_PID -j ACCEPT
$IPTABLES -A out_tcp_packets -p tcp -d 92.246.128.0/19 -m owner --uid-owner $TORRENT_EXT_PID -j ACCEPT
#ООО ПСС
$IPTABLES -A out_tcp_packets -p tcp -d 217.25.80.0/22 -m owner --uid-owner $TORRENT_EXT_PID -j ACCEPT
$IPTABLES -A out_tcp_packets -p tcp -d 85.91.192.0/21 -m owner --uid-owner $TORRENT_EXT_PID -j ACCEPT
#Волгателеком
$IPTABLES -A out_tcp_packets -p tcp -d 213.177.96.6/32 -m owner --uid-owner $TORRENT_EXT_PID -j DROP
$IPTABLES -A out_tcp_packets -p tcp -d 213.177.96.8/32 -m owner --uid-owner $TORRENT_EXT_PID -j DROP
$IPTABLES -A out_tcp_packets -p tcp -d 213.177.96.9/32 -m owner --uid-owner $TORRENT_EXT_PID -j DROP
$IPTABLES -A out_tcp_packets -p tcp -d 213.177.96.221/32 -m owner --uid-owner $TORRENT_EXT_PID -j DROP
$IPTABLES -A out_tcp_packets -p tcp -d 213.177.97.26/32 -m owner --uid-owner $TORRENT_EXT_PID -j DROP
$IPTABLES -A out_tcp_packets -p tcp -d 79.126.0.0/17 -m owner --uid-owner $TORRENT_EXT_PID -j ACCEPT
$IPTABLES -A out_tcp_packets -p tcp -d 82.208.64.0/18 -m owner --uid-owner $TORRENT_EXT_PID -j ACCEPT
$IPTABLES -A out_tcp_packets -p tcp -d 89.109.0.0/18 -m owner --uid-owner $TORRENT_EXT_PID -j ACCEPT
$IPTABLES -A out_tcp_packets -p tcp -d 93.120.128.0/17 -m owner --uid-owner $TORRENT_EXT_PID -j ACCEPT
$IPTABLES -A out_tcp_packets -p tcp -d 213.177.96.0/19 -m owner --uid-owner $TORRENT_EXT_PID -j ACCEPT
#
# 4.1.3 Create content in userspecified chains
#
#
# bad_tcp_packets chain
#
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
# allowed chain
#
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# TCP rules
#
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 20 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 40890 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 40891 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 2710 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 1723 -j allowed
#
# UDP ports
#
#$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 123 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 2074 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 4000 -j ACCEPT
#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
#
$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST \
--destination-port 135:139 -j DROP
#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#
#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \
#--destination-port 67:68 -j DROP
#
# ICMP rules
#
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#
# 4.1.4 INPUT chain
#
#
# Bad TCP packets we don't want.
#
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
#
# Rules for special networks not part of the Internet
#
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $WIFI_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $WIFI_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $WIFI_IFACE -s $WIFI_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $VPN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $WIFI_IFACE -s $VPN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $VPN_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $VPN_IFACE -s $VPN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $VPN_IFACE -s $LAN_IP -j ACCEPT
#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#
$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
$IPTABLES -A INPUT -p UDP -i $WIFI_IFACE --dport 67 --sport 68 -j ACCEPT
#
# Rules for incoming packets from the internet.
#
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p 47 -i $INET_IFACE -j ACCEPT
#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#
#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP
#
# Log weird packets that don't match the above.
#
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "
#
# 4.1.5 FORWARD chain
#
#
# Bad TCP packets we don't want
#
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
#
# Accept the packets we actually want to forward
#
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $WIFI_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $VPN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Log weird packets that don't match the above.
#
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "
#
# 4.1.6 OUTPUT chain
#
#
# Bad TCP packets we don't want.
#
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
#
# Special OUTPUT rules to decide which IP's to allow.
#
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $WIFI_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $VPN_IP_RANGE -j ACCEPT
$IPTABLES -A OUTPUT -p TCP -s $INET_IP -j out_tcp_packets
$IPTABLES -A OUTPUT -p TCP -s $INET_IP --dport 80 -m owner --uid-owner $TORRENT_EXT_PID -j ACCEPT
$IPTABLES -A OUTPUT -p TCP -s $INET_IP --dport 53 -m owner --uid-owner $TORRENT_EXT_PID -j ACCEPT
$IPTABLES -A OUTPUT -p UDP -s $INET_IP --dport 53 -m owner --uid-owner $TORRENT_EXT_PID -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -m owner --uid-owner $TORRENT_EXT_PID -j DROP
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
#
# Log weird packets that don't match the above.
#
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
######
# 4.2 nat table
#
#
# 4.2.1 Set policies
#
#
# 4.2.2 Create user specified chains
#
#
# 4.2.3 Create content in user specified chains
#
#
# 4.2.4 PREROUTING chain
#
#
# 4.2.5 POSTROUTING chain
#
#
# Enable simple IP Forwarding and Network Address Translation
#
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
#
# 4.2.6 OUTPUT chain
#
######
# 4.3 mangle table
#
#
# 4.3.1 Set policies
#
#
# 4.3.2 Create user specified chains
#
#
# 4.3.3 Create content in user specified chains
#
#
# 4.3.4 PREROUTING chain
#
#
# 4.3.5 INPUT chain
#
#
# 4.3.6 FORWARD chain
#
#
# 4.3.7 OUTPUT chain
#
#
# 4.3.8 POSTROUTING chain
#
What is missing? Maybe something is superfluous? I would be very grateful for help, since my own head is already swelling :(
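The symptom described above (ICMP echo and tracert pass through the tunnel, but TCP sessions such as browser connections stall) is a common signature of an MTU/MSS problem on PPP-based VPNs, and the posted script leaves the mangle FORWARD chain (section 4.3.6) without any rules. The following is an added example, not code from the original post: it derives the TCP MSS from the tunnel MTU and emits TCPMSS clamp rules for that chain; the interface name and the fallback MTU of 1400 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: derive a TCP MSS from the
# tunnel MTU and emit TCPMSS clamp rules for the mangle FORWARD chain,
# which the posted script leaves empty (section 4.3.6).
# Assumption: a constructed default MTU of 1400 (typical for PPP tunnels)
# is used when the interface does not exist on the host running this.

# MSS = MTU minus the IPv4 header (20 bytes) and the TCP header (20 bytes).
mss_for_mtu() {
    mtu="$1"
    if [ "$mtu" -le 40 ]; then
        echo "mss_for_mtu: MTU too small: $mtu" >&2
        return 1
    fi
    echo $((mtu - 40))
}

# Read an interface MTU from sysfs, or fall back to the given default.
iface_mtu() {
    iface="$1"; default="${2:-1400}"
    if [ -r "/sys/class/net/$iface/mtu" ]; then
        cat "/sys/class/net/$iface/mtu"
    else
        echo "$default"
    fi
}

# Print (without applying) one clamp rule per direction. Only SYN packets
# carry the MSS option, hence the SYN,RST SYN flag match. --set-mss is the
# explicit form; --clamp-mss-to-pmtu can be used instead when ICMP
# "fragmentation needed" messages are known to reach the tunnel.
mss_clamp_rules() {
    vpn_iface="$1"; mss="$2"; iptables="${3:-/sbin/iptables}"
    for dir in -i -o; do
        printf '%s -t mangle -A FORWARD %s %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss %s\n' \
            "$iptables" "$dir" "$vpn_iface" "$mss"
    done
}

# Apply the rules for a tunnel interface (needs root). With DRY_RUN=1 the
# commands are printed instead of executed.
apply_mss_clamp() {
    vpn_iface="$1"
    mss=$(mss_for_mtu "$(iface_mtu "$vpn_iface")") || return 1
    mss_clamp_rules "$vpn_iface" "$mss" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else eval "$cmd"; fi
    done
}
```

Run `DRY_RUN=1 apply_mss_clamp ppp0` on the server first to see the two rules that would be added; `ip link show ppp0` shows the actual tunnel MTU the MSS is derived from.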