From: Вадим Илларионов
To: sysadmins@lists.altlinux.org
Date: Wed, 20 Sep 2006 17:24:01 +0900
Organization: Усолье-Сибирский почтамт
Subject: [Sysadmins] PPtP & protocol 47 unreachable

I'm trying to bring up a tunnel between a D-Link DSL-562T ADSL router and the gateway over the terrestrial link (there is also a satellite one). In the client settings on the router I set:
======================================
Server IP/Name - gateway_terrestrial_IP
Route Target - 192.168.1.0 (one of the gateway's internal subnets)
Route Mask - 255.255.255.0
PPTP Account - РРТРuser
PPTP Password - РРТРpass
MPPE Encryption - disabled

Then on the gateway (Compact-3.0 with updates and backports):
======================================================
echo "РРТРuser pptpd РРТРpass" >> /etc/ppp/pap-secrets

Contents of /etc/ppp/options.pptpd:
==================================
name pptpd
require-pap
ms-wins 192.168.0.253
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd

Contents of /etc/pptpd.conf:
===========================
option /etc/ppp/options.pptpd
logwtmp
localip 192.168.1.254
remoteip 192.168.1.100-111
listen $External_IP

Added a route over the terrestrial link to the ADSL router:
========================================
route add -host $ADSL_IP gw 195.46.116.239

Routing table:
==================
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.66.254  0.0.0.0         255.255.255.255 UH    0      0        0 tun0
82.211.136.2    195.46.116.239  255.255.255.255 UGH   0      0        0 ppp0
195.46.116.239  0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
$ADSL_IP        195.46.116.239  255.255.255.255 UGH   0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 pkd
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 lan
0.0.0.0         192.168.66.254  0.0.0.0         UG    0      0        0 tun0

tun0 is the OpenVPN tunnel to the satellite provider.

service iptables status
#################
# Table: nat
#################
Chain PREROUTING (policy ACCEPT 323K packets, 33M bytes)
 pkts bytes target     prot opt in     out     source               destination
   74  3652 REDIRECT   tcp  --  lan    *       0.0.0.0/0           !192.168.0.254       tcp dpt:21 redir ports 2121
67432 3287K REDIRECT   tcp  --  lan    *       0.0.0.0/0           !192.168.0.254       multiport dports 80,8080,8081 redir ports 3128
    0     0 REDIRECT   tcp  --  pkd    *       0.0.0.0/0           !192.168.1.254       tcp dpt:21 redir ports 2121
67071 3219K REDIRECT   tcp  --  pkd    *       0.0.0.0/0           !192.168.1.254       multiport dports 80,8080,8081 redir ports 3128

Chain POSTROUTING (policy ACCEPT 355K packets, 19M bytes)
 pkts bytes target     prot opt in     out     source               destination
   20  1577 SNAT       all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           to:$External_IP
    0     0 SNAT       all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           to:$External_IP
 2255  120K SNAT       all  --  *      tun0    0.0.0.0/0            0.0.0.0/0           to:82.211.160.248
    0     0 ACCEPT     all  --  *      *       195.46.116.239       195.46.116.239

Chain OUTPUT (policy ACCEPT 471K packets, 26M bytes)
 pkts bytes target     prot opt in     out     source               destination

#################
# Table: filter
#################
Chain BLOCK (2 references)
 pkts bytes target     prot opt in     out     source               destination
 225K   11M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x16/0x02 limit: avg 1/sec burst 5
19543  782K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x04 limit: avg 1/sec burst 5
 5024  213K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 1/sec burst 5
  39M   11G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain INPUT (policy ACCEPT 3847K packets, 3164M bytes)
 pkts bytes target     prot opt in     out     source               destination
  33M 9211M BLOCK      all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1610  593K ACCEPT     udp  --  lan    *       0.0.0.0/0            0.0.0.0/0           udp spt:68 dpt:67
    1    40 ACCEPT     tcp  --  lan    *       192.168.0.253        0.0.0.0/0           tcp spt:389
  453  150K ACCEPT     udp  --  pkd    *       0.0.0.0/0            0.0.0.0/0           udp spt:68 dpt:67
 1117 61112 ACCEPT     47   --  ppp0   *       $ADSL_IP             $External_IP
   53  3180 ACCEPT     tcp  --  ppp0   *       $ADSL_IP             $External_IP        tcp dpt:1723
  140 60399 REJECT     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  dvb0_0 *       0.0.0.0/0            0.0.0.0/0           multiport dports 135:139,445,1025 reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  dvb0_0 *       0.0.0.0/0            0.0.0.0/0           multiport dports 135:139,445,1025 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 18938 packets, 2560K bytes)
 pkts bytes target     prot opt in     out     source               destination
  10M 4909M BLOCK      all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  lan    pkd     192.168.0.0/24       192.168.1.0/24      tcp spt:6502 dpt:6502
    0     0 ACCEPT     tcp  --  pkd    lan     192.168.1.0/24       192.168.0.0/24      tcp spt:6502 dpt:6502
   66  8976 ACCEPT     udp  --  lan    pkd     192.168.0.0/24       192.168.1.0/24      udp spt:6502 dpt:6502
    0     0 ACCEPT     udp  --  pkd    lan     192.168.1.0/24       192.168.0.0/24      udp spt:6502 dpt:6502
    0     0 ACCEPT     tcp  --  pkd    lan     192.168.1.0/24       192.168.0.253       tcp dpt:389
    0     0 ACCEPT     tcp  --  lan    pkd     192.168.0.253        192.168.1.0/24      tcp spt:389
    0     0 REJECT     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 43M packets, 17G bytes)
 pkts bytes target     prot opt in     out     source               destination
 1597  535K ACCEPT     udp  --  *      lan     0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
1251K  123M ACCEPT     tcp  --  *      lan     0.0.0.0/0            192.168.0.253       tcp dpt:389
  451  151K ACCEPT     udp  --  *      pkd     0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68

As a result, when the ADSL router tries to connect to the gateway, on the way out we see:
====================================================================
tcpdump -i ppp0 dst $ADSL_IP
17:08:59.223667 IP $External_IP.1723 > $ADSL_IP.4721: S 2065017132:2065017132(0) ack 3618307912 win 5808
17:08:59.251985 IP $External_IP.1723 > $ADSL_IP.4721: . ack 157 win 1452
17:08:59.282701 IP $External_IP.1723 > $ADSL_IP.4721: P 1:157(156) ack 157 win 1452: pptp CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1) ERR_CODE(0) FRAME_CAP() BEARER_CAP() MAX_CHAN(1) FIRM_REV(1) [|pptp]
17:09:00.274929 IP $External_IP.1723 > $ADSL_IP.4721: P 157:189(32) ack 325 win 1720: pptp CTRL_MSGTYPE=OCRP CALL_ID(43008) PEER_CALL_ID(4721) RESULT_CODE(1) ERR_CODE(0) CAUSE_CODE(0) CONN_SPEED(10000000) RECV_WIN(3) PROC_DELAY(0) PHY_CHAN_ID(0)
17:09:00.276216 IP $External_IP.1723 > $ADSL_IP.4721: F 189:189(0) ack 325 win 1720
17:09:00.296371 IP $External_IP.1723 > $ADSL_IP.4721: R 2065017322:2065017322(0) win 0
17:09:00.297002 IP $External_IP > $ADSL_IP: icmp 64: $External_IP protocol 47 unreachable

Please advise how to overcome this misfortune... And if any other blunders catch a fresh eye, I'll gratefully accept corrections.

________________________
Regards,
Вадим Илларионов
system administrator
Усолье-Сибирский почтамт
JID: see
UIN: 7899517
Phones: mobile +7 904 658-4154, work +7 39543 444-00
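An added example for reading the trace above (my code, not part of the post and not poptop's or ALT Linux's): a small Python parser for tcpdump lines of the shape quoted in the message, plus a check that says where an ICMP "protocol 47 unreachable" sent from the server's own address comes from. It rests on two facts: Linux answers an incoming packet with ICMP protocol-unreachable when no kernel handler or raw socket is bound to that IP protocol number, and in poptop the GRE (47) receiver for a call is the per-connection pptpctrl process, which lives only as long as the TCP/1723 control session. So when the trace shows OCRP accepted, then FIN/RST from the server, and only then the ICMP, the packet filter is not the first suspect (the INPUT chain in the post already counts 1117 packets on its "ACCEPT 47" rule); the call was torn down before any GRE could be delivered, and the pptpd/pppd log is the next place to look. The sample trace is constructed from the lines in the post, keeping the author's $External_IP and $ADSL_IP placeholders; the Event type and the diagnose/explain functions are my own names.

```python
# Parse a tcpdump trace of a PPTP control session and explain a
# 'protocol 47 unreachable' coming from the PPTP server's own address.
# Added example for the thread above; not code from the post or from poptop.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the tcpdump lines quoted in the post, with the
# author's $External_IP / $ADSL_IP placeholders kept as-is.
SAMPLE_TRACE = """\
17:08:59.223667 IP $External_IP.1723 > $ADSL_IP.4721: S 2065017132:2065017132(0) ack 3618307912 win 5808
17:08:59.251985 IP $External_IP.1723 > $ADSL_IP.4721: . ack 157 win 1452
17:08:59.282701 IP $External_IP.1723 > $ADSL_IP.4721: P 1:157(156) ack 157 win 1452: pptp CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1) ERR_CODE(0) FRAME_CAP() BEARER_CAP() MAX_CHAN(1) FIRM_REV(1) [|pptp]
17:09:00.274929 IP $External_IP.1723 > $ADSL_IP.4721: P 157:189(32) ack 325 win 1720: pptp CTRL_MSGTYPE=OCRP CALL_ID(43008) PEER_CALL_ID(4721) RESULT_CODE(1) ERR_CODE(0) CAUSE_CODE(0) CONN_SPEED(10000000) RECV_WIN(3) PROC_DELAY(0) PHY_CHAN_ID(0)
17:09:00.276216 IP $External_IP.1723 > $ADSL_IP.4721: F 189:189(0) ack 325 win 1720
17:09:00.296371 IP $External_IP.1723 > $ADSL_IP.4721: R 2065017322:2065017322(0) win 0
17:09:00.297002 IP $External_IP > $ADSL_IP: icmp 64: $External_IP protocol 47 unreachable
"""
SERVER_IP = "$External_IP"  # placeholder taken from the post, not a real address

# "ts IP src.sport > dst.dport: FLAGS ..." (TCP lines of the control session)
TCP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+)")
# "ts IP src > dst: icmp N: about protocol P unreachable"
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): icmp \d+: "
    r"(?P<about>\S+) protocol (?P<proto>\d+) unreachable")
CTRL_RE = re.compile(r"CTRL_MSGTYPE=(?P<msg>\w+)")
RESULT_RE = re.compile(r"RESULT_CODE\((?P<code>\d+)\)")


@dataclass
class Event:
    ts: str                       # tcpdump HH:MM:SS.ffffff, zero-padded
    kind: str                     # "tcp" (control session) or "icmp"
    src: str
    dst: str
    flags: str = ""               # TCP flags as tcpdump prints them: S P F R .
    ctrl: Optional[str] = None    # decoded PPTP control message type, if any
    result: Optional[int] = None  # its RESULT_CODE (1 = success for SCCRP/OCRP)
    proto: Optional[int] = None   # IP protocol named by an ICMP unreachable


def parse_trace(text: str) -> List[Event]:
    """Turn tcpdump lines into Event records; lines of other shapes are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = ICMP_RE.match(line)
        if m:
            events.append(Event(m["ts"], "icmp", m["src"], m["dst"],
                                proto=int(m["proto"])))
            continue
        m = TCP_RE.match(line)
        if m:
            c = CTRL_RE.search(line)
            r = RESULT_RE.search(line)
            events.append(Event(m["ts"], "tcp", m["src"], m["dst"], m["flags"],
                                ctrl=c["msg"] if c else None,
                                result=int(r["code"]) if r else None))
    return events


def diagnose(events: List[Event], server_ip: str) -> Dict[str, object]:
    """Relate the control-session teardown to the GRE unreachable.

    Linux sends ICMP protocol-unreachable when nothing on the host is bound to
    the packet's IP protocol; with poptop that GRE receiver is the per-call
    pptpctrl process, alive only while the TCP/1723 session is open.
    """
    ctrl = [e for e in events if e.kind == "tcp"]
    accepted = [e for e in ctrl if e.ctrl == "OCRP" and e.result == 1]
    closed = [e for e in ctrl
              if e.src == server_ip and ("F" in e.flags or "R" in e.flags)]
    gre_unreach = [e for e in events
                   if e.kind == "icmp" and e.proto == 47 and e.src == server_ip]
    verdict: Dict[str, object] = {
        "server_gre_unreachable": bool(gre_unreach),
        "call_accepted": bool(accepted),
        "control_closed_by_server": bool(closed),
        "closed_before_gre": False,
        "last_ctrl_msg": next((e.ctrl for e in reversed(ctrl) if e.ctrl), None),
    }
    if gre_unreach and closed:
        # same-day, zero-padded timestamps compare correctly as strings
        verdict["closed_before_gre"] = closed[0].ts < gre_unreach[0].ts
    return verdict


def explain(v: Dict[str, object]) -> str:
    """One-line human reading of the verdict."""
    if not v["server_gre_unreachable"]:
        return "no GRE protocol-unreachable from the server in this trace"
    if v["closed_before_gre"]:
        return ("server accepted the call (last control msg %s) but closed the "
                "TCP/1723 session before GRE arrived; with pptpctrl gone nothing "
                "owns protocol 47, so the kernel rejects GRE. Check the pptpd/pppd "
                "log for why the session ended." % v["last_ctrl_msg"])
    return ("GRE rejected while the control session was still open: look for a "
            "filter on protocol 47 or a missing GRE receiver on the host")


if __name__ == "__main__":
    print(explain(diagnose(parse_trace(SAMPLE_TRACE), SERVER_IP)))
```

Run it on a saved `tcpdump -i ppp0 dst <server>` capture in place of SAMPLE_TRACE; the verdict dictionary is what to compare across attempts (for example after changing pptpd options). Separately from the tunnel problem: with require-pap and MPPE disabled, the PAP password and the PPP payload both cross the terrestrial link unencrypted, so if this tunnel is meant to protect anything, that combination is worth revisiting once it comes up.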