Subject: [Comm] pptpd & protocol 47 unreachable
From: Вадим Илларионов
Date: 2006-09-20 13:23 UTC
To: community
Sorry for cross-posting, but in sysadmins@ I have, alas, had no reply in 5 hours.
I am trying to bring up a tunnel between a D-Link DSL-562T ADSL router and a gateway
over the terrestrial link (there is also a satellite one).
In the client settings on the router I specified:
======================================
Server IP/Name - terrestrial_gateway_IP
Route Target - 192.168.1.0 (one of the gateway's internal subnets)
Route Mask - 255.255.255.0
PPTP Account - РРТРuser
PPTP Password - РРТРpass
MPPE Encryption - disabled
Then on the gateway (Compact-3.0 with updates and backports):
======================================================
echo "РРТРuser pptpd РРТРpass" >> /etc/ppp/pap-secrets
Contents of /etc/ppp/options.pptpd:
==================================
name pptpd
require-pap
ms-wins 192.168.0.253
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd
Contents of /etc/pptpd.conf:
===========================
option /etc/ppp/options.pptpd
logwtmp
localip 192.168.1.254
remoteip 192.168.1.100-111
listen $External_IP
Added a terrestrial route to the ADSL router:
========================================
route add -host $ADSL_IP gw 195.46.116.239
Routing table:
==================
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
192.168.66.254  0.0.0.0         255.255.255.255 UH    0      0   0   tun0
82.211.136.2    195.46.116.239  255.255.255.255 UGH   0      0   0   ppp0
195.46.116.239  0.0.0.0         255.255.255.255 UH    0      0   0   ppp0
$ADSL_IP        195.46.116.239  255.255.255.255 UGH   0      0   0   ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0   0   pkd
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0   0   lan
0.0.0.0         192.168.66.254  0.0.0.0         UG    0      0   0   tun0
tun0 is the OpenVPN tunnel to the satellite provider
service iptables status
#################
# Table: nat
#################
Chain PREROUTING (policy ACCEPT 323K packets, 33M bytes)
 pkts bytes target prot opt in out source destination
   74  3652 REDIRECT tcp -- lan * 0.0.0.0/0 !192.168.0.254 tcp dpt:21 redir ports 2121
67432 3287K REDIRECT tcp -- lan * 0.0.0.0/0 !192.168.0.254 multiport dports 80,8080,8081 redir ports 3128
    0     0 REDIRECT tcp -- pkd * 0.0.0.0/0 !192.168.1.254 tcp dpt:21 redir ports 2121
67071 3219K REDIRECT tcp -- pkd * 0.0.0.0/0 !192.168.1.254 multiport dports 80,8080,8081 redir ports 3128
Chain POSTROUTING (policy ACCEPT 355K packets, 19M bytes)
 pkts bytes target prot opt in out source destination
   20  1577 SNAT all -- * ppp0 0.0.0.0/0 0.0.0.0/0 to:$External_IP
    0     0 SNAT all -- * ppp0 0.0.0.0/0 0.0.0.0/0 to:$External_IP
 2255  120K SNAT all -- * tun0 0.0.0.0/0 0.0.0.0/0 to:82.211.160.248
    0     0 ACCEPT all -- * * 195.46.116.239 195.46.116.239
Chain OUTPUT (policy ACCEPT 471K packets, 26M bytes)
 pkts bytes target prot opt in out source destination
#################
# Table: filter
#################
Chain BLOCK (2 references)
 pkts bytes target prot opt in out source destination
 225K   11M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 1/sec burst 5
19543  782K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5
 5024  213K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5
  39M   11G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain INPUT (policy ACCEPT 3847K packets, 3164M bytes)
 pkts bytes target prot opt in out source destination
  33M 9211M BLOCK all -- * * 0.0.0.0/0 0.0.0.0/0
 1610  593K ACCEPT udp -- lan * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
    1    40 ACCEPT tcp -- lan * 192.168.0.253 0.0.0.0/0 tcp spt:389
  453  150K ACCEPT udp -- pkd * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
 1117 61112 ACCEPT 47 -- ppp0 * $ADSL_IP $External_IP
   53  3180 ACCEPT tcp -- ppp0 * $ADSL_IP $External_IP tcp dpt:1723
  140 60399 REJECT all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
    0     0 REJECT tcp -- dvb0_0 * 0.0.0.0/0 0.0.0.0/0 multiport dports 135:139,445,1025 reject-with icmp-port-unreachable
    0     0 REJECT udp -- dvb0_0 * 0.0.0.0/0 0.0.0.0/0 multiport dports 135:139,445,1025 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 18938 packets, 2560K bytes)
 pkts bytes target prot opt in out source destination
  10M 4909M BLOCK all -- * * 0.0.0.0/0 0.0.0.0/0
    0     0 ACCEPT tcp -- lan pkd 192.168.0.0/24 192.168.1.0/24 tcp spt:6502 dpt:6502
    0     0 ACCEPT tcp -- pkd lan 192.168.1.0/24 192.168.0.0/24 tcp spt:6502 dpt:6502
   66  8976 ACCEPT udp -- lan pkd 192.168.0.0/24 192.168.1.0/24 udp spt:6502 dpt:6502
    0     0 ACCEPT udp -- pkd lan 192.168.1.0/24 192.168.0.0/24 udp spt:6502 dpt:6502
    0     0 ACCEPT tcp -- pkd lan 192.168.1.0/24 192.168.0.253 tcp dpt:389
    0     0 ACCEPT tcp -- lan pkd 192.168.0.253 192.168.1.0/24 tcp spt:389
    0     0 REJECT all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 43M packets, 17G bytes)
 pkts bytes target prot opt in out source destination
 1597  535K ACCEPT udp -- * lan 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
1251K  123M ACCEPT tcp -- * lan 0.0.0.0/0 192.168.0.253 tcp dpt:389
  451  151K ACCEPT udp -- * pkd 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
As a result, when the ADSL router tries to connect to the gateway, on the outbound side we see:
====================================================================
tcpdump -i ppp0 dst $ADSL_IP
17:08:59.223667 IP $External_IP.1723 > $ADSL_IP.4721: S 2065017132:2065017132(0) ack 3618307912 win 5808 <mss 1452,nop,nop,sackOK,nop,wscale 2>
17:08:59.251985 IP $External_IP.1723 > $ADSL_IP.4721: . ack 157 win 1452
17:08:59.282701 IP $External_IP.1723 > $ADSL_IP.4721: P 1:157(156) ack 157 win 1452: pptp CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1) ERR_CODE(0) FRAME_CAP() BEARER_CAP() MAX_CHAN(1) FIRM_REV(1) [|pptp]
17:09:00.274929 IP $External_IP.1723 > $ADSL_IP.4721: P 157:189(32) ack 325 win 1720: pptp CTRL_MSGTYPE=OCRP CALL_ID(43008) PEER_CALL_ID(4721) RESULT_CODE(1) ERR_CODE(0) CAUSE_CODE(0) CONN_SPEED(10000000) RECV_WIN(3) PROC_DELAY(0) PHY_CHAN_ID(0)
17:09:00.276216 IP $External_IP.1723 > $ADSL_IP.4721: F 189:189(0) ack 325 win 1720
17:09:00.296371 IP $External_IP.1723 > $ADSL_IP.4721: R 2065017322:2065017322(0) win 0
17:09:00.297002 IP $External_IP > $ADSL_IP: icmp 64: $External_IP protocol 47 unreachable
Please advise how to get past this trouble...
And should other flaws catch a fresh eye, I will gratefully accept corrections.
________________________
Regards,
Вадим Илларионов
system administrator
Усолье-Сибирский почтамт
JID: see <mailto:>
UIN: 7899517
Phones:
Mobile +7 904 658-4154
Work +7 39543 444-00
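The capture in the post ends with an ICMP message that the posted firewall cannot produce: every REJECT rule there uses icmp-port-unreachable (type 3, code 3), while "protocol 47 unreachable" is type 3, code 2, which the Linux IP stack sends on its own when a packet passes INPUT but no protocol handler and no raw socket is bound to that IP protocol (in PoPToP the per-connection pptpctrl process owns the raw GRE socket and closes it when it exits). The capture also shows the server sending FIN on the control connection about 21 ms before that ICMP. The parser below is an added example, not code from the original post or from the pptpd project: it reads tcpdump's old one-line format, reconstructs the control-channel sequence and classifies the GRE rejection by ICMP code. The RFC 5737 addresses stand in for $External_IP and $ADSL_IP, the first capture is constructed to mirror the posted one, and the second is a constructed contrast case showing what a REJECT rule's answer to the same GRE packet would look like.

```python
"""Reconstruct a PPTP call from tcpdump's old one-line output and classify the
GRE rejection.  Added example for this thread, not code from the original post;
the host addresses are RFC 5737 placeholders standing in for $External_IP and
$ADSL_IP, and both capture texts below are constructed."""
import re
from dataclasses import dataclass

SERVER, ROUTER = "203.0.113.1", "198.51.100.2"   # placeholders (assumption)

# Constructed sample: the posted sequence with the placeholder addresses.
CAPTURE = f"""\
17:08:59.223667 IP {SERVER}.1723 > {ROUTER}.4721: S 2065017132:2065017132(0) ack 3618307912 win 5808 <mss 1452,nop,nop,sackOK,nop,wscale 2>
17:08:59.251985 IP {SERVER}.1723 > {ROUTER}.4721: . ack 157 win 1452
17:08:59.282701 IP {SERVER}.1723 > {ROUTER}.4721: P 1:157(156) ack 157 win 1452: pptp CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1) ERR_CODE(0) FRAME_CAP() BEARER_CAP() MAX_CHAN(1) FIRM_REV(1) [|pptp]
17:09:00.274929 IP {SERVER}.1723 > {ROUTER}.4721: P 157:189(32) ack 325 win 1720: pptp CTRL_MSGTYPE=OCRP CALL_ID(43008) PEER_CALL_ID(4721) RESULT_CODE(1) ERR_CODE(0) CAUSE_CODE(0) CONN_SPEED(10000000) RECV_WIN(3) PROC_DELAY(0) PHY_CHAN_ID(0)
17:09:00.276216 IP {SERVER}.1723 > {ROUTER}.4721: F 189:189(0) ack 325 win 1720
17:09:00.296371 IP {SERVER}.1723 > {ROUTER}.4721: R 2065017322:2065017322(0) win 0
17:09:00.297002 IP {SERVER} > {ROUTER}: icmp 64: {SERVER} protocol 47 unreachable
"""

# Constructed contrast case: the same GRE packet answered by an iptables
# "REJECT --reject-with icmp-port-unreachable" rule (type 3, code 3).  For a
# quoted header that is neither TCP nor UDP, tcpdump prints bytes 2-3 as the
# "port"; for PPTP GRE that is the PPP protocol type 0x880B = 34827.
CAPTURE_FILTERED = f"""\
17:09:00.297002 IP {SERVER} > {ROUTER}: icmp 64: {SERVER} protocol 47 port 34827 unreachable
"""

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d(?:\.\d+)?) IP (\S+) > (\S+?): (.*)$")
CTRL_RE = re.compile(r"pptp CTRL_MSGTYPE=(\w+).*?RESULT_CODE\((\d+)\)")
ICMP_RE = re.compile(
    r"icmp \d+: \S+ (?:(tcp|udp) port (\d+)|protocol (\d+)(?: port (\d+))?) unreachable")


@dataclass
class Event:
    t: float           # seconds since midnight, from the timestamp
    src: str           # host.port for TCP, bare host for ICMP
    dst: str
    kind: str          # "tcp" or "icmp"
    flags: str = ""    # old-style TCP flag letter: S . P F R
    ctrl: str = ""     # PPTP control message type (SCCRP, OCRP, ...)
    result: int = -1   # its RESULT_CODE; 1 means success
    unreach: str = ""  # "proto 47" (code 2) or "... port N" (code 3)


def parse_tcpdump(text):
    """Turn tcpdump lines into Event records; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hh, mm, ss, src, dst, body = m.groups()
        t = int(hh) * 3600 + int(mm) * 60 + float(ss)
        icmp = ICMP_RE.search(body)
        if icmp:
            l4, l4port, proto, protoport = icmp.groups()
            if l4:
                unreach = f"{l4} port {l4port}"
            elif protoport:
                unreach = f"proto {proto} port {protoport}"
            else:
                unreach = f"proto {proto}"
            events.append(Event(t, src, dst, "icmp", unreach=unreach))
            continue
        ev = Event(t, src, dst, "tcp", flags=body.split(" ", 1)[0])
        c = CTRL_RE.search(body)
        if c:
            ev.ctrl, ev.result = c.group(1), int(c.group(2))
        events.append(ev)
    return events


def diagnose(events, ctrl_port="1723"):
    """Report whether the control channel succeeded, who closed it, and whether
    the GRE rejection came from the IP stack (protocol unreachable: nothing bound
    to IP protocol 47) or from a REJECT rule (port unreachable)."""
    srv = [e for e in events if e.kind == "tcp" and e.src.endswith("." + ctrl_port)]
    codes = {e.ctrl: e.result for e in srv if e.ctrl}
    close = next((e for e in srv if e.flags in ("F", "R")), None)
    proto_unreach = [e for e in events if e.kind == "icmp" and e.unreach == "proto 47"]
    port_unreach = [e for e in events if e.kind == "icmp" and " port " in e.unreach]
    if port_unreach:
        verdict = "filter-reject"
    elif proto_unreach and close and close.t <= proto_unreach[0].t:
        verdict = "gre-no-handler-after-close"  # control handler gone, raw GRE socket with it
    elif proto_unreach:
        verdict = "gre-no-handler"
    else:
        verdict = "no-gre-rejection"
    return {
        "control_ok": codes.get("SCCRP") == 1 and codes.get("OCRP") == 1,
        "server_close_flag": close.flags if close else "",
        "icmp_proto_unreach": len(proto_unreach),
        "icmp_port_unreach": len(port_unreach),
        "close_to_icmp_ms": ((proto_unreach[0].t - close.t) * 1000
                             if close and proto_unreach else None),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, text in (("posted", CAPTURE), ("filtered", CAPTURE_FILTERED)):
        print(name, diagnose(parse_tcpdump(text)))
```

Run against the posted sequence it reports a successful SCCRP/OCRP exchange, a server-side FIN, and a protocol-unreachable about 20.8 ms later, i.e. the GRE packet was accepted by the firewall (the INPUT counter for protocol 47 from $ADSL_IP is non-zero in the post) and refused by the stack after the control handler had gone away; the thing to look at next is why the server closed the control connection right after OCRP, which a capture without the `dst` filter (both directions, plus pppd's log) would show.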
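A separate point a reviewer would raise about the posted options, independent of the GRE problem: `require-pap` plus "MPPE Encryption - disabled" means the PPTP password crosses the terrestrial link in cleartext inside unencrypted PPP frames, and the tunnel payload is likewise unencrypted. The fragment below is an added example, not the poster's file: it shows the posted authentication lines beside the tightest setting pppd offers for PPTP, MS-CHAPv2 with 128-bit MPPE. It assumes the DSL-562T can negotiate MS-CHAPv2 and MPPE once its "MPPE Encryption" option is enabled (the router's option name suggests so, but that is an assumption), and it moves the credential from /etc/ppp/pap-secrets to /etc/ppp/chap-secrets, which is the file pppd consults for MS-CHAPv2. Even so, PPTP with MS-CHAPv2/MPPE is weak by current standards (MS-CHAPv2 is breakable offline from a captured exchange, and MPPE is RC4), so this is a hardening of the posted configuration, not an endorsement of PPTP over IPsec or OpenVPN, which the gateway already runs for the satellite link.

```conf
# /etc/ppp/options.pptpd as posted (authentication part only):
#   name pptpd
#   require-pap            # cleartext password over an unencrypted PPP link
#
# Hardened variant (added example; assumes the DSL-562T side enables MPPE):
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2          # challenge/response instead of cleartext PAP
require-mppe-128           # 128-bit MPPE; the link fails if the peer refuses it
nomppe-stateful            # stateless MPPE survives packet loss on a lossy link
ms-wins 192.168.0.253
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd

# Credential then goes into /etc/ppp/chap-secrets instead of pap-secrets
# (same "client server secret IP" layout; user and password are the posted placeholders):
#   РРТРuser  pptpd  РРТРpass  *
```

Note that `require-mppe-128` makes the server drop the call if the router does not negotiate encryption, so enable it on the D-Link side first, and keep the `ms-wins`, `proxyarp` and remaining lines exactly as posted; only the authentication lines change.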