There is a small local network with a device PC2; PC1 establishes a PPTP connection to the server VPN1, through which users of the VPN network should be able to reach the HTTP server on PC2.
Right now all iptables rules on PC1 use the ACCEPT policy and packet forwarding is enabled; I tried the following rules
$ sudo iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 2 packets, 144 bytes)
pkts bytes target prot opt in out source destination
1 60 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.1.145:80
Chain INPUT (policy ACCEPT 2 packets, 144 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 44 packets, 2759 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 20 packets, 1319 bytes)
pkts bytes target prot opt in out source destination
25 1500 MASQUERADE all -- * ppp0 0.0.0.0/0 0.0.0.0/0
$ sudo iptables -L -n -v
Chain INPUT (policy ACCEPT 4301 packets, 834K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 20 packets, 1200 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 7476 packets, 634K bytes)
pkts bytes target prot opt in out source destination
$ cat /proc/sys/net/ipv4/ip_forward
1
$ ip r
default dev ppp0 proto static scope link metric 50
default via 192.168.1.1 dev eno1 proto static metric 100
80.78.249.31 via 192.168.1.1 dev eno1 src 192.168.1.2
169.254.0.0/16 dev eno1 scope link metric 1000
192.168.1.0/24 dev eno1 proto kernel scope link src 192.168.1.2 metric 100
192.168.255.1 dev ppp0 proto kernel scope link src 192.168.255.2 metric 50
Packets from VPN1 arrive and are forwarded on
$ sudo tcpdump -i any host 192.168.1.145
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
18:56:00.104011 IP 192.168.255.1.58363 > 192.168.1.145.http: Flags [S], seq 2537599639, win 28120, options [mss 1406,sackOK,TS val 176591095 ecr 0,nop,wscale 7], length 0
18:56:01.104063 IP 192.168.255.1.58363 > 192.168.1.145.http: Flags [S], seq 2537599639, win 28120, options [mss 1406,sackOK,TS val 176591345 ecr 0,nop,wscale 7], length 0
18:56:01.731548 ARP, Request who-has 192.168.1.145 tell 192.168.1.145, length 46
18:56:03.113237 IP 192.168.255.1.58363 > 192.168.1.145.http: Flags [S], seq 2537599639, win 28120, options [mss 1406,sackOK,TS val 176591846 ecr 0,nop,wscale 7], length 0
18:56:07.122640 IP 192.168.255.1.58363 > 192.168.1.145.http: Flags [S], seq 2537599639, win 28120, options [mss 1406,sackOK,TS val 176592848 ecr 0,nop,wscale 7], length 0
18:56:11.790183 ARP, Request who-has 192.168.1.145 tell 192.168.1.145, length 46
18:56:15.133088 IP 192.168.255.1.58363 > 192.168.1.145.http: Flags [S], seq 2537599639, win 28120, options [mss 1406,sackOK,TS val 176594852 ecr 0,nop,wscale 7], length 0
18:56:20.345398 ARP, Request who-has 192.168.1.145 tell 192.168.1.2, length 28
18:56:20.345956 ARP, Reply 192.168.1.145 is-at 00:12:17:ca:ad:a7 (oui Unknown), length 46
18:56:21.851140 ARP, Request who-has 192.168.1.145 tell 192.168.1.145, length 46
18:56:31.192615 IP 192.168.255.1.58363 > 192.168.1.145.http: Flags [S], seq 2537599639, win 28120, options [mss 1406,sackOK,TS val 176598864 ecr 0,nop,wscale 7], length 0
18:56:31.910545 ARP, Request who-has 192.168.1.145 tell 192.168.1.145, length 46
18:56:42.001157 ARP, Request who-has 192.168.1.145 tell 192.168.1.145, length 46
18:56:52.061990 ARP, Request who-has 192.168.1.145 tell 192.168.1.145, length 46
18:57:02.121801 ARP, Request who-has 192.168.1.145 tell 192.168.1.145, length 46
18:57:03.242960 IP 192.168.255.1.58363 > 192.168.1.145.http: Flags [S], seq 2537599639, win 28120, options [mss 1406,sackOK,TS val 176606880 ecr 0,nop,wscale 7], length 0
18:57:08.473401 ARP, Request who-has 192.168.1.145 tell 192.168.1.2, length 28
18:57:08.474057 ARP, Reply 192.168.1.145 is-at 00:12:17:ca:ad:a7 (oui Unknown), length 46
18:57:12.181666 ARP, Request who-has 192.168.1.145 tell 192.168.1.145, length 46
18:57:22.242318 ARP, Request who-has 192.168.1.145 tell 192.168.1.145, length 46
18:57:32.302184 ARP, Request who-has 192.168.1.145 tell 192.168.1.145, length 46
18:57:42.362643 ARP, Request who-has 192.168.1.145 tell 192.168.1.145, length 46
18:57:52.453816 ARP, Request who-has 192.168.1.145 tell 192.168.1.145, length 46
18:58:02.512702 ARP, Request who-has 192.168.1.145 tell 192.168.1.145, length 46
18:58:08.392634 IP 192.168.255.1.58364 > 192.168.1.145.http: Flags [S], seq 3814539985, win 28120, options [mss 1406,sackOK,TS val 176623162 ecr 0,nop,wscale 7], length 0
18:58:09.374876 IP 192.168.255.1.58364 > 192.168.1.145.http: Flags [S], seq 3814539985, win 28120, options [mss 1406,sackOK,TS val 176623412 ecr 0,nop,wscale 7], length 0
18:58:11.384003 IP 192.168.255.1.58364 > 192.168.1.145.http: Flags [S], seq 3814539985, win 28120, options [mss 1406,sackOK,TS val 176623913 ecr 0,nop,wscale 7], length 0
18:58:12.573745 ARP, Request who-has 192.168.1.145 tell 192.168.1.145, length 46
18:58:13.497363 ARP, Request who-has 192.168.1.145 tell 192.168.1.2, length 28
18:58:13.498158 ARP, Reply 192.168.1.145 is-at 00:12:17:ca:ad:a7 (oui Unknown), length 46
18:58:15.394270 IP 192.168.255.1.58364 > 192.168.1.145.http: Flags [S], seq 3814539985, win 28120, options [mss 1406,sackOK,TS val 176624916 ecr 0,nop,wscale 7], length 0
18:58:22.633317 ARP, Request who-has 192.168.1.145 tell 192.168.1.145, length 46
18:58:23.406404 IP 192.168.255.1.58364 > 192.168.1.145.http: Flags [S], seq 3814539985, win 28120, options [mss 1406,sackOK,TS val 176626920 ecr 0,nop,wscale 7], length 0
18:58:32.694304 ARP, Request who-has 192.168.1.145 tell 192.168.1.145, length 46
$ sudo tcpdump -i any host 192.168.1.145
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
19:35:16.625645 ARP, Request who-has 192.168.1.145 tell 192.168.1.145, length 46
19:35:26.715672 ARP, Request who-has 192.168.1.145 tell 192.168.1.145, length 46
19:35:27.710451 IP 192.168.1.2.45406 > 192.168.1.145.http: Flags [S], seq 3505401337, win 29200, options [mss 1460,sackOK,TS val 4286422370 ecr 0,nop,wscale 7], length 0
19:35:27.711201 IP 192.168.1.145.http > 192.168.1.2.45406: Flags [S.], seq 2593046242, ack 3505401338, win 28960, options [mss 1460,sackOK,TS val 1165431 ecr 4286422370,nop,wscale 3], length 0
19:35:27.711236 IP 192.168.1.2.45406 > 192.168.1.145.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 4286422370 ecr 1165431], length 0
19:35:27.711347 IP 192.168.1.2.45406 > 192.168.1.145.http: Flags [P.], seq 1:444, ack 1, win 229, options [nop,nop,TS val 4286422371 ecr 1165431], length 443: HTTP: GET /Login.htm HTTP/1.1
19:35:27.712051 IP 192.168.1.145.http > 192.168.1.2.45406: Flags [.], ack 444, win 3754, options [nop,nop,TS val 1165431 ecr 4286422371], length 0
19:35:27.796367 IP 192.168.1.145.http > 192.168.1.2.45406: Flags [P.], seq 1:18, ack 444, win 3754, options [nop,nop,TS val 1165440 ecr 4286422371], length 17: HTTP: HTTP/1.0 200 OK
19:35:27.796427 IP 192.168.1.2.45406 > 192.168.1.145.http: Flags [.], ack 18, win 229, options [nop,nop,TS val 4286422456 ecr 1165440], length 0
19:35:27.797036 IP 192.168.1.145.http > 192.168.1.2.45406: Flags [P.], seq 18:485, ack 444, win 3754, options [nop,nop,TS val 1165440 ecr 4286422456], length 467: HTTP
19:35:27.797066 IP 192.168.1.2.45406 > 192.168.1.145.http: Flags [.], ack 485, win 237, options [nop,nop,TS val 4286422456 ecr 1165440], length 0
19:35:27.797961 IP 192.168.1.145.http > 192.168.1.2.45406: Flags [P.], seq 485:1272, ack 444, win 3754, options [nop,nop,TS val 1165440 ecr 4286422456], length 787: HTTP
19:35:27.798004 IP 192.168.1.2.45406 > 192.168.1.145.http: Flags [.], ack 1272, win 249, options [nop,nop,TS val 4286422457 ecr 1165440], length 0
19:35:27.798952 IP 192.168.1.145.http > 192.168.1.2.45406: Flags [P.], seq 1272:2678, ack 444, win 3754, options [nop,nop,TS val 1165440 ecr 4286422457], length 1406: HTTP
19:35:27.799002 IP 192.168.1.2.45406 > 192.168.1.145.http: Flags [.], ack 2678, win 272, options [nop,nop,TS val 4286422458 ecr 1165440], length 0
The difference in mss values stands out: 1460 on the local network and 1406 from the VPN; could that be the issue?
Thanks.
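As an added example, not part of the original post and not the poster's own setup: a script that generates the complete hairpin ruleset for the topology described (the DNAT on ppp0 shown above, plus an SNAT of the forwarded flow to 192.168.1.2 on eno1 so that PC2's SYN-ACK comes back to PC1 rather than to PC2's own default gateway, FORWARD rules narrowed to port 80 and established traffic, and an MSS clamp on ppp0), together with a small awk check that lists the flows in a tcpdump capture that got a SYN but never a SYN-ACK, which is exactly the pattern in the first capture above. The SNAT rule rests on an assumption the page does not show: that PC2 has no route for 192.168.255.0/24 via PC1 and sends its replies to 192.168.1.1. Interface names and addresses are taken from the post; the sample capture lines are copied from the captures above; the script name hairpin.sh is made up.

```shell
#!/bin/sh
# Added example (not from the original post): hairpin DNAT ruleset for
# VPN1 --ppp0--> PC1 --eno1--> PC2:80, plus a check over tcpdump text.
# Assumption not shown on the page: PC2's default gateway is 192.168.1.1,
# so without SNAT its SYN-ACK to 192.168.255.1 leaves via 192.168.1.1 and
# never reaches ppp0 on PC1.
VPN_IF=${VPN_IF:-ppp0}
LAN_IF=${LAN_IF:-eno1}
LAN_IP=${LAN_IP:-192.168.1.2}
TARGET=${TARGET:-192.168.1.145}
PORT=${PORT:-80}

# Print the rules; nothing is applied unless apply_rules is called.
gen_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $VPN_IF -p tcp --dport $PORT -j DNAT --to-destination $TARGET:$PORT
iptables -t nat -A POSTROUTING -o $LAN_IF -p tcp -d $TARGET --dport $PORT -j SNAT --to-source $LAN_IP
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -p tcp -d $TARGET --dport $PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A FORWARD -o $VPN_IF -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
EOF
}

# Install the rules above; stops at the first iptables command that fails.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: needs root" >&2; return 1; }
    gen_rules | sh -e
}

# Read tcpdump text on stdin and print "client>server" for every TCP flow
# whose SYN was captured but whose SYN-ACK was not. Field layout of a
# tcpdump line: time IP src > dst: Flags [S], ... so $3 is src, $5 is dst
# with a trailing colon and $7 is the flag word.
unanswered_syns() {
    awk '$2 == "IP" && $7 == "[S],"  { d = $5; sub(/:$/, "", d); syn[$3 ">" d] = 1 }
         $2 == "IP" && $7 == "[S.]," { s = $5; sub(/:$/, "", s); synack[s ">" $3] = 1 }
         END { for (k in syn) if (!(k in synack)) print k }' | sort
}

# Constructed sample: three lines copied from the captures in the post
# (one unanswered VPN SYN, one ARP line, one answered direct SYN).
SAMPLE_CAPTURE='18:56:00.104011 IP 192.168.255.1.58363 > 192.168.1.145.http: Flags [S], seq 2537599639, win 28120, options [mss 1406,sackOK,TS val 176591095 ecr 0,nop,wscale 7], length 0
18:56:01.731548 ARP, Request who-has 192.168.1.145 tell 192.168.1.145, length 46
19:35:27.710451 IP 192.168.1.2.45406 > 192.168.1.145.http: Flags [S], seq 3505401337, win 29200, options [mss 1460,sackOK,TS val 4286422370 ecr 0,nop,wscale 7], length 0
19:35:27.711201 IP 192.168.1.145.http > 192.168.1.2.45406: Flags [S.], seq 2593046242, ack 3505401338, win 28960, options [mss 1460,sackOK,TS val 1165431 ecr 4286422370,nop,wscale 3], length 0'

case "${1:-}" in
    apply) apply_rules ;;
    check) unanswered_syns ;;   # e.g. sudo tcpdump -l -i any host 192.168.1.145 | ./hairpin.sh check
    *)     gen_rules
           echo "# flows with a SYN but no SYN-ACK in the sample capture:"
           printf '%s\n' "$SAMPLE_CAPTURE" | unanswered_syns ;;
esac
```

Run without arguments it only prints the rules and the result of the check on the sample (the VPN flow 192.168.255.1.58363>192.168.1.145.http; the direct flow from 192.168.1.2 is answered and not listed); `./hairpin.sh apply` as root installs them, and `check` reads a live tcpdump, printing its report when tcpdump is stopped with Ctrl-C. With the ACCEPT policies already in place the two FORWARD rules are not needed to make it work, they only narrow what the VPN side may reach. The SNAT has one side effect worth knowing: PC2's HTTP log will show 192.168.1.2 instead of the VPN client address. The alternative that keeps the client address visible is to leave SNAT out and instead give PC2 a route for 192.168.255.0/24 via 192.168.1.2, so its replies go back through PC1 directly.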