[Sysadmins] Ковчег (Kovcheg) 5.0 - NAT over pppoe behaves strangely

Vladimir Salomatin salomatin.ru at mail.ru
Wed Dec 2 03:38:46 UTC 2009


> and what if only
> service iptables restart
> iptables -t nat -F
> iptables -F
> echo "1" > /proc/sys/net/ipv4/ip_forward
> iptables -t nat -A POSTROUTING -o ppp1  -j SNAT --to-source 91.144.134.30
> iptables -n -L -v
> iptables -n -L -v -t nat


[root@myseif ~]# iptables -n -L -v
Chain INPUT (policy ACCEPT 184K packets, 26M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 1126 packets, 353K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 187K packets, 29M bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@myseif ~]# iptables -n -L -v -t nat
Chain PREROUTING (policy ACCEPT 3244K packets, 3307M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 14896 packets, 1163K bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    76 SNAT       all  --  *      ppp1    0.0.0.0/0            0.0.0.0/0           to:91.144.134.30

Chain OUTPUT (policy ACCEPT 14551 packets, 976K bytes)
 pkts bytes target     prot opt in     out     source               destination


On the local machine:

[vova@rabst ~]$ tracepath 193.1.193.64
 1:  192.168.1.2 (192.168.1.2)                              1.372ms pmtu 1500
 1:  myseif.myseif.ru (192.168.1.254)                       4.922ms
 1:  myseif.myseif.ru (192.168.1.254)                       0.948ms
 2:  myseif.myseif.ru (192.168.1.254)                       0.736ms pmtu 1476
 2:  net132.144.91-222.chel.ertelecom.ru (91.144.132.222)   3.381ms asymm  3
 3:  net132.144.91-202.chel.ertelecom.ru (91.144.132.202)   2.294ms
 4:  border.chel.ertelecom.ru (91.144.132.73)               2.480ms asymm  5
 5:  net132.144.91-154.chel.ertelecom.ru (91.144.132.154)   4.297ms asymm  6
 6:  90.150.3.201 (90.150.3.201)                            2.838ms
 7:  10.233.10.29 (10.233.10.29)                            3.487ms asymm  9
 8:  10.233.10.13 (10.233.10.13)                            3.801ms asymm  9
 9:  90.150.3.194 (90.150.3.194)                            3.029ms
10:  90.150.3.193 (90.150.3.193)                           35.012ms asymm  9
11:  217.115.84.225 (217.115.84.225)                        3.344ms asymm  7
12:  87.226.142.165 (87.226.142.165)                       36.805ms
13:  xe-1-3-0.lndn-ar1.intl.ip.rostelecom.ru (87.226.133.130) 102.925ms
14:  ldn-b3-link.telia.net (213.248.79.121)                97.846ms asymm 19
15:  ldn-bb1-link.telia.net (80.91.249.171)                97.862ms asymm 18
16:  dln-b3-link.telia.net (80.91.249.134)                108.032ms asymm 19
17:  heanet-ic-126792-dln-b3.c.telia.net (213.248.88.10)  114.248ms asymm 14
18:  te5-1-blanch-sr1.services.hea.net (193.1.236.2)      114.753ms asymm 14
19:  te5-1-blanch-sr1.services.hea.net (193.1.236.2)      114.830ms !H
     Resume: pmtu 1476


When trying to run APT:

[root@rabst ~]# apt-get update
Err ftp://ftp.altlinux.org noarch release
  Connection timeout
Err ftp://ftp.heanet.ie noarch release
  Connection timeout [IP: 193.1.193.64 21]
Err ftp://ftp.altlinux.org i586 release
  Connection timeout
Err ftp://ftp.heanet.ie i586 release
  Connection timeout [IP: 193.1.193.64 21]
Failed to fetch ftp://ftp.altlinux.org/pub/distributions/ALTLinux/4.1/branch/noarch/base/release  Connection timeout
Failed to fetch ftp://ftp.altlinux.org/pub/distributions/ALTLinux/4.1/branch/i586/base/release  Connection timeout
Failed to fetch ftp://ftp.heanet.ie/mirrors/ftp.altlinux.org/4.1/branch/noarch/base/release  Connection timeout [IP: 193.1.193.64 21]
Failed to fetch ftp://ftp.heanet.ie/mirrors/ftp.altlinux.org/4.1/branch/i586/base/release  Connection timeout [IP: 193.1.193.64 21]
Reading Package Lists... Done
Building Dependency Tree... Done
W: Release files for some repositories could not be retrieved or authenticated. Such repositories are being ignored.
W: You may want to run apt-get update to correct these problems
E: Some index files failed to download, they have been ignored, or old ones used instead.

And at the same time on the server:


[root@myseif ~]# tcpdump -n -i ppp1 -l | tee tmp.log
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp1, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
08:35:02.388481 IP 91.144.134.30.56317 > 194.107.17.7.ftp: S 1001436989:1001436989(0) win 5240 <mss 1310,nop,nop,sackOK,nop,wscale 7>
08:35:02.424449 IP 91.144.134.30.58558 > 193.1.193.64.ftp: S 1002196311:1002196311(0) win 5240 <mss 1310,nop,nop,sackOK,nop,wscale 7>
08:35:04.224451 IP 222.122.205.2.53645 > 91.144.134.30.ssh: F 3860845055:3860845055(0) ack 2372331913 win 46
08:35:04.224493 IP 91.144.134.30.ssh > 222.122.205.2.53645: R 2372331913:2372331913(0) win 0
08:35:05.385524 IP 91.144.134.30.56317 > 194.107.17.7.ftp: S 1001436989:1001436989(0) win 5240 <mss 1310,nop,nop,sackOK,nop,wscale 7>
08:35:05.420765 IP 194.107.17.7.ftp > 192.168.1.2.56317: S 3391405290:3391405290(0) ack 1001436990 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 7>
08:35:05.422497 IP 91.144.134.30.58558 > 193.1.193.64.ftp: S 1002196311:1002196311(0) win 5240 <mss 1310,nop,nop,sackOK,nop,wscale 7>
08:35:05.425685 IP 91.144.134.30.56317 > 194.107.17.7.ftp: . ack 3391405291 win 41
08:35:05.463661 IP 194.107.17.7.ftp > 192.168.1.2.56317: P 1:66(65) ack 1 win 46
08:35:05.463942 IP 192.168.1.2.56317 > 194.107.17.7.ftp: R 1001436990:1001436990(0) win 0
08:35:05.535541 IP 193.1.193.64.ftp > 192.168.1.2.58558: S 3880214425:3880214425(0) ack 1002196312 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 7>
08:35:05.536005 IP 91.144.134.30.58558 > 193.1.193.64.ftp: . ack 3880214426 win 41
08:35:05.651931 IP 193.1.193.64.ftp > 192.168.1.2.58558: P 1:7(6) ack 1 win 46
08:35:05.652212 IP 192.168.1.2.58558 > 193.1.193.64.ftp: R 1002196312:1002196312(0) win 0
08:35:08.467032 IP 194.107.17.7.ftp > 192.168.1.2.56317: P 1:66(65) ack 1 win 46
08:35:08.467339 IP 192.168.1.2.56317 > 194.107.17.7.ftp: R 1001436990:1001436990(0) win 0
08:35:08.647394 IP 193.1.193.64.ftp > 192.168.1.2.58558: P 1:7(6) ack 1 win 46
08:35:08.647870 IP 192.168.1.2.58558 > 193.1.193.64.ftp: R 1002196312:1002196312(0) win 0
08:35:13.484657 IP 91.144.134.30.ssh > 222.122.205.2.52976: F 2292946611:2292946611(0) ack 3847923446 win 62
08:35:13.859870 IP 222.122.205.2.52976 > 91.144.134.30.ssh: R 3847923446:3847923446(0) win 0
08:35:14.467028 IP 194.107.17.7.ftp > 192.168.1.2.56317: P 1:66(65) ack 1 win 46
08:35:14.467342 IP 192.168.1.2.56317 > 194.107.17.7.ftp: R 1001436990:1001436990(0) win 0
08:35:14.647322 IP 193.1.193.64.ftp > 192.168.1.2.58558: P 1:7(6) ack 1 win 46
08:35:14.647608 IP 192.168.1.2.58558 > 193.1.193.64.ftp: R 1002196312:1002196312(0) win 0


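In the capture above the outgoing SYNs leave ppp1 with the SNAT address 91.144.134.30, while the replies and the resets carry the LAN address 192.168.1.2 on the same external interface. As an added example, not part of this message or of Kovcheg, here is a small Python checker that reads `tcpdump -n` output taken on the external interface and reports two things a NAT box should never show there: any packet carrying an RFC 1918 address, and any flow where the local side appears under both the public and the private address (a sign that some packets of the connection bypassed translation). The sample lines are copied from the capture in this message; the external address 91.144.134.30 and the tcpdump 3.x-style line layout (single flag token before the sequence numbers, port names because `-nn` was not used) are assumptions.

```python
"""Audit a tcpdump capture from a NAT router's external interface for
private addresses that SNAT should have hidden.  Added example, not from the thread."""
import ipaddress
import re
from collections import defaultdict

# Assumption: the address the SNAT rule in the thread rewrites sources to.
EXTERNAL_IP = "91.144.134.30"

# Sample lines copied from the capture in the message above (tcpdump 3.x layout).
SAMPLE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp1, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
08:35:02.388481 IP 91.144.134.30.56317 > 194.107.17.7.ftp: S 1001436989:1001436989(0) win 5240 <mss 1310,nop,nop,sackOK,nop,wscale 7>
08:35:04.224451 IP 222.122.205.2.53645 > 91.144.134.30.ssh: F 3860845055:3860845055(0) ack 2372331913 win 46
08:35:04.224493 IP 91.144.134.30.ssh > 222.122.205.2.53645: R 2372331913:2372331913(0) win 0
08:35:05.420765 IP 194.107.17.7.ftp > 192.168.1.2.56317: S 3391405290:3391405290(0) ack 1001436990 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 7>
08:35:05.425685 IP 91.144.134.30.56317 > 194.107.17.7.ftp: . ack 3391405291 win 41
08:35:05.463661 IP 194.107.17.7.ftp > 192.168.1.2.56317: P 1:66(65) ack 1 win 46
08:35:05.463942 IP 192.168.1.2.56317 > 194.107.17.7.ftp: R 1001436990:1001436990(0) win 0
"""

# "HH:MM:SS.usec IP a.b.c.d.port > e.f.g.h.port: FLAGS ..." - ports may be names (ftp, ssh).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+): (?P<flags>\S+)"
)

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    """True for RFC 1918 addresses, which must not appear on the WAN side after SNAT."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def parse_line(line: str):
    """Return the fields of one tcpdump TCP line, or None for headers / non-IP lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def audit_capture(lines, external_ip: str):
    """Return (leaks, mixed_flows).

    leaks: (ts, src, dst, flags) for every packet carrying a private address.
    mixed_flows: {(remote_ip, remote_port, local_port): [local addresses seen]}
                 for flows where the local side shows up under more than one address.
    """
    leaks = []
    flows = defaultdict(set)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if is_private(pkt["src"]) or is_private(pkt["dst"]):
            leaks.append((pkt["ts"], pkt["src"], pkt["dst"], pkt["flags"]))
        # Work out which end is "ours": the SNAT address or an untranslated LAN host.
        if pkt["src"] == external_ip or is_private(pkt["src"]):
            local, lport, remote, rport = pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]
        elif pkt["dst"] == external_ip or is_private(pkt["dst"]):
            local, lport, remote, rport = pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]
        else:
            continue  # traffic not involving this router
        flows[(remote, rport, lport)].add(local)
    mixed = {k: sorted(v) for k, v in flows.items() if len(v) > 1}
    return leaks, mixed


def report(capture_text: str, external_ip: str = EXTERNAL_IP) -> str:
    """Human-readable summary of the audit for the given capture text."""
    leaks, mixed = audit_capture(capture_text.splitlines(), external_ip)
    out = [f"{len(leaks)} packet(s) with a private address on the external interface"]
    out += [f"  {ts} {src} > {dst} [{flags}]" for ts, src, dst, flags in leaks]
    for (remote, rport, lport), locals_ in mixed.items():
        out.append(f"flow to {remote}:{rport} from local port {lport} "
                   f"seen under {', '.join(locals_)} (translation inconsistent)")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_CAPTURE))
```

Run against the sample, the three packets of the ftp flow that mention 192.168.1.2 are listed, and the flow to 194.107.17.7 from local port 56317 is reported as seen under both addresses, while the ssh session to 222.122.205.2 passes cleanly. The same check works on a live `tcpdump -n -i ppp1` feed piped through `tee`, as in the message.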