Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in

  FAQ | Search | Memberlist | Usergroups | Statistics | Profile | Log in to check your private messages | Log in | Register

[solved] Полетел форвардинг после апгрейда ядра.
 View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Russian
View previous topic :: View next topic  
Author Message
KUV
Tux's lil' helper
Tux's lil' helper


Joined: 18 Mar 2005
Posts: 128
PostPosted: Thu Oct 11, 2007 7:56 am    Post subject: [solved] Полетел форвардинг после апгрейда ядра. Reply with quote
Ядро было ванильное 2.6.20.7, стало 2.6.22.1. В нем баги с созданием мостов (https://forums.gentoo.org/viewtopic.php?t=570686), так что перешел на gentoo-sources-2.6.22-r8.
Еще почему-то не работает форвардинг (перестал работать еще в ванильном 2.6.22.1), вот iptables:
Code:
# Generated by iptables-save v1.3.8 on Thu Oct 11 11:43:20 2007
*nat
:PREROUTING ACCEPT [56818443:6779386074]
:POSTROUTING ACCEPT [49438542:6372299463]
:OUTPUT ACCEPT [3004979:266480795]
-A PREROUTING -p udp -m physdev  --physdev-in eth0 -m udp --dport 67:68 -j DROP
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -p udp -m physdev  --physdev-out eth0 -m udp --sport 67:68 -j DROP
COMMIT
# Completed on Thu Oct 11 11:43:20 2007
# Generated by iptables-save v1.3.8 on Thu Oct 11 11:43:20 2007
*mangle
:PREROUTING ACCEPT [1105952026:599586834299]
:INPUT ACCEPT [539901013:95549934922]
:FORWARD ACCEPT [749783902:519748765409]
:OUTPUT ACCEPT [519149643:642024587648]
:POSTROUTING ACCEPT [1268846430:1161770446521]
-A OUTPUT -p icmp -j CLASSIFY --set-class 0001:0100
-A OUTPUT -p udp -m multiport --sports 53,67,123,161 -j CLASSIFY --set-class 0001:0100
-A OUTPUT -p tcp -m multiport --sports 22,53,953 -j CLASSIFY --set-class 0001:0100
-A OUTPUT -p udp -m multiport --sports 5000 -j CLASSIFY --set-class 0001:0101
-A OUTPUT -p tcp -m multiport --sports 80,443,5222,5223,5269 -j CLASSIFY --set-class 0001:0101
-A OUTPUT -p udp -m multiport --sports 137,138 -j CLASSIFY --set-class 0001:0102
-A OUTPUT -p tcp -m multiport --sports 139,445,873 -j CLASSIFY --set-class 0001:0102
COMMIT
# Completed on Thu Oct 11 11:43:21 2007
# Generated by iptables-save v1.3.8 on Thu Oct 11 11:43:21 2007
*filter
:INPUT ACCEPT [2565755900:797612324862]
:FORWARD ACCEPT [3641599793:2509418352422]
:OUTPUT ACCEPT [2305027902:2416785930638]
-A FORWARD -i ! tun0 -o ppp0 -j DROP
COMMIT
# Completed on Thu Oct 11 11:43:21 2007

Соединения:
Code:
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:c0:26:30:cd:79 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::2c0:26ff:fe30:cd79/64 scope link
       valid_lft forever preferred_lft forever
3: eth2: <NO-CARRIER,BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:80:48:28:0e:ae brd ff:ff:ff:ff:ff:ff
4: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:11:2f:b2:bb:40 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::211:2fff:feb2:bb40/64 scope link
       valid_lft forever preferred_lft forever
5: teql0: <NOARP> mtu 1500 qdisc noop qlen 100
    link/void
6: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
7: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc htb qlen 100
    link/ether 00:11:2f:b2:bb:40 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.25/17 brd 192.168.127.255 scope global br0
    inet6 fdce:14dd:5982:0:62da:4fb3:5d18:db07/48 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::211:2fff:feb2:bb40/64 scope link
       valid_lft forever preferred_lft forever
8: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    inet 192.168.138.117 peer 10.1.1.1/32 scope global ppp0
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/[65534]
    inet 10.42.0.1 peer 10.42.0.2/32 scope global tun0

Маршрутизация:
Code:
# ip route
10.42.0.2 dev tun0  proto kernel  scope link  src 10.42.0.1
10.1.1.1 dev ppp0  proto kernel  scope link  src 192.168.138.117
10.42.0.0/24 via 10.42.0.2 dev tun0
192.168.0.0/17 dev br0  proto kernel  scope link  src 192.168.0.25
127.0.0.0/8 dev lo  scope link
default via 10.1.1.1 dev ppp0

На tun0 сидит openvpn, после создания подключения клиенту выдается следующее, как обычно:
Code:
120: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/[65534]
    inet 10.42.0.6 peer 10.42.0.5/32 scope global tun0

Пинги с клиента до 10.42.0.1 и с сервера на 10.42.0.6 (клиент), идут нормально. Локально на сервере инет работает, на клиенте нет. Попробовал понаблюдать за счетчиком "-A POSTROUTING -o ppp0 -j MASQUERADE" - он тикает, когда я с клиента пытаюсь пинговать внешний хост. Т.е. бага какая-то в маршрутизации. Помогите плиз.

Last edited by KUV on Fri Oct 12, 2007 10:39 pm; edited 1 time in total
Back to top
View user's profile Send private message
smk
Tux's lil' helper
Tux's lil' helper


Joined: 31 May 2007
Posts: 80
Location: SPB
PostPosted: Thu Oct 11, 2007 11:36 am    Post subject: Reply with quote
Уважаемый, а у все ли у вас правильно в файле /etc/sysctl.conf , а конкретно в строке про форвардинг?
Заодно
Code:
 echo "1" > /proc/sys/net/ipv4/ip_forward


Так же не помешало бы проверить нормально ли собрались модули айпитэйблесов
Code:

# modprobe ip_tables
# modprobe iptable_filter
# modprobe iptable_nat
# modprobe ipt_state
# modprobe ipt_MASQUERADE

_________________
USE --force, Luke
Back to top
View user's profile Send private message
KUV
Tux's lil' helper
Tux's lil' helper


Joined: 18 Mar 2005
Posts: 128
PostPosted: Thu Oct 11, 2007 12:50 pm    Post subject: Reply with quote
Про форвардинг:
Code:
# cat /proc/sys/net/ipv4/ip_forward
1

Модули iptables вкомпилены в ядро, вот выдержка из /proc/config.gz:
Code:
IP_NF_IPTABLES=y
IP_NF_FILTER=y
NF_NAT=y
IP_NF_TARGET_MASQUERADE=y
NETFILTER_XT_MATCH_STATE=y

Пробовал также убрать запрещающее правило "-A FORWARD -i ! tun0 -o ppp0 -j DROP" и форвардить через 192.168.0.25 - не помогло.
Back to top
View user's profile Send private message
KUV
Tux's lil' helper
Tux's lil' helper


Joined: 18 Mar 2005
Posts: 128
PostPosted: Fri Oct 12, 2007 10:27 pm    Post subject: Reply with quote
Наконец-то решил проблему! Все заработало после того как выставил /proc/sys/net/bridge/bridge-nf-filter-pppoe-tagged в ноль. Если кто-то сможет подробно изъяснить что это значит - будет здорово.
Back to top
View user's profile Send private message
calculator
Apprentice
Apprentice


Joined: 16 Oct 2006
Posts: 183
Location: Russia, Moscow
PostPosted: Sat Oct 13, 2007 11:35 am    Post subject: Reply with quote
/usr/src/linux/Documentation/networking/ip-sysctl.txt:
Code:
bridge-nf-filter-pppoe-tagged - BOOLEAN
        1 : pass bridged pppoe-tagged IP/IPv6 traffic to {ip,ip6}tables.
        0 : disable this.
        Default: 1
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Russian All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



 Links: forums.gentoo.org | www.gentoo.org | bugs.gentoo.org | wiki.gentoo.org | forum-mods@gentoo.org

Copyright 2001-2024 Gentoo Foundation, Inc. Designed by Kyle Manna © 2003; Style derived from original subSilver theme. | Hosting by Gossamer Threads Inc. © | Powered by phpBB 2.0.23-gentoo-p11 © 2001, 2002 phpBB Group
Privacy Policy