[equinux] Routing problems
Burkhard Vogel
burkhard en andean-netservice.com
Fri Jul 14 13:02:30 EDT 2006
Dear all,
I have a production server that handles mail/routing on the firewall for a client of mine. The Quito office has two branches, in Puembo and in Quinche, connected via VPN links.
The problem:
The branches cannot connect stably to the server on the Quito network. The ping gets through, and sometimes it doesn't... The VPN endpoints and the server are always reachable; the local server is a Windows XP machine with its firewall turned off...
The configuration:
main server: 192.168.0.100 (eth1) and 6xxxxxxxx.254 (eth0)
server on the local network: 192.168.0.44
machine in Puembo (e.g.): 192.168.1.5
host:~ # route -n
192.168.2.0 192.168.0.10 255.255.255.0 UG 0 0 0 eth1
192.168.1.0 192.168.0.254 255.255.255.0 UG 0 0 0 eth1
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
6xxxxxxxx.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 6xxxxxxxx.254 0.0.0.0 UG 0 0 0 eth0
192.168.0.10 endpoint of the VPN tunnel to Puembo
192.168.0.254 endpoint of the VPN tunnel to Quinche
host:~ # iptables -nL FORWARD
Chain FORWARD (policy DROP)
target       prot opt source               destination
TCPMSS       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
forward_int  all  --  0.0.0.0/0            0.0.0.0/0
forward_ext  all  --  0.0.0.0/0            0.0.0.0/0
LOG          all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '
DROP         all  --  0.0.0.0/0            0.0.0.0/0
host:~ # iptables -nL forward_int
Chain forward_int (1 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state NEW icmp type 8
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 12
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 14
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 18
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 3 code 2
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 5
LOG        all  --  192.168.0.0/24       192.168.1.0/24      limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDint-ACC-FORW '
ACCEPT     all  --  192.168.0.0/24       192.168.1.0/24      state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  192.168.1.0/24       192.168.0.0/24      state RELATED,ESTABLISHED
LOG        all  --  192.168.1.0/24       192.168.0.0/24      limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDint-ACC-FORW '
ACCEPT     all  --  192.168.1.0/24       192.168.0.0/24      state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  192.168.0.0/24       192.168.1.0/24      state RELATED,ESTABLISHED
LOG        all  --  192.168.0.0/24       192.168.2.0/24      limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDint-ACC-FORW '
ACCEPT     all  --  192.168.0.0/24       192.168.2.0/24      state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  192.168.2.0/24       192.168.0.0/24      state RELATED,ESTABLISHED
LOG        all  --  192.168.2.0/24       192.168.0.0/24      limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDint-ACC-FORW '
ACCEPT     all  --  192.168.2.0/24       192.168.0.0/24      state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  192.168.0.0/24       192.168.2.0/24      state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.0.0/24       0.0.0.0/0           state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            192.168.0.0/24      state RELATED,ESTABLISHED
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
LOG        icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
LOG        udp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT-INV '
DROP       all  --  0.0.0.0/0            0.0.0.0/0
host:~ # iptables -nL forward_ext
Chain forward_ext (1 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 12
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 14
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 18
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 3 code 2
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 5
LOG        all  --  192.168.0.0/24       192.168.1.0/24      limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDext-ACC-FORW '
ACCEPT     all  --  192.168.0.0/24       192.168.1.0/24      state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  192.168.1.0/24       192.168.0.0/24      state RELATED,ESTABLISHED
LOG        all  --  192.168.1.0/24       192.168.0.0/24      limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDext-ACC-FORW '
ACCEPT     all  --  192.168.1.0/24       192.168.0.0/24      state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  192.168.0.0/24       192.168.1.0/24      state RELATED,ESTABLISHED
LOG        all  --  192.168.0.0/24       192.168.2.0/24      limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDext-ACC-FORW '
ACCEPT     all  --  192.168.0.0/24       192.168.2.0/24      state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  192.168.2.0/24       192.168.0.0/24      state RELATED,ESTABLISHED
LOG        all  --  192.168.2.0/24       192.168.0.0/24      limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDext-ACC-FORW '
ACCEPT     all  --  192.168.2.0/24       192.168.0.0/24      state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  192.168.0.0/24       192.168.2.0/24      state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.0.0/24       0.0.0.0/0           state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            192.168.0.0/24      state RELATED,ESTABLISHED
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
LOG        icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
LOG        udp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT-INV '
DROP       all  --  0.0.0.0/0            0.0.0.0/0
host:~ # tail /var/log/firewall
Jul 14 12:03:37 host kernel: SFW2-FWDint-DROP-DEFLT-INV IN=eth1 OUT=eth1 SRC=192.168.0.44 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=34885 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=39426
Jul 14 12:03:57 host kernel: SFW2-FWDint-DROP-DEFLT IN=eth1 OUT=eth1 SRC=192.168.0.44 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=35052 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=40450
Jul 14 12:03:57 host kernel: SFW2-FWDint-DROP-DEFLT-INV IN=eth1 OUT=eth1 SRC=192.168.0.44 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=35052 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=40450
Jul 14 12:04:17 host kernel: SFW2-FWDint-DROP-DEFLT IN=eth1 OUT=eth1 SRC=192.168.0.44 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=35276 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=41474
Help me!
Burkhard
--
Burkhard Vogel
Andean-NetService
Guangüiltagua 551B y Diego Noboa
Batán Alto
Quito - ECUADOR
Tel: +593 (02) 246 20 86
Mobile: +593 (09) 577 18 00
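As an added diagnostic (not part of the original post), a small Python script that parses the SFW2 kernel log lines above and, for each dropped ICMP echo reply, checks the two things conntrack cares about: whether the packet was forwarded back out the interface it arrived on (IN=eth1 OUT=eth1) and whether the firewall ever saw the matching echo request. A hairpinned reply with no request on record is the classic asymmetric-routing signature: the request reached 192.168.0.44 without crossing the firewall, so the reply arrives with no state and hits the INVALID rule. The first four log lines are copied from the post; the final request/reply pair (SEQ=41475) is constructed here to show the contrasting case.

```python
import re
from collections import namedtuple

# Lines 1-4 copied from the post's /var/log/firewall; last two constructed for contrast.
SAMPLE_LOG = [
    "Jul 14 12:03:37 host kernel: SFW2-FWDint-DROP-DEFLT-INV IN=eth1 OUT=eth1 SRC=192.168.0.44 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=34885 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=39426",
    "Jul 14 12:03:57 host kernel: SFW2-FWDint-DROP-DEFLT IN=eth1 OUT=eth1 SRC=192.168.0.44 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=35052 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=40450",
    "Jul 14 12:03:57 host kernel: SFW2-FWDint-DROP-DEFLT-INV IN=eth1 OUT=eth1 SRC=192.168.0.44 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=35052 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=40450",
    "Jul 14 12:04:17 host kernel: SFW2-FWDint-DROP-DEFLT IN=eth1 OUT=eth1 SRC=192.168.0.44 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=35276 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=41474",
    "Jul 14 12:04:30 host kernel: SFW2-FWDint-ACC-FORW IN=eth1 OUT=eth1 SRC=192.168.1.5 DST=192.168.0.44 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=41000 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=41475",
    "Jul 14 12:04:30 host kernel: SFW2-FWDint-DROP-DEFLT IN=eth1 OUT=eth1 SRC=192.168.0.44 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=35300 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=41475",
]

FIELD_RE = re.compile(r"(\w+)=(\S*)")
Verdict = namedtuple("Verdict", "seq hairpin request_seen reason")


def parse_sfw2(line):
    """Parse one SuSEfirewall2 kernel log line into a dict. ICMP lines carry two
    ID= fields (IP header ID, then ICMP echo ID), so both are kept in order."""
    m = re.search(r"kernel: (SFW2-\S+)", line)
    if not m:
        return None
    rec = {"prefix": m.group(1), "ids": []}
    for key, val in FIELD_RE.findall(line):
        if key == "ID":
            rec["ids"].append(val)
        else:
            rec[key] = val
    return rec


def classify_echo_replies(lines):
    """One Verdict per distinct dropped ICMP echo reply (TYPE=0)."""
    recs = [r for r in map(parse_sfw2, lines) if r and r.get("PROTO") == "ICMP"]
    # echo requests the firewall actually forwarded, keyed by (src, dst, icmp id, seq)
    requests = {(r["SRC"], r["DST"], r["ids"][-1], r["SEQ"]) for r in recs if r["TYPE"] == "8"}
    verdicts, seen = [], set()
    for r in recs:
        if r["TYPE"] != "0" or "DROP" not in r["prefix"]:
            continue
        key = (r["SRC"], r["DST"], r["ids"][-1], r["SEQ"])
        if key in seen:  # DROP-DEFLT and DROP-DEFLT-INV both log the same packet
            continue
        seen.add(key)
        hairpin = r["IN"] == r["OUT"]
        # conntrack matches a reply to its request by reversed addresses + same ICMP id/seq
        req_seen = (r["DST"], r["SRC"], r["ids"][-1], r["SEQ"]) in requests
        reason = ("asymmetric routing: reply hairpinned on one interface, request never crossed the firewall"
                  if hairpin and not req_seen else "reply dropped for another reason; inspect rule order")
        verdicts.append(Verdict(r["SEQ"], hairpin, req_seen, reason))
    return verdicts
```

Run `classify_echo_replies(SAMPLE_LOG)` against a real `/var/log/firewall` excerpt; every reply flagged with request_seen=False points at a host whose return path differs from its forward path.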