[equinux] Routing problems
Guillermo Salas M.
gsalas at mantareys.com
Mon Jul 17 10:00:55 EDT 2006
On Fri, 2006-07-14 at 12:02 -0500, Burkhard Vogel wrote:
> Dear all,
> I have a production server that handles mail/routing on a firewall for a
> client of mine. The Quito office has two branches, in Puembo and in
> Quinche, connected through VPN links.
>
> The problem:
> The branches cannot connect reliably to the server on the Quito network.
> The ping gets through, and sometimes it doesn't... It always reaches the
> VPN endpoints and the server; the local server is a Windows XP box with
> its firewall turned off...
>
What default gateway does the Windows XP box have? It should be
192.168.0.100.
Send us a traceroute from the branches to the local server with its
firewall turned off.
> The configuration:
> main server: 192.168.0.100 (eth1) and 6xxxxxxxx.254 (eth0)
> server on the local network: 192.168.0.44
> machine in Puembo (e.g.): 192.168.1.5
>
> host:~ # route -n
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.2.0     192.168.0.10    255.255.255.0   UG    0      0        0 eth1
> 192.168.1.0     192.168.0.254   255.255.255.0   UG    0      0        0 eth1
> 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 6xxxxxxxx.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         6xxxxxxxx.254   0.0.0.0         UG    0      0        0 eth0
> 192.168.0.10  = VPN endpoint toward Puembo
> 192.168.0.254 = VPN endpoint toward Quinche
>
> host:~ # iptables -nL FORWARD
> Chain FORWARD (policy DROP)
> target       prot opt source               destination
> TCPMSS       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
> forward_int  all  --  0.0.0.0/0            0.0.0.0/0
> forward_ext  all  --  0.0.0.0/0            0.0.0.0/0
> LOG          all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '
> DROP         all  --  0.0.0.0/0            0.0.0.0/0
>
> host:~ # iptables -nL forward_int
> Chain forward_int (1 references)
> target     prot opt source               destination
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state NEW icmp type 8
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 0
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 3
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 11
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 12
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 14
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 18
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 3 code 2
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 5
> LOG        all  --  192.168.0.0/24       192.168.1.0/24       limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDint-ACC-FORW '
> ACCEPT     all  --  192.168.0.0/24       192.168.1.0/24       state NEW,RELATED,ESTABLISHED
> ACCEPT     all  --  192.168.1.0/24       192.168.0.0/24       state RELATED,ESTABLISHED
> LOG        all  --  192.168.1.0/24       192.168.0.0/24       limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDint-ACC-FORW '
> ACCEPT     all  --  192.168.1.0/24       192.168.0.0/24       state NEW,RELATED,ESTABLISHED
> ACCEPT     all  --  192.168.0.0/24       192.168.1.0/24       state RELATED,ESTABLISHED
> LOG        all  --  192.168.0.0/24       192.168.2.0/24       limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDint-ACC-FORW '
> ACCEPT     all  --  192.168.0.0/24       192.168.2.0/24       state NEW,RELATED,ESTABLISHED
> ACCEPT     all  --  192.168.2.0/24       192.168.0.0/24       state RELATED,ESTABLISHED
> LOG        all  --  192.168.2.0/24       192.168.0.0/24       limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDint-ACC-FORW '
> ACCEPT     all  --  192.168.2.0/24       192.168.0.0/24       state NEW,RELATED,ESTABLISHED
> ACCEPT     all  --  192.168.0.0/24       192.168.2.0/24       state RELATED,ESTABLISHED
> ACCEPT     all  --  192.168.0.0/24       0.0.0.0/0            state NEW,RELATED,ESTABLISHED
> ACCEPT     all  --  0.0.0.0/0            192.168.0.0/24       state RELATED,ESTABLISHED
> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
> LOG        icmp --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
> LOG        udp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
> LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT-INV '
> DROP       all  --  0.0.0.0/0            0.0.0.0/0
>
> host:~ # iptables -nL forward_ext
> Chain forward_ext (1 references)
> target     prot opt source               destination
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state ESTABLISHED icmp type 0
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 0
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 3
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 11
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 12
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 14
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 18
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 3 code 2
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED icmp type 5
> LOG        all  --  192.168.0.0/24       192.168.1.0/24       limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDext-ACC-FORW '
> ACCEPT     all  --  192.168.0.0/24       192.168.1.0/24       state NEW,RELATED,ESTABLISHED
> ACCEPT     all  --  192.168.1.0/24       192.168.0.0/24       state RELATED,ESTABLISHED
> LOG        all  --  192.168.1.0/24       192.168.0.0/24       limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDext-ACC-FORW '
> ACCEPT     all  --  192.168.1.0/24       192.168.0.0/24       state NEW,RELATED,ESTABLISHED
> ACCEPT     all  --  192.168.0.0/24       192.168.1.0/24       state RELATED,ESTABLISHED
> LOG        all  --  192.168.0.0/24       192.168.2.0/24       limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDext-ACC-FORW '
> ACCEPT     all  --  192.168.0.0/24       192.168.2.0/24       state NEW,RELATED,ESTABLISHED
> ACCEPT     all  --  192.168.2.0/24       192.168.0.0/24       state RELATED,ESTABLISHED
> LOG        all  --  192.168.2.0/24       192.168.0.0/24       limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDext-ACC-FORW '
> ACCEPT     all  --  192.168.2.0/24       192.168.0.0/24       state NEW,RELATED,ESTABLISHED
> ACCEPT     all  --  192.168.0.0/24       192.168.2.0/24       state RELATED,ESTABLISHED
> ACCEPT     all  --  192.168.0.0/24       0.0.0.0/0            state NEW,RELATED,ESTABLISHED
> ACCEPT     all  --  0.0.0.0/0            192.168.0.0/24       state RELATED,ESTABLISHED
> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
> LOG        icmp --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
> LOG        udp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
> LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT-INV '
> DROP       all  --  0.0.0.0/0            0.0.0.0/0
>
> host:~ # tail /var/log/firewall
> Jul 14 12:03:37 host kernel: SFW2-FWDint-DROP-DEFLT-INV IN=eth1 OUT=eth1 SRC=192.168.0.44 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=34885 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=39426
> Jul 14 12:03:57 host kernel: SFW2-FWDint-DROP-DEFLT IN=eth1 OUT=eth1 SRC=192.168.0.44 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=35052 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=40450
> Jul 14 12:03:57 host kernel: SFW2-FWDint-DROP-DEFLT-INV IN=eth1 OUT=eth1 SRC=192.168.0.44 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=35052 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=40450
> Jul 14 12:04:17 host kernel: SFW2-FWDint-DROP-DEFLT IN=eth1 OUT=eth1 SRC=192.168.0.44 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=35276 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=41474
>
> Help me!
> Burkhard
>
--
Guillermo Salas M.
Mobile : +593 9 985 5138
e-mail : gsalas at mantareys.com
www : http://www.mantareys.com
Linux User: 255902
Beat me, whip me, make me use Windows!
Please avoid sending me Word or PowerPoint attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html
Please avoid the Top Posting, see
http://es.wikipedia.org/wiki/Top-posting
More information about the equinux mailing list
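As an added example (not part of this thread, nor of SuSEfirewall2), the following Python script reads netfilter LOG lines like the ones Burkhard quoted and applies the two checks a practitioner would make on them before touching any rule: whether the packet was forwarded back out the same interface it arrived on (IN=eth1 OUT=eth1, i.e. the sender could have reached the next hop directly), and whether an ICMP echo reply was logged by the `state INVALID` rule, which means conntrack on this firewall never saw the matching echo request. The sample log lines are constructed from the quoted ones (including the packet with IP ID 35052, which the quoted tail logs twice: once by the generic `LOG icmp` rule and once by the INVALID rule). The routing table is the quoted one, except that the masked eth0 network is replaced by the documentation prefix 203.0.113.0/24, an assumption made only so the lookup runs.

```python
import ipaddress
import re

# Constructed sample: SuSEfirewall2 kernel log lines modelled on the ones
# quoted in the thread, plus one accepted forward (to an assumed external
# host) for contrast. IP ID 35052 appears twice, as in the original tail.
SAMPLE_LOG = """\
Jul 14 12:03:37 host kernel: SFW2-FWDint-DROP-DEFLT-INV IN=eth1 OUT=eth1 SRC=192.168.0.44 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=34885 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=39426
Jul 14 12:03:57 host kernel: SFW2-FWDint-DROP-DEFLT IN=eth1 OUT=eth1 SRC=192.168.0.44 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=35052 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=40450
Jul 14 12:03:57 host kernel: SFW2-FWDint-DROP-DEFLT-INV IN=eth1 OUT=eth1 SRC=192.168.0.44 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=35052 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=40450
Jul 14 12:05:01 host kernel: SFW2-FWDint-ACC-FORW IN=eth1 OUT=eth0 SRC=192.168.0.44 DST=203.0.113.9 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=36000 PROTO=TCP SPT=1045 DPT=80
"""

# The firewall's routing table as quoted in the thread. The eth0 network is
# masked there ("6xxxxxxxx"); 203.0.113.0/24 is an assumed stand-in for it.
ROUTES = [
    ("192.168.2.0/24", "192.168.0.10", "eth1"),
    ("192.168.1.0/24", "192.168.0.254", "eth1"),
    ("192.168.0.0/24", None, "eth1"),
    ("203.0.113.0/24", None, "eth0"),
    ("0.0.0.0/0", "203.0.113.254", "eth0"),
]

LOG_RE = re.compile(r"kernel: (?P<prefix>\S+) (?P<kv>.*)$")


def parse_line(line):
    """Turn one netfilter LOG line into a dict of its KEY=VALUE fields.

    ICMP lines carry ID= twice (IP identification, then echo identifier);
    the second occurrence is stored as ICMP_ID so the first survives.
    """
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {"prefix": m.group("prefix")}
    for tok in m.group("kv").split():
        if "=" not in tok:
            continue
        k, v = tok.split("=", 1)
        if k in fields:
            k = "ICMP_" + k
        fields[k] = v
    return fields


def lookup_route(dst, routes):
    """Longest-prefix match, as the kernel does. Returns (gateway, iface)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return (best[1], best[2]) if best else (None, None)


def analyze(log_text, routes):
    """Group log lines into packets (by SRC, DST, PROTO, IP ID) and attach
    the reasons a forwarded packet is suspicious: a hairpin forward, and an
    ICMP echo reply that conntrack classed INVALID (no request was seen)."""
    packets = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["SRC"], rec["DST"], rec["PROTO"], rec["ID"])
        pkt = packets.setdefault(key, {"fields": rec, "prefixes": []})
        pkt["prefixes"].append(rec["prefix"])

    findings = []
    for pkt in packets.values():
        fl = pkt["fields"]
        gw, iface = lookup_route(fl["DST"], routes)
        reasons = []
        if fl.get("IN") == fl.get("OUT"):
            reasons.append(
                f"hairpin on {fl['IN']}: {fl['SRC']} could send to "
                f"{gw or fl['DST']} directly instead of via the firewall")
        if (fl.get("PROTO") == "ICMP" and fl.get("TYPE") == "0"
                and any(p.endswith("-INV") for p in pkt["prefixes"])):
            reasons.append(
                "orphan echo reply: conntrack saw no matching request, so "
                f"the request to {fl['SRC']} did not pass this firewall")
        findings.append({
            "src": fl["SRC"], "dst": fl["DST"], "ip_id": fl["ID"],
            "next_hop": gw, "out_iface": iface,
            "prefixes": pkt["prefixes"], "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for fd in analyze(SAMPLE_LOG, ROUTES):
        print(f"{fd['src']} -> {fd['dst']} (IP ID {fd['ip_id']}) logged "
              f"{len(fd['prefixes'])}x; route: via {fd['next_hop']} on {fd['out_iface']}")
        for r in fd["reasons"]:
            print("    ", r)
```

Run against the sample, the three echo replies to 192.168.1.5 get both reasons (they arrived on eth1 and the route for 192.168.1.0/24 points back out eth1 to 192.168.0.254), while the TCP forward to the outside gets none. The script only says what the firewall saw; which host's gateway or route is wrong is exactly what the question about the XP box's gateway and the requested traceroute would settle.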