[equinux] Routing problems
Burkhard Vogel
burkhard at andean-netservice.com
Mon Jul 17 17:41:34 EDT 2006
Dear all,
another development: because of the communication problems between Quito and
Quinche we switched off the second VPN without changing anything in the
configuration - and now everything works like a charm? What is this due to???
Does anyone have a good explanation for this?
... I don't understand anything.... If anyone wants to help me and needs ssh
access - let me know.
Thanks,
Burkhard
Guillermo Salas M. wrote:
> On Fri, 2006-07-14 at 12:02 -0500, Burkhard Vogel wrote:
>
>> Dear all,
>> I have a production server that handles mail/routing on the
>> firewall for a client of mine. The Quito office has two branches,
>> in Puembo and in Quinche, connected by VPN links.
>>
>> The problem:
>> The branches cannot connect stably to the server on the
>> network in Quito. The ping gets through and sometimes it doesn't... It always
>> reaches the VPN heads and the server; the local server is a Windows XP machine
>> with the firewall switched off...
>>
>>
>
> What gateway does the Windows machine have? It should be
> 192.168.0.100
>
> Send us a trace from the branches to the local server with the
> firewall switched off.
>
>
>> The configuration:
>> main server 192.168.0.100 (eth1) and 6xxxxxxxx.254 (eth0)
>> local network server: 192.168.0.44
>> machine in Puembo (e.g.): 192.168.1.5
>>
>> host:~ # route -n
>> 192.168.2.0 192.168.0.10 255.255.255.0 UG 0 0 0 eth1
>> 192.168.1.0 192.168.0.254 255.255.255.0 UG 0 0 0 eth1
>> 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
>> 6xxxxxxxx.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
>> 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
>> 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
>> 0.0.0.0 6xxxxxxxx.254 0.0.0.0 UG 0 0 0 eth0
>> 192.168.0.10 head of the VPN tunnel to Puembo
>> 192.168.0.254 head of the VPN tunnel to Quinche
>>
>> host: ~ # iptables -nL FORWARD
>> Chain FORWARD (policy DROP)
>> target prot opt source destination
>> TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
>> flags:0x06/0x02 TCPMSS clamp to PMTU
>> forward_int all -- 0.0.0.0/0 0.0.0.0/0
>> forward_ext all -- 0.0.0.0/0 0.0.0.0/0
>> LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg
>> 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '
>> DROP all -- 0.0.0.0/0 0.0.0.0/0
>>
>> host:~ # iptables -nL forward_int
>> Chain forward_int (1 references)
>> target prot opt source destination
>> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW
>> icmp type 8
>> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
>> RELATED,ESTABLISHED icmp type 0
>> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
>> RELATED,ESTABLISHED icmp type 3
>> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
>> RELATED,ESTABLISHED icmp type 11
>> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
>> RELATED,ESTABLISHED icmp type 12
>> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
>> RELATED,ESTABLISHED icmp type 14
>> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
>> RELATED,ESTABLISHED icmp type 18
>> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
>> RELATED,ESTABLISHED icmp type 3 code 2
>> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
>> RELATED,ESTABLISHED icmp type 5
>> LOG all -- 192.168.0.0/24 192.168.1.0/24 limit: avg
>> 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDint-ACC-FORW '
>> ACCEPT all -- 192.168.0.0/24 192.168.1.0/24 state
>> NEW,RELATED,ESTABLISHED
>> ACCEPT all -- 192.168.1.0/24 192.168.0.0/24 state
>> RELATED,ESTABLISHED
>> LOG all -- 192.168.1.0/24 192.168.0.0/24 limit: avg
>> 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDint-ACC-FORW '
>> ACCEPT all -- 192.168.1.0/24 192.168.0.0/24 state
>> NEW,RELATED,ESTABLISHED
>> ACCEPT all -- 192.168.0.0/24 192.168.1.0/24 state
>> RELATED,ESTABLISHED
>> LOG all -- 192.168.0.0/24 192.168.2.0/24 limit: avg
>> 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDint-ACC-FORW '
>> ACCEPT all -- 192.168.0.0/24 192.168.2.0/24 state
>> NEW,RELATED,ESTABLISHED
>> ACCEPT all -- 192.168.2.0/24 192.168.0.0/24 state
>> RELATED,ESTABLISHED
>> LOG all -- 192.168.2.0/24 192.168.0.0/24 limit: avg
>> 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDint-ACC-FORW '
>> ACCEPT all -- 192.168.2.0/24 192.168.0.0/24 state
>> NEW,RELATED,ESTABLISHED
>> ACCEPT all -- 192.168.0.0/24 192.168.2.0/24 state
>> RELATED,ESTABLISHED
>> ACCEPT all -- 192.168.0.0/24 0.0.0.0/0 state
>> NEW,RELATED,ESTABLISHED
>> ACCEPT all -- 0.0.0.0/0 192.168.0.0/24 state
>> RELATED,ESTABLISHED
>> LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg
>> 3/min burst 5 tcp flags:0x16/0x02 LOG flags 6 level 4 prefix
>> `SFW2-FWDint-DROP-DEFLT '
>> LOG icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg
>> 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
>> LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg
>> 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
>> LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg
>> 3/min burst 5 state INVALID LOG flags 6 level 4 prefix
>> `SFW2-FWDint-DROP-DEFLT-INV '
>> DROP all -- 0.0.0.0/0 0.0.0.0/0
>>
>> host:~ # iptables -nL forward_ext
>> Chain forward_ext (1 references)
>> target prot opt source destination
>> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
>> ESTABLISHED icmp type 0
>> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
>> RELATED,ESTABLISHED icmp type 0
>> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
>> RELATED,ESTABLISHED icmp type 3
>> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
>> RELATED,ESTABLISHED icmp type 11
>> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
>> RELATED,ESTABLISHED icmp type 12
>> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
>> RELATED,ESTABLISHED icmp type 14
>> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
>> RELATED,ESTABLISHED icmp type 18
>> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
>> RELATED,ESTABLISHED icmp type 3 code 2
>> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
>> RELATED,ESTABLISHED icmp type 5
>> LOG all -- 192.168.0.0/24 192.168.1.0/24 limit: avg
>> 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDext-ACC-FORW '
>> ACCEPT all -- 192.168.0.0/24 192.168.1.0/24 state
>> NEW,RELATED,ESTABLISHED
>> ACCEPT all -- 192.168.1.0/24 192.168.0.0/24 state
>> RELATED,ESTABLISHED
>> LOG all -- 192.168.1.0/24 192.168.0.0/24 limit: avg
>> 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDext-ACC-FORW '
>> ACCEPT all -- 192.168.1.0/24 192.168.0.0/24 state
>> NEW,RELATED,ESTABLISHED
>> ACCEPT all -- 192.168.0.0/24 192.168.1.0/24 state
>> RELATED,ESTABLISHED
>> LOG all -- 192.168.0.0/24 192.168.2.0/24 limit: avg
>> 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDext-ACC-FORW '
>> ACCEPT all -- 192.168.0.0/24 192.168.2.0/24 state
>> NEW,RELATED,ESTABLISHED
>> ACCEPT all -- 192.168.2.0/24 192.168.0.0/24 state
>> RELATED,ESTABLISHED
>> LOG all -- 192.168.2.0/24 192.168.0.0/24 limit: avg
>> 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDext-ACC-FORW '
>> ACCEPT all -- 192.168.2.0/24 192.168.0.0/24 state
>> NEW,RELATED,ESTABLISHED
>> ACCEPT all -- 192.168.0.0/24 192.168.2.0/24 state
>> RELATED,ESTABLISHED
>> ACCEPT all -- 192.168.0.0/24 0.0.0.0/0 state
>> NEW,RELATED,ESTABLISHED
>> ACCEPT all -- 0.0.0.0/0 192.168.0.0/24 state
>> RELATED,ESTABLISHED
>> LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg
>> 3/min burst 5 tcp flags:0x16/0x02 LOG flags 6 level 4 prefix
>> `SFW2-FWDext-DROP-DEFLT '
>> LOG icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg
>> 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
>> LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg
>> 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
>> LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg
>> 3/min burst 5 state INVALID LOG flags 6 level 4 prefix
>> `SFW2-FWDext-DROP-DEFLT-INV '
>> DROP all -- 0.0.0.0/0 0.0.0.0/0
>>
>> host:~ # tail /var/log/firewall
>> Jul 14 12:03:37 host kernel: SFW2-FWDint-DROP-DEFLT-INV IN=eth1 OUT=eth1
>> SRC=192.168.0.44 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=127
>> ID=34885 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=39426
>> Jul 14 12:03:57 host kernel: SFW2-FWDint-DROP-DEFLT IN=eth1 OUT=eth1
>> SRC=192.168.0.44 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=127
>> ID=35052 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=40450
>> Jul 14 12:03:57 host kernel: SFW2-FWDint-DROP-DEFLT-INV IN=eth1 OUT=eth1
>> SRC=192.168.0.44 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=127
>> ID=35052 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=40450
>> Jul 14 12:04:17 host kernel: SFW2-FWDint-DROP-DEFLT IN=eth1 OUT=eth1
>> SRC=192.168.0.44 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=127
>> ID=35276 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=41474
>>
>> Help me!
>> Burkhard
>>
>>
--
Burkhard Vogel
Andean-NetService
Guangüiltagua 551B y Diego Noboa
Batán Alto
Quito - ECUADOR
Tel: +593 (02) 246 20 86
Cel: +593 (09) 577 18 00
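The `SFW2-FWDint-DROP-DEFLT-INV ... IN=eth1 OUT=eth1 ... PROTO=ICMP TYPE=0` lines in the quoted log are the key symptom: an echo reply hairpinning through the firewall with no conntrack entry, which is what you see when the echo request reached 192.168.0.44 without crossing the firewall (for example via the VPN head directly on the LAN) while the reply goes out through the default gateway. The following is an added example, not code from the thread or from SuSEfirewall2: it parses netfilter LOG lines with SFW2 prefixes and flags dropped hairpin replies as asymmetric-routing suspects. The first two sample lines are copied from the thread; the third is a constructed, accepted forward used as a control.

```python
import re
from typing import Dict, List, Optional

# Sample netfilter LOG lines. Lines 1-2 are from the thread above; line 3 is
# constructed (a normal LAN -> eth0 forward) so the classifier has a negative case.
SAMPLE_LOG = """\
Jul 14 12:03:37 host kernel: SFW2-FWDint-DROP-DEFLT-INV IN=eth1 OUT=eth1 SRC=192.168.0.44 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=34885 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=39426
Jul 14 12:03:57 host kernel: SFW2-FWDint-DROP-DEFLT IN=eth1 OUT=eth1 SRC=192.168.0.44 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=35052 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=40450
Jul 14 12:05:01 host kernel: SFW2-FWDint-ACC-FORW IN=eth1 OUT=eth0 SRC=192.168.0.44 DST=10.9.8.7 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=35300 PROTO=TCP SPT=1044 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(r"kernel: (?P<prefix>SFW2-\S+) (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the SFW2 prefix plus the key=value fields of one LOG line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix")}
    for key, val in KV_RE.findall(m.group("fields")):
        rec.setdefault(key, val)  # ICMP lines repeat ID=; keep the IP-header one
    return rec


def classify(rec: Dict[str, str]) -> str:
    """A dropped packet that hairpins (IN == OUT) and is a reply (ICMP echo
    reply, or anything logged as INVALID) means the matching request never
    crossed this firewall, so conntrack had no state for it: asymmetric path."""
    hairpin = rec.get("IN") is not None and rec["IN"] == rec.get("OUT")
    dropped = "DROP" in rec["prefix"]
    invalid = rec["prefix"].endswith("-INV")
    icmp_reply = rec.get("PROTO") == "ICMP" and rec.get("TYPE") == "0"
    if dropped and hairpin and (invalid or icmp_reply):
        return "asymmetric-route-suspect"
    return "dropped" if dropped else "accepted"


def diagnose(log_text: str) -> List[Dict[str, str]]:
    """Parse every SFW2 line and attach a verdict; non-matching lines are skipped."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            rec["verdict"] = classify(rec)
            out.append(rec)
    return out


def suspect_flows(log_text: str) -> List[str]:
    """Distinct 'SRC->DST via IN' flows whose replies look asymmetrically routed."""
    seen: List[str] = []
    for rec in diagnose(log_text):
        if rec["verdict"] == "asymmetric-route-suspect":
            flow = f'{rec["SRC"]}->{rec["DST"]} via {rec["IN"]}'
            if flow not in seen:
                seen.append(flow)
    return seen


if __name__ == "__main__":
    for flow in suspect_flows(SAMPLE_LOG):
        print("check the reply sender's gateway and the VPN head's routes:", flow)
```

For the thread's data it reports `192.168.0.44->192.168.1.5 via eth1`, which points at exactly the check Guillermo asked for: the gateway configured on 192.168.0.44 and the path the echo request took from the VPN head.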