NAT + VPN + squid

[kavenchuk]

Прошу прощения за полное ламерство, но очень поджимает время Обязуюсь исправиться после цейтнота!

Пара вопросов:
http://www.adsl.by/forum_topic.htm?id=2862
http://www.adsl.by/forum_topic.htm?id=2865

Извините, что ссылками. Просто много текста.

Pls, ткните носом, что надо сделать.

Спасибо.

[Llama]

1) apt-get install iputils-tracepath
tracepath spameater.tutby.com/25
Результаты в студию...
2) iptables -nL FORWARD посмотри..

[kavenchuk]

server:~# tracepath spameater.tutby.com/25
1: 81.25.39.121 (81.25.39.121) 0.753ms pmtu 552
1: 81.25.39.121 (81.25.39.121) 0.089ms pmtu 552
1: 81.25.39.121 (81.25.39.121) 0.087ms pmtu 552
и так далее
server:~# iptables -nL FORWARD
Chain FORWARD (policy ACCEPT)
target prot opt source destination

Что дальше?
А по второму вопросу ничего не подскажете?

[Llama]

информации мало... Как я понял, интернет доступен через pptp, сам pptp поднят и работает? интернет с сервера доступен?

Нужен вывод

Код: Выделить всё

ip address show
ip route show

Насчет поднятия pptp - практически все равно. При условии что старт сервисов не завязан на DNS, например на reverse lookup. Я бы засунул поднятие интерфейса куда-то пораньше... А опускание - попозже...

[kavenchuk]

Интернет поднят и доступен. Интернет работает и на сервере, и на станциях. Интернет работает на станциях через squid. Я пытаюсь раздать всем почту через NAT (MASQUERADE) только почтовых портов (не открывая остальные). Вот это то и не работает.

Есть ли советы по поводу разницы в уровнях (Sxx - Syy) скриптов запуска зависимых служб?

Спасибо.

[kavenchuk]

server:~# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0

iface eth0 inet static
address 192.168.0.200
netmask 255.255.255.0

auto eth0:1
iface eth0:1 inet static
address 10.75.100.42
netmask 255.255.255.252
gateway 10.75.100.41


server:~# ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:C0:F6:B1:46:36
inet addr:192.168.0.200 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::2c0:f6ff:feb1:4636/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3867 errors:0 dropped:0 overruns:0 frame:0
TX packets:3069 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:690777 (674.5 KiB) TX bytes:602863 (588.7 KiB)
Interrupt:10 Base address:0xcc00

eth0:1 Link encap:Ethernet HWaddr 00:C0:F6:B1:46:36
inet addr:10.75.100.42 Bcast:10.255.255.255 Mask:255.255.255.252
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:10 Base address:0xcc00

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:560 (560.0 b) TX bytes:560 (560.0 b)

ppp0 Link encap:Point-to-Point Protocol
inet addr:81.25.36.13 P-t-P:81.25.36.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1400 Metric:1
RX packets:380 errors:0 dropped:0 overruns:0 frame:0
TX packets:422 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:308815 (301.5 KiB) TX bytes:41270 (40.3 KiB)

sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

server:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
port-1-adslby-p * 255.255.255.255 UH 0 0 0 ppp0
vpn-gate.infone 10.75.100.41 255.255.255.255 UGH 0 0 0 eth0
10.75.100.40 * 255.255.255.252 U 0 0 0 eth0
192.168.0.0 * 255.255.255.0 U 0 0 0 eth0
default port-1-adslby-p 0.0.0.0 UG 0 0 0 ppp0


server:~# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

server:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE tcp -- anywhere anywhere tcp dpt:smtp
MASQUERADE tcp -- anywhere anywhere tcp dpt:pop3
MASQUERADE tcp -- anywhere anywhere tcp dpt:nntp
MASQUERADE tcp -- anywhere anywhere tcp dpt:imap2
MASQUERADE tcp -- anywhere anywhere tcp dpt:imap3
MASQUERADE tcp -- anywhere anywhere tcp dpt:2525

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


P.S. А как сказать, чтобы запомнил таблицу iptables?

[Llama]

iptables-save > filename
PS: можно вывод route -n в тегах [ code ] [ /code ], а то с именами как-то неудобно разбираться что к чему...
PPS: Есть ли какой-то не-виндовый клиент чтобы с него пустить tracepath ?

[kavenchuk]

Уже есть - coLinux

Результат:
colinux:~# tracepath spameater.tutby.com/25
gethostbyname: Host name lookup failure

Оопс. squid и этого не делает, или я не настроил?

[Llama]

kavenchuk, нет конечно, не делает... давай тогда по ip. Просто интересно, где же все-таки пакеты умирают...

[kavenchuk]

Попробую чуть позже.

По поводу не делает - дык собственными глазами читал, что squid кэширует и DNS-запросы. Или это тоже не относится к почтовым протоколам?

Как все запущено... /* у меня */

Неужели named (или как там его) придется ставить?

[Llama]

kavenchuk, конечно кэширует. Но как DNS-сервер он не работает. Bind стаить естественно придется.

[kavenchuk]

итак, ответ по ip:

colinux:~# tracepath 195.209.34.115/25
1: 192.168.0.219 (192.168.0.219) 2.427ms pmtu 1500
1: no reply
2: no reply
...
И так далее. И очем это говорит?
Сейчас bind поставлю...

[kavenchuk]

поставил bind, стало легче, но не намного:

colinux:~# tracepath spameater.tutby.com/25
1: 192.168.0.219 (192.168.0.219) 1.837ms pmtu 1500
1: no reply
2: no reply
...
30: no reply
31: no reply
Too many hops: pmtu 1500
Resume: pmtu 1500

Почто все равно не работает. Что-то я еще не сдалал. Что?

[Llama]

чудеса какие-то... покажи чтоль вывод
sysctl -a |grep net.ipv4

[kavenchuk]

Ну, у меня есть подозрение, кто здесь главный чудила (это я про себя)...
и так (на сервере надо было, я так понимаю)
net.ipv4.ip_conntrack_max = 18424
net.ipv4.netfilter.ip_conntrack_generic_timeout = 600
net.ipv4.netfilter.ip_conntrack_icmp_timeout = 30
net.ipv4.netfilter.ip_conntrack_udp_timeout_stream = 180
net.ipv4.netfilter.ip_conntrack_udp_timeout = 30
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close = 10
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_last_ack = 30
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 432000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 120
net.ipv4.netfilter.ip_conntrack_buckets = 2303
net.ipv4.netfilter.ip_conntrack_max = 18424
net.ipv4.conf.ppp0.force_igmp_version = 0
net.ipv4.conf.ppp0.disable_policy = 0
net.ipv4.conf.ppp0.disable_xfrm = 0
net.ipv4.conf.ppp0.arp_ignore = 0
net.ipv4.conf.ppp0.arp_announce = 0
net.ipv4.conf.ppp0.arp_filter = 0
net.ipv4.conf.ppp0.tag = 0
net.ipv4.conf.ppp0.log_martians = 0
net.ipv4.conf.ppp0.bootp_relay = 0
net.ipv4.conf.ppp0.medium_id = 0
net.ipv4.conf.ppp0.proxy_arp = 0
net.ipv4.conf.ppp0.accept_source_route = 1
net.ipv4.conf.ppp0.send_redirects = 1
net.ipv4.conf.ppp0.rp_filter = 1
net.ipv4.conf.ppp0.shared_media = 1
net.ipv4.conf.ppp0.secure_redirects = 1
net.ipv4.conf.ppp0.accept_redirects = 1
net.ipv4.conf.ppp0.mc_forwarding = 0
net.ipv4.conf.ppp0.forwarding = 0
net.ipv4.conf.eth0.force_igmp_version = 0
net.ipv4.conf.eth0.disable_policy = 0
net.ipv4.conf.eth0.disable_xfrm = 0
net.ipv4.conf.eth0.arp_ignore = 0
net.ipv4.conf.eth0.arp_announce = 0
net.ipv4.conf.eth0.arp_filter = 0
net.ipv4.conf.eth0.tag = 0
net.ipv4.conf.eth0.log_martians = 0
net.ipv4.conf.eth0.bootp_relay = 0
net.ipv4.conf.eth0.medium_id = 0
net.ipv4.conf.eth0.proxy_arp = 0
net.ipv4.conf.eth0.accept_source_route = 1
net.ipv4.conf.eth0.send_redirects = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth0.shared_media = 1
net.ipv4.conf.eth0.secure_redirects = 1
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.lo.force_igmp_version = 0
net.ipv4.conf.lo.disable_policy = 1
net.ipv4.conf.lo.disable_xfrm = 1
net.ipv4.conf.lo.arp_ignore = 0
net.ipv4.conf.lo.arp_announce = 0
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.tag = 0
net.ipv4.conf.lo.log_martians = 0
net.ipv4.conf.lo.bootp_relay = 0
net.ipv4.conf.lo.medium_id = 0
net.ipv4.conf.lo.proxy_arp = 0
net.ipv4.conf.lo.accept_source_route = 1
net.ipv4.conf.lo.send_redirects = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.lo.shared_media = 1
net.ipv4.conf.lo.secure_redirects = 1
net.ipv4.conf.lo.accept_redirects = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 0
net.ipv4.conf.default.force_igmp_version = 0
net.ipv4.conf.default.disable_policy = 0
net.ipv4.conf.default.disable_xfrm = 0
net.ipv4.conf.default.arp_ignore = 0
net.ipv4.conf.default.arp_announce = 0
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.tag = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.bootp_relay = 0
net.ipv4.conf.default.medium_id = 0
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.default.accept_source_route = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.shared_media = 1
net.ipv4.conf.default.secure_redirects = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.all.force_igmp_version = 0
net.ipv4.conf.all.disable_policy = 0
net.ipv4.conf.all.disable_xfrm = 0
net.ipv4.conf.all.arp_ignore = 0
net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.tag = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.bootp_relay = 0
net.ipv4.conf.all.medium_id = 0
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.shared_media = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.neigh.ppp0.locktime = 99
net.ipv4.neigh.ppp0.proxy_delay = 79
net.ipv4.neigh.ppp0.anycast_delay = 99
net.ipv4.neigh.ppp0.proxy_qlen = 64
net.ipv4.neigh.ppp0.unres_qlen = 3
net.ipv4.neigh.ppp0.gc_stale_time = 60
net.ipv4.neigh.ppp0.delay_first_probe_time = 5
net.ipv4.neigh.ppp0.base_reachable_time = 30
net.ipv4.neigh.ppp0.retrans_time = 99
net.ipv4.neigh.ppp0.app_solicit = 0
net.ipv4.neigh.ppp0.ucast_solicit = 3
net.ipv4.neigh.ppp0.mcast_solicit = 3
net.ipv4.neigh.eth0.locktime = 99
net.ipv4.neigh.eth0.proxy_delay = 79
net.ipv4.neigh.eth0.anycast_delay = 99
net.ipv4.neigh.eth0.proxy_qlen = 64
net.ipv4.neigh.eth0.unres_qlen = 3
net.ipv4.neigh.eth0.gc_stale_time = 60
net.ipv4.neigh.eth0.delay_first_probe_time = 5
net.ipv4.neigh.eth0.base_reachable_time = 30
net.ipv4.neigh.eth0.retrans_time = 99
net.ipv4.neigh.eth0.app_solicit = 0
net.ipv4.neigh.eth0.ucast_solicit = 3
net.ipv4.neigh.eth0.mcast_solicit = 3
net.ipv4.neigh.lo.locktime = 99
net.ipv4.neigh.lo.proxy_delay = 79
net.ipv4.neigh.lo.anycast_delay = 99
net.ipv4.neigh.lo.proxy_qlen = 64
net.ipv4.neigh.lo.unres_qlen = 3
net.ipv4.neigh.lo.gc_stale_time = 60
net.ipv4.neigh.lo.delay_first_probe_time = 5
net.ipv4.neigh.lo.base_reachable_time = 30
net.ipv4.neigh.lo.retrans_time = 99
net.ipv4.neigh.lo.app_solicit = 0
net.ipv4.neigh.lo.ucast_solicit = 3
net.ipv4.neigh.lo.mcast_solicit = 3
net.ipv4.neigh.default.gc_thresh3 = 1024
net.ipv4.neigh.default.gc_thresh2 = 512
net.ipv4.neigh.default.gc_thresh1 = 128
net.ipv4.neigh.default.gc_interval = 30
net.ipv4.neigh.default.locktime = 99
net.ipv4.neigh.default.proxy_delay = 79
net.ipv4.neigh.default.anycast_delay = 99
net.ipv4.neigh.default.proxy_qlen = 64
net.ipv4.neigh.default.unres_qlen = 3
net.ipv4.neigh.default.gc_stale_time = 60
net.ipv4.neigh.default.delay_first_probe_time = 5
net.ipv4.neigh.default.base_reachable_time = 30
net.ipv4.neigh.default.retrans_time = 99
net.ipv4.neigh.default.app_solicit = 0
net.ipv4.neigh.default.ucast_solicit = 3
net.ipv4.neigh.default.mcast_solicit = 3
net.ipv4.tcp_moderate_rcvbuf = 1
net.ipv4.tcp_default_win_scale = 0
net.ipv4.tcp_bic_low_window = 14
net.ipv4.tcp_bic_fast_convergence = 1
net.ipv4.tcp_bic = 1
net.ipv4.tcp_vegas_gamma = 2
net.ipv4.tcp_vegas_beta = 6
net.ipv4.tcp_vegas_alpha = 2
net.ipv4.tcp_vegas_cong_avoid = 0
net.ipv4.tcp_westwood = 0
net.ipv4.tcp_no_metrics_save = 0
net.ipv4.ipfrag_secret_interval = 600
net.ipv4.tcp_low_latency = 0
net.ipv4.tcp_frto = 0
net.ipv4.tcp_tw_reuse = 0
net.ipv4.icmp_ratemask = 6168
net.ipv4.icmp_ratelimit = 1000
net.ipv4.tcp_adv_win_scale = 2
net.ipv4.tcp_app_win = 31
net.ipv4.tcp_rmem = 4096 87380 174760
net.ipv4.tcp_wmem = 4096 16384 131072
net.ipv4.tcp_mem = 49152 65536 98304
net.ipv4.tcp_dsack = 1
net.ipv4.tcp_ecn = 0
net.ipv4.tcp_reordering = 3
net.ipv4.tcp_fack = 1
net.ipv4.tcp_orphan_retries = 0
net.ipv4.inet_peer_gc_maxtime = 120
net.ipv4.inet_peer_gc_mintime = 10
net.ipv4.inet_peer_maxttl = 600
net.ipv4.inet_peer_minttl = 120
net.ipv4.inet_peer_threshold = 65664
net.ipv4.igmp_max_msf = 10
net.ipv4.igmp_max_memberships = 20
net.ipv4.route.secret_interval = 600
net.ipv4.route.min_adv_mss = 256
net.ipv4.route.min_pmtu = 552
net.ipv4.route.mtu_expires = 600
net.ipv4.route.gc_elasticity = 8
net.ipv4.route.error_burst = 5000
net.ipv4.route.error_cost = 1000
net.ipv4.route.redirect_silence = 20480
net.ipv4.route.redirect_number = 9
net.ipv4.route.redirect_load = 20
net.ipv4.route.gc_interval = 60
net.ipv4.route.gc_timeout = 300
net.ipv4.route.gc_min_interval = 0
net.ipv4.route.max_size = 32768
net.ipv4.route.gc_thresh = 2048
net.ipv4.route.max_delay = 10
net.ipv4.route.min_delay = 2
net.ipv4.icmp_ignore_bogus_error_responses = 0
net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.ip_local_port_range = 32768 61000
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_rfc1337 = 0
net.ipv4.tcp_stdurg = 0
net.ipv4.tcp_abort_on_overflow = 0
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_fin_timeout = 60
net.ipv4.tcp_retries2 = 15
net.ipv4.tcp_retries1 = 3
net.ipv4.tcp_keepalive_intvl = 75
net.ipv4.tcp_keepalive_probes = 9
net.ipv4.tcp_keepalive_time = 7200
net.ipv4.ipfrag_time = 30
net.ipv4.ip_dynaddr = 0
net.ipv4.ipfrag_low_thresh = 196608
net.ipv4.ipfrag_high_thresh = 262144
net.ipv4.tcp_max_tw_buckets = 180000
net.ipv4.tcp_max_orphans = 16384
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5
net.ipv4.ip_nonlocal_bind = 0
net.ipv4.ip_no_pmtu_disc = 0
net.ipv4.ip_autoconfig = 0
net.ipv4.ip_default_ttl = 64
net.ipv4.ip_forward = 0
net.ipv4.tcp_retrans_collapse = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 1