
Thread: VPS-VPN networking

  1. #1
    none (Join Date 01 Jan 1999, Location: home, Posts 798)

    VPS-VPN networking

    hi

    given a VPS with OpenVPN:

    Code:
    root@vps ~ > ifconfig
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              RX bytes:1295300 (1.2 MB)  TX bytes:1295300 (1.2 MB)
    
    
    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    
    
    venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:127.0.0.2  P-t-P:127.0.0.2  Bcast:0.0.0.0  Mask:255.255.255.255
              RX bytes:264275751 (264.2 MB)  TX bytes:293221619 (293.2 MB)
    
    
    venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:x.x.x.x  P-t-P:x.x.x.x  Bcast:x.x.x.255  Mask:255.255.255.0
              UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
    and a local client connected to the VPS through OpenVPN:

    Code:
    root@lunix:~# ifconfig
    enp1s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.0.44  netmask 255.255.255.0  broadcast 192.168.0.255
    
    
    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
    
    
    tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
            inet 10.8.0.6  netmask 255.255.255.255  destination 10.8.0.5
    so the VPN tunnel is up and working. From the VPS I can ping 10.8.0.6 (the local server) and it sees it; and the other way round as well.

    I have not managed to route traffic from the local server to the VPS in both directions, including opening ports on the VPS towards the local server.

    the architecture would be roughly this:

    Code:
                             |            VPS                 |
                  (x.x.x. IP)|                                |10.8.0.6
     {INTERNET}=============={venet0:0                    tun0}=============<internal network 192.168.0.44
                             |   \                        /   |
                             |    +----------------------+    |
                             |    | iptables and         |    |
                             |    | routing engine       |    |
                             |    +--+----------------+--+    |
                             |       |*1              |*2     |
                             |     (openvpn)-------{tun0}     |
                             |      10.8.0.5      10.8.0.1    |
    on the server I enabled IP forwarding in /etc/sysctl.conf with "net.ipv4.ip_forward = 1"
    I tried all sorts of iptables rules, but did not succeed.
    the most logical would be:

    Code:
    # Allow traffic initiated from VPN to access LAN
    iptables -I FORWARD -i tun0 -o venet0 -s 10.8.0.0/24 -d 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT

    # Allow traffic initiated from VPN to access "the world"
    iptables -I FORWARD -i tun0 -o venet0:0 -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT

    # Allow traffic initiated from LAN to access "the world"
    iptables -I FORWARD -i venet0 -o venet0:0 -s 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT

    # Allow established traffic to pass back and forth
    iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # Notice that -I is used, so when listing it (iptables -vxnL) it
    # will be reversed.  This is intentional in this demonstration.

    # Masquerade traffic from VPN to "the world" -- done in the nat table
    iptables -t nat -I POSTROUTING -o venet0:0 -s 10.8.0.0/24 -j MASQUERADE

    # Masquerade traffic from LAN to "the world"
    iptables -t nat -I POSTROUTING -o venet0:0 -s 192.168.0.0/24 -j MASQUERADE


    but it won't work...

    Who can "enlighten" me? I'll buy a beer!


    PS: the idea is that in the near future more and more internet providers will switch their customers to IPv6, and there will be many changes in the networking of the "information exchange"
    ^^^^
    good luck

  2. #2
    maniac lao (Join Date 02 Sep 2009, Posts 3,190)

    I played with this a few years ago; I'll study the problem again.
    I was connecting from another country and my friends warned me. True, it was only one-way, I had not moved my DDNS address there.
    It's worth studying...
    The Romanian has two great enemies: pity for strangers and hatred for his own - Grigore Vieru

  3. #3
    none (Join Date 01 Jan 1999, Location: home, Posts 798)

    I've reached the point where I no longer know what to do... at the moment I have the following rules (I'm on a different server now, so don't get confused by venet0 vs ens18!)

    Code:
    root@vps:~# iptables -vxnL
    Chain INPUT (policy ACCEPT 1076 packets, 59738 bytes)
        pkts      bytes target     prot opt in     out     source               destination
           0        0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
           0        0 REJECT     all  --  !lo    *       127.0.0.0/8          0.0.0.0/0            reject-with icmp-port-unreachable
           1       36 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW icmptype 8
           0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
           3      180 ACCEPT     tcp  --  ens18  *       0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:22
           4      516 ACCEPT     udp  --  ens18  *       0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED udp dpt:1194
           0        0 ACCEPT     udp  --  ens18  *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED udp spt:53
           0        0 ACCEPT     tcp  --  ens18  *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED tcp spt:53
           0        0 ACCEPT     tcp  --  ens18  *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED tcp spt:80
           0        0 ACCEPT     tcp  --  ens18  *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED tcp spt:443
           0        0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
    
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
        pkts      bytes target     prot opt in     out     source               destination
           2      152 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
           0        0 ACCEPT     all  --  tun0   ens18   10.8.0.0/24          0.0.0.0/0
           0        0 ACCEPT     all  --  ens18  tun0    10.8.0.0/24          0.0.0.0/0
           2      152 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    
    
    Chain OUTPUT (policy ACCEPT 1011 packets, 42740 bytes)
        pkts      bytes target     prot opt in     out     source               destination
           0        0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
           1       36 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
           3      120 ACCEPT     tcp  --  *      ens18   0.0.0.0/0            0.0.0.0/0            state ESTABLISHED tcp spt:22
           4      516 ACCEPT     udp  --  *      ens18   0.0.0.0/0            0.0.0.0/0            state ESTABLISHED udp spt:1194
           0        0 ACCEPT     udp  --  *      ens18   0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED udp dpt:53
           0        0 ACCEPT     tcp  --  *      ens18   0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:53
           0        0 ACCEPT     tcp  --  *      ens18   0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:80
           0        0 ACCEPT     tcp  --  *      ens18   0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:443
           0        0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0
    root@vps:~#
    and of course the corresponding masquerade:

    Code:
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens18 -j MASQUERADE
    where ens18 is the external interface... this is what ifconfig gives me:

    Code:
    root@vps:~# ifconfig
    ens18: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet x.x.x.x  netmask 255.255.255.0  broadcast x.x.x.255
            ether xx.xx.xx.xx.xx  txqueuelen 1000  (Ethernet)
            RX packets 7213366  bytes 439730412 (439.7 MB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 174645  bytes 9749894 (9.7 MB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    
    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            loop  txqueuelen 1000  (Local Loopback)
            RX packets 204  bytes 16695 (16.6 KB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 204  bytes 16695 (16.6 KB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    
    tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
            inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2
            unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
            RX packets 57  bytes 4356 (4.3 KB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 57  bytes 4356 (4.3 KB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


    does anyone have an idea?

    ---------- Post added at 21:05 ---------- Previous post was at 20:45 ----------

    I owe myself a beer!!!!
    I found the "trick":
    Code:
    iptables -t nat -A PREROUTING -i ens18 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.6:80
    where 10.8.0.6 is my (local, down in the basement) IP inside the tunnel and 80 is the port I want to open... or any other.

    ---------- Post added at 21:14 ---------- Previous post was at 21:05 ----------

    ...so I came to the conclusion that you only need a single rule per port, after which you do the masquerading on that interface...
    ^^^^
    good luck

  4. #4
    RSP - TEAM horatyu (Join Date 16 Aug 2007, Location: SIBIU, Posts 5,748)

    Mirel, you only deliver when you're thirsty

    Anyway, you are persistent.
    I was thinking the netmask should end in something other than 0, but that only needs doing in a network with several PCs connected to each other.

    Introducing the VLSM concept (Variable Length Subnet Masks) allows a more judicious use of the IP address space by using several subnet masks within one IP network, i.e. network prefixes of different lengths.
    IT'S HARD FOR ALL OF US
    "SGU Stargate Universe"

  5. #5
    none (Join Date 01 Jan 1999, Location: home, Posts 798)

    horatyu: I don't understand exactly what you mean, but if you're referring to the netmask on "tun0", it's normal for it to be 255... given the VPN server configuration has 10.8.0.0/24 (so 255 addresses, or rather 254, since the last one is the broadcast)
    on the other hand... I'm only in that network through the VPN tunnel!... so to speak, it's my entry/exit door!
    the idea was to find a SIMPLE method to get in and out through the tunnel on whichever ports I want, so that I can see my internal home network through this tunnel.
    The VPN was never the problem, nor the allocation of individual IPs to the clients of this VPN server... it's all in the configuration.
    ^^^^
    good luck

  6. #6
    Standard RSP member (Join Date 18 Nov 2018, Location: Romania, Posts 59)

    @mirel a /24 class holds 255 - 2 IP addresses, namely:
    From 10.8.0.0/24 we omit 10.8.0.1 - Gateway and 10.8.0.255 - Broadcast

    The command: iptables -t nat -A PREROUTING -i ens18 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.6:80 allows access from outside to the IP address 10.8.0.6 on port 80 (http); in short, it is port forwarding.
    If it helps, I can also write a much more explicit tutorial.
    Last edited by mirel; 13-02-19 at 20:01. Reason: Rule 12 !!!!
    Birds of the night, where you don't expect me, I am there.
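A worked version of what posts #1, #3 and #6 arrive at, as an added example that is not the thread's own rule set: a script that publishes ports of the OpenVPN client 10.8.0.6 through the VPS's public interface with one DNAT rule per port, and lets VPN clients reach the internet via MASQUERADE on the external interface. Interface and address defaults (ens18, tun0, 10.8.0.1, 10.8.0.6, 10.8.0.0/24) are taken from the thread's ifconfig output; the variable names, the RUN dry-run switch and the helper functions are my assumptions. Two points the thread only implies: first, an alias such as venet0:0 is not a separate device, so the kernel compares iptables -o against "venet0" and a rule written with -o venet0:0 never matches. Second, a DNATed packet still carries the internet client's source address; if the home box's default route is its ISP rather than the tunnel, its replies leave the wrong way and the connection never completes, which is why the script SNATs forwarded connections to the VPS's tunnel address (the "masquerading on that interface" of post #3). Unlike the listing in post #3, the FORWARD policy here is DROP, so only the published ports and their replies cross the tunnel.

```shell
#!/bin/sh
# Added example (not the thread's own rules). Generates, or applies as root,
# the iptables rules that publish ports of an OpenVPN client through the VPS.
# Defaults come from the thread's ifconfig output; names are assumptions.
# RUN=echo (the default) only prints the commands; RUN= (empty) applies them.

EXT_IF="${EXT_IF:-ens18}"            # VPS public interface
TUN_IF="${TUN_IF:-tun0}"             # server side of the OpenVPN tunnel
TUN_IP="${TUN_IP:-10.8.0.1}"         # VPS address inside the tunnel
VPN_NET="${VPN_NET:-10.8.0.0/24}"    # OpenVPN client subnet
CLIENT_IP="${CLIENT_IP:-10.8.0.6}"   # home box's address inside the tunnel
RUN="${RUN:-echo}"                   # dry run by default

# base_rules: enable forwarding, close FORWARD by default, let replies back,
# give VPN clients internet access via the VPS, and source-NAT forwarded
# (DNATed) connections to the tunnel address so the home box answers back
# through the tunnel instead of through its own default gateway.
base_rules() {
    $RUN sysctl -w net.ipv4.ip_forward=1
    $RUN iptables -P FORWARD DROP
    $RUN iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # VPN clients -> internet (the thread's MASQUERADE on the external interface)
    $RUN iptables -A FORWARD -i "$TUN_IF" -o "$EXT_IF" -s "$VPN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
    $RUN iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$EXT_IF" -j MASQUERADE

    # Only connections that went through DNAT are rewritten; VPN-internal
    # traffic between the VPS and the client keeps its real source address.
    $RUN iptables -t nat -A POSTROUTING -o "$TUN_IF" -d "$CLIENT_IP" \
        -m conntrack --ctstate DNAT -j SNAT --to-source "$TUN_IP"
}

# port_forward_rules PROTO PORT [PORT...]: one DNAT rule per published port
# (post #3's finding) plus a FORWARD rule that admits only that flow.
port_forward_rules() {
    proto="$1"; shift
    for port in "$@"; do
        $RUN iptables -t nat -A PREROUTING -i "$EXT_IF" -p "$proto" --dport "$port" \
            -j DNAT --to-destination "$CLIENT_IP:$port"
        $RUN iptables -A FORWARD -i "$EXT_IF" -o "$TUN_IF" -p "$proto" \
            -d "$CLIENT_IP" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
}

# main [PORT...]: base rules, then publish the given TCP ports (default 80, 443).
main() {
    [ $# -gt 0 ] || set -- 80 443
    base_rules
    port_forward_rules tcp "$@"
}

# Usage:  sh publish-ports.sh 80 443        (prints the commands)
#         RUN= sh publish-ports.sh 80 443   (applies them, as root)
main "$@"
```

Run it once as a dry run and read the output before applying it; the SNAT on tun0 means the home service's logs show 10.8.0.1 as the client address, so if you need the real source addresses the alternative is to route the home box's default gateway through the tunnel (OpenVPN's redirect-gateway) and drop that SNAT rule.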

  7. #7
    none (Join Date 01 Jan 1999, Location: home, Posts 798)

    ...if we take it like this: 256 minus two IPs (gateway plus broadcast) equals 254... I think that's what CIDR says...
    From the start I wanted to do port forwarding, and nothing else... Nobody could tell me what and how.... after reading more than half of the iptables man page, I understood..
    ^^^^
    good luck
