>А если поставить вместо 1753 порт 1723, и включить логирование дропнутых пакетов.
>Упс, порты попутал. Но результата ноль.
Логгирование включено. Хотя кроме /proc/net/nf_conntrack я других логов не могу найти. Из указанного мало полезной инфы:
ipv4 2 tcp 6 118 SYN_SENT src=192.168.1.2 dst=89.202.157.202 sport=52938 dport=80 packets=1 bytes=60 [UNREPLIED] src=89.202.157.202 dst=192.168.1.2 sport=80 dport=52938 packets=0 bytes=0 mark=0 secmark=0 use=1
ipv4 2 tcp 6 431958 ESTABLISHED src=192.168.50.14 dst=192.168.50.77 sport=3038 dport=3128 packets=106 bytes=12325 src=192.168.50.77 dst=192.168.50.14 sport=3128 dport=3038 packets=118 bytes=18470 [ASSURED] mark=0 secmark=0 use=1
ipv4 2 unknown 47 590 src=192.168.1.2 dst=*VPN remote IP* packets=329 bytes=15997 src=*VPN remote IP* dst=192.168.1.2 packets=361 bytes=20127 mark=0 secmark=0 use=1
ipv4 2 tcp 6 96 TIME_WAIT src=192.168.50.14 dst=192.168.50.77 sport=3093 dport=3128 packets=37 bytes=1796 src=192.168.50.77 dst=192.168.50.14 sport=3128 dport=3093 packets=65 bytes=87198 [ASSURED] mark=0 secmark=0 use=1
ipv4 2 tcp 6 431988 ESTABLISHED src=192.168.1.2 dst=*VPN remote IP* sport=53001 dport=1723 packets=6 bytes=644 src=*VPN remote IP* dst=192.168.1.2 sport=1723 dport=53001 packets=3 bytes=352 [ASSURED] mark=0 secmark=0 use=1
ipv4 2 tcp 6 95 TIME_WAIT src=192.168.50.14 dst=192.168.50.77 sport=3092 dport=3128 packets=5 bytes=512 src=192.168.50.77 dst=192.168.50.14 sport=3128 dport=3092 packets=5 bytes=1543 [ASSURED] mark=0 secmark=0 use=1
ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.50.14 dst=192.168.50.77 sport=3032 dport=22 packets=12471 bytes=1084735 src=192.168.50.77 dst=192.168.50.14 sport=22 dport=3032 packets=14529 bytes=3432520 [ASSURED] mark=0 secmark=0 use=1
ipv4 2 udp 17 178 src=192.168.1.2 dst=192.168.1.1 sport=55607 dport=53 packets=2 bytes=117 src=192.168.1.1 dst=192.168.1.2 sport=53 dport=55607 packets=2 bytes=549 [ASSURED] mark=0 secmark=0 use=1
ipv4 2 tcp 6 431998 ESTABLISHED src=192.168.50.14 dst=192.168.50.77 sport=3094 dport=3128 packets=4 bytes=2465 src=192.168.50.77 dst=192.168.50.14 sport=3128 dport=3094 packets=3 bytes=128 [ASSURED] mark=0 secmark=0 use=1
ipv4 2 tcp 6 431958 ESTABLISHED src=192.168.1.2 dst=209.85.137.125 sport=60933 dport=5223 packets=108 bytes=12422 src=209.85.137.125 dst=192.168.1.2 sport=5223 dport=60933 packets=108 bytes=18027 [ASSURED] mark=0 secmark=0 use=1
*VPN remote IP* - адрес ВПН сервера, который при подключении выдает локальный 192.168.80.40
В rsyslog.conf вывел логи info в отдельный файл, но там мусор сплошной и инфы по пакетам и т.д. нету.
=====================
Также прилагаю iptables-save, так наверное все-же очевиднее будет, что творится:
# Generated by iptables-save v1.4.0 on Fri Apr 3 13:28:21 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:allowed - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_packets - [0:0]
:udp_packets - [0:0]
-A INPUT -p tcp -j bad_tcp_packets
-A INPUT -s 192.168.50.0/24 -i eth2 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -i lo -j ACCEPT
-A INPUT -s 192.168.50.77/24 -i lo -j ACCEPT
-A INPUT -s 192.168.1.2/24 -i lo -j ACCEPT
-A INPUT -i eth2 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -d 192.168.1.2/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -j tcp_packets
-A INPUT -i eth1 -p udp -j udp_packets
-A INPUT -i eth1 -p icmp -j icmp_packets
-A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT INPUT packet died: " --log-level 7
-A FORWARD -p tcp -j bad_tcp_packets
-A FORWARD -i eth2 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p gre -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 1723 -j ACCEPT
-A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT FORWARD packet died: " --log-level 7
-A OUTPUT -p tcp -j bad_tcp_packets
-A OUTPUT -s 127.0.0.1/32 -j ACCEPT
-A OUTPUT -s 192.168.50.77/24 -j ACCEPT
-A OUTPUT -s 192.168.1.2/24 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A OUTPUT -p gre -j ACCEPT
-A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT OUTPUT packet died: " --log-level 7
-A allowed -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A allowed -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A allowed -p tcp -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "New not syn:"
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A tcp_packets -p tcp -m tcp --dport 21 -j allowed
-A tcp_packets -p tcp -m tcp --dport 22 -j allowed
-A tcp_packets -p tcp -m tcp --dport 113 -j allowed
-A tcp_packets -p tcp -m tcp --dport 3128 -j allowed
-A udp_packets -p udp -m udp --dport 2074 -j ACCEPT
-A udp_packets -p udp -m udp --dport 4000 -j ACCEPT
COMMIT
# Completed on Fri Apr 3 13:28:21 2009
# Generated by iptables-save v1.4.0 on Fri Apr 3 13:28:21 2009
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.50.0/24 -o eth1 -p tcp -m tcp --dport 25 -j SNAT --to-source 192.168.1.2
-A POSTROUTING -s 192.168.50.0/24 -o eth1 -p tcp -m tcp --dport 110 -j SNAT --to-source 192.168.1.2
COMMIT
# Completed on Fri Apr 3 13:28:21 2009
# Generated by iptables-save v1.4.0 on Fri Apr 3 13:28:21 2009
*mangle
:PREROUTING ACCEPT [150:12552]
:INPUT ACCEPT [26633:3788214]
:FORWARD ACCEPT [10:580]
:OUTPUT ACCEPT [192:43020]
:POSTROUTING ACCEPT [27648:6141062]
COMMIT
# Completed on Fri Apr 3 13:28:21 2009
