Ïðîáðîñ PPtP è GRE

[Wolfgun]

Íàðîä êàê ïðîáðîñèòü PPtP ÷åðåç Linux Nat SuSE 9.3 IPTables 1.28 (åñëè íå îøèáàþñü) ïðîáðàñûâàë ïîðò 1723 âñå õîðîøî ê VPN ñåðâåðó öåïëÿþòñÿ íî îòâåòû íå èäóò òàêæå äîáîâëÿë ïðîáðîñ UDP 500 ïîðòà âñå òàæå õðåíü ñî ñòîðîíû êëèåíòà âñå çàâèñàåò íà ïðîâåðêå Login&Password

Ipdump íà ñåâàêå (è ïîñòàâèòü òðàáë cd íà íåì íåò Tftp òîæå ) íå óñòàíîâëåí ïðîâåðèòü íå ìîãó ïðèõîäÿò ïîêåòû èç âíóòðåíåé ñåòè íà Linux ñåðâåð èëè íåò
Åñëè åñòü ñîâåòû êàê ïðîâåðèòü âûñëóøàþ åñëè

Äà ê ñòàòå êàê äàííûé äåâàéñ (Wl500) áóäåò ïðîáðàñûâàòü MS PPtP????????

[Oleg]

Wl500g óìååò ïðîáðàñûâàòü PPTP. Äëÿ ýòîãî íóæíî ðàçðåøèòü ïîðò 1723 (åñëè íà âûõîä) èëè ñäåëàòü âèðóòàëüíûé ñåðâåð, åñëè íà âõîä.

Ïîðò 500 ê PPTP îòíîøåíèÿ íå èìååò. Äëÿ PPTP íóæíî åù¸ ïðîáðàñûâàòü ïðîòîêîë 47 (GRE), òàì ñîáñòâåííî è èäóò äàííûå. Ýòî àâòîìàòè÷åñêè äåëàåòñÿ ñ ïîìîùüþ ñïåöèàëüíûõ ìîäóëåé â iptables - ipt_conntrack_gre èëè ipt_conntrack_pptp, è åãî NAT âàðèàöèÿ, òî÷íî íå ìîãó âñïîìíèòü. Íåîáõîäèìî çàãðóçèòü ìîäóëè, à â ôàåðâîëå äîëæíî áûòü ñòàíäàðòíîå ïðàâèëî

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

[Wolfgun]

Gre (47) ïðîáðàñûâàë
Åäèíñòâåíîå ÷òî íå äåëàë ýòî âåðòóàëüíûé ñåðâåð

[Duke]

Девайс по дефолту все на выход пробрасывает, по крайней мере для того чтобы Pptp на выход работало ничего конфигурячить мне не потребовалось (главное чтоб провайдер не НАТил, или хотя бы Gre пробрасывал тоже)

[icCE]

Девайс по дефолту все на выход пробрасывает, по крайней мере для того чтобы Pptp на выход работало ничего конфигурячить мне не потребовалось (главное чтоб провайдер не НАТил, или хотя бы Gre пробрасывал тоже)

кстати а как можно посмотреть правила iptables по умолчанию?

[Igor.O]

В логе asus wl500g c прошивкой 1.9.2.7-7c
все чаще стала появлятся такая запись: kernel: unknown GRE version 7.
Что за ошибка и как с ней бороться?
Internet по vpn-у, поднятому на асусе + прописаны маршруты в месную локалку.
Спасибо .
кусочек лога:
May 31 21:02:39 ntp client: Synchronizing time with time.nist.gov ...
May 31 21:03:12 kernel: unknown GRE version 7
May 31 21:07:33 kernel: unknown GRE version 7
May 31 21:17:14 kernel: unknown GRE version 7
May 31 21:32:38 kernel: unknown GRE version 7
May 31 22:10:59 kernel: unknown GRE version 7
May 31 22:14:39 kernel: unknown GRE version 7
May 31 22:29:09 kernel: unknown GRE version 7
May 31 22:29:29 kernel: unknown GRE version 7
May 31 22:30:28 kernel: unknown GRE version 7
May 31 23:02:52 ntp client: Synchronizing time with time.nist.gov ...
May 31 23:28:02 kernel: unknown GRE version 7

[vsu]

Ìóñîðèò linux/net/ipv4/netfilter/ip_conntrack_proto_gre.c:gre_pkt_to_tuple() - òàì ïåðåä ýòèì printk ÿâíî íå õâàòàåò êàê ìèíèìóì if (net_ratelimit()), ÷òîáû íå çàâàëèâàòü ëîãè ñîîáùåíèÿìè. Èëè âîîáùå åãî âûêèíóòü.

Ìîæíî ïîïðîáîâàòü ïîëîâèòü ýòî áåçîáðàçèå tcpdump-îì, ÷òîáû ïîíÿòü, êòî æå ïàêîñòèò â ñåòè:

Code:

tcpdump -i vlan1 -n -s 1600 -vvvv '(ip proto gre) and (ip[21] & 0x07 == 7)'

(óñëîâèå íå ñîâñåì ïðàâèëüíîå - íå ó÷èòûâàåò, ÷òî ðàçìåð çàãîëîâêà IP â îáùåì ñëó÷àå ïåðåìåííûé, íî çàäàòü ñìåùåíèå îò íà÷àëà çàãîëîâêà GRE tcpdump, ïîõîæå, íå ïîçâîëÿåò).

Îòôèëüòðîâàòü âñÿêóþ äðÿíü äî ïîïàäàíèÿ â conntrack â òîì ÿäðå, ïîõîæå, íå÷åì...

[Racer35]

Mar 31 04:19:14 pppoe-relay[110]: PADI packet from 00:04:61:9f:3a:df on interface vlan1 not permitted
Mar 31 04:19:19 pppoe-relay[110]: PADI packet from 00:04:61:9f:3a:df on interface vlan1 not permitted
Mar 31 04:22:45 pppoe-relay[110]: PADI packet from 00:04:61:9f:3a:df on interface vlan1 not permitted
Mar 31 04:23:34 pppoe-relay[110]: PADI packet from 00:04:61:9f:3a:df on interface vlan1 not permitted
Mar 31 04:23:38 pppoe-relay[110]: PADI packet from 00:04:61:9f:3a:df on interface vlan1 not permitted
Mar 31 04:27:09 pppoe-relay[110]: PADI packet from 00:04:75:79:59:fc on interface vlan1 not permitted
Mar 31 04:42:24 pppoe-relay[110]: PADI packet from 00:e0:4c:7e:45:98 on interface vlan1 not permitted
Mar 31 04:42:28 pppoe-relay[110]: PADI packet from 00:e0:4c:7e:45:98 on interface vlan1 not permitted
Mar 31 04:42:33 pppoe-relay[110]: PADI packet from 00:e0:4c:7e:45:98 on interface vlan1 not permitted
Mar 31 04:49:54 ntp client: Synchronizing time with time.nist.gov ...
Mar 31 04:52:53 pppoe-relay[110]: PADI packet from 00:01:6c:cf:eb:e9 on interface vlan1 not permitted
Mar 31 04:54:16 dnsmasq[88]: DHCPDISCOVER(br0) 00:1c:df:58:aa:17
Mar 31 04:54:16 dnsmasq[88]: DHCPOFFER(br0) 192.168.1.87 00:1c:df:58:aa:17
Mar 31 04:54:16 dnsmasq[88]: DHCPREQUEST(br0) 192.168.1.87 00:1c:df:58:aa:17
Mar 31 04:54:16 dnsmasq[88]: DHCPACK(br0) 192.168.1.87 00:1c:df:58:aa:17 geexbox
Mar 31 04:54:19 kernel: unknown GRE version 7
Mar 31 04:58:19 kernel: unknown GRE version 3
Mar 31 04:58:25 kernel: unknown GRE version 6
Mar 31 04:58:26 kernel: unknown GRE version 3
Mar 31 05:20:23 kernel: unknown GRE version 4
Mar 31 05:22:53 smbd[2307]: [2010/03/31 05:22:53, 0] lib/util_sock.c:read_socket_data(477)
Mar 31 05:22:53 smbd[2307]: read_socket_data: recv failure for 4. Error = No route to host

[TReX]

Mar 31 04:19:14 pppoe-relay[110]: PADI packet from 00:04:61:9f:3a:df on interface vlan1 not permitted
Mar 31 04:19:19 pppoe-relay[110]: PADI packet from 00:04:61:9f:3a:df on interface vlan1 not permitted
Mar 31 04:22:45 pppoe-relay[110]: PADI packet from 00:04:61:9f:3a:df on interface vlan1 not permitted
Mar 31 04:23:34 pppoe-relay[110]: PADI packet from 00:04:61:9f:3a:df on interface vlan1 not permitted
Mar 31 04:23:38 pppoe-relay[110]: PADI packet from 00:04:61:9f:3a:df on interface vlan1 not permitted
Mar 31 04:27:09 pppoe-relay[110]: PADI packet from 00:04:75:79:59:fc on interface vlan1 not permitted
Mar 31 04:42:24 pppoe-relay[110]: PADI packet from 00:e0:4c:7e:45:98 on interface vlan1 not permitted
Mar 31 04:42:28 pppoe-relay[110]: PADI packet from 00:e0:4c:7e:45:98 on interface vlan1 not permitted
Mar 31 04:42:33 pppoe-relay[110]: PADI packet from 00:e0:4c:7e:45:98 on interface vlan1 not permitted
Mar 31 04:49:54 ntp client: Synchronizing time with time.nist.gov ...
Mar 31 04:52:53 pppoe-relay[110]: PADI packet from 00:01:6c:cf:eb:e9 on interface vlan1 not permitted
Mar 31 04:54:16 dnsmasq[88]: DHCPDISCOVER(br0) 00:1c:df:58:aa:17
Mar 31 04:54:16 dnsmasq[88]: DHCPOFFER(br0) 192.168.1.87 00:1c:df:58:aa:17
Mar 31 04:54:16 dnsmasq[88]: DHCPREQUEST(br0) 192.168.1.87 00:1c:df:58:aa:17
Mar 31 04:54:16 dnsmasq[88]: DHCPACK(br0) 192.168.1.87 00:1c:df:58:aa:17 geexbox
Mar 31 04:54:19 kernel: unknown GRE version 7
Mar 31 04:58:19 kernel: unknown GRE version 3
Mar 31 04:58:25 kernel: unknown GRE version 6
Mar 31 04:58:26 kernel: unknown GRE version 3
Mar 31 05:20:23 kernel: unknown GRE version 4
Mar 31 05:22:53 smbd[2307]: [2010/03/31 05:22:53, 0] lib/util_sock.c:read_socket_data(477)
Mar 31 05:22:53 smbd[2307]: read_socket_data: recv failure for 4. Error = No route to host

Ìîæåò ïîðà óæå îáíîâèòü ïðîøèâêó ? ftp://core.dumped.ru/

[Firemover]

Íà÷àë èñïîëüçîâàòü íà ðàáîòå Àñóñû (ïîêà êàê ïðîñòûå ðîóòåðû) è âîò âîïðîñèê âîçíèê ñëåäóþùåãî õàðàêòåðà: à âîçìîæíî-ëè ïðèçåìëèòü IPIP èëè GRE òóíåëü íà Äåëþêñ èëè Ïðåìèóì? Íóæíî ëè äëÿ ýòîãî ñòàâèòü ìîíñòðà òèïà OpenWRT?

 Linuxe íå ñèëåí ïîêà, íî ó÷óñü âñ¸ áîëüøå

[Oleg]

Ìîæíî èñïîëüçîâàòü OpenVPN. Åñòü òàêàÿ òåìà â àíãëèéñêîì ôîðóìå.

[Firemover]

×òî åñòü â íàëè÷èè:
cisco 3662 â ãîëîâíîì îôèñå.
asus wl500gp â ôèëèàëàõ

âñå àñóñû â ðåæèìå ðîóòåðà, íåêîòîðûå ðàáîòàþò ñ Cisco ÷åðåç ïîäíÿòûå íà íå¸ PPTP òóííåëè, íåêîòîðûå - ïðîñòî ðîóòèíã. Êàíàëû ïî 1 ìåãàáèò äî âñåõ ôèëèàëîâ.

Îáíàðóæèëàñü ñòðàííàÿ ïðîáëåìà - âèäíà ñ Cisco è òîëüêî íà Àñóñû, íà äðóãèå äåâàéñû òàêîãî íåò:

CISCO3662#ping
Protocol [ip]:
Target IP address: 192.168.11.2
Repeat count [5]: 1000
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 192.168.11.2, timeout is 2 seconds:
!!!!!!!!!!.!!!!!!!!!.!!!!!!!!!.!!!!!!!!!.!!!!!!!!! .!!!!!!!!!.!!!!!!!!!
!!!!!!!!.!!!!!!!!!.!!!!!!!!!!.!!!!!!!!!!!.!!!!!!!! !.!!!!!!!!!!.!!!!!!!
!!!!.!!!!!!!!!.!!!!!!!.!!!!!!!!!!.!!!!!!!!!.!!!!!! !!!!!.!!!!!!!!.!!!!!
!!!!.!!!!!!!!!!!!.!!!!!!!!!!!!!!!.!!!!!!!!!!.!!!!! !!!!!.!!!!!!!!!!.!!!
!!!!!!.!!!!!!!!.!!!!!!!!!.!!!!!!!!.!!!!!!!!!!.!!!! !!!!!!!!!.!!!!!!!!!!
.!!!!!!!!.!!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!!!!!.!! !!!!!!.!!!!!!!!!.!!!
!!!!!!.!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!.!!!!!!!!! .!!!!!!!!!.!!!!!!!!!
.!!!!!!!!.!!!!!!!!.!!!!!!!!!.!!!!!!!!!.!!!!!!!!.!! !!!!!!.!!!!!!!!.!!!!
!!!!.!!!!!!!!.!!!!!!!!.!!!!!!!!!.!!!!!!!!.!!!!!!!! !!.!!!!!!!!!!!.!!!!!
!!!!!.!!!!!!!!!!..!!!!!!!!.!!!!!!!!.!!!!!!!!!.!!!! !!!!!!!!!!.!!!!!!!!!
.!!!!!!!!!.!!!!!!!!!.!!!!!!!!!!.!!!!!!!!!!.!!!!!!! !.!!!!!!!!!.!!!!!!!!
!.!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!!!!!.!! !!!!!!.!!!!!!!!!.!!!
!!!!!..!!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!!!!.!!!!!! !!!.!!!!!!!!!.!!!!!!
!!.!!!!!!!!!.!!!!!!!!!.!!!!!!!!!!.!!!!!!!!.!!!!!!! !!.!!!!!!!!!.!!!!!!!
!!.!!!!!!!!.!!!!!!!!
Success rate is 90 percent (901/1000), round-trip min/avg/max = 80/107/492 ms

è òàê íà âñå Àñóñû è òîëüêî íà Àñóñû , 3 ðàçíûõ ïðîâàéäåðà, ðàçíûå êàíàëû ñâÿçè è ñïîñîáû ïîäêëþ÷åíèÿ.
Ãäå èñêàòü ñîáàêó?

[Oleg]

Çàùèòà îò DoS àòòàê ïîõîæå. Òàì â INPUT åñòü ïåðåõîä â SECURITY - Ìîæíî ïîïðîáîâàòü ïî÷èñòèòü.

[Firemover]

ñòðàííî ÷òî íå îòêëþ÷àåòñÿ îíî ñàìîñòîÿòåëüíî, à ïîòî÷íåå ÷óòü ìîæíî ãäå ðûòü?

[Firemover]

Ðàçîáðàëñÿ, è äåéñòâèòåëüíî åñòü ïåðåõîä
Çàîäíî è ñêâîçíîé Gre íàñòðîèëè íîðìàëüíî.

Ñïàñèáî Îëåã!