(продолжение - форум не захотел длинное сообщение публиковать)
iptables:
[admin@fvsz root]$ iptables-save
# Generated by iptables-save v1.2.7a on Sun Jan 4 17:44:06 2009
#
# Firewall dump of a dual-WAN router. Interface roles, as far as this dump and
# the routing dump that follows it show them:
#   br0   LAN, 172.18.26.1/24
#   ppp0  wan1: PPTP session, public address 78.107.239.244
#   vlan1 provider segment the PPTP session runs over, 10.198.16.208/21
#   vlan2 wan2, 10.177.180.86/22
#   tun0/tun2/tun3  VPN tunnels, local end 172.18.0.26
# All WAN addresses are hard-coded below. The poster says they are handed out
# by DHCP/PPTP, so a renumbering silently breaks the DNAT/SNAT rules
# (MASQUERADE follows the interface address, SNAT --to-source does not).
*nat
:PREROUTING ACCEPT [15681:1509814]
:POSTROUTING ACCEPT [453:26276]
:OUTPUT ACCEPT [368:22085]
:VSERVER - [0:0]
:VSERVER2I - [0:0]
# Port-forwards, one entry per WAN address. The vlan1 address is included, so
# the same services are reachable from the provider's 10.x segment (i.e. from
# other subscribers on that L2), not only from the Internet and wan2.
-A PREROUTING -d 78.107.239.244 -i ppp0 -j VSERVER
-A PREROUTING -d 10.198.16.208 -i vlan1 -j VSERVER
-A PREROUTING -d 10.177.180.86 -i vlan2 -j VSERVER2I
# Source NAT for traffic leaving each WAN; "-s ! <own address>" matches
# everything the router did not originate itself.
-A POSTROUTING -s ! 78.107.239.244 -o ppp0 -j SNAT --to-source 78.107.239.244
-A POSTROUTING -s ! 10.198.16.208 -o vlan1 -j SNAT --to-source 10.198.16.208
-A POSTROUTING -s ! 10.177.180.86 -o vlan2 -j SNAT --to-source 10.177.180.86
# VSERVER and VSERVER2I are identical; one shared chain would avoid drift.
# 8080 -> 172.18.26.1:80 targets the router ITSELF (172.18.26.1 is br0's
# address and filter/INPUT accepts port 80 for it), presumably the web UI the
# poster mentions: it is exposed on every WAN over plain HTTP. 443 is
# forwarded to 6443 on the LAN host 172.18.26.126; 5249 is forwarded as-is.
-A VSERVER -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.18.26.1:80
-A VSERVER -p tcp -m tcp --dport 5249 -j DNAT --to-destination 172.18.26.126:5249
-A VSERVER -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.18.26.126:6443
-A VSERVER2I -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.18.26.1:80
-A VSERVER2I -p tcp -m tcp --dport 5249 -j DNAT --to-destination 172.18.26.126:5249
-A VSERVER2I -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.18.26.126:6443
COMMIT
# Completed on Sun Jan 4 17:44:06 2009
# Generated by iptables-save v1.2.7a on Sun Jan 4 17:44:06 2009
*mangle
# Empty: no MARK/CONNMARK rules at all.
# NOTE(review): the only policy-routing rule in the routing dump is
# "from 10.177.180.86 lookup ext2i". For a port-forwarded (DNATed) connection
# the reply's source is rewritten back to 10.177.180.86 in POSTROUTING, i.e.
# after the routing decision, so such replies are routed by the main table's
# default route (ppp0) instead of by that rule and leave wan1 carrying wan2's
# address. That would explain forwards working via wan1 but not via wan2;
# the usual fix is to mark connections entering vlan2 (CONNMARK) and add an
# "ip rule fwmark ... lookup ext2i". Confirm with tcpdump on ppp0 first, and
# check that CONNMARK exists in this 1.2.7a build before relying on it.
:PREROUTING ACCEPT [33773:4489193]
:INPUT ACCEPT [23383:3061979]
:FORWARD ACCEPT [8935:1360803]
:OUTPUT ACCEPT [12893:1322219]
:POSTROUTING ACCEPT [21792:2680862]
COMMIT
# Completed on Sun Jan 4 17:44:06 2009
# Generated by iptables-save v1.2.7a on Sun Jan 4 17:44:06 2009
*filter
# Chain policies are ACCEPT; INPUT is closed only by its last rule (DROP).
# A DROP policy would keep the box closed if the rules are ever flushed or
# only partially restored.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [2749:127976]
:OUTPUT ACCEPT [12902:1323303]
:MACS - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# SSH accepted on EVERY interface, all WANs included. "-m limit" is one global
# token bucket (1/s, default burst 5), not per-source: once a single client
# drains it, further SYNs fall through (on ppp0 into SECURITY, elsewhere to
# the final DROP) and lock everybody out, while slow password guessing still
# gets through. Per-source limiting needs hashlimit, if this build has it.
-A INPUT -p tcp -m tcp --dport 22 -m limit --limit 1/sec -j ACCEPT
# 5246/tcp open on every interface with no state or rate check; what listens
# here is not shown in the dump.
-A INPUT -p tcp -m tcp --dport 5246 -j ACCEPT
# Anything new from loopback and the LAN.
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
# tun0 accepted unconditionally (no state match). tun2 and tun3 exist in the
# routing dump but have no INPUT rule, so their traffic hits the final DROP
# unless a rule above matches it (ssh, 5246) - confirm that is intended.
-A INPUT -i tun0 -j ACCEPT
# Only NEW connections arriving on ppp0 go through the SECURITY rate limiter;
# NEW connections arriving on vlan1/vlan2 are not limited at all.
-A INPUT -i ppp0 -m state --state NEW -j SECURITY
# DHCP server -> client replies.
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
# The router's own port 80, from any interface. Combined with the 8080 DNAT in
# *nat this is what makes the web UI reachable from the WANs.
-A INPUT -d 172.18.26.1 -p tcp -m tcp --dport 80 -j ACCEPT
# All ICMP types, unlimited, from anywhere.
-A INPUT -p icmp -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
# MSS clamp for the PPTP/PPP path.
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j TCPMSS --clamp-mss-to-pmtu
# Interface-agnostic accepts for the forwarded ports (443 arrives here already
# rewritten to 6443 by *nat). They sit BEFORE the SECURITY jump, so forwarded
# 5249/6443 traffic bypasses the rate limiter while 8080 does not; since
# ctstate DNAT is accepted further down they are probably redundant for the
# forwards. They also accept these ports from any non-LAN interface to any
# destination: e.g. a neighbour on the vlan1 segment that routes
# 172.18.26.0/24 via this router would be forwarded to 172.18.26.126.
-A FORWARD -p tcp -m tcp --dport 5249 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 6443 -j ACCEPT
# VPN peers on tun0 may reach the LAN (the second line is a duplicate).
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
# Only the LAN may egress to the WANs; tunnels cannot use them.
-A FORWARD -i ! br0 -o ppp0 -j DROP
-A FORWARD -i ! br0 -o vlan1 -j DROP
-A FORWARD -i ! br0 -o vlan2 -j DROP
# Rate-limit NEW connections from every non-LAN interface, then accept what
# was DNATed (the port-forwards) and drop everything else aimed at the LAN.
-A FORWARD -i ! br0 -m state --state NEW -j SECURITY
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
# There is no corresponding drop for "-o tun*": non-LAN ingress toward the
# tunnel routes (e.g. 172.18.2.0/24 via tun0 in the main table) falls through
# to the ACCEPT policy after SECURITY - confirm that is intended.
-A FORWARD -o br0 -j DROP
# SECURITY: global (not per-source) buckets - 1 new TCP/s, 1 RST/s, 5 UDP/s,
# 5 ICMP/s. Anything over those rates, and any other protocol, is dropped, so
# one remote host can starve all new connections on ppp0.
-A SECURITY -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p udp -m limit --limit 5/sec -j RETURN
-A SECURITY -p icmp -m limit --limit 5/sec -j RETURN
-A SECURITY -j DROP
# logaccept/logdrop (and MACS) are defined but not referenced by any rule.
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT" --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP" --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Sun Jan 4 17:44:06 2009
[admin@fvsz root]$
route (в main — то, что Корбина через dhcp выдала и pptp прописал, ничего не менял; в local ещё tun* добавили свои записи; ext2i сделал сам для wan2):
[admin@fvsz root]$ ip rule list
0: from all lookup local
32765: from 10.177.180.86 lookup ext2i
32766: from all lookup main
32767: from all lookup default
[admin@fvsz root]$ ip route show table local
broadcast 10.177.180.0 dev vlan2 proto kernel scope link src 10.177.180.86
broadcast 10.198.23.255 dev vlan1 proto kernel scope link src 10.198.16.208
broadcast 10.177.183.255 dev vlan2 proto kernel scope link src 10.177.180.86
broadcast 10.198.16.0 dev vlan1 proto kernel scope link src 10.198.16.208
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
local 10.177.180.86 dev vlan2 proto kernel scope host src 10.177.180.86
local 172.18.26.1 dev br0 proto kernel scope host src 172.18.26.1
broadcast 172.18.26.0 dev br0 proto kernel scope link src 172.18.26.1
local 10.198.16.208 dev vlan1 proto kernel scope host src 10.198.16.208
local 78.107.239.244 dev ppp0 proto kernel scope host src 78.107.239.244
broadcast 78.107.239.244 dev ppp0 proto kernel scope link src 78.107.239.244
broadcast 10.255.255.255 dev vlan2 proto kernel scope link src 10.177.180.86
local 172.18.0.26 dev tun2 proto kernel scope host src 172.18.0.26
local 172.18.0.26 dev tun0 proto kernel scope host src 172.18.0.26
local 172.18.0.26 dev tun3 proto kernel scope host src 172.18.0.26
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 172.18.26.255 dev br0 proto kernel scope link src 172.18.26.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
[admin@fvsz root]$ ip route show table ext2i
172.18.26.0/24 dev br0 scope link
10.177.180.0/22 dev vlan2 scope link src 10.177.180.86
127.0.0.0/8 dev lo scope link
default via 10.177.180.1 dev vlan2
[admin@fvsz root]$ ip route show table main
85.21.88.130 via 10.198.16.1 dev vlan1
85.21.192.3 via 10.198.16.1 dev vlan1 metric 1
195.14.50.16 via 10.198.16.1 dev vlan1
217.118.84.213 via 10.198.16.1 dev vlan1
172.18.0.2 dev tun0 proto kernel scope link src 172.18.0.26
172.18.0.129 dev tun2 proto kernel scope link src 172.18.0.26
85.21.52.254 via 10.198.16.1 dev vlan1
195.14.50.21 via 10.198.16.1 dev vlan1
172.18.0.130 dev tun3 proto kernel scope link src 172.18.0.26
195.14.50.26 via 10.198.16.1 dev vlan1
89.179.135.67 via 10.198.16.1 dev vlan1
213.234.192.8 via 10.198.16.1 dev vlan1 metric 1
85.21.0.253 via 10.198.16.1 dev vlan1 metric 2
195.14.50.93 via 10.198.16.1 dev vlan1
78.107.69.98 via 10.198.16.1 dev vlan1
217.118.84.249 via 10.198.16.1 dev vlan1
78.107.235.4/30 via 10.198.16.1 dev vlan1
85.21.72.80/28 via 10.198.16.1 dev vlan1
78.107.51.0/28 via 10.198.16.1 dev vlan1
85.21.108.16/28 via 10.198.16.1 dev vlan1
83.102.231.32/28 via 10.198.16.1 dev vlan1
85.21.138.208/28 via 10.198.16.1 dev vlan1
83.102.146.96/27 via 10.198.16.1 dev vlan1
233.32.240.0/24 via 10.198.16.208 dev vlan1 scope link
172.18.2.0/24 via 172.18.0.2 dev tun0
172.16.16.0/24 via 10.198.16.1 dev vlan1
85.21.90.0/24 via 10.198.16.1 dev vlan1
172.18.26.0/24 dev br0 proto kernel scope link src 172.18.26.1
78.107.23.0/24 via 10.198.16.1 dev vlan1
85.21.79.0/24 via 10.198.16.1 dev vlan1
10.177.180.0/22 dev vlan2 proto kernel scope link src 10.177.180.86
10.198.16.0/21 dev vlan1 proto kernel scope link src 10.198.16.208
10.0.0.0/8 via 10.198.16.1 dev vlan1
127.0.0.0/8 dev lo scope link
default via 85.21.0.252 dev ppp0
default via 10.198.16.1 dev vlan1 metric 1
[admin@fvsz root]$ ip route show table default
[admin@fvsz root]$
из настроек вроде интересное всё... могу ещё выложить логи tcpdump'а при подключении по ssh через оба wan и его же логи при заходе на web / https через wan1 и при попытке через wan2...
Помогите!! ж)