Добрый день!
Хочу настроить шлюз, чтобы домашняя сетка через него в интернет ходила...
Есть соединение pppoe на МТУ-СТРИМ - ppp0 через eth1, сам шлюз его отлично поднимает и использует. И домашняя сетка 192.168.254.0/24 на eth2(192.168.254.1).
Сервер у меня такой:
1.
2.
root@safary:~/sys# uname -a
Linux safary 2 . 6 . 15 - 27 -server # 1 SMP Sat Sep 16 02 : 57 : 21 UTC 2006 i686 GNU/Linux
Много чего читал, пробовал и так и сяк, набрал такой скрипт:
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
30.
31.
32.
33.
34.
35.
36.
37.
38.
39.
40.
41.
42.
43.
44.
45.
46.
47.
48.
49.
50.
51.
52.
53.
54.
55.
56.
57.
58.
59.
60.
61.
62.
63.
64.
65.
66.
67.
68.
69.
70.
71.
72.
73.
74.
75.
76.
77.
78.
79.
80.
#!/bin/sh
# Start safary server
# Oleg Shulyaev
PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
consolechars -f Cyr_a8x16
# Start network interfaces
# eth2
ifconfig eth2 down
ifconfig eth2 up
# MTU
ifconfig ppp0 > /dev/null
if [ $? ]
then
ifconfig ppp0 down
fi
ifconfig eth1 down
ifconfig eth1 up
pppd call MTU
# Firewall setup
# Tuning proc
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
for f in /proc/sys/net/ipv4/conf/*/accept_source_route
do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo 1 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects
do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/secure_redirects
do
echo 1 > $f
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects
do
echo 0 > $f
done
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
for f in /proc/sys/net/ipv4/conf/*/log_martians
do
echo 1 > $f
done
echo 200 > /proc/sys/net/ipv4/icmp_ratelimit
echo 20 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 256 > /proc/sys/net/ipv4/tcp_max_syn_backlog
#Flush all rules
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# DROP on default
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# ACCEPT lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# ACCEPT eth2
iptables -A INPUT -i eth2 -s 192 . 168 . 254 . 0 / 24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth2 -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
# ACCEPT ppp0
iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# MASQ on ppp0
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
exit 0
После прогона имеем:
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
30.
31.
32.
33.
34.
35.
36.
37.
38.
39.
40.
41.
42.
43.
44.
45.
46.
47.
48.
49.
50.
51.
52.
53.
54.
55.
56.
57.
58.
59.
60.
61.
62.
63.
64.
65.
66.
67.
68.
69.
70.
71.
72.
73.
74.
75.
76.
77.
78.
79.
80.
81.
82.
83.
84.
85.
86.
87.
root@safary:~/sys# ifconfig
eth1 Link encap:Ethernet HWaddr 00 : 80 : 48 : 38 :CC:DB
inet6 addr: fe80:: 280 :48ff:fe38:ccdb/ 64 Диапазон:Link
UP BROADCAST RUNNING MULTICAST MTU: 1500 Metric: 1
RX packets: 1235 errors: 0 dropped: 0 overruns: 0 frame: 0
TX packets: 831 errors: 0 dropped: 0 overruns: 0 carrier: 0
collisions: 0 txqueuelen: 1000
RX bytes: 209012 ( 204 . 1 KiB) TX bytes: 102094 ( 99 . 7 KiB)
Interrupt: 10 Base address:0x8000
eth2 Link encap:Ethernet HWaddr 00 : 10 :DC:C1: 69 :D8
inet addr: 192 . 168 . 254 . 1 Bcast: 192 . 168 . 254 . 255 Mask: 255 . 255 . 255 . 0
inet6 addr: fe80:: 210 :dcff:fec1:69d8/ 64 Диапазон:Link
UP BROADCAST RUNNING MULTICAST MTU: 1500 Metric: 1
RX packets: 5380 errors: 0 dropped: 0 overruns: 0 frame: 0
TX packets: 3579 errors: 0 dropped: 0 overruns: 0 carrier: 0
collisions: 0 txqueuelen: 1000
RX bytes: 520465 ( 508 . 2 KiB) TX bytes: 609005 ( 594 . 7 KiB)
Interrupt: 11 Base address:0xe400
lo Link encap:Local Loopback
inet addr: 127 . 0 . 0 . 1 Mask: 255 . 0 . 0 . 0
inet6 addr: :: 1 / 128 Диапазон:Host
UP LOOPBACK RUNNING MTU: 16436 Metric: 1
RX packets: 0 errors: 0 dropped: 0 overruns: 0 frame: 0
TX packets: 0 errors: 0 dropped: 0 overruns: 0 carrier: 0
collisions: 0 txqueuelen: 0
RX bytes: 0 ( 0 . 0 b) TX bytes: 0 ( 0 . 0 b)
ppp0 Link encap:Point-to-Point Protocol
inet addr: 85 . 141 . 175 . 174 P-t-P: 85 . 141 . 172 . 1 Mask: 255 . 255 . 255 . 255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU: 1492 Metric: 1
RX packets: 151 errors: 0 dropped: 0 overruns: 0 frame: 0
TX packets: 163 errors: 0 dropped: 0 overruns: 0 carrier: 0
collisions: 0 txqueuelen: 3
RX bytes: 36365 ( 35 . 5 KiB) TX bytes: 21299 ( 20 . 7 KiB)
root@safary:~/sys# route
Таблица маршутизации ядра протокола IP
Destination Gateway Genmask Flags Metric Ref Use Iface
ppp85- 141 - 172 - 1 * 255 . 255 . 255 . 255 UH 0 0 0 ppp0
192 . 168 . 254 . 0 * 255 . 255 . 255 . 0 U 0 0 0 eth2
default * 0 . 0 . 0 . 0 U 0 0 0 ppp0
root@safary:~/sys# iptables -L -v
Chain INPUT (policy DROP 2 packets, 96 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
213 17444 ACCEPT all -- eth2 any 192.168.254.0/24 anywhere state NEW,RELATED,ESTABLISHED
2 321 ACCEPT all -- ppp0 any anywhere anywhere state RELATED,ESTABLISHED
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
159 21196 ACCEPT all -- eth2 ppp0 anywhere anywhere state NEW,RELATED,ESTABLISHED
138 35887 ACCEPT all -- ppp0 eth2 anywhere anywhere state RELATED,ESTABLISHED
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any lo anywhere anywhere
168 32200 ACCEPT all -- any eth2 anywhere anywhere state RELATED,ESTABLISHED
2 144 ACCEPT all -- any ppp0 anywhere anywhere state NEW,RELATED,ESTABLISHED
root@safary:~/sys# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 585 packets, 93014 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
34 2071 MASQUERADE all -- any ppp0 anywhere anywhere
Chain OUTPUT (policy ACCEPT 17 packets, 1358 bytes)
pkts bytes target prot opt in out source destination
root@safary:~/sys# iptables -t mangle -L -v
Chain PREROUTING (policy ACCEPT 6309 packets, 614K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 5770 packets, 510K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 539 packets, 104K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3369 packets, 504K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 3908 packets, 608K bytes)
pkts bytes target prot opt in out source destination
root@safary:~/sys# uname -a
Linux safary 2 . 6 . 15 - 27 -server # 1 SMP Sat Sep 16 02 : 57 : 21 UTC 2006 i686 GNU/Linux
При этом шлюз в интернет ходит отлично, а локальная сеть:
-большенство сайтов не открывает
-тормозит
-соединения сбрасывает
ПОМОГИТЕ!!!!!!!!!!
