Три роутера заблудились - связь есть, но боком


Переношу сайт на другой сервер, который стоит за микротиком. Рабочий вариант такой:

[белый IP]
микротик
[192.168.0.1][192.168.1.1]
      |             |
[192.168.0.72][192.168.1.2]
сервер старый ubuntu

Добавил новый сервер openSUSE и перенёс туда службы ssh, http, https.

                  [белый IP]
                   микротик
          [192.168.0.1][192.168.1.1]
           /        \            \
         /              \             \
      /                     \             \   
[192.168.0.71]            [192.168.0.72][192.168.1.2]
сервер новый opensuse            сервер старый ubuntu

Рабочий вариант сети у openSUSE был с gateway=192.168.0.72, то есть через старый сервер ubuntu, который стоит в обеих подсетях (192.168.0.72 и 192.168.1.2).
Причём порты ssh, http и https микротик пробрасывал на адрес 192.168.0.71, и всё работало — ответы возвращались через ubuntu-сервер.
Если у openSUSE поменять gateway на сам микротик (192.168.0.1), внешняя связь пропадает; внутренняя сеть при этом работает.

Микротик видит входящий SSH (порт 31103) и пробрасывает его на 192.168.0.71:

18:45:41 firewall,info dstnat: in:bridge1WAN out:(unknown 0), src-mac d8:18:d3:15:ae:*, proto TCP (SYN), 46.173.93.*:56420->195.18.17.*:31103, len 60 
18:45:41 firewall,info forward: in:bridge1WAN out:bridge2, src-mac d8:18:d3:15:ae:*, proto TCP (SYN), 46.173.93.*:56420->192.168.0.71:31103, NAT 46.173.93.*:56420->(195.18.17.*:31103->192.168.0.71:31103), len 60

А от сервера openSUSE ответа нет. Причём остановка firewalld (`systemctl stop firewalld.service`) ничего не даёт — связи всё равно нет.

Как подружить микротик с openSUSE?

[MikroG] /ip> export

# Interface addressing: bridge2 = 192.168.0.0/24 (new openSUSE server .71,
# old ubuntu server .72), bridge3 = 192.168.1.0/24 (old ubuntu server .2).
# The WAN address on bridge1WAN comes from the provider via dhcp-client.
/ip address
add address=192.168.0.1/24 interface=bridge2 network=192.168.0.0
add address=192.168.1.1/24 interface=bridge3 network=192.168.1.0
# WAN address via DHCP; provider DNS is ignored (use-peer-dns=no), so the
# router's resolver has to be configured separately (/ip dns is not in this
# export).
/ip dhcp-client
add disabled=no interface=bridge1WAN use-peer-dns=no
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1
add address=192.168.1.0/24 gateway=192.168.1.1
# NOTE(review): a DHCP network for the public /24 (gateway .254) looks like a
# leftover - no /ip dhcp-server instance appears in this export, and the WAN
# side is served by the provider's DHCP anyway. Confirm and remove.
add address=195.18.17.0/24 gateway=195.18.17.254
# Lists meant to be filled by the detect-ddos chain (firewall filter) and
# consumed by the raw-chain drop.
/ip firewall address-list
add list=ddos-attackers
add list=ddos-target
# NOTE(review): "!dynamic" runs MNDP/CDP/LLDP discovery on every static
# interface, which presumably includes bridge1WAN - the router then
# advertises its identity, version and platform toward the provider.
# Prefer discover-interface-list=LAN.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip firewall filter
# detect-ddos: rate-limit per src/dst pair; above the limit both addresses
# are listed for 10 minutes and the raw chain drops that pair.
# NOTE(review): no rule in this export jumps to detect-ddos, so the chain is
# never evaluated and the ddos-* lists stay empty. Something like
# "add chain=forward connection-state=new action=jump jump-target=detect-ddos"
# is needed before it does anything.
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-target address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos
# --- input: traffic addressed to the router itself ---
add action=accept chain=input comment="Good connections" connection-state=established,related
add action=drop chain=input comment="Kill bad" connection-state=invalid
add action=accept chain=input comment="Ping me" protocol=icmp
# NOTE(review): the management ports (ssh 57472, www-ssl 16190, www 18671) are
# accepted from every interface, WAN included. Non-standard ports are not a
# control; plain-HTTP WebFig (18671) reachable from the internet sends router
# credentials in clear. Restrict these to in-interface-list=LAN or a
# src-address-list of admin hosts, and drop the plain-www rule for the WAN.
add action=accept chain=input comment="For mikrotik outside access" dst-port=57472 protocol=tcp
add action=accept chain=input comment="mikrotik www-ssl https" dst-port=16190 protocol=tcp
# NOTE(review): accepts 6in4 (IP protocol 41) from any source. If a tunnel
# exists, pin it with src-address=<tunnel peer>; otherwise remove.
add action=accept chain=input protocol=ipv6-encap
add action=accept chain=input comment="mikrotik www http" dst-port=18671 protocol=tcp
add action=accept chain=input comment="DHCP get ip address from provider" dst-port=68 in-interface=bridge1WAN protocol=udp
# NOTE(review): DHCP is UDP only; this TCP/68 rule matches nothing legitimate
# and can be removed.
add action=accept chain=input dst-port=68 in-interface=bridge1WAN protocol=tcp
add action=accept chain=input comment="from Lan" in-interface-list=LAN
add action=drop chain=input comment="DNS answer from web" dst-port=53 in-interface=bridge1WAN protocol=tcp
add action=drop chain=input dst-port=53 in-interface=bridge1WAN protocol=udp
add action=drop chain=input comment="Kill all inputs"
# --- forward: transit traffic ---
# Established/related traffic is accepted here only when it ENTERS from the
# WAN side. Replies leaving a LAN server toward the WAN (in bridge2, out
# bridge1WAN) do not match and fall through to the "drop from local to wan"
# rule below - that is the failure in the question: the dst-nat'ed SYN reaches
# 192.168.0.71, its SYN-ACK is dropped on the way back.
add action=accept chain=forward comment="Good transit" connection-state=established,related,untracked in-interface=bridge1WAN out-interface-list=LAN
add action=drop chain=forward comment="Bad transit" connection-state=invalid
add action=accept chain=forward comment="pass from WAN to Server1 14396,ssh 58259" dst-port=14396,58259 in-interface=bridge1WAN out-interface=bridge3 protocol=tcp
add action=accept chain=forward comment="ssh server2 for alex 31892" dst-address=192.168.0.71 dst-port=31892 in-interface=bridge1WAN log=yes protocol=tcp
# NOTE(review): 3306 is allowed from the WAN (reached through the 23801
# dst-nat). Exposing MySQL to the internet is rarely intended; limit
# src-address to the known client or move it behind SSH/VPN.
add action=accept chain=forward comment="http,https,ssh,mysql to server2" dst-address=192.168.0.71 dst-port=80,443,3306,31103 in-interface=bridge1WAN log=yes protocol=\
    tcp
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
# fasttrack-connection marks the connection for the fast path; packets that
# are not fasttracked keep going through the rules below, so on its own it
# does not let LAN->WAN replies through (the accepted answer confirms the
# drop below still fires). The RouterOS default config pairs it with an
# "accept connection-state=established,related,untracked" rule.
add action=fasttrack-connection chain=forward connection-state=established,related
add action=drop chain=forward comment="drop DHCP from lan to wan" dst-port=67,68 out-interface-list=WAN protocol=udp
add action=drop chain=forward dst-port=67,68 out-interface-list=WAN protocol=tcp
add action=drop chain=forward dst-port=67,68 in-interface-list=WAN protocol=tcp
add action=drop chain=forward dst-port=67,68 in-interface-list=WAN protocol=udp
add action=drop chain=forward comment="DNS answer from web" dst-port=53 in-interface=bridge1WAN protocol=tcp
add action=drop chain=forward dst-port=53 in-interface=bridge1WAN protocol=udp
# Standard guard: only dst-nat'ed new connections may come in from the WAN.
add action=drop chain=forward comment="drop all from WAN to LAN" connection-nat-state=!dstnat connection-state=new in-interface=bridge1WAN
# The rule the accepted answer identifies as the culprit: it drops ALL
# bridge2 -> WAN traffic, replies included, because nothing above accepts
# established/related in that direction. Either accept established,related
# (without an in-interface match) before this rule, or exempt the server.
add action=drop chain=forward comment="drop from local to wan" in-interface=bridge2 out-interface=bridge1WAN
add action=accept chain=forward comment="from Lan to anywhere" in-interface-list=LAN
/ip firewall nat
# Outbound source NAT to the static public address (redacted in the post).
add action=src-nat chain=srcnat comment=Internet out-interface=bridge1WAN to-addresses=195.18.17.*
# Hairpin NAT: LAN clients hitting the public IP on 8080/443 are redirected
# to .71 and source-NATed to the router so the reply comes back through it.
# NOTE(review): src 192.168.0.0/16 is wider than the two /24s in use, and the
# WAN dst-nat below forwards 80 rather than 8080 - check which port the server
# really serves on (firewalld on .71 opens both).
add action=dst-nat chain=dstnat comment="HTTPS From Local Net to Public IP -> masque to 0.71" dst-address=195.18.17.* dst-port=8080,443 protocol=tcp src-address=\
    192.168.0.0/16 to-addresses=192.168.0.71
add action=src-nat chain=srcnat dst-address=192.168.0.71 dst-port=8080,443 protocol=tcp src-address=192.168.0.0/16 to-addresses=192.168.0.1
# Port forwards. dst-nat alone does not permit the traffic; each one relies
# on the matching accept in the forward chain.
add action=dst-nat chain=dstnat comment="14396,ssh 58259 to server 1.2" dst-port=14396,58259 in-interface=bridge1WAN protocol=tcp to-addresses=192.168.1.2
add action=dst-nat chain=dstnat comment="80,443, ssh to server2" dst-port=80,443,31103 in-interface=bridge1WAN log=yes protocol=tcp to-addresses=192.168.0.71
# NOTE(review): no in-interface here, so 31892 is rewritten on every
# interface, LAN included; add in-interface=bridge1WAN for consistency.
add action=dst-nat chain=dstnat comment="server2 for alex ssh 31892" dst-port=31892 log=yes protocol=tcp to-addresses=192.168.0.71
# NOTE(review): public 23801 -> MySQL 3306 on .71, open to any source.
# Restrict src-address or remove; see the forward-chain rule for 3306.
add action=dst-nat chain=dstnat comment="mysql server2" dst-port=23801 in-interface=bridge1WAN log=yes protocol=tcp to-addresses=192.168.0.71 to-ports=3306
# NOTE(review): traffic between the two LAN subnets is source-NATed to the
# router's own address. The router already routes both /24s directly, so this
# mainly hides the real client address from the servers' logs and host-based
# access rules - likely unneeded; confirm before keeping.
add action=src-nat chain=srcnat comment="0.x source to 1.1" out-interface=bridge3 src-address=192.168.0.0/24 to-addresses=192.168.1.1
add action=src-nat chain=srcnat comment="1.x source to 0.1" out-interface=bridge2 src-address=192.168.1.0/24 to-addresses=192.168.0.1
# Drops listed attacker->target pairs before connection tracking. Only
# effective once the detect-ddos chain actually runs (nothing in this export
# jumps to it).
/ip firewall raw
add action=drop chain=prerouting dst-address-list=ddos-target src-address-list=ddos-attackers
/ip service
# Management on non-standard ports. This is obscurity only: the input chain
# accepts all three ports from any interface. NOTE(review): www (plain HTTP)
# is reachable from the WAN - disable it, or limit each service to admin
# sources with the service's "address=" option.
set www port=18671
set ssh port=57472
set www-ssl certificate=Webfig disabled=no port=16190
/ip ssh
# NOTE(review): allow-none-crypto=yes lets an SSH client negotiate the "none"
# cipher, i.e. an unencrypted session to the router; set it to no.
# forwarding-enabled=remote lets any router login open listening ports on the
# router (a pivot into the LAN); disable unless it is actually used.
set allow-none-crypto=yes forwarding-enabled=remote
/ip upnp
# NOTE(review): UPnP with bridge1WAN external and bridge2 internal lets any
# host on 192.168.0.0/24 - including the internet-facing server .71 - open
# arbitrary WAN port mappings on its own, bypassing the hand-written NAT and
# filter rules. allow-disable-external-interface=yes additionally lets a LAN
# host take the WAN interface down via UPnP. Disable unless really needed.
set allow-disable-external-interface=yes enabled=yes
/ip upnp interfaces
# The first "external" entry names no interface and looks like a leftover.
add type=external
add interface=bridge2 type=internal
add interface=bridge1WAN type=external

Сеть openSUSE (таблица маршрутов из YaST и состояние firewalld). Замечание: к самой проблеме это отношения не имеет, но в зоне public на eth0 открыты nfs, mysql, dns и другие службы, а прямые правила FORWARD пропускают весь транзит с eth0 при включённом masquerade и DNAT 31892 на 192.168.0.10 — похоже на остатки роли шлюза; раз шлюзом теперь является микротик, их стоит убрать.

[x] Enable IPv4 Forwarding
  Destination   │Gateway                     │Device│Options
  192.168.0.0/24│192.168.0.1                 │eth0  │metric 120
  default       │192.168.0.1                 │eth0  │metric 240
# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: apache2 apache2-ssl dhcp dhcpv6 dhcpv6-client dns dns-over-tls http https mysql nfs nfs3 ssh
  ports: 31103/tcp 8080/tcp 5678/udp 33434-33534/udp
  protocols: 
  forward: no
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:
# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 0 -p tcp -m tcp --dport 31103 -j ACCEPT
ipv4 filter FORWARD 0 -i eth0 -j ACCEPT
ipv4 filter FORWARD 0 -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
ipv4 filter FORWARD 0 --source 192.168.0.0/16 --protocol tcp --match tcp -j ACCEPT
ipv4 filter FORWARD 0 --source 192.168.0.0/16 --protocol udp --match udp -j ACCEPT
ipv6 filter FORWARD 0 -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
ipv6 filter FORWARD 0 -i eth0 -j ACCEPT
ipv4 nat PREROUTING 0 -i eth0 -p tcp -m tcp --dport 31892 -j DNAT --to-destination 192.168.0.10
ipv4 nat POSTROUTING 0 -d 192.168.0.10 -p tcp -m tcp --dport 31892 -j SNAT --to-source 192.168.0.71

Ответы


Виноват был микротик. Он дропал весь транзит из bridge2 (192.168.0.0/24) в WAN — включая ответные пакеты проброшенных соединений, потому что правило «Good transit» принимает established/related только со стороны WAN (in-interface=bridge1WAN). Поэтому SYN доходил до 192.168.0.71, а SYN-ACK обратно уже не проходил; выход в интернет был разрешён только через ubuntu-сервер. Виновато вот это правило:

# Drops every packet from bridge2 toward the WAN - replies to dst-nat'ed
# connections included, since no earlier rule accepts established/related
# traffic in that direction.
add action=drop chain=forward comment="drop from local to wan" \   
in-interface=bridge2 out-interface=bridge1WAN

А сервер ubuntu сидел в другой подсети — bridge3, 192.168.1.0/24, — на которую это правило не распространялось, поэтому через него всё работало.

Решил вопрос ослаблением фаервола микротика — добавил в это правило исключение для нового сервера с openSUSE. Замечание: исключение по src-address даёт .71 полный выход в интернет (дальше его трафик принимает правило «from Lan to anywhere»); если нужно лишь вернуть ответы на проброшенные порты, точнее поставить перед этим drop правило `add action=accept chain=forward connection-state=established,related` без привязки к интерфейсу, а исходящие соединения сервера разрешать отдельно:

# Exempts .71 from the drop, so its traffic continues to the later
# "from Lan to anywhere" accept (assuming bridge2 is in the LAN list): the
# server gets unrestricted egress, not just replies to the forwarded ports.
# Narrower alternative: an "accept connection-state=established,related" rule
# without an in-interface match placed above this drop, plus explicit egress
# for whatever the server itself needs (updates, DNS). log=yes here will log
# every other LAN->WAN packet that is dropped - expect noise.
add action=drop chain=forward comment="drop from local2 to wan ; opensuse = .0.71 - ok" \  
in-interface=bridge2 log=yes out-interface=bridge1WAN src-address=!192.168.0.71