Привет ребята! Тут такая паранойя небольшая, не могу разобраться с диагностикой сети помогите. Есть шлюз на Debian около 500 человек выходят в сеть через него. На мониторинге заметил обрывы на аплинке. http://piccy.info/view3/9042188/dcaf553a74b4c4af234d97d8d5fcb343/
Выяснилось следующее: скрипт, который пингом проверяет доступность шлюза, в момент проверки натыкается на потерю одного пакета (он шлёт всего один, `-c1`) и переключает на резерв; в следующую проверку всё нормально, и он переключает назад. Пингуя этот шлюз командой
ping -v -c100 *.*.*.*
Если пинговать своё оборудование в сети, то потерь нет, всё окей.
И тут вопрос: как мне проверить свой шлюз — не справляется ли он, или это какой-то сбой/ошибка, или неправильная конфигурация? Не хочется бежать к провайдеру с таким вопросом, а потом ещё выяснится, что проблема у меня.
На шлюзе ванильное ядро 3.18.23; ядро и iptables патчились под IMQ — это как-то может повлиять? Может ли на это повлиять фаервол или его неправильная настройка?
Скрипт проверки аплинков
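#!/bin/bash
# Uplink health check for a multi-WAN gateway with up to seven ISP slots.
#
# The sourced vars file must provide, for every slot ispN:
#   ispN_if      egress interface of that uplink
#   ispN_fwmark  fwmark of its policy-routing rule, written the way
#                `ip rule` prints it (e.g. 0x1); if the spelling differs
#                the rule is never recognised and gets re-added every run
# and the shared settings pinghost, prio_mark, IPT, clients_if and
# clients_ippool.  Optional: ping_count (default 3) and ping_timeout in
# seconds (default 2) tune the probe.
#
# Per slot: probe pinghost using the uplink's own address as source.  If
# it answers, make sure the fwmark rule and a main-table default route
# with metric N exist for that uplink; otherwise remove both.  When no
# uplink answers, client traffic is hooked into the nat chain redirect2
# (the "no internet" page); the hook is removed again as soon as at
# least one uplink works.
#
# NOTE(review): every uplink is judged against the same single pinghost.
# If that host itself goes away, all uplinks are declared dead and every
# client is sent to the captive page - consider per-uplink or several
# targets.
#
# Runs as root (ip/iptables); meant to be run periodically from cron.
. /usr/net-conf/vars

# Echo requests per probe and per-reply timeout.  The probe succeeds if
# ANY request is answered, so one lost packet no longer flips an uplink
# to "dead" and back again on the next run.
ping_count=${ping_count:-3}
ping_timeout=${ping_timeout:-2}

arr_stat_isp=()
for i in {1..7}; do
  curtable="isp$i"
  ifvar="${curtable}_if"
  markvar="${curtable}_fwmark"
  curint2="${!ifvar}"
  curfwmark2="${!markvar}"

  # Unconfigured slot: an empty interface name would make `ip a l` dump
  # every interface (and pick lo's address), so treat it as down and
  # touch nothing.
  if [[ -z "$curint2" ]]; then
    arr_stat_isp[$i]=not_works
    continue
  fi

  # Current kernel state.  Interface/mark values go to awk via -v rather
  # than being spliced into the pattern, and matches are anchored so that
  # e.g. vlan1 cannot match vlan13 or 0x1 match 0x10.
  currule=$(ip rule | awk -v m="$curfwmark2" '$0 ~ ("fwmark " m "( |/)") { print $7; exit }')
  curip=$(ip -4 addr show dev "$curint2" 2>/dev/null | awk '$1 == "inet" { sub("/.*", "", $2); print $2; exit }')
  curdef=$(ip route | awk -v d="$curint2" '$1 == "default" && $0 ~ (" dev " d "( |$)") { print $5; exit }')
  curgw=$(ip route show table "$curtable" | awk -v d="$curint2" '$1 == "default" && $0 ~ (" dev " d "( |$)") { print $3; exit }')

  # Probe.  An interface without an IPv4 address (ppp link down) is down
  # by definition; checking that first also keeps an empty -I argument
  # from swallowing $pinghost.  -q prints only the summary, -W bounds
  # the wait for each reply.
  # NOTE(review): -I <address> only sets the source address.  Unless a
  # `from <address>` policy rule steers it, the packet still follows the
  # main table's current default route and may leave through a different
  # uplink - verify with `ip rule`; that alone can produce false "dead"
  # verdicts in a multi-WAN setup.
  if [[ -n "$curip" ]] && ping -q -c "$ping_count" -W "$ping_timeout" -I "$curip" "$pinghost"; then
    arr_stat_isp[$i]=works
    if [[ "$currule" == "$curtable" ]]; then
      echo "ip rule yes"
    else
      ip rule add fwmark "$curfwmark2" table "$curtable" prio "$prio_mark"
      ip route flush cache
    fi
    if [[ "$curdef" == "$curint2" ]]; then
      echo "default route yes"
    elif [[ -z "$curgw" ]]; then
      # Without a gateway in table ispN the route cannot be built; report
      # it instead of handing `via ''` to ip(8).
      echo "isp$i: no default route in table $curtable, cannot add one via $curint2" >&2
    else
      ip route add default via "$curgw" dev "$curint2" metric "$i"
      ip route flush cache
    fi
  else
    arr_stat_isp[$i]=not_works
    if [[ "$currule" == "$curtable" ]]; then
      ip rule del fwmark "$curfwmark2"
      ip route flush cache
    else
      echo "no ip rule"
    fi
    if [[ "$curdef" == "$curint2" ]]; then
      # Identify the route by dev+metric only: the gateway of a ppp link
      # may have changed since the route was added, and the table may be
      # empty now, so a `via` match would leave the stale route behind.
      ip route del default dev "$curint2" metric "$i"
      ip route flush cache
    else
      echo "no default route"
    fi
  fi
done

# Did at least one uplink answer?
flag=0
for state in "${arr_stat_isp[@]}"; do
  [[ "$state" == works ]] && flag=1
done

# Is the captive-page hook for clients currently installed?
redirect2=$(iptables-save | awk '/PREROUTING/ && /redirect2/')
# $IPT is deliberately left unquoted: the vars file may carry options
# in it (e.g. a path plus flags), as the original script allowed.
if (( flag == 0 )); then
  echo "ничего не работает"
  if [[ -z "$redirect2" ]]; then
    echo "строка пустая"
    $IPT -w -t nat -A PREROUTING -i "$clients_if" -s "$clients_ippool" -j redirect2
  fi
else
  echo "минимум 1 аплинк работает"
  if [[ -n "$redirect2" ]]; then
    echo "строка не пустая"
    $IPT -w -t nat -D PREROUTING -i "$clients_if" -s "$clients_ippool" -j redirect2
  fi
fi
exit 0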
iptables-save
iptables-save
# Generated by iptables-save v1.4.21 on Sat Nov 21 22:12:03 2015
*mangle
:PREROUTING ACCEPT [956223385:836581798825]
:INPUT ACCEPT [9849265:712417670]
:FORWARD ACCEPT [946313355:835864730969]
:OUTPUT ACCEPT [124518:71314230]
:POSTROUTING ACCEPT [946395895:835933065624]
:add_set_isp1 - [0:0]
:add_set_isp2 - [0:0]
:add_set_isp3 - [0:0]
:add_set_isp4 - [0:0]
:add_set_isp5 - [0:0]
:add_set_isp6 - [0:0]
:add_set_isp7 - [0:0]
:balancing - [0:0]
:class_imq0_isp1 - [0:0]
:class_imq0_isp2 - [0:0]
:class_imq0_isp3 - [0:0]
:class_imq1_isp1 - [0:0]
:class_imq1_isp2 - [0:0]
:class_imq1_isp3 - [0:0]
:ipt_isp1 - [0:0]
:ipt_isp2 - [0:0]
:ipt_isp3 - [0:0]
:ipt_isp4 - [0:0]
:ipt_isp5 - [0:0]
:ipt_isp6 - [0:0]
:ipt_isp7 - [0:0]
-A PREROUTING -s 10.193.0.0/16 -i ppp+ -j NETFLOW
-A PREROUTING -s 10.193.0.0/16 -i ppp+ -m conntrack --ctstate NEW -m set --match-set ALLOWED src -j balancing
-A PREROUTING -s 10.193.0.0/16 -i vlan10 -m conntrack --ctstate NEW -j balancing
-A PREROUTING -s 10.192.0.0/16 -i vlan10 -m conntrack --ctstate NEW -j balancing
-A PREROUTING -m set --match-set isp1 src -j ipt_isp1
-A PREROUTING -m set --match-set isp2 src -j ipt_isp2
-A PREROUTING -m set --match-set isp3 src -j ipt_isp3
-A PREROUTING -m set --match-set isp4 src -j ipt_isp4
-A PREROUTING -m set --match-set isp5 src -j ipt_isp5
-A PREROUTING -m set --match-set isp6 src -j ipt_isp6
-A PREROUTING -m set --match-set isp7 src -j ipt_isp7
-A PREROUTING -i ppp10001 -m conntrack --ctstate NEW -j CONNMARK --set-xmark 0x1/0xffffffff
-A PREROUTING -i ppp10002 -m conntrack --ctstate NEW -j CONNMARK --set-xmark 0x2/0xffffffff
-A PREROUTING -i vlan9 -m conntrack --ctstate NEW -j CONNMARK --set-xmark 0x3/0xffffffff
-A PREROUTING -i vlan13 -m conntrack --ctstate NEW -j CONNMARK --set-xmark 0x4/0xffffffff
-A PREROUTING -i ppp10005 -m conntrack --ctstate NEW -j CONNMARK --set-xmark 0x5/0xffffffff
-A PREROUTING -i ppp10006 -m conntrack --ctstate NEW -j CONNMARK --set-xmark 0x6/0xffffffff
-A PREROUTING -i ppp10007 -m conntrack --ctstate NEW -j CONNMARK --set-xmark 0x7/0xffffffff
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A POSTROUTING -d 10.193.0.0/16 -o ppp+ -j NETFLOW
-A add_set_isp1 -j SET --add-set isp1 src
-A add_set_isp2 -m set --match-set isp1 src -j RETURN
-A add_set_isp2 -j SET --add-set isp2 src
-A add_set_isp3 -m set --match-set isp1 src -j RETURN
-A add_set_isp3 -m set --match-set isp2 src -j RETURN
-A add_set_isp3 -j SET --add-set isp3 src
-A add_set_isp4 -m set --match-set isp1 src -j RETURN
-A add_set_isp4 -m set --match-set isp2 src -j RETURN
-A add_set_isp4 -m set --match-set isp3 src -j RETURN
-A add_set_isp4 -j SET --add-set isp4 src
-A add_set_isp5 -m set --match-set isp1 src -j RETURN
-A add_set_isp5 -m set --match-set isp2 src -j RETURN
-A add_set_isp5 -m set --match-set isp3 src -j RETURN
-A add_set_isp5 -m set --match-set isp4 src -j RETURN
-A add_set_isp5 -j SET --add-set isp5 src
-A add_set_isp6 -m set --match-set isp1 src -j RETURN
-A add_set_isp6 -m set --match-set isp2 src -j RETURN
-A add_set_isp6 -m set --match-set isp3 src -j RETURN
-A add_set_isp6 -m set --match-set isp4 src -j RETURN
-A add_set_isp6 -m set --match-set isp5 src -j RETURN
-A add_set_isp6 -j SET --add-set isp6 src
-A add_set_isp7 -m set --match-set isp1 src -j RETURN
-A add_set_isp7 -m set --match-set isp2 src -j RETURN
-A add_set_isp7 -m set --match-set isp3 src -j RETURN
-A add_set_isp7 -m set --match-set isp4 src -j RETURN
-A add_set_isp7 -m set --match-set isp5 src -j RETURN
-A add_set_isp7 -m set --match-set isp6 src -j RETURN
-A add_set_isp7 -j SET --add-set isp7 src
-A balancing -m set --match-set isp1 src -j RETURN
-A balancing -m set --match-set isp2 src -j RETURN
-A balancing -m set --match-set isp3 src -j RETURN
-A balancing -m set --match-set isp4 src -j RETURN
-A balancing -m set --match-set isp5 src -j RETURN
-A balancing -m set --match-set isp6 src -j RETURN
-A balancing -m set --match-set isp7 src -j RETURN
-A balancing -m statistic --mode random --probability 0.14300000016 -j add_set_isp1
-A balancing -m statistic --mode random --probability 0.16699999990 -j add_set_isp2
-A balancing -m statistic --mode random --probability 0.20000000019 -j add_set_isp3
-A balancing -m statistic --mode random --probability 0.25000000000 -j add_set_isp4
-A balancing -m statistic --mode random --probability 0.33300000010 -j add_set_isp5
-A balancing -m statistic --mode random --probability 0.50000000000 -j add_set_isp6
-A balancing -j add_set_isp7
-A class_imq0_isp1 -j CLASSIFY --set-class 0001:0103
-A class_imq0_isp1 -p icmp -j CLASSIFY --set-class 0001:0101
-A class_imq0_isp1 -p tcp -m multiport --sports 22,53,953 -j CLASSIFY --set-class 0001:0101
-A class_imq0_isp1 -p tcp -m multiport --dports 22,53,953 -j CLASSIFY --set-class 0001:0101
-A class_imq0_isp1 -p udp -m multiport --sports 22,53,953 -j CLASSIFY --set-class 0001:0101
-A class_imq0_isp1 -p udp -m multiport --dports 22,53,953 -j CLASSIFY --set-class 0001:0101
-A class_imq0_isp1 -p tcp -m multiport --sports 80,443,110,25,143,220 -j CLASSIFY --set-class 0001:0102
-A class_imq0_isp1 -p tcp -m multiport --dports 80,443,110,25,143,220 -j CLASSIFY --set-class 0001:0102
-A class_imq0_isp1 -p udp -m multiport --sports 80,443,110,25,143,220 -j CLASSIFY --set-class 0001:0102
-A class_imq0_isp1 -p udp -m multiport --dports 80,443,110,25,143,220 -j CLASSIFY --set-class 0001:0102
-A class_imq0_isp1 -m set --match-set speedtest dst -j CLASSIFY --set-class 0001:0101
-A class_imq0_isp2 -j CLASSIFY --set-class 0001:0203
-A class_imq0_isp2 -p icmp -j CLASSIFY --set-class 0001:0201
-A class_imq0_isp2 -p tcp -m multiport --sports 22,53,953 -j CLASSIFY --set-class 0001:0201
-A class_imq0_isp2 -p tcp -m multiport --dports 22,53,953 -j CLASSIFY --set-class 0001:0201
-A class_imq0_isp2 -p udp -m multiport --sports 22,53,953 -j CLASSIFY --set-class 0001:0201
-A class_imq0_isp2 -p udp -m multiport --dports 22,53,953 -j CLASSIFY --set-class 0001:0201
-A class_imq0_isp2 -p tcp -m multiport --sports 80,443,110,25,143,220 -j CLASSIFY --set-class 0001:0202
-A class_imq0_isp2 -p tcp -m multiport --dports 80,443,110,25,143,220 -j CLASSIFY --set-class 0001:0202
-A class_imq0_isp2 -p udp -m multiport --sports 80,443,110,25,143,220 -j CLASSIFY --set-class 0001:0202
-A class_imq0_isp2 -p udp -m multiport --dports 80,443,110,25,143,220 -j CLASSIFY --set-class 0001:0202
-A class_imq0_isp2 -m set --match-set speedtest dst -j CLASSIFY --set-class 0001:0201
-A class_imq0_isp3 -j CLASSIFY --set-class 0001:0303
-A class_imq0_isp3 -p icmp -j CLASSIFY --set-class 0001:0301
-A class_imq0_isp3 -p tcp -m multiport --sports 22,53,953 -j CLASSIFY --set-class 0001:0301
-A class_imq0_isp3 -p tcp -m multiport --dports 22,53,953 -j CLASSIFY --set-class 0001:0301
-A class_imq0_isp3 -p udp -m multiport --sports 22,53,953 -j CLASSIFY --set-class 0001:0301
-A class_imq0_isp3 -p udp -m multiport --dports 22,53,953 -j CLASSIFY --set-class 0001:0301
-A class_imq0_isp3 -p tcp -m multiport --sports 80,443,110,25,143,220 -j CLASSIFY --set-class 0001:0302
-A class_imq0_isp3 -p tcp -m multiport --dports 80,443,110,25,143,220 -j CLASSIFY --set-class 0001:0302
-A class_imq0_isp3 -p udp -m multiport --sports 80,443,110,25,143,220 -j CLASSIFY --set-class 0001:0302
-A class_imq0_isp3 -p udp -m multiport --dports 80,443,110,25,143,220 -j CLASSIFY --set-class 0001:0302
-A class_imq0_isp3 -m set --match-set speedtest dst -j CLASSIFY --set-class 0001:0301
-A class_imq1_isp1 -j CLASSIFY --set-class 0001:0013
-A class_imq1_isp1 -p icmp -j CLASSIFY --set-class 0001:0011
-A class_imq1_isp1 -p tcp -m multiport --sports 22,53,953 -j CLASSIFY --set-class 0001:0011
-A class_imq1_isp1 -p tcp -m multiport --dports 22,53,953 -j CLASSIFY --set-class 0001:0011
-A class_imq1_isp1 -p udp -m multiport --sports 22,53,953 -j CLASSIFY --set-class 0001:0011
-A class_imq1_isp1 -p udp -m multiport --dports 22,53,953 -j CLASSIFY --set-class 0001:0011
-A class_imq1_isp1 -p tcp -m multiport --sports 80,443,110,25,143,220 -j CLASSIFY --set-class 0001:0012
-A class_imq1_isp1 -p tcp -m multiport --dports 80,443,110,25,143,220 -j CLASSIFY --set-class 0001:0012
-A class_imq1_isp1 -p udp -m multiport --sports 80,443,110,25,143,220 -j CLASSIFY --set-class 0001:0012
-A class_imq1_isp1 -p udp -m multiport --dports 80,443,110,25,143,220 -j CLASSIFY --set-class 0001:0012
-A class_imq1_isp1 -m set --match-set speedtest src -j CLASSIFY --set-class 0001:0011
-A class_imq1_isp2 -j CLASSIFY --set-class 0001:0023
-A class_imq1_isp2 -p icmp -j CLASSIFY --set-class 0001:0021
-A class_imq1_isp2 -p tcp -m multiport --sports 22,53,953 -j CLASSIFY --set-class 0001:0021
-A class_imq1_isp2 -p tcp -m multiport --dports 22,53,953 -j CLASSIFY --set-class 0001:0021
-A class_imq1_isp2 -p udp -m multiport --sports 22,53,953 -j CLASSIFY --set-class 0001:0021
-A class_imq1_isp2 -p udp -m multiport --dports 22,53,953 -j CLASSIFY --set-class 0001:0021
-A class_imq1_isp2 -p tcp -m multiport --sports 80,443,110,25,143,220 -j CLASSIFY --set-class 0001:0022
-A class_imq1_isp2 -p tcp -m multiport --dports 80,443,110,25,143,220 -j CLASSIFY --set-class 0001:0022
-A class_imq1_isp2 -p udp -m multiport --sports 80,443,110,25,143,220 -j CLASSIFY --set-class 0001:0022
-A class_imq1_isp2 -p udp -m multiport --dports 80,443,110,25,143,220 -j CLASSIFY --set-class 0001:0022
-A class_imq1_isp2 -m set --match-set speedtest src -j CLASSIFY --set-class 0001:0021
-A class_imq1_isp3 -j CLASSIFY --set-class 0001:0033
-A class_imq1_isp3 -p icmp -j CLASSIFY --set-class 0001:0031
-A class_imq1_isp3 -p tcp -m multiport --sports 22,53,953 -j CLASSIFY --set-class 0001:0031
-A class_imq1_isp3 -p tcp -m multiport --dports 22,53,953 -j CLASSIFY --set-class 0001:0031
-A class_imq1_isp3 -p udp -m multiport --sports 22,53,953 -j CLASSIFY --set-class 0001:0031
-A class_imq1_isp3 -p udp -m multiport --dports 22,53,953 -j CLASSIFY --set-class 0001:0031
-A class_imq1_isp3 -p tcp -m multiport --sports 80,443,110,25,143,220 -j CLASSIFY --set-class 0001:0032
-A class_imq1_isp3 -p tcp -m multiport --dports 80,443,110,25,143,220 -j CLASSIFY --set-class 0001:0032
-A class_imq1_isp3 -p udp -m multiport --sports 80,443,110,25,143,220 -j CLASSIFY --set-class 0001:0032
-A class_imq1_isp3 -p udp -m multiport --dports 80,443,110,25,143,220 -j CLASSIFY --set-class 0001:0032
-A class_imq1_isp3 -m set --match-set speedtest src -j CLASSIFY --set-class 0001:0031
-A ipt_isp1 -j CONNMARK --set-xmark 0x1/0xffffffff
-A ipt_isp1 -j SET --add-set isp1 src --exist
-A ipt_isp2 -j CONNMARK --set-xmark 0x2/0xffffffff
-A ipt_isp2 -j SET --add-set isp2 src --exist
-A ipt_isp3 -j CONNMARK --set-xmark 0x3/0xffffffff
-A ipt_isp3 -j SET --add-set isp3 src --exist
-A ipt_isp4 -j CONNMARK --set-xmark 0x4/0xffffffff
-A ipt_isp4 -j SET --add-set isp4 src --exist
-A ipt_isp5 -j CONNMARK --set-xmark 0x5/0xffffffff
-A ipt_isp5 -j SET --add-set isp5 src --exist
-A ipt_isp6 -j CONNMARK --set-xmark 0x6/0xffffffff
-A ipt_isp6 -j SET --add-set isp6 src --exist
-A ipt_isp7 -j CONNMARK --set-xmark 0x7/0xffffffff
-A ipt_isp7 -j SET --add-set isp7 src --exist
COMMIT
# Completed on Sat Nov 21 22:12:03 2015
# Generated by iptables-save v1.4.21 on Sat Nov 21 22:12:03 2015
*nat
:PREROUTING ACCEPT [18681272:1333376593]
:INPUT ACCEPT [12014:768269]
:OUTPUT ACCEPT [31309:2882521]
:POSTROUTING ACCEPT [23115:2187998]
:redirect - [0:0]
:redirect2 - [0:0]
# Captive portal for PPP clients: everything that the `redirect` chain does
# not exempt (ALLOWED set, liqpay set, the portal addresses) is DNATed to
# 172.30.1.1:8080.  `redirect2` (port 8081) is not referenced here; it is
# hooked into PREROUTING by the uplink-check script only while no uplink
# works, and unhooked again afterwards.
-A PREROUTING -s 10.193.0.0/16 -i ppp+ -j redirect
# Port forwards on the public address.  No -i is given, so they apply on
# every ingress interface; the matching SNAT rules in POSTROUTING below
# make the same forwards work for clients in 10.193.0.0/16 (hairpin NAT).
# NOTE(review): port 50029 is listed twice - first match wins, so it
# always goes to 10.193.0.6 and the 50029 entry in the 10.193.0.11 rule
# never fires; probably a typo.
-A PREROUTING -d *.*.*.*/32 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 172.19.0.1
-A PREROUTING -d *.*.*.*/32 -p tcp -m multiport --dports 6036,50000 -j DNAT --to-destination 10.193.0.1
-A PREROUTING -d *.*.*.*/32 -p tcp -m multiport --dports 50001,50002 -j DNAT --to-destination 10.193.0.2
-A PREROUTING -d *.*.*.*/32 -p tcp -m multiport --dports 50004,50005 -j DNAT --to-destination 10.193.0.3
-A PREROUTING -d *.*.*.*/32 -p tcp -m multiport --dports 50006,50007 -j DNAT --to-destination 10.193.0.4
-A PREROUTING -d *.*.*.*/32 -p udp -m multiport --dports 50006,50007 -j DNAT --to-destination 10.193.0.4
-A PREROUTING -d *.*.*.*/32 -p tcp -m multiport --dports 50008,50029 -j DNAT --to-destination 10.193.0.6
-A PREROUTING -d *.*.*.*/32 -p tcp -m multiport --dports 50009,50010,50012 -j DNAT --to-destination 10.193.0.5
-A PREROUTING -d *.*.*.*/32 -p tcp -m multiport --dports 50013 -j DNAT --to-destination 10.193.0.5:80
-A PREROUTING -d *.*.*.*/32 -p tcp -m multiport --dports 50014,50015,50050 -j DNAT --to-destination 10.193.0.7
-A PREROUTING -d *.*.*.*/32 -p tcp -m multiport --dports 50016,50017,50025 -j DNAT --to-destination 10.193.0.8
-A PREROUTING -d *.*.*.*/32 -p tcp -m multiport --dports 50027,50028 -j DNAT --to-destination 10.193.0.9
-A PREROUTING -d *.*.*.*/32 -p tcp -m multiport --dports 50029,50030,50031,50032 -j DNAT --to-destination 10.193.0.11
-A PREROUTING -d *.*.*.*/32 -p tcp -m multiport --dports 50033,50034,50035,50036 -j DNAT --to-destination 10.193.0.13
# Same forwards for locally generated traffic (the gateway reaching its
# own public address).  Keep both lists in sync; the 50029 duplicate is
# repeated here.
-A OUTPUT -d *.*.*.*/32 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 172.19.0.1
-A OUTPUT -d *.*.*.*/32 -p tcp -m multiport --dports 6036,50000 -j DNAT --to-destination 10.193.0.1
-A OUTPUT -d *.*.*.*/32 -p tcp -m multiport --dports 50001,50002 -j DNAT --to-destination 10.193.0.2
-A OUTPUT -d *.*.*.*/32 -p tcp -m multiport --dports 50004,50005 -j DNAT --to-destination 10.193.0.3
-A OUTPUT -d *.*.*.*/32 -p tcp -m multiport --dports 50006,50007 -j DNAT --to-destination 10.193.0.4
-A OUTPUT -d *.*.*.*/32 -p udp -m multiport --dports 50006,50007 -j DNAT --to-destination 10.193.0.4
-A OUTPUT -d *.*.*.*/32 -p tcp -m multiport --dports 50008,50029 -j DNAT --to-destination 10.193.0.6
-A OUTPUT -d *.*.*.*/32 -p tcp -m multiport --dports 50009,50010,50012 -j DNAT --to-destination 10.193.0.5
-A OUTPUT -d *.*.*.*/32 -p tcp -m multiport --dports 50013 -j DNAT --to-destination 10.193.0.5:80
-A OUTPUT -d *.*.*.*/32 -p tcp -m multiport --dports 50014,50015,50050 -j DNAT --to-destination 10.193.0.7
-A OUTPUT -d *.*.*.*/32 -p tcp -m multiport --dports 50016,50017,50025 -j DNAT --to-destination 10.193.0.8
-A OUTPUT -d *.*.*.*/32 -p tcp -m multiport --dports 50027,50028 -j DNAT --to-destination 10.193.0.9
-A OUTPUT -d *.*.*.*/32 -p tcp -m multiport --dports 50029,50030,50031,50032 -j DNAT --to-destination 10.193.0.11
-A OUTPUT -d *.*.*.*/32 -p tcp -m multiport --dports 50033,50034,50035,50036 -j DNAT --to-destination 10.193.0.13
# Source NAT on each of the seven uplinks (vlan13 included, i.e. it is
# treated as uplink #4 here), plus masquerading towards 172.19.0.0/24 on
# the client VLAN.
-A POSTROUTING -o ppp10001 -j MASQUERADE
-A POSTROUTING -o ppp10002 -j MASQUERADE
-A POSTROUTING -o vlan9 -j MASQUERADE
-A POSTROUTING -o vlan13 -j MASQUERADE
-A POSTROUTING -o ppp10005 -j MASQUERADE
-A POSTROUTING -o ppp10006 -j MASQUERADE
-A POSTROUTING -o ppp10007 -j MASQUERADE
-A POSTROUTING -d 172.19.0.0/24 -o vlan10 -j MASQUERADE
# Hairpin NAT: when a client in 10.193.0.0/16 hits a forwarded service via
# the public address, rewrite the source so the reply comes back through
# the gateway instead of going directly to the client.
-A POSTROUTING -s 10.193.0.0/16 -d 172.19.0.1/32 -p tcp -m multiport --dports 80,443 -j SNAT --to-source 172.31.1.254
-A POSTROUTING -s 10.193.0.0/16 -d 10.193.0.1/32 -p tcp -m multiport --dports 6036,50000 -j SNAT --to-source 172.31.1.254
-A POSTROUTING -s 10.193.0.0/16 -d 10.193.0.2/32 -p tcp -m multiport --dports 50001,50002 -j SNAT --to-source 172.31.1.254
-A POSTROUTING -s 10.193.0.0/16 -d 10.193.0.3/32 -p tcp -m multiport --dports 50004,50005 -j SNAT --to-source 172.31.1.254
-A POSTROUTING -s 10.193.0.0/16 -d 10.193.0.4/32 -p tcp -m multiport --dports 50006,50007 -j SNAT --to-source 172.31.1.254
-A POSTROUTING -s 10.193.0.0/16 -d 10.193.0.4/32 -p udp -m multiport --dports 50006,50007 -j SNAT --to-source 172.31.1.254
-A POSTROUTING -s 10.193.0.0/16 -d 10.193.0.6/32 -p tcp -m multiport --dports 50008,50029 -j SNAT --to-source 172.31.1.254
-A POSTROUTING -s 10.193.0.0/16 -d 10.193.0.5/32 -p tcp -m multiport --dports 50009,50010,50012 -j SNAT --to-source 172.31.1.254
-A POSTROUTING -s 10.193.0.0/16 -d 10.193.0.5/32 -p tcp -m multiport --dports 80 -j SNAT --to-source 172.31.1.254
-A POSTROUTING -s 10.193.0.0/16 -d 10.193.0.7/32 -p tcp -m multiport --dports 50014,50015,50050 -j SNAT --to-source 172.31.1.254
-A POSTROUTING -s 10.193.0.0/16 -d 10.193.0.8/32 -p tcp -m multiport --dports 50016,50017,50025 -j SNAT --to-source 172.31.1.254
-A POSTROUTING -s 10.193.0.0/16 -d 10.193.0.9/32 -p tcp -m multiport --dports 50027,50028 -j SNAT --to-source 172.31.1.254
-A POSTROUTING -s 10.193.0.0/16 -d 10.193.0.11/32 -p tcp -m multiport --dports 50029,50030,50031,50032 -j SNAT --to-source 172.31.1.254
-A POSTROUTING -s 10.193.0.0/16 -d 10.193.0.13/32 -p tcp -m multiport --dports 50033,50034,50035,50036 -j SNAT --to-source 172.31.1.254
# Portal for unauthenticated PPP clients.  Note that UDP is redirected
# too, so their DNS queries also land on 172.30.1.1:8080 - presumably the
# portal answers them, otherwise name resolution for those users fails
# (NOTE(review): confirm).
-A redirect -m set --match-set ALLOWED src -j RETURN
-A redirect -m set --match-set liqpay dst -j RETURN
-A redirect -d 172.30.0.1/32 -j RETURN
-A redirect -d 172.30.1.1/32 -j RETURN
-A redirect -d *.*.*.*/32 -j RETURN
-A redirect -p tcp -j DNAT --to-destination 172.30.1.1:8080
-A redirect -p udp -j DNAT --to-destination 172.30.1.1:8080
# "No uplink available" page, installed by the uplink-check script.  Same
# UDP caveat as above.
-A redirect2 -d 172.30.0.1/32 -j RETURN
-A redirect2 -d 172.30.1.1/32 -j RETURN
-A redirect2 -d *.*.*.*/32 -j RETURN
-A redirect2 -p tcp -j DNAT --to-destination 172.30.1.1:8081
-A redirect2 -p udp -j DNAT --to-destination 172.30.1.1:8081
COMMIT
# Completed on Sat Nov 21 22:12:03 2015
# Generated by iptables-save v1.4.21 on Sat Nov 21 22:12:03 2015
*filter
# Default-deny for traffic to and through the gateway; locally generated
# traffic is unrestricted.
:INPUT DROP [9568763:651070390]
:FORWARD DROP [124:7420]
:OUTPUT ACCEPT [122785:70314662]
:forwarding - [0:0]
:incoming - [0:0]
# Only NEW connections are evaluated by `incoming`; replies to established
# flows are accepted before that.  FORWARD has no RELATED,ESTABLISHED
# shortcut - every forwarded packet is re-evaluated by `forwarding`.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -j incoming
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j forwarding
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
# Transit policy.  `ppp+` matches the client PPP sessions but also the
# ppp1000N uplinks, so membership in the ALLOWED/liqpay ipsets is the only
# thing keeping a packet that arrives on an uplink with a forged client
# source out of these rules (NOTE(review): verify rp_filter is enabled on
# the uplinks).  Anything entering from or leaving towards vlan10 is
# forwarded without restriction, including new inbound flows to vlan10
# hosts beyond the DNATed ports - fine as long as the 10.x ranges are not
# routable from the provider side.
-A forwarding -s 10.193.0.50/32 -i ppp+ -m set --match-set ALLOWED src -j ACCEPT
-A forwarding -d 10.193.0.50/32 -o ppp+ -m set --match-set ALLOWED dst -j ACCEPT
-A forwarding -i ppp+ ! -o vlan10 -m set --match-set ALLOWED src -j ACCEPT
-A forwarding ! -i vlan10 -o ppp+ -m set --match-set ALLOWED dst -j ACCEPT
-A forwarding -s 10.193.0.0/16 -i ppp+ ! -o vlan10 -m set --match-set liqpay dst -j ACCEPT
-A forwarding -d 10.193.0.0/16 ! -i vlan10 -o ppp+ -m set --match-set liqpay src -j ACCEPT
-A forwarding -i vlan10 -j ACCEPT
-A forwarding -o vlan10 -j ACCEPT
# Who may open connections to the gateway itself.  Uplink interfaces RETURN
# to INPUT and hit the DROP policy.  vlan13 - which the mangle table marks
# as uplink #4 (CONNMARK 0x4) and the nat table masquerades on - is absent
# from this list, so new connections arriving on vlan13 fall through to the
# ACCEPT rules below: DNS (53), HTTP/HTTPS, rndc (953) and ICMP become
# reachable from that provider's network, and a packet with a forged source
# of 10.193.0.50 would get full access unless rp_filter stops it.
# NOTE(review): if vlan13 is indeed an uplink, add
# `-A incoming -i vlan13 -j RETURN` alongside the other six.
-A incoming -i ppp10001 -j RETURN
-A incoming -i ppp10002 -j RETURN
-A incoming -i vlan9 -j RETURN
-A incoming -i ppp10005 -j RETURN
-A incoming -i ppp10006 -j RETURN
-A incoming -i ppp10007 -j RETURN
-A incoming -i lo -j ACCEPT
# Management host: matched by source only, no -i, hence the spoofing note
# above.
-A incoming -s 10.193.0.50/32 -j ACCEPT
# SSH only from the client VLAN, not from PPP sessions.
-A incoming -i vlan10 -p tcp -m multiport --dports 22 -j ACCEPT
# Services for all clients (vlan10 and PPP).  953 is presumably BIND's rndc
# control port; exposing it to 500 users is only safe if rndc is key-
# protected - consider limiting it to lo/vlan10 (NOTE(review): confirm).
-A incoming -p tcp -m multiport --dports 53,80,443,953 -j ACCEPT
-A incoming -p udp -m multiport --dports 53 -j ACCEPT
-A incoming -p icmp -j ACCEPT
COMMIT
# Completed on Sat Nov 21 22:12:03 2015