Hello. Please help me get a packet from port 61000 on the VPS to port 6665 on the LAN.
Diagram: https://yadi.sk/i/R_O_3RN8ryXFg
iptables on the VPS
# Generated by iptables-save v1.4.21 on Wed May 25 11:41:52 2016
*nat
:PREROUTING ACCEPT [4:220]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [3:156]
-A PREROUTING -d 185.60.X.X/32 -p tcp -m tcp --dport 61000 -j DNAT --to-destination 192.168.0.3:6665
-A POSTROUTING -d 192.168.0.0/24 -p tcp -m tcp --dport 6555 -j SNAT --to-source 185.60.X.X:61000
COMMIT
# Completed on Wed May 25 11:41:52 2016
# Generated by iptables-save v1.4.21 on Wed May 25 11:41:52 2016
*filter
:INPUT DROP [236:15480]
:FORWARD ACCEPT [54:2736]
:OUTPUT ACCEPT [5310:832319]
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 7786 -j ACCEPT #ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 61000 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -s 192.168.0.0/24 -i tun0 -j ACCEPT
-A FORWARD -s 10.15.0.0/24 -d 192.168.0.0/24 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -d 10.15.0.0/24 -j ACCEPT
COMMIT
# Completed on Wed May 25 11:41:52 2016
At the same time, from the VPS itself, telnet to 192.168.0.1:61000 works.
iptables on the gate
# Generated by iptables-save v1.6.0 on Wed May 25 16:07:53 2016
*nat
:PREROUTING ACCEPT [71975:7328759]
:INPUT ACCEPT [27204:2804587]
:OUTPUT ACCEPT [14682:1031229]
:POSTROUTING ACCEPT [16690:1119725]
-A POSTROUTING -s 192.168.0.0/24 -o enp0s29f7u4 -j MASQUERADE
-A POSTROUTING -s 10.15.0.0/24 -o tun0 -j MASQUERADE
COMMIT
# Completed on Wed May 25 16:07:53 2016
# Generated by iptables-save v1.6.0 on Wed May 25 16:07:53 2016
*filter
:INPUT ACCEPT [5618:648487]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1518:241899]
-A INPUT -i lo -j ACCEPT
-A FORWARD -i enp1s3 -o enp0s29f7u4 -j ACCEPT
-A FORWARD -i enp0s29f7u4 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp0s29f7u4 -o enp1s3 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.0.0/24 -d 10.15.0.0/24 -j ACCEPT
-A FORWARD -s 10.15.0.0/24 -d 192.168.0.0/24 -j ACCEPT
-A FORWARD -s 10.15.0.0/24 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/24 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -j ACCEPT
COMMIT
# Completed on Wed May 25 16:07:53 2016
When a client from the Internet connects to port 61000 of the VPS, tcpdump on the gate shows this:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
15:41:30.197239 IP dnm.44.77.185.178.dsl.xxxx.ru.33114 > 192.168.0.3.6665: Flags [S], seq 3326009501, win 8192, options [mss 1366,nop,wscale 2,nop,nop,sackOK], length 0
15:41:33.220809 IP dnm.44.77.185.178.dsl.xxxx.ru.33114 > 192.168.0.3.6665: Flags [S], seq 3326009501, win 8192, options [mss 1366,nop,wscale 2,nop,nop,sackOK], length 0
15:41:39.220415 IP dnm.44.77.185.178.dsl.xxxx.ru.33114 > 192.168.0.3.6665: Flags [S], seq 3326009501, win 8192, options [mss 1366,nop,nop,sackOK], length 0
tcpdump: pcap_loop: The interface went down
3 packets captured
3 packets received by filter
0 packets dropped by kernel
As far as I understand, the VPS forwards the packet without changing the packet's source address. Where should I look?
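In the posted nat table the SNAT rule matches --dport 6555 while the DNAT rule rewrites the destination to port 6665, so the SNAT never fires and the forwarded SYN keeps the client's source address. The following POSIX sh snippet is an added example, not part of the question: it extracts both ports from such a dump, flags the mismatch, and emits a consistent pair; the tunnel address 10.15.0.1 used as the SNAT source is an assumption (the SNAT source must be an address the gate routes back over tun0, otherwise replies leave via the gate's own uplink).

```shell
#!/bin/sh
# Constructed from the VPS nat table posted in the question (addresses kept as posted).
VPS_NAT_DUMP='-A PREROUTING -d 185.60.X.X/32 -p tcp -m tcp --dport 61000 -j DNAT --to-destination 192.168.0.3:6665
-A POSTROUTING -d 192.168.0.0/24 -p tcp -m tcp --dport 6555 -j SNAT --to-source 185.60.X.X:61000'

# Port that the DNAT rule rewrites the destination to (after the colon in --to-destination).
dnat_target_port() {
  printf '%s\n' "$1" | sed -n 's/.*-j DNAT --to-destination [0-9.]*:\([0-9]*\).*/\1/p'
}

# Port that the SNAT rule matches on (--dport); after DNAT this is the LAN service port.
snat_match_port() {
  printf '%s\n' "$1" | sed -n 's/.*--dport \([0-9]*\) -j SNAT.*/\1/p'
}

# Exit 0 when the SNAT --dport equals the DNAT target port, 1 when the pair cannot work together.
nat_ports_consistent() {
  [ "$(dnat_target_port "$1")" = "$(snat_match_port "$1")" ]
}

# Emit a matching DNAT/SNAT pair.
# $1 public IP, $2 public port, $3 LAN host, $4 LAN port, $5 VPS tunnel-side IP (assumed value below).
# The SNAT is limited to the single LAN host and uses the tunnel address as source so that the
# gate's reply is routed back through tun0 instead of its default route.
nat_pair() {
  printf '%s\n' "-A PREROUTING -d $1/32 -p tcp -m tcp --dport $2 -j DNAT --to-destination $3:$4"
  printf '%s\n' "-A POSTROUTING -d $3/32 -p tcp -m tcp --dport $4 -j SNAT --to-source $5"
}

# Stand-alone run: report on the posted dump, then show a consistent replacement.
if nat_ports_consistent "$VPS_NAT_DUMP"; then
  echo "ok: SNAT --dport matches DNAT target port"
else
  echo "mismatch: DNAT sends to port $(dnat_target_port "$VPS_NAT_DUMP"), SNAT matches --dport $(snat_match_port "$VPS_NAT_DUMP")"
fi
nat_pair 185.60.X.X 61000 192.168.0.3 6665 10.15.0.1   # 10.15.0.1 is an assumed tunnel address
```

Note that DNATed packets traverse the FORWARD chain rather than INPUT, so the INPUT rule accepting port 61000 on eth0 does not decide their fate; the FORWARD policy and the nat pair do.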