История изменений
Исправление olegkrutov, (текущая версия) :
Шлюзом должен быть таки поднятый ppp0. Вот пример костыля, работающего уж который год (да, костыль, но работает). Локалка 192.168.3.0/24
/etc/ppp/ip-up.d/beeline
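#!/bin/bash
# /etc/ppp/ip-up.d/beeline - pppd ip-up hook for the Beeline L2TP tunnel.
#
# When pppd brings the tunnel interface up this script:
#   1. pins the ISP DNS server and the tp.internet.beeline.ru endpoint
#      prefixes to the wired (pre-tunnel) gateway, so the tunnel endpoints
#      are never routed through the tunnel itself;
#   2. replaces the default route with the ppp interface;
#   3. rebuilds the iptables NAT firewall for the 192.168.3.0/24 LAN on
#      enp1s0 and enables IPv4 forwarding.
#
# Inputs (environment exported by pppd to ip-up scripts):
#   PPP_IFACE  - tunnel interface name (e.g. ppp0)
#   PPP_REMOTE - remote peer address pppd installed a host route for
# Side effects: IPv4 routes, iptables rules in filter/nat/mangle, kernel
#   modules, /proc/sys/net/ipv4/ip_forward, appends to /var/log/xxxx.log.
#
# No `set -e` on purpose: aborting between the chain flush and the rules
# below would leave the host with empty chains, which is worse than one
# failed route command. Every step runs; the tools report their own errors.

readonly LAN_IFACE=enp1s0
readonly LAN_NET=192.168.3.0/24
readonly LAN_GW=192.168.3.2
readonly DNS1=85.21.192.3
readonly TUNNEL_HOST=tp.internet.beeline.ru
readonly LOG_FILE=/var/log/xxxx.log
readonly LOOKUP_ATTEMPTS=20

#######################################
# Append one line to the script log.
# Arguments: message words
#######################################
log() {
  printf '%s\n' "$*" >> "$LOG_FILE"
}

#######################################
# Print the wired gateway: the last gateway (UG) entry of `route -n`.
# NOTE(review): `route` is net-tools and "last UG route" depends on table
# order; kept as in the original because the tunnel setup has relied on it.
# Outputs: gateway IP on stdout (empty when none is found)
#######################################
detect_wired_gateway() {
  route -n | grep 'UG[ \t]' | awk '{print $2}' | tail -n 1
}

#######################################
# Resolve TUNNEL_HOST through DNS1 and collect up to two distinct /24
# prefixes (first three octets) of its A records. Retries up to
# LOOKUP_ATTEMPTS times, one second apart, and stops as soon as a second
# distinct prefix shows up.
# Globals: TUNNEL_HOST, DNS1, LOOKUP_ATTEMPTS (read)
# Outputs: exactly two lines on stdout - first prefix, second prefix -
#          either of which may be empty
#######################################
discover_tunnel_prefixes() {
  local first='' second='' prefix attempt
  local -a prefixes
  for (( attempt = 0; attempt < LOOKUP_ATTEMPTS; attempt++ )); do
    # Only "<name> has address <ip>" lines carry an A record; the header
    # lines `host` prints when given a server, and AAAA/MX lines, are skipped.
    mapfile -t prefixes < <(host "$TUNNEL_HOST" "$DNS1" \
      | awk '/has address/ {print $4}' | cut -d. -f1,2,3 | sort -u)
    for prefix in "${prefixes[@]}"; do
      [[ -n "$prefix" ]] || continue
      if [[ -z "$first" ]]; then
        first=$prefix
      elif [[ "$first" != "$prefix" ]]; then
        second=$prefix
        break 2
      fi
    done
    # no point sleeping after the last attempt
    (( attempt + 1 < LOOKUP_ATTEMPTS )) && sleep 1
  done
  printf '%s\n%s\n' "$first" "$second"
}

#######################################
# Route the tunnel endpoints via the wired gateway and make the ppp
# interface the default route.
# Arguments: $1 - wired gateway IP
#            $2 - first tunnel prefix (a.b.c) or ''
#            $3 - second tunnel prefix (a.b.c) or ''
# Globals: PPP_IFACE, PPP_REMOTE, LAN_NET, LAN_GW (read)
#######################################
apply_routes() {
  local gw=$1 prefix1=$2 prefix2=$3
  # The endpoint prefixes must stay reachable through the wired path after
  # the default route moves to the tunnel, otherwise the tunnel routes itself.
  # NOTE(review): the /23 assumes prefix1 starts on an even third octet -
  # kept from the original, not verified here.
  if [[ -n "$prefix1" ]]; then
    ip route add "${prefix1}.0/23" via "$gw"
  fi
  if [[ -n "$prefix2" ]]; then
    ip route add "${prefix2}.0/24" via "$gw"
  fi
  ip route del default
  # pppd leaves a host route to the peer; drop it so everything goes via
  # the interface route. The original deleted it twice; the second delete
  # only prints an error when the first succeeded and is kept for parity.
  ip route del "$PPP_REMOTE" dev "$PPP_IFACE"
  ip route add default dev "$PPP_IFACE"
  ip route del "$PPP_REMOTE" dev "$PPP_IFACE"
  # NOTE(review): the LAN is routed via 192.168.3.2 rather than directly on
  # enp1s0 - presumably a downstream router; confirm against the network.
  ip route add "$LAN_NET" via "$LAN_GW"
}

#######################################
# Rebuild the firewall: the LAN on LAN_IFACE is trusted, the tunnel is
# not, and LAN traffic is masqueraded out of the tunnel.
# Globals: PPP_IFACE, LAN_IFACE, LAN_NET (read)
#######################################
apply_firewall() {
  # helpers needed for the RELATED data connections of ftp/pptp
  modprobe ip_conntrack_ftp
  modprobe nf_conntrack_pptp
  # Fail closed: set the DROP policies *before* flushing, so the window
  # between flush and rebuild never exposes the host. The OUTPUT policy is
  # never set here (kernel default is ACCEPT), so the OUTPUT rules below
  # only matter if something else has tightened it.
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -F
  iptables -t nat -F
  iptables -t mangle -F
  iptables -X

  # always accept lo
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -i "$LAN_IFACE" -j ACCEPT
  # 51413 has no interface match: it is reachable on every interface,
  # the tunnel included.
  iptables -A INPUT -p tcp --dport 51413 -j ACCEPT
  iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # any new connection that does not arrive through the tunnel is accepted
  iptables -A INPUT -m conntrack --ctstate NEW ! -i "$PPP_IFACE" -j ACCEPT
  # www
  iptables -A INPUT -m multiport -p tcp --dports 80,443 -j ACCEPT
  # ftp
  iptables -A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate ESTABLISHED,NEW -j ACCEPT -m comment --comment "Allow ftp connections on port 21"
  iptables -A OUTPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 21"
  iptables -A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow ftp connections on port 20"
  iptables -A OUTPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 20"
  iptables -A INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow passive inbound connections"
  iptables -A OUTPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow passive inbound connections"

  # MSS clamp for LAN clients goes first so it fires before the accepts
  iptables -I FORWARD 1 -i "$LAN_IFACE" -s "$LAN_NET" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  iptables -A FORWARD -i "$PPP_IFACE" -o "$LAN_IFACE" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -i "$LAN_IFACE" -o "$PPP_IFACE" -j ACCEPT
  iptables -A FORWARD -i "$PPP_IFACE" -o "$PPP_IFACE" -j REJECT
  iptables -t nat -A POSTROUTING -o "$PPP_IFACE" -j MASQUERADE
  printf '1\n' > /proc/sys/net/ipv4/ip_forward
}

main() {
  # pppd exports both; with an empty PPP_IFACE every interface match below
  # becomes a syntax error, so refuse to touch routes or firewall without them.
  : "${PPP_IFACE:?PPP_IFACE is not set (run as a pppd ip-up script)}"
  : "${PPP_REMOTE:?PPP_REMOTE is not set (run as a pppd ip-up script)}"
  printf '%s\n' "Starting...."

  local gw
  gw=$(detect_wired_gateway)
  if [[ -z "$gw" ]]; then
    log "no wired gateway found in the routing table; endpoint pinning will fail"
  fi
  # DNS1 must be reachable via the wired gateway both for the lookup below
  # and after the default route moves to the tunnel.
  ip route add "$DNS1" via "$gw"

  local -a prefixes
  mapfile -t prefixes < <(discover_tunnel_prefixes)
  log "IP1: ${prefixes[0]:-} IP2: ${prefixes[1]:-}"

  apply_routes "$gw" "${prefixes[0]:-}" "${prefixes[1]:-}"
  apply_firewall
}

main "$@"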
Исправление olegkrutov, :
Шлюзом должен быть таки поднятый ppp0. Вот пример костыля, работающего уж который год (да, костыль, но работает). Локалка 192.168.3.0/24
/etc/ppp/ip-up.d/beeline
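#!/bin/bash
# /etc/ppp/ip-up.d/beeline - pppd ip-up hook for the Beeline L2TP tunnel.
#
# When pppd brings the tunnel interface up this script:
#   1. pins the ISP DNS server and the tp.internet.beeline.ru endpoint
#      prefixes to the wired (pre-tunnel) gateway, so the tunnel endpoints
#      are never routed through the tunnel itself;
#   2. replaces the default route with the ppp interface, logging each
#      route command to /var/log/xxxx.log as it is run;
#   3. rebuilds the iptables NAT firewall for the 192.168.3.0/24 LAN on
#      enp1s0 and enables IPv4 forwarding.
#
# Inputs (environment exported by pppd to ip-up scripts):
#   PPP_IFACE  - tunnel interface name (e.g. ppp0)
#   PPP_REMOTE - remote peer address pppd installed a host route for
# Side effects: IPv4 routes, iptables rules in filter/nat/mangle, kernel
#   modules, /proc/sys/net/ipv4/ip_forward, appends to /var/log/xxxx.log.
#
# No `set -e` on purpose: aborting between the chain flush and the rules
# below would leave the host with empty chains, which is worse than one
# failed route command. Every step runs; the tools report their own errors.

readonly LAN_IFACE=enp1s0
readonly LAN_NET=192.168.3.0/24
readonly LAN_GW=192.168.3.2
readonly DNS1=85.21.192.3
readonly TUNNEL_HOST=tp.internet.beeline.ru
readonly LOG_FILE=/var/log/xxxx.log
readonly LOOKUP_ATTEMPTS=20

#######################################
# Append one line to the script log.
# Arguments: message words
#######################################
log() {
  printf '%s\n' "$*" >> "$LOG_FILE"
}

#######################################
# Log a command line exactly as it will be run, then run it. Logging the
# real argument vector (instead of a hand-written copy) is what keeps the
# log honest - the original logged "/23" for the second prefix while
# actually adding a "/24".
# Arguments: the command and its arguments
# Returns:   the command's exit status
#######################################
run_logged() {
  log "$*"
  "$@"
}

#######################################
# Print the wired gateway: the last gateway (UG) entry of `route -n`.
# NOTE(review): `route` is net-tools and "last UG route" depends on table
# order; kept as in the original because the tunnel setup has relied on it.
# Outputs: gateway IP on stdout (empty when none is found)
#######################################
detect_wired_gateway() {
  route -n | grep 'UG[ \t]' | awk '{print $2}' | tail -n 1
}

#######################################
# Resolve TUNNEL_HOST through DNS1 and collect up to two distinct /24
# prefixes (first three octets) of its A records. Retries up to
# LOOKUP_ATTEMPTS times, one second apart, and stops as soon as a second
# distinct prefix shows up.
# Globals: TUNNEL_HOST, DNS1, LOOKUP_ATTEMPTS (read)
# Outputs: exactly two lines on stdout - first prefix, second prefix -
#          either of which may be empty
#######################################
discover_tunnel_prefixes() {
  local first='' second='' prefix attempt
  local -a prefixes
  for (( attempt = 0; attempt < LOOKUP_ATTEMPTS; attempt++ )); do
    # Only "<name> has address <ip>" lines carry an A record; the header
    # lines `host` prints when given a server, and AAAA/MX lines, are skipped.
    mapfile -t prefixes < <(host "$TUNNEL_HOST" "$DNS1" \
      | awk '/has address/ {print $4}' | cut -d. -f1,2,3 | sort -u)
    for prefix in "${prefixes[@]}"; do
      [[ -n "$prefix" ]] || continue
      if [[ -z "$first" ]]; then
        first=$prefix
      elif [[ "$first" != "$prefix" ]]; then
        second=$prefix
        break 2
      fi
    done
    # no point sleeping after the last attempt
    (( attempt + 1 < LOOKUP_ATTEMPTS )) && sleep 1
  done
  printf '%s\n%s\n' "$first" "$second"
}

#######################################
# Route the tunnel endpoints via the wired gateway and make the ppp
# interface the default route. Each route change is written to the log
# before it runs.
# Arguments: $1 - wired gateway IP
#            $2 - first tunnel prefix (a.b.c) or ''
#            $3 - second tunnel prefix (a.b.c) or ''
# Globals: PPP_IFACE, PPP_REMOTE, LAN_NET, LAN_GW (read)
#######################################
apply_routes() {
  local gw=$1 prefix1=$2 prefix2=$3
  # The endpoint prefixes must stay reachable through the wired path after
  # the default route moves to the tunnel, otherwise the tunnel routes itself.
  # NOTE(review): the /23 assumes prefix1 starts on an even third octet -
  # kept from the original, not verified here.
  if [[ -n "$prefix1" ]]; then
    run_logged ip route add "${prefix1}.0/23" via "$gw"
  fi
  if [[ -n "$prefix2" ]]; then
    run_logged ip route add "${prefix2}.0/24" via "$gw"
  fi
  run_logged ip route del default
  # pppd leaves a host route to the peer; drop it so everything goes via
  # the interface route. The original deleted it twice; the second delete
  # only prints an error when the first succeeded and is kept for parity.
  run_logged ip route del "$PPP_REMOTE" dev "$PPP_IFACE"
  run_logged ip route add default dev "$PPP_IFACE"
  run_logged ip route del "$PPP_REMOTE" dev "$PPP_IFACE"
  # NOTE(review): the LAN is routed via 192.168.3.2 rather than directly on
  # enp1s0 - presumably a downstream router; confirm against the network.
  ip route add "$LAN_NET" via "$LAN_GW"
}

#######################################
# Rebuild the firewall: the LAN on LAN_IFACE is trusted, the tunnel is
# not, and LAN traffic is masqueraded out of the tunnel.
# Globals: PPP_IFACE, LAN_IFACE, LAN_NET (read)
#######################################
apply_firewall() {
  # helpers needed for the RELATED data connections of ftp/pptp
  modprobe ip_conntrack_ftp
  modprobe nf_conntrack_pptp
  # Fail closed: set the DROP policies *before* flushing, so the window
  # between flush and rebuild never exposes the host. The OUTPUT policy is
  # never set here (kernel default is ACCEPT), so the OUTPUT rules below
  # only matter if something else has tightened it.
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -F
  iptables -t nat -F
  iptables -t mangle -F
  iptables -X

  # always accept lo
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -i "$LAN_IFACE" -j ACCEPT
  # 51413 has no interface match: it is reachable on every interface,
  # the tunnel included.
  iptables -A INPUT -p tcp --dport 51413 -j ACCEPT
  iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # any new connection that does not arrive through the tunnel is accepted
  iptables -A INPUT -m conntrack --ctstate NEW ! -i "$PPP_IFACE" -j ACCEPT
  # www
  iptables -A INPUT -m multiport -p tcp --dports 80,443 -j ACCEPT
  # ftp
  iptables -A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate ESTABLISHED,NEW -j ACCEPT -m comment --comment "Allow ftp connections on port 21"
  iptables -A OUTPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 21"
  iptables -A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow ftp connections on port 20"
  iptables -A OUTPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 20"
  iptables -A INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow passive inbound connections"
  iptables -A OUTPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow passive inbound connections"

  # MSS clamp for LAN clients goes first so it fires before the accepts
  iptables -I FORWARD 1 -i "$LAN_IFACE" -s "$LAN_NET" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  iptables -A FORWARD -i "$PPP_IFACE" -o "$LAN_IFACE" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -i "$LAN_IFACE" -o "$PPP_IFACE" -j ACCEPT
  iptables -A FORWARD -i "$PPP_IFACE" -o "$PPP_IFACE" -j REJECT
  iptables -t nat -A POSTROUTING -o "$PPP_IFACE" -j MASQUERADE
  printf '1\n' > /proc/sys/net/ipv4/ip_forward
}

main() {
  # pppd exports both; with an empty PPP_IFACE every interface match below
  # becomes a syntax error, so refuse to touch routes or firewall without them.
  : "${PPP_IFACE:?PPP_IFACE is not set (run as a pppd ip-up script)}"
  : "${PPP_REMOTE:?PPP_REMOTE is not set (run as a pppd ip-up script)}"
  printf '%s\n' "Starting...."

  local gw
  gw=$(detect_wired_gateway)
  if [[ -z "$gw" ]]; then
    log "no wired gateway found in the routing table; endpoint pinning will fail"
  fi
  # DNS1 must be reachable via the wired gateway both for the lookup below
  # and after the default route moves to the tunnel.
  ip route add "$DNS1" via "$gw"

  local -a prefixes
  mapfile -t prefixes < <(discover_tunnel_prefixes)
  log "IP1: ${prefixes[0]:-} IP2: ${prefixes[1]:-}"

  apply_routes "$gw" "${prefixes[0]:-}" "${prefixes[1]:-}"
  apply_firewall
}

main "$@"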
Исходная версия olegkrutov, :
Шлюзом должен быть таки поднятый ppp0. Вот пример костыля, работающего уж который год (да, костыль, но работает). Локалка 192.168.3.0/24
/etc/ppp/ip-up.d/beeline
[code]
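#!/bin/bash
# /etc/ppp/ip-up.d/beeline - pppd ip-up hook for the Beeline L2TP tunnel.
#
# When pppd brings the tunnel interface up this script:
#   1. pins the ISP DNS server and the tp.internet.beeline.ru endpoint
#      prefixes to the wired (pre-tunnel) gateway, so the tunnel endpoints
#      are never routed through the tunnel itself;
#   2. replaces the default route with the ppp interface, logging each
#      route command to /var/log/xxxx.log as it is run;
#   3. rebuilds the iptables NAT firewall for the 192.168.3.0/24 LAN on
#      enp1s0 and enables IPv4 forwarding.
#
# Inputs (environment exported by pppd to ip-up scripts):
#   PPP_IFACE  - tunnel interface name (e.g. ppp0)
#   PPP_REMOTE - remote peer address pppd installed a host route for
# Side effects: IPv4 routes, iptables rules in filter/nat/mangle, kernel
#   modules, /proc/sys/net/ipv4/ip_forward, appends to /var/log/xxxx.log.
#
# No `set -e` on purpose: aborting between the chain flush and the rules
# below would leave the host with empty chains, which is worse than one
# failed route command. Every step runs; the tools report their own errors.

readonly LAN_IFACE=enp1s0
readonly LAN_NET=192.168.3.0/24
readonly LAN_GW=192.168.3.2
readonly DNS1=85.21.192.3
readonly TUNNEL_HOST=tp.internet.beeline.ru
readonly LOG_FILE=/var/log/xxxx.log
readonly LOOKUP_ATTEMPTS=20

#######################################
# Append one line to the script log.
# Arguments: message words
#######################################
log() {
  printf '%s\n' "$*" >> "$LOG_FILE"
}

#######################################
# Log a command line exactly as it will be run, then run it. Logging the
# real argument vector (instead of a hand-written copy) is what keeps the
# log honest - the original logged "/23" for the second prefix while
# actually adding a "/24".
# Arguments: the command and its arguments
# Returns:   the command's exit status
#######################################
run_logged() {
  log "$*"
  "$@"
}

#######################################
# Print the wired gateway: the last gateway (UG) entry of `route -n`.
# NOTE(review): `route` is net-tools and "last UG route" depends on table
# order; kept as in the original because the tunnel setup has relied on it.
# Outputs: gateway IP on stdout (empty when none is found)
#######################################
detect_wired_gateway() {
  route -n | grep 'UG[ \t]' | awk '{print $2}' | tail -n 1
}

#######################################
# Resolve TUNNEL_HOST through DNS1 and collect up to two distinct /24
# prefixes (first three octets) of its A records. Retries up to
# LOOKUP_ATTEMPTS times, one second apart, and stops as soon as a second
# distinct prefix shows up.
# Globals: TUNNEL_HOST, DNS1, LOOKUP_ATTEMPTS (read)
# Outputs: exactly two lines on stdout - first prefix, second prefix -
#          either of which may be empty
#######################################
discover_tunnel_prefixes() {
  local first='' second='' prefix attempt
  local -a prefixes
  for (( attempt = 0; attempt < LOOKUP_ATTEMPTS; attempt++ )); do
    # Only "<name> has address <ip>" lines carry an A record; the header
    # lines `host` prints when given a server, and AAAA/MX lines, are skipped.
    mapfile -t prefixes < <(host "$TUNNEL_HOST" "$DNS1" \
      | awk '/has address/ {print $4}' | cut -d. -f1,2,3 | sort -u)
    for prefix in "${prefixes[@]}"; do
      [[ -n "$prefix" ]] || continue
      if [[ -z "$first" ]]; then
        first=$prefix
      elif [[ "$first" != "$prefix" ]]; then
        second=$prefix
        break 2
      fi
    done
    # no point sleeping after the last attempt
    (( attempt + 1 < LOOKUP_ATTEMPTS )) && sleep 1
  done
  printf '%s\n%s\n' "$first" "$second"
}

#######################################
# Route the tunnel endpoints via the wired gateway and make the ppp
# interface the default route. Each route change is written to the log
# before it runs.
# Arguments: $1 - wired gateway IP
#            $2 - first tunnel prefix (a.b.c) or ''
#            $3 - second tunnel prefix (a.b.c) or ''
# Globals: PPP_IFACE, PPP_REMOTE, LAN_NET, LAN_GW (read)
#######################################
apply_routes() {
  local gw=$1 prefix1=$2 prefix2=$3
  # The endpoint prefixes must stay reachable through the wired path after
  # the default route moves to the tunnel, otherwise the tunnel routes itself.
  # NOTE(review): the /23 assumes prefix1 starts on an even third octet -
  # kept from the original, not verified here.
  if [[ -n "$prefix1" ]]; then
    run_logged ip route add "${prefix1}.0/23" via "$gw"
  fi
  if [[ -n "$prefix2" ]]; then
    run_logged ip route add "${prefix2}.0/24" via "$gw"
  fi
  run_logged ip route del default
  # pppd leaves a host route to the peer; drop it so everything goes via
  # the interface route. The original deleted it twice; the second delete
  # only prints an error when the first succeeded and is kept for parity.
  run_logged ip route del "$PPP_REMOTE" dev "$PPP_IFACE"
  run_logged ip route add default dev "$PPP_IFACE"
  run_logged ip route del "$PPP_REMOTE" dev "$PPP_IFACE"
  # NOTE(review): the LAN is routed via 192.168.3.2 rather than directly on
  # enp1s0 - presumably a downstream router; confirm against the network.
  ip route add "$LAN_NET" via "$LAN_GW"
}

#######################################
# Rebuild the firewall: the LAN on LAN_IFACE is trusted, the tunnel is
# not, and LAN traffic is masqueraded out of the tunnel.
# Globals: PPP_IFACE, LAN_IFACE, LAN_NET (read)
#######################################
apply_firewall() {
  # helpers needed for the RELATED data connections of ftp/pptp
  modprobe ip_conntrack_ftp
  modprobe nf_conntrack_pptp
  # Fail closed: set the DROP policies *before* flushing, so the window
  # between flush and rebuild never exposes the host. The OUTPUT policy is
  # never set here (kernel default is ACCEPT), so the OUTPUT rules below
  # only matter if something else has tightened it.
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -F
  iptables -t nat -F
  iptables -t mangle -F
  iptables -X

  # always accept lo
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -i "$LAN_IFACE" -j ACCEPT
  # 51413 has no interface match: it is reachable on every interface,
  # the tunnel included.
  iptables -A INPUT -p tcp --dport 51413 -j ACCEPT
  iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # any new connection that does not arrive through the tunnel is accepted
  iptables -A INPUT -m conntrack --ctstate NEW ! -i "$PPP_IFACE" -j ACCEPT
  # www
  iptables -A INPUT -m multiport -p tcp --dports 80,443 -j ACCEPT
  # ftp
  iptables -A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate ESTABLISHED,NEW -j ACCEPT -m comment --comment "Allow ftp connections on port 21"
  iptables -A OUTPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 21"
  iptables -A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow ftp connections on port 20"
  iptables -A OUTPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 20"
  iptables -A INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow passive inbound connections"
  iptables -A OUTPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow passive inbound connections"

  # MSS clamp for LAN clients goes first so it fires before the accepts
  iptables -I FORWARD 1 -i "$LAN_IFACE" -s "$LAN_NET" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  iptables -A FORWARD -i "$PPP_IFACE" -o "$LAN_IFACE" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -i "$LAN_IFACE" -o "$PPP_IFACE" -j ACCEPT
  iptables -A FORWARD -i "$PPP_IFACE" -o "$PPP_IFACE" -j REJECT
  iptables -t nat -A POSTROUTING -o "$PPP_IFACE" -j MASQUERADE
  printf '1\n' > /proc/sys/net/ipv4/ip_forward
}

main() {
  # pppd exports both; with an empty PPP_IFACE every interface match below
  # becomes a syntax error, so refuse to touch routes or firewall without them.
  : "${PPP_IFACE:?PPP_IFACE is not set (run as a pppd ip-up script)}"
  : "${PPP_REMOTE:?PPP_REMOTE is not set (run as a pppd ip-up script)}"
  printf '%s\n' "Starting...."

  local gw
  gw=$(detect_wired_gateway)
  if [[ -z "$gw" ]]; then
    log "no wired gateway found in the routing table; endpoint pinning will fail"
  fi
  # DNS1 must be reachable via the wired gateway both for the lookup below
  # and after the default route moves to the tunnel.
  ip route add "$DNS1" via "$gw"

  local -a prefixes
  mapfile -t prefixes < <(discover_tunnel_prefixes)
  log "IP1: ${prefixes[0]:-} IP2: ${prefixes[1]:-}"

  apply_routes "$gw" "${prefixes[0]:-}" "${prefixes[1]:-}"
  apply_firewall
}

main "$@"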
[/code]