Good day! There are two Internet links with traffic balancing. A task came up: expose a SIP server, IP 192.168.0.251, to the outside through a specific IP, XXX.XXX.XXX.188, towards the provider's IP ZZZ.ZZZ.ZZZ.36. The gateway has 4 physical interfaces + 17 virtual ones...
eth0 Link encap:Ethernet HWaddr 00:1B:21:8A:82:2C
inet addr:XXX.XXX.XXX.188 Bcast:XXX.XXX.XXX.191 Mask:255.255.255.248
eth1 Link encap:Ethernet HWaddr 00:1B:21:8A:82:2D
inet addr:XXX.XXX.XXX.190 Bcast:XXX.XXX.XXX.191 Mask:255.255.255.248
eth2 Link encap:Ethernet HWaddr 00:30:48:F8:18:E0
inet addr:YYY.YYY.YYY.195 Bcast:YYY.YYY.YYY.199 Mask:255.255.255.248
eth3 Link encap:Ethernet HWaddr 00:30:48:F8:18:E1
inet addr:192.168.0.254 Bcast:192.168.0.255 Mask:255.255.254.0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.100.100.1 P-t-P:10.100.100.2 Mask:255.255.255.255
as0t0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:5.5.0.1 P-t-P:5.5.0.1 Mask:255.255.255.0
...
as0t15 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:5.5.15.1 P-t-P:5.5.15.1 Mask:255.255.255.0
openvpn is running on the gateway (interface tun0) for the links to the branch offices, and openvpnas for employees (as0t* interfaces). Several routing tables have been created.
ip ro list table localnets
192.168.7.0/24 dev tun0 scope link
192.168.6.0/24 dev tun0 scope link
192.168.5.0/24 dev tun0 scope link
192.168.4.0/24 dev tun0 scope link
192.168.3.0/24 dev tun0 scope link
192.168.2.0/24 dev tun0 scope link
10.100.100.0/24 dev tun0 scope link
192.168.9.0/24 dev tun0 scope link
192.168.8.0/24 dev tun0 scope link
192.168.0.0/23 dev eth3 scope link
127.0.0.0/8 dev lo scope link
ip ro list table openvpnas
5.5.3.0/24 dev as0t3 scope link
5.5.2.0/24 dev as0t2 scope link
5.5.1.0/24 dev as0t1 scope link
5.5.0.0/24 dev as0t0 scope link
5.5.7.0/24 dev as0t7 scope link
5.5.6.0/24 dev as0t6 scope link
5.5.5.0/24 dev as0t5 scope link
5.5.4.0/24 dev as0t4 scope link
5.5.11.0/24 dev as0t11 scope link
5.5.10.0/24 dev as0t10 scope link
5.5.9.0/24 dev as0t9 scope link
5.5.8.0/24 dev as0t8 scope link
5.5.15.0/24 dev as0t15 scope link
5.5.14.0/24 dev as0t14 scope link
5.5.13.0/24 dev as0t13 scope link
5.5.12.0/24 dev as0t12 scope link
ip ro list table provY
YYY.YYY.YYY.192/29 dev eth2 scope link src YYY.YYY.YYY.195
default via YYY.YYY.YYY.193 dev eth2
ip ro list table provX
XXX.XXX.XXX.184/29 dev eth1 scope link src XXX.XXX.XXX.190
default via XXX.XXX.XXX.185 dev eth1
ip ro list table provX_sip
XXX.XXX.XXX.184/29 dev eth0 scope link src XXX.XXX.XXX.188
default via XXX.XXX.XXX.185 dev eth0
ip ru
0: from all lookup 255
1000: from all lookup localnets
1100: from all lookup openvpnas
10000: from 192.168.0.238 lookup provY
10100: from YYY.YYY.YYY.195 lookup provY
10200: from 192.168.0.251 lookup provX_sip
10300: from XXX.XXX.XXX.188 lookup provX_sip
10400: from XXX.XXX.XXX.190 lookup provX
32766: from all lookup main
32767: from all lookup default
ip ro
10.100.100.2 dev tun0 proto kernel scope link src 10.100.100.1
XXX.XXX.XXX.184/29 dev eth0 proto kernel scope link src XXX.XXX.XXX.188
XXX.XXX.XXX.184/29 dev eth1 proto kernel scope link src XXX.XXX.XXX.190
YYY.YYY.YYY.192/29 dev eth2 proto kernel scope link src YYY.YYY.YYY.195
5.5.3.0/24 dev as0t3 proto kernel scope link src 5.5.3.1
192.168.7.0/24 via 10.100.100.2 dev tun0
5.5.2.0/24 dev as0t2 proto kernel scope link src 5.5.2.1
192.168.6.0/24 via 10.100.100.2 dev tun0
5.5.1.0/24 dev as0t1 proto kernel scope link src 5.5.1.1
192.168.5.0/24 via 10.100.100.2 dev tun0
5.5.0.0/24 dev as0t0 proto kernel scope link src 5.5.0.1
192.168.4.0/24 via 10.100.100.2 dev tun0
5.5.7.0/24 dev as0t7 proto kernel scope link src 5.5.7.1
192.168.3.0/24 via 10.100.100.2 dev tun0
5.5.6.0/24 dev as0t6 proto kernel scope link src 5.5.6.1
192.168.2.0/24 via 10.100.100.2 dev tun0
5.5.5.0/24 dev as0t5 proto kernel scope link src 5.5.5.1
5.5.4.0/24 dev as0t4 proto kernel scope link src 5.5.4.1
5.5.11.0/24 dev as0t11 proto kernel scope link src 5.5.11.1
5.5.10.0/24 dev as0t10 proto kernel scope link src 5.5.10.1
5.5.9.0/24 dev as0t9 proto kernel scope link src 5.5.9.1
10.100.100.0/24 via 10.100.100.2 dev tun0
5.5.8.0/24 dev as0t8 proto kernel scope link src 5.5.8.1
5.5.15.0/24 dev as0t15 proto kernel scope link src 5.5.15.1
5.5.14.0/24 dev as0t14 proto kernel scope link src 5.5.14.1
5.5.13.0/24 dev as0t13 proto kernel scope link src 5.5.13.1
192.168.9.0/24 via 10.100.100.2 dev tun0
5.5.12.0/24 dev as0t12 proto kernel scope link src 5.5.12.1
192.168.8.0/24 via 10.100.100.2 dev tun0
192.168.0.0/23 dev eth3 proto kernel scope link src 192.168.0.254
169.254.0.0/16 dev eth3 scope link
default
nexthop via YYY.YYY.YYY.193 dev eth2 weight 3
nexthop via XXX.XXX.XXX.185 dev eth1 weight 7
# Generated by iptables-save v1.3.5 on Wed May 30 06:46:17 2012
*nat
:PREROUTING ACCEPT [1921418:202259400]
:POSTROUTING ACCEPT [875783:70465875]
:OUTPUT ACCEPT [745470:52546809]
-A PREROUTING -s XXX.XXX.XXX.36 -d XXX.XXX.XXX.188 -p udp -m udp --dport 5060:5061 -j DNAT --to-destination 192.168.0.251
-A PREROUTING -d YYY.YYY.YYY.195 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.238:25
-A PREROUTING -d YYY.YYY.YYY.195 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.238:80
-A PREROUTING -d YYY.YYY.YYY.195 -p tcp -m tcp --dport 993 -j DNAT --to-destination 192.168.0.238:993
-A PREROUTING -d YYY.YYY.YYY.195 -p tcp -m tcp --dport 7025 -j DNAT --to-destination 192.168.0.238:7025
-A PREROUTING -d YYY.YYY.YYY.195 -p tcp -m tcp --dport 7071 -j DNAT --to-destination 192.168.0.238:7071
-A POSTROUTING -s XXX.XXX.XXX.36 -d 192.168.0.251 -p udp -m udp --dport 5060:5061 -j SNAT --to-source XXX.XXX.XXX.188
-A POSTROUTING -d 192.168.0.251 -p tcp -m tcp --dport 5060:5061 -j SNAT --to-source 192.168.0.254
-A POSTROUTING -d 192.168.0.238 -p tcp -m tcp --dport 25 -j SNAT --to-source YYY.YYY.YYY.195
-A POSTROUTING -d 192.168.0.238 -p tcp -m tcp --dport 80 -j SNAT --to-source YYY.YYY.YYY.195
-A POSTROUTING -d 192.168.0.238 -p tcp -m tcp --dport 993 -j SNAT --to-source YYY.YYY.YYY.195
-A POSTROUTING -d 192.168.0.238 -p tcp -m tcp --dport 7025 -j SNAT --to-source YYY.YYY.YYY.195
-A POSTROUTING -d 192.168.0.238 -p tcp -m tcp --dport 7071 -j SNAT --to-source YYY.YYY.YYY.195
-A POSTROUTING -s 192.168.0.0/255.255.254.0 -d ! 192.168.0.0/255.255.0.0 -o eth1 -j SNAT --to-source XXX.XXX.XXX.190
-A POSTROUTING -s 192.168.0.0/255.255.254.0 -d ! 192.168.0.0/255.255.0.0 -o eth2 -j SNAT --to-source YYY.YYY.YYY.195
-A POSTROUTING -s 192.168.0.0/255.255.254.0 -d ! 192.168.0.0/255.255.0.0 -o eth0 -j SNAT --to-source XXX.XXX.XXX.188
-A OUTPUT -d XXX.XXX.XXX.188 -p tcp -m tcp --dport 5060:5061 -j DNAT --to-destination 192.168.0.251
-A OUTPUT -d YYY.YYY.YYY.195 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.238
-A OUTPUT -d YYY.YYY.YYY.195 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.238
-A OUTPUT -d YYY.YYY.YYY.195 -p tcp -m tcp --dport 993 -j DNAT --to-destination 192.168.0.238
-A OUTPUT -d YYY.YYY.YYY.195 -p tcp -m tcp --dport 7025 -j DNAT --to-destination 192.168.0.238
-A OUTPUT -d YYY.YYY.YYY.195 -p tcp -m tcp --dport 7071 -j DNAT --to-destination 192.168.0.238
COMMIT
0024/0024 192.168.1.53 D N A 5060 OK (5 ms)
0026 (Unspecified) D N A 0 UNKNOWN
0027 (Unspecified) D N A 0 UNKNOWN
0028/0028 192.168.0.84 D N A 5060 OK (5 ms)
0029/0029 192.168.1.44 D N A 5060 OK (5 ms)
0036/0036 192.168.1.33 D N A 5060 OK (6 ms)
0037/0037 192.168.0.197 D N A 5060 OK (5 ms)
0041/0041 192.168.0.113 D N A 5060 OK (5 ms)
0042/0042 192.168.1.16 D N A 5060 OK (4 ms)
0043/0043 192.168.1.31 D N A 5060 OK (4 ms)
0044 (Unspecified) D N A 0 UNKNOWN
0045/0045 192.168.1.4 D N A 5060 OK (10 ms)
0111/0111 192.168.0.193 D N A 5060 OK (5 ms)
0112/0112 192.168.0.194 D N A 5060 OK (5 ms)
0211/0211 192.168.2.193 D N A 5060 OK (7 ms)
0212/0212 192.168.2.194 D N A 5060 OK (7 ms)
0311/0311 192.168.3.194 D N A 5060 OK (6 ms)
0312/0312 (Unspecified) D N A 0 UNKNOWN
0314/0314 (Unspecified) D N A 0 UNKNOWN
0315 (Unspecified) D N A 0 UNKNOWN
0316/0316 (Unspecified) D N A 0 UNKNOWN
0401/0401 (Unspecified) D N A 0 UNKNOWN
0402/0402 (Unspecified) D N A 0 UNKNOWN
0403/0403 (Unspecified) D N A 0 UNKNOWN
0411/0411 192.168.4.193 D N A 5060 OK (6 ms)
0412/0412 (Unspecified) D N A 0 UNKNOWN
0511/0511 192.168.5.193 D N A 5060 OK (7 ms)
0512/0512 (Unspecified) D N A 0 UNKNOWN
0513/0513 (Unspecified) D N A 0 UNKNOWN
0601/0601 (Unspecified) D N A 0 UNKNOWN
0602/0602 192.168.6.194 D N A 5060 OK (8 ms)
0603/0603 192.168.6.192 D N A 5060 OK (8 ms)
0611/0611 192.168.6.190 D N A 5060 OK (8 ms)
0612/0612 192.168.6.191 D N A 5060 OK (10 ms)
0701/0701 192.168.3.201 D N A 5060 OK (8 ms)
0702/0702 (Unspecified) D N A 0 UNKNOWN
0711/0711 192.168.3.199 D N A 5060 OK (6 ms)
0712/0712 192.168.3.233 D N A 5060 OK (6 ms)
0801/0801 192.168.8.13 D N A 5060 OK (30 ms)
0803 (Unspecified) D N A 0 UNKNOWN
0804 (Unspecified) D N A 0 UNKNOWN
0811/0811 192.168.8.5 D N A 5060 OK (30 ms)
0901/0901 192.168.9.36 D N A 5060 OK (25 ms)
0902/0902 192.168.9.37 D N A 5060 OK (11 ms)
0903/0903 192.168.9.27 D N A 5060 OK (10 ms)
0904/0904 192.168.9.47 D N A 5060 OK (10 ms)
0905/0905 192.168.9.48 D N A 5060 OK (10 ms)
0906/0906 192.168.9.24 D N A 5060 OK (11 ms)
0911/0911 192.168.9.34 D N A 5060 OK (9 ms)
0912/0912 192.168.9.35 D N A 5060 OK (20 ms)
infracc 192.168.0.4 5060 OK (2 ms)
Any hints on where to dig and what to smoke, or the other way round ;) Thanks!
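An added example, not part of the original post and not the poster's own tooling: a small Python model of the Linux `ip rule` / `ip route` lookup order, loaded with the rules and tables shown in the post, so you can see which table and egress interface a given source/destination pair ends up with before touching the box. The post masks its public prefixes as XXX/YYY/ZZZ, so the model substitutes constructed documentation-range addresses (198.51.100.x for XXX, 203.0.113.x for YYY, and 192.0.2.36 for the provider's ZZZ.ZZZ.ZZZ.36); the functions `route()` and `shared_subnets()` are this example's own names.

```python
"""Policy-routing walk-through for the two-link gateway in the post.

Added example (not part of the original post): a minimal model of the
kernel's `ip rule` / `ip route` lookup, loaded with the rules and tables
shown above.  Public prefixes are constructed stand-ins: 198.51.100.x for
XXX, 203.0.113.x for YYY and 192.0.2.36 for the provider's ZZZ.ZZZ.ZZZ.36.
"""
import ipaddress

# `ip ru` from the post: (priority, "from" selector or None for "from all", table)
RULES = [
    (0, None, "local"),
    (1000, None, "localnets"),
    (1100, None, "openvpnas"),
    (10000, "192.168.0.238", "provY"),
    (10100, "203.0.113.195", "provY"),
    (10200, "192.168.0.251", "provX_sip"),
    (10300, "198.51.100.188", "provX_sip"),
    (10400, "198.51.100.190", "provX"),
    (32766, None, "main"),
    (32767, None, "default"),
]

# Routing tables as (prefix, device, next hop or None), in the order `ip ro list`
# printed them.  The local table is left empty: it only holds the gateway's own
# addresses, which never match the remote destinations checked here.
TABLES = {
    "local": [],
    "localnets": [(f"192.168.{i}.0/24", "tun0", None) for i in range(2, 10)]
                 + [("10.100.100.0/24", "tun0", None), ("192.168.0.0/23", "eth3", None)],
    "openvpnas": [(f"5.5.{i}.0/24", f"as0t{i}", None) for i in range(16)],
    "provY": [("203.0.113.192/29", "eth2", None), ("0.0.0.0/0", "eth2", "203.0.113.193")],
    "provX": [("198.51.100.184/29", "eth1", None), ("0.0.0.0/0", "eth1", "198.51.100.185")],
    "provX_sip": [("198.51.100.184/29", "eth0", None), ("0.0.0.0/0", "eth0", "198.51.100.185")],
    "main": [
        ("198.51.100.184/29", "eth0", None),   # the same /29 on two NICs, as in the post
        ("198.51.100.184/29", "eth1", None),
        ("203.0.113.192/29", "eth2", None),
        ("192.168.0.0/23", "eth3", None),
        ("0.0.0.0/0", "eth2+eth1 (multipath 3:7)", None),
    ],
    "default": [],
}


def lookup(table, dst):
    """Longest-prefix match within one table; on a tie the entry listed first
    wins, which is the order the kernel walks the duplicate /29 in `main`."""
    best = None
    for prefix, dev, via in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, via)
    return best


def route(src, dst):
    """Walk the rules in priority order like the kernel's FIB rule lookup;
    a table with no matching route falls through to the next rule."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prio, selector, table in RULES:
        if selector is not None and ipaddress.ip_address(selector) != src_ip:
            continue
        hit = lookup(table, dst_ip)
        if hit is not None:
            net, dev, via = hit
            return {"rule": prio, "table": table, "prefix": str(net), "dev": dev, "via": via}
    raise LookupError(f"no route from {src} to {dst}")


def shared_subnets(table):
    """Prefixes attached to more than one interface in a table; the duplicate
    /29 on eth0 and eth1 is the one visible in the post's `ip ro` output."""
    devs_by_prefix = {}
    for prefix, dev, _ in TABLES[table]:
        devs_by_prefix.setdefault(prefix, []).append(dev)
    return {p: d for p, d in devs_by_prefix.items() if len(d) > 1}


if __name__ == "__main__":
    PROVIDER = "192.0.2.36"   # constructed stand-in for ZZZ.ZZZ.ZZZ.36
    for src in ("192.168.0.251", "192.168.0.10", "192.168.0.238"):
        print(src, "->", PROVIDER, route(src, PROVIDER))
    print("SIP server to a branch:", route("192.168.0.251", "192.168.5.7"))
    print("prefixes on more than one NIC in main:", shared_subnets("main"))
```

Two things the walk-through makes visible. First, routing is decided before POSTROUTING SNAT, so the SIP server's replies are matched by rule 10200 on their private source 192.168.0.251 and leave via eth0 with XXX.XXX.XXX.188 as next-hop source; any rule keyed on the public address only catches traffic the gateway itself originates. Second, eth0 and eth1 sit in the same /29, and Linux by default answers ARP for any local address on any interface, so the provider's router may learn .188 behind the eth1 MAC and inbound INVITEs then arrive on eth1 while replies leave on eth0; `tcpdump -ni eth0 udp port 5060` against the same on eth1, plus the `arp_filter`/`arp_ignore` sysctls, are the first things to compare. It is also worth verifying that the PREROUTING DNAT rule's source (XXX.XXX.XXX.36) really is the provider address the post names as ZZZ.ZZZ.ZZZ.36.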