I'm trying to bring up GRE between a router and Ubuntu 20.
GRE packets leave the router, but the server replies with unreachable (logs from the server). On the router I can also see that the packets arrive/leave, 3 GRE/ICMP each.
tcpdump
13:14:41.894242 IP mikrotik > Ubuntu20: GREv0, length 141: IP mikrotik_gre.5678 > 255.255.255.255.5678: UDP, length 109
13:14:41.894284 IP Ubuntu20 > mikrotik: ICMP Ubuntu20 protocol 47 port 2048 unreachable, length 169
13:14:41.894965 IP mikrotik > Ubuntu20: GREv0, length 106: gre-proto-0x4
13:14:41.894977 IP Ubuntu20 > mikrotik: ICMP Ubuntu20 protocol 47 port 4 unreachable, length 134
13:14:41.894989 IP mikrotik > Ubuntu20: GREv0, length 122: gre-proto-0x88cc
13:14:41.894994 IP Ubuntu20 > mikrotik: ICMP Ubuntu20 protocol 47 port 35020 unreachable, length 150
ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:17:00:86:31 brd ff:ff:ff:ff:ff:ff
3: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/gre 0.0.0.0 brd 0.0.0.0
4: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
5: erspan0@NONE: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
6: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/gre Ubuntu20 peer Mikrotik
sudo ufw status
Status: inactive
ifconfig
ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9000
        inet 10.0.0.3 netmask 255.255.255.0 broadcast 10.0.0.255
        inet6 fe80::17ff:fe00:8631 prefixlen 64 scopeid 0x20<link>
        ether 02:00:17:00:86:31 txqueuelen 1000 (Ethernet)
        RX packets 7146 bytes 2898696 (2.8 MB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 8988 bytes 5897030 (5.8 MB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

gre1: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1476
        inet 192.168.255.254 netmask 255.255.255.0 destination 192.168.255.254 - I don't know where this came from
        unspec 9E-65-C3-E6-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
        RX packets 0 bytes 0 (0.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 0 bytes 0 (0.0 B)
        TX errors 6 dropped 0 overruns 0 carrier 6 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
        inet 127.0.0.1 netmask 255.0.0.0
        inet6 ::1 prefixlen 128 scopeid 0x10<host>
        loop txqueuelen 1000 (Local Loopback)
        RX packets 2256 bytes 246084 (246.0 KB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 2256 bytes 246084 (246.0 KB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
netplan
network:
  ethernets:
    ens3:
      dhcp4: true
      match:
        macaddress: 02:00:17:00:86:31
      set-name: ens3
  version: 2
  tunnels:
    gre1:
      mode: gre
      local: Ubuntu20
      remote: Mikrotik
      mtu: 1476
      addresses: [192.168.255.254/24]
ip tunnel show
gre0: gre/ip remote any local any ttl inherit nopmtudisc
gre1: gre/ip remote mikrotik local ubuntu20 ttl inherit
If I try to ping the router from the server, the carrier counter grows and the pings don't go through.
iptables-save
# Generated by iptables-save v1.8.4 on Sat Jul 18 10:43:24 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:InstanceServices - [0:0]
-A INPUT -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j ACCEPT
-A OUTPUT -d 169.254.0.0/16 -j InstanceServices
-A InstanceServices -d 169.254.0.2/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.2.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.2/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 53 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p tcp -m tcp --dport 53 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.3/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.4/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 67 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 69 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 123 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
-A InstanceServices -d 169.254.0.0/16 -p tcp -m tcp -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j REJECT --reject-with tcp-reset
-A InstanceServices -d 169.254.0.0/16 -p udp -m udp -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Sat Jul 18 10:43:24 2020