openSUSE PC as a router
« on: 25. 04. 2023, 09:47:35 »
Hello,
I need some advice or a nudge in the right direction.
I wanted to build a router from a computer that has two network cards. One is named wan and is connected to the 10.0.0.0/24 network.
The other is lan and hands out addresses from the 192.168.2.0/24 range. DHCP and DNS work, but there is a small problem with forwarding traffic from lan to wan.
The computer runs openSUSE Tumbleweed and firewalld.
Pinging a computer on the wan network from the local lan network shows this:
Code:
ping 10.0.0.152
PING 10.0.0.152 (10.0.0.152) 56(84) bytes of data.
From 192.168.2.1 icmp_seq=1 Packet filtered
From 192.168.2.1 icmp_seq=2 Packet filtered
From 192.168.2.1 icmp_seq=3 Packet filtered
From 192.168.2.1 icmp_seq=4 Packet filtered
From 192.168.2.1 icmp_seq=5 Packet filtered
From 192.168.2.1 icmp_seq=6 Packet filtered
From 192.168.2.1 icmp_seq=7 Packet filtered
From 192.168.2.1 icmp_seq=8 Packet filtered
From 192.168.2.1 icmp_seq=9 Packet filtered
From 192.168.2.1 icmp_seq=10 Packet filtered

I captured the traffic on the router with tcpdump:
Code:
tcpdump -i any icmp
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
08:44:27.311669 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 72, seq 1, length 64
08:44:27.311730 lan   Out IP ROUTER > 192.168.2.50: ICMP host 10.0.0.152 unreachable - admin prohibited filter, length 92
08:44:28.316507 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 72, seq 2, length 64
08:44:28.316551 lan   Out IP ROUTER > 192.168.2.50: ICMP host 10.0.0.152 unreachable - admin prohibited filter, length 92
08:44:29.340507 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 72, seq 3, length 64
08:44:29.340547 lan   Out IP ROUTER > 192.168.2.50: ICMP host 10.0.0.152 unreachable - admin prohibited filter, length 92
08:44:30.364431 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 72, seq 4, length 64
08:44:30.364472 lan   Out IP ROUTER > 192.168.2.50: ICMP host 10.0.0.152 unreachable - admin prohibited filter, length 92
08:44:31.388411 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 72, seq 5, length 64
08:44:31.388457 lan   Out IP ROUTER > 192.168.2.50: ICMP host 10.0.0.152 unreachable - admin prohibited filter, length 92
08:44:32.412413 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 72, seq 6, length 64
08:44:32.412454 lan   Out IP ROUTER > 192.168.2.50: ICMP host 10.0.0.152 unreachable - admin prohibited filter, length 92
08:44:33.436361 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 72, seq 7, length 64
08:44:33.436402 lan   Out IP ROUTER > 192.168.2.50: ICMP host 10.0.0.152 unreachable - admin prohibited filter, length 92
08:44:34.460316 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 72, seq 8, length 64
08:44:34.460356 lan   Out IP ROUTER > 192.168.2.50: ICMP host 10.0.0.152 unreachable - admin prohibited filter, length 92
08:44:35.484306 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 72, seq 9, length 64
08:44:35.484346 lan   Out IP ROUTER > 192.168.2.50: ICMP host 10.0.0.152 unreachable - admin prohibited filter, length 92
08:44:36.508247 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 72, seq 10, length 64
08:44:36.508288 lan   Out IP ROUTER > 192.168.2.50: ICMP host 10.0.0.152 unreachable - admin prohibited filter, length 92
08:44:37.532285 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 72, seq 11, length 64
08:44:37.532325 lan   Out IP ROUTER > 192.168.2.50: ICMP host 10.0.0.152 unreachable - admin prohibited filter, length 92

If I turn the firewall off, the captured traffic changes and it reaches the target machine. The address is not rewritten, however, so the target machine has nowhere to send its reply.
Here is the traffic captured on the router:
Code:
tcpdump -i any icmp
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
09:39:29.122895 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 80, seq 1, length 64
09:39:29.122929 wan   Out IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 80, seq 1, length 64
09:39:30.143463 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 80, seq 2, length 64
09:39:30.143481 wan   Out IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 80, seq 2, length 64
09:39:31.167414 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 80, seq 3, length 64
09:39:31.167431 wan   Out IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 80, seq 3, length 64
09:39:32.191408 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 80, seq 4, length 64
09:39:32.191427 wan   Out IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 80, seq 4, length 64
09:39:33.215340 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 80, seq 5, length 64
09:39:33.215357 wan   Out IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 80, seq 5, length 64
09:39:34.239353 lan   In  IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 80, seq 6, length 64
09:39:34.239371 wan   Out IP 192.168.2.50 > 10.0.0.152: ICMP echo request, id 80, seq 6, length 64

And here on the target computer:
Code:
tcpdump -i enp0s31f6 icmp
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
09:39:28.668370 enp0s31f6 In  IP 192.168.2.50 > thinkpadX270: ICMP echo request, id 80, seq 1, length 64
09:39:28.668513 enp0s31f6 Out IP thinkpadX270 > 192.168.2.50: ICMP echo reply, id 80, seq 1, length 64
09:39:29.688989 enp0s31f6 In  IP 192.168.2.50 > thinkpadX270: ICMP echo request, id 80, seq 2, length 64
09:39:29.689088 enp0s31f6 Out IP thinkpadX270 > 192.168.2.50: ICMP echo reply, id 80, seq 2, length 64
09:39:30.712961 enp0s31f6 In  IP 192.168.2.50 > thinkpadX270: ICMP echo request, id 80, seq 3, length 64
09:39:30.713073 enp0s31f6 Out IP thinkpadX270 > 192.168.2.50: ICMP echo reply, id 80, seq 3, length 64
09:39:31.736939 enp0s31f6 In  IP 192.168.2.50 > thinkpadX270: ICMP echo request, id 80, seq 4, length 64
09:39:31.737043 enp0s31f6 Out IP thinkpadX270 > 192.168.2.50: ICMP echo reply, id 80, seq 4, length 64
09:39:32.760819 enp0s31f6 In  IP 192.168.2.50 > thinkpadX270: ICMP echo request, id 80, seq 5, length 64
09:39:32.760935 enp0s31f6 Out IP thinkpadX270 > 192.168.2.50: ICMP echo reply, id 80, seq 5, length 64
09:39:33.784821 enp0s31f6 In  IP 192.168.2.50 > thinkpadX270: ICMP echo request, id 80, seq 6, length 64
09:39:33.784922 enp0s31f6 Out IP thinkpadX270 > 192.168.2.50: ICMP echo reply, id 80, seq 6, length 64

Routing is set up with these commands:
Code:
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1
sysctl -p

Routing table listing:
Code:
ip rou
default via 10.0.0.138 dev wan
10.0.0.0/24 dev wan proto kernel scope link src 10.0.0.237
192.168.2.0/24 dev lan proto kernel scope link src 192.168.2.1

Interface listing:
Code:
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 10:60:4b:60:03:92 brd ff:ff:ff:ff:ff:ff
    altname enp0s25
    altname eno1
    inet 10.0.0.237/24 brd 10.0.0.255 scope global wan
       valid_lft forever preferred_lft forever
    inet6 fe80::1260:4bff:fe60:392/64 scope link
       valid_lft forever preferred_lft forever
3: lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether a0:36:9f:a0:65:ec brd ff:ff:ff:ff:ff:ff
    altname enp1s0
    inet 192.168.2.1/24 brd 192.168.2.255 scope global lan
       valid_lft forever preferred_lft forever
    inet6 fe80::a236:9fff:fea0:65ec/64 scope link
       valid_lft forever preferred_lft forever

And the firewall settings for lan:
Code:
firewall-cmd --zone=internal --list-all
internal
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

and for wan:
Code:
firewall-cmd --zone=external --list-all
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno1 wan
  sources:
  services: ssh
  ports:
  protocols:
  forward: yes
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Thank you for any help.
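An added check, not code from the thread, that reads the two zone listings above as constructed sample input and reports what a LAN-to-WAN NAT router needs from firewalld: the lan interface bound to a zone with forwarding enabled, and masquerade on the zone holding wan. On the listings as posted it flags only one thing: lan is not bound to the internal zone (the zone is not marked active and its interfaces line is empty, while external shows eno1 and wan), which is consistent with the "admin prohibited" rejects in the first capture. The interface names lan and wan and the zone texts are taken from the post; everything else is this example's own.

```python
"""Sanity-check firewalld zone listings on a two-NIC Linux router (added example)."""
from dataclasses import dataclass

# Constructed from the two listings posted in the thread.
INTERNAL_LISTING = """\
internal
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""

EXTERNAL_LISTING = """\
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno1 wan
  sources:
  services: ssh
  ports:
  protocols:
  forward: yes
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""


@dataclass
class Zone:
    name: str
    active: bool            # firewalld prints "(active)" once an interface or source is bound
    interfaces: list[str]
    sources: list[str]
    forward: bool
    masquerade: bool


def parse_zone(listing: str) -> Zone:
    """Parse the text printed by `firewall-cmd --zone=<name> --list-all`."""
    lines = [ln for ln in listing.splitlines() if ln.strip()]
    name, _, rest = lines[0].strip().partition(" ")
    fields = {}
    for line in lines[1:]:
        key, _, value = line.strip().partition(":")
        fields[key.strip()] = value.strip()
    return Zone(
        name=name,
        active="(active)" in rest,
        interfaces=fields.get("interfaces", "").split(),
        sources=fields.get("sources", "").split(),
        forward=fields.get("forward", "no") == "yes",
        masquerade=fields.get("masquerade", "no") == "yes",
    )


def check_router(zones: list[Zone], lan_iface: str, wan_iface: str) -> list[str]:
    """Return findings for a LAN->WAN NAT router; an empty list means nothing obvious is wrong."""
    findings = []
    zone_of = {iface: z for z in zones for iface in z.interfaces}

    lan_zone = zone_of.get(lan_iface)
    if lan_zone is None:
        # An unbound interface is handled by firewalld's default zone, whatever that is set to;
        # `firewall-cmd --get-zone-of-interface=<iface>` shows the effective binding.
        findings.append(f"{lan_iface}: not bound to any listed zone")
    elif not lan_zone.forward:
        findings.append(f"{lan_iface}: zone {lan_zone.name} has forward disabled")

    wan_zone = zone_of.get(wan_iface)
    if wan_zone is None:
        findings.append(f"{wan_iface}: not bound to any listed zone")
    elif not wan_zone.masquerade:
        findings.append(f"{wan_iface}: zone {wan_zone.name} has masquerade disabled, "
                        "so forwarded packets keep their private source address")
    return findings


def diagnose() -> list[str]:
    """Run the check over the constructed listings for the lan/wan pair from the thread."""
    zones = [parse_zone(INTERNAL_LISTING), parse_zone(EXTERNAL_LISTING)]
    return check_router(zones, lan_iface="lan", wan_iface="wan")


if __name__ == "__main__":
    for finding in diagnose():
        print("FINDING:", finding)
```

Run it as a script to print the findings; to check a live box, replace the constants with the output of `firewall-cmd --zone=<name> --list-all` for each zone you use, and compare against `firewall-cmd --get-active-zones`, which lists which interfaces are bound where. The parser keys on the `field: value` layout of `--list-all`, so it also works for zones other than internal and external.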


Re: openSUSE PC as a router
« Reply #1 on: 25. 04. 2023, 14:23:04 »
After turning off firewalld and adding nftables rules according to the article https://www.root.cz/clanky/nftables-priklad-konfigurace-firewallu-a-vzorove-situace/, the router works.

Re: openSUSE PC as a router
« Reply #2 on: 25. 04. 2023, 16:58:50 »
Look at that, you sorted it out yourself - thumbs up :-)

While firewalld was still in the saddle, there was a chance to see how it had wired things up under the hood - using
iptables -L
iptables -t nat -L
nft list ruleset
...but that probably doesn't matter any more.