我有一个 Mikrotik (DC),用作 l2tp 服务器,还有一个 CentOS7 (Office) 操作系统连接到该服务器。问题是我可以从 centos 和它后面的网络 ping mikrotik,也可以从 mikrotik 和它后面的网络 ping centos。但我无法访问 mikrotik 和 centos 后面的任何计算机。iptables:
# Generated by iptables-save v1.4.21 on Wed Feb 6 00:26:09 2019
*nat
:PREROUTING ACCEPT [10023:752813]
:INPUT ACCEPT [1512:195812]
:OUTPUT ACCEPT [71:5442]
:POSTROUTING ACCEPT [3521:254098]
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Wed Feb 6 00:26:09 2019
# Generated by iptables-save v1.4.21 on Wed Feb 6 00:26:09 2019
*filter
:INPUT ACCEPT [24872:18721138]
:FORWARD ACCEPT [415636:32442804]
:OUTPUT ACCEPT [19025:3915262]
-A FORWARD -i ppp0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o ppp0 -j ACCEPT
COMMIT
# Completed on Wed Feb 6 00:26:09 2019
Mikrotik 防火墙:
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input src-address=10.192.68.0/24
add action=accept chain=input src-address=10.192.69.0/24
add action=accept chain=input port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input src-address=10.192.67.0/24
add action=accept chain=forward disabled=yes dst-address=10.192.69.0/24 \
src-address=10.192.68.0/24
add action=accept chain=forward disabled=yes dst-address=10.192.68.0/24 \
src-address=10.192.69.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
微纳:
/ip firewall nat
add action=accept chain=srcnat disabled=yes dst-address=10.192.69.0/24 src-address=\
10.192.68.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=all-ppp
add action=masquerade chain=srcnat out-interface=l2tp-in-Jarvis src-address=\
10.192.68.0/24
办公网络:10.192.69.0/24 DC 网络:10.192.68.0/24 我希望能够从办公室访问 mikrotik 后面的网络,反之亦然,请指出我哪里搞砸了?
答案1
您应该在 CentOS Linux 中启用 IP 转发。
sysctl net.ipv4.ip_forward=1
如果您希望永久保留它,请编辑/etc/sysctl.conf并取消注释该net.ipv4.ip_forward=1行。