Возвратный трафик неправильно маршрутизируется с сервера Passthrough.

Question

Я назначил локальный сервер в моей сети как сервер Passthrough, которому должен быть присвоен публичный IP WAN IP и который должен обрабатывать весь внешне инициированный трафик.

После проброса порта в файрволе я смог настроить базовый nc -l -p <PORT>, чтобы прослушивать интернет-трафик.

На другом удаленном хосте я смог подключиться к этому сокету и отправить данные: nc <WAN IP> <PORT> <<< "hello world".

Хотя я вижу "hello world" на локальном сервере, удаленный сервер не может получить какие-либо ответы.

Если я изменю ситуацию местами, прослушивая IP удаленного сервера и подключаюсь к нему с локального сервера, я могу видеть двустороннюю связь.

IP-адрес моего локального сервера был получен с помощью dhclient, и назначенный IP-адрес действительно является публичным IP шлюза.

Как я могу продолжить отладку этой проблемы с однонаправленным трафиком?

Трассировка curl показывает, что удаленный сервер может подключиться, но зависает бесконечно, даже после того, как я убедился, что локальная программа, прослушивающая сокет, отправила ответ:

curl -i --trace /dev/stderr me.example.com
== Info:   Trying 8.8.8.8:80...
== Info: Connected to me.example.com (8.8.8.8) port 80 (#0)
=> Send header, 79 bytes (0x4f)
0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 GET / HTTP/1.1..
0010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Host: me.exampl
0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e.com..User-Agen
0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 t: curl/7.88.1..
0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    Accept: */*....

Для справки, мой шлюз – это ATT fiber HUMAX BGW320-500, а сервер работает на debian bookworm. Я использую UFW, но могу воспроизвести проблему после его отключения.

Мои iptables выглядят так:

sudo iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
LIBVIRT_INP  all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere             udp dpt:58988
ACCEPT     all  --  anywhere             anywhere            
ufw-before-logging-input  all  --  anywhere             anywhere            
ufw-before-input  all  --  anywhere             anywhere            
ufw-after-input  all  --  anywhere             anywhere            
ufw-after-logging-input  all  --  anywhere             anywhere            
ufw-reject-input  all  --  anywhere             anywhere            
ufw-track-input  all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
LIBVIRT_FWX  all  --  anywhere             anywhere            
LIBVIRT_FWI  all  --  anywhere             anywhere            
LIBVIRT_FWO  all  --  anywhere             anywhere            
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ufw-before-logging-forward  all  --  anywhere             anywhere            
ufw-before-forward  all  --  anywhere             anywhere            
ufw-after-forward  all  --  anywhere             anywhere            
ufw-after-logging-forward  all  --  anywhere             anywhere            
ufw-reject-forward  all  --  anywhere             anywhere            
ufw-track-forward  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
LIBVIRT_OUT  all  --  anywhere             anywhere            
ufw-before-logging-output  all  --  anywhere             anywhere            
ufw-before-output  all  --  anywhere             anywhere            
ufw-after-output  all  --  anywhere             anywhere            
ufw-after-logging-output  all  --  anywhere             anywhere            
ufw-reject-output  all  --  anywhere             anywhere            
ufw-track-output  all  --  anywhere             anywhere            

Chain DOCKER (12 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             172.29.0.2           tcp dpt:http
ACCEPT     tcp  --  anywhere             172.25.0.2           tcp dpt:http
ACCEPT     tcp  --  anywhere             172.22.0.2           tcp dpt:http
ACCEPT     tcp  --  anywhere             172.21.0.2           tcp dpt:http
ACCEPT     tcp  --  anywhere             172.30.0.2           tcp dpt:http
ACCEPT     tcp  --  anywhere             172.30.0.2           tcp dpt:5000
ACCEPT     tcp  --  anywhere             172.24.0.2           tcp dpt:7779
ACCEPT     tcp  --  anywhere             172.26.0.2           tcp dpt:http
ACCEPT     tcp  --  anywhere             172.23.0.3           tcp dpt:7778
ACCEPT     tcp  --  anywhere             172.18.0.3           tcp dpt:bbs
ACCEPT     tcp  --  anywhere             172.24.0.2           tcp dpt:4246
ACCEPT     tcp  --  anywhere             172.23.0.3           tcp dpt:3000
ACCEPT     tcp  --  anywhere             172.18.0.3           tcp dpt:http
ACCEPT     tcp  --  anywhere             172.18.0.4           tcp dpt:http
ACCEPT     tcp  --  anywhere             172.18.0.4           tcp dpt:4008
ACCEPT     tcp  --  anywhere             192.168.64.3         tcp dpt:http
ACCEPT     tcp  --  anywhere             172.29.0.4           tcp dpt:4006

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (12 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain LIBVIRT_FWI (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain LIBVIRT_FWO (1 references)
target     prot opt source               destination         
ACCEPT     all  --  192.168.122.0/24     anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain LIBVIRT_FWX (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain LIBVIRT_INP (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:67

Chain LIBVIRT_OUT (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:68

Chain ufw-after-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-input (1 references)
target     prot opt source               destination         
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootpc
ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warn prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warn prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-after-output (1 references)
target     prot opt source               destination         

Chain ufw-before-forward (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ufw-user-forward  all  --  anywhere             anywhere            

Chain ufw-before-input (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ufw-logging-deny  all  --  anywhere             anywhere             ctstate INVALID
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             mdns.mcast.net       udp dpt:mdns
ACCEPT     udp  --  anywhere             239.255.255.250      udp dpt:1900
ufw-user-input  all  --  anywhere             anywhere            

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-before-output (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere             anywhere            

Chain ufw-logging-allow (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warn prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warn prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
DROP       all  --  anywhere             anywhere            

Chain ufw-reject-forward (1 references)
target     prot opt source               destination         

Chain ufw-reject-input (1 references)
target     prot opt source               destination         

Chain ufw-reject-output (1 references)
target     prot opt source               destination         

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain ufw-track-forward (1 references)
target     prot opt source               destination         

Chain ufw-track-input (1 references)
target     prot opt source               destination         

Chain ufw-track-output (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination         

Chain ufw-user-input (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     all  --  192.168.1.0/24       anywhere            
ACCEPT     tcp  --  anywhere             anywhere             multiport dports smtp,submissions
ACCEPT     tcp  --  anywhere             anywhere             multiport dports http,https
ACCEPT     all  --  10.0.0.0/24          anywhere            
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:999

Chain ufw-user-limit (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warn prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination         

Chain ufw-user-output (1 references)
target     prot opt source               destination

И это:

sudo iptables -L -tnat

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
LIBVIRT_PRT  all  --  anywhere             anywhere            
MASQUERADE  all  --  172.17.0.0/16        anywhere            
MASQUERADE  all  --  192.168.64.0/20      anywhere            
MASQUERADE  all  --  172.26.0.0/16        anywhere            
MASQUERADE  all  --  172.23.0.0/16        anywhere            
MASQUERADE  all  --  172.21.0.0/16        anywhere            
MASQUERADE  all  --  172.25.0.0/16        anywhere            
MASQUERADE  all  --  172.29.0.0/16        anywhere            
MASQUERADE  all  --  172.22.0.0/16        anywhere            
MASQUERADE  all  --  172.30.0.0/16        anywhere            
MASQUERADE  all  --  172.18.0.0/16        anywhere            
MASQUERADE  all  --  172.28.0.0/16        anywhere            
MASQUERADE  all  --  172.24.0.0/16        anywhere            
MASQUERADE  all  --  10.8.0.0/24          anywhere            
MASQUERADE  tcp  --  172.29.0.2           172.29.0.2           tcp dpt:http
MASQUERADE  tcp  --  172.25.0.2           172.25.0.2           tcp dpt:http
MASQUERADE  tcp  --  172.22.0.2           172.22.0.2           tcp dpt:http
MASQUERADE  tcp  --  172.21.0.2           172.21.0.2           tcp dpt:http
MASQUERADE  tcp  --  172.30.0.2           172.30.0.2           tcp dpt:http
MASQUERADE  tcp  --  172.30.0.2           172.30.0.2           tcp dpt:5000
MASQUERADE  tcp  --  172.24.0.2           172.24.0.2           tcp dpt:7779
MASQUERADE  tcp  --  172.26.0.2           172.26.0.2           tcp dpt:http
MASQUERADE  tcp  --  172.23.0.3           172.23.0.3           tcp dpt:7778
MASQUERADE  tcp  --  172.18.0.3           172.18.0.3           tcp dpt:bbs
MASQUERADE  tcp  --  172.24.0.2           172.24.0.2           tcp dpt:4246
MASQUERADE  tcp  --  172.23.0.3           172.23.0.3           tcp dpt:3000
MASQUERADE  tcp  --  172.18.0.3           172.18.0.3           tcp dpt:http
MASQUERADE  tcp  --  172.18.0.4           172.18.0.4           tcp dpt:http
MASQUERADE  tcp  --  172.18.0.4           172.18.0.4           tcp dpt:4008
MASQUERADE  tcp  --  192.168.64.3         192.168.64.3         tcp dpt:http
MASQUERADE  tcp  --  172.29.0.4           172.29.0.4           tcp dpt:4006

Chain DOCKER (2 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            
DNAT       tcp  --  anywhere             localhost            tcp dpt:1234 to:172.29.0.2:80
DNAT       tcp  --  anywhere             localhost            tcp dpt:tproxy to:172.25.0.2:80
DNAT       tcp  --  anywhere             localhost            tcp dpt:8082 to:172.22.0.2:80
DNAT       tcp  --  anywhere             localhost            tcp dpt:4242 to:172.21.0.2:80
DNAT       tcp  --  anywhere             anywhere             tcp dpt:8090 to:172.30.0.2:80
DNAT       tcp  --  anywhere             anywhere             tcp dpt:5000 to:172.30.0.2:5000
DNAT       tcp  --  anywhere             localhost            tcp dpt:7779 to:172.24.0.2:7779
DNAT       tcp  --  anywhere             localhost            tcp dpt:8083 to:172.26.0.2:80
DNAT       tcp  --  anywhere             localhost            tcp dpt:7778 to:172.23.0.3:7778
DNAT       tcp  --  anywhere             localhost            tcp dpt:bbs to:172.18.0.3:7000
DNAT       tcp  --  anywhere             localhost            tcp dpt:4247 to:172.24.0.2:4246
DNAT       tcp  --  anywhere             localhost            tcp dpt:11407 to:172.23.0.3:3000
DNAT       tcp  --  anywhere             localhost            tcp dpt:4245 to:172.18.0.3:80
DNAT       tcp  --  anywhere             localhost            tcp dpt:4246 to:172.18.0.4:80
DNAT       tcp  --  anywhere             localhost            tcp dpt:4008 to:172.18.0.4:4008
DNAT       tcp  --  anywhere             localhost            tcp dpt:3003 to:192.168.64.3:80
DNAT       tcp  --  anywhere             localhost            tcp dpt:4006 to:172.29.0.4:4006

Chain LIBVIRT_PRT (1 references)
target     prot opt source               destination         
RETURN     all  --  192.168.122.0/24     base-address.mcast.net/24 
RETURN     all  --  192.168.122.0/24     255.255.255.255     
MASQUERADE  tcp  --  192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
MASQUERADE  udp  --  192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
MASQUERADE  all  --  192.168.122.0/24    !192.168.122.0/24

Возвратный трафик неправильно маршрутизируется с сервера Passthrough.

Вопрос или проблема

Ответ или решение

Теория (Theory)

Пример (Example)

Применение (Application)

1. Проверка NAT и Маскарада

2. Проверка правил iptables

3. Трассировка проблем

4. Шлюз и маршрутизация

5. Проверка UFW

6. Журналы

Заключение