CentOS iptables masquerading for clients: network not connected, cannot ping

I am a junior system administrator working on a CentOS server system, using the CentOS server to masquerade the traffic of client machines. Something with the tables got messed up, and my clients no longer have internet connectivity.

I am trying to get ping requests working as a first step, and I have pinpointed where the traffic stops, but I do not understand this configuration well enough to know what to do next. For a more experienced sysadmin, does a quick look at my dumps show anything unusual?


Ping fails.

1. Server.

    IP=98.139.183.24 ; _ tcpdump -i any "dst host $IP or src host $IP"

2. Client.

    » IP=98.139.183.24; ping $IP
    PING 98.139.183.24 (98.139.183.24) 56(84) bytes of data

3. Server.

Under normal operation I should see responses, which makes me suspect the iptables configuration on the master node.

Note: b6 maps to 10.0.2.6 in /etc/hosts

    » IP=98.139.183.24 ; _ tcpdump -i any "dst host $IP or src host $IP"
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
    20:07:38.553547 IP b6 > ir2.fp.vip.bf1.yahoo.com: ICMP echo request, id 3120, seq 1, length 64
    20:07:38.553580 IP b6 > ir2.fp.vip.bf1.yahoo.com: ICMP echo request, id 3120, seq 1, length 64
    20:07:39.552969 IP b6 > ir2.fp.vip.bf1.yahoo.com: ICMP echo request, id 3120, seq 2, length 64
    20:07:39.552983 IP b6 > ir2.fp.vip.bf1.yahoo.com: ICMP echo request, id 3120, seq 2, length 64
    20:07:40.552963 IP b6 > ir2.fp.vip.bf1.yahoo.com: ICMP echo request, id 3120, seq 3, length 64
    20:07:40.552975 IP b6 > ir2.fp.vip.bf1.yahoo.com: ICMP echo request, id 3120, seq 3, length 64
    ^C
    6 packets captured
    6 packets received by filter

Configuration.

Note: I have changed this configuration to the one that works for me, to help anyone with the same problem in the future.

Server.

ip addr

    ~ » ip addr
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: p2p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
        link/ether 90:e2:ba:21:b8:10 brd ff:ff:ff:ff:ff:ff
        inet 10.0.1.0/8 brd 10.255.255.255 scope global p2p1
        inet6 fe80::92e2:baff:fe21:b810/64 scope link
           valid_lft forever preferred_lft forever
    3: p2p2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
        link/ether 90:e2:ba:21:b8:11 brd ff:ff:ff:ff:ff:ff
        inet <ext IP>/24 brd <ext ip prefix>.255 scope global p2p2
        inet6 2001:468:c80:2106:92e2:baff:fe21:b811/64 scope global dynamic
           valid_lft 2591809sec preferred_lft 604609sec
        inet6 fe80::92e2:baff:fe21:b811/64 scope link
           valid_lft forever preferred_lft forever
    4: p2p3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN qlen 1000
        link/ether 90:e2:ba:21:b8:14 brd ff:ff:ff:ff:ff:ff
    5: p2p4: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN qlen 1000
        link/ether 90:e2:ba:21:b8:15 brd ff:ff:ff:ff:ff:ff
    6: em1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN qlen 1000
        link/ether d4:ae:52:99:8c:29 brd ff:ff:ff:ff:ff:ff
    7: em2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN qlen 1000
        link/ether d4:ae:52:99:8c:2a brd ff:ff:ff:ff:ff:ff

ip route

    ~ » ip route
    <ext ip prefix>.0/24 dev p2p2 proto kernel scope link src <ext ip>
    <prefix 1>.0.0/16 dev p2p1 scope link metric 1002
    <prefix 1>.0.0/16 dev p2p2 scope link metric 1003
    10.0.0.0/8 dev p2p1 proto kernel scope link src 10.0.1.0
    default via <ext ip prefix>.1 dev p2p2 proto static

iptables.

    ~ » _ iptables -t filter -L -v -n
    Chain INPUT (policy ACCEPT 3715K packets, 531M bytes)
     pkts bytes target        prot opt in     out     source               destination
      76M  111G fail2ban-SSH  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
     151M  183G ACCEPT        all  --  p2p2   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
      38M 6612M ACCEPT        all  --  p2p1   *       0.0.0.0/0            0.0.0.0/0
    1604K  101M ACCEPT        all  --  lo     *       0.0.0.0/0            0.0.0.0/0
     1923  142K ACCEPT        icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT        all  --  lo     *       0.0.0.0/0            0.0.0.0/0

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target        prot opt in     out     source               destination
     755K   62M ACCEPT        all  --  p2p1   p2p2    0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT        all  --  p2p2   p2p1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT        icmp --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 171M packets, 35G bytes)
     pkts bytes target        prot opt in     out     source               destination

    Chain fail2ban-SSH (1 references)
     pkts bytes target        prot opt in     out     source               destination
      76M  111G RETURN        all  --  *      *       0.0.0.0/0            0.0.0.0/0

    ~ » _ iptables -t mangle -L -v -n
    Chain PREROUTING (policy ACCEPT 1733K packets, 974M bytes)
     pkts bytes target        prot opt in     out     source               destination

    Chain INPUT (policy ACCEPT 1722K packets, 973M bytes)
     pkts bytes target        prot opt in     out     source               destination

    Chain FORWARD (policy ACCEPT 10956 packets, 892K bytes)
     pkts bytes target        prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 1989K packets, 201M bytes)
     pkts bytes target        prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 2001K packets, 202M bytes)
     pkts bytes target        prot opt in     out     source               destination

    ~ » _ iptables -t nat -L -v -n
    Chain PREROUTING (policy ACCEPT 26992 packets, 6507K bytes)
     pkts bytes target        prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 10234 packets, 954K bytes)
     pkts bytes target        prot opt in     out     source               destination
     532K   54M MASQUERADE    all  --  *      p2p2    10.0.0.0/8           0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 3229 packets, 394K bytes)
     pkts bytes target        prot opt in     out     source               destination

ip_forward: yes

    » cat /proc/sys/net/ipv4/ip_forward
    1

    » cat /etc/sysctl.conf | grep ip_forward
    net.ipv4.ip_forward = 1

Client: 10.0.2.6

ip addr

    ~ » ip addr
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
        link/ether 18:03:73:0d:89:15 brd ff:ff:ff:ff:ff:ff
        inet 10.0.2.6/8 brd 10.0.0.255 scope global em1
        inet6 fe80::1a03:73ff:fe0d:8915/64 scope link
           valid_lft forever preferred_lft forever
    3: em2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
        link/ether 18:03:73:0d:89:17 brd ff:ff:ff:ff:ff:ff

ip route.

    ~ » ip route
    <prefix 1>.0.0/16 dev em1 scope link metric 1002
    10.0.0.0/8 dev em1 proto kernel scope link src 10.0.2.6
    default via 10.0.1.0 dev em1

iptables.

    » _ iptables -t nat -L
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    ~ » _ iptables -t filter -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    ~ » _ iptables -t mangle -L
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination

From the tcpdump output, the packets are forwarded to the destination, but there is no reply. No wonder, since the rule in the POSTROUTING chain is broken:

    Chain POSTROUTING (policy ACCEPT 10234 packets, 954K bytes)
     pkts bytes target        prot opt in     out     source               destination
     532K   54M               all  --  *      *       10.0.0.0/8           0.0.0.0/0

The rule's target is missing. It should be "SNAT" or "MASQUERADE". Without it, the source address of the packets is not rewritten, so the pinged server replies to 10.0.2.6 (not routable) instead of to the server's IP.

If I understand correctly, the problem is twofold:

1) You want to route / route through without having configured iptables masquerading. On the PAT/masq'ing internet-facing router:

    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    echo 1 > /proc/sys/net/ipv4/ip_forward

2) The clients want all their traffic to come from the remote masq'ing router, so all clients must use this internet router as their default gateway. The clients can have all their traffic sourced that way, but they need a route telling them to do so; a default route on the clients then tells them where to send the traffic:

    ip route del default
    ip route add default via ip-of-masq'ing-router
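The two answers above rest on the same two prerequisites for a masquerading gateway: a MASQUERADE (or SNAT) rule in the nat POSTROUTING chain for the internal network, and ip_forward set to 1. The following POSIX shell script is an added example, not code from the question or from either answer. It checks both prerequisites offline against captured command output, and also flags the symptom visible in the question's capture (echo requests leaving, no replies). The listings and the capture it parses are constructed here to mirror the ones in the thread; on a real gateway you would feed it the output of `iptables -t nat -L POSTROUTING -v -n`, the contents of `/proc/sys/net/ipv4/ip_forward`, and the tcpdump capture.

```shell
#!/bin/sh
# Added example, not from the original thread: offline sanity checks for a
# Linux masquerading gateway, driven by captured command output so it can be
# run anywhere. All sample inputs below are constructed to mirror the thread.

# Constructed: the nat POSTROUTING listing as quoted in the first answer,
# with the rule's target column empty.
BROKEN_NAT='Chain POSTROUTING (policy ACCEPT 10234 packets, 954K bytes)
 pkts bytes target     prot opt in     out     source               destination
 532K   54M            all  --  *      *       10.0.0.0/8           0.0.0.0/0'

# Constructed: the same chain after the fix, as in the corrected dump.
GOOD_NAT='Chain POSTROUTING (policy ACCEPT 10234 packets, 954K bytes)
 pkts bytes target     prot opt in     out     source               destination
 532K   54M MASQUERADE  all  --  *      p2p2    10.0.0.0/8           0.0.0.0/0'

# Constructed: forwarded echo requests and no reply, as in the question's
# "tcpdump -i any" capture (each request appears twice: once per interface).
CAPTURE='20:07:38.553547 IP b6 > ir2.fp.vip.bf1.yahoo.com: ICMP echo request, id 3120, seq 1, length 64
20:07:38.553580 IP b6 > ir2.fp.vip.bf1.yahoo.com: ICMP echo request, id 3120, seq 1, length 64
20:07:39.552969 IP b6 > ir2.fp.vip.bf1.yahoo.com: ICMP echo request, id 3120, seq 2, length 64
20:07:39.552983 IP b6 > ir2.fp.vip.bf1.yahoo.com: ICMP echo request, id 3120, seq 2, length 64'

# masq_rule_present LISTING OUT_IF SRC_NET
# Succeeds (0) if the listing holds a MASQUERADE or SNAT rule whose out
# interface is OUT_IF (or "*") and whose source is SRC_NET. A row with a
# blank target column has only 8 fields and is rejected.
masq_rule_present() {
    printf '%s\n' "$1" | awk -v oif="$2" -v src="$3" '
        /^Chain / || /^ *pkts +bytes/ { next }   # skip chain and header lines
        NF >= 9 && ($3 == "MASQUERADE" || $3 == "SNAT") &&
            ($7 == oif || $7 == "*") && $8 == src { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# ping_unanswered CAPTURE
# Succeeds (0) when the capture shows ICMP echo requests but no echo replies,
# the pattern a missing source rewrite produces: the remote host answers to
# the unroutable private address instead of to the gateway.
ping_unanswered() {
    req=$(printf '%s\n' "$1" | grep -c 'ICMP echo request') || true
    rep=$(printf '%s\n' "$1" | grep -c 'ICMP echo reply') || true
    [ "$req" -gt 0 ] && [ "$rep" -eq 0 ]
}

# nat_gateway_check LISTING FORWARD_FLAG OUT_IF SRC_NET
# Prints one line per problem; the return value is the number of problems.
nat_gateway_check() {
    problems=0
    if [ "$2" != "1" ]; then
        echo "ip_forward is '$2': set net.ipv4.ip_forward = 1"
        problems=$((problems + 1))
    fi
    if ! masq_rule_present "$1" "$3" "$4"; then
        echo "no MASQUERADE/SNAT rule for $4 out $3 in nat POSTROUTING"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Demonstration on the constructed data. On a gateway you would pass
#   "$(iptables -t nat -L POSTROUTING -v -n)" "$(cat /proc/sys/net/ipv4/ip_forward)"
echo "== broken configuration =="
nat_gateway_check "$BROKEN_NAT" 1 p2p2 10.0.0.0/8 || echo "problems found: $?"
echo "== corrected configuration =="
nat_gateway_check "$GOOD_NAT" 1 p2p2 10.0.0.0/8 && echo "masquerading prerequisites present"
echo "== capture =="
ping_unanswered "$CAPTURE" && echo "echo requests leave but nothing comes back"
```

The awk filter deliberately requires a full nine-column row before it accepts a rule: a listing where the target column is blank, as in the first answer's quote, fails the field count and is reported as a missing rule rather than silently passing.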

I cannot post a comment to ask for clarification of your question, so I will put the questions here. In any case, you have not given enough information to get this answered. I suspect your masquerade is not working, but I cannot be sure.

First, in the tcpdump output there is the name "b6"; what is that? Since I would not expect that name on the internet, it may be your private IP address leaking onto the internet, and if that is true, your MASQUERADE is not working. In any case, it is better to use the -n option so that IP addresses are not translated into DNS names, which are meaningless in this context.

Next, your iptables listing is incomplete. Dumping with the -v option would help a lot with the additional information, because with that option I could confirm or refute the hypothesis that your private IP address is leaking to the internet. Also, use the -n option so that no reverse DNS lookups are performed.

Finally, you removed the IP addresses from the routing table and did not explain your topology. In doing so you also removed information that could help debug the problem.

And, as an aside, the ip command is preferable to the ifconfig/route combination on Linux.