Dual IP forwarding not working

In my scenario I have the following two Debian servers: the first is my main OpenVPN server, which has two active NICs, eth0 (172.25.156.146) and eth3 (172.26.16.1); the second server also has two active NICs, eth0 (172.26.16.16) and eth1 (10.77.144.75). Both servers are directly connected on 172.26.16.0/24.

Some services/servers in my LAN are reachable only from the second server (hence the direct connection), and to make those internal servers/services reachable from the main server (172.25.156.146) the following rules are enabled:

On the main server:

    Destination     Gateway         Genmask         Flags MSS Window irtt Iface
    0.0.0.0         172.25.156.145  0.0.0.0         UG    0   0      0    eth0
    10.77.144.0     172.26.16.16    255.255.255.0   UG    0   0      0    eth3   # internal servers range
    10.250.250.0    0.0.0.0         255.255.255.0   U     0   0      0    tap3
    169.254.0.0     0.0.0.0         255.255.0.0     U     0   0      0    eth0
    172.16.16.0     0.0.0.0         255.255.255.0   U     0   0      0    tap1
    172.17.17.0     0.0.0.0         255.255.255.0   U     0   0      0    tap5
    172.25.132.0    172.25.156.145  255.255.255.128 UG    0   0      0    eth0
    172.25.156.144  0.0.0.0         255.255.255.248 U     0   0      0    eth0
    172.26.16.0     0.0.0.0         255.255.255.0   U     0   0      0    eth3   # route back to the second server
    172.31.249.0    0.0.0.0         255.255.255.0   U     0   0      0    tap4
    192.168.0.0     192.168.0.1     255.255.255.0   UG    0   0      0    tap6
    192.168.0.0     0.0.0.0         255.255.255.0   U     0   0      0    tap6
    192.168.88.0    192.168.88.2    255.255.255.0   UG    0   0      0    tun0
    192.168.88.2    0.0.0.0         255.255.255.255 UH    0   0      0    tun0
    192.168.200.0   192.168.200.1   255.255.255.0   UG    0   0      0    tap2
    192.168.200.0   0.0.0.0         255.255.255.0   U     0   0      0    tap2
    192.168.200.100 192.168.200.1   255.255.255.255 UGH   0   0      0    tap2

    /proc/sys/net/ipv4/ip_forward = 1

iptables rules (even though it is not relevant):

    Chain INPUT (policy ACCEPT 24M packets, 15G bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy ACCEPT 16463 packets, 985K bytes)
     pkts bytes target     prot opt in     out     source               destination
      252 15593 ACCEPT     all  --  tun0   eth0    192.168.88.0/24      10.77.128.0/24       ctstate NEW
    1671K  742M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
        0     0 ACCEPT     all  --  tun0   eth0    192.168.88.0/24      10.77.120.0/24       ctstate NEW

    Chain OUTPUT (policy ACCEPT 16M packets, 18G bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  192.168.88.0/24      10.77.128.0/24       ctstate NEW
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    ACCEPT     all  --  192.168.88.0/24      10.77.120.0/24       ctstate NEW

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

On the second server:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags MSS Window irtt Iface
    10.0.0.0        10.77.144.1     255.0.0.0       UG    0   0      0    eth1
    10.77.144.0     0.0.0.0         255.255.255.0   U     0   0      0    eth1   # towards the internal servers
    172.25.132.0    10.77.144.1     255.255.255.128 UG    0   0      0    eth1
    172.26.16.0     0.0.0.0         255.255.255.0   U     0   0      0    eth0   # route back to the main server
    192.168.88.0    172.26.16.1     255.255.255.0   UG    0   0      0    eth0

iptables rules:

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
    DROP       all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere             state NEW
    ACCEPT     all  --  anywhere             anywhere             state NEW

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:telnet state NEW
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
     2330  127K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    41784 2293K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       14   840 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
      947  149K DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
     4346  833K ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state NEW
        0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        9   512 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23 state NEW
        0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    10620  879K ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  eth1   eth1    0.0.0.0/0            0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 47570 packets, 19M bytes)
     pkts bytes target     prot opt in     out     source               destination

And IP forwarding is enabled.

Problem: from the main server I cannot ping the internal servers, but I can from the second server. Any help would be greatly appreciated.

The following solved the problem above (when executed on the second server):

    root@armittage:~# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    root@armittage:~# iptables -A FORWARD -i eth1 -j ACCEPT
    root@armittage:~# iptables -A FORWARD -i eth0 -j ACCEPT
    root@armittage:~# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
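The fix works because the internal servers have no route back to 172.26.16.0/24 or 192.168.88.0/24, so masquerading behind eth1 (10.77.144.75) lets their replies return. The accepted answer, however, forwards everything in both directions and masquerades on both interfaces. The script below is an added example (not from the question or the answer) that keeps the same effect but limits forwarding to the flows described in the question. It assumes eth0 faces the main server (172.26.16.1) and its VPN clients (192.168.88.0/24), eth1 faces the internal range 10.77.144.0/24, and that the FORWARD chain can be rebuilt from scratch; set DRY_RUN=1 to print the commands instead of applying them.

```shell
#!/bin/sh
# Narrower forwarding/NAT setup for the second server (added example, not from the post).
# Assumed topology: eth0 = 172.26.16.0/24 side (main server), eth1 = 10.77.144.0/24 side.
IPT="${IPT:-iptables}"
INTERNAL_NET="${INTERNAL_NET:-10.77.144.0/24}"   # "internal servers range" from the question

# Run an iptables command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Append a rule only if an identical one is not already present (iptables -C).
add_once() {
    table="$1"; shift
    if [ "${DRY_RUN:-0}" = 1 ] || ! "$IPT" -t "$table" -C "$@" 2>/dev/null; then
        run -t "$table" -A "$@"
    fi
}

harden_forwarding() {
    run -F FORWARD          # assumption: no other forwarding rules are required on this host
    run -P FORWARD DROP     # default deny for transit traffic instead of "policy ACCEPT"
    # Replies for flows that were already accepted, in either direction.
    add_once filter FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # New flows only from the main server and its VPN clients toward the internal range.
    for src in 172.26.16.1/32 192.168.88.0/24; do
        add_once filter FORWARD -i eth0 -o eth1 -s "$src" -d "$INTERNAL_NET" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    # Rewrite the source only for packets leaving eth1 toward the internal range, so the
    # internal servers answer to 10.77.144.75 and need no route to 172.26.16.0/24 or 192.168.88.0/24.
    add_once nat POSTROUTING -o eth1 -d "$INTERNAL_NET" -j MASQUERADE
}
```

Forwarding must still be enabled (`/proc/sys/net/ipv4/ip_forward = 1`, as in the question) for any of these rules to see traffic.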