Cannot route through a Linux gateway

I have 2 Linux boxes, A and B, both RHEL 7.

B NIC configuration:

    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9001
            inet 10.74.61.131  netmask 255.255.254.0  broadcast 10.74.61.255
            inet6 fe80::1011:12ff:fec7:d118  prefixlen 64  scopeid 0x20<link>
            ether 12:11:12:c7:d1:18  txqueuelen 1000  (Ethernet)
            RX packets 4599  bytes 503250 (491.4 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 4489  bytes 693330 (677.0 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9001
            inet 10.74.60.97  netmask 255.255.254.0  broadcast 10.74.61.255
            inet6 fe80::10b3:c9ff:fe85:47b5  prefixlen 64  scopeid 0x20<link>
            ether 12:b3:c9:85:47:b5  txqueuelen 1000  (Ethernet)
            RX packets 136  bytes 8864 (8.6 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 274  bytes 22184 (21.6 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

B kernel IP routing table

    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         10.74.60.1      0.0.0.0         UG    100    0        0 eth0
    0.0.0.0         10.74.60.1      0.0.0.0         UG    101    0        0 eth1
    10.74.60.0      0.0.0.0         255.255.254.0   U     100    0        0 eth0
    10.74.60.0      0.0.0.0         255.255.254.0   U     101    0        0 eth1
    146.1.242.0     10.74.61.26     255.255.254.0   UG    0      0        0 eth1

B ip route

    default via 10.74.60.1 dev eth0 proto static metric 100
    default via 10.74.60.1 dev eth1 proto static metric 101
    10.74.60.0/23 dev eth0 proto kernel scope link src 10.74.61.131 metric 100
    10.74.60.0/23 dev eth1 proto kernel scope link src 10.74.60.97 metric 101
    146.1.242.0/23 via 10.74.61.26 dev eth1

B route to 146.1.242.62:

    ip route get 146.1.242.62
    146.1.242.62 via 10.74.61.26 dev eth1  src 10.74.60.97
        cache

A NIC configuration:

    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9001
            inet 10.74.61.26  netmask 255.255.254.0  broadcast 10.74.61.255
            ether 12:d5:c1:64:c1:84  txqueuelen 1000  (Ethernet)
            RX packets 41439  bytes 2210425 (2.1 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 78272  bytes 23367775 (22.2 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9001
            inet 10.74.60.101  netmask 255.255.254.0  broadcast 10.74.61.255
            ether 12:f6:c9:b0:75:05  txqueuelen 1000  (Ethernet)
            RX packets 521  bytes 32470 (31.7 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 275  bytes 22494 (21.9 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Kernel IP routing table

    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         10.74.60.1      0.0.0.0         UG    100    0        0 eth0
    0.0.0.0         10.74.60.1      0.0.0.0         UG    101    0        0 eth1
    10.74.60.0      0.0.0.0         255.255.254.0   U     100    0        0 eth0
    10.74.60.0      0.0.0.0         255.255.254.0   U     101    0        0 eth1

A ip route

    default via 10.74.60.1 dev eth0 proto static metric 100
    default via 10.74.60.1 dev eth1 proto static metric 101
    10.74.60.0/23 dev eth0 proto kernel scope link src 10.74.61.26 metric 100
    10.74.60.0/23 dev eth1 proto kernel scope link src 10.74.60.101 metric 101

A is used as the gateway: on B, any traffic destined for 146.1.242.0/23 goes out through eth1, which has 10.74.61.26 as its gateway.

B -> eth1 (gw 10.74.61.26) ---> A (eth0 10.74.61.26)

Route to 146.1.242.62:

    ip route get 146.1.242.62
    146.1.242.62 via 10.74.61.26 dev eth1  src 10.74.60.97
        cache

I made A routable; the IP routing conf in /etc/sysctl.conf:

    net.ipv4.ip_forward = 1
    net.ipv6.conf.eth0.disable_ipv6 = 1
    #disable ipv6
    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1
    net.ipv6.conf.lo.disable_ipv6 = 1
    net.ipv6.conf.eth0.disable_ipv6 = 1
    net.ipv4.conf.default.rp_filter = 2
    net.ipv4.conf.all.rp_filter = 2

The firewall is enabled and started. iptables is all ACCEPT; nothing is dropped or rejected.

So when I ping from B

    ping -I eth1 146.1.242.62
    PING 146.1.242.62 (146.1.242.62) from 10.74.60.97 eth1: 56(84) bytes of data.
    ^C
    --- 146.1.242.62 ping statistics ---
    2 packets transmitted, 0 received, 100% packet loss, time 999ms

it never gets through. What am I doing wrong?

When I ping from B to A, below is the tcpdump result

    ping -I eth0 146.1.242.62
    PING 146.1.242.62 (146.1.242.62) from 10.74.61.131 eth0: 56(84) bytes of data.
    64 bytes from 146.1.242.62: icmp_seq=1 ttl=50 time=36.8 ms
    ^C
    --- 146.1.242.62 ping statistics ---
    6 packets transmitted, 6 received, 0% packet loss, time 5009ms

tcpdump ICMP response:

    IP 146.1.242.62 > ip-10-74-61-131.ebiz.ee.com: ICMP echo reply, id 3405, seq 1, length 64
    IP ip-10-74-61-131.ebiz.ee.com > 146.1.242.62: ICMP echo request, id 3405, seq 2, length 64
    IP 146.1.242.62 > ip-10-74-61-131.ebiz.ee.com: ICMP echo reply, id 3405, seq 2, length 64
    IP ip-10-74-61-131.ebiz.ee.com > 146.1.242.62: ICMP echo request, id 3405, seq 3, length 64
    IP 146.1.242.62 > ip-10-74-61-131.ebiz.ee.com: ICMP echo reply, id 3405, seq 3, length 64
    IP ip-10-74-61-131.ebiz.ee.com > 146.1.242.62: ICMP echo request, id 3405, seq 4, length 64
    IP 146.1.242.62 > ip-10-74-61-131.ebiz.ee.com: ICMP echo reply, id 3405, seq 4, length 64
    IP ip-10-74-61-131.ebiz.ee.com > 146.1.242.62: ICMP echo request, id 3405, seq 5, length 64

But when I do

    ping -I eth1 146.1.242.62
    PING 146.1.242.62 (146.1.242.62) from 10.74.60.97 eth1: 56(84) bytes of data.
    ^C
    --- 146.1.242.62 ping statistics ---
    4 packets transmitted, 0 received, 100% packet loss, time 2999ms

there is no tcpdump ICMP response.

A's iptables as of 11/21/2016

    iptables -t nat -S
    -P PREROUTING ACCEPT
    -P INPUT ACCEPT
    -P OUTPUT ACCEPT
    -P POSTROUTING ACCEPT
    ...
    -A PREROUTING -j LOG --log-prefix "-- PRE ROUTE--" --log-level 6
    -A POSTROUTING -j LOG --log-prefix "-- POST ROUTE--" --log-level 6

    iptables -S
    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT

B's iptables:

    iptables -t nat -S
    -P PREROUTING ACCEPT
    -P INPUT ACCEPT
    -P OUTPUT ACCEPT
    -P POSTROUTING ACCEPT
    -A POSTROUTING -j LOG --log-prefix "-- POST ROUTE--" --log-level 6

I turned on POSTROUTING logging on B and PREROUTING plus POSTROUTING logging on A, then pinged the target (146.1.242.62). It got logged in B's POSTROUTING, but nothing at all in A's PREROUTING. Below are the log entries and the ping

    ping 146.1.242.62
    PING 146.1.242.62 (146.1.242.62) from 10.74.60.97 eth1: 56(84) bytes of data.
    ^C
    --- 146.1.242.62 ping statistics ---
    4 packets transmitted, 0 received, 100% packet loss, time 2999ms

B log:

    Nov 21 10:36:25 localhost kernel: -- POST ROUTE--IN= OUT=eth1 SRC=10.74.60.97 DST=146.1.242.62 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=19877 DF PROTO=ICMP TYPE=8 CODE=0 ID=4920 SEQ=1

A log: none, no log in PRE ROUTE & POST ROUTE about the ping
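As an added illustration that is not part of the original post, the Python below resolves destinations against B's `ip route` dump quoted above using the rule the kernel applies (longest matching prefix, lowest metric as tiebreak) and reproduces the `ip route get 146.1.242.62` result, including the chosen source address. It also shows which interface B picks for the gateway address 10.74.61.26 itself and for an address covered only by the default routes. The route text and interface addresses are copied from the post; the parsing and lookup code is constructed for this example.

```python
import ipaddress

# Route table text copied from the `ip route` output of box B in the post above.
B_ROUTES = """\
default via 10.74.60.1 dev eth0 proto static metric 100
default via 10.74.60.1 dev eth1 proto static metric 101
10.74.60.0/23 dev eth0 proto kernel scope link src 10.74.61.131 metric 100
10.74.60.0/23 dev eth1 proto kernel scope link src 10.74.60.97 metric 101
146.1.242.0/23 via 10.74.61.26 dev eth1
"""

# Primary IPv4 address per interface on B, from the ifconfig output in the post.
B_ADDRS = {"eth0": "10.74.61.131", "eth1": "10.74.60.97"}


def parse_routes(text):
    """Parse `ip route` lines into dicts with prefix, via, dev, metric and src."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        dst = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        r = {"prefix": ipaddress.ip_network(dst, strict=False),
             "via": None, "dev": None, "metric": 0, "src": None}
        for key in ("via", "dev", "metric", "src"):  # space-separated key/value pairs
            if key in tok:
                r[key] = tok[tok.index(key) + 1]
        r["metric"] = int(r["metric"])
        routes.append(r)
    return routes


def route_get(routes, addrs, dst):
    """Emulate `ip route get`: longest matching prefix wins, lowest metric breaks ties.
    Returns (next_hop, dev, src); next_hop is None when dst is directly on-link."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if ip in r["prefix"]]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    best = max(candidates, key=lambda r: (r["prefix"].prefixlen, -r["metric"]))
    # Source address: the route's own `src` if present, else the egress device address.
    src = best["src"] or addrs[best["dev"]]
    return best["via"], best["dev"], src


if __name__ == "__main__":
    table = parse_routes(B_ROUTES)
    for target in ("146.1.242.62", "10.74.61.26", "8.8.8.8"):
        print(target, "->", route_get(table, B_ADDRS, target))
```

Note that the /23 route sends 146.1.242.0/23 out eth1 toward 10.74.61.26, while the connected route with the lower metric reaches 10.74.61.26 itself through eth0; comparing the two lookups is a quick way to see where a host with two interfaces in one subnet splits its paths.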

Your post does not show any iptables rules. My guess is that on your host A you should make sure the traffic passing through gets NATed.

Running the following command as root may help:

    iptables -t nat -A POSTROUTING --src 10.74.60.97/32 \! --dst 10.74.61.26/32 -o eth0 -j MASQUERADE

You may also find tcpdump useful for troubleshooting networking problems.