Linux router: ping replies are not routed back

I have a Debian box that I am trying to set up as a router, and an Ubuntu box that I use as a client.

My problem is that when the Ubuntu client tries to ping a server on the Internet, all packets are lost (although, as shown below, they seem to reach the server without any problem).

On the Ubuntu box I do this:

    # ping -I eth1 my.remote-server.com
    PING my.remote-server.com (XXXX) from 10.1.1.12 eth1: 56(84) bytes of data.
    ^C
    --- my.remote-server.com ping statistics ---
    13 packets transmitted, 0 received, 100% packet loss, time 12094ms

(I have changed the name and IP of the remote server for privacy.)

From the Debian router I see this:

    # tcpdump -i eth1 -qtln icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
    IP XXXX > 10.1.1.12: ICMP echo reply, id 305, seq 7, length 64
    IP 10.1.1.12 > XXXX: ICMP echo request, id 305, seq 8, length 64
    IP XXXX > 10.1.1.12: ICMP echo reply, id 305, seq 8, length 64
    IP 10.1.1.12 > XXXX: ICMP echo request, id 305, seq 9, length 64
    IP XXXX > 10.1.1.12: ICMP echo reply, id 305, seq 9, length 64
    IP 10.1.1.12 > XXXX: ICMP echo request, id 305, seq 10, length 64
    IP XXXX > 10.1.1.12: ICMP echo reply, id 305, seq 10, length 64
    IP 10.1.1.12 > XXXX: ICMP echo request, id 305, seq 11, length 64
    IP XXXX > 10.1.1.12: ICMP echo reply, id 305, seq 11, length 64
    ^C
    9 packets captured
    9 packets received by filter
    0 packets dropped by kernel

    # tcpdump -i eth2 -qtln icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
    IP 192.168.1.10 > XXXX: ICMP echo request, id 360, seq 213, length 64
    IP XXXX > 192.168.1.10: ICMP echo reply, id 360, seq 213, length 64
    IP 192.168.1.10 > XXXX: ICMP echo request, id 360, seq 214, length 64
    IP XXXX > 192.168.1.10: ICMP echo reply, id 360, seq 214, length 64
    IP 192.168.1.10 > XXXX: ICMP echo request, id 360, seq 215, length 64
    IP XXXX > 192.168.1.10: ICMP echo reply, id 360, seq 215, length 64
    IP 192.168.1.10 > XXXX: ICMP echo request, id 360, seq 216, length 64
    IP XXXX > 192.168.1.10: ICMP echo reply, id 360, seq 216, length 64
    IP 192.168.1.10 > XXXX: ICMP echo request, id 360, seq 217, length 64
    IP XXXX > 192.168.1.10: ICMP echo reply, id 360, seq 217, length 64
    ^C
    10 packets captured
    10 packets received by filter
    0 packets dropped by kernel

And on the remote server I see this:

    # tcpdump -i eth0 -qtln icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    IP YYYY > XXXX: ICMP echo request, id 360, seq 1, length 64
    IP XXXX > YYYY: ICMP echo reply, id 360, seq 1, length 64
    IP YYYY > XXXX: ICMP echo request, id 360, seq 2, length 64
    IP XXXX > YYYY: ICMP echo reply, id 360, seq 2, length 64
    IP YYYY > XXXX: ICMP echo request, id 360, seq 3, length 64
    IP XXXX > YYYY: ICMP echo reply, id 360, seq 3, length 64
    IP YYYY > XXXX: ICMP echo request, id 360, seq 4, length 64
    IP XXXX > YYYY: ICMP echo reply, id 360, seq 4, length 64
    IP YYYY > XXXX: ICMP echo request, id 360, seq 5, length 64
    IP XXXX > YYYY: ICMP echo reply, id 360, seq 5, length 64
    IP YYYY > XXXX: ICMP echo request, id 360, seq 6, length 64
    IP XXXX > YYYY: ICMP echo reply, id 360, seq 6, length 64
    IP YYYY > XXXX: ICMP echo request, id 360, seq 7, length 64
    IP XXXX > YYYY: ICMP echo reply, id 360, seq 7, length 64
    IP YYYY > XXXX: ICMP echo request, id 360, seq 8, length 64
    IP XXXX > YYYY: ICMP echo reply, id 360, seq 8, length 64
    IP YYYY > XXXX: ICMP echo request, id 360, seq 9, length 64
    IP XXXX > YYYY: ICMP echo reply, id 360, seq 9, length 64
    18 packets captured
    228 packets received by filter
    92 packets dropped by kernel

Here "XXXX" is the IP of my remote server and "YYYY" is the public IP of my local network. So my understanding is that the ping packets go from the Ubuntu box (10.1.1.12) to the router (10.1.1.1), from there to the next router (192.168.1.1), and reach the remote server (XXXX). Then they make it all the way back to the Debian router, but they never reach the Ubuntu box.

What am I missing?

Here is the Debian router setup:

    # ifconfig
    eth1      Link encap:Ethernet  HWaddr 94:0c:6d:82:0d:98
              inet addr:10.1.1.1  Bcast:10.1.1.255  Mask:255.255.255.0
              inet6 addr: fe80::960c:6dff:fe82:d98/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:105761 errors:0 dropped:0 overruns:0 frame:0
              TX packets:48944 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:40298768 (38.4 MiB)  TX bytes:44831595 (42.7 MiB)
              Interrupt:19 Base address:0x6000

    eth2      Link encap:Ethernet  HWaddr 6c:f0:49:a4:47:38
              inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
              inet6 addr: fe80::6ef0:49ff:fea4:4738/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:38335992 errors:0 dropped:0 overruns:0 frame:0
              TX packets:37097705 errors:0 dropped:0 overruns:0 carrier:1
              collisions:0 txqueuelen:1000
              RX bytes:4260680226 (3.9 GiB)  TX bytes:3759806551 (3.5 GiB)
              Interrupt:27

    eth3      Link encap:Ethernet  HWaddr 94:0c:6d:82:c8:72
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
              Interrupt:20 Base address:0x2000

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:3408 errors:0 dropped:0 overruns:0 frame:0
              TX packets:3408 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:358445 (350.0 KiB)  TX bytes:358445 (350.0 KiB)

    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.8.0.1  PtP:10.8.0.2  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:2767779 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1569477 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:3609469393 (3.3 GiB)  TX bytes:96113978 (91.6 MiB)

    # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
    127.0.0.1       0.0.0.0         255.255.255.255 UH    0      0        0 lo
    10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
    192.168.1.0     0.0.0.0         255.255.255.0   U     1      0        0 eth2
    10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
    0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth2

    # arp -n
    # Note: Here I have changed all the different MACs except the ones corresponding to the Ubuntu box (on 10.1.1.12 and 192.168.1.12)
    Address                  HWtype  HWaddress           Flags Mask            Iface
    192.168.1.118            ether   NN:NN:NN:NN:NN:NN   C                     eth2
    192.168.1.72             ether   NN:NN:NN:NN:NN:NN   C                     eth2
    192.168.1.94             ether   NN:NN:NN:NN:NN:NN   C                     eth2
    192.168.1.102            ether   NN:NN:NN:NN:NN:NN   C                     eth2
    10.1.1.12                ether   00:1e:67:15:2b:f0   C                     eth1
    192.168.1.86             ether   NN:NN:NN:NN:NN:NN   C                     eth2
    192.168.1.2              ether   NN:NN:NN:NN:NN:NN   C                     eth2
    192.168.1.61             ether   NN:NN:NN:NN:NN:NN   C                     eth2
    192.168.1.64             ether   NN:NN:NN:NN:NN:NN   C                     eth2
    192.168.1.116            ether   NN:NN:NN:NN:NN:NN   C                     eth2
    192.168.1.91             ether   NN:NN:NN:NN:NN:NN   C                     eth2
    192.168.1.52             ether   NN:NN:NN:NN:NN:NN   C                     eth2
    192.168.1.93             ether   NN:NN:NN:NN:NN:NN   C                     eth2
    192.168.1.87             ether   NN:NN:NN:NN:NN:NN   C                     eth2
    192.168.1.92             ether   NN:NN:NN:NN:NN:NN   C                     eth2
    192.168.1.100            ether   NN:NN:NN:NN:NN:NN   C                     eth2
    192.168.1.40             ether   NN:NN:NN:NN:NN:NN   C                     eth2
    192.168.1.53             ether   NN:NN:NN:NN:NN:NN   C                     eth2
    192.168.1.1              ether   NN:NN:NN:NN:NN:NN   C                     eth2
    192.168.1.83             ether   NN:NN:NN:NN:NN:NN   C                     eth2
    192.168.1.89             ether   NN:NN:NN:NN:NN:NN   C                     eth2
    192.168.1.12             ether   00:1e:67:15:2b:f1   C                     eth2
    192.168.1.77             ether   NN:NN:NN:NN:NN:NN   C                     eth2
    192.168.1.66             ether   NN:NN:NN:NN:NN:NN   C                     eth2
    192.168.1.90             ether   NN:NN:NN:NN:NN:NN   C                     eth2
    192.168.1.65             ether   NN:NN:NN:NN:NN:NN   C                     eth2
    192.168.1.41             ether   NN:NN:NN:NN:NN:NN   C                     eth2
    192.168.1.78             ether   NN:NN:NN:NN:NN:NN   C                     eth2
    192.168.1.123            ether   NN:NN:NN:NN:NN:NN   C                     eth2

    # iptables -L -n
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    # iptables -L -n -t nat
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    MASQUERADE  all  --  10.1.1.0/24          !10.1.1.0/24
    MASQUERADE  all  --  !10.1.1.0/24         10.1.1.0/24

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

And here is the Ubuntu box:

    # ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:1e:67:15:2b:f1
              inet addr:192.168.1.12  Bcast:192.168.1.255  Mask:255.255.255.0
              inet6 addr: fe80::21e:67ff:fe15:2bf1/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:28785139 errors:0 dropped:0 overruns:0 frame:0
              TX packets:19050735 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:32068182803 (32.0 GB)  TX bytes:6061333280 (6.0 GB)
              Interrupt:16 Memory:b1a00000-b1a20000

    eth1      Link encap:Ethernet  HWaddr 00:1e:67:15:2b:f0
              inet addr:10.1.1.12  Bcast:10.1.1.255  Mask:255.255.255.0
              inet6 addr: fe80::21e:67ff:fe15:2bf0/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:285086 errors:0 dropped:0 overruns:0 frame:0
              TX packets:12719 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:30817249 (30.8 MB)  TX bytes:2153228 (2.1 MB)
              Interrupt:16 Memory:b1900000-b1920000

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:86048 errors:0 dropped:0 overruns:0 frame:0
              TX packets:86048 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:11426538 (11.4 MB)  TX bytes:11426538 (11.4 MB)

    # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
    0.0.0.0         10.1.1.1        0.0.0.0         UG    100    0        0 eth1
    10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
    10.8.0.0        192.168.1.10    255.255.255.0   UG    0      0        0 eth0
    169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
    192.168.1.0     0.0.0.0         255.255.255.0   U     1      0        0 eth0

    # arp -n
    # Note: Here I have changed all the different MACs except the ones corresponding to the Debian box (on 10.1.1.1 and 192.168.1.10)
    Address                  HWtype  HWaddress           Flags Mask            Iface
    192.168.1.70             ether   NN:NN:NN:NN:NN:NN   C                     eth0
    192.168.1.90             ether   NN:NN:NN:NN:NN:NN   C                     eth0
    192.168.1.97             ether   NN:NN:NN:NN:NN:NN   C                     eth0
    192.168.1.103            ether   NN:NN:NN:NN:NN:NN   C                     eth0
    192.168.1.13             ether   NN:NN:NN:NN:NN:NN   C                     eth0
    192.168.1.120                    (incomplete)                              eth0
    192.168.1.111            ether   NN:NN:NN:NN:NN:NN   C                     eth0
    192.168.1.118            ether   NN:NN:NN:NN:NN:NN   C                     eth0
    192.168.1.51             ether   NN:NN:NN:NN:NN:NN   C                     eth0
    192.168.1.102                    (incomplete)                              eth0
    192.168.1.64             ether   NN:NN:NN:NN:NN:NN   C                     eth0
    192.168.1.52             ether   NN:NN:NN:NN:NN:NN   C                     eth0
    192.168.1.74                     (incomplete)                              eth0
    192.168.1.94             ether   NN:NN:NN:NN:NN:NN   C                     eth0
    192.168.1.121            ether   NN:NN:NN:NN:NN:NN   C                     eth0
    192.168.1.72             ether   NN:NN:NN:NN:NN:NN   C                     eth0
    192.168.1.87             ether   NN:NN:NN:NN:NN:NN   C                     eth0
    192.168.1.91             ether   NN:NN:NN:NN:NN:NN   C                     eth0
    192.168.1.71             ether   NN:NN:NN:NN:NN:NN   C                     eth0
    192.168.1.78             ether   NN:NN:NN:NN:NN:NN   C                     eth0
    192.168.1.83             ether   NN:NN:NN:NN:NN:NN   C                     eth0
    192.168.1.88                     (incomplete)                              eth0
    192.168.1.82             ether   NN:NN:NN:NN:NN:NN   C                     eth0
    192.168.1.98             ether   NN:NN:NN:NN:NN:NN   C                     eth0
    192.168.1.100            ether   NN:NN:NN:NN:NN:NN   C                     eth0
    192.168.1.93             ether   NN:NN:NN:NN:NN:NN   C                     eth0
    192.168.1.73             ether   NN:NN:NN:NN:NN:NN   C                     eth0
    192.168.1.11             ether   NN:NN:NN:NN:NN:NN   C                     eth0
    192.168.1.85                     (incomplete)                              eth0
    192.168.1.112            ether   NN:NN:NN:NN:NN:NN   C                     eth0
    192.168.1.89             ether   NN:NN:NN:NN:NN:NN   C                     eth0
    192.168.1.65             ether   NN:NN:NN:NN:NN:NN   C                     eth0
    192.168.1.81             ether   NN:NN:NN:NN:NN:NN   C                     eth0
    10.1.1.1                 ether   94:0c:6d:82:0d:98   C                     eth1
    192.168.1.53             ether   NN:NN:NN:NN:NN:NN   C                     eth0
    192.168.1.116            ether   NN:NN:NN:NN:NN:NN   C                     eth0
    192.168.1.61             ether   NN:NN:NN:NN:NN:NN   C                     eth0
    192.168.1.10             ether   6c:f0:49:a4:47:38   C                     eth0
    192.168.1.86                     (incomplete)                              eth0
    192.168.1.119            ether   NN:NN:NN:NN:NN:NN   C                     eth0
    192.168.1.66             ether   NN:NN:NN:NN:NN:NN   C                     eth0
    192.168.1.1              ether   NN:NN:NN:NN:NN:NN   C                     eth0
    192.168.1.1              ether   NN:NN:NN:NN:NN:NN   C                     eth1
    192.168.1.92             ether   NN:NN:NN:NN:NN:NN   C                     eth0

    # iptables -L -n
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    # iptables -L -n -t nat
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination

Edit: following Patrick's suggestion, I ran a tcpdump on the Ubuntu box and I see this:

    # tcpdump -i eth1 -qtln icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
    IP 10.1.1.12 > XXXX: ICMP echo request, id 21967, seq 1, length 64
    IP XXXX > 10.1.1.12: ICMP echo reply, id 21967, seq 1, length 64
    IP 10.1.1.12 > XXXX: ICMP echo request, id 21967, seq 2, length 64
    IP XXXX > 10.1.1.12: ICMP echo reply, id 21967, seq 2, length 64
    IP 10.1.1.12 > XXXX: ICMP echo request, id 21967, seq 3, length 64
    IP XXXX > 10.1.1.12: ICMP echo reply, id 21967, seq 3, length 64
    IP 10.1.1.12 > XXXX: ICMP echo request, id 21967, seq 4, length 64
    IP XXXX > 10.1.1.12: ICMP echo reply, id 21967, seq 4, length 64
    IP 10.1.1.12 > XXXX: ICMP echo request, id 21967, seq 5, length 64
    IP XXXX > 10.1.1.12: ICMP echo reply, id 21967, seq 5, length 64
    IP 10.1.1.12 > XXXX: ICMP echo request, id 21967, seq 6, length 64
    IP XXXX > 10.1.1.12: ICMP echo reply, id 21967, seq 6, length 64
    ^C
    12 packets captured
    12 packets received by filter
    0 packets dropped by kernel

So the question is: if all the packets seem to be going back and forth, why does ping report 100% packet loss?

Regarding your question in the comments:

On the remote server I see the requests and the replies. But on the Debian router I see nothing at all... on none of its interfaces! My guess is that the Ubuntu box is now talking directly to the router at 192.168.1.1, but sending the requests from IP address 10.1.1.12, so they cannot be routed back. But why??

From the Ubuntu server:

    # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0   <---
    0.0.0.0         10.1.1.1        0.0.0.0         UG    100    0        0 eth1

At the time this routing table was captured, the default route via eth0 pointing at your router 192.168.1.1 (i.e. not the Debian machine) had the lower metric. The default route with the lower metric is always followed first, which means Ubuntu wants to send all traffic for non-connected networks directly to 192.168.1.1.

If you can afford some downtime, remove that default route with

    route del default gw 192.168.1.1 dev eth0

I am still chewing on the bigger problem (the original sniffer trace shows the ping replies arriving on Ubuntu:eth1 but not being accepted by the OS). Could you ping from Ubuntu:eth1 while capturing on Debian:eth2, to show what NAT is doing once you have forced Ubuntu to send all its traffic through Debian again?

Have you checked whether reverse path filtering is enabled on the Ubuntu box?

It is a sysctl setting (net.ipv4.conf.all.rp_filter) that filters incoming packets whose source address arrives on the "wrong" interface (i.e. not the interface the kernel would route that address out of).

You can also try net.ipv4.conf.all.log_martians=1 to get a look at what is happening.
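As an added illustration (not part of any answer in this thread), here is a small Python model of the two mechanisms the answers above describe: the metric tie-break between the two default routes in the Ubuntu box's route -n output, and strict reverse-path filtering (rp_filter=1) applied to the echo replies that arrive on eth1. The routing table is the one posted for the Ubuntu box; the address 203.0.113.5 is a constructed stand-in for the anonymised XXXX.

```python
import ipaddress

# Ubuntu box routing table as posted in the question:
# (Destination, Gateway, Genmask, Metric, Iface)
UBUNTU_ROUTES = [
    ("0.0.0.0",     "192.168.1.1",  "0.0.0.0",       0,    "eth0"),
    ("0.0.0.0",     "10.1.1.1",     "0.0.0.0",       100,  "eth1"),
    ("10.1.1.0",    "0.0.0.0",      "255.255.255.0", 0,    "eth1"),
    ("10.8.0.0",    "192.168.1.10", "255.255.255.0", 0,    "eth0"),
    ("169.254.0.0", "0.0.0.0",      "255.255.0.0",   1000, "eth0"),
    ("192.168.1.0", "0.0.0.0",      "255.255.255.0", 1,    "eth0"),
]

def lookup(routes, dst):
    """Return (gateway, iface) the kernel picks for dst: longest prefix
    first, then the lowest metric among routes with the same prefix."""
    dst = ipaddress.ip_address(dst)
    best = None
    for dest, gw, mask, metric, iface in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if dst in net:
            key = (-net.prefixlen, metric)
            if best is None or key < best[0]:
                best = (key, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]

def rp_filter_strict_accepts(routes, src, in_iface):
    """Strict reverse-path filtering (rp_filter=1): the packet is accepted
    only if the best route back to its source leaves via the interface
    it arrived on; otherwise the kernel drops it as a martian."""
    try:
        _, out_iface = lookup(routes, src)
    except LookupError:
        return False
    return out_iface == in_iface

def without_default_via(routes, gw, iface):
    """Routing table after `route del default gw <gw> dev <iface>`."""
    return [r for r in routes
            if not (r[0] == "0.0.0.0" and r[1] == gw and r[4] == iface)]

if __name__ == "__main__":
    REMOTE = "203.0.113.5"  # constructed stand-in for the anonymised XXXX
    print(lookup(UBUNTU_ROUTES, REMOTE))                            # ('192.168.1.1', 'eth0')
    print(rp_filter_strict_accepts(UBUNTU_ROUTES, REMOTE, "eth1"))  # False: reply dropped
    fixed = without_default_via(UBUNTU_ROUTES, "192.168.1.1", "eth0")
    print(rp_filter_strict_accepts(fixed, REMOTE, "eth1"))          # True: reply accepted
```

The echo reply seen by tcpdump on Ubuntu:eth1 comes from XXXX, but the eth0 default (metric 0) is the best route back to XXXX, so strict rp_filter discards it before ping ever sees it; once that default is gone, the reverse path matches eth1 and the reply is delivered.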

The key to making this work is to create separate routing tables for the different interfaces and to tell the network stack to use those instead of the default routing table.

In your case, this should make ping -I eth2 8.8.8.8 work:

    # register the 'foo' table name and give it id 1
    echo '1 foo' >> /etc/iproute2/rt_tables

    # setup routing table 'foo'
    ip route add 192.168.1.0/24 dev eth2 src 192.168.1.10 table foo
    ip route add default via 192.168.1.1 table foo

    # use routing table 'foo' for address 192.168.1.10
    ip rule add from 192.168.1.10 table foo

More information on routing with multiple uplinks can be found in the LARTC HOWTO: http://lartc.org/howto/lartc.rpdb.multiple-links.html

If your iptables rules are completely blank (apart from the masquerade statements), then you probably need to add a FORWARDING chain to allow traffic through the box. Try starting from a known working configuration:

http://wiki.debian.org/DebianFirewall#Using_iptables_for_IPv4_traffic

That also covers confirming that you have forwarding enabled in sysctl, etc.

You need to configure NAT.

In a typical configuration, the local network uses one of the designated "private" IP address subnets. The router on that network has a private address in that address space. The router also connects to the Internet through a "public" address assigned by an Internet service provider. When traffic flows from the local network to the Internet, the source address in each packet is translated from the private address to the public address. The router tracks basic data about each active connection (in particular the destination address and port). When a reply comes back to the router, it uses the connection tracking data stored during the outbound phase to determine the private address on the internal network to which the reply should be forwarded.