Cannot ping a Linux network namespace on the same subnet

Here is a brief summary of the problem. I cannot communicate with a Linux network namespace that is on the same subnet. I am running Ubuntu 14.04.1 LTS on a headless server. I have been working on this problem for about a week, so thank you for any responses.

From the beginning (tcpdump at the bottom):

I have two physical interfaces, em1 and em2. I created two bridges, br0 and br1. The first bridge, br0, contains my external interface em1. The second bridge, br1, contains my internal interface em2 and veth0 (linked to veth1 in the network namespace named vpn, as shown below).

cat /etc/network/interfaces

    # This file describes the network interfaces available on your system
    # and how to activate them. For more information, see interfaces(5).

    # The loopback network interface
    auto lo
    iface lo inet loopback

    # Bridge setup
    auto br0 em1
    iface br0 inet dhcp
        bridge_ports em1

    auto br1 em2 veth0
    iface br1 inet static
        address 10.0.0.1
        network 10.0.0.0
        netmask 255.255.255.0
        broadcast 10.0.0.255
        bridge_ports em2 veth0
        # pre and post up
        pre-up ip link add name veth0 type veth peer name veth1
        pre-up ip netns add vpn
        pre-up ip link set veth1 netns vpn
        post-up ip netns exec vpn ip link set dev lo up
        post-up ip netns exec vpn ip link set dev veth1 up
        post-up ip netns exec vpn ip addr add 10.0.0.254/24 broadcast 10.0.0.255 dev veth1
        post-up ip netns exec vpn ip route add default via 10.0.0.1

I am using this server for routing. Here is my nat.sh, which runs at every boot.

    echo -e "\n\nLoading simple rc.firewall-iptables version $FWVER..\n"

    DEPMOD=/sbin/depmod
    MODPROBE=/sbin/modprobe

    EXTIF="br0"
    INTIF="br1"
    #INTIF2="eth0"
    echo "   External Interface:  $EXTIF"
    echo "   Internal Interface:  $INTIF"

    #======================================================================
    #== No editing beyond this line is required for initial MASQ testing ==

    echo -en "   loading modules: "
    echo "  - Verifying that all kernel modules are ok"
    $DEPMOD -a
    echo "----------------------------------------------------------------------"
    echo -en "ip_tables, "
    $MODPROBE ip_tables
    echo -en "nf_conntrack, "
    $MODPROBE nf_conntrack
    echo -en "nf_conntrack_ftp, "
    $MODPROBE nf_conntrack_ftp
    echo -en "nf_conntrack_irc, "
    $MODPROBE nf_conntrack_irc
    echo -en "iptable_nat, "
    $MODPROBE iptable_nat
    echo -en "nf_nat_ftp, "
    $MODPROBE nf_nat_ftp
    echo "----------------------------------------------------------------------"
    echo -e "   Done loading modules.\n"

    echo "   Enabling forwarding.."
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "   Enabling DynamicAddr.."
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr

    echo "   Clearing any existing rules and setting default policy.."
    iptables-restore <<-EOF
    *nat
    -A POSTROUTING -o "$EXTIF" -j MASQUERADE
    COMMIT
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    -A FORWARD -i "$EXTIF" -o "$INTIF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
    -A FORWARD -j LOG
    COMMIT
    EOF

    echo -e "\nrc.firewall-iptables v$FWVER done.\n"

All devices on the network get their addresses from this server and are on the same subnet. Everything communicates with everything else perfectly. My only problem is that no device can reach veth1 inside the network namespace vpn, even though it has an address and subnet just like the server and can even ping Google.

For example, from my laptop at address 10.0.0.4, the command ping 10.0.0.1 works, and ping 10.0.0.3 (my Xbox) works. But ping 10.0.0.254 does not work, even though it is on the same network as everything else.

Here is some additional information:

sysctl net.ipv4.ip_forward

    net.ipv4.ip_forward = 1

cat /proc/sys/net/ipv4/ip_forward

    1

ifconfig

    br0       Link encap:Ethernet  HWaddr 00:1e:67:ad:9e:1d
              inet addr:71.95.217.302  Bcast:255.255.255.255  Mask:255.255.254.0
              inet6 addr: fe80::21e:67ff:fead:9e1d/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:57249 errors:0 dropped:0 overruns:0 frame:0
              TX packets:17297 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:13724815 (13.7 MB)  TX bytes:2606039 (2.6 MB)

    br1       Link encap:Ethernet  HWaddr 00:1e:67:ad:9e:1e
              inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
              inet6 addr: fe80::21e:67ff:fead:9e1e/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:17716 errors:0 dropped:0 overruns:0 frame:0
              TX packets:18625 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:2382424 (2.3 MB)  TX bytes:11990075 (11.9 MB)

    em1       Link encap:Ethernet  HWaddr 00:1e:67:ad:9e:1d
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:58804 errors:0 dropped:0 overruns:0 frame:0
              TX packets:17304 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:14632304 (14.6 MB)  TX bytes:2606465 (2.6 MB)
              Memory:b1200000-b1280000

    em2       Link encap:Ethernet  HWaddr 00:1e:67:ad:9e:1e
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:17636 errors:0 dropped:0 overruns:0 frame:0
              TX packets:20125 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:2639201 (2.6 MB)  TX bytes:12086082 (12.0 MB)
              Memory:b1100000-b1180000

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:4775 errors:0 dropped:0 overruns:0 frame:0
              TX packets:4775 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:939016 (939.0 KB)  TX bytes:939016 (939.0 KB)

    veth0     Link encap:Ethernet  HWaddr 4e:99:98:cc:48:6d
              inet6 addr: fe80::4c99:98ff:fecc:486d/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:75 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1902 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:6799 (6.7 KB)  TX bytes:140261 (140.2 KB)

brctl show br0

    bridge name     bridge id               STP enabled     interfaces
    br0             8000.001e67ad9e1d       no              em1

brctl show br1

    bridge name     bridge id               STP enabled     interfaces
    br1             8000.001e67ad9e1e       no              em2
                                                            veth0

ip route

    default via 71.95.216.1 dev br0
    10.0.0.0/24 dev br1  proto kernel  scope link  src 10.0.0.1
    71.95.216.0/23 dev br0  proto kernel  scope link  src 71.95.217.302

route

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         71-95-216-1.sta 0.0.0.0         UG    0      0        0 br0
    10.0.0.0        *               255.255.255.0   U     0      0        0 br1
    71.95.216.0     *               255.255.254.0   U     0      0        0 br0

ip netns exec vpn ifconfig

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    veth1     Link encap:Ethernet  HWaddr 3e:0a:b5:c6:f4:07
              inet addr:10.0.0.254  Bcast:10.0.0.255  Mask:255.255.255.0
              inet6 addr: fe80::3c0a:b5ff:fec6:f407/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1987 errors:0 dropped:0 overruns:0 frame:0
              TX packets:75 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:146530 (146.5 KB)  TX bytes:6799 (6.7 KB)

ip netns exec vpn ip route

    default via 10.0.0.1 dev veth1
    10.0.0.0/24 dev veth1  proto kernel  scope link  src 10.0.0.254

ip netns exec vpn route

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         10.0.0.1        0.0.0.0         UG    0      0        0 veth1
    10.0.0.0        *               255.255.255.0   U     0      0        0 veth1

I ran tcpdump -v -i br1 > file while executing ping 10.0.0.254 from 10.0.0.4, and then searched the tcpdump output file for 10.0.0.254. You can view the whole tcpdump (it is not very long) here: http://pastebin.com/raw.php?i=Rs9dpw4V

    21:07:55.648413 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.254 tell 10.0.0.4, length 46
    21:07:55.648448 ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.0.0.254 is-at 3e:0a:b5:c6:f4:07 (oui Unknown), length 28
        10.0.0.4 > 10.0.0.254: ICMP echo request, id 11630, seq 0, length 64
        10.0.0.4 > 10.0.0.254: ICMP echo request, id 11630, seq 1, length 64
        10.0.0.4 > 10.0.0.254: ICMP echo request, id 11630, seq 2, length 64
        10.0.0.4 > 10.0.0.254: ICMP echo request, id 11630, seq 3, length 64
        10.0.0.4 > 10.0.0.254: ICMP echo request, id 11630, seq 4, length 64
        10.0.0.4 > 10.0.0.254: ICMP echo request, id 11630, seq 5, length 64
        10.0.0.4 > 10.0.0.254: ICMP echo request, id 11630, seq 6, length 64
        10.0.0.4 > 10.0.0.254: ICMP echo request, id 11630, seq 7, length 64
        10.0.0.4 > 10.0.0.254: ICMP echo request, id 11630, seq 8, length 64
        10.0.0.4 > 10.0.0.254: ICMP echo request, id 11630, seq 9, length 64
        10.0.0.4 > 10.0.0.254: ICMP echo request, id 11630, seq 10, length 64
        10.0.0.4 > 10.0.0.254: ICMP echo request, id 11630, seq 11, length 64

If any information is missing, please let me know.

Edit:

iptables -L -nv

    Chain INPUT (policy ACCEPT 33M packets, 45G bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy DROP 17439 packets, 3112K bytes)
     pkts bytes target     prot opt in     out     source               destination
    2640K 3411M ACCEPT     all  --  br0    br1     0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    2470K  464M ACCEPT     all  --  br1    br0     0.0.0.0/0            0.0.0.0/0
    17439 3112K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4

    Chain OUTPUT (policy ACCEPT 21M packets, 35G bytes)
     pkts bytes target     prot opt in     out     source               destination

iptables -t nat -L -nv

    Chain PREROUTING (policy ACCEPT 280K packets, 30M bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain INPUT (policy ACCEPT 187K packets, 22M bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 198K packets, 13M bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 58488 packets, 3569K bytes)
     pkts bytes target     prot opt in     out     source               destination
     222K   15M MASQUERADE  all  --  *      br0     0.0.0.0/0            0.0.0.0/0

ip netns exec vpn arping -I veth1 -c 3 10.0.0.2

    ARPING 10.0.0.2
    60 bytes from 90:72:40:05:79:87 (10.0.0.2): index=0 time=1.001 sec
    60 bytes from 90:72:40:05:79:87 (10.0.0.2): index=1 time=1.001 sec
    60 bytes from 90:72:40:05:79:87 (10.0.0.2): index=2 time=1.001 sec

    --- 10.0.0.2 statistics ---

arping -I br1 -c 3 10.0.0.254

    ARPING 10.0.0.254
    42 bytes from 3e:0a:b5:c6:f4:07 (10.0.0.254): index=0 time=1.001 sec
    42 bytes from 3e:0a:b5:c6:f4:07 (10.0.0.254): index=1 time=1.001 sec
    42 bytes from 3e:0a:b5:c6:f4:07 (10.0.0.254): index=2 time=1.001 sec

    --- 10.0.0.254 statistics ---
    3 packets transmitted, 3 packets received,   0% unanswered (0 extra)

I would assume that if you run sudo iptables -L | grep policy it looks like this:

    Chain INPUT (policy ACCEPT)
    Chain FORWARD (policy DROP)
    Chain OUTPUT (policy ACCEPT)

If you just do iptables --policy FORWARD ACCEPT, your problem will be solved. But a server without a properly set up iptables can be dangerous, so you may want to refer to this wonderful guide to get started with iptables.
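As an added example, not code from either post: a POSIX shell script that checks the two pieces of evidence quoted above offline (echo requests against echo replies in the capture, and the FORWARD policy with its drop counter from iptables -L -nv) and prints a narrower filter rule set than iptables --policy FORWARD ACCEPT. The sample capture and chain header are constructed from the output quoted in the question; the intra-bridge rule -A FORWARD -i br1 -o br1 -j ACCEPT assumes that br_netfilter is passing br1's bridged frames through the FORWARD chain, which neither post states.

```shell
#!/bin/sh
# Added example, not from the original posts. Sample inputs are constructed
# from the question's quoted output so the script runs offline.

# Constructed: abbreviated copy of the capture above (requests only, no replies).
CAPTURE='21:07:55.648413 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.254 tell 10.0.0.4, length 46
21:07:55.648448 ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.0.0.254 is-at 3e:0a:b5:c6:f4:07 (oui Unknown), length 28
    10.0.0.4 > 10.0.0.254: ICMP echo request, id 11630, seq 0, length 64
    10.0.0.4 > 10.0.0.254: ICMP echo request, id 11630, seq 1, length 64
    10.0.0.4 > 10.0.0.254: ICMP echo request, id 11630, seq 2, length 64'

# Constructed: the FORWARD chain header from the question's `iptables -L -nv`.
FORWARD_HEADER='Chain FORWARD (policy DROP 17439 packets, 3112K bytes)'

# Count ICMP echo requests from $1 to $2 and echo replies back, reading tcpdump
# text on stdin. ARP resolving while replies stay at 0 means the frames reach
# the target MAC but the echo replies never come back across the bridge.
count_icmp() {
    awk -v src="$1" -v dst="$2" '
        $0 ~ (src " > " dst ": ICMP echo request") { req++ }
        $0 ~ (dst " > " src ": ICMP echo reply")   { rep++ }
        END { printf "requests=%d replies=%d\n", req + 0, rep + 0 }'
}

# Print "<policy> <dropped packets>" for the FORWARD chain header on stdin.
# A growing counter on a DROP policy while only same-subnet pings fail says
# the bridged frames are being evaluated by the FORWARD chain.
forward_policy() {
    awk '/^Chain FORWARD/ { gsub(/[(),]/, ""); print $4, $5 }'
}

# Narrower alternative to `iptables --policy FORWARD ACCEPT` (assumption: the
# br1-to-br1 frames traverse FORWARD via br_netfilter). Keeps the DROP policy
# and the original br0/br1 rules; adds only an accept for frames staying on br1.
hardened_filter_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i br1 -o br1 -j ACCEPT
-A FORWARD -i br0 -o br1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i br1 -o br0 -j ACCEPT
-A FORWARD -j LOG
COMMIT
EOF
}

printf '%s\n' "$CAPTURE" | count_icmp 10.0.0.4 10.0.0.254   # requests=3 replies=0
printf '%s\n' "$FORWARD_HEADER" | forward_policy             # DROP 17439
```

Feed the real capture file and the real iptables -L -nv output to the two functions instead of the constructed samples; the rule set can be applied with iptables-restore after reviewing it.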