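Cannot ping a multi-homed Linux machine on a non-default interface

I have a multi-homed Ubuntu server with a set of interfaces, including:

    eth2: 10.10.0.131/24
    eth3: 10.20.0.2/24

The default interface is eth2, and the gateway is 10.10.0.1. Here is what the routing table looks like: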

    root@c220-1:~# netstat -rn
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    0.0.0.0         10.10.0.1       0.0.0.0         UG        0 0          0 eth2
    10.10.0.0       0.0.0.0         255.255.255.0   U         0 0          0 eth2
    10.20.0.0       0.0.0.0         255.255.255.0   U         0 0          0 eth3
    10.30.0.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
    10.40.0.0       0.0.0.0         255.255.0.0     U         0 0          0 eth1

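From a separate network (192.168.3.5/24), I can reach the machine on the eth2 interface (the one with the default gateway), but not on the eth3 interface. I can ping the eth3 interface from the router on the same network (10.20.0.1) without any problem.

If I ping 10.10.0.131 from 192.168.3.5, the packets reach the machine, but it does not send any reply: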

    c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 98: 192.168.3.5 > 10.20.0.2: ICMP echo request, id 5451, seq 0, length 64
    c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 98: 192.168.3.5 > 10.20.0.2: ICMP echo request, id 5451, seq 1, length 64
    c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 98: 192.168.3.5 > 10.20.0.2: ICMP echo request, id 5451, seq 2, length 64
    c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 98: 192.168.3.5 > 10.20.0.2: ICMP echo request, id 5451, seq 3, length 64
    c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 98: 192.168.3.5 > 10.20.0.2: ICMP echo request, id 5451, seq 4, length 64
    c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 98: 192.168.3.5 > 10.20.0.2: ICMP echo request, id 5451, seq 5, length 64
    c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 98: 192.168.3.5 > 10.20.0.2: ICMP echo request, id 5451, seq 6, length 64
    c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 98: 192.168.3.5 > 10.20.0.2: ICMP echo request, id 5451, seq 7, length 64

If I ping from the router on the same network (10.20.0.1), the server replies correctly:

    c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 114: 10.20.0.1 > 10.20.0.2: ICMP echo request, id 28899, seq 2932, length 80
    73:10:73:e4:10:06 > c4:c8:80:90:22:eb, IPv4, length 114: 10.20.0.2 > 10.20.0.1: ICMP echo reply, id 28899, seq 2932, length 80
    c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 114: 10.20.0.1 > 10.20.0.2: ICMP echo request, id 28899, seq 2932, length 80
    73:10:73:e4:10:06 > c4:c8:80:90:22:eb, IPv4, length 114: 10.20.0.2 > 10.20.0.1: ICMP echo reply, id 28899, seq 2932, length 80
    c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 114: 10.20.0.1 > 10.20.0.2: ICMP echo request, id 28899, seq 2932, length 80
    73:10:73:e4:10:06 > c4:c8:80:90:22:eb, IPv4, length 114: 10.20.0.2 > 10.20.0.1: ICMP echo reply, id 28899, seq 2932, length 80
    c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 114: 10.20.0.1 > 10.20.0.2: ICMP echo request, id 28899, seq 2932, length 80
    73:10:73:e4:10:06 > c4:c8:80:90:22:eb, IPv4, length 114: 10.20.0.2 > 10.20.0.1: ICMP echo reply, id 28899, seq 2932, length 80
    c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 114: 10.20.0.1 > 10.20.0.2: ICMP echo request, id 28899, seq 2932, length 80
    73:10:73:e4:10:06 > c4:c8:80:90:22:eb, IPv4, length 114: 10.20.0.2 > 10.20.0.1: ICMP echo reply, id 28899, seq 2932, length 80

Note that, following the answer to this similar question, I turned off rp_filter on all interfaces, but that does not solve the problem:

    $ for i in eth0 eth1 eth2 eth3 all default
    > do
    > cat /proc/sys/net/ipv4/conf/$i/rp_filter
    > done
    0
    0
    0
    0
    0
    0

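The problem is that, since the default route is via eth2, the ping reply is sent out through eth2 even though the request was received on eth3. (If you run tcpdump on eth2 you should see the replies being sent.) Then there is probably some device dropping those packets, because the source IP is not valid for the network they are on. You need some source policy routing so that replies are sent out of the interface the request was received on.

  1. Create a new routing table (this only needs to be done once):

     echo 13 eth3 >> /etc/iproute2/rt_tables

  2. Add a default route to this new table going out of eth3:

     ip route add default via 10.20.0.1 table eth3

  3. Add a policy rule that uses this new table for packets whose source address is eth3's IP:

     ip rule add from 10.20.0.2 lookup eth3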
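
The lookup that the three steps above change, modelled as an added example (not part of the original answer). It uses the routes and addresses from the question; the rule priority 32765, the function names, and leaving out the kernel's `local` table are assumptions of this sketch.

```python
import ipaddress

# Routes from the netstat output in the question: (prefix, gateway, device).
MAIN = [
    ("0.0.0.0/0", "10.10.0.1", "eth2"),
    ("10.10.0.0/24", None, "eth2"),
    ("10.20.0.0/24", None, "eth3"),
    ("10.30.0.0/24", None, "eth0"),
    ("10.40.0.0/16", None, "eth1"),
]
# Table from steps 1-2 of the answer. The gateway 10.20.0.1 sits on the
# connected 10.20.0.0/24 network, so the route leaves through eth3.
ETH3 = [("0.0.0.0/0", "10.20.0.1", "eth3")]
TABLES = {"main": MAIN, "eth3": ETH3}

# Policy rules as (priority, source selector, table name).
# 32766 is the stock rule that sends every packet to the main table.
RULES_BEFORE = [(32766, "0.0.0.0/0", "main")]
# Step 3 of the answer. Any priority below 32766 is evaluated before
# main; 32765 is an assumed value for this model.
RULES_AFTER = [(32765, "10.20.0.2/32", "eth3")] + RULES_BEFORE


def lookup(table, dst):
    """Longest-prefix match of dst in one table; (device, gateway) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gw, dev)
    return best and (best[2], best[1])


def egress(rules, src, dst):
    """Walk the rules by priority; the first table with a route wins."""
    for _prio, selector, name in sorted(rules):
        if ipaddress.ip_address(src) in ipaddress.ip_network(selector):
            hit = lookup(TABLES[name], dst)
            if hit:
                return hit
    return None
```

Because table eth3 holds only a default route, every packet sourced from 10.20.0.2 now goes to 10.20.0.1, including traffic to the server's other directly connected subnets. On the real host, `ip route get 192.168.3.5 from 10.20.0.2` shows the route the kernel selects.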

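"From a separate network (192.168.3.5/24), I can reach the machine on the eth2 interface (the one with the default gateway), but not on the eth3 interface. I can ping the eth3 interface from the router on the same network (10.20.0.1) without any problem."

This sounds like a route to 192.168.3.5/24 is missing from the 10.30.0/24 subnet. You should add a network diagram and traceroutes for each network from each device.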