Configuring a router/gateway on Ubuntu: cannot reach hosts beyond the ISP gateway (network map provided)

I am trying to configure a laptop running Ubuntu 11.04 (desktop) as a gateway (maybe a router is what is needed; this is somewhat confusing to me) so that I can share its Internet connection (incoming on eth0) over a WiFi card (wlan1). The problem is that on the gateway itself everything works fine, but from the local network (behind the laptop) no host outside my local ISP's network is reachable.

Here is the map of my ISP's network: [image: network map, not reproduced here]

My location is a small PC station in the lower-right corner of the image. From my gateway I can ping any host, but from a PC connected to it over WiFi I can ping any internal host (that is, any node in the picture below and to the left of the upper switch). As far as I can tell, my ISP's top-level gateway is 192.168.1.1 (directly below the upper switch), and it routes to two different external ISPs.

That is the barrier I cannot get past. Say the networks 195.19.50.64/29 and 89.188.114.64/29 have the respective gateways 195.19.50.65 and 89.188.114.65: I can ping them from my gateway, but not from any node connected to it.

Currently my gateway

dvolosnykh@xakac:~$ uname -a

    Linux xakac 2.6.38-9-generic #43-Ubuntu SMP Thu Apr 28 15:23:06 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux

is configured as follows:

dvolosnykh@xakac:~$ sudo cat /etc/network/interfaces

    auto lo
    iface lo inet loopback

    auto eth0
    iface eth0 inet static
        address 192.168.55.151
        netmask 255.255.255.0
        gateway 192.168.55.1

    auto wlan1
    iface wlan1 inet static
        address 10.42.43.1
        netmask 255.255.255.0

dvolosnykh@xakac:~$ ifconfig

    eth0      Link encap:Ethernet  HWaddr 00:90:f5:8c:4a:ac
              inet addr:192.168.55.151  Bcast:192.168.55.255  Mask:255.255.255.0
              inet6 addr: fe80::290:f5ff:fe8c:4aac/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:39179 errors:0 dropped:1062 overruns:0 frame:0
              TX packets:26225 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:14947312 (14.9 MB)  TX bytes:4679160 (4.6 MB)
              Interrupt:46 Base address:0x6000

    lo        Link encap:Локальная петля (Loopback)
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:1483 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1483 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:264884 (264.8 KB)  TX bytes:264884 (264.8 KB)

    mon.wlan1 Link encap:UNSPEC  HWaddr 00-1D-D9-29-00-6C-00-00-00-00-00-00-00-00-00-00
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:11017 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:709779 (709.7 KB)  TX bytes:0 (0.0 B)

    wlan1     Link encap:Ethernet  HWaddr 00:1d:d9:29:00:6c
              inet addr:10.42.43.1  Bcast:10.42.43.255  Mask:255.255.255.0
              inet6 addr: fe80::21d:d9ff:fe29:6c/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1746 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1846 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:273576 (273.5 KB)  TX bytes:1283725 (1.2 MB)

dvolosnykh@xakac:~$ iwconfig

    lo        no wireless extensions.

    eth0      no wireless extensions.

    wlan1     IEEE 802.11bg  Mode:Master  Frequency:2.412 GHz  Tx-Power=20 dBm
              Retry  long limit:7   RTS thr:off   Fragment thr:off
              Power Management:off

    mon.wlan1 IEEE 802.11bg  Mode:Monitor  Tx-Power=20 dBm
              Retry  long limit:7   RTS thr:off   Fragment thr:off
              Power Management:off

The Linux kernel is configured to forward packets between interfaces:

dvolosnykh@xakac:~$ sed 's/#.*//;s/^[ \t]*//;s/[ \t]*$//' /etc/sysctl.conf | grep -v '^$'

    net.ipv4.ip_forward=1
    net.ipv4.ip_dynaddr=1    # do I really need this one?

My iptables configuration:

    ============================================
    raw
    --------------------------------------------
    Chain PREROUTING (policy ACCEPT 2 packets, 120 bytes)
    num   pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 1 packets, 52 bytes)
    num   pkts bytes target     prot opt in     out     source               destination

    ============================================
    mangle
    --------------------------------------------
    Chain PREROUTING (policy ACCEPT 2 packets, 120 bytes)
    num   pkts bytes target     prot opt in     out     source               destination

    Chain INPUT (policy ACCEPT 2 packets, 120 bytes)
    num   pkts bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 1 packets, 52 bytes)
    num   pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 1 packets, 52 bytes)
    num   pkts bytes target     prot opt in     out     source               destination

    ============================================
    nat
    --------------------------------------------
    Chain PREROUTING (policy ACCEPT 1 packets, 68 bytes)
    num   pkts bytes target     prot opt in     out     source               destination

    Chain INPUT (policy ACCEPT 1 packets, 68 bytes)
    num   pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

    ============================================
    filter
    --------------------------------------------
    Chain INPUT (policy ACCEPT 2 packets, 120 bytes)
    num   pkts bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 1 packets, 52 bytes)
    num   pkts bytes target     prot opt in     out     source               destination

dvolosnykh@xakac:~$ route -n

    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.55.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
    10.42.43.0      0.0.0.0         255.255.255.0   U     0      0        0 wlan1
    169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
    0.0.0.0         192.168.55.1    0.0.0.0         UG    100    0        0 eth0

In addition, my gateway runs hostapd (turning the WiFi card into an access point):

dvolosnykh@xakac:~$ cat /etc/hostapd/hostapd.conf

    interface=wlan1
    driver=nl80211
    ssid=xakac
    hw_mode=g
    channel=1
    macaddr_acl=0
    auth_algs=1
    wpa=3
    wpa_passphrase=1234567890
    wpa_key_mgmt=WPA-PSK
    wpa_pairwise=TKIP

dnsmasq (as DNS and DHCP server):

dvolosnykh@xakac:~$ sed 's/#.*//;s/^[ \t]*//;s/[ \t]*$//' /etc/dnsmasq.conf | grep -v '^$'

    domain-needed
    bogus-priv
    interface=wlan1
    dhcp-range=10.42.43.10,10.42.43.254,12h
    log-dhcp
    log-facility=/var/log/dnsmasq.log

squid (as a transparent proxy):

dvolosnykh@xakac:~$ sed 's/#.*//;s/^[ \t]*//;s/[ \t]*$//' /etc/squid3/squid.conf | grep -v '^$'

    acl manager proto cache_object
    acl localhost src 127.0.0.1/32 ::1
    acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
    acl wifinet src 10.42.43.0/24
    acl virbr0net src 192.168.122.0/24
    acl SSL_ports port 443
    acl Safe_ports port 80
    acl Safe_ports port 21
    acl Safe_ports port 443
    acl Safe_ports port 70
    acl Safe_ports port 210
    acl Safe_ports port 1025-65535
    acl Safe_ports port 280
    acl Safe_ports port 488
    acl Safe_ports port 591
    acl Safe_ports port 777
    acl CONNECT method CONNECT
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow wifinet
    http_access allow virbr0net
    http_access allow localhost
    http_access deny all
    http_port 3128 transparent
    hierarchy_stoplist cgi-bin ?
    coredump_dir /var/spool/squid3
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern . 0 20% 4320

Note: if I hard-code the proxy on a client as 10.42.43.1:3128, browsing the web works. But if I set the client to connect to the Internet directly (in which case squid is bypassed by plain forwarding), I can only see my ISP's web pages.

Observing with tcpdump gives the following:

1) ping 192.168.1.1 (the same for other hosts inside the ISP):

    12:40:56.902020 IP 10.42.43.199 > inet.icn.bmstu.ru: ICMP echo request, id 1767, seq 1, length 64
    12:40:56.902669 IP inet.icn.bmstu.ru > 10.42.43.199: ICMP echo reply, id 1767, seq 1, length 64
    12:40:57.903821 IP 10.42.43.199 > inet.icn.bmstu.ru: ICMP echo request, id 1767, seq 2, length 64
    12:40:57.904360 IP inet.icn.bmstu.ru > 10.42.43.199: ICMP echo reply, id 1767, seq 2, length 64

2) ping 89.188.114.65 (the same for google.ru etc.):

    12:39:59.516094 IP 10.42.43.199 > 89.188.114.65: ICMP echo request, id 1766, seq 1, length 64
    12:40:00.524263 IP 10.42.43.199 > 89.188.114.65: ICMP echo request, id 1766, seq 2, length 64

EDIT

dvolosnykh@xakac-acer:~$ traceroute6 89.188.114.65

 traceroute: unknown host 89.188.114.65 

dvolosnykh@xakac-acer:~$ nslookup 89.188.114.65

    Server:         10.42.43.1
    Address:        10.42.43.1#53

    Non-authoritative answer:
    65.114.188.89.in-addr.arpa      canonical name = he.hoster.ru.

    Authoritative answers can be found from:
    hoster.ru
            origin = ns10.hoster.ru
            mail addr = info.filanco.ru
            serial = 2011051902
            refresh = 16384
            retry = 2048
            expire = 1048576
            minimum = 2560

EDIT 2

I ran tracepath (the result is equivalent to mtr's); both get stuck at 192.168.55.1 (that is the nearest gateway provided by the ISP, set statically in eth0's configuration):

    dvolosnykh@xakac-acer:~$ tracepath 89.188.114.65
     1:  xakac-acer                                            0.224ms pmtu 1500
     1:  10.42.43.1                                            1.028ms
     1:  10.42.43.1                                            0.599ms
     2:  192.168.55.1                                          1.296ms
     3:  no reply

tcpdump output while tracepath-ing:

    14:11:45.614219 IP 10.42.43.199.33956 > 89.188.114.65.44444: UDP, length 1472
    14:11:45.614313 IP xakac.local > 10.42.43.199: ICMP time exceeded in-transit, length 556
    14:11:45.615232 IP 10.42.43.199.54892 > xakac.local.domain: 53509+ PTR? 1.43.42.10.in-addr.arpa. (41)
    14:11:45.615386 IP xakac.local.domain > 10.42.43.199.54892: 53509 NXDomain* 0/0/0 (41)
    14:11:45.616155 IP 10.42.43.199.33956 > 89.188.114.65.44445: UDP, length 1472
    14:11:45.616186 IP xakac.local > 10.42.43.199: ICMP time exceeded in-transit, length 556
    14:11:45.616676 IP 10.42.43.199.49164 > xakac.local.domain: 48910+ PTR? 1.43.42.10.in-addr.arpa. (41)
    14:11:45.616760 IP xakac.local.domain > 10.42.43.199.49164: 48910 NXDomain* 0/0/0 (41)
    14:11:45.621798 IP 10.42.43.199.33956 > 89.188.114.65.44446: UDP, length 1472
    14:11:45.622538 IP serv5-2.icn.bmstu.ru > 10.42.43.199: ICMP time exceeded in-transit, length 36
    14:11:45.622999 IP 10.42.43.199.47676 > xakac.local.domain: 9789+ PTR? 1.55.168.192.in-addr.arpa. (43)
    14:11:45.623084 IP xakac.local.domain > 10.42.43.199.47676: 9789 NXDomain* 0/0/0 (43)
    14:11:45.623678 IP 10.42.43.199.33956 > 89.188.114.65.44447: UDP, length 1472
    14:11:45.718934 IP6 fe80::21d:d9ff:fe29:6c.mdns > ff02::fb.mdns: 0 PTR (QM)? 65.114.188.89.in-addr.arpa. (44)
    14:11:45.719012 IP xakac.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 65.114.188.89.in-addr.arpa. (44)
    14:11:46.625502 IP 10.42.43.199.33956 > 89.188.114.65.44448: UDP, length 1472
    14:11:46.719943 IP6 fe80::21d:d9ff:fe29:6c.mdns > ff02::fb.mdns: 0 PTR (QM)? 65.114.188.89.in-addr.arpa. (44)
    14:11:46.720079 IP xakac.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 65.114.188.89.in-addr.arpa. (44)

EDIT 3

So, we've caught it! Here is the tcpdump output on 192.168.55.151 while pinging 89.188.144.65 from a connected client:

On the WAN (eth0) interface:

    dvolosnykh@xakac:~$ sudo tcpdump -ni eth0 'icmp[icmptype] == icmp-echo or icmp[icmptype] == icmp-echoreply'
    [sudo] password for dvolosnykh:
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    00:24:38.556189 IP 192.168.55.151 > 89.188.114.65: ICMP echo request, id 2174, seq 1, length 64
    00:24:39.561864 IP 192.168.55.151 > 89.188.114.65: ICMP echo request, id 2174, seq 2, length 64
    00:24:39.627318 IP 89.188.114.65 > 192.168.55.151: ICMP echo reply, id 2174, seq 2, length 64
    00:24:40.571398 IP 192.168.55.151 > 89.188.114.65: ICMP echo request, id 2174, seq 3, length 64
    00:24:41.570572 IP 192.168.55.151 > 89.188.114.65: ICMP echo request, id 2174, seq 4, length 64
    00:24:41.591709 IP 89.188.114.65 > 192.168.55.151: ICMP echo reply, id 2174, seq 4, length 64
    00:24:42.577135 IP 192.168.55.151 > 89.188.114.65: ICMP echo request, id 2174, seq 5, length 64
    00:24:42.655270 IP 89.188.114.65 > 192.168.55.151: ICMP echo reply, id 2174, seq 5, length 64

On the LAN (wlan1) interface:

    dvolosnykh@xakac:~$ sudo tcpdump -ni wlan1 'icmp[icmptype] == icmp-echo or icmp[icmptype] == icmp-echoreply'
    [sudo] password for dvolosnykh:
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on wlan1, link-type EN10MB (Ethernet), capture size 65535 bytes
    00:24:38.556105 IP 10.42.43.199 > 89.188.114.65: ICMP echo request, id 2174, seq 1, length 64
    00:24:39.561820 IP 10.42.43.199 > 89.188.114.65: ICMP echo request, id 2174, seq 2, length 64
    00:24:40.571342 IP 10.42.43.199 > 89.188.114.65: ICMP echo request, id 2174, seq 3, length 64
    00:24:41.570546 IP 10.42.43.199 > 89.188.114.65: ICMP echo request, id 2174, seq 4, length 64
    00:24:42.577085 IP 10.42.43.199 > 89.188.114.65: ICMP echo request, id 2174, seq 5, length 64

So the replies coming from outside are not being NATed back (reverse masquerading).

Your tracepath output gives the answer. Something at 192.168.55.1 is stopping the packets from being routed properly or passed on. It could be a routing problem, it could be a firewall. If you have access to that machine, look at those two first.

Seeing that your wireless network hands out addresses in the 10.x.y.z range while the rest of the network runs on 192.168.a.b, those two are the most likely problems.

Running

    sudo tcpdump -nvvi eth0 'icmp[icmptype] == icmp-echo or icmp[icmptype] == icmp-echoreply'

I found that all the replies have TTL = 1:

    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    17:07:58.480713 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.55.151 > 89.188.114.65: ICMP echo request, id 27259, seq 1, length 64
    17:07:58.487796 IP (tos 0x0, ttl 1, id 44648, offset 0, flags [DF], proto ICMP (1), length 84)
        89.188.114.65 > 192.168.55.151: ICMP echo reply, id 27259, seq 1, length 64
    17:07:59.482058 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.55.151 > 89.188.114.65: ICMP echo request, id 27259, seq 2, length 64
    17:07:59.486828 IP (tos 0x0, ttl 1, id 44734, offset 0, flags [DF], proto ICMP (1), length 84)
        89.188.114.65 > 192.168.55.151: ICMP echo reply, id 27259, seq 2, length 64

So my ISP is kind enough to hand me packets that cannot go any further than the PC I am supposed to handle them on (they are meant to terminate there).

Well, no way :)

    iptables --table mangle --append PREROUTING --in-interface eth0 --jump TTL --ttl-inc 1

And I'm out. Yeah!
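The mechanism behind the TTL = 1 finding and the mangle-table fix, as an added example that is not part of the original post or its author's code: the script parses `tcpdump -nvv` lines of the shape quoted above (the four packets from that capture are embedded as the constructed sample, in tcpdump's two-line verbose layout), flags inbound echo replies whose TTL cannot survive another hop, and models the gateway's forwarding decision with and without the `TTL --ttl-inc 1` rule. The gateway address 192.168.55.151 and the client address 10.42.43.199 are taken from the page; the forwarding model is a deliberate simplification of the kernel's behaviour (PREROUTING mangle, then the conntrack reversal of MASQUERADE, then the `ttl <= 1` check in `ip_forward`).

```python
"""Added example (not from the original post): why replies arriving with
TTL 1 never reach a client behind a Linux NAT gateway, and what the mangle
PREROUTING TTL increment changes."""
import re
from dataclasses import dataclass

GATEWAY_WAN = "192.168.55.151"   # the gateway's eth0 address (from the page)
CLIENT_LAN = "10.42.43.199"      # the WiFi client behind it (from the page)

# Constructed sample: the four packets of the verbose capture quoted above,
# in tcpdump's two-line layout (header line, then an indented continuation).
SAMPLE = """\
17:07:58.480713 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.55.151 > 89.188.114.65: ICMP echo request, id 27259, seq 1, length 64
17:07:58.487796 IP (tos 0x0, ttl 1, id 44648, offset 0, flags [DF], proto ICMP (1), length 84)
    89.188.114.65 > 192.168.55.151: ICMP echo reply, id 27259, seq 1, length 64
17:07:59.482058 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.55.151 > 89.188.114.65: ICMP echo request, id 27259, seq 2, length 64
17:07:59.486828 IP (tos 0x0, ttl 1, id 44734, offset 0, flags [DF], proto ICMP (1), length 84)
    89.188.114.65 > 192.168.55.151: ICMP echo reply, id 27259, seq 2, length 64
"""

# Matches one joined verbose record; only the fields we need are captured.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(tos \S+, ttl (?P<ttl>\d+), .*?\) "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP (?P<kind>echo request|echo reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)


@dataclass
class Packet:
    ts: str
    ttl: int
    src: str
    dst: str
    kind: str
    icmp_id: int
    seq: int


def parse_tcpdump(text):
    """Join tcpdump's indented continuation lines, then parse each record."""
    records = []
    for line in text.splitlines():
        if line[:1].isspace() and records:
            records[-1] += " " + line.strip()
        else:
            records.append(line)
    packets = []
    for rec in records:
        m = LINE_RE.match(rec)
        if m:
            packets.append(Packet(m["ts"], int(m["ttl"]), m["src"], m["dst"],
                                  m["kind"], int(m["id"]), int(m["seq"])))
    return packets


def expiring_replies(packets):
    """(seq, ttl) of inbound replies to the gateway that cannot survive one more hop."""
    return [(p.seq, p.ttl) for p in packets
            if p.kind == "echo reply" and p.dst == GATEWAY_WAN and p.ttl <= 1]


def forward(pkt, ttl_inc=0):
    """Simplified model of a packet received on eth0 and destined for the LAN.

    1. mangle PREROUTING: optional TTL increment (the rule from the post).
    2. conntrack/nat: a reply to the MASQUERADEd address is rewritten back
       to the LAN client that sent the request.
    3. ip_forward: a packet whose TTL is already <= 1 is dropped and an ICMP
       time-exceeded goes back to the sender; otherwise TTL is decremented
       and the packet is sent out on wlan1.
    Returns (client_address, ttl_on_lan) or (None, reason).
    """
    ttl = pkt.ttl + ttl_inc
    dst = CLIENT_LAN if pkt.dst == GATEWAY_WAN else pkt.dst  # undo MASQUERADE
    if ttl <= 1:
        return None, f"dropped at gateway, ICMP time exceeded sent to {pkt.src}"
    return dst, ttl - 1


if __name__ == "__main__":
    pkts = parse_tcpdump(SAMPLE)
    print("inbound replies with TTL <= 1:", expiring_replies(pkts))
    for p in pkts:
        if p.kind == "echo reply":
            print(f"seq {p.seq} without ttl-inc:", forward(p))
            print(f"seq {p.seq} with    ttl-inc:", forward(p, ttl_inc=1))
```

Run against a live capture, `expiring_replies` is the check to keep: if an upstream device hands you replies with TTL 1, no routing or firewall change on your side will let a forwarding hop deliver them, and the symptom will look exactly like the "request leaves on eth0, reply never appears on wlan1" picture from EDIT 3. The TTL increment restores delivery but also means the gateway is forwarding packets the upstream marked as non-forwardable, which is worth noting in the configuration for whoever administers it next.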