Lor*_*ein 8 networking linux routing icmp
I have a multi-homed Ubuntu server with a set of interfaces:

```
eth2: 10.10.0.131/24
eth3: 10.20.0.2/24
```
The default interface is eth2, with gateway 10.10.0.1. This is what the routing table looks like:

```
root@c220-1:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.10.0.1       0.0.0.0         UG        0 0          0 eth2
10.10.0.0       0.0.0.0         255.255.255.0   U         0 0          0 eth2
10.20.0.0       0.0.0.0         255.255.255.0   U         0 0          0 eth3
10.30.0.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.40.0.0       0.0.0.0         255.255.0.0     U         0 0          0 eth1
```
From a separate network (192.168.3.5/24) I can reach this machine through the eth2 interface (the one with the default gateway), but not through the eth3 interface. I can ping the eth3 interface from the router on the same network (10.20.0.1) without any problem.

If I ping 10.10.0.131 from 192.168.3.5, the packets reach the machine, but it does not send any reply:
```
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 98: 192.168.3.5 > 10.20.0.2: ICMP echo request, id 5451, seq 0, length 64
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 98: 192.168.3.5 > 10.20.0.2: ICMP echo request, id 5451, seq 1, length 64
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 98: 192.168.3.5 > 10.20.0.2: ICMP echo request, id 5451, seq 2, length 64
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 98: 192.168.3.5 > 10.20.0.2: ICMP echo request, id 5451, seq 3, length 64
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 98: 192.168.3.5 > 10.20.0.2: ICMP echo request, id 5451, seq 4, length 64
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 98: 192.168.3.5 > 10.20.0.2: ICMP echo request, id 5451, seq 5, length 64
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 98: 192.168.3.5 > 10.20.0.2: ICMP echo request, id 5451, seq 6, length 64
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 98: 192.168.3.5 > 10.20.0.2: ICMP echo request, id 5451, seq 7, length 64
```
If I ping from the router on the same network (10.20.0.1), the server replies correctly:

```
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 114: 10.20.0.1 > 10.20.0.2: ICMP echo request, id 28899, seq 2932, length 80
73:10:73:e4:10:06 > c4:c8:80:90:22:eb, IPv4, length 114: 10.20.0.2 > 10.20.0.1: ICMP echo reply, id 28899, seq 2932, length 80
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 114: 10.20.0.1 > 10.20.0.2: ICMP echo request, id 28899, seq 2932, length 80
73:10:73:e4:10:06 > c4:c8:80:90:22:eb, IPv4, length 114: 10.20.0.2 > 10.20.0.1: ICMP echo reply, id 28899, seq 2932, length 80
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 114: 10.20.0.1 > 10.20.0.2: ICMP echo request, id 28899, seq 2932, length 80
73:10:73:e4:10:06 > c4:c8:80:90:22:eb, IPv4, length 114: 10.20.0.2 > 10.20.0.1: ICMP echo reply, id 28899, seq 2932, length 80
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 114: 10.20.0.1 > 10.20.0.2: ICMP echo request, id 28899, seq 2932, length 80
73:10:73:e4:10:06 > c4:c8:80:90:22:eb, IPv4, length 114: 10.20.0.2 > 10.20.0.1: ICMP echo reply, id 28899, seq 2932, length 80
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 114: 10.20.0.1 > 10.20.0.2: ICMP echo request, id 28899, seq 2932, length 80
73:10:73:e4:10:06 > c4:c8:80:90:22:eb, IPv4, length 114: 10.20.0.2 > 10.20.0.1: ICMP echo reply, id 28899, seq 2932, length 80
```
Note that, following the answer in this similar question, I turned off rp_filter on all interfaces, but it did not solve the problem:

```
$ for i in eth0 eth1 eth2 eth3 all default
> do
> cat /proc/sys/net/ipv4/conf/$i/rp_filter
> done
0
0
0
0
0
0
```
mgo*_*ven 18
The problem is that, because the default route is via eth2, the ping replies are sent out through eth2 even though the requests were received on eth3. (If you tcpdump eth2 you should see the replies being sent.) Some device along the way is then probably dropping the packets, because they carry a source IP that is invalid for the network they are on. You need some source policy routing so that the replies are sent out the interface they were received on.

Create a new routing table (this only needs to be done once):

```
echo 13 eth3 >> /etc/iproute2/rt_tables
```

Add a default route to this new table that goes out via eth3:

```
ip route add default via 10.20.0.1 table eth3
```

Add a policy rule that uses this new table for packets whose source address is eth3's IP:

```
ip rule add from 10.20.0.2 lookup eth3
```
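The following is an added example, not part of the question or the answer above: a small Python model of the Linux routing policy database (rules evaluated by priority, each selecting a table, then longest-prefix match inside that table) loaded with the routing table from the question. It shows why an echo reply sourced from 10.20.0.2 leaves via eth2 under the main table alone, and how the answer's extra table and rule move it to eth3. The rule priority (100) is an assumption; a real `ip rule add` without `pref` picks its own number. It also adds the connected route 10.20.0.0/24 to the eth3 table, which the answer does not include, so that on-link replies (to 10.20.0.1) are not sent to the gateway.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Route:
    dst: ipaddress.IPv4Network
    dev: str                       # egress interface
    via: Optional[str] = None      # next-hop address; None means directly connected

@dataclass
class Rule:
    priority: int
    table: str
    src: Optional[ipaddress.IPv4Network] = None   # None matches any source address

class PolicyRouter:
    """Toy model of the kernel's rule + FIB lookup (no local table, no metrics)."""

    def __init__(self) -> None:
        self.tables = {"main": []}
        # The kernel always has a 'main' rule at priority 32766 (constructed default).
        self.rules = [Rule(32766, "main")]

    def add_route(self, table: str, dst: str, dev: str, via: Optional[str] = None) -> None:
        self.tables.setdefault(table, []).append(Route(ipaddress.ip_network(dst), dev, via))

    def add_rule(self, priority: int, table: str, src: Optional[str] = None) -> None:
        net = ipaddress.ip_network(src) if src else None
        self.rules.append(Rule(priority, table, net))
        self.rules.sort(key=lambda r: r.priority)

    def lookup_table(self, table: str, dst: ipaddress.IPv4Address) -> Optional[Route]:
        # Longest-prefix match within one table.
        best = None
        for r in self.tables.get(table, []):
            if dst in r.dst and (best is None or r.dst.prefixlen > best.dst.prefixlen):
                best = r
        return best

    def route(self, src: str, dst: str) -> Optional[Tuple[str, Optional[str]]]:
        """Return (dev, via) for a packet src->dst, or None if unroutable."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for rule in self.rules:                       # lowest priority number first
            if rule.src is not None and s not in rule.src:
                continue                              # selector does not match
            hit = self.lookup_table(rule.table, d)
            if hit is not None:
                return hit.dev, hit.via
            # no route in the selected table: fall through to the next rule
        return None

def build_question_router() -> PolicyRouter:
    """Main table exactly as in the question's netstat -rn output (constructed)."""
    r = PolicyRouter()
    r.add_route("main", "0.0.0.0/0", "eth2", via="10.10.0.1")
    r.add_route("main", "10.10.0.0/24", "eth2")
    r.add_route("main", "10.20.0.0/24", "eth3")
    r.add_route("main", "10.30.0.0/24", "eth0")
    r.add_route("main", "10.40.0.0/16", "eth1")
    return r

def apply_answer(r: PolicyRouter) -> None:
    """Equivalent of the answer's 'ip route ... table eth3' and 'ip rule ... lookup eth3'."""
    r.add_route("eth3", "10.20.0.0/24", "eth3")            # connected route (added here, not in the answer)
    r.add_route("eth3", "0.0.0.0/0", "eth3", via="10.20.0.1")
    r.add_rule(100, "eth3", src="10.20.0.2/32")            # priority 100 is an assumption

def reply_egress(r: PolicyRouter, request_src: str, request_dst: str):
    """An echo reply swaps the request's addresses; route it from the server's point of view."""
    return r.route(src=request_dst, dst=request_src)

if __name__ == "__main__":
    r = build_question_router()
    print("before:", reply_egress(r, "192.168.3.5", "10.20.0.2"))   # eth2 via 10.10.0.1: wrong interface
    apply_answer(r)
    print("after: ", reply_egress(r, "192.168.3.5", "10.20.0.2"))   # eth3 via 10.20.0.1
    print("eth2 unchanged:", reply_egress(r, "192.168.3.5", "10.10.0.131"))
```

On the real host the same question is answered by `ip route get 192.168.3.5 from 10.20.0.2 iif eth3`, which should report `dev eth3` once the rule and table are in place; `ip rule show` and `ip route show table eth3` confirm the configuration, and both are lost at reboot unless they are added to the interface configuration.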