我有一台 Ubuntu 机器，它有两个 NIC：一个配置了公共 IP 地址，另一个配置在私有 IP 范围内（10.2.0.0）。
其他机器能够通过这两个地址 ping 通这台机器，但这台机器本身无法 ping 通私有网络上的其他机器。
除了下面列出的数据之外，我还应该检查什么来调试这个问题？
机器的数据(已编辑):
$ uname -a
Linux ubuntumachine 4.4.0-83-generic #106-Ubuntu SMP Mon lll kk 17:54:43 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ ifconfig -a
ensX Link encap:Ethernet HWaddr cc:dd:00:ee:2f:22
inet addr:216.245.aaa.bbb Bcast:216.245.aaa.159 Mask:255.255.255.248
inet6 addr: XXXX::YYYY:ff:fe97:2f22/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:28695 errors:0 dropped:0 overruns:0 frame:0
TX packets:29577 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3793406 (3.7 MB) TX bytes:4828424 (4.8 MB)
ensY Link encap:Ethernet HWaddr gg:hh:00:ii:2f:22
inet addr:10.2.0.1 Bcast:10.2.0.255 Mask:255.255.255.0
inet6 addr: ZZZZ::WWWW:ff:feee:d402/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:15 errors:0 dropped:0 overruns:0 frame:0
TX packets:103 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1302 (1.3 KB) TX bytes:5310 (5.3 KB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:797 errors:0 dropped:0 overruns:0 frame:0
TX packets:797 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:66kk8 (66.2 KB) TX bytes:66kk8 (66.2 KB)
$ netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 216.245.aaa.153 0.0.0.0 UG 0 0 0 ensX
10.2.0.0 0.0.0.0 255.255.255.0 U 0 0 0 ensY
216.245.aaa.152 0.0.0.0 255.255.255.248 U 0 0 0 ensX
$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 153-aaa-245-216 0.0.0.0 UG 0 0 0 ensX
10.2.0.0 * 255.255.255.0 U 0 0 0 ensY
localnet * 255.255.255.248 U 0 0 0 ensX
$ sudo lshw -c network
[sudo] password for ronbarak:
*-network:0
description: Ethernet interface
product: Virtio network device
vendor: Red Hat, Inc
physical id: 3
bus info: pci@0000:00:03.0
logical name: ensX
version: 00
serial: cc:dd:00:ee:2f:22
width: 32 bits
clock: 33MHz
capabilities: msix bus_master cap_list rom ethernet physical
configuration: autonegotiation=off broadcast=yes driver=virtio_net driverversion=1.0.0 ip=216.245.aaa.bbb latency=0 link=yes multicast=yes
resources: irq:11 ioport:c060(size=32) memory:fc092000-fc092fff memory:fc000000-fc03ffff
*-network:1
description: Ethernet interface
product: Virtio network device
vendor: Red Hat, Inc
physical id: 4
bus info: pci@0000:00:04.0
logical name: ensY
version: 00
serial: gg:hh:00:ii:2f:22
width: 32 bits
clock: 33MHz
capabilities: msix bus_master cap_list rom ethernet physical
configuration: autonegotiation=off broadcast=yes driver=virtio_net driverversion=1.0.0 ip=10.2.0.1 latency=0 link=yes multicast=yes
resources: irq:11 ioport:c080(size=32) memory:fc093000-fc093fff memory:fc040000-fc07ffff
$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto ensX
iface ensX inet static
address 216.245.aaa.bbb
netmask 255.255.255.248
network 216.245.aaa.152
broadcast 216.245.aaa.159
gateway 216.245.aaa.153
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 208.aaa.bbb.242 208.aaa.bbb.250
dns-search nimhq.net
# Internal interface
auto ensY
iface ensYinet static
address 10.2.0.1
netmask 255.255.255.0
$ service ufw status
● ufw.service - Uncomplicated firewall
Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: en
Active: active (exited) since Mon 2017-07-01 19:09:05 ZAST; 5h 29min ago
Process: 364 ExecStart=/lib/ufw/ufw-init start quiet (code=exited, status=0/
Main PID: 364 (code=exited, status=0/SUCCESS)
Tasks: 0
Memory: 0B
CPU: 0
CGroup: /system.slice/ufw.service
$ cat /etc/default/ufw
# /etc/default/ufw
#
# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
IPV6=yes
# Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_INPUT_POLICY="DROP"
# Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_OUTPUT_POLICY="ACCEPT"
# Set the default forward policy to ACCEPT, DROP or REJECT. Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="DROP"
# Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
# details
DEFAULT_APPLICATION_POLICY="SKIP"
# By default, ufw only touches its own chains. Set this to 'yes' to have ufw
# manage the built-in chains too. Warning: setting this to 'yes' will break
# non-ufw managed firewall rules
MANAGE_BUILTINS=no
#
# IPT backend
#
# only enable if using iptables backend
IPT_SYSCTL=/etc/ufw/sysctl.conf
# Extra connection tracking modules to load. Complete list can be found in
# net/netfilter/Kconfig of your kernel source. Some common modules:
# nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
# nf_conntrack_netbios_ns: NetBIOS (samba) client support
# nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
# nf_conntrack_ftp, nf_nat_ftp: active FTP support
# nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"
$ cat /etc/ufw/sysctl.conf
#
# Configuration file for setting network variables. Please note these settings
# override /etc/sysctl.conf. If you prefer to use /etc/sysctl.conf, please
# adjust IPT_SYSCTL in /etc/default/ufw.
#
# Uncomment this to allow this host to route packets between interfaces
#net/ipv4/ip_forward=1
#net/ipv6/conf/default/forwarding=1
#net/ipv6/conf/all/forwarding=1
# Turn on Source Address Verification in all interfaces to prevent some
# spoofing attacks
net/ipv4/conf/default/rp_filter=1
net/ipv4/conf/all/rp_filter=1
# Do not accept IP source route packets (we are not a router)
net/ipv4/conf/default/accept_source_route=0
net/ipv4/conf/all/accept_source_route=0
net/ipv6/conf/default/accept_source_route=0
net/ipv6/conf/all/accept_source_route=0
# Disable ICMP redirects. ICMP redirects are rarely used but can be used in
# MITM (man-in-the-middle) attacks. Disabling ICMP may disrupt legitimate
# traffic to those sites.
net/ipv4/conf/default/accept_redirects=0
net/ipv4/conf/all/accept_redirects=0
net/ipv6/conf/default/accept_redirects=0
net/ipv6/conf/all/accept_redirects=0
# Ignore bogus ICMP errors
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/icmp_ignore_bogus_error_responses=1
net/ipv4/icmp_echo_ignore_all=0
# Don't log Martian Packets (impossible packets)
net/ipv4/conf/default/log_martians=0
net/ipv4/conf/all/log_martians=0
# Change to '1' to enable TCP/IP SYN cookies This disables TCP Window Scaling
# (http://lkml.org/lkml/2008/2/5/167)
net/ipv4/tcp_syncookies=0
#net/ipv4/tcp_fin_timeout=30
#net/ipv4/tcp_keepalive_intvl=1800
# normally allowing tcp_sack is ok, but if going through OpenBSD 3.8 RELEASE or
# earlier pf firewall, should set this to 0
net/ipv4/tcp_sack=1
# Uncomment this to turn off ipv6 autoconfiguration
#net/ipv6/conf/default/autoconf=0
#net/ipv6/conf/all/autoconf=0
# Uncomment this to enable ipv6 privacy addressing
#net/ipv6/conf/default/use_tempaddr=2
#net/ipv6/conf/all/use_tempaddr=2
$ sudo service network-manager status
● network-manager.service
Loaded: not-found (Reason: No such file or directory)
Active: inactive (dead)
$ grep -ve "^#" /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1