机器无法连接到私有 IP(但可以连接到公共 IP)

我有一台 Ubuntu 机器,它有两个 NIC,一个配置了公共 IP 地址,另一个配置在私有 IP 范围内(10.2.0.0)。

其他机器可以通过这两个地址 ping 通该机器,但该机器本身无法 ping 通私有网络上的其他机器。

除了下面列出的数据之外,我还应该检查什么来调试该问题?


机器的数据(已编辑):

$ uname -a
Linux ubuntumachine 4.4.0-83-generic #106-Ubuntu SMP Mon lll kk 17:54:43 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ ifconfig -a
ensX      Link encap:Ethernet  HWaddr cc:dd:00:ee:2f:22
          inet addr:216.245.aaa.bbb  Bcast:216.245.aaa.159  Mask:255.255.255.248
          inet6 addr: XXXX::YYYY:ff:fe97:2f22/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:28695 errors:0 dropped:0 overruns:0 frame:0
          TX packets:29577 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3793406 (3.7 MB)  TX bytes:4828424 (4.8 MB)

ensY     Link encap:Ethernet  HWaddr gg:hh:00:ii:2f:22
          inet addr:10.2.0.1  Bcast:10.2.0.255  Mask:255.255.255.0
          inet6 addr: ZZZZ::WWWW:ff:feee:d402/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15 errors:0 dropped:0 overruns:0 frame:0
          TX packets:103 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1302 (1.3 KB)  TX bytes:5310 (5.3 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:797 errors:0 dropped:0 overruns:0 frame:0
          TX packets:797 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:66kk8 (66.2 KB)  TX bytes:66kk8 (66.2 KB)

$ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         216.245.aaa.153 0.0.0.0         UG        0 0          0 ensX
10.2.0.0        0.0.0.0         255.255.255.0   U         0 0          0 ensY
216.245.aaa.152 0.0.0.0         255.255.255.248 U         0 0          0 ensX

$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         153-aaa-245-216 0.0.0.0         UG    0      0        0 ensX
10.2.0.0        *               255.255.255.0   U     0      0        0 ensY
localnet        *               255.255.255.248 U     0      0        0 ensX

$ sudo lshw -c network
[sudo] password for ronbarak:
  *-network:0
       description: Ethernet interface
       product: Virtio network device
       vendor: Red Hat, Inc
       physical id: 3
       bus info: pci@0000:00:03.0
       logical name: ensX
       version: 00
       serial: cc:dd:00:ee:2f:22
       width: 32 bits
       clock: 33MHz
       capabilities: msix bus_master cap_list rom ethernet physical
       configuration: autonegotiation=off broadcast=yes driver=virtio_net driverversion=1.0.0 ip=216.245.aaa.bbb latency=0 link=yes multicast=yes
       resources: irq:11 ioport:c060(size=32) memory:fc092000-fc092fff memory:fc000000-fc03ffff
  *-network:1
       description: Ethernet interface
       product: Virtio network device
       vendor: Red Hat, Inc
       physical id: 4
       bus info: pci@0000:00:04.0
       logical name: ensY
       version: 00
       serial: gg:hh:00:ii:2f:22
       width: 32 bits
       clock: 33MHz
       capabilities: msix bus_master cap_list rom ethernet physical
       configuration: autonegotiation=off broadcast=yes driver=virtio_net driverversion=1.0.0 ip=10.2.0.1 latency=0 link=yes multicast=yes
       resources: irq:11 ioport:c080(size=32) memory:fc093000-fc093fff memory:fc040000-fc07ffff

$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto ensX
iface ensX inet static
        address 216.245.aaa.bbb
        netmask 255.255.255.248
        network 216.245.aaa.152
        broadcast 216.245.aaa.159
        gateway 216.245.aaa.153
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 208.aaa.bbb.242 208.aaa.bbb.250
        dns-search nimhq.net

# Internal interface
auto ensY
iface ensYinet static
  address 10.2.0.1
  netmask 255.255.255.0

$ service ufw status
? ufw.service - Uncomplicated firewall
   Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: en
   Active: active (exited) since Mon 2017-07-01 19:09:05 ZAST; 5h 29min ago
  Process: 364 ExecStart=/lib/ufw/ufw-init start quiet (code=exited, status=0/
 Main PID: 364 (code=exited, status=0/SUCCESS)
    Tasks: 0
   Memory: 0B
      CPU: 0
   CGroup: /system.slice/ufw.service

$ cat /etc/default/ufw
# /etc/default/ufw
#

# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
IPV6=yes

# Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_INPUT_POLICY="DROP"

# Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_OUTPUT_POLICY="ACCEPT"

# Set the default forward policy to ACCEPT, DROP or REJECT.  Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="DROP"

# Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
# details
DEFAULT_APPLICATION_POLICY="SKIP"

# By default, ufw only touches its own chains. Set this to 'yes' to have ufw
# manage the built-in chains too. Warning: setting this to 'yes' will break
# non-ufw managed firewall rules
MANAGE_BUILTINS=no

#
# IPT backend
#
# only enable if using iptables backend
IPT_SYSCTL=/etc/ufw/sysctl.conf

# Extra connection tracking modules to load. Complete list can be found in
# net/netfilter/Kconfig of your kernel source. Some common modules:
# nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
# nf_conntrack_netbios_ns: NetBIOS (samba) client support
# nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
# nf_conntrack_ftp, nf_nat_ftp: active FTP support
# nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"

$ cat /etc/ufw/sysctl.conf
#
# Configuration file for setting network variables. Please note these settings
# override /etc/sysctl.conf. If you prefer to use /etc/sysctl.conf, please
# adjust IPT_SYSCTL in /etc/default/ufw.
#

# Uncomment this to allow this host to route packets between interfaces
#net/ipv4/ip_forward=1
#net/ipv6/conf/default/forwarding=1
#net/ipv6/conf/all/forwarding=1

# Turn on Source Address Verification in all interfaces to prevent some
# spoofing attacks
net/ipv4/conf/default/rp_filter=1
net/ipv4/conf/all/rp_filter=1

# Do not accept IP source route packets (we are not a router)
net/ipv4/conf/default/accept_source_route=0
net/ipv4/conf/all/accept_source_route=0
net/ipv6/conf/default/accept_source_route=0
net/ipv6/conf/all/accept_source_route=0

# Disable ICMP redirects. ICMP redirects are rarely used but can be used in
# MITM (man-in-the-middle) attacks. Disabling ICMP may disrupt legitimate
# traffic to those sites.
net/ipv4/conf/default/accept_redirects=0
net/ipv4/conf/all/accept_redirects=0
net/ipv6/conf/default/accept_redirects=0
net/ipv6/conf/all/accept_redirects=0

# Ignore bogus ICMP errors
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/icmp_ignore_bogus_error_responses=1
net/ipv4/icmp_echo_ignore_all=0

# Don't log Martian Packets (impossible packets)
net/ipv4/conf/default/log_martians=0
net/ipv4/conf/all/log_martians=0

# Change to '1' to enable TCP/IP SYN cookies This disables TCP Window Scaling
# (http://lkml.org/lkml/2008/2/5/167)
net/ipv4/tcp_syncookies=0

#net/ipv4/tcp_fin_timeout=30
#net/ipv4/tcp_keepalive_intvl=1800

# normally allowing tcp_sack is ok, but if going through OpenBSD 3.8 RELEASE or
# earlier pf firewall, should set this to 0
net/ipv4/tcp_sack=1

# Uncomment this to turn off ipv6 autoconfiguration
#net/ipv6/conf/default/autoconf=0
#net/ipv6/conf/all/autoconf=0

# Uncomment this to enable ipv6 privacy addressing
#net/ipv6/conf/default/use_tempaddr=2
#net/ipv6/conf/all/use_tempaddr=2

$ sudo service network-manager  status
? network-manager.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)

$ grep -ve "^#" /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
