Centos 7上网关服务器配置问题

tag-icon tag-icon centos networking iptables forwarding gateway
Centos 7上网关服务器配置问题

我正在尝试将一台带有 Centos 7 和一个网络接口 (eth0) 的主机配置为网关。

问题是网关可以转发包,接收答案,但无法向主机发送响应:

Host --> Gateway --> Destination --> Gateway -/-> Host

实际上我可以在 tcpdump 中看到网关正在发送响应,但主机没有收到它。

tcpdumpnc -v 192.168.253.113 22请求:

  • 主持人:

    12:10:22.038563 11:11:11:11:11:11 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 74: 10.0.0.47.21739 > 192.168.253.113.ssh: Flags [S], seq 3208534021, win 29200, options [mss 1460,sackOK,TS val 259369415 ecr 0,nop,wscale 9], length 0
12:10:23.040527 11:11:11:11:11:11 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 74: 10.0.0.47.21739 > 192.168.253.113.ssh: Flags [S], seq 3208534021, win 29200, options [mss 1460,sackOK,TS val 259370418 ecr 0,nop,wscale 9], length 0

  • 网关:

    12:10:22.038972 11:11:11:11:11:11 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 74: 10.0.0.47.21739 > 192.168.253.113.ssh: Flags [S], seq 3208534021, win 29200, options [mss 1460,sackOK,TS val 259369415 ecr 0,nop,wscale 9], length 0
12:10:22.039017 22:22:22:22:22:22 > 33:33:33:33:33:33, ethertype IPv4 (0x0800), length 74: 10.0.0.19.21739 > 192.168.253.113.ssh: Flags [S], seq 3208534021, win 29200, options [mss 1460,sackOK,TS val 259369415 ecr 0,nop,wscale 9], length 0
12:10:22.140408 33:33:33:33:33:33 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 74: 192.168.253.113.ssh > 10.0.0.19.21739: Flags [S.], seq 2142167154, ack 3208534022, win 28480, options [mss 1436,sackOK,TS val 2418584010 ecr 259369415,nop,wscale 10], length 0
12:10:22.140427 22:22:22:22:22:22 > 11:11:11:11:11:11, ethertype IPv4 (0x0800), length 74: 192.168.253.113.ssh > 10.0.0.47.21739: Flags [S.], seq 2142167154, ack 3208534022, win 28480, options [mss 1436,sackOK,TS val 2418584010 ecr 259369415,nop,wscale 10], length 0
12:10:23.040940 11:11:11:11:11:11 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 74: 10.0.0.47.21739 > 192.168.253.113.ssh: Flags [S], seq 3208534021, win 29200, options [mss 1460,sackOK,TS val 259370418 ecr 0,nop,wscale 9], length 0
12:10:23.040958 22:22:22:22:22:22 > 33:33:33:33:33:33, ethertype IPv4 (0x0800), length 74: 10.0.0.19.21739 > 192.168.253.113.ssh: Flags [S], seq 3208534021, win 29200, options [mss 1460,sackOK,TS val 259370418 ecr 0,nop,wscale 9], length 0
12:10:23.141986 33:33:33:33:33:33 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 74: 192.168.253.113.ssh > 10.0.0.19.21739: Flags [S.], seq 2142167154, ack 3208534022, win 28480, options [mss 1436,sackOK,TS val 2418584260 ecr 259369415,nop,wscale 10], length 0
12:10:23.141998 22:22:22:22:22:22 > 11:11:11:11:11:11, ethertype IPv4 (0x0800), length 74: 192.168.253.113.ssh > 10.0.0.47.21739: Flags [S.], seq 2142167154, ack 3208534022, win 28480, options [mss 1436,sackOK,TS val 2418584260 ecr 259369415,nop,wscale 10], length 0

当我尝试使用网关作为目的地(nc -v 10.0.0.19 22)的相同请求时,一切正常:

  • 主持人:

    12:16:46.222903 11:11:11:11:11:11 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 74: 10.0.0.47.46354 > 10.0.0.19.ssh: Flags [S], seq 725877336, win 29200, options [mss 1460,sackOK,TS val 259753600 ecr 0,nop,wscale 9], length 0
12:16:46.224050 22:22:22:22:22:22 > 11:11:11:11:11:11, ethertype IPv4 (0x0800), length 74: 10.0.0.19.ssh > 10.0.0.47.46354: Flags [S.], seq 3167329297, ack 725877337, win 28960, options [mss 1460,sackOK,TS val 96976164 ecr 259753600,nop,wscale 9], length 0
12:16:46.224104 11:11:11:11:11:11 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 66: 10.0.0.47.46354 > 10.0.0.19.ssh: Flags [.], ack 1, win 58, options [nop,nop,TS val 259753601 ecr 96976164], length 0
12:16:46.232678 22:22:22:22:22:22 > 11:11:11:11:11:11, ethertype IPv4 (0x0800), length 87: 10.0.0.19.ssh > 10.0.0.47.46354: Flags [P.], seq 1:22, ack 1, win 57, options [nop,nop,TS val 96976173 ecr 259753601], length 21
12:16:46.232731 11:11:11:11:11:11 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 66: 10.0.0.47.46354 > 10.0.0.19.ssh: Flags [.], ack 22, win 58, options [nop,nop,TS val 259753610 ecr 96976173], length 0
12:16:49.692764 11:11:11:11:11:11 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 66: 10.0.0.47.46354 > 10.0.0.19.ssh: Flags [F.], seq 1, ack 22, win 58, options [nop,nop,TS val 259757070 ecr 96976173], length 0
12:16:49.693905 22:22:22:22:22:22 > 11:11:11:11:11:11, ethertype IPv4 (0x0800), length 66: 10.0.0.19.ssh > 10.0.0.47.46354: Flags [F.], seq 22, ack 2, win 57, options [nop,nop,TS val 96979634 ecr 259757070], length 0
12:16:49.693938 11:11:11:11:11:11 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 66: 10.0.0.47.46354 > 10.0.0.19.ssh: Flags [.], ack 23, win 58, options [nop,nop,TS val 259757071 ecr 96979634], length 0

  • 网关:

    12:16:46.223731 11:11:11:11:11:11 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 74: 10.0.0.47.46354 > 10.0.0.19.ssh: Flags [S], seq 725877336, win 29200, options [mss 1460,sackOK,TS val 259753600 ecr 0,nop,wscale 9], length 0
12:16:46.223793 22:22:22:22:22:22 > 11:11:11:11:11:11, ethertype IPv4 (0x0800), length 74: 10.0.0.19.ssh > 10.0.0.47.46354: Flags [S.], seq 3167329297, ack 725877337, win 28960, options [mss 1460,sackOK,TS val 96976164 ecr 259753600,nop,wscale 9], length 0
12:16:46.224401 11:11:11:11:11:11 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 66: 10.0.0.47.46354 > 10.0.0.19.ssh: Flags [.], ack 1, win 58, options [nop,nop,TS val 259753601 ecr 96976164], length 0
12:16:46.232728 22:22:22:22:22:22 > 11:11:11:11:11:11, ethertype IPv4 (0x0800), length 87: 10.0.0.19.ssh > 10.0.0.47.46354: Flags [P.], seq 1:22, ack 1, win 57, options [nop,nop,TS val 96976173 ecr 259753601], length 21
12:16:46.233033 11:11:11:11:11:11 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 66: 10.0.0.47.46354 > 10.0.0.19.ssh: Flags [.], ack 22, win 58, options [nop,nop,TS val 259753610 ecr 96976173], length 0
12:16:49.693106 11:11:11:11:11:11 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 66: 10.0.0.47.46354 > 10.0.0.19.ssh: Flags [F.], seq 1, ack 22, win 58, options [nop,nop,TS val 259757070 ecr 96976173], length 0
12:16:49.693928 22:22:22:22:22:22 > 11:11:11:11:11:11, ethertype IPv4 (0x0800), length 66: 10.0.0.19.ssh > 10.0.0.47.46354: Flags [F.], seq 22, ack 2, win 57, options [nop,nop,TS val 96979634 ecr 259757070], length 0
12:16:49.694218 11:11:11:11:11:11 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 66: 10.0.0.47.46354 > 10.0.0.19.ssh: Flags [.], ack 23, win 58, options [nop,nop,TS val 259757071 ecr 96979634], length 0

我也可以从网关到主机做同样的事情。

我不知道可能出了什么问题。这是我的网关配置:

路线:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG    100    0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     100    0        0 eth0

网关上的 Iptables(使用 保存iptables-save):

*filter
:INPUT ACCEPT [46:4191]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [38:11217]
-A FORWARD -i eth0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [19:1044]
:INPUT ACCEPT [13:684]
:OUTPUT ACCEPT [10:1312]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

我所做的是:

echo 1 > /proc/sys/net/ipv4/ip_forward
echo FORWARD_IPV4=true >> /etc/sysconfig/network
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -j ACCEPT

答案1

我没有看到您设置任何到远程主机的特定路由。

为了允许主机到达远程主机(假设它位于不同的网络上),它需要一条到达那里的路由。而远程主机本身需要知道如何回到该主机,这就需要一条路由返回到本地主机所在的网络。

如果远程主机位于 10.0.5.0/24 等网络中,远程网关位于 10.0.5.1。您的本地网关是:10.0.3.1,您的本地网络是:10.0.3.0/24。在本地主机上添加静态路由: ip route add 10.0.5.0/24 via 10.0.3.1

并在远程主机上添加另一个静态路由:

ip route add 10.0.3.0/24 via 10.0.5.1

这就是我在与您类似的情况下配置网络的方法。

相关内容