No connection between devices on the local network

I have a home server that also serves as a router (gateway). It has 2 interfaces, one for the Internet (enp4s0) and the other (enp4s1) facing the local network. All devices on the local network use the Internet via enp4s0 (through masquerading and a dnsmasq setup), and that works fine, but I cannot ping any device inside the LAN from the gateway, and the only device I can ping from a device in the LAN is the gateway. There is also port forwarding, which works well (I can reach devices in the LAN on the forwarded ports, but only from a remote host). What am I doing wrong?

Here is my configuration:

smt-server ~ # iptables-save
*nat
:PREROUTING ACCEPT [3059:171583]
:INPUT ACCEPT [2567:132938]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A OUTPUT -d X.X.X.X/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -o enp4s0 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [372724122:553710820064]
:INPUT ACCEPT [365684276:547976820091]
:FORWARD ACCEPT [7037750:5732930849]
:OUTPUT ACCEPT [193052833:10399179735]
:POSTROUTING ACCEPT [200090538:16132105927]
COMMIT
*filter
:INPUT ACCEPT [2775:188343]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2604:109020]
:DOCKER - [0:0]
-A FORWARD -i enp4s1 -o enp4s0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 192.168.0.0/24 -o enp4s1 -j ACCEPT
COMMIT

smt-server ~ # ip ro list
default via X.X.X.X dev enp4s0  metric 204
169.254.0.0/16 dev enp4s1  proto kernel  scope link  src 169.254.151.102  metric 205
172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1 linkdown
X.X.X.X/24 dev enp4s0  proto kernel  scope link  src X.X.X.X  metric 204
192.168.0.0/24 dev enp4s1  proto kernel  scope link  src 192.168.0.1

smt-server ~ # ip link list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp4s2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
    link/ether 00:80:48:28:1e:57 brd ff:ff:ff:ff:ff:ff
3: enp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
    link/ether 50:e5:49:e4:43:4d brd ff:ff:ff:ff:ff:ff
4: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 00:13:d3:9a:af:33 brd ff:ff:ff:ff:ff:ff
5: enp4s1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether e8:cc:18:e8:c6:90 brd ff:ff:ff:ff:ff:ff
6: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN mode DEFAULT group default
    link/sit 0.0.0.0 brd 0.0.0.0
7: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
    link/ether 02:42:16:6c:f2:cf brd ff:ff:ff:ff:ff:ff

smt-server ~ # ip add list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp4s2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 00:80:48:28:1e:57 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::91f4:69a4:2375:9e71/64 scope link tentative
       valid_lft forever preferred_lft forever
3: enp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 50:e5:49:e4:43:4d brd ff:ff:ff:ff:ff:ff
    inet6 fe80::59e:56ea:7de3:cd5e/64 scope link tentative
       valid_lft forever preferred_lft forever
4: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:13:d3:9a:af:33 brd ff:ff:ff:ff:ff:ff
    inet X.X.X.X/24 brd X.X.X.X scope global enp4s0
       valid_lft forever preferred_lft forever
    inet6 fe80::5c50:880a:b7ba:7b38/64 scope link
       valid_lft forever preferred_lft forever
5: enp4s1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether e8:cc:18:e8:c6:90 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 scope global enp4s1
       valid_lft forever preferred_lft forever
    inet 169.254.151.102/16 brd 169.254.255.255 scope global enp4s1
       valid_lft forever preferred_lft forever
    inet6 fe80::f987:2ed0:61ed:ddaf/64 scope link
       valid_lft forever preferred_lft forever
6: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default
    link/sit 0.0.0.0 brd 0.0.0.0
7: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:16:6c:f2:cf brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::ee83:8058:deee:dd8c/64 scope link
       valid_lft forever preferred_lft forever

smt-server ~ # sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1

smt-server ~ # cat /etc/dnsmasq.conf
interface=enp4s1
dhcp-range=192.168.0.100,192.168.0.250,72h

smt-server ~ # netstat -rna
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         X.X.X.X         0.0.0.0         UG        0 0          0 enp4s0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 enp4s1
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
X.X.X.X         0.0.0.0         255.255.255.0   U         0 0          0 enp4s0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 enp4s1

To avoid being asked "are you stupid? do you really want to reach devices behind NAT?" - no, I am trying to reach devices that are reachable via the DMZ.

Also, I have 3 spare Ethernet ports on my server, and I wonder whether I can connect all of them to one LAN? (This is not very important, but it would be nice to use them anyway.)

UPD: here is the script I use to configure the LAN:

#!/bin/bash
# Gateway setup: NAT traffic from the LAN interface(s) ($targets) out through
# the Internet-facing interface ($source).

source="enp4s0"    # Internet-facing interface
targets="enp4s1"   # LAN-facing interface(s)

# Enable IPv4 forwarding and reload the persistent sysctl settings
sysctl -w net.ipv4.ip_forward=1 &> /dev/null
sysctl -p &> /dev/null

# Start from empty POSTROUTING (nat) and FORWARD (filter) chains
iptables -t nat -F POSTROUTING
iptables -F FORWARD

for iface in $targets; do
    # Assign the gateway address; the error when it is already present is silenced
    ip addr add 192.168.0.1/24 dev "$iface" &> /dev/null
    # Allow new connections from the LAN out to the Internet
    iptables -A FORWARD -i "$iface" -o "$source" -j ACCEPT
done

# Allow replies (and related traffic) back through, in either direction
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Source-NAT everything leaving on the Internet interface
iptables -t nat -A POSTROUTING -o "$source" -j MASQUERADE
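As an added example (not the poster's script and not part of any answer), the same gateway configuration expressed as an iptables-restore ruleset with default-deny INPUT and FORWARD chains instead of the ACCEPT policies shown in the iptables-save output above; with `:FORWARD ACCEPT`, the explicit FORWARD rules in the question never decide anything, since everything the WAN side can route to 192.168.0.0/24 is forwarded anyway. Interface names and the LAN subnet are taken from the question; the port forward of TCP 80 to 192.168.0.10 is a hypothetical placeholder, and the `POSTED_RULESET` excerpt is constructed from the question's output.

```sh
#!/bin/sh
# Added example, not the poster's script: generate an iptables-restore ruleset for a
# two-interface gateway with default-deny INPUT and FORWARD chains.
# Assumptions: WAN=enp4s0, LAN=enp4s1, LAN subnet 192.168.0.0/24 (from the post);
# the forwarded service (TCP 80 -> 192.168.0.10) is a hypothetical placeholder.

# gen_ruleset WAN LAN LAN_NET [FWD_PORT FWD_DST]  -> ruleset on stdout
gen_ruleset() {
    wan=$1; lan=$2; lan_net=$3; fwd_port=${4:-}; fwd_dst=${5:-}

    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
EOF
    # A port forward for remote clients belongs in PREROUTING: a DNAT rule in the
    # nat OUTPUT chain only sees packets generated by the gateway itself.
    if [ -n "$fwd_port" ]; then
        echo "-A PREROUTING -i $wan -p tcp --dport $fwd_port -j DNAT --to-destination $fwd_dst:$fwd_port"
    fi
    cat <<EOF
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -s $lan_net -j ACCEPT
-A INPUT -i $wan -p icmp -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
EOF
    # With FORWARD defaulting to DROP, the DNATed flow needs its own accept rule;
    # under the ACCEPT policy from the question it passes without one, together
    # with anything else the WAN side can route at the LAN subnet.
    if [ -n "$fwd_port" ]; then
        echo "-A FORWARD -i $wan -o $lan -d $fwd_dst -p tcp --dport $fwd_port -m conntrack --ctstate NEW -j ACCEPT"
    fi
    echo "COMMIT"
}

# forward_policy: read an iptables-save dump on stdin and print the filter-table
# FORWARD policy (ACCEPT or DROP). The mangle table has its own FORWARD chain, so
# the current table header is tracked instead of matching ":FORWARD" anywhere.
forward_policy() {
    awk '/^\*/ { table = $1 } table == "*filter" && /^:FORWARD / { print $2 }'
}

# Constructed excerpt of the question's iptables-save output, for forward_policy
POSTED_RULESET='*mangle
:FORWARD ACCEPT [7037750:5732930849]
COMMIT
*filter
:INPUT ACCEPT [2775:188343]
:FORWARD ACCEPT [0:0]
COMMIT'

# Stand-alone run: print the hardened ruleset, then the policy found in each
gen_ruleset enp4s0 enp4s1 192.168.0.0/24 80 192.168.0.10
printf 'posted FORWARD policy: %s\n' "$(printf '%s\n' "$POSTED_RULESET" | forward_policy)"
printf 'generated FORWARD policy: %s\n' "$(gen_ruleset enp4s0 enp4s1 192.168.0.0/24 | forward_policy)"
```

The INPUT chain here only admits loopback, established traffic, the LAN, and ICMP from the WAN, so any service the gateway itself exposes needs its own INPUT rule; pipe the generated text into `iptables-restore` to apply it (or into `iptables-restore --test`, where the installed iptables supports it, to parse-check it first).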

Answer 1

Please check that the netmask and broadcast on the clients are configured correctly - they should match the parameters on the gw. Another idea - if you use a managed switch on the LAN - check that no feature such as private VLAN is enabled on it.
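As an added example (not part of the answer above and not the poster's configuration), the netmask/broadcast comparison the answer suggests, done in shell: it derives network and broadcast addresses from CIDR notation, compares a client's values with the gateway's 192.168.0.1/24 from the question, and pulls the client's address out of an `ip -4 addr show` excerpt. The client addresses and the excerpt are constructed for illustration.

```sh
#!/bin/sh
# Added example, not the answer's or the poster's code: compare a client's
# address/prefix with the gateway's, as the answer suggests.
# Assumption: the gateway is 192.168.0.1/24 on enp4s1 (from the question);
# all client values below are constructed for illustration.

ip2int() {                     # dotted quad -> 32-bit integer
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

int2ip() {                     # 32-bit integer -> dotted quad
    n=$1
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

prefix2mask() {                # prefix length -> integer netmask
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

split_cidr() {                 # "a.b.c.d/n" -> ADDR and PLEN
    ADDR=${1%/*}; PLEN=${1#*/}
}

network_of() {                 # "a.b.c.d/n" -> network address
    split_cidr "$1"
    int2ip $(( $(ip2int "$ADDR") & $(prefix2mask "$PLEN") ))
}

broadcast_of() {               # "a.b.c.d/n" -> directed broadcast address
    split_cidr "$1"
    mask=$(prefix2mask "$PLEN")
    int2ip $(( ($(ip2int "$ADDR") & mask) | (~mask & 0xFFFFFFFF) ))
}

# check_client CLIENT_CIDR GATEWAY_CIDR -> "ok", or a "mismatch: ..." line naming
# whichever of network or broadcast differs. A /16 client on a /24 gateway shares
# the network address but not the broadcast, so both are compared.
check_client() {
    c_net=$(network_of "$1"); g_net=$(network_of "$2")
    c_bc=$(broadcast_of "$1"); g_bc=$(broadcast_of "$2")
    if [ "$c_net" != "$g_net" ]; then
        echo "mismatch: client network $c_net vs gateway network $g_net"
    elif [ "$c_bc" != "$g_bc" ]; then
        echo "mismatch: client broadcast $c_bc vs gateway broadcast $g_bc"
    else
        echo "ok"
    fi
}

# cidr_from_ip_addr: first "inet a.b.c.d/n" from `ip -4 addr show` text on stdin
cidr_from_ip_addr() {
    awk '$1 == "inet" { print $2; exit }'
}

# Constructed `ip -4 addr show dev eth0` excerpt from a client that got /16 instead of /24
SAMPLE_CLIENT='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 192.168.0.150/16 brd 192.168.255.255 scope global eth0'

GATEWAY=192.168.0.1/24

client=$(printf '%s\n' "$SAMPLE_CLIENT" | cidr_from_ip_addr)
echo "client $client vs gateway $GATEWAY: $(check_client "$client" "$GATEWAY")"
echo "client 192.168.0.150/24 vs gateway $GATEWAY: $(check_client 192.168.0.150/24 "$GATEWAY")"
```

On a real client, `ip -4 addr show dev eth0 | cidr_from_ip_addr` gives the first argument for `check_client`, and the gateway's own value comes from the `ip add list` output in the question.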
