我有一台家庭服务器,它也可以用作路由器(网关)。它有 2 个接口,一个用于互联网(enp4s0
),另一个(enp4s1
)用于查看本地网络。本地网络中的所有设备都使用互联网enp4s0
(通过masquerading
和设置dnsmasq
),并且运行正常,但我无法从网关 ping 通 LAN 内的任何设备,我可以从 LAN 中的设备 ping 通的唯一设备是网关。此外还有端口转发,运行良好(我可以访问已转发端口的 LAN 中的设备,但只能从远程主机访问)。我做错了什么?
这是我的配置:
smt-server ~ # iptables-save
*nat
:PREROUTING ACCEPT [3059:171583]
:INPUT ACCEPT [2567:132938]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A OUTPUT -d X.X.X.X/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -o enp4s0 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [372724122:553710820064]
:INPUT ACCEPT [365684276:547976820091]
:FORWARD ACCEPT [7037750:5732930849]
:OUTPUT ACCEPT [193052833:10399179735]
:POSTROUTING ACCEPT [200090538:16132105927]
COMMIT
*filter
:INPUT ACCEPT [2775:188343]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2604:109020]
:DOCKER - [0:0]
-A FORWARD -i enp4s1 -o enp4s0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 192.168.0.0/24 -o enp4s1 -j ACCEPT
COMMIT
smt-server ~ # ip ro list
default via X.X.X.X dev enp4s0 metric 204
169.254.0.0/16 dev enp4s1 proto kernel scope link src 169.254.151.102 metric 205
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
X.X.X.X/24 dev enp4s0 proto kernel scope link src X.X.X.X metric 204
192.168.0.0/24 dev enp4s1 proto kernel scope link src 192.168.0.1
smt-server ~ # ip link list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp4s2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
link/ether 00:80:48:28:1e:57 brd ff:ff:ff:ff:ff:ff
3: enp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
link/ether 50:e5:49:e4:43:4d brd ff:ff:ff:ff:ff:ff
4: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether 00:13:d3:9a:af:33 brd ff:ff:ff:ff:ff:ff
5: enp4s1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether e8:cc:18:e8:c6:90 brd ff:ff:ff:ff:ff:ff
6: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN mode DEFAULT group default
link/sit 0.0.0.0 brd 0.0.0.0
7: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:16:6c:f2:cf brd ff:ff:ff:ff:ff:ff
smt-server ~ # ip add list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp4s2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 00:80:48:28:1e:57 brd ff:ff:ff:ff:ff:ff
inet6 fe80::91f4:69a4:2375:9e71/64 scope link tentative
valid_lft forever preferred_lft forever
3: enp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 50:e5:49:e4:43:4d brd ff:ff:ff:ff:ff:ff
inet6 fe80::59e:56ea:7de3:cd5e/64 scope link tentative
valid_lft forever preferred_lft forever
4: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:13:d3:9a:af:33 brd ff:ff:ff:ff:ff:ff
inet X.X.X.X/24 brd X.X.X.X scope global enp4s0
valid_lft forever preferred_lft forever
inet6 fe80::5c50:880a:b7ba:7b38/64 scope link
valid_lft forever preferred_lft forever
5: enp4s1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether e8:cc:18:e8:c6:90 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.1/24 scope global enp4s1
valid_lft forever preferred_lft forever
inet 169.254.151.102/16 brd 169.254.255.255 scope global enp4s1
valid_lft forever preferred_lft forever
inet6 fe80::f987:2ed0:61ed:ddaf/64 scope link
valid_lft forever preferred_lft forever
6: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default
link/sit 0.0.0.0 brd 0.0.0.0
7: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:16:6c:f2:cf brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::ee83:8058:deee:dd8c/64 scope link
valid_lft forever preferred_lft forever
smt-server ~ # sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
smt-server ~ # cat /etc/dnsmasq.conf
interface=enp4s1
dhcp-range=192.168.0.100,192.168.0.250,72h
smt-server ~ # netstat -rna
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 X.X.X.X 0.0.0.0 UG 0 0 0 enp4s0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 enp4s1
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
X.X.X.X 0.0.0.0 255.255.255.0 U 0 0 0 enp4s0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 enp4s1
为了避免被问到“你是傻子吗?你真的想访问 NAT 后面的设备吗?” - 不,我正尝试访问可以通过 DMZ 访问的设备。
另外,我的服务器上还有 3 个空的以太网端口,我想知道是否可以将它们全部连接到一个 LAN?(这不是很重要,但无论如何,使用此功能确实很好)
UPD:这是我用来配置 LAN 的脚本:
#!/bin/bash
source="enp4s0"
targets="enp4s1"
sysctl -w net.ipv4.ip_forward=1 &> /dev/null
sysctl -p &> /dev/null
iptables -t nat -F POSTROUTING
iptables -F FORWARD
for iface in $targets; do
ip addr add 192.168.0.1/24 dev $iface &> /dev/null
iptables -A FORWARD -i $iface -o $source -j ACCEPT &> /dev/null
done
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT &> /dev/null
iptables -t nat -F POSTROUTING &> /dev/null
iptables -t nat -A POSTROUTING -o $source -j MASQUERADE &> /dev/null
答案1
请检查客户端上的网络掩码和广播是否配置正确 - 其应与 gw 上的参数匹配。另一个想法是 - 如果您在 LAN 上使用托管交换机 - 检查其上是否未启用诸如专用 VLAN 之类的功能。