路由：同一设备上的多个接口/子网

2024-6-3 • tag-icon

我的网络使用基于 Debian 的网关。它有四个接口：

eth0：动态（连接到ISP）
eth1:
- ip 192.168.1.1
- 连接到交换机
- dnsmasq 为连接的客户端分配 IP 地址 (192.168.1.*)
eth2:
- ip 192.168.2.1
- 连接到交换机
- dnsmasq 为连接的客户端分配 IP 地址 (192.168.2.*)
wlan0：静止的
- ip 192.168.3.1
- 充当 AP
- dnsmasq 为连接的客户端分配 IP 地址 (192.168.3.*)

通过任一接口连接的客户端都能够访问互联网并能够访问网关上的服务：

从 192.168.3.111 ping 192.168.1.1 有效
从 192.168.1.110 ping 192.168.3.1 有效

客户是不能联系其他子网上的客户端：

从 192.168.3.111 ping 192.168.1.40 不起作用

ip route显示以下内容：

default via 80.0.0.1 dev eth0 
80.0.0.0/24 dev eth0 proto kernel scope link src 80.0.0.7 
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1 
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.1 linkdown 
192.168.3.0/24 dev wlan0 proto kernel scope link src 192.168.3.1

iptables不是问题

cat /proc/sys/net/ipv4/ip_forward回报1

问题：如何实现所有客户都能够相互联系没有调整每个客户端的网络设置？

补充信息`iptables-save -c`：：

# Generated by iptables-save v1.6.0 on Sat Feb  2 19:03:01 2019
*mangle
:PREROUTING ACCEPT [7068132:2249036546]
:INPUT ACCEPT [6634829:1954826260]
:FORWARD ACCEPT [432992:294164216]
:OUTPUT ACCEPT [3915469:40516939510]
:POSTROUTING ACCEPT [4348507:40811115290]
COMMIT
# Completed on Sat Feb  2 19:03:01 2019
# Generated by iptables-save v1.6.0 on Sat Feb  2 19:03:01 2019
*nat
:PREROUTING ACCEPT [3681:370156]
:INPUT ACCEPT [1605:106410]
:OUTPUT ACCEPT [6748:465680]
:POSTROUTING ACCEPT [325:26525]
[171:12116] -A POSTROUTING -o eth0 -j MASQUERADE
[7374:521015] -A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
# Completed on Sat Feb  2 19:03:01 2019
# Generated by iptables-save v1.6.0 on Sat Feb  2 19:03:01 2019
*filter
:INPUT DROP [219:37927]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:garbage - [0:0]
[4503:318377] -A INPUT -i lo -j ACCEPT
[3186066:177042527] -A INPUT -i eth1 -j ACCEPT
[16:3840] -A INPUT -i eth2 -j ACCEPT
[523:97073] -A INPUT -i wlan0 -j ACCEPT
[2130075:1081232616] -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[1312840:695988466] -A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -d 192.168.3.130/32 -i eth0 -j REJECT --reject-with icmp-port-unreachable
[798:139319] -A INPUT -j garbage
[5797:6921736] -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
[5902:682788] -A FORWARD -i eth1 -o eth0 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i eth2 -o eth0 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i wlan0 -o eth0 -j ACCEPT
[0:0] -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i eth0 -o tun0 -j ACCEPT
[0:0] -A FORWARD -i eth1 -o eth2 -j ACCEPT
[0:0] -A FORWARD -i eth2 -o eth1 -j ACCEPT
[42490:6707236] -A FORWARD -i eth1 -o wlan0 -j ACCEPT
[42582:6765739] -A FORWARD -i wlan0 -o eth1 -j ACCEPT
[224512:260134799] -A FORWARD -i tun0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
[97009:7301815] -A FORWARD -i eth1 -o tun0 -j ACCEPT
[0:0] -A FORWARD -i tun0 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i eth2 -o tun0 -j ACCEPT
[0:0] -A FORWARD -i eth2 -o wlan0 -j ACCEPT
[0:0] -A FORWARD -i wlan0 -o eth2 -j ACCEPT
[7517:1453488] -A FORWARD -i wlan0 -o tun0 -j ACCEPT
[7178:4193761] -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -s 192.168.10.0/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
[0:0] -A FORWARD -s 192.168.10.0/24 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
[0:0] -A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT
[0:0] -A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT
[0:0] -A FORWARD -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
[0:0] -A FORWARD -j garbage
[0:0] -A OUTPUT -d 192.168.0.0/16 -o wlan0 -p tcp -m tcp --sport 9091 -m owner --uid-owner 109 -j ACCEPT
[0:0] -A OUTPUT -d 192.168.0.0/16 -o wlan0 -p udp -m udp --sport 9091 -m owner --uid-owner 109 -j ACCEPT
[2131:982946] -A OUTPUT -d 192.168.0.0/16 -o eth1 -p tcp -m tcp --sport 9091 -m owner --uid-owner 109 -j ACCEPT
[0:0] -A OUTPUT -d 192.168.0.0/16 -o eth1 -p udp -m udp --sport 9091 -m owner --uid-owner 109 -j ACCEPT
[0:0] -A OUTPUT -d 192.168.0.0/16 -o eth2 -p tcp -m tcp --sport 9091 -m owner --uid-owner 109 -j ACCEPT
[0:0] -A OUTPUT -d 192.168.0.0/16 -o eth2 -p udp -m udp --sport 9091 -m owner --uid-owner 109 -j ACCEPT
[1026585:1247589085] -A OUTPUT -o tun0 -m owner --uid-owner 109 -j ACCEPT
[218:15112] -A OUTPUT -o lo -m owner --uid-owner 109 -j ACCEPT
[0:0] -A OUTPUT -m owner --uid-owner 109 -j REJECT --reject-with icmp-port-unreachable
[4285:303265] -A OUTPUT -o lo -j ACCEPT
[643670:37873467432] -A OUTPUT -o eth1 -j ACCEPT
[16:3840] -A OUTPUT -o eth2 -j ACCEPT
[479:110432] -A OUTPUT -o wlan0 -j ACCEPT
[2230895:1393337874] -A OUTPUT -o eth0 -j ACCEPT
[7182:1129654] -A OUTPUT -o tun0 -j ACCEPT
[0:0] -A OUTPUT -j garbage
[0:0] -A garbage -p icmp -j LOG --log-prefix "DROP ICMP-Packet: "
[355:109444] -A garbage -p udp -j LOG --log-prefix "DROP UDP-Packet: "
[1022:131267] -A garbage -p tcp -j LOG --log-prefix "DROP TCP-Packet: "
COMMIT
# Completed on Sat Feb  2 19:03:01 2019

激活`tcpdump`时间：

ping 192.168.1.110来自 192.168.3.130（100% 丢包）
ping 192.168.3.140来自 192.168.1.110（0.0% 丢包）
从 192.168.3.140 访问 192.168.1.40:5000（无响应）

总结自tcpdump：

77136 个数据包捕获
77363 个数据包被过滤器接收
0 个数据包被内核丢弃

分析`tcpdump`（已过滤的 ICMP 条目）

ping从 192.168.3.130 到 192.168.1.40：

14:33:10.404428 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 1, length 64
14:33:11.443861 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 2, length 64
14:33:12.483868 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 3, length 64
14:33:13.523863 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 4, length 64
14:33:14.563859 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 5, length 64
14:33:15.603854 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 6, length 64
14:33:16.643855 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 7, length 64
14:33:17.683844 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 8, length 64
14:33:18.723842 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 9, length 64
14:33:19.763853 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 10, length 64

wlan0（接口上的相应条目3-子网）在网关处：

14:33:10.506374 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 1, length 64
14:33:11.549063 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 2, length 64
14:33:12.589103 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 3, length 64
14:33:13.629124 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 4, length 64
14:33:14.669151 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 5, length 64
14:33:15.709198 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 6, length 64
14:33:16.749188 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 7, length 64
14:33:17.789169 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 8, length 64
14:33:18.829243 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 9, length 64

eth1（接口上的相应条目1-子网）在网关处：

14:33:10.506430 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 1, length 64
14:33:10.506703 IP 192.168.1.40 > pizerow: ICMP echo reply, id 15599, seq 1, length 64
14:33:11.549119 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 2, length 64
14:33:11.549373 IP 192.168.1.40 > pizerow: ICMP echo reply, id 15599, seq 2, length 64
14:33:12.589157 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 3, length 64
14:33:12.589431 IP 192.168.1.40 > pizerow: ICMP echo reply, id 15599, seq 3, length 64
14:33:13.629182 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 4, length 64
14:33:13.629458 IP 192.168.1.40 > pizerow: ICMP echo reply, id 15599, seq 4, length 64
14:33:14.669207 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 5, length 64
14:33:14.669486 IP 192.168.1.40 > pizerow: ICMP echo reply, id 15599, seq 5, length 64
14:33:15.709273 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 6, length 64
14:33:15.709547 IP 192.168.1.40 > pizerow: ICMP echo reply, id 15599, seq 6, length 64
14:33:16.749244 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 7, length 64
14:33:16.749522 IP 192.168.1.40 > pizerow: ICMP echo reply, id 15599, seq 7, length 64
14:33:17.789224 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 8, length 64
14:33:17.789496 IP 192.168.1.40 > pizerow: ICMP echo reply, id 15599, seq 8, length 64
14:33:18.829295 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 9, length 64
14:33:18.829574 IP 192.168.1.40 > pizerow: ICMP echo reply, id 15599, seq 9, length 64
14:33:19.869300 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 10, length 64
14:33:19.869576 IP 192.168.1.40 > pizerow: ICMP echo reply, id 15599, seq 10, length 64

`tcpdump`没有 iptables 防火墙

运行以下命令：

#!/bin/sh
iptables=/sbin/iptables
$iptables -F
$iptables -X
$iptables -Z
$iptables -t nat -F
$iptables -t nat -X
$iptables -t filter -F
$iptables -t mangle -F
$iptables -t mangle -X
echo 1 > /proc/sys/net/ipv4/ip_forward
$iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
$iptables -P INPUT ACCEPT
$iptables -P OUTPUT ACCEPT
$iptables -P FORWARD ACCEPT

ping -c 5 192.168.1.40来自 192.168.3.130：100% 丢包

tcpdump在wlan0网关接口上：

16:04:15.653830 IP pizerow > 192.168.1.40: ICMP echo request, id 16003, seq 1, length 64
16:04:16.663534 IP pizerow > 192.168.1.40: ICMP echo request, id 16003, seq 2, length 64
16:04:17.705299 IP pizerow > 192.168.1.40: ICMP echo request, id 16003, seq 3, length 64
16:04:18.743570 IP pizerow > 192.168.1.40: ICMP echo request, id 16003, seq 4, length 64
16:04:19.783548 IP pizerow > 192.168.1.40: ICMP echo request, id 16003, seq 5, length 64

tcpdump在eth1网关接口上：

16:04:15.653895 IP pizerow > 192.168.1.40: ICMP echo request, id 16003, seq 1, length 64
16:04:15.654178 IP 192.168.1.40 > pizerow: ICMP echo reply, id 16003, seq 1, length 64
16:04:16.663579 IP pizerow > 192.168.1.40: ICMP echo request, id 16003, seq 2, length 64
16:04:16.663848 IP 192.168.1.40 > pizerow: ICMP echo reply, id 16003, seq 2, length 64
16:04:17.705391 IP pizerow > 192.168.1.40: ICMP echo request, id 16003, seq 3, length 64
16:04:17.705676 IP 192.168.1.40 > pizerow: ICMP echo reply, id 16003, seq 3, length 64
16:04:18.743631 IP pizerow > 192.168.1.40: ICMP echo request, id 16003, seq 4, length 64
16:04:18.743907 IP 192.168.1.40 > pizerow: ICMP echo reply, id 16003, seq 4, length 64
16:04:19.783596 IP pizerow > 192.168.1.40: ICMP echo request, id 16003, seq 5, length 64

补充信息iptables-save -c：：

激活tcpdump时间：

分析tcpdump（已过滤的 ICMP 条目）

tcpdump没有 iptables 防火墙

相关内容

补充信息`iptables-save -c`：：

激活`tcpdump`时间：

分析`tcpdump`（已过滤的 ICMP 条目）

`tcpdump`没有 iptables 防火墙