I am trying to copy packets from machine A to machine B. When I ping machine B from machine A, I get a ping response. When I ping machine A from machine B, I get no response. Machine A has 1 network interface. Machine B has two network interfaces, where eth0 is on a different subnet from machine A and eth1 is on the same subnet as machine A.
Machine B (eth1) can ping 10.0.3.1 (the gateway) but cannot ping 10.0.3.100 (machine A).
Both machines are running on AWS.
This is machine B (the ping is not working):
SELinux is set to permissive.
iptables -L:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ip route show table all:
default via 10.0.3.1 dev eth1 table 1000
10.0.3.102 dev eth1 table 1000 scope link
default via 10.0.4.1 dev eth0
10.0.3.0/24 dev eth1 proto kernel scope link src 10.0.3.102
10.0.4.0/24 dev eth0 proto kernel scope link src 10.0.4.100
169.254.0.0/16 dev eth0 scope link metric 1002
169.254.0.0/16 dev eth1 scope link metric 1003
broadcast 10.0.3.0 dev eth1 table local proto kernel scope link src 10.0.3.102
local 10.0.3.102 dev eth1 table local proto kernel scope host src 10.0.3.102
broadcast 10.0.3.255 dev eth1 table local proto kernel scope link src 10.0.3.102
broadcast 10.0.4.0 dev eth0 table local proto kernel scope link src 10.0.4.100
local 10.0.4.100 dev eth0 table local proto kernel scope host src 10.0.4.100
broadcast 10.0.4.255 dev eth0 table local proto kernel scope link src 10.0.4.100
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
unreachable ::/96 dev lo metric 1024 error -113 pref medium
unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113 pref medium
unreachable 2002:a00::/24 dev lo metric 1024 error -113 pref medium
unreachable 2002:7f00::/24 dev lo metric 1024 error -113 pref medium
unreachable 2002:a9fe::/32 dev lo metric 1024 error -113 pref medium
unreachable 2002:ac10::/28 dev lo metric 1024 error -113 pref medium
unreachable 2002:c0a8::/32 dev lo metric 1024 error -113 pref medium
unreachable 2002:e000::/19 dev lo metric 1024 error -113 pref medium
unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113 pref medium
fe80::/64 dev eth0 proto kernel metric 256 mtu 9001 pref medium
fe80::/64 dev eth1 proto kernel metric 256 mtu 9001 pref medium
unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
local ::1 dev lo table local proto unspec metric 0 pref medium
local fe80::3f:c2ff:fe84:c930 dev lo table local proto unspec metric 0 pref medium
local fe80::ff:4ff:fefb:9a86 dev lo table local proto unspec metric 0 pref medium
ff00::/8 dev eth0 table local metric 256 mtu 9001 pref medium
ff00::/8 dev eth1 table local metric 256 mtu 9001 pref medium
unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
ip rule show table 1000:
32764: from all to 10.0.3.102 lookup 1000
32765: from 10.0.3.102 lookup 1000
ifconfig:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9001
inet 10.0.4.100 netmask 255.255.255.0 broadcast 10.0.4.255
inet6 fe80::3f:c2ff:fe84:c930 prefixlen 64 scopeid 0x20<link>
ether someMac txqueuelen 1000 (Ethernet)
RX packets 1497 bytes 125307 (122.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1198 bytes 120891 (118.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9001
inet 10.0.3.102 netmask 255.255.255.0 broadcast 10.0.3.255
inet6 fe80::ff:4ff:fefb:9a86 prefixlen 64 scopeid 0x20<link>
ether someMac txqueuelen 1000 (Ethernet)
RX packets 88 bytes 5003 (4.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 105 bytes 6414 (6.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 6 bytes 416 (416.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 6 bytes 416 (416.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
This is machine A:
iptables -L:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
iptables -t mangle -L:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
TEE all -- anywhere anywhere TEE gw:ip-10-0-3-102.ec2.internal
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ip route show table all:
default via 10.0.3.1 dev eth0
10.0.3.0/24 dev eth0 proto kernel scope link src 10.0.3.100
169.254.0.0/16 dev eth0 scope link metric 1002
broadcast 10.0.3.0 dev eth0 table local proto kernel scope link src 10.0.3.100
local 10.0.3.100 dev eth0 table local proto kernel scope host src 10.0.3.100
broadcast 10.0.3.255 dev eth0 table local proto kernel scope link src 10.0.3.100
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
unreachable ::/96 dev lo metric 1024 error -113 pref medium
unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113 pref medium
unreachable 2002:a00::/24 dev lo metric 1024 error -113 pref medium
unreachable 2002:7f00::/24 dev lo metric 1024 error -113 pref medium
unreachable 2002:a9fe::/32 dev lo metric 1024 error -113 pref medium
unreachable 2002:ac10::/28 dev lo metric 1024 error -113 pref medium
unreachable 2002:c0a8::/32 dev lo metric 1024 error -113 pref medium
unreachable 2002:e000::/19 dev lo metric 1024 error -113 pref medium
unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113 pref medium
fe80::/64 dev eth0 proto kernel metric 256 mtu 9001 pref medium
unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
local ::1 dev lo table local proto unspec metric 0 pref medium
local fe80::c0:a5ff:fe89:d238 dev lo table local proto unspec metric 0 pref medium
ff00::/8 dev eth0 table local metric 256 mtu 9001 pref medium
unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
ifconfig:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9001
inet 10.0.3.100 netmask 255.255.255.0 broadcast 10.0.3.255
inet6 fe80::c0:a5ff:fe89:d238 prefixlen 64 scopeid 0x20<link>
ether someMac txqueuelen 1000 (Ethernet)
RX packets 8096 bytes 4591057 (4.3 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 6275 bytes 521551 (509.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 6 bytes 416 (416.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 6 bytes 416 (416.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
I am trying to get a copy of all traffic from machine A (eth0) to machine B (eth1), while still using machine B (eth0) to reach the internet (which works now). I think this is a routing problem, but I cannot find it; most searches seem to cover firewall problems (see iptables), netmasks (they match) and routing problems (I cannot find the problem).
The mangle table counters seem to be increasing, so packets are being copied, but tcpdump shows that machine B (eth1) is not receiving the packets. That is the end goal^
/etc/sysconfig/network:
NETWORKING=yes
GATEWAYDEV=eth0
/etc/sysconfig/network-scripts/ifcfg-eth1:
DEVICE=eth1
NAME=eth1
HWADDR=02:ff:04:fb:9a:86
BOOTPROTO=static
ONBOOT=yes
TYPE=Ethernet
USERCTL=no
NM_CONTROLLED=no
IPADDR=10.0.3.102
NETMASK=255.255.255.128
/etc/sysconfig/network-scripts/route-eth1:
default via 10.0.3.1 dev eth1 table 1000
10.0.3.102 dev eth1 table 1000
/etc/sysconfig/network-scripts/rule-eth1:
from 10.0.3.102 lookup 1000
to 10.0.3.102 lookup 1000
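To see which table and route machine B's policy routing actually picks for a given (source, destination) pair, here is a small lookup simulator written for this edit (it is not from the question, the answer, or any tool) over the `ip rule` and `ip route show table all` output quoted above; it assumes only the IPv4 entries, leaves out the kernel's local table (rule 0), and uses a constructed TEST-NET address for the internet-bound case.

```python
import ipaddress

# Rules and routes transcribed from machine B's `ip rule` / `ip route show
# table all` output in the question. The kernel's local table (rule 0) and
# the IPv6 entries are deliberately left out of this constructed model.
RULES = [  # (priority, from, to, table)
    (32764, None, "10.0.3.102/32", 1000),   # from all to 10.0.3.102 lookup 1000
    (32765, "10.0.3.102/32", None, 1000),   # from 10.0.3.102 lookup 1000
    (32766, None, None, "main"),            # implicit: from all lookup main
]
ROUTES = {  # table -> [(prefix, dev, gateway or None for on-link)]
    1000: [("0.0.0.0/0", "eth1", "10.0.3.1"),
           ("10.0.3.102/32", "eth1", None)],
    "main": [("0.0.0.0/0", "eth0", "10.0.4.1"),
             ("10.0.3.0/24", "eth1", None),
             ("10.0.4.0/24", "eth0", None)],
}

def _selector_matches(selector, addr):
    """An absent selector ("from all" / no "to") matches every address."""
    return selector is None or ipaddress.ip_address(addr) in ipaddress.ip_network(selector)

def lookup_table(table, dst):
    """Longest-prefix match of dst within one routing table; None if no route."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, gw in ROUTES.get(table, []):
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    return best

def route(src, dst, rules=RULES):
    """Policy-routing decision the way the kernel makes it: walk the rules by
    priority; the first matching rule whose table holds a route for dst wins,
    and a matching rule whose lookup finds nothing falls through to the next."""
    for _prio, frm, to, table in sorted(rules, key=lambda r: r[0]):
        if _selector_matches(frm, src) and _selector_matches(to, dst):
            hit = lookup_table(table, dst)
            if hit is not None:
                net, dev, gw = hit
                return {"table": table, "prefix": str(net), "dev": dev, "gw": gw}
    return None

if __name__ == "__main__":
    # A reply from eth1's address to machine A, and an internet-bound packet from eth0
    # (198.51.100.7 is a constructed TEST-NET-2 address).
    for src, dst in [("10.0.3.102", "10.0.3.100"), ("10.0.4.100", "198.51.100.7")]:
        print(src, "->", dst, route(src, dst))
```

Note that a reply from 10.0.3.102 to 10.0.3.100 is sent to the gateway 10.0.3.1 via table 1000 rather than on-link, because table 1000 has no 10.0.3.0/24 connected route; the main table only applies to traffic that does not carry eth1's address.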
Answer 1
I solved it. It was an AWS security group that was not set up correctly and was blocking ingress. The ip rule was changed from "from 10.0.3.102" to "from 10.0.3.100". The rest of the setup was correct.