So I'm trying to set up routing with iproute so that a client subnet can reach a firewalled internet uplink through a different interface.
The server has four interfaces:
2: enp2s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether a0:36:9f:e6:7a:9e brd ff:ff:ff:ff:ff:ff
inet 10.20.30.1/16 brd 10.20.255.255 scope global enp2s0f0
valid_lft forever preferred_lft forever
inet6 fe80::a236:9fff:fee6:7a9e/64 scope link
valid_lft forever preferred_lft forever
3: enp2s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether a0:36:9f:e6:7a:9f brd ff:ff:ff:ff:ff:ff
inet 10.132.128.70/26 brd 10.132.128.127 scope global enp2s0f1
valid_lft forever preferred_lft forever
inet6 fe80::a236:9fff:fee6:7a9f/64 scope link
valid_lft forever preferred_lft forever
4: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether ac:1f:6b:00:d1:ce brd ff:ff:ff:ff:ff:ff
inet 10.132.128.71/26 brd 10.132.128.127 scope global eno1
valid_lft forever preferred_lft forever
inet6 fe80::ae1f:6bff:fe00:d1ce/64 scope link
valid_lft forever preferred_lft forever
5: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether ac:1f:6b:00:d1:cf brd ff:ff:ff:ff:ff:ff
inet 172.16.10.1/21 brd 172.16.15.255 scope global eno2
valid_lft forever preferred_lft forever
inet6 fe80::ae1f:6bff:fe00:d1cf/64 scope link
valid_lft forever preferred_lft forever
Clients can connect to the 10.20.0.0/16 subnet and get an IP address via DHCP. They should then be able to reach the internet through the interface enp2s0f1. This interface is a firewalled internet uplink, with the gateway at 10.132.128.65. I have no control over the firewall.
The routing rules and tables are as follows:
Table local:
broadcast 10.20.0.0 dev enp2s0f0 proto kernel scope link src 10.20.30.1
local 10.20.30.1 dev enp2s0f0 proto kernel scope host src 10.20.30.1
broadcast 10.20.255.255 dev enp2s0f0 proto kernel scope link src 10.20.30.1
broadcast 10.132.128.64 dev eno1 proto kernel scope link src 10.132.128.71
broadcast 10.132.128.64 dev enp2s0f1 proto kernel scope link src 10.132.128.70
local 10.132.128.70 dev enp2s0f1 proto kernel scope host src 10.132.128.70
local 10.132.128.71 dev eno1 proto kernel scope host src 10.132.128.71
broadcast 10.132.128.127 dev eno1 proto kernel scope link src 10.132.128.71
broadcast 10.132.128.127 dev enp2s0f1 proto kernel scope link src 10.132.128.70
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 172.16.0.0 dev tap0 proto kernel scope link src 172.16.0.66
local 172.16.0.66 dev tap0 proto kernel scope host src 172.16.0.66
broadcast 172.16.3.255 dev tap0 proto kernel scope link src 172.16.0.66
broadcast 172.16.8.0 dev eno2 proto kernel scope link src 172.16.10.1
local 172.16.10.1 dev eno2 proto kernel scope host src 172.16.10.1
broadcast 172.16.15.255 dev eno2 proto kernel scope link src 172.16.10.1
Table main:
10.20.0.0/16 dev enp2s0f0 scope link src 10.20.30.1
10.132.128.64/26 dev eno1 proto kernel scope link src 10.132.128.71
10.132.128.64/26 dev enp2s0f1 proto kernel scope link src 10.132.128.70
172.16.0.0/22 dev tap0 proto kernel scope link src 172.16.0.66
172.16.8.0/21 dev eno2 proto kernel scope link src 172.16.10.1
Table default:
default via 10.132.128.65 dev eno1 onlink
I tried setting up a route like this:
echo 200 clients >> /etc/iproute2/rt_tables
ip rule add from 10.20.0.0/16 lookup clients
ip route add default via 10.132.128.70 dev enp2s0f1 table clients
ip route flush cache
But that didn't work. So I kept trying to change the routing rule to
from 10.20.30.1 lookup clients
//and
from iif enp2s0f0 lookup clients
but I still can't connect to the interface. I tested with
ping -I enp2s0f0 10.132.128.70
Since the rule seemed fine, I tried different routes:
ip route add 10.20.0.0/16 dev enp2s0f0 table clients
ip route add 10.132.128.64/26 via 10.132.128.65 dev enp2s0f1 table clients
ip route add 10.132.128.64/26 via 10.20.30.1 dev enp2s0f1 table clients
ip route add default 10.20.0.0/16 via 10.132.128.65 dev enp2s0f1 table clients
As you may have guessed, by now I've just confused myself. If I understand it correctly, it works like this:
ip route add {source_network} via {gateway} dev {output_device} table clients
Or have I got it wrong? One more thing: when I do
ip route get 10.132.128.65 // where we want to end up
the result is
10.132.128.65 dev eno1 src 10.132.128.71
cache
So it seems the route in the default table overrides the clients table rule... but the clients table rule is active, because changes in the clients table change the connectivity of clients in the 10.20.0.0/16 network.
If any information is missing, I'll gladly provide it.
Thanks in advance!
Answer 1
Your configuration below seems fine:
echo 200 clients >> /etc/iproute2/rt_tables
ip rule add from 10.20.0.0/16 lookup clients
ip route add default via 10.132.128.70 dev enp2s0f1 table clients
I assume you are testing the ping on the router, not on a client. Then your ping command
ping -I enp2s0f0 10.132.128.70
is wrong. In fact, 10.132.128.70 is a local address (the router's own address). The ICMP request will then stay local and will not be sent out via enp2s0f1 or eno1.
Instead, you could try
ping -I enp2s0f0 10.132.128.65
Depending on the firewall, you may or may not see ping/ICMP replies, but you can at least check that the packets are sent through the correct interface (enp2s0f1). To make sure, you can use tcpdump:
tcpdump -i enp2s0f1 ip host 10.132.128.65
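To see why "ip route get 10.132.128.65" on the router answers with eno1 while traffic sourced from 10.20.0.0/16 is steered into the clients table, and why a ping to 10.132.128.70 never leaves the box, here is an added Python model of the kernel's lookup order (rules by priority, longest prefix within a table) over the tables transcribed from the question as posted. It is example code written for this page, not part of the original thread or of iproute2.

```python
import ipaddress

# Route tables transcribed from the question (only the entries needed here).
# Entry: (prefix, outgoing device, next hop or None). Within a table the
# longest matching prefix wins; on a tie the earlier entry wins, as in the
# order `ip route` printed them.
LOCAL_TABLE = [
    ("10.20.30.1/32", "lo", None),
    ("10.132.128.70/32", "lo", None),
    ("10.132.128.71/32", "lo", None),
    ("172.16.0.66/32", "lo", None),
    ("172.16.10.1/32", "lo", None),
]
CLIENTS_TABLE = [("0.0.0.0/0", "enp2s0f1", "10.132.128.70")]  # as posted
MAIN_TABLE = [
    ("10.20.0.0/16", "enp2s0f0", None),
    ("10.132.128.64/26", "eno1", None),
    ("10.132.128.64/26", "enp2s0f1", None),
    ("172.16.0.0/22", "tap0", None),
    ("172.16.8.0/21", "eno2", None),
]
DEFAULT_TABLE = [("0.0.0.0/0", "eno1", "10.132.128.65")]

# Policy rules in priority order: (source selector or None, table).
RULES = [
    (None, LOCAL_TABLE),               # priority 0, always consulted first
    ("10.20.0.0/16", CLIENTS_TABLE),   # ip rule add from 10.20.0.0/16 lookup clients
    (None, MAIN_TABLE),
    (None, DEFAULT_TABLE),
]

def lookup_table(table, dst):
    """Longest-prefix match of dst inside one table; None if no entry matches."""
    best = None
    for prefix, dev, gw in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    return best

def route_get(dst, src=None):
    """Mimic `ip route get DST [from SRC]`: walk the rules in priority order,
    skip any rule whose source selector does not match (no SRC given means
    0.0.0.0, which matches no `from` selector), return the first table hit."""
    dst = ipaddress.ip_address(dst)
    src = ipaddress.ip_address(src) if src else None
    for selector, table in RULES:
        if selector and (src is None or src not in ipaddress.ip_network(selector)):
            continue
        hit = lookup_table(table, dst)
        if hit:
            return {"dev": hit[1], "via": hit[2]}
    return None
```

route_get("10.132.128.65") reproduces the question's "dev eno1" output because no source is given, so the clients rule is skipped and table main wins; passing src="10.20.30.1" selects the clients table, and any destination that is one of the router's own addresses resolves in table local (dev lo) before the clients rule is ever reached.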