Configuring a bridged connection as a hub with netplan

My current problem is at the limit of my basic networking skills.

In short: I "inserted" a server with several network interfaces into the cable between the router and the media center. I am trying to do this transparently.

The network topology was:

Other machine (192.168.0.2) -- Router (192.168.0.1) -- Media center (192.168.0.3)

It is now:

Other machine (192.168.0.2) -- Router (192.168.0.1) -- New server (192.168.0.4) -- Media center (192.168.0.3)

I set up a bridged connection on the server, like this in netplan:

network:
  version: 2
  ethernets:
    eno1:
      dhcp4: no
    eno2:
      dhcp4: no
  bridges:
    br0:
      interfaces: [eno1, eno2]
      addresses: [192.168.0.4/24]
      gateway4: 192.168.0.1
      nameservers:
        search: []
        addresses: [192.168.0.2]

The new server (192.168.0.4) can ping and ssh to the media center (192.168.0.3) and to the router or the rest of the network (e.g. 192.168.0.2).

The media center (192.168.0.3) can ping and ssh to the new server (192.168.0.4), but cannot ping or ssh to the router or the rest of the network. Conversely, the router and the rest of the network cannot communicate with the media center (192.168.0.3).

Can I achieve what I want by defining routes in the netplan configuration (I am a bit out of my depth here, so help is welcome), or is this topology impossible because I would somehow have to define the new server as the gateway to the media center in the routes of every machine on the network?

Additional details:

me@newserver:~$ ip -br link
lo               UNKNOWN        00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP> 
eno1             UP             00:22:19:cc:db:0c <BROADCAST,MULTICAST,UP,LOWER_UP> 
eno2             UP             00:22:19:cc:db:0e <BROADCAST,MULTICAST,UP,LOWER_UP> 
eno3             DOWN           00:22:19:cc:db:10 <BROADCAST,MULTICAST> 
eno4             DOWN           00:22:19:cc:db:12 <BROADCAST,MULTICAST> 
br0              UP             76:1b:8c:b8:3a:15 <BROADCAST,MULTICAST,UP,LOWER_UP> 
docker0          DOWN           02:42:17:43:24:12 <NO-CARRIER,BROADCAST,MULTICAST,UP> 
me@newserver:~$ ip -br a
lo               UNKNOWN        127.0.0.1/8 ::1/128 
eno1             UP             
eno2             UP             
eno3             DOWN           
eno4             DOWN           
br0              UP             192.168.0.4/24 fe80::741b:8cff:feb8:3a15/64 
docker0          DOWN           172.17.0.1/16 fe80::42:17ff:fe43:2412/64 
me@newserver:~$ cat /proc/net/arp 
IP address       HW type     Flags       HW address            Mask     Device
192.168.0.21     0x1         0x2         44:8a:5b:f1:d5:fb     *        br0
192.168.0.3      0x1         0x2         b8:27:eb:da:cb:20     *        br0
192.168.0.1      0x1         0x2         a0:1b:29:7d:d9:73     *        br0
192.168.0.2      0x1         0x2         d4:9a:20:c2:c8:c8     *        br0
me@newserver:~$ bridge link
2: eno1 state UP : <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 19 
3: eno2 state UP : <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 19 
me@newserver:~$ sudo iptables-save -c
# Generated by iptables-save v1.6.1 on Sun Jan 27 10:52:29 2019
*nat
:PREROUTING ACCEPT [213193:40208006]
:INPUT ACCEPT [3463:1018938]
:OUTPUT ACCEPT [766:58537]
:POSTROUTING ACCEPT [766:58537]
:DOCKER - [0:0]
[45:2724] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
[1:60] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
[0:0] -A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Sun Jan 27 10:52:29 2019
# Generated by iptables-save v1.6.1 on Sun Jan 27 10:52:29 2019
*filter
:INPUT ACCEPT [44978969:67464645682]
:FORWARD DROP [130478:14923761]
:OUTPUT ACCEPT [23637250:1293021280]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
[130478:14923761] -A FORWARD -j DOCKER-USER
[130478:14923761] -A FORWARD -j DOCKER-ISOLATION-STAGE-1
[0:0] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o docker0 -j DOCKER
[0:0] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
[0:0] -A FORWARD -i docker0 -o docker0 -j ACCEPT
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
[130478:14923761] -A DOCKER-ISOLATION-STAGE-1 -j RETURN
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -j RETURN
[130478:14923761] -A DOCKER-USER -j RETURN
COMMIT
# Completed on Sun Jan 27 10:52:29 2019
me@newserver:~$ sudo bridge monitor
a0:1b:29:7d:d9:74 dev eno1 master br0 
a0:1b:29:7d:d9:72 dev eno1 master br0 
Deleted a0:1b:29:7d:d9:74 dev eno1 master br0 stale
Deleted 78:67:d7:21:56:34 dev eno1 master br0 stale
78:67:d7:21:56:34 dev eno1 master br0 
a0:1b:29:7d:d9:74 dev eno1 master br0 
dev br0 port eno1 grp ff02::fb temp 
Deleted a0:1b:29:7d:d9:72 dev eno1 master br0 stale
Deleted 30:07:4d:3e:2f:bb dev eno1 master br0 stale
98:b6:e9:cd:fb:4a dev eno1 master br0 
Deleted a0:1b:29:7d:d9:74 dev eno1 master br0 stale
Deleted dev br0 port eno1 grp ff02::fb temp 
Deleted dev br0 port br0 grp ff02::fb temp 

bridge-netfilter is not installed, and as far as I know there is no filtering (basically a fresh install + docker).

Answer 1

It is indeed possible to achieve such a network setup, and the netplan configuration is correct. The problem actually comes from iptables, which drops the packets going through the bridge. More details on this issue can be found here

The fix is simple: just accept the packets on the bridge:

me@newserver:~$ sudo iptables -A FORWARD -p all -i br0 -j ACCEPT

(and to make the change permanent:

me@newserver:~# iptables-save > /etc/iptables/rules.v4
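As an added example (not part of the question or the answer above), the script below checks the two things that decide whether bridged frames on br0 are dropped: the FORWARD chain policy in an iptables-save dump, and the bridge-nf-call-iptables sysctl that hands bridged frames to iptables in the first place. The dump is a constructed excerpt modelled on the one in the question; the function names and the narrower `-i br0 -o br0` rule it suggests are this example's own choices, not the answer's.

```shell
#!/bin/sh
# Added example: inspect an iptables-save dump and report whether frames
# that merely cross the br0 bridge will be dropped by the FORWARD chain.
# SAMPLE_DUMP is a constructed excerpt (counters zeroed) shaped like the
# dump in the question, where Docker has set the FORWARD policy to DROP.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
COMMIT'

# forward_policy DUMP -> prints the FORWARD chain's default policy.
forward_policy() {
    printf '%s\n' "$1" | awk '/^:FORWARD /{print $2; exit}'
}

# has_bridge_accept DUMP BRIDGE -> exit 0 if the dump already contains an
# explicit ACCEPT for traffic entering FORWARD via BRIDGE, 1 otherwise.
has_bridge_accept() {
    printf '%s\n' "$1" | grep -Eq -- "-A FORWARD .*-i $2 .*-j ACCEPT"
}

# bridged_traffic_blocked DUMP BRIDGE -> prints yes when frames crossing
# BRIDGE will hit a DROP policy with no accept rule in front of it.
bridged_traffic_blocked() {
    if has_bridge_accept "$1" "$2"; then echo no; return; fi
    [ "$(forward_policy "$1")" = "DROP" ] && echo yes || echo no
}

# bridge_nf_state [PATH] -> prints 1 if bridged frames are passed to
# iptables, 0 if not, or "absent" when br_netfilter is not loaded (the
# sysctl file only exists while the module is loaded). PATH is optional
# so the function can be exercised on a constructed file.
bridge_nf_state() {
    p="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    if [ -r "$p" ]; then cat "$p"; else echo absent; fi
}

# bridge_accept_rule BRIDGE -> prints a rule narrower than accepting
# everything that arrives on the bridge: only frames that both enter and
# leave via the same bridge (pure L2 forwarding) are accepted, so routed
# traffic through the server still falls under the DROP policy.
bridge_accept_rule() {
    echo "iptables -I FORWARD -i $1 -o $1 -j ACCEPT"
}
```

Run `bridged_traffic_blocked "$(sudo iptables-save)" br0` and `bridge_nf_state` on the live host to reproduce the diagnosis.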
