我有一台 Linux 机器,上面设置了 3 个网络接口,连接到 3 个不同的网络,每个网络都有自己的子网。从高层次上讲,我试图实现每个网络上的设备与其他网络上的设备之间的通信。
3个网络接口的配置如下:
eth0 “WAN 端口”
eth0 是一个相当标准的接口,配置为 DHCP 客户端并连接到具有 DHCP 服务器并提供互联网网关的上游网络。
IP:192.168.100.105/24(网络上的 DHCP 服务器分配的地址)
eth1 “LAN 端口”
eth1 已配置为 DHCP 服务器,并充当小型 LAN 的网关。已使用以下命令配置接口:
nmcli c add con-name eth1-dhcp-server type ethernet ifname eth1 ipv4.method shared ipv6.method ignore ipv4.addresses 10.79.0.1
IP:10.79.0.1/24
wlan0 “WiFi AP”
wlan0 的配置与 eth1 类似,提供小型 LAN,但使用 WiFi 接入点。接入点、DHCP 服务器和静态 IP 的设置命令如下:
nmcli d wifi hotspot ifname wlan0 ssid <ss_id> password <password>
nmcli c modify Hotspot connection.autoconnect yes ipv4.addresses 10.80.0.1
IP:10.80.0.1/24
Ping 测试设置
为了测试跨网络通信,我将以下设备连接到每个网络。
| 设备 | 网络(由Linux机器的网络接口识别) | 知识产权 |
|---|---|---|
| PC1 | eth0 | 192.168.100.145 |
| PC2 | eth1 | 10.79.0.77 |
| PC3 | wlan0 | 10.80.0.16 |
Ping 测试结果
PC1(192.168.100.145):
ping 10.79.0.77✕ 失败
ping 10.80.0.16✓ 成功
PC2 (10.79.0.77):
ping 192.168.100.145✓ 成功
ping 10.80.0.16✓ 成功
PC3 (10.80.0.16):
ping 192.168.100.145✓ 成功
ping 10.79.0.77✕ 失败
本次测试的结果表明了一些积极的结果,成功路由了目的地为 192.168.100.0/24 和 10.80.0.0/24 的数据包,但未能路由到 10.79.0.0/24。
故障排除尝试
在努力尝试成功路由所有数据包之后,我仍然没有取得什么进展。然而,我发现了一个有趣的发现,它与修改 10.80.0.0/24 路由的路由度量有关,将其从 150 更改为 101(低于 10.79.0.0/24 路由)。这会改变 ping 行为,以便目的地为 10.79.0.0/24 的数据包可以成功路由,而现在 10.80.0.0/24 则不能。将它们设置为相同的度量并不能使它们都正常工作,所以我不确定这里是否有相关的永久修复...
原始路由表:
$ ip route
default via 192.168.100.1 dev eth0 proto dhcp metric 100
10.79.0.0/24 dev eth1 proto kernel scope link src 10.79.0.1 metric 101
10.80.0.0/24 dev wlan0 proto kernel scope link src 10.80.0.1 metric 150
169.254.0.0/16 dev eth0 scope link metric 1000
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.105 metric 100
修改后的路由表:
$ ip route
default via 192.168.100.1 dev eth0 proto dhcp metric 100
10.79.0.0/24 dev eth1 proto kernel scope link src 10.79.0.1 metric 101
10.80.0.0/24 dev wlan0 proto kernel scope link src 10.80.0.1 metric 100 ** reduced from 150
169.254.0.0/16 dev eth0 scope link metric 1000
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.105 metric 100
有没有人对这里发生的事情有透彻的了解?甚至有一个解决方案!
谢谢参观。
答案1
我想我终于弄清楚了这个问题,它与 iptable 规则有关。我应该知道的。
我注意到我的 iptable 中有REJECT带有 的策略。这与我从失败的 ping 中收到的响应reject-with icmp-port-unreachable相符。Destination Port Unreachable
您可以在此处查看原始 iptables 输出:
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere 10.79.0.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 10.79.0.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere 10.80.0.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 10.80.0.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
我已改变顺序,使得REJECT all-- anywhere anywhere reject-with icmp-port-unreachable规则位于所有10.79.0.0/24和10.80.0.0/24规则之下。
一旦我相应地更改了 iptables,一切似乎都正常工作了!更新后的 iptables:
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere 10.79.0.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 10.79.0.0/24 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere 10.80.0.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 10.80.0.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
我还要感谢@user1686 的投入和提供的一些有用建议!