Communication between subnets on different network interfaces

I have a Linux machine with 3 network interfaces set up, connected to 3 different networks, each with its own subnet. At a high level, I am trying to achieve communication between the devices on each network and the devices on the other networks.

The 3 network interfaces are configured as follows:

eth0 "WAN port"

eth0 is a fairly standard interface, configured as a DHCP client and connected to an upstream network that has a DHCP server and provides an internet gateway.

IP: 192.168.100.105/24 (address assigned by the DHCP server on that network)

eth1 "LAN port"

eth1 is configured as a DHCP server and acts as the gateway for a small LAN. The interface was configured with the following command:

nmcli c add con-name eth1-dhcp-server type ethernet ifname eth1 ipv4.method shared ipv6.method ignore ipv4.addresses 10.79.0.1

IP: 10.79.0.1/24

wlan0 "WiFi AP"

wlan0 is configured similarly to eth1, providing a small LAN, but using a WiFi access point. The commands used to set up the access point, the DHCP server and the static IP are as follows:

nmcli d wifi hotspot ifname wlan0 ssid <ss_id> password <password>
nmcli c modify Hotspot connection.autoconnect yes ipv4.addresses 10.80.0.1

IP: 10.80.0.1/24

Ping test setup

To test cross-network communication, I connected the following devices to each network.

Device   Network (identified by the Linux machine's interface)   IP
PC1      eth0                                                    192.168.100.145
PC2      eth1                                                    10.79.0.77
PC3      wlan0                                                   10.80.0.16

Ping test results

PC1 (192.168.100.145):

ping 10.79.0.77 ✕ failed

ping 10.80.0.16 ✓ success

PC2 (10.79.0.77):

ping 192.168.100.145 ✓ success

ping 10.80.0.16 ✓ success

PC3 (10.80.0.16):

ping 192.168.100.145 ✓ success

ping 10.79.0.77 ✕ failed

The results of this test show some positive signs: packets destined for 192.168.100.0/24 and 10.80.0.0/24 are routed successfully, but packets to 10.79.0.0/24 are not.

Troubleshooting attempts

After trying hard to get all packets routed successfully, I still haven't made much progress. However, I did find something interesting related to changing the route metric of the 10.80.0.0/24 route from 150 to 101 (lower than the 10.79.0.0/24 route). This changes the ping behaviour so that packets destined for 10.79.0.0/24 are now routed successfully, while packets to 10.80.0.0/24 now are not. Setting them both to the same metric does not make them both work, so I'm not sure there is a permanent fix here...

Original routing table:

$ ip route
default via 192.168.100.1 dev eth0 proto dhcp metric 100 
10.79.0.0/24 dev eth1 proto kernel scope link src 10.79.0.1 metric 101 
10.80.0.0/24 dev wlan0 proto kernel scope link src 10.80.0.1 metric 150
169.254.0.0/16 dev eth0 scope link metric 1000 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.105 metric 100

Modified routing table:

$ ip route
default via 192.168.100.1 dev eth0 proto dhcp metric 100 
10.79.0.0/24 dev eth1 proto kernel scope link src 10.79.0.1 metric 101 
10.80.0.0/24 dev wlan0 proto kernel scope link src 10.80.0.1 metric 100 ** reduced from 150
169.254.0.0/16 dev eth0 scope link metric 1000 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.105 metric 100

Does anyone have a clear understanding of what is going on here? Or even a solution!

Thanks for looking.

Answer 1

I think I have finally figured out the problem, and it is related to the iptables rules. I should have known.

I noticed that my iptables had REJECT rules with reject-with icmp-port-unreachable. This matches the Destination Port Unreachable response I was getting from the failed pings.

You can see the original iptables output here:

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             10.79.0.0/24         state RELATED,ESTABLISHED
ACCEPT     all  --  10.79.0.0/24         anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             10.80.0.0/24         state RELATED,ESTABLISHED
ACCEPT     all  --  10.80.0.0/24         anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (1 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere 

I changed the order so that the REJECT all -- anywhere anywhere reject-with icmp-port-unreachable rules sit below all of the 10.79.0.0/24 and 10.80.0.0/24 rules.

Once I changed iptables accordingly, everything seemed to work! Updated iptables:

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             10.79.0.0/24         state RELATED,ESTABLISHED
ACCEPT     all  --  10.79.0.0/24         anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             10.80.0.0/24         state RELATED,ESTABLISHED
ACCEPT     all  --  10.80.0.0/24         anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (1 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere

I would also like to thank @user1686 for the input and some helpful suggestions!
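As an added illustration (not part of the question or answer above), this Python walks the FORWARD chain with iptables' first-match semantics, using the chain text exactly as `iptables -L` printed it before the reorder. Evaluated that way, rule 3 accepts everything and rules 4 to 10 can never fire, which is the tell that `-L` without `-v` has hidden the `-i`/`-o` interface matches; `iptables -S FORWARD` or `iptables -L FORWARD -v -n --line-numbers` shows them together with packet counters, so the rejecting rule can be read off directly. The evaluator is an assumption: it models only source, destination and conntrack state, not interfaces or protocols.

```python
import ipaddress

# Constructed sample: the FORWARD chain as `iptables -L` printed it in the
# question before the reorder; `-L` without `-v` omits -i/-o interface matches.
FORWARD_BEFORE = """
ACCEPT     all  --  anywhere             10.79.0.0/24         state RELATED,ESTABLISHED
ACCEPT     all  --  10.79.0.0/24         anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             10.80.0.0/24         state RELATED,ESTABLISHED
ACCEPT     all  --  10.80.0.0/24         anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
"""

TERMINAL = {"ACCEPT", "REJECT", "DROP"}  # targets that end the chain walk


def parse_chain(listing):
    # Each `iptables -L` body line: target prot opt source destination [extras]
    rules = []
    for line in listing.strip().splitlines():
        parts = line.split()
        states = None
        if "state" in parts:
            states = set(parts[parts.index("state") + 1].split(","))
        rules.append({"target": parts[0], "src": parts[3], "dst": parts[4], "state": states})
    return rules


def _matches(spec, ip):
    return spec == "anywhere" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def evaluate(rules, src, dst, state="NEW", policy="DROP"):
    """First-match walk; returns (verdict, 1-based index of the deciding rule or None)."""
    for i, r in enumerate(rules, 1):
        if not (_matches(r["src"], src) and _matches(r["dst"], dst)):
            continue
        if r["state"] is not None and state not in r["state"]:
            continue
        if r["target"] in TERMINAL:
            return r["target"], i
    return policy, None  # fell off the end: chain policy applies


def shadowed(rules):
    """Indexes of rules that can never fire because an earlier listed rule matches everything."""
    for i, r in enumerate(rules, 1):
        if r["target"] in TERMINAL and r["src"] == r["dst"] == "anywhere" and r["state"] is None:
            return list(range(i + 1, len(rules) + 1))
    return []
```

A chain whose listing shows shadowed rules is either misprinted (hidden matches) or genuinely wide open; either way, the `-S` form is what to read and keep under version control.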
