Debian server - clients cannot ping each other across interfaces (eth0-wlan0)/subnets

I cannot ping clients across interfaces/subnets; for example, a Mac (10.42.0.82) connected to eth0 cannot ping an Android (10.42.1.150) connected to wlan0.

Note: I can reach the internet from all devices.

How do I forward connections between these devices?

Here is a rough drawing of my network:

[image: network diagram]

The Debian server has 3 interfaces:

  • wlan1 (192.168.1.25) - internet access
  • eth0 (10.42.0.1) - clients 10.42.0.0/24
  • wlan0 (10.42.1.0) - clients 10.42.1.0/24
  • Besides that, OpenVPN is also running on the Debian server (so tun0 exists as well)

Output from the Mac:

ping 192.168.150

PING 10.42.1.150 (10.42.1.150): 56 data bytes
92 bytes from machine (10.42.0.1): Destination Port Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 fc85   0 0000  3f  01 68e8 10.42.0.82  10.42.1.150 

Request timeout for icmp_seq 0
92 bytes from machine (10.42.0.1): Destination Port Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 6410   0 0000  3f  01 015e 10.42.0.82  10.42.1.150 

Output from the Debian server:

Packet dump while pinging the Android from the Mac:

tcpdump -i eth0 -c 10 -n icmp

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
12:50:25.884193 IP 10.42.0.82 > 10.42.1.190: ICMP echo request, id 52703, seq 0, length 64
12:50:25.884420 IP 10.42.0.1 > 10.42.0.82: ICMP 10.42.1.190 protocol 1 port 4212 unreachable, length 92
12:50:26.889535 IP 10.42.0.82 > 10.42.1.190: ICMP echo request, id 52703, seq 1, length 64
12:50:26.889806 IP 10.42.0.1 > 10.42.0.82: ICMP 10.42.1.190 protocol 1 port 64299 unreachable, length 92
12:50:27.892862 IP 10.42.0.82 > 10.42.1.190: ICMP echo request, id 52703, seq 2, length 64
12:50:27.893158 IP 10.42.0.1 > 10.42.0.82: ICMP 10.42.1.190 protocol 1 port 60917 unreachable, length 92
12:50:28.897111 IP 10.42.0.82 > 10.42.1.190: ICMP echo request, id 52703, seq 3, length 64
12:50:28.897405 IP 10.42.0.1 > 10.42.0.82: ICMP 10.42.1.190 protocol 1 port 56949 unreachable, length 92

tcpdump -i wlan0 -c 10 -n icmp

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), snapshot length 262144 bytes

...silence...

netstat -nr

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 wlan1
10.8.0.0        0.0.0.0         255.255.255.0   U         0 0          0 tun0
10.42.0.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.42.1.0       0.0.0.0         255.255.255.0   U         0 0          0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 wlan1

ip route

default via 192.168.1.1 dev wlan1 proto dhcp src 192.168.1.25 metric 601 
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1 
10.42.0.0/24 dev eth0 proto kernel scope link src 10.42.0.1 metric 100 
10.42.1.0/24 dev wlan0 proto kernel scope link src 10.42.1.1 metric 600 
192.168.1.0/24 dev wlan1 proto kernel scope link src 192.168.1.25 metric 601 

iptables-save

# Generated by iptables-save v1.8.8 (nf_tables) on Wed Nov  9 12:38:09 2022
*filter
:INPUT ACCEPT [6046:607118]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10078:1146969]
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i wlan1 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i wlan1 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -i tun0 -o wlan1 -j ACCEPT
-A FORWARD -i wlan1 -o tun0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -i tun0 -o wlan1 -j ACCEPT
-A FORWARD -i wlan1 -o tun0 -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT
# Completed on Wed Nov  9 12:38:09 2022
# Generated by iptables-save v1.8.8 (nf_tables) on Wed Nov  9 12:38:09 2022
*nat
:PREROUTING ACCEPT [3107:427832]
:INPUT ACCEPT [826:76600]
:OUTPUT ACCEPT [1808:145801]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o wlan1 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source 192.168.1.25
COMMIT
# Completed on Wed Nov  9 12:38:09 2022
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them

cat /proc/sys/net/ipv4/ip_forward

1

Thanks for any advice that helps me find the ideal solution!
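An added example, not part of the question or of any answer: this Python script reads the Mac's ping output and the eth0 capture quoted above, pairs each echo request with the ICMP unreachable that answered it, and reports who sent the refusals, which ICMP type 3 code they carry, and whether the destination seen on the wire is the address the ping command actually resolved. The sample text is copied from the question; `diagnose`, `classify_unreachable` and the `gateway` parameter are this example's own names.

```python
import re

# Constructed sample: the Mac's ping output and the eth0 tcpdump lines quoted in the question.
PING_OUTPUT = """\
PING 10.42.1.150 (10.42.1.150): 56 data bytes
92 bytes from machine (10.42.0.1): Destination Port Unreachable
Request timeout for icmp_seq 0
92 bytes from machine (10.42.0.1): Destination Port Unreachable
"""

TCPDUMP_ETH0 = """\
12:50:25.884193 IP 10.42.0.82 > 10.42.1.190: ICMP echo request, id 52703, seq 0, length 64
12:50:25.884420 IP 10.42.0.1 > 10.42.0.82: ICMP 10.42.1.190 protocol 1 port 4212 unreachable, length 92
12:50:26.889535 IP 10.42.0.82 > 10.42.1.190: ICMP echo request, id 52703, seq 1, length 64
12:50:26.889806 IP 10.42.0.1 > 10.42.0.82: ICMP 10.42.1.190 protocol 1 port 64299 unreachable, length 92
12:50:27.892862 IP 10.42.0.82 > 10.42.1.190: ICMP echo request, id 52703, seq 2, length 64
12:50:27.893158 IP 10.42.0.1 > 10.42.0.82: ICMP 10.42.1.190 protocol 1 port 60917 unreachable, length 92
12:50:28.897111 IP 10.42.0.82 > 10.42.1.190: ICMP echo request, id 52703, seq 3, length 64
12:50:28.897405 IP 10.42.0.1 > 10.42.0.82: ICMP 10.42.1.190 protocol 1 port 56949 unreachable, length 92
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PING_HDR_RE = re.compile(rf"^PING (?P<name>\S+) \((?P<addr>{IPV4})\)")
ECHO_RE = re.compile(rf"^\S+ IP (?P<src>{IPV4}) > (?P<dst>{IPV4}): ICMP echo request, id (?P<id>\d+), seq (?P<seq>\d+)")
UNREACH_RE = re.compile(rf"^\S+ IP (?P<src>{IPV4}) > (?P<dst>{IPV4}): ICMP (?P<body>.+?) unreachable(?P<extra>[^,]*)")


def classify_unreachable(body, extra):
    """Map tcpdump's wording for ICMP type 3 back to the code it stands for."""
    if "admin prohibited" in extra:
        return "admin-prohibited"   # codes 9/10/13: a filter deliberately refused the packet
    if " port " in f" {body} ":
        return "port-unreachable"   # code 3: the default reply of the iptables/nftables REJECT target
    if body.startswith("host "):
        return "host-unreachable"   # code 1: the next hop could not be resolved (neighbour/ARP failure)
    if body.startswith("net "):
        return "net-unreachable"    # code 0: no route to the destination network
    return "other-unreachable"


def ping_target(ping_output):
    """The address the ping command actually resolved, taken from the PING header line."""
    for line in ping_output.splitlines():
        m = PING_HDR_RE.match(line)
        if m:
            return m.group("addr")
    return None


def diagnose(ping_output, capture, gateway):
    """Pair echo requests with unreachable replies and summarise who refused them and why."""
    requests, unreachables = [], []
    for line in capture.splitlines():
        m = ECHO_RE.match(line)
        if m:
            requests.append(m.groupdict())
            continue
        m = UNREACH_RE.match(line)
        if m:
            d = m.groupdict()
            d["kind"] = classify_unreachable(d["body"], d["extra"])
            unreachables.append(d)
    target = ping_target(ping_output)
    wire_targets = sorted({r["dst"] for r in requests})
    return {
        "ping_target": target,
        "wire_targets": wire_targets,
        "target_mismatch": target is not None and wire_targets != [target],
        "echo_requests": len(requests),
        "unreachables": len(unreachables),
        "unreachables_from_gateway": sum(1 for u in unreachables if u["src"] == gateway),
        "unreachable_kinds": sorted({u["kind"] for u in unreachables}),
    }


if __name__ == "__main__":
    report = diagnose(PING_OUTPUT, TCPDUMP_ETH0, gateway="10.42.0.1")
    for key, value in report.items():
        print(f"{key:>26}: {value}")
```

Two facts the report makes visible: every refusal carries the router's own address (10.42.0.1), and tcpdump's "protocol 1 port N unreachable" is ICMP type 3 code 3, which for a forwarded packet is what a REJECT target emits by default, whereas a missing route or a failed neighbour lookup makes the kernel answer with net or host unreachable. The report also shows the capture aiming at 10.42.1.190 while the ping header resolved 10.42.1.150, so the two outputs do not describe the same target.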

Answer 1

  1. Your NAT rules are very suspicious. I suggest the following:

iptables -t nat -F && iptables -t nat -A POSTROUTING -o wlan1 -j MASQUERADE

- delete all NAT rules and use NAT only for the WAN traffic (wlan1)

  2. You may be pinging the wrong IP address. Double-check the Android device's IP before pinging it. I can see 192.168.1.150 in the ping output and 192.168.1.190 in the traffic capture on eth0. The traffic capture shows the server does not know any device with IP 192.168.1.190, so packets with that destination are rejected.
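An added example, not part of the question or of the answer: this Python script parses the iptables-save text quoted in the question and turns the answer's first point into a repeatable check. It flags NAT rules that are not pinned to the WAN interface (a bare `-j MASQUERADE` also rewrites the source of packets routed between the two LAN segments, so the far side sees the router instead of the client), duplicated rules (a sign that the loading script appends on every run instead of flushing first), and a FORWARD chain that accepts everything, which means the router does no segmentation between the networks it joins. `parse_tables`, `audit`, `recommended_nat` and the `wan` parameter are this example's own names; the sample is trimmed to the FORWARD and nat rules from the question.

```python
import re

# Constructed sample: the FORWARD and nat rules from the iptables-save output quoted in the
# question (the INPUT rules are left out for brevity).
IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [6046:607118]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10078:1146969]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -i tun0 -o wlan1 -j ACCEPT
-A FORWARD -i wlan1 -o tun0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -i tun0 -o wlan1 -j ACCEPT
-A FORWARD -i wlan1 -o tun0 -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [3107:427832]
:INPUT ACCEPT [826:76600]
:OUTPUT ACCEPT [1808:145801]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o wlan1 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source 192.168.1.25
COMMIT
"""


def parse_tables(text):
    """Turn iptables-save text into {table: {"policy": {chain: policy}, "rules": {chain: [spec]}}}."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": {}})
        elif line.startswith(":") and table is not None:
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
            table["rules"].setdefault(chain, [])
        elif line.startswith("-A ") and table is not None:
            _, chain, spec = line.split(" ", 2)
            table["rules"].setdefault(chain, []).append(spec)
    return tables


def audit(text, wan):
    """Return a list of findings about NAT scope and forwarding policy."""
    tables = parse_tables(text)
    findings = []
    # Duplicate rules: the loader appends on every run instead of flushing first.
    for name, table in tables.items():
        for chain, rules in table["rules"].items():
            seen = set()
            for spec in rules:
                if spec in seen:
                    findings.append(f"{name}/{chain}: duplicate rule '-A {chain} {spec}'")
                seen.add(spec)
    # MASQUERADE/SNAT not limited to the WAN interface also rewrites LAN-to-LAN traffic.
    for spec in tables.get("nat", {}).get("rules", {}).get("POSTROUTING", []):
        if "-j MASQUERADE" in spec or "-j SNAT" in spec:
            m = re.search(r"-o (\S+)", spec)
            if m is None or m.group(1) != wan:
                findings.append(f"nat/POSTROUTING: '{spec}' is not limited to -o {wan}")
    # Policy ACCEPT or a bare '-j ACCEPT' forwards every interface to every other one.
    filt = tables.get("filter", {})
    if filt.get("policy", {}).get("FORWARD") == "ACCEPT":
        findings.append("filter/FORWARD: default policy is ACCEPT")
    for spec in filt.get("rules", {}).get("FORWARD", []):
        if spec == "-j ACCEPT":
            findings.append("filter/FORWARD: unconditional '-A FORWARD -j ACCEPT'")
    return findings


def recommended_nat(wan):
    """The answer's suggestion: flush nat, then one MASQUERADE rule scoped to the WAN interface."""
    return ["iptables -t nat -F", f"iptables -t nat -A POSTROUTING -o {wan} -j MASQUERADE"]


if __name__ == "__main__":
    for finding in audit(IPTABLES_SAVE, wan="wlan1"):
        print("finding:", finding)
    print("suggested nat table:")
    for cmd in recommended_nat("wlan1"):
        print("   ", cmd)
```

Run against the question's rules it reports eight findings: four duplicated FORWARD rules, the two POSTROUTING rules with no `-o wlan1`, the ACCEPT policy on FORWARD and the trailing unconditional `-A FORWARD -j ACCEPT`. Note that the last two findings also show that nothing in the visible nf_tables ruleset rejects eth0-to-wlan0 traffic; the warning at the end of the iptables-save output says a separate iptables-legacy ruleset exists that this dump does not include.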
