The server currently has four network cards connected: one to the internal network and the others to three different ISPs, two of which are NATed while the third has a public IP.
The PCs on the internal network connect to the internal IP address on eth2r, which is also the default gateway, DNS and DHCP. However, in some cases, for example speed tests, interface-specific IP addresses are used. On the server, net.ipv4.conf.all.forwarding=1
so normally packets addressed to a different interface reach their destination. I say normally because it does not happen on a newly connected interface. For example, from a client on the internal network I can ping the IP address of the router connected to an external interface:
ale@pcale:/home/moz$ ping -p deadbeef 192.168.4.254
PATTERN: 0xdeadbeef
PING 192.168.4.254 (192.168.4.254) 56(84) bytes of data.
64 bytes from 192.168.4.254: icmp_seq=1 ttl=63 time=0.608 ms
...
On the server I see the following packets:
574-north:share# tcpdump -vvvv -n -i any 'icmp[44]=0xde and icmp[45]=0xad and icmp[46]=0xbe and icmp[47]=0xef'
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
13:04:35.625247 eth2r In IP (tos 0x0, ttl 64, id 41892, offset 0, flags [DF], proto ICMP (1), length 84)
172.25.197.111 > 192.168.4.254: ICMP echo request, id 22506, seq 49, length 64
13:04:35.625287 eth0r Out IP (tos 0x0, ttl 63, id 41892, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.4.1 > 192.168.4.254: ICMP echo request, id 22506, seq 49, length 64
13:04:35.625583 eth0r In IP (tos 0x0, ttl 64, id 59736, offset 0, flags [none], proto ICMP (1), length 84)
192.168.4.254 > 192.168.4.1: ICMP echo reply, id 22506, seq 49, length 64
13:04:35.625639 eth2r Out IP (tos 0x0, ttl 63, id 59736, offset 0, flags [none], proto ICMP (1), length 84)
192.168.4.254 > 172.25.197.111: ICMP echo reply, id 22506, seq 49, length 64
...
The client is connected to eth2r; eth0r is one of the external cards, with 192.168.4.1 configured on the server and 192.168.4.245 as the remote address. The same behaviour occurs with the interface that has the public IP.
However, the other NAT interface does not forward:
ale@pcale:/home/moz$ ping -p deadbeef 192.168.1.254
PATTERN: 0xdeadbeef
PING 192.168.1.254 (192.168.1.254) 56(84) bytes of data.
^C
--- 192.168.1.254 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5107ms
192.168.1.254 is the IP configured on eth1r. On the server I only see the requests:
13:05:25.398401 eth2r In IP (tos 0x0, ttl 64, id 48063, offset 0, flags [DF], proto ICMP (1), length 84)
172.25.197.111 > 192.168.1.254: ICMP echo request, id 34888, seq 1, length 64
13:05:26.409254 eth2r In IP (tos 0x0, ttl 64, id 48189, offset 0, flags [DF], proto ICMP (1), length 84)
172.25.197.111 > 192.168.1.254: ICMP echo request, id 34888, seq 2, length 64
13:05:27.432784 eth2r In IP (tos 0x0, ttl 64, id 48354, offset 0, flags [DF], proto ICMP (1), length 84)
172.25.197.111 > 192.168.1.254: ICMP echo request, id 34888, seq 3, length 64
13:05:28.457115 eth2r In IP (tos 0x0, ttl 64, id 48520, offset 0, flags [DF], proto ICMP (1), length 84)
172.25.197.111 > 192.168.1.254: ICMP echo request, id 34888, seq 4, length 64
13:05:29.480797 eth2r In IP (tos 0x0, ttl 64, id 48618, offset 0, flags [DF], proto ICMP (1), length 84)
172.25.197.111 > 192.168.1.254: ICMP echo request, id 34888, seq 5, length 64
13:05:30.505181 eth2r In IP (tos 0x0, ttl 64, id 48823, offset 0, flags [DF], proto ICMP (1), length 84)
172.25.197.111 > 192.168.1.254: ICMP echo request, id 34888, seq 6, length 64
This interface is the current default gateway on the server, so, to show that the interface does work, if I ping an external host it goes out through there. On the client:
ale@pcale:~/tmp$ ping -p deadbeef superuser.com
PATTERN: 0xdeadbeef
PING superuser.com (151.101.193.69) 56(84) bytes of data.
64 bytes from 151.101.193.69 (151.101.193.69): icmp_seq=1 ttl=58 time=2.65 ms
...
On the server:
13:56:34.098946 eth2r In IP (tos 0x0, ttl 64, id 9474, offset 0, flags [DF], proto ICMP (1), length 84)
172.25.197.111 > 151.101.193.69: ICMP echo request, id 9145, seq 1, length 64
13:56:34.098974 eth1r Out IP (tos 0x0, ttl 63, id 9474, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.1.254 > 151.101.193.69: ICMP echo request, id 9145, seq 1, length 64
13:56:34.101454 eth1r In IP (tos 0xc, ttl 59, id 15052, offset 0, flags [none], proto ICMP (1), length 84)
151.101.193.69 > 192.168.1.254: ICMP echo reply, id 9145, seq 1, length 64
13:56:34.101469 eth2r Out IP (tos 0xc, ttl 58, id 15052, offset 0, flags [none], proto ICMP (1), length 84)
151.101.193.69 > 172.25.197.111: ICMP echo reply, id 9145, seq 1, length 64
...
This is Devuan chimaera (equivalent to Debian bullseye). The three cards (including the non-forwarding one) are actually on a single card with four RJ45 ports.
Edit 2: inserting the routing tables for eth?r as shown above and below (ISP2 excluded)
$ ip route show
default via 192.168.1.1 dev eth1r proto static
172.25.197.0/24 dev eth2r proto kernel scope link src 172.25.197.1
192.168.1.0/24 dev eth1r proto kernel scope link src 192.168.1.254
192.168.4.0/24 dev eth0r proto kernel scope link src 192.168.4.1
$ ip route show table ISP1
default via 192.168.4.254 dev eth0r proto static
172.25.197.0/24 dev eth2r proto static scope link
192.168.1.0/24 dev eth1r proto static scope link src 192.168.1.254
192.168.4.0/24 dev eth0r proto static scope link src 192.168.4.1
$ ip route show table ISP3
default via 192.168.1.1 dev eth1r proto static
172.25.197.0/24 dev eth2r proto static scope link
192.168.1.0/24 dev eth1r proto static scope link src 192.168.1.254
192.168.4.0/24 dev eth0r proto static scope link src 192.168.4.1
Edit 3: ip rules
# ip rule
0: from all lookup local
32760: from all oif eth1r lookup ISP3
32761: from all iif eth1r lookup ISP3
32762: from 192.168.1.0/24 lookup ISP3
32763: from all oif eth0r lookup ISP1
32764: from all iif eth0r lookup ISP1
32765: from 192.168.4.1 lookup ISP1
32766: from all lookup main
32767: from all lookup default
Answer 1
There were a few lines almost hidden in a 347-line iptables script, like these:
iptables -A interna_addr -m conntrack --ctorigdst 192.168.4.1 -j RETURN
iptables -A interna_addr -m conntrack --ctorigdst 192.168.0.1 -j RETURN
iptables -A interna_addr -m conntrack --ctorigdst 192.168.0.0/16 -j DROP
I say almost hidden (also) because they are written with literal numbers, unlike the rest of the script, which uses shell variables. They are part of a series of lines intended for bogon filtering, which I wrote years ago after misunderstanding a suggestion and then forgot about.
Bogon filtering is applied at autonomous system borders, certainly not on ISP connections. Now I am going to clean out that junk.
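Added example, not from the original question or answer: a small Python simulation of first-match evaluation over the three conntrack rules quoted above, plus an audit that flags DROP rules aimed at RFC 1918 ranges, which is what a bogon filter ends up doing on an ISP-facing gateway. The evaluator is a simplification that matches only on --ctorigdst and ignores every other iptables match option.

```python
import ipaddress
import shlex

# Constructed copy of the three rules quoted in the answer (same chain, same order).
RULES_TEXT = """
iptables -A interna_addr -m conntrack --ctorigdst 192.168.4.1 -j RETURN
iptables -A interna_addr -m conntrack --ctorigdst 192.168.0.1 -j RETURN
iptables -A interna_addr -m conntrack --ctorigdst 192.168.0.0/16 -j DROP
"""


def parse_rules(text):
    """Extract (chain, network, target) from '-A <chain> ... --ctorigdst <addr> -j <target>' lines.

    A bare address such as 192.168.4.1 is treated as a /32, as iptables does.
    """
    rules = []
    for line in text.strip().splitlines():
        argv = shlex.split(line)
        if "--ctorigdst" not in argv or "-j" not in argv or "-A" not in argv:
            continue
        chain = argv[argv.index("-A") + 1]
        net = ipaddress.ip_network(argv[argv.index("--ctorigdst") + 1], strict=False)
        target = argv[argv.index("-j") + 1]
        rules.append((chain, net, target))
    return rules


def evaluate(rules, dst):
    """First-match evaluation of the chain for a conntrack original destination.

    Returns the matched rule's target, or 'FALLTHROUGH' when nothing matches
    (the packet would continue in the calling chain).
    """
    addr = ipaddress.ip_address(dst)
    for _chain, net, target in rules:
        if addr in net:
            return target
    return "FALLTHROUGH"


def private_drops(rules):
    """Audit helper: DROP rules whose destination network is a private (RFC 1918) range.

    On a gateway whose ISP links use private addressing, such rules silently
    break forwarding to the ISP routers, which is the failure seen in the question.
    """
    return [net for _chain, net, target in rules if target == "DROP" and net.is_private]
```

Run it against the eth1r router address from the question: 192.168.1.254 hits the /16 DROP, while 192.168.4.1 returns early and a public address such as 151.101.193.69 falls through untouched.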