我有以下情况:
- eth0-默认网关(ip:172.28.183.100,gw:172.28.183.1)
- eth0 - 辅助网络连接(ip:172.28.171.2,gw:172.28.171.2)。
路由看起来是这样的:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.28.183.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
172.28.171.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
172.28.173.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
78.46.78.0 172.28.171.1 255.255.255.0 UG 0 0 0 eth2
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eth0
0.0.0.0 172.28.183.1 0.0.0.0 UG 100 0 0 eth0
如您所见,78.46.78.0/24 有一条特殊路由 - 此流量应通过辅助网络 eth2 传输。
成功了。我可以与 78.46.78.0/24 中的机器建立任何类型的 tcp 连接。
但是,当我尝试对它们进行 mtr 时,我得到了奇怪的结果:
root@blob:~# mtr --report --report-cycles=5 78.46.78.198
HOST: blob Loss% Snt Last Avg Best Wrst StDev
1. 172.28.171.1 0.0% 5 0.6 0.6 0.5 0.6 0.0
2. ??? 100.0 5 0.0 0.0 0.0 0.0 0.0
在 tcpdump 输出中我看到返回的生存时间已超出的回复:
10:16:28.158888 IP 172.28.171.2 > 78.46.78.198: ICMP echo request, id 2092, seq 59520, length 44
10:16:28.159363 IP 172.28.171.1 > 172.28.171.2: ICMP time exceeded in-transit, length 72
10:16:28.259153 IP 172.28.171.2 > 78.46.78.198: ICMP echo request, id 2092, seq 59776, length 44
10:16:28.359546 IP 172.28.171.2 > 78.46.78.198: ICMP echo request, id 2092, seq 60032, length 44
10:16:28.408129 IP 10.9.208.1 > 172.28.171.2: ICMP time exceeded in-transit, length 36
10:16:28.428193 IP 10.9.208.2 > 172.28.171.2: ICMP time exceeded in-transit, length 36
10:16:28.459953 IP 172.28.171.2 > 78.46.78.198: ICMP echo request, id 2092, seq 60288, length 44
10:16:28.560260 IP 172.28.171.2 > 78.46.78.198: ICMP echo request, id 2092, seq 60544, length 44
10:16:28.618138 IP 10.9.213.6 > 172.28.171.2: ICMP time exceeded in-transit, length 36
10:16:28.660678 IP 172.28.171.2 > 78.46.78.198: ICMP echo request, id 2092, seq 60800, length 44
10:16:28.708130 IP 10.9.212.253 > 172.28.171.2: ICMP time exceeded in-transit, length 36
10:16:28.730193 IP 213.158.195.13 > 172.28.171.2: ICMP time exceeded in-transit, length 36
10:16:28.761086 IP 172.28.171.2 > 78.46.78.198: ICMP echo request, id 2092, seq 61056, length 44
10:16:28.861380 IP 172.28.171.2 > 78.46.78.198: ICMP echo request, id 2092, seq 61312, length 44
10:16:28.938167 IP 213.248.89.153 > 172.28.171.2: ICMP time exceeded in-transit, length 36
但是,使用 mtr 上的 strace 我发现这些 ICMP 回复没有传送到 mtr!
我认为原因可能是 icmp 响应的源 ip 来自“错误”接口” - 即 ICMP 回复来自(例如)10.9.212.253(某个中间路由器),但这个 ip 应该通过 eth0 路由,而它到达 eth2。
这是合理的理由吗?我该怎么做才能让 mtr 在我的“特殊”网络上正常工作?
iptables 使用以下方式设置:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
iptables -A INPUT -j LOG --log-prefix 'IPTABLES: '
iptables -A FORWARD -j LOG --log-prefix 'IPTABLES: '
但是我没有看到任何带有 kern.log 的 icmp 相关包。
答案1
感谢 Rafał Ramocki - 解决方案很简单 - 您必须关闭 eth2 接口上的 rp_filter-ing:
echo 0 > /proc/sys/net/ipv4/conf/eth2/rp_filter
来自内核文档:
rp_filter
---------
Integer value determines if a source validation should be made. 1 means yes, 0
means no. Disabled by default, but local/broadcast address spoofing is always
on.
If you set this to 1 on a router that is the only connection for a network to
the net, it will prevent spoofing attacks against your internal networks
(external addresses can still be spoofed), without the need for additional
firewall rules.
虽然它可以很好地防止欺骗攻击(至少是某些攻击),但如果您有更多的互联网连接,它肯定会损害某些功能。