我有一个问题,即专用网络流量在非常特定的情况下不会被伪装。
网络是一组使用该10.1.0.0/18网络的 VMware 来宾。
有问题的主机是10.1.4.20 255.255.192.0,它配置使用的唯一网关是10.1.63.254。网关服务器$vpnGatewayAddress应该伪装所有出站流量并通过 转发$outerGatewayAddress,但由于某种原因,10.1.4.20最终偶尔会出现$outerGatewayAddress在其路由缓存中,如下所示:
ip -s route show cache 199.16.156.40
199.16.156.40 from 10.1.4.20 via $outerGatewayAddress dev eth0
cache used 149 age 17sec ipid 0x9e49
199.16.156.40 via $outerGatewayAddress dev eth0 src 10.1.4.20
cache used 119 age 11sec ipid 0x9e49
该问题仅出现在 api.twitter.com 上
刷新缓存后,我可以再次 ping 它,并且缓存看起来很正常:
ip route flush cache 199.16.156.40
ping api.twitter.com
PING api.twitter.com (199.16.156.40) 56(84) bytes of data.
64 bytes from 199.16.156.40: icmp_req=1 ttl=247 time=93.4 ms
ip -s route show cache 199.16.156.40
199.16.156.40 from 10.1.4.20 via 10.1.63.254 dev eth0
cache age 3sec
199.16.156.40 via 10.1.63.254 dev eth0 src 10.1.4.20
cache used 2 age 2sec
应用程序服务器的网络信息(无 lo):
ip a
eth0 Link encap:Ethernet HWaddr 00:50:56:a4:48:20
inet addr:10.1.4.20 Bcast:10.1.63.255 Mask:255.255.192.0
inet6 addr: fe80::250:56ff:fea4:4820/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1523222895 errors:0 dropped:407 overruns:0 frame:0
TX packets:1444207934 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1524116772058 (1.5 TB) TX bytes:565691877505 (565.6 GB)
VPN 网关的网络信息(也没有 lo):
eth0 Link encap:Ethernet HWaddr 00:50:56:a4:56:e9
inet addr:$vpnGatewayAddress Bcast:$broadcastAddress Mask:255.255.255.192
inet6 addr: fe80::250:56ff:fea4:56e9/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7030472688 errors:0 dropped:1802 overruns:0 frame:0
TX packets:6959026084 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:7777330931859 (7.7 TB) TX bytes:7482143729162 (7.4 TB)
eth0:0 Link encap:Ethernet HWaddr 00:50:56:a4:56:e9
inet addr:10.1.63.254 Bcast:10.1.63.255 Mask:255.255.192.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth0:1 Link encap:Ethernet HWaddr 00:50:56:a4:56:e9
inet addr:10.1.127.254 Bcast:10.1.127.255 Mask:255.255.192.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.1.1 P-t-P:10.8.1.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:477047415 errors:0 dropped:0 overruns:0 frame:0
TX packets:833650386 errors:0 dropped:101834 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:89948688258 (89.9 GB) TX bytes:1050533566879 (1.0 TB)
eth0 通向外部世界,tun0 通向应用服务器所在的虚拟机的 openvpn 网络。
ip r对于 VPN 网关:
default via $outerGatewayAddress dev eth0 metric 100
10.1.0.0/18 dev eth0 proto kernel scope link src 10.1.63.254
10.1.64.0/18 dev eth0 proto kernel scope link src 10.1.127.254
10.8.1.0/24 via 10.8.1.2 dev tun0
10.8.1.2 dev tun0 proto kernel scope link src 10.8.1.1
10.9.0.0/28 via 10.8.1.2 dev tun0
$addressEndingWithAZero/26 dev eth0 proto kernel scope link src $vpnGatewayAddress
ip r在应用程序服务器上:
default via 10.1.63.254 dev eth0 metric 100
10.1.0.0/18 dev eth0 proto kernel scope link src 10.1.4.20
防火墙规则:
Chain PREROUTING (policy ACCEPT 380M packets, 400G bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 127M packets, 9401M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1876K packets, 137M bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 223M packets, 389G bytes)
pkts bytes target prot opt in out source destination
32M 1921M MASQUERADE all -- * eth0 10.1.0.0/17 0.0.0.0/0
重定向配置:
sysctl net.ipv4.conf.all.send_redirects
net.ipv4.conf.all.send_redirects = 1
sysctl net.ipv4.conf.eth0.send_redirects
net.ipv4.conf.eth0.send_redirects = 1
sysctl net.ipv4.conf.tun0.send_redirects
net.ipv4.conf.tun0.send_redirects = 1
为什么化装舞会有时会失败?我怎样才能防止这种情况发生?
答案1
正如评论中所讨论的,问题似乎是 VPN 网关错误地将 ICMP 重定向发送到应用程序服务器,因为将 sysctl 设置net.ipv4.conf.all.send_redirects和/或设置net.ipv4.conf.eth0.send_redirects为 0 似乎已经解决了问题。
我不知道为什么 VPN 网关会告诉应用程序服务器通过外部网关,如果不通过 VPN 服务器,应用程序服务器就无法到达该外部网关。