Masquerade sometimes doesn't work


I have a problem where private network traffic is not being masqueraded under very specific circumstances.

The network is a set of VMware guests using the 10.1.0.0/18 network.

The host in question is 10.1.4.20 255.255.192.0, and the only gateway it is configured to use is 10.1.63.254. The gateway server $vpnGatewayAddress should masquerade all outbound traffic and forward it via $outerGatewayAddress, but for some reason 10.1.4.20 occasionally ends up with $outerGatewayAddress in its route cache, like so:

ip -s route show cache 199.16.156.40
199.16.156.40 from 10.1.4.20 via $outerGatewayAddress dev eth0
    cache  used 149 age 17sec ipid 0x9e49
199.16.156.40 via $outerGatewayAddress dev eth0  src 10.1.4.20
    cache  used 119 age 11sec ipid 0x9e49

The problem only shows up for api.twitter.com.

After flushing the cache I can ping it again, and the cache looks normal:

ip route flush cache 199.16.156.40

ping api.twitter.com
PING api.twitter.com (199.16.156.40) 56(84) bytes of data.
64 bytes from 199.16.156.40: icmp_req=1 ttl=247 time=93.4 ms

ip -s route show cache 199.16.156.40
199.16.156.40 from 10.1.4.20 via 10.1.63.254 dev eth0
    cache  age 3sec
199.16.156.40 via 10.1.63.254 dev eth0  src 10.1.4.20
    cache  used 2 age 2sec

Network information for the application server (without lo):

ip a

eth0      Link encap:Ethernet  HWaddr 00:50:56:a4:48:20
          inet addr:10.1.4.20  Bcast:10.1.63.255  Mask:255.255.192.0
          inet6 addr: fe80::250:56ff:fea4:4820/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1523222895 errors:0 dropped:407 overruns:0 frame:0
          TX packets:1444207934 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1524116772058 (1.5 TB)  TX bytes:565691877505 (565.6 GB)

Network information for the VPN gateway (also without lo):

 eth0      Link encap:Ethernet  HWaddr 00:50:56:a4:56:e9
           inet addr:$vpnGatewayAddress  Bcast:$broadcastAddress  Mask:255.255.255.192
           inet6 addr: fe80::250:56ff:fea4:56e9/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:7030472688 errors:0 dropped:1802 overruns:0 frame:0
           TX packets:6959026084 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:7777330931859 (7.7 TB)  TX bytes:7482143729162 (7.4 TB)

 eth0:0    Link encap:Ethernet  HWaddr 00:50:56:a4:56:e9
           inet addr:10.1.63.254  Bcast:10.1.63.255  Mask:255.255.192.0
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

 eth0:1    Link encap:Ethernet  HWaddr 00:50:56:a4:56:e9
           inet addr:10.1.127.254  Bcast:10.1.127.255  Mask:255.255.192.0
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

 tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
           inet addr:10.8.1.1  P-t-P:10.8.1.2  Mask:255.255.255.255
           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
           RX packets:477047415 errors:0 dropped:0 overruns:0 frame:0
           TX packets:833650386 errors:0 dropped:101834 overruns:0 carrier:0
           collisions:0 txqueuelen:100
           RX bytes:89948688258 (89.9 GB)  TX bytes:1050533566879 (1.0 TB)

eth0 goes to the outside world; tun0 goes to the openvpn network of the VMs where the application servers live.

ip r for the VPN gateway:

default via $outerGatewayAddress dev eth0  metric 100
10.1.0.0/18 dev eth0  proto kernel  scope link  src 10.1.63.254
10.1.64.0/18 dev eth0  proto kernel  scope link  src 10.1.127.254
10.8.1.0/24 via 10.8.1.2 dev tun0
10.8.1.2 dev tun0  proto kernel  scope link  src 10.8.1.1
10.9.0.0/28 via 10.8.1.2 dev tun0
$addressEndingWithAZero/26 dev eth0  proto kernel  scope link  src $vpnGatewayAddress

ip r on the application server:

default via 10.1.63.254 dev eth0  metric 100
10.1.0.0/18 dev eth0  proto kernel  scope link  src 10.1.4.20

Firewall rules:

Chain PREROUTING (policy ACCEPT 380M packets, 400G bytes) 
pkts bytes target prot opt in out source destination 

Chain INPUT (policy ACCEPT 127M packets, 9401M bytes) 
pkts bytes target prot opt in out source destination 

Chain OUTPUT (policy ACCEPT 1876K packets, 137M bytes) 
pkts bytes target prot opt in out source destination 

Chain POSTROUTING (policy ACCEPT 223M packets, 389G bytes)
pkts bytes target prot opt in out source destination
32M 1921M MASQUERADE all -- * eth0 10.1.0.0/17 0.0.0.0/0

Redirect configuration:

sysctl net.ipv4.conf.all.send_redirects
net.ipv4.conf.all.send_redirects = 1
sysctl net.ipv4.conf.eth0.send_redirects
net.ipv4.conf.eth0.send_redirects = 1
sysctl net.ipv4.conf.tun0.send_redirects
net.ipv4.conf.tun0.send_redirects = 1

Why does masquerade sometimes fail? How can I prevent this from happening?

Answer 1

As discussed in the comments, the problem appears to be that the VPN gateway is wrongly sending ICMP redirects to the application server, since setting the sysctls net.ipv4.conf.all.send_redirects and/or net.ipv4.conf.eth0.send_redirects to 0 seems to have solved the problem.

I don't know why the VPN gateway would tell the application server to go via the outer gateway, which the application server can't reach without going through the VPN server.
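
The fix the answer describes, as an added example that is not part of the original question or answer: a small POSIX shell script that scans `ip -s route show cache` output for entries whose next hop is not the VPN gateway (the symptom shown in the question) and emits the sysctl settings that remove the cause on both sides of the link. Two points the answer leaves open, from the kernel's forwarding code and its ip-sysctl documentation: Linux generates an ICMP redirect when it forwards a packet back out the interface it arrived on (here the outer /26 and 10.1.0.0/18 both sit on the gateway's eth0), and with shared_media at its default of 1 it does not even require the new next hop to be on the sender's subnet; that redirect is sent from the forwarding path before POSTROUTING, so the MASQUERADE rule never gets a chance to hide the outer gateway. Also, send_redirects is enabled on an interface if either conf/all or conf/<if> is 1, so both must be set to 0. The outer gateway placeholder `$outerGatewayAddress` is replaced by 203.0.113.1 (a documentation address) as an assumption, and the sample route-cache text is the question's own output embedded as a constructed input.

```sh
#!/bin/sh
# Added example, not from the original question or answer.
# Detects the symptom (app-server route-cache entries that bypass the VPN
# gateway) and emits the sysctl settings that remove the cause.
# Addresses and interfaces are the ones from the question; OUTER_GW is an
# assumed stand-in (documentation range 203.0.113.0/24) for $outerGatewayAddress.

VPN_GW="10.1.63.254"     # the only gateway the app server should ever use
OUTER_GW="203.0.113.1"   # assumption: placeholder for $outerGatewayAddress

# Constructed sample inputs: the two `ip -s route show cache 199.16.156.40`
# dumps from the question, with the placeholder substituted.
SAMPLE_BAD_CACHE="199.16.156.40 from 10.1.4.20 via $OUTER_GW dev eth0
    cache  used 149 age 17sec ipid 0x9e49
199.16.156.40 via $OUTER_GW dev eth0  src 10.1.4.20
    cache  used 119 age 11sec ipid 0x9e49"

SAMPLE_GOOD_CACHE="199.16.156.40 from 10.1.4.20 via $VPN_GW dev eth0
    cache  age 3sec
199.16.156.40 via $VPN_GW dev eth0  src 10.1.4.20
    cache  used 2 age 2sec"

# Read route-cache text on stdin (live: `ip -s route show cache | ...`) and
# print every entry whose "via" next hop is not the expected gateway $1.
# Exit status: 0 if every next hop matches, 1 if any entry bypasses it.
find_bypassing_routes() {
    expected="$1"
    bad=0
    while read -r line; do
        case "$line" in
            *" via "*)
                via=$(printf '%s\n' "$line" | sed -n 's/.* via \([^ ]*\).*/\1/p')
                if [ "$via" != "$expected" ]; then
                    printf 'BYPASS: %s\n' "$line"
                    bad=1
                fi
                ;;
        esac
    done
    return "$bad"
}

# Same scan, but print only the number of bypassing entries (0 when clean).
count_bypassing_routes() {
    find_bypassing_routes "$1" | grep -c '^BYPASS:' || true
}

# Emit sysctl key=value lines for one side of the link.
#  gateway: stop sending redirects. Both conf/all and conf/<if> must be 0,
#           because the kernel enables send_redirects if EITHER is 1.
#  host:    stop honouring redirects, so a misconfigured or spoofed router
#           cannot steer traffic around the NAT/VPN gateway.
redirect_hardening_sysctl() {
    case "$1" in
        gateway)
            printf 'net.ipv4.conf.all.send_redirects=0\n'
            printf 'net.ipv4.conf.default.send_redirects=0\n'
            printf 'net.ipv4.conf.eth0.send_redirects=0\n'
            printf 'net.ipv4.conf.tun0.send_redirects=0\n'
            ;;
        host)
            printf 'net.ipv4.conf.all.accept_redirects=0\n'
            printf 'net.ipv4.conf.default.accept_redirects=0\n'
            printf 'net.ipv4.conf.eth0.accept_redirects=0\n'
            printf 'net.ipv4.conf.all.secure_redirects=0\n'
            printf 'net.ipv4.conf.eth0.secure_redirects=0\n'
            ;;
        *)
            printf 'usage: redirect_hardening_sysctl gateway|host\n' >&2
            return 2
            ;;
    esac
}

# Apply live as root, e.g. on the VPN gateway:
#   redirect_hardening_sysctl gateway | xargs -n1 sysctl -w
# and persist by writing the same lines to a file under /etc/sysctl.d/.

# Stand-alone demo on the constructed samples.
printf '%s\n' "$SAMPLE_BAD_CACHE" | find_bypassing_routes "$VPN_GW" \
    || printf 'app server has %s bypassing entries; flush with: ip route flush cache\n' \
        "$(printf '%s\n' "$SAMPLE_BAD_CACHE" | count_bypassing_routes "$VPN_GW")"
redirect_hardening_sysctl gateway
```

Run the scan on the application server against live `ip -s route show cache` output to confirm the symptom, apply the `gateway` settings on the VPN gateway, and apply the `host` settings on the guests so that a future redirect, from this gateway or from anything else on the segment, cannot pull traffic out from under the MASQUERADE rule again.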
