我在托管一些无头 VirtualBox 虚拟机的系统上进行转发时遇到问题。我没有更改任何内容,但配置已停止工作。虚拟机在自己的子网上有 IP 地址,我必须将其路由到自己。因此主机有它的 IP 和网关,以及一个由虚拟机用作网关的别名。
主机配置:
root@greece:~# ifconfig
eth0 Link encap:Ethernet HWaddr 0c:c4:7a:02:5d:36
inet addr:192.99.46.35 Bcast:192.99.46.255 Mask:255.255.255.0
inet6 addr: 2607:5300:60:5123::/64 Scope:Global
inet6 addr: fe80::ec4:7aff:fe02:5d36/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:31246 errors:0 dropped:35 overruns:0 frame:0
TX packets:5818 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:30002593 (28.6 MiB) TX bytes:3268821 (3.1 MiB)
Memory:fb920000-fb940000
eth0:0 Link encap:Ethernet HWaddr 0c:c4:7a:02:5d:36
inet addr:198.50.241.112 Bcast:198.50.241.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Memory:fb920000-fb940000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:2191 errors:0 dropped:0 overruns:0 frame:0
TX packets:2191 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2781224 (2.6 MiB) TX bytes:2781224 (2.6 MiB)
root@greece:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.99.46.254 0.0.0.0 UG 0 0 0 eth0
192.99.46.0 * 255.255.255.0 U 0 0 0 eth0
198.50.241.0 * 255.255.255.0 U 0 0 0 eth0
root@greece:~# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1088 987K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1 84 ACCEPT all -- * * 198.50.241.0/24 0.0.0.0/0
1 60 ACCEPT all -- * * 0.0.0.0/0 198.50.241.0/24
1 72 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 ctstate NEW
40 13120 UDP udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
0 0 TCP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x02 ctstate NEW
40 13120 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable
Chain FORWARD (policy ACCEPT 109 packets, 7776 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 854 packets, 1879K bytes)
pkts bytes target prot opt in out source destination
Chain TCP (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain UDP (1 references)
pkts bytes target prot opt in out source destination
root@greece:~# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
这个配置应该可以工作。我可以从虚拟机访问主机的主 IP (192.99.46.35)。当我尝试 ping 主机网关 (192.99.46.254) 时,我得到了一个有趣的响应。
root@minecraft:~# ping -c 2 192.99.46.254
PING 192.99.46.254 (192.99.46.254) 56(84) bytes of data.
From 198.50.241.112: icmp_seq=1 Redirect Host(New nexthop: 192.99.46.254)
64 bytes from 192.99.46.254: icmp_req=1 ttl=254 time=47.1 ms
--- 192.99.46.254 ping statistics ---
2 packets transmitted, 1 received, 50% packet loss, time 1002ms
rtt min/avg/max/mdev = 47.134/47.134/47.134/0.000 ms
root@minecraft:~# ping -c 2 192.99.46.254
PING 192.99.46.254 (192.99.46.254) 56(84) bytes of data.
From 198.50.241.115 icmp_seq=1 Destination Host Unreachable
From 198.50.241.115 icmp_seq=2 Destination Host Unreachable
--- 192.99.46.254 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1011ms
pipe 2
它响应重定向主机,然后主机无法访问。据我所知,它应该有效。配置没有改变。来宾虚拟机的配置非常简单......
root@minecraft:~# ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:8e:9b:2b
inet addr:198.50.241.115 Bcast:198.50.241.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe8e:9b2b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:750 errors:0 dropped:0 overruns:0 frame:0
TX packets:336 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:79663 (77.7 KiB) TX bytes:30405 (29.6 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:48 errors:0 dropped:0 overruns:0 frame:0
TX packets:48 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4405 (4.3 KiB) TX bytes:4405 (4.3 KiB)
root@minecraft:~# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 198.50.241.112 0.0.0.0 UG 0 0 0 eth0
localnet * 255.255.255.0 U 0 0 0 eth0
注意:刷新 IP 表并将输入策略设置为接受不会改变任何内容。这不是 NAT 配置,客人有正确的互联网地址。
答案1
解决这个问题很简单,只需从我的主机禁用 ICMP 重定向即可。我不知道为什么它在运行很长时间没有问题后开始发送它们。不过,可以通过 sysctl 进行一些简单的更改来避免该问题。
root@greece:~# sysctl -w net/ipv4/conf/eth0/accept_redirects=0
net.ipv4.conf.eth0.accept_redirects = 0
root@greece:~# sysctl -w net/ipv4/conf/eth0/send_redirects=0
net.ipv4.conf.eth0.send_redirects = 0
这些更改可以反映在 /etc/sysctl.conf 中,并防止这种情况发生。