%20%E6%97%B6%E6%9F%90%E4%BA%9B%E5%9C%B0%E5%9D%80%E5%AE%8C%E5%85%A8%E6%97%A0%E6%B3%95%E8%AE%BF%E9%97%AE.png)
我有一个有两个 IP 地址的服务器。主 IP 地址是 81.21.136.5。后来我用 添加了 81.21.136.8 ifconfig eth0:1 81.21.136.8 up。
一切正常。除了某些地址无法访问。我无法从我的服务器访问这些地址,并且这些机器无法以类似的方式访问我的服务器。如果我eth0:1删除ifconfig eth0:1 down
说实话,我不知道出了什么问题。
首先,让我向您展示一个到随机工作地址的“正常”(缩写)跟踪路由:
[~]# traceroute arp242.net
traceroute to arp242.net (94.142.245.225), 30 hops max, 40 byte packets
1 son-er-dc1.signet.nl (81.21.136.254) 0.681 ms 0.540 ms 0.820 ms
2 ams-er8-sara.v92.signet.nl (217.21.246.50) 12.668 ms 14.177 ms 14.856 ms
3 amsix.true.nl (195.69.144.171) 1.973 ms 2.212 ms 2.208 ms
[...etc...]
现在跟踪路由到一个“损坏的”地址:
[~]# traceroute 81.204.228.205
traceroute to 81.204.228.205 (81.204.228.205), 30 hops max, 40 byte packets
1 vps-aragorn0.signet.nl (81.21.136.8) 3002.364 ms !H 3002.368 ms !H 3002.067 ms !H
第一步从 81.21.136.8 开始。为什么?为什么只针对(据我所知)这一特定地址块?
eth0:1这是将状态设置为关闭后到同一“损坏”地址的(完整)跟踪路由:
[~]# traceroute 81.204.228.205
traceroute to 81.204.228.205 (81.204.228.205), 30 hops max, 40 byte packets
1 son-er-dc1.signet.nl (81.21.136.254) 0.610 ms 0.791 ms 0.842 ms
2 ams-er8-sara.v92.signet.nl (217.21.246.50) 2.169 ms 3.123 ms 3.996 ms
3 iawxsrt-rt2.bb21.wxs.nl (195.69.144.62) 4.554 ms 4.554 ms 4.508 ms
4 nl-rt-dc2-gsi-cr01b.kpn.net (213.75.64.187) 4.351 ms nl-rt-dc2-isp-cr01a.wxs.nl (213.75.64.25) 4.425 ms nl-rt-dc2-gsi-cr01b.kpn.net (213.75.64.23) 4.207 ms
5 nl-asd-dc2-gsi-cr01a.kpn.net (213.75.64.67) 4.499 ms 4.983 ms 4.499 ms
6 213.75.14.140 (213.75.14.140) 4.983 ms nl-asd-dc2-gsi-br01a.kpn.net (213.75.14.1) 4.499 ms nl-asd-dc2-isp-bb21.wxs.nl (213.75.14.76) 4.983 ms
7 iawxsrt-dc2-acc04.wxs.nl (213.75.1.70) 4.983 ms 213.75.1.14 (213.75.1.14) 4.951 ms 213.75.1.62 (213.75.1.62) 4.685 ms
任何建议都将非常感谢!
有关系统配置的一些信息:
[~]% uname -a
Linux vps-aragorn0 2.6.18-238.9.1.el5 #1 SMP Tue Apr 12 18:10:13 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
[/etc]% cat /etc/issue
CentOS release 5.6 (Final)
Kernel \r on an \m
[~]# netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
81.21.136.0 * 255.255.255.0 U 0 0 0 eth0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth0
81.0.0.0 * 255.0.0.0 U 0 0 0 eth0
default son-er-dc1.sign 0.0.0.0 UG 0 0 0 eth0
[~]# service iptables status
Table: filter
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2844
8 ACCEPT tcp -- 80.246.203.133 0.0.0.0/0 tcp dpt:3306
9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain RH-Firewall-1-INPUT (0 references)
num target prot opt source destination
[~]# ifconfig -a
eth0 Link encap:Ethernet HWaddr 52:54:00:23:6C:9F
inet addr:81.21.136.5 Bcast:81.21.136.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:63276899 errors:0 dropped:1113 overruns:0 frame:0
TX packets:28898565 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6736496489 (6.2 GiB) TX bytes:30255467302 (28.1 GiB)
Interrupt:10 Base address:0xa000
eth0:1 Link encap:Ethernet HWaddr 52:54:00:23:6C:9F
inet addr:81.21.136.8 Bcast:81.255.255.255 Mask:255.0.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:10 Base address:0xa000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:4656156 errors:0 dropped:0 overruns:0 frame:0
TX packets:4656156 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:7034068633 (6.5 GiB) TX bytes:7034068633 (6.5 GiB)
答案1
你的路由表中有以下内容:
81.0.0.0 * 255.0.0.0 U 0 0 0 eth0
为 上的 IP 地址指定正确的网络掩码eth0:0,否则它似乎使用/8网络掩码,因此每个到以 81 开头的 IP 地址的连接都将被视为在同一个广播域内,并且请求将不会被发送到默认网关,而是尝试进行连接,就好像它与您的网络接口位于同一区域一样。
将 IP 地址的网络掩码更改为eth0:0正确的网络掩码即可解决此问题。