Ping fails.

I'm a novice sysadmin working with a CentOS server that masquerades traffic; the client machine also runs CentOS. The tables have become somewhat confused and my client no longer has internet connectivity.

I'm trying to get ping requests working and have identified where the traffic fails, but I don't understand the configuration well enough to know what to do next. Would a quick look at my tables reveal anything unusual to a more experienced sysadmin?


Ping fails.

1. Server.

IP=98.139.183.24 ; _ tcpdump -i any "dst host $IP or src host $IP"

2. Client.

» IP=98.139.183.24; ping $IP
PING 98.139.183.24 (98.139.183.24) 56(84) bytes of data

3. Server.

For normal operation I should be seeing responses, which makes me suspect a problem with the iptables configuration on the master node.

Note: b6 maps to 10.0.2.6 in /etc/hosts.

» IP=98.139.183.24 ; _ tcpdump -i any "dst host $IP or src host $IP"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
20:07:38.553547 IP b6 > ir2.fp.vip.bf1.yahoo.com: ICMP echo request, id 3120, seq 1, length 64
20:07:38.553580 IP b6 > ir2.fp.vip.bf1.yahoo.com: ICMP echo request, id 3120, seq 1, length 64
20:07:39.552969 IP b6 > ir2.fp.vip.bf1.yahoo.com: ICMP echo request, id 3120, seq 2, length 64
20:07:39.552983 IP b6 > ir2.fp.vip.bf1.yahoo.com: ICMP echo request, id 3120, seq 2, length 64
20:07:40.552963 IP b6 > ir2.fp.vip.bf1.yahoo.com: ICMP echo request, id 3120, seq 3, length 64
20:07:40.552975 IP b6 > ir2.fp.vip.bf1.yahoo.com: ICMP echo request, id 3120, seq 3, length 64
^C
6 packets captured
6 packets received by filter

Configuration.

Note: I have edited these to suit my configuration so that they can help anyone who runs into the same problem in the future.

Server.

IP address

~ » ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: p2p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 90:e2:ba:21:b8:10 brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.0/8 brd 10.255.255.255 scope global p2p1
    inet6 fe80::92e2:baff:fe21:b810/64 scope link 
       valid_lft forever preferred_lft forever
3: p2p2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 90:e2:ba:21:b8:11 brd ff:ff:ff:ff:ff:ff
    inet <ext IP>/24 brd <ext ip prefix>.255 scope global p2p2
    inet6 2001:468:c80:2106:92e2:baff:fe21:b811/64 scope global dynamic 
       valid_lft 2591809sec preferred_lft 604609sec
    inet6 fe80::92e2:baff:fe21:b811/64 scope link 
       valid_lft forever preferred_lft forever
4: p2p3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN qlen 1000
    link/ether 90:e2:ba:21:b8:14 brd ff:ff:ff:ff:ff:ff
5: p2p4: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN qlen 1000
    link/ether 90:e2:ba:21:b8:15 brd ff:ff:ff:ff:ff:ff
6: em1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN qlen 1000
    link/ether d4:ae:52:99:8c:29 brd ff:ff:ff:ff:ff:ff
7: em2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN qlen 1000
    link/ether d4:ae:52:99:8c:2a brd ff:ff:ff:ff:ff:ff

Routes

~ » ip route
<ext ip prefix>.0/24 dev p2p2  proto kernel  scope link  src <ext ip>
<prefix 1>.0.0/16 dev p2p1  scope link  metric 1002 
<prefix 1>.0.0/16 dev p2p2  scope link  metric 1003 
10.0.0.0/8 dev p2p1  proto kernel  scope link  src 10.0.1.0 
default via <ext ip prefix>.1 dev p2p2  proto static

iptables.

~ » _ iptables -t filter -L -v -n
Chain INPUT (policy ACCEPT 3715K packets, 531M bytes)
 pkts bytes target     prot opt in     out     source               destination         
  76M  111G fail2ban-SSH  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 
 151M  183G ACCEPT     all  --  p2p2   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
  38M 6612M ACCEPT     all  --  p2p1   *       0.0.0.0/0            0.0.0.0/0           
1604K  101M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 1923  142K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 755K   62M ACCEPT     all  --  p2p1   p2p2    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  p2p2   p2p1    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 171M packets, 35G bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain fail2ban-SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  76M  111G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0 

~ » _ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 1733K packets, 974M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 1722K packets, 973M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 10956 packets, 892K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 1989K packets, 201M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 2001K packets, 202M bytes)
 pkts bytes target     prot opt in     out     source               destination     

~ » _ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 26992 packets, 6507K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 10234 packets, 954K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 532K   54M  MASQUERADE  all  --  *      p2p2       10.0.0.0/8           0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 3229 packets, 394K bytes)
 pkts bytes target     prot opt in     out     source               destination

ip_forward: yes

» cat /proc/sys/net/ipv4/ip_forward
1

» cat /etc/sysctl.conf | grep ip_forward
net.ipv4.ip_forward = 1

Client: 10.0.2.6

IP address

~ » ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 18:03:73:0d:89:15 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.6/8 brd 10.0.0.255 scope global em1
    inet6 fe80::1a03:73ff:fe0d:8915/64 scope link 
       valid_lft forever preferred_lft forever
3: em2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 18:03:73:0d:89:17 brd ff:ff:ff:ff:ff:ff

IP routes.

~ » ip route
<prefix 1>.0.0/16 dev em1  scope link  metric 1002 
10.0.0.0/8 dev em1  proto kernel  scope link  src 10.0.2.6 
default via 10.0.1.0 dev em1

iptables.

» _ iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
~ » _ iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
~ » _ iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Answer 1

From the tcpdump output, the packets are being forwarded to the destination but nothing comes back. That is not surprising, because the rule in your POSTROUTING chain is broken:

Chain POSTROUTING (policy ACCEPT 10234 packets, 954K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 532K   54M            all  --  *      *       10.0.0.0/8           0.0.0.0/0 

The rule's target is missing. That target should probably be SNAT or MASQUERADE. Without it the packets' source address is not rewritten, which causes the pinged server to reply to 10.0.2.6 (which is not routable) instead of to the server's IP.

Answer 2

If I understand correctly, this problem has two parts:

1: The box you want to PAT/route through has no iptables masquerade configured. On the PAT/masquerading internet-facing router:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

2) The clients want all their traffic to appear as coming from the remote masquerading router, so all clients must use this internet router as their default gateway. The clients can make all their traffic appear to come from there, but they need a route telling them to do so: a default route must be set on the clients telling them to send their traffic there:

ip route del default
ip route add default via ip-of-masq'ing-router

Answer 3

I can't comment to ask you for clarification of your question, so I'll put those questions here. In any case, you haven't given enough information to answer this question. I suspect that your masquerading is not working, but I can't be sure.

First, in the tcpdump output there is a name, "b6"; what is that? Since I don't think that is a name on the internet, it may be that your private IP address is leaking onto the internet, and if that is true your MASQUERADE is not working. In any case, it is better to use the -n option so that IP addresses are not translated into DNS names, because in this case the DNS names are meaningless.

Next, your iptables listing is incomplete. Dumping the additional information with the -v option would help a lot, because with that option I could confirm or refute the hypothesis that your private IP addresses are leaking onto the internet. Also use the -n option so that no reverse DNS lookups are performed.

Finally, you removed IP addresses from the routing table and did not explain your topology. By doing that you have also removed information that could potentially help debug the problem.

Also, off-topic: the ip command is better suited to Linux than the ifconfig/route combination.
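
Answer 1 and Answer 3 come down to the same question: does the echo request leave p2p2 with 10.0.2.6 still as its source? With `tcpdump -n -i any` every forwarded packet is seen twice, once as it arrives on p2p1 and once as it leaves p2p2, and the outgoing copy is taken after the nat POSTROUTING chain has run, so a working MASQUERADE shows up as a second copy whose source is the external address. In the capture in the question both copies still say `b6`, which is exactly the symptom Answer 1 describes. The following Python is an added example, not code from the question or from any of the answers: it runs that comparison over constructed sample lines modelled on the question's capture (with `-n`, so `b6` appears as 10.0.2.6), and separately audits an `iptables -t nat -L -v -n` listing for a POSTROUTING rule whose target column is empty. The address 203.0.113.7 is a documentation address standing in for `<ext ip>`, the sample listings are constructed, and the function names are my own.

```python
import ipaddress
import re
from collections import defaultdict

# RFC 1918 space. An echo request that leaves the outside interface with one of
# these as its source cannot get a reply back (Answer 1's point).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# tcpdump's ICMP summary line as printed with -n (addresses, not names).
ECHO_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Protocol names that belong in the 4th column of an `iptables -v` listing; if one
# of them turns up in the 3rd (target) column, the rule has no target at all.
PROTOCOLS = {"all", "tcp", "udp", "udplite", "icmp", "esp", "ah", "sctp"}

# Constructed sample modelled on the capture in the question (b6 = 10.0.2.6): with
# -i any each forwarded probe appears twice, entering and leaving, and here both
# copies still carry the client's private source.
BROKEN_CAPTURE = """\
20:07:38.553547 IP 10.0.2.6 > 98.139.183.24: ICMP echo request, id 3120, seq 1, length 64
20:07:38.553580 IP 10.0.2.6 > 98.139.183.24: ICMP echo request, id 3120, seq 1, length 64
20:07:39.552969 IP 10.0.2.6 > 98.139.183.24: ICMP echo request, id 3120, seq 2, length 64
20:07:39.552983 IP 10.0.2.6 > 98.139.183.24: ICMP echo request, id 3120, seq 2, length 64
"""

# Constructed sample of a working masquerade: the outgoing copy is captured after
# POSTROUTING, so it shows the router's external address (203.0.113.7 stands in
# for <ext ip>), and the reply is un-NATed back to the client on the way in.
GOOD_CAPTURE = """\
20:07:38.553547 IP 10.0.2.6 > 98.139.183.24: ICMP echo request, id 3120, seq 1, length 64
20:07:38.553580 IP 203.0.113.7 > 98.139.183.24: ICMP echo request, id 3120, seq 1, length 64
20:07:38.590112 IP 98.139.183.24 > 203.0.113.7: ICMP echo reply, id 3120, seq 1, length 64
20:07:38.590130 IP 98.139.183.24 > 10.0.2.6: ICMP echo reply, id 3120, seq 1, length 64
"""

# Constructed nat listings: the target-less rule Answer 1 quotes, and a fixed one.
NAT_BROKEN = """\
Chain PREROUTING (policy ACCEPT 26992 packets, 6507K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 10234 packets, 954K bytes)
 pkts bytes target     prot opt in     out     source               destination
 532K   54M            all  --  *      *       10.0.0.0/8           0.0.0.0/0

Chain OUTPUT (policy ACCEPT 3229 packets, 394K bytes)
 pkts bytes target     prot opt in     out     source               destination
"""
NAT_FIXED = """\
Chain POSTROUTING (policy ACCEPT 10234 packets, 954K bytes)
 pkts bytes target     prot opt in     out     source               destination
 532K   54M MASQUERADE  all  --  *      p2p2    10.0.0.0/8           0.0.0.0/0
"""


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def analyse_capture(capture: str) -> dict:
    """Group echo requests by (id, seq). A probe is 'rewritten' if some copy of
    it carries a non-private source and 'not_rewritten' if every copy is still
    RFC 1918 space. Replies are counted as evidence that anything came back."""
    sources = defaultdict(set)
    replies = 0
    for line in capture.splitlines():
        m = ECHO_RE.match(line)
        if not m:
            continue
        if m["kind"] == "reply":
            replies += 1
            continue
        sources[(int(m["id"]), int(m["seq"]))].add(m["src"])
    rewritten = sorted(k for k, s in sources.items() if any(not is_rfc1918(a) for a in s))
    stuck = sorted(k for k, s in sources.items() if all(is_rfc1918(a) for a in s))
    return {"probes": len(sources), "rewritten": rewritten,
            "not_rewritten": stuck, "replies": replies}


def audit_postrouting(listing: str, egress: str) -> dict:
    """Within the POSTROUTING chain of an `iptables -t nat -L -v -n` listing,
    collect rules whose target column is empty and rules that really rewrite
    the source (SNAT/MASQUERADE) on the given egress interface (or on any)."""
    in_chain = False
    missing_target, snat_rules = [], []
    for line in listing.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == "POSTROUTING"
            continue
        cols = line.split()
        if not in_chain or not cols or cols[0] == "pkts":
            continue
        # -v columns: pkts bytes target prot opt in out source destination ...
        if cols[2].lower() in PROTOCOLS or cols[2].isdigit():
            missing_target.append(line.strip())  # protocol slid into the target column
        elif cols[2] in ("SNAT", "MASQUERADE") and cols[6] in (egress, "*"):
            snat_rules.append(line.strip())
    return {"missing_target": missing_target, "snat_rules": snat_rules}


def diagnose(capture: str, nat_listing: str, egress: str) -> list:
    """Combine both checks into the findings a reader of the question wants."""
    cap, nat = analyse_capture(capture), audit_postrouting(nat_listing, egress)
    findings = []
    if cap["not_rewritten"]:
        findings.append(f"{len(cap['not_rewritten'])} probe(s) left with a private source; no reply possible")
    if nat["missing_target"]:
        findings.append("POSTROUTING rule without a target: " + nat["missing_target"][0])
    if not nat["snat_rules"]:
        findings.append(f"no SNAT/MASQUERADE rule for outgoing interface {egress}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(BROKEN_CAPTURE, NAT_BROKEN, "p2p2"):
        print("FINDING:", finding)
    print("fixed setup findings:", diagnose(GOOD_CAPTURE, NAT_FIXED, "p2p2"))
```

To use it on a live box, feed `analyse_capture` the output of `tcpdump -n -i any icmp` taken on the router while the client pings, and `audit_postrouting` the output of `iptables -t nat -L -v -n` with the name of the outside interface. Two caveats: the capture check assumes `-n`, since with names a private address can hide behind an `/etc/hosts` entry like `b6`; and a rule that is present but never matched (counters stuck at zero, or bound to the wrong `out` interface) is a separate failure that the capture will still expose as probes that are never rewritten.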
