双 IP 转发不起作用

双 IP 转发不起作用

在我的场景中,我有以下 2 台 debian 服务器:第一台是我的主 openvpn 服务器,它有 2 个 NICS 活动 eth0(172.25.156.146)和 eth3(172.26.16.1) - 第二台服务器也有 2 个 NICS 活动 eth0 172.26.16.16 和 eth1 10.77.144.75。两台服务器都直接连接到 172.26.16.0/24。

我的局域网中的一些服务/服务器只能从第二台服务器访问(因此是直接连接),为了使这些内部服务器/服务可以从主服务器(172.25.156.146)访问,已启用以下规则:

在主服务器上:

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.25.156.145  0.0.0.0         UG        0 0          0 eth0
10.77.144.0     172.26.16.16    255.255.255.0   UG        0 0          0 eth3 # internal servers range
10.250.250.0    0.0.0.0         255.255.255.0   U         0 0          0 tap3
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
172.16.16.0     0.0.0.0         255.255.255.0   U         0 0          0 tap1
172.17.17.0     0.0.0.0         255.255.255.0   U         0 0          0 tap5
172.25.132.0    172.25.156.145  255.255.255.128 UG        0 0          0 eth0
172.25.156.144  0.0.0.0         255.255.255.248 U         0 0          0 eth0
172.26.16.0     0.0.0.0         255.255.255.0   U         0 0          0 eth3 #route back 

到第二台服务器

172.31.249.0    0.0.0.0         255.255.255.0   U         0 0          0 tap4
192.168.0.0     192.168.0.1     255.255.255.0   UG        0 0          0 tap6
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 tap6
192.168.88.0    192.168.88.2    255.255.255.0   UG        0 0          0 tun0
192.168.88.2    0.0.0.0         255.255.255.255 UH        0 0          0 tun0
192.168.200.0   192.168.200.1   255.255.255.0   UG        0 0          0 tap2
192.168.200.0   0.0.0.0         255.255.255.0   U         0 0          0 tap2
192.168.200.100 192.168.200.1   255.255.255.255 UGH       0 0          0 tap2


/proc/sys/net/ipv4/ip_forward = 1

iptables rules (even though it is not relevant)
Chain INPUT (policy ACCEPT 24M packets, 15G bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 16463 packets, 985K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  252 15593 ACCEPT     all  --  tun0   eth0    192.168.88.0/24      10.77.128.0/24       ctstate NEW
1671K  742M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  tun0   eth0    192.168.88.0/24      10.77.120.0/24       ctstate NEW

Chain OUTPUT (policy ACCEPT 16M packets, 18G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  192.168.88.0/24      10.77.128.0/24       ctstate NEW
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.88.0/24      10.77.120.0/24       ctstate NEW

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

在第二台服务器上

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.0.0.0        10.77.144.1     255.0.0.0       UG        0 0          0 eth1
10.77.144.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1 # towards the internal servers
172.25.132.0    10.77.144.1     255.255.255.128 UG        0 0          0 eth1
172.26.16.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0 # route back to the main server
192.168.88.0    172.26.16.1     255.255.255.0   UG        0 0          0 eth0

iptables 规则:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
DROP       all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere             state NEW

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:telnet state NEW
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination   

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2330  127K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
41784 2293K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   14   840 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
  947  149K DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 4346  833K ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    9   512 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23 state NEW
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
10620  879K ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  eth1   eth1    0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 47570 packets, 19M bytes)
 pkts bytes target     prot opt in     out     source               destination    

并且已启用 IP 转发。

问题:我无法从主服务器 ping 通内部服务器,但我可以从第二台服务器 ping 通。任何帮助都将不胜感激。

答案1

下面解决了上述问题(如果在第二台服务器上执行):

root@armittage:~# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
root@armittage:~# iptables -A FORWARD -i eth1 -j ACCEPT
root@armittage:~# iptables -A FORWARD -i eth0 -j ACCEPT
root@armittage:~# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE –

相关内容