在我的场景中,我有以下 2 台 debian 服务器:第一台是我的主 openvpn 服务器,它有 2 个 NICS 活动 eth0(172.25.156.146)和 eth3(172.26.16.1) - 第二台服务器也有 2 个 NICS 活动 eth0 172.26.16.16 和 eth1 10.77.144.75。两台服务器都直接连接到 172.26.16.0/24。
我的局域网中的一些服务/服务器只能从第二台服务器访问(因此是直接连接),为了使这些内部服务器/服务可以从主服务器(172.25.156.146)访问,已启用以下规则:
在主服务器上:
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 172.25.156.145 0.0.0.0 UG 0 0 0 eth0
10.77.144.0 172.26.16.16 255.255.255.0 UG 0 0 0 eth3 # internal servers range
10.250.250.0 0.0.0.0 255.255.255.0 U 0 0 0 tap3
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
172.16.16.0 0.0.0.0 255.255.255.0 U 0 0 0 tap1
172.17.17.0 0.0.0.0 255.255.255.0 U 0 0 0 tap5
172.25.132.0 172.25.156.145 255.255.255.128 UG 0 0 0 eth0
172.25.156.144 0.0.0.0 255.255.255.248 U 0 0 0 eth0
172.26.16.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3 #route back
到第二台服务器
172.31.249.0 0.0.0.0 255.255.255.0 U 0 0 0 tap4
192.168.0.0 192.168.0.1 255.255.255.0 UG 0 0 0 tap6
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tap6
192.168.88.0 192.168.88.2 255.255.255.0 UG 0 0 0 tun0
192.168.88.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.200.0 192.168.200.1 255.255.255.0 UG 0 0 0 tap2
192.168.200.0 0.0.0.0 255.255.255.0 U 0 0 0 tap2
192.168.200.100 192.168.200.1 255.255.255.255 UGH 0 0 0 tap2
/proc/sys/net/ipv4/ip_forward = 1
iptables rules (even though it is not relevant)
Chain INPUT (policy ACCEPT 24M packets, 15G bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 16463 packets, 985K bytes)
pkts bytes target prot opt in out source destination
252 15593 ACCEPT all -- tun0 eth0 192.168.88.0/24 10.77.128.0/24 ctstate NEW
1671K 742M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- tun0 eth0 192.168.88.0/24 10.77.120.0/24 ctstate NEW
Chain OUTPUT (policy ACCEPT 16M packets, 18G bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.88.0/24 10.77.128.0/24 ctstate NEW
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.88.0/24 10.77.120.0/24 ctstate NEW
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
在第二台服务器上
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.0.0.0 10.77.144.1 255.0.0.0 UG 0 0 0 eth1
10.77.144.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1 # towards the internal servers
172.25.132.0 10.77.144.1 255.255.255.128 UG 0 0 0 eth1
172.26.16.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 # route back to the main server
192.168.88.0 172.26.16.1 255.255.255.0 UG 0 0 0 eth0
iptables 规则:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
DROP all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:telnet state NEW
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2330 127K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
41784 2293K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
14 840 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
947 149K DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4346 833K ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
9 512 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23 state NEW
0 0 ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
10620 879K ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1 eth1 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 47570 packets, 19M bytes)
pkts bytes target prot opt in out source destination
并且已启用 IP 转发。
问题:我无法从主服务器 ping 通内部服务器,但我可以从第二台服务器 ping 通。任何帮助都将不胜感激。
答案1
下面解决了上述问题(如果在第二台服务器上执行):
root@armittage:~# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
root@armittage:~# iptables -A FORWARD -i eth1 -j ACCEPT
root@armittage:~# iptables -A FORWARD -i eth0 -j ACCEPT
root@armittage:~# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE –