为什么 iptables SNAT 无助于回答 vlan 标记子网上的 ARP?

tag-icon tag-icon iptables routing vlan ubuntu-14.04 arp
为什么 iptables SNAT 无助于回答 vlan 标记子网上的 ARP?

我正在使用 iptables SNAT 在 Linux 机器上设置“路由器”,它应该对 2 个子网进行 NAT。一个未标记的子网 10.0.10.0/24,另一个是 vlan 标记的子网 172.16.0.0/24。两个子网都来自 Linux 机器上接口 em2 的交换机,接口 em1 连接到互联网。拓扑如下所示:

                                                     linux box
  client                                 switch      |--------|
  |-----|  eth1 untagged: 10.0.10.4/24   |----|      |        |
  |     |--------------------------------|    |------|em2  em1|----- internet
  |_____|  eth1 vid 103:  172.16.0.4/24  |____|      |        |
                                                     |________|

我使用以下命令来设置 iptables。

iptables -F
iptables -F -t nat
iptables -F -t mangle

sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING  -o em1 -j SNAT --to-source 137.58.251.244

执行这些 iptables 命令后,客户端机器可以通过未标记的子网 ping 外部世界,但 vlan 标记的子网将会失败。

[root@bootstrap ~]# ping 91.189.88.141 -I eth1 -c 1
PING 91.189.88.141 (91.189.88.141) from 10.0.10.7 eth1: 56(84) bytes of data.
64 bytes from 91.189.88.141: icmp_seq=1 ttl=39 time=38.5 ms

--- 91.189.88.141 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 38ms
rtt min/avg/max/mdev = 38.521/38.521/38.521/0.000 ms


[root@bootstrap ~]# ping 91.189.88.141 -I eth1.103 -c 1
PING 91.189.88.141 (91.189.88.141) from 172.16.0.4 eth1.103: 56(84) bytes of data.
From 172.16.0.4 icmp_seq=1 Destination Host Unreachable

--- 91.189.88.141 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 3004ms

如果我们检查 Linux 机器,似乎 arp 请求来自接口 em2,但是 iptables 没有响应 apr 请求。

root@vRAN-244:~# tcpdump -i em2 -ne -vvv host 91.189.88.141
tcpdump: WARNING: em2: no IPv4 address assigned
tcpdump: listening on em2, link-type EN10MB (Ethernet), capture size 65535 bytes
15:00:37.304824 00:25:90:54:22:ce > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 103, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 91.189.88.141 tell 172.16.0.4, length 42
15:00:38.306651 00:25:90:54:22:ce > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 103, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 91.189.88.141 tell 172.16.0.4, length 42
15:00:39.308640 00:25:90:54:22:ce > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 103, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 91.189.88.141 tell 172.16.0.4, length 42

3 packets captured
4 packets received by filter
0 packets dropped by kernel
root@vRAN-244:~# tcpdump -i em2.103 -ne -vvv host 91.189.88.141
tcpdump: WARNING: em2.103: no IPv4 address assigned
tcpdump: listening on em2.103, link-type EN10MB (Ethernet), capture size 65535 bytes
15:00:46.308651 00:25:90:54:22:ce > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 56: Ethernet (len 6), IPv4 (len 4), Request who-has 91.189.88.141 tell 172.16.0.4, length 42
15:00:47.310633 00:25:90:54:22:ce > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 56: Ethernet (len 6), IPv4 (len 4), Request who-has 91.189.88.141 tell 172.16.0.4, length 42
15:00:49.307858 00:25:90:54:22:ce > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 56: Ethernet (len 6), IPv4 (len 4), Request who-has 91.189.88.141 tell 172.16.0.4, length 42

我是否遗漏了 iptables 规则中的任何内容?

相关内容