Cannot ping the internal interface


I have a CentOS 7 gateway. When I specify the interface, a ping to its internal interface gets no reply at all, which makes me think something is wrong; but even when ping does work, I also cannot ping anything on the internal network.

ping 10.20.1.7 -I enp0s25
PING 10.20.1.7 (10.20.1.7) from 10.20.1.7 enp0s25: 56(84) bytes of data.
^C
--- 10.20.1.7 ping statistics ---
52 packets transmitted, 0 received, 100% packet loss, time 50999ms

It works without specifying the interface

ping 10.20.1.7
PING 10.20.1.7 (10.20.1.7) 56(84) bytes of data.
64 bytes from 10.20.1.7: icmp_seq=1 ttl=64 time=0.052 ms
64 bytes from 10.20.1.7: icmp_seq=2 ttl=64 time=0.029 ms
^C
--- 10.20.1.7 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.029/0.040/0.052/0.013 ms

or by addressing the interface via its IP (thanks @Gerard H. Pille)

ping 10.20.1.7 -I 10.20.1.7
PING 10.20.1.7 (10.20.1.7) from 10.20.1.7 : 56(84) bytes of data.
64 bytes from 10.20.1.7: icmp_seq=1 ttl=64 time=0.050 ms
64 bytes from 10.20.1.7: icmp_seq=2 ttl=64 time=0.028 ms
64 bytes from 10.20.1.7: icmp_seq=3 ttl=64 time=0.040 ms
^C
--- 10.20.1.7 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.028/0.039/0.050/0.010 ms

Pinging the external interface also works

ping 192.168.111.247
PING 192.168.111.247 (192.168.111.247) 56(84) bytes of data.
64 bytes from 192.168.111.247: icmp_seq=1 ttl=64 time=5.13 ms
64 bytes from 192.168.111.247: icmp_seq=2 ttl=64 time=0.642 ms
64 bytes from 192.168.111.247: icmp_seq=3 ttl=64 time=0.395 ms
^C
--- 192.168.111.247 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.395/2.057/5.136/2.179 ms

I also verified that I can ping both the internal and the external IP of the gateway from a machine inside the internal network.

ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
    valid_lft forever preferred_lft forever
2: enp3s11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:02:2a:df:3a:79 brd ff:ff:ff:ff:ff:ff
    inet 192.168.111.247/24 brd 192.168.111.255 scope global dynamic enp3s11
    valid_lft 41978sec preferred_lft 41978sec
    inet6 fe80::af94:9dd0:f4a9:8dcb/64 scope link
    valid_lft forever preferred_lft forever
3: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:19:99:5d:91:46 brd ff:ff:ff:ff:ff:ff
    inet 10.20.1.7/16 brd 10.20.255.255 scope global enp0s25
    valid_lft forever preferred_lft forever
    inet6 fe80::219:99ff:fe5d:9146/64 scope link
    valid_lft forever preferred_lft forever

enp0s25 serves as the internal network interface and enp3s11 as the external interface.

arp lists the expected devices

arp
    Address                  HWtype  HWaddress           Flags Mask                                             Iface
    192.168.111.160          ether   00:15:5d:0a:0b:25   C                     enp3s11
    10.20.100.2              ether   2c:d4:44:a2:5a:4c   C                     enp0s25
    192.168.111.155          ether   90:1b:0e:6e:d1:3f   C                     enp3s11
    gateway                  ether   00:19:99:c5:f0:ad   C                     enp3s11
    10.20.1.102                      (unvollständig)                          enp0s25
    192.168.111.245          ether   00:19:99:7e:5d:81   C                     enp3s11
    192.168.111.212          ether   52:54:00:d5:d3:6d   C                     enp3s11

The firewall appears to be configured correctly and does not block ICMP

firewall-cmd --list-all --zone=external
external (active)
target: default
icmp-block-inversion: no
interfaces: enp3s11
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:

sudo firewall-cmd --list-all --zone=internal
internal (active)
target: default
icmp-block-inversion: no
interfaces: enp0s25
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

For a more complete picture, the netstat -rn output:

netstat -rn
Kernel IP Routentabelle
Ziel            Router          Genmask         Flags   MSS Fenster irtt Iface
0.0.0.0         192.168.111.14  0.0.0.0         UG        0 0          0 enp3s11
10.20.0.0       0.0.0.0         255.255.0.0     U         0 0          0 enp0s25
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 enp0s25
192.168.111.0   0.0.0.0         255.255.255.0   U         0 0          0 enp3s11

Edit:

**This was a wild goose chase, because the IPs in the internal network were repeatedly mistyped (actual: 10.20.100.x, typed 10.20..104)...**

Feeling rather stupid now.

Should this be closed?
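As an added illustration (not part of the original question or answer), the Python script below reproduces the kernel's longest-prefix route lookup over the `netstat -rn` table and the `arp` cache posted above. It shows why the routing table alone cannot reveal a mistyped internal address (10.20.1.x and 10.20.100.x both select enp0s25 as a directly connected route), whereas the "(unvollständig)" ARP entry for 10.20.1.102 is the actual signal that no host answered at layer 2. The two tables are embedded as constructed input copied from the question.

```python
import ipaddress

# Routing table and ARP cache as posted in the question (constructed input, German
# netstat headers kept verbatim; 10.20.1.102 is the entry marked "(unvollständig)").
NETSTAT_RN = """\
Ziel            Router          Genmask         Flags   MSS Fenster irtt Iface
0.0.0.0         192.168.111.14  0.0.0.0         UG        0 0          0 enp3s11
10.20.0.0       0.0.0.0         255.255.0.0     U         0 0          0 enp0s25
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 enp0s25
192.168.111.0   0.0.0.0         255.255.255.0   U         0 0          0 enp3s11
"""
ARP = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.111.160          ether   00:15:5d:0a:0b:25   C                     enp3s11
10.20.100.2              ether   2c:d4:44:a2:5a:4c   C                     enp0s25
10.20.1.102                      (unvollständig)                          enp0s25
"""

def parse_routes(text):
    """Return [(network, gateway, iface)] from netstat -rn; header/blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        try:  # the header row fails here because "Ziel/Genmask" is not an address
            routes.append((ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False), f[1], f[-1]))
        except (ValueError, IndexError):
            continue
    return routes

def lookup(routes, dst):
    """Kernel-style longest-prefix match: the most specific matching network wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)

def arp_state(text, ip):
    """'resolved' if a MAC is cached, 'incomplete' if ARP got no answer, else 'absent'."""
    for line in text.splitlines():
        f = line.split()
        if f and f[0] == ip:
            return "resolved" if f[1] == "ether" else "incomplete"
    return "absent"

def diagnose(dst, routes_text=NETSTAT_RN, arp_text=ARP):
    """(egress interface, next hop or 'direct', ARP state) for a destination address."""
    route = lookup(parse_routes(routes_text), dst)
    if route is None:
        return ("no route", None, arp_state(arp_text, dst))
    net, gw, iface = route
    return (iface, "direct" if gw == "0.0.0.0" else gw, arp_state(arp_text, dst))
```

On a live box the equivalent checks are `ip route get <addr>` for the route decision and `ip neigh` for the ARP state.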

Answer 1

If a machine can ping the gateway and get a response, I would say the network is not completely broken. I would consider turning off the firewall to see whether it has anything to do with this.

If you are getting replies, which I infer from "when the ping works", then this does not seem to be a routing-related problem.

My suggestion is to disable the firewall completely first, to rule out a firewall fault. If disabling the firewall would cause a policy/security problem, consider disconnecting the external interface.

Br, Martin
