我有一个 AWS VPC,其中包含一些公共子网和一个私有子网,如下图所示。
- 两个实例都可以连接到互联网(实例 A通过连接NAT网关实例)
- NAT网关可以 ping 和 traceroute 互联网上的主机以及其他子网上的实例
- 实例 A可以 pingNAT网关以及其子网和其他子网中的其他实例
这NAT网关是一个由我配置的 Ubuntu 16.04 (t2.micro) 实例。它不是托管的 AWS NAT 网关。它完美地充当了 VPC 内所有其他主机的网关,以及 D-NAT(用于某些私有 Apache 服务器)的网关,并且还充当了 SSH 堡垒。
问题是实例 A无法 ping 或跟踪互联网上的主机。我已经尝试/检查过:
- 路由表
- 安全组
- IPTABLES 规则
- 内核参数
安全组
NAT GATEWAY
Outbound:
* all traffic allowed
Inbound:
* SSH from 192.168.0.0/16 (VPN network)
* HTTP/S from 172.20.0.0/16 (allowing instances to connect to the internet)
* HTTP/S from 0.0.0.0/0 (allowing clients to access internal Apache servers through D-NAT)
* ALL ICMP V4 from 0.0.0.0/0
INSTANCE A
Outbound:
* all traffic allowed
Inbound:
* SSH from NAT GATEWAY SG
* HTTP/S from 172.20.0.0/16 (public internet throught D-NAT)
* ALL ICMP V4 from 0.0.0.0/0
路由表
PUBLIC SUBNET
172.20.0.0/16: local
0.0.0.0/0: igw-xxxxx (AWS internet gateway attached to VPC)
PRIVATE SUBNET
0.0.0.0/0: eni-xxxxx (network interface of the NAT gateway)
172.20.0.0/16: local
Iptables 规则
# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
# iptables -tnat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
内核参数
net.ipv4.conf.all.accept_redirects = 0 # tried 1 too
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 0 # tried 1 too
net.ipv4.conf.eth0.accept_redirects = 0 # tried 1 too
net.ipv4.conf.eth0.secure_redirects = 1
net.ipv4.conf.eth0.send_redirects = 0 # tried 1 too
net.ipv4.ip_forward = 1
来自实例 A 的跟踪路由示例
感谢 @hargut 指出有关使用 UDP 的 traceroute 的详细信息(我的 SG 不允许这样做)。因此,将其与-I
ICMP 选项一起使用:
# traceroute -I 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 ip-172-20-16-10.ec2.internal (172.20.16.10) 0.670 ms 0.677 ms 0.700 ms
2 * * *
3 * * *
...
答案1
Linux/Unix traceroute 使用 UDP 进行标准请求。您的安全组不允许 UDP 入站数据包。
来自 traceroute 手册页:
In the modern network environment the traditional traceroute methods can not be always applicable, because of widespread use of firewalls. Such firewalls filter the "unlikely" UDP ports, or even ICMP echoes. To solve this, some additional tracerouting methods are implemented (including tcp), see LIST OF AVAILABLE METHODS below. Such methods try to use particular protocol and source/destination port, in order to bypass firewalls (to be seen by firewalls just as a start of allowed type of a network session)
https://linux.die.net/man/8/traceroute
查看-I
tracerout 选项,将 traceroute 模式切换为基于 ICMP 的跟踪。