无法通过 eth0 ping eth1

我有两台安装了 CentOS 7 的虚拟机。每台虚拟机都有两个网卡和两个 IP 地址。

VM1的ip配置：

    eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc pfifo_fast state UP group default qlen 1000
    link/ether fa:16:3e:0b:03:33 brd ff:ff:ff:ff:ff:ff
    inet 172.255.255.5/30 brd 172.255.255.7 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::4f07:27f6:5839:d257/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
    eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc pfifo_fast state UP group default qlen 1000
    link/ether fa:16:3e:4b:2f:58 brd ff:ff:ff:ff:ff:ff
    inet 10.11.111.254/21 brd 10.11.111.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::d64c:aeee:1111:16d5/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

VM1的路由：

10.11.104.0/21 dev eth1 proto kernel scope link src 10.111.111.254 metric 101
172.255.255.4/30 dev eth0 proto kernel scope link src 172.255.255.5 metric 100

VM2的ip配置：

   eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc pfifo_fast state UP group default qlen 1000
    link/ether fa:16:3e:7a:3c:e7 brd ff:ff:ff:ff:ff:ff
    inet 172.255.255.6/30 brd 172.255.255.7 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::35e3:6bb7:918e:6bca/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
   eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc pfifo_fast state UP group default qlen 1000
    link/ether fa:16:3e:25:38:9a brd ff:ff:ff:ff:ff:ff
    inet 10.10.1.210/24 brd 10.10.1.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::5ec3:f912:51a5:761c/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

VM2的路由：

10.10.1.0/24 dev eth1 proto kernel scope link src 10.10.1.210 metric 101
172.255.255.4/30 dev eth0 proto kernel scope link src 172.255.255.6 metric 100

我可以从 VM1（172.255.255.5,10.11.111.254）ping 到 172.255.255.6，也可以从 VM2（172.255.255.6, 10.10.1.210）ping 到 172.255.255.5。

问题是，我想从 VM1（172.255.255.5,10.11.111.254）ping 到 10.10.1.210，因此我在 VM1 中添加了一条路由

ip route add 10.10.1.210 via 172.255.255.6

因此VM1的路由是：

10.10.1.210 via 172.255.255.6 dev eth0
10.11.104.0/21 dev eth1 proto kernel scope link src 10.111.111.254 metric 101
172.255.255.4/30 dev eth0 proto kernel scope link src 172.255.255.5 metric 100

但是我仍然无法从 VM1 ping 通 10.10.1.210。

那么，我错在哪里了？

顺便说一句，我已经在所有机器上禁用了 SELinux 和防火墙。

1. ip路由获取10.10.1.210：

   10.10.1.210 via 172.255.255.6 dev eth0 src 172.255.255.5 cache

2. VM1 上的 tcpdump -e -nn -i eth0‘icmp’：

   20:47:00.147549 fa:16:3e:0b:03:33 > fa:16:3e:7a:3c:e7, ethertype IPv4 (0x0800), length 98: 172.255.255.5 > 10.10.1.210: ICMP echo request, id 4116, seq 48, length 64 20:47:01.147541 fa:16:3e:0b:03:33 > fa:16:3e:7a:3c:e7, ethertype IPv4 (0x0800), length 98: 172.255.255.5 > 10.10.1.210: ICMP echo request, id 4116, seq 49, length 64 20:47:02.147543 fa:16:3e:0b:03:33 > fa:16:3e:7a:3c:e7, ethertype IPv4 (0x0800), length 98: 172.255.255.5 > 10.10.1.210: ICMP echo request, id 4116, seq 50, length 64 20:47:03.147551 fa:16:3e:0b:03:33 > fa:16:3e:7a:3c:e7, ethertype IPv4 (0x0800), length 98: 172.255.255.5 > 10.10.1.210: ICMP echo request, id 4116, seq 51, length 64

3. VM1，iptables-save -c：

   *security
   :INPUT ACCEPT [5440:12841065]
   :FORWARD ACCEPT [2:144]
   :OUTPUT ACCEPT [28968:2491805]
   COMMIT
   # Completed on Mon May 20 20:48:08 2019
   # Generated by iptables-save v1.4.21 on Mon May 20 20:48:08 2019
   *raw
   :PREROUTING ACCEPT [5456:12843525]
   :OUTPUT ACCEPT [28969:2491905]
   COMMIT
   # Completed on Mon May 20 20:48:08 2019
   # Generated by iptables-save v1.4.21 on Mon May 20 20:48:08 2019
   *mangle
   :PREROUTING ACCEPT [5456:12843525]
   :INPUT ACCEPT [5440:12841065]
   :FORWARD ACCEPT [2:144]
   :OUTPUT ACCEPT [28969:2491905]
   :POSTROUTING ACCEPT [28970:2491949]
   COMMIT
   # Completed on Mon May 20 20:48:08 2019
   # Generated by iptables-save v1.4.21 on Mon May 20 20:48:08 2019
   *filter
   :INPUT ACCEPT [5440:12841065]
   :FORWARD ACCEPT [2:144]
   :OUTPUT ACCEPT [28968:2491805]
   COMMIT
   # Completed on Mon May 20 20:48:08 2019
   # Generated by iptables-save v1.4.21 on Mon May 20 20:48:08 2019
   *nat
   :PREROUTING ACCEPT [41:6031]
   :INPUT ACCEPT [26:3643]
   :OUTPUT ACCEPT [196:139164]
   :POSTROUTING ACCEPT [197:139236]
   COMMIT
   # Completed on Mon May 20 20:48:08 2019```
   

4. VM2，iptables-save -c：

   *nat
   :PREROUTING ACCEPT [151:139500]
   :INPUT ACCEPT [136:137067]
   :OUTPUT ACCEPT [126:76110]
   :POSTROUTING ACCEPT [126:76110]
   COMMIT
   # Completed on Mon May 20 20:51:19 2019
   # Generated by iptables-save v1.4.21 on Mon May 20 20:51:19 2019
   *filter
   :INPUT ACCEPT [22121:14364143]
   :FORWARD ACCEPT [0:0]
   :OUTPUT ACCEPT [21468:1823390]
   COMMIT
   # Completed on Mon May 20 20:51:19 2019```
   

5. VM2 上的 tcpdump -e -nn -i eth0‘icmp’

   20:53:50.348475 fa:16:3e:0b:03:33 > fa:16:3e:7a:3c:e7, ethertype IPv4 (0x0800), length 98: 172.255.255.5 > 10.10.1.210: ICMP echo request, id 4116, seq 459, length 64 20:53:50.348501 fa:16:3e:7a:3c:e7 > fa:16:3e:0b:03:33, ethertype IPv4 (0x0800), length 98: 10.10.1.210 > 172.255.255.5: ICMP echo reply, id 4116, seq 459, length 64 20:53:51.348443 fa:16:3e:0b:03:33 > fa:16:3e:7a:3c:e7, ethertype IPv4 (0x0800), length 98: 172.255.255.5 > 10.10.1.210: ICMP echo request, id 4116, seq 460, length 64 20:53:51.348501 fa:16:3e:7a:3c:e7 > fa:16:3e:0b:03:33, ethertype IPv4 (0x0800), length 98: 10.10.1.210 > 172.255.255.5: ICMP echo reply, id 4116, seq 460, length 64 20:53:52.348432 fa:16:3e:0b:03:33 > fa:16:3e:7a:3c:e7, ethertype IPv4 (0x0800), length 98: 172.255.255.5 > 10.10.1.210: ICMP echo request, id 4116, seq 461, length 64 20:53:52.348456 fa:16:3e:7a:3c:e7 > fa:16:3e:0b:03:33, ethertype IPv4 (0x0800), length 98: 10.10.1.210 > 172.255.255.5: ICMP echo reply, id 4116, seq 461, length 64