Cannot ping a specific interface from the router: (sendmsg: Operation not permitted)

I have a router running Arch Linux, but I'm running into a strange problem that probably indicates a misconfiguration. Here is my setup:

  • LAN interface: intern1
  • WAN interface: extern1
  • LAN address: 192.168.11.11/24
  • WAN address: DHCP

I can ping anything on the WAN side without any errors:

> ping 8.8.8.8

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=2.78 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=117 time=2.60 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=117 time=2.87 ms

However, I cannot ping another address on the LAN (192.168.11.39 is a server on the LAN):

> ping 192.168.11.39

PING 192.168.11.39 (192.168.11.39) 56(84) bytes of data.
From 192.168.11.11 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Operation not permitted
From 192.168.11.11 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Operation not permitted
From 192.168.11.11 icmp_seq=3 Destination Host Unreachable
ping: sendmsg: Operation not permitted

Other similar questions seem to point to a firewall problem. I tried changing all chains in the filter table to a default policy of ACCEPT, but that had no effect. I should add that, apart from this ping problem, the router works fine: devices on the LAN can reach any device on the WAN or the LAN, and can ping other devices on the LAN.

Incidentally, I found this problem because I'm trying to set up OpenVPN on this router and cannot ping anything on the LAN from any VPN client. I think this may be related. Everything here was done with the VPN disabled, to eliminate variables that might cause confusion.

Does anyone know what might be causing this?

Other information that may be relevant

Routing table:

> ip route

default via 45.17.160.1 dev extern1 proto dhcp src 45.17.163.240 metric 1024 
45.17.160.0/22 dev extern1 proto kernel scope link src 45.17.163.240 
45.17.160.1 dev extern1 proto dhcp scope link src 45.17.163.240 metric 1024 
192.168.11.0/24 dev intern1 proto kernel scope link src 192.168.11.11 

iptables rules (minimal example):

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:net_dnat - [0:0]

# potentially DNAT all incoming packets
-A PREROUTING -i extern1 -j net_dnat

# make all LAN-WAN traffic appear as if it came from this router
-A POSTROUTING -s 192.168.11.0/24 -o extern1 -j MASQUERADE

# make all VPN traffic appear as if it came from this router
-A POSTROUTING -s 10.8.0.0/24 -o intern1 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o extern1 -j MASQUERADE

# DNAT table for port forwards on LAN
-A net_dnat -m comment --comment "SSH" -p tcp -m tcp --dport 39022 -j DNAT --to-destination 192.168.11.39:39022
-A net_dnat -m comment --comment "HTTP" -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.11.39:80
-A net_dnat -m comment --comment "HTTPS" -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.11.39:443
-A net_dnat -m comment --comment "IMAP" -p tcp -m tcp --dport 143 -j DNAT --to-destination 192.168.11.39:143
-A net_dnat -m comment --comment "IMAPS" -p tcp -m tcp --dport 993 -j DNAT --to-destination 192.168.11.39:993
-A net_dnat -m comment --comment "WOL" -p udp -m udp --dport 39009 -j DNAT --to-destination 192.168.11.254:39009
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

systemd-networkd configuration:

> cat /etc/systemd/network/intern1.network

[Match]
Name=intern1

[Network]
Address=192.168.11.11/24
IPForward=ipv4

> cat /etc/systemd/network/intern1.network

[Match]
Name=extern1

[Network]
DHCP=ipv4
IPForward=ipv4

Edit 1

Routing policy rules:

> ip rule ls
0:     from all lookup local
32766: from all lookup main
32767: from all lookup default

ARP entry for 192.168.11.39:

> ip n ls 192.168.11.39
192.168.11.39 dev intern1 lladdr f8:32:e4:9b:b9:55 REACHABLE

Route lookup for 192.168.11.39:

> ip route get 192.168.11.39
192.168.11.39 dev intern1 src 192.168.11.11 uid 1000 
    cache

Edit 2

Full filter table:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:localhost-LAN - [0:0]
:localhost-WAN - [0:0]
:localhost-VPN - [0:0]
:VPN-localhost - [0:0]
:LAN-localhost - [0:0]
:WAN-localhost - [0:0]
:LAN-VPN - [0:0]
:LAN-WAN - [0:0]
:WAN-LAN - [0:0]
:WAN-VPN - [0:0]
:LAN-forward - [0:0]
:WAN-forward - [0:0]
:VPN-forward - [0:0]
:reject - [0:0]

-A INPUT -i intern1 -j LAN-localhost
-A INPUT -i extern1 -j WAN-localhost
-A INPUT -i tun0 -j VPN-localhost
-A INPUT -i lo -j ACCEPT
-A INPUT -g reject

-A FORWARD -i extern1 -j WAN-forward
-A FORWARD -i intern1 -j LAN-forward
-A FORWARD -i tun0 -j VPN-forward
-A FORWARD -g reject

-A OUTPUT -o extern1 -j localhost-WAN
-A OUTPUT -o intern1 -j localhost-LAN
-A OUTPUT -o tun0 -j localhost-VPN
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -g reject

-A LAN-forward -o extern1 -j ACCEPT
-A LAN-forward -o tun0 -j LAN-VPN

-A WAN-forward -o intern1 -j WAN-LAN
-A WAN-forward -o tun0 -j WAN-VPN

-A VPN-forward -o intern1 -j ACCEPT
-A VPN-forward -o extern1 -j ACCEPT

-A WAN-LAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A WAN-LAN -m comment --comment "SSH" -d 192.168.11.39/32 -p tcp -m tcp --dport 39022 -m conntrack --ctorigdstport 39022 -j ACCEPT
-A WAN-LAN -m comment --comment "HTTP" -d 192.168.11.39/32 -p tcp -m tcp --dport 80 -m conntrack --ctorigdstport 80 -j ACCEPT
-A WAN-LAN -m comment --comment "HTTPS" -d 192.168.11.39/32 -p tcp -m tcp --dport 443 -m conntrack --ctorigdstport 443 -j ACCEPT
-A WAN-LAN -m comment --comment "IMAP" -d 192.168.11.39/32 -p tcp -m tcp --dport 143 -m conntrack --ctorigdstport 143 -j ACCEPT
-A WAN-LAN -m comment --comment "IMAPS" -d 192.168.11.39/32 -p tcp -m tcp --dport 993 -m conntrack --ctorigdstport 993 -j ACCEPT
-A WAN-LAN -m comment --comment "WOL" -d 192.168.11.254/32 -p udp -m udp --dport 39009 -m conntrack --ctorigdstport 39009 -j ACCEPT
-A WAN-LAN -j DROP

-A localhost-LAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A localhost-LAN -m comment --comment "Local DHCP" -p udp -m udp --dport 67:68 -j ACCEPT
-A localhost-LAN -m comment --comment "Local SSH" -d 192.168.11.39/32 -p tcp -m tcp --dport 39022 -m conntrack --ctorigdstport 39022 -j ACCEPT
-A localhost-LAN -g reject

-A LAN-VPN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LAN-VPN -j DROP

-A WAN-VPN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A WAN-VPN -j DROP

-A localhost-VPN -j ACCEPT

-A localhost-WAN -j ACCEPT

-A LAN-localhost -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LAN-localhost -m comment --comment "LAN OpenVPN" -p udp --dport 21194 -j ACCEPT
-A LAN-localhost -m comment --comment "LAN DHCP" -p udp -m udp --dport 67:68 -j ACCEPT
-A LAN-localhost -m comment --comment "LAN SSH" -p tcp --dport 29022 -j ACCEPT
-A LAN-localhost -m comment --comment "LAN DNS (zone transfer)" -p tcp --dport 53 -j ACCEPT
-A LAN-localhost -m comment --comment "LAN DNS" -p udp -m udp --dport 53 -j ACCEPT
-A LAN-localhost -m comment --comment "LAN Ping" -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A LAN-localhost -g reject

-A WAN-localhost -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A WAN-localhost -m comment --comment "WAN OpenVPN" -p udp --dport 21194 -j ACCEPT
-A WAN-localhost -m comment --comment "WAN SSH" -p tcp --dport 29022 -j ACCEPT
-A WAN-localhost -m comment --comment "WAN Ping" -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A WAN-localhost -j DROP

-A VPN-localhost -j ACCEPT

-A reject -m addrtype --src-type BROADCAST -j DROP
-A reject -s 224.0.0.0/4 -j DROP
-A reject -p igmp -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
COMMIT

Answer 1

Solution

It really was a firewall problem. I mistakenly assumed that using ACCEPT as the default policy on the INPUT/OUTPUT/FORWARD chains would make all the remaining chains in the filter table irrelevant, which led me to believe this was not a firewall issue.

In reality, the default policy is applied last, only when nothing matches; in this case the "localhost-LAN" chain intercepted the outgoing ping and applied "reject". Adding this before the "reject" target fixes the problem:

-A localhost-LAN -m comment --comment "LAN Ping" -p icmp -m icmp --icmp-type 8 -j ACCEPT

Outgoing pings to the LAN now work :)
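The traversal the answer describes (the built-in chain's policy is consulted only when a packet falls off the end of that chain, while the user chain's trailing "-g reject" claims the packet first) as an added Python model; this is not code from the question or the answer. The chains are reduced to the rules relevant to this ping, and the packet is constructed.

```python
# Added example (not from the question): a tiny model of iptables filter-table
# traversal built from the question's OUTPUT / localhost-LAN / reject chains.
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def build_table(fix_applied):
    # Rules are (match, kind, target); kind is "j" (--jump) or "g" (--goto).
    localhost_lan = [
        ({"ctstate": "ESTABLISHED"}, "j", "ACCEPT"),
        ({"dst": "192.168.11.39", "proto": "tcp", "dport": 39022}, "j", "ACCEPT"),
    ]
    if fix_applied:  # the ICMP echo-request rule the answer inserts
        localhost_lan.append(({"proto": "icmp", "icmp_type": 8}, "j", "ACCEPT"))
    localhost_lan.append(({}, "g", "reject"))
    return {
        "policy": {"OUTPUT": "ACCEPT"},  # consulted only on fall-through
        "OUTPUT": [({"out": "extern1"}, "j", "localhost-WAN"),
                   ({"out": "intern1"}, "j", "localhost-LAN"),
                   ({"out": "lo"}, "j", "ACCEPT"),
                   ({}, "g", "reject")],
        "localhost-WAN": [({}, "j", "ACCEPT")],
        "localhost-LAN": localhost_lan,
        # "REJECT --reject-with icmp-host-unreachable" on a locally generated
        # packet is what ping reports as "sendmsg: Operation not permitted".
        "reject": [({"proto": "tcp"}, "j", "REJECT"),
                   ({"proto": "udp"}, "j", "REJECT"),
                   ({"proto": "icmp"}, "j", "REJECT"),
                   ({}, "j", "REJECT")],
    }

def walk(table, chain, pkt):
    """Verdict for pkt entering chain, or None if it falls off the end."""
    for match, kind, target in table[chain]:
        if any(pkt.get(k) != v for k, v in match.items()):
            continue
        if target in TERMINAL:
            return target
        result = walk(table, target, pkt)
        if result is not None or kind == "g":
            return result  # --goto: callee fall-through returns past us too
    return None

def verdict(table, pkt, chain="OUTPUT"):
    result = walk(table, chain, pkt)
    return result if result is not None else table["policy"][chain]

# Constructed packet: the router's own echo request to the LAN server.
PING = {"out": "intern1", "proto": "icmp", "icmp_type": 8, "dst": "192.168.11.39", "ctstate": "NEW"}

def ping_verdict(fix_applied):
    return verdict(build_table(fix_applied), PING)  # the chain's final verdict
```

Replies to LAN-originated pings (ctstate ESTABLISHED) and anything leaving via extern1 are accepted either way, which is why only the router's own outgoing LAN ping was affected.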
