Debian server - clients cannot ping each other across interfaces/subnets

I cannot ping clients across interfaces/subnets; for example, I cannot ping the Android (10.42.1.150) connected to wlan0 from the Mac (10.42.0.82) connected to eth0.

Note: I can reach the internet from all devices.

Note, edit #1: the Android is connected and awake; if I connect through wlan0 from the Mac, I can ping the device - that does not solve my problem.

How do I forward connections between these devices?

Here is a rough drawing of my network:

[network diagram image, not reproduced here]

The Debian server has 3 interfaces:

  • wlan1 (192.168.1.25) - internet access
  • eth0 (10.42.0.1) - clients 10.42.0.0/24
  • wlan0 (10.42.1.0) - clients 10.42.1.0/24
  • Besides that, OpenVPN is also running on the Debian server, so tun0 exists as well

Output from the Mac:

ping 192.168.150

PING 10.42.1.150 (10.42.1.150): 56 data bytes
92 bytes from machine (10.42.0.1): Destination Port Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 fc85   0 0000  3f  01 68e8 10.42.0.82  10.42.1.150 

Request timeout for icmp_seq 0
92 bytes from machine (10.42.0.1): Destination Port Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 6410   0 0000  3f  01 015e 10.42.0.82  10.42.1.150 

Output from Debian:

Packet dump while pinging the Android from the Mac:

tcpdump -i eth0 -c 10 -n icmp

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
15:57:03.887954 IP 10.42.0.82 > 10.42.1.150: ICMP echo request, id 2813, seq 0, length 64
15:57:03.888133 IP 10.42.0.1 > 10.42.0.82: ICMP 10.42.1.150 protocol 1 port 16598 unreachable, length 92
15:57:04.893099 IP 10.42.0.82 > 10.42.1.150: ICMP echo request, id 2813, seq 1, length 64
15:57:04.893431 IP 10.42.0.1 > 10.42.0.82: ICMP 10.42.1.150 protocol 1 port 11180 unreachable, length 92

tcpdump -i wlan0 -c 10 -n icmp

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), snapshot length 262144 bytes

...quiet...

Traceroute

traceroute 10.42.1.150 - the eth0 gateway responds

traceroute to 10.42.1.150 (10.42.1.150), 64 hops max, 52 byte packets
 1  machine (10.42.0.1)  0.988 ms  0.661 ms  0.757 ms
 2  machine (10.42.0.1)  0.803 ms  0.865 ms  0.712 ms

Edit, as requested in the comments: sudo tcpdump -nni eth0 -i any -n 'icmp or arp'

16:24:22.960833 eth0  In  IP 10.42.0.82 > 10.42.1.150: ICMP echo request, id 51712, seq 0, length 64
16:24:22.961074 eth0  Out IP 10.42.0.1 > 10.42.0.82: ICMP 10.42.1.150 protocol 1 port 8729 unreachable, length 92
16:24:23.680270 wlan0 In  ARP, Request who-has 10.42.0.1 tell 10.42.1.150, length 28
16:24:23.680339 wlan0 Out ARP, Reply 10.42.0.1 is-at 74:e5:43:29:9b:4e, length 28
16:24:23.961291 eth0  In  IP 10.42.0.82 > 10.42.1.150: ICMP echo request, id 51712, seq 1, length 64
16:24:23.961542 eth0  Out IP 10.42.0.1 > 10.42.0.82: ICMP 10.42.1.150 protocol 1 port 8423 unreachable, length 92
16:24:24.963007 eth0  In  IP 10.42.0.82 > 10.42.1.150: ICMP echo request, id 51712, seq 2, length 64
16:24:24.963261 eth0  Out IP 10.42.0.1 > 10.42.0.82: ICMP 10.42.1.150 protocol 1 port 6743 unreachable, length 92

arp -a

mac.lan (10.42.0.82) at 00:e0:4c:68:09:6c [ether] on eth0
workstation.lan (10.42.0.212) at 4c:cc:6a:8e:cf:70 [ether] on eth0
a2.lan (10.42.1.150) at 8e:0f:d2:95:50:41 [ether] on wlan0
? (192.168.1.1) at 6c:5a:b0:0c:ff:f4 [ether] on wlan1
? (192.168.1.90) at <incomplete> on wlan1
espd.lan (10.42.1.190) at 5c:cf:7f:68:00:92 [ether] on wlan0
? (192.168.1.158) at e0:dc:ff:08:e4:cc [ether] on wlan1
? (192.168.1.155) at 58:fb:84:3f:77:cb [ether] on wlan1
? (192.168.1.53) at d0:3c:1f:37:85:57 [ether] on wlan1

netstat -nr

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 wlan1
10.8.0.0        0.0.0.0         255.255.255.0   U         0 0          0 tun0
10.42.0.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.42.1.0       0.0.0.0         255.255.255.0   U         0 0          0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 wlan1

ip route

default via 192.168.1.1 dev wlan1 proto dhcp src 192.168.1.25 metric 601 
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1 
10.42.0.0/24 dev eth0 proto kernel scope link src 10.42.0.1 metric 100 
10.42.1.0/24 dev wlan0 proto kernel scope link src 10.42.1.1 metric 600 
192.168.1.0/24 dev wlan1 proto kernel scope link src 192.168.1.25 metric 601 

iptables-save

# Generated by iptables-save v1.8.8 (nf_tables) on Wed Nov  9 12:38:09 2022
*filter
:INPUT ACCEPT [6046:607118]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10078:1146969]
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i wlan1 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i wlan1 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -i tun0 -o wlan1 -j ACCEPT
-A FORWARD -i wlan1 -o tun0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -i tun0 -o wlan1 -j ACCEPT
-A FORWARD -i wlan1 -o tun0 -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT
# Completed on Wed Nov  9 12:38:09 2022
# Generated by iptables-save v1.8.8 (nf_tables) on Wed Nov  9 12:38:09 2022
*nat
:PREROUTING ACCEPT [3107:427832]
:INPUT ACCEPT [826:76600]
:OUTPUT ACCEPT [1808:145801]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o wlan1 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source 192.168.1.25
COMMIT
# Completed on Wed Nov  9 12:38:09 2022
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them

iptables-legacy-save - the legacy iptables are empty

# Generated by iptables-save v1.8.8 on Fri Nov 11 16:59:47 2022
*nat
:PREROUTING ACCEPT [321648:59396444]
:INPUT ACCEPT [130230:10386836]
:OUTPUT ACCEPT [299654:30414342]
:POSTROUTING ACCEPT [228403:20881622]
COMMIT
# Completed on Fri Nov 11 16:59:47 2022

ip rule list

0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

cat /proc/sys/net/ipv4/ip_forward

1

More forwarding output:

sudo sysctl -a | grep '\.forw'

net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.wlan0.forwarding = 1
net.ipv4.conf.wlan1.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.tun0.forwarding = 1
net.ipv6.conf.wlan0.forwarding = 1
net.ipv6.conf.wlan1.forwarding = 1

&

sysctl net.inet.ip.forwarding
sysctl: cannot stat /proc/sys/net/inet/ip/forwarding: No such file or directory

ifconfig

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.42.0.1  netmask 255.255.255.0  broadcast 10.42.0.255
        inet6 fe80::4c6d:de50:a3d1:cbe  prefixlen 64  scopeid 0x20<link>
        ether 30:85:a9:11:cb:df  txqueuelen 1000  (Ethernet)
        RX packets 307275  bytes 47966154 (45.7 MiB)
        RX errors 0  dropped 9  overruns 0  frame 0
        TX packets 510676  bytes 566627587 (540.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 1  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 35262  bytes 7210507 (6.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 35262  bytes 7210507 (6.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.0  destination 10.8.0.1
        inet6 fe80::a28:40b6:7db3:b6e1  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 4323  bytes 546964 (534.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3912  bytes 1024431 (1000.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.42.1.1  netmask 255.255.255.0  broadcast 10.42.1.255
        inet6 fe80::59ba:e291:f2f9:628b  prefixlen 64  scopeid 0x20<link>
        ether 74:e5:43:29:9b:4e  txqueuelen 1000  (Ethernet)
        RX packets 40418  bytes 7657042 (7.3 MiB)
        RX errors 0  dropped 16  overruns 0  frame 0
        TX packets 63120  bytes 25176738 (24.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.25  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::501b:a922:3efd:94ba  prefixlen 64  scopeid 0x20<link>
        ether d0:37:45:f5:f2:ae  txqueuelen 1000  (Ethernet)
        RX packets 608317  bytes 646981557 (617.0 MiB)
        RX errors 0  dropped 223  overruns 0  frame 0
        TX packets 374790  bytes 72410599 (69.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Ping from the Android:

[screenshot of the ping output on the Android, not reproduced here]

Thanks for any suggestions that help me find the ideal solution!

Answer 1

In fact, the reply you are receiving:

PING 10.42.1.150 (10.42.1.150): 56 data bytes
92 bytes from machine (10.42.0.1): Destination Port Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 fc85   0 0000  3f  01 68e8 10.42.0.82  10.42.1.150 

means that 10.42.0.1 is dropping the packet (and notifying you) because it cannot deliver it.

If you are only trying to figure out forwarding between eth0 & wlan0, then a lot of the extra details here are not necessarily relevant, but I suppose that is fair since you have been updating based on the comments and trying to figure it out.

It seems to me that everything more or less lines up with the iptables rules, which:

-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -i tun0 -o wlan1 -j ACCEPT
-A FORWARD -i wlan1 -o tun0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -i tun0 -o wlan1 -j ACCEPT
-A FORWARD -i wlan1 -o tun0 -j ACCEPT

appear to be only 4 rules, but with 4 duplicates - you should probably remove the duplicated rules to reduce confusion.

However, the strangest part is that you have this: -A FORWARD -j ACCEPT, which logically I think should mean that all traffic to be forwarded is simply accepted, which should be what you want, but apparently that is not happening.

I do not think a rule like that is normally used; you could try replacing it with:

-A FORWARD -i wlan0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -j ACCEPT

and see what happens?

Also, if you try the ping in the reverse direction, what do you see? For example: 10.42.1.150 --> 10.42.0.82. You could use something like PingTools, or Ping & Net, to try it.
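As an added example (not part of the question or the answer above), here is a small Python audit script that reads iptables-save output and reports the two things the answer points out: rules listed more than once, and a FORWARD rule that carries no match at all. The sample dump is constructed, shortened from the filter table in the question; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample in iptables-save format, modelled on the filter table in
# the question: two rules listed twice, then an unconditional FORWARD accept.
SAMPLE_DUMP = """\
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -o wlan1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -o wlan1 -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT
"""

RULE_RE = re.compile(r"^-A (\S+) (.*)$")        # -A <chain> <matches and target>
POLICY_RE = re.compile(r"^:(\S+) (\S+) \[")     # :<chain> <policy> [pkts:bytes]

def parse_dump(dump):
    """Return ({(table, chain): policy}, [(table, chain, rule_body), ...])."""
    policies, rules, table = {}, [], None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):            # start of a table, e.g. *filter
            table = line[1:]
        elif line == "COMMIT":              # end of the current table
            table = None
        elif (m := POLICY_RE.match(line)):
            policies[(table, m.group(1))] = m.group(2)
        elif (m := RULE_RE.match(line)):
            rules.append((table, m.group(1), m.group(2)))
    return policies, rules

def duplicate_rules(dump):
    """Rules that occur more than once, mapped to their occurrence count."""
    return {r: n for r, n in Counter(parse_dump(dump)[1]).items() if n > 1}

def unconditional_accepts(dump, chain="FORWARD"):
    """Rules in `chain` with no match at all, like '-A FORWARD -j ACCEPT'."""
    return [r for r in parse_dump(dump)[1] if r[1] == chain and r[2] == "-j ACCEPT"]

def chain_policy(dump, table="filter", chain="FORWARD"):
    """Default policy of a chain, or None if the dump does not declare it."""
    return parse_dump(dump)[0].get((table, chain))

if __name__ == "__main__":
    print(duplicate_rules(SAMPLE_DUMP))
    print(unconditional_accepts(SAMPLE_DUMP), chain_policy(SAMPLE_DUMP))
```

To audit a live system, pipe `iptables-save` into the script in place of SAMPLE_DUMP; a FORWARD chain whose policy is ACCEPT and which also ends in an unconditional accept forwards every packet between all interfaces.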
