I can't ping clients across interfaces/subnets, e.g. I can't ping the Android (10.42.1.150) connected to wlan0 from the Mac (10.42.0.82) connected to eth0.
Note: I can reach the internet from all devices.
Note, edit #1: the Android is connected and awake; if I connect via wlan0 from the Mac I can ping the device - which doesn't solve my problem.
How do I forward connections between these devices?
Here is a brief sketch of my network:
The Debian server has 3 interfaces:
- wlan1 (192.168.1.25) - internet access
- eth0 (10.42.0.1) - clients 10.42.0.0/24
- wlan0 (10.42.1.0) - clients 10.42.1.0/24
- besides that, OpenVPN is also running on the Debian server (so tun0 exists too)
Output from the Mac:
ping 192.168.150
PING 10.42.1.150 (10.42.1.150): 56 data bytes
92 bytes from machine (10.42.0.1): Destination Port Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 fc85 0 0000 3f 01 68e8 10.42.0.82 10.42.1.150
Request timeout for icmp_seq 0
92 bytes from machine (10.42.0.1): Destination Port Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 6410 0 0000 3f 01 015e 10.42.0.82 10.42.1.150
Output from Debian:
Packet dump while pinging the Android from the Mac:
tcpdump -i eth0 -c 10 -n icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
15:57:03.887954 IP 10.42.0.82 > 10.42.1.150: ICMP echo request, id 2813, seq 0, length 64
15:57:03.888133 IP 10.42.0.1 > 10.42.0.82: ICMP 10.42.1.150 protocol 1 port 16598 unreachable, length 92
15:57:04.893099 IP 10.42.0.82 > 10.42.1.150: ICMP echo request, id 2813, seq 1, length 64
15:57:04.893431 IP 10.42.0.1 > 10.42.0.82: ICMP 10.42.1.150 protocol 1 port 11180 unreachable, length 92
tcpdump -i wlan0 -c 10 -n icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
... silence ...
Traceroute:
traceroute 10.42.1.150
- the eth0 gateway responds
traceroute to 10.42.1.150 (10.42.1.150), 64 hops max, 52 byte packets
1 machine (10.42.0.1) 0.988 ms 0.661 ms 0.757 ms
2 machine (10.42.0.1) 0.803 ms 0.865 ms 0.712 ms
Edit, as requested in the comments:
sudo tcpdump -nni eth0 -i any -n 'icmp or arp'
16:24:22.960833 eth0 In IP 10.42.0.82 > 10.42.1.150: ICMP echo request, id 51712, seq 0, length 64
16:24:22.961074 eth0 Out IP 10.42.0.1 > 10.42.0.82: ICMP 10.42.1.150 protocol 1 port 8729 unreachable, length 92
16:24:23.680270 wlan0 In ARP, Request who-has 10.42.0.1 tell 10.42.1.150, length 28
16:24:23.680339 wlan0 Out ARP, Reply 10.42.0.1 is-at 74:e5:43:29:9b:4e, length 28
16:24:23.961291 eth0 In IP 10.42.0.82 > 10.42.1.150: ICMP echo request, id 51712, seq 1, length 64
16:24:23.961542 eth0 Out IP 10.42.0.1 > 10.42.0.82: ICMP 10.42.1.150 protocol 1 port 8423 unreachable, length 92
16:24:24.963007 eth0 In IP 10.42.0.82 > 10.42.1.150: ICMP echo request, id 51712, seq 2, length 64
16:24:24.963261 eth0 Out IP 10.42.0.1 > 10.42.0.82: ICMP 10.42.1.150 protocol 1 port 6743 unreachable, length 92
arp -a
mac.lan (10.42.0.82) at 00:e0:4c:68:09:6c [ether] on eth0
workstation.lan (10.42.0.212) at 4c:cc:6a:8e:cf:70 [ether] on eth0
a2.lan (10.42.1.150) at 8e:0f:d2:95:50:41 [ether] on wlan0
? (192.168.1.1) at 6c:5a:b0:0c:ff:f4 [ether] on wlan1
? (192.168.1.90) at <incomplete> on wlan1
espd.lan (10.42.1.190) at 5c:cf:7f:68:00:92 [ether] on wlan0
? (192.168.1.158) at e0:dc:ff:08:e4:cc [ether] on wlan1
? (192.168.1.155) at 58:fb:84:3f:77:cb [ether] on wlan1
? (192.168.1.53) at d0:3c:1f:37:85:57 [ether] on wlan1
netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 wlan1
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
10.42.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.42.1.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan1
ip route
default via 192.168.1.1 dev wlan1 proto dhcp src 192.168.1.25 metric 601
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
10.42.0.0/24 dev eth0 proto kernel scope link src 10.42.0.1 metric 100
10.42.1.0/24 dev wlan0 proto kernel scope link src 10.42.1.1 metric 600
192.168.1.0/24 dev wlan1 proto kernel scope link src 192.168.1.25 metric 601
iptables-save
# Generated by iptables-save v1.8.8 (nf_tables) on Wed Nov 9 12:38:09 2022
*filter
:INPUT ACCEPT [6046:607118]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10078:1146969]
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i wlan1 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i wlan1 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -i tun0 -o wlan1 -j ACCEPT
-A FORWARD -i wlan1 -o tun0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -i tun0 -o wlan1 -j ACCEPT
-A FORWARD -i wlan1 -o tun0 -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT
# Completed on Wed Nov 9 12:38:09 2022
# Generated by iptables-save v1.8.8 (nf_tables) on Wed Nov 9 12:38:09 2022
*nat
:PREROUTING ACCEPT [3107:427832]
:INPUT ACCEPT [826:76600]
:OUTPUT ACCEPT [1808:145801]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o wlan1 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source 192.168.1.25
COMMIT
# Completed on Wed Nov 9 12:38:09 2022
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them
iptables-legacy-save
- legacy iptables is empty
# Generated by iptables-save v1.8.8 on Fri Nov 11 16:59:47 2022
*nat
:PREROUTING ACCEPT [321648:59396444]
:INPUT ACCEPT [130230:10386836]
:OUTPUT ACCEPT [299654:30414342]
:POSTROUTING ACCEPT [228403:20881622]
COMMIT
# Completed on Fri Nov 11 16:59:47 2022
ip rule list
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
cat /proc/sys/net/ipv4/ip_forward
1
More forwarding output:
sudo sysctl -a | grep '\.forw'
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.wlan0.forwarding = 1
net.ipv4.conf.wlan1.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.tun0.forwarding = 1
net.ipv6.conf.wlan0.forwarding = 1
net.ipv6.conf.wlan1.forwarding = 1
and
sysctl net.inet.ip.forwarding
sysctl: cannot stat /proc/sys/net/inet/ip/forwarding: No such file or directory
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.42.0.1 netmask 255.255.255.0 broadcast 10.42.0.255
inet6 fe80::4c6d:de50:a3d1:cbe prefixlen 64 scopeid 0x20<link>
ether 30:85:a9:11:cb:df txqueuelen 1000 (Ethernet)
RX packets 307275 bytes 47966154 (45.7 MiB)
RX errors 0 dropped 9 overruns 0 frame 0
TX packets 510676 bytes 566627587 (540.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 1 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 35262 bytes 7210507 (6.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 35262 bytes 7210507 (6.8 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.0 destination 10.8.0.1
inet6 fe80::a28:40b6:7db3:b6e1 prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 4323 bytes 546964 (534.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3912 bytes 1024431 (1000.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.42.1.1 netmask 255.255.255.0 broadcast 10.42.1.255
inet6 fe80::59ba:e291:f2f9:628b prefixlen 64 scopeid 0x20<link>
ether 74:e5:43:29:9b:4e txqueuelen 1000 (Ethernet)
RX packets 40418 bytes 7657042 (7.3 MiB)
RX errors 0 dropped 16 overruns 0 frame 0
TX packets 63120 bytes 25176738 (24.0 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.25 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::501b:a922:3efd:94ba prefixlen 64 scopeid 0x20<link>
ether d0:37:45:f5:f2:ae txqueuelen 1000 (Ethernet)
RX packets 608317 bytes 646981557 (617.0 MiB)
RX errors 0 dropped 223 overruns 0 frame 0
TX packets 374790 bytes 72410599 (69.0 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Ping from the Android:
Thanks for any suggestions that help me find the ideal solution!
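The captures above carry the key clue: the echo requests arrive on eth0, nothing ever leaves on wlan0, and the "port unreachable" replies are sourced from the gateway's own address (10.42.0.1) rather than from the Android. On Linux that combination is what the netfilter REJECT target produces with its default --reject-with icmp-port-unreachable; a plain routing failure would answer with a network or host unreachable instead. The following script is an added example, not code from the question, that encodes this triage over a `tcpdump -i any` capture. The gateway address, interface names and the first sample are taken from the question; the second, "healthy" capture is constructed here for contrast.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): triage a `tcpdump -i any` ICMP
# capture to tell "this router refused to forward" apart from "the packet was
# forwarded but nothing answered". Nothing is read from a live interface.

# Sample 1: the capture from the question (ARP lines kept to show they are
# ignored). Echo requests arrive on eth0, the gateway itself replies with
# ICMP port-unreachable, and nothing ever leaves on wlan0.
SAMPLE_REJECTED='16:24:22.960833 eth0 In IP 10.42.0.82 > 10.42.1.150: ICMP echo request, id 51712, seq 0, length 64
16:24:22.961074 eth0 Out IP 10.42.0.1 > 10.42.0.82: ICMP 10.42.1.150 protocol 1 port 8729 unreachable, length 92
16:24:23.680270 wlan0 In ARP, Request who-has 10.42.0.1 tell 10.42.1.150, length 28
16:24:23.680339 wlan0 Out ARP, Reply 10.42.0.1 is-at 74:e5:43:29:9b:4e, length 28
16:24:23.961291 eth0 In IP 10.42.0.82 > 10.42.1.150: ICMP echo request, id 51712, seq 1, length 64
16:24:23.961542 eth0 Out IP 10.42.0.1 > 10.42.0.82: ICMP 10.42.1.150 protocol 1 port 8423 unreachable, length 92'

# Sample 2: a constructed healthy forward (hypothetical timestamps and ids):
# the request goes out on wlan0 and the reply comes back through the router.
SAMPLE_HEALTHY='16:30:00.000100 eth0 In IP 10.42.0.82 > 10.42.1.150: ICMP echo request, id 7, seq 0, length 64
16:30:00.000200 wlan0 Out IP 10.42.0.82 > 10.42.1.150: ICMP echo request, id 7, seq 0, length 64
16:30:00.004000 wlan0 In IP 10.42.1.150 > 10.42.0.82: ICMP echo reply, id 7, seq 0, length 64
16:30:00.004100 eth0 Out IP 10.42.1.150 > 10.42.0.82: ICMP echo reply, id 7, seq 0, length 64'

# count_icmp_events CAPTURE GATEWAY_IP INGRESS_IF EGRESS_IF
# Prints "req_in=N req_out=N reply_in=N rej_from_gw=N" for the capture.
count_icmp_events() {
  printf '%s\n' "$1" | awk -v gw="$2" -v in_if="$3" -v out_if="$4" '
    # tcpdump -i any prints: time iface In|Out IP src > dst: ICMP ...
    $4 == "IP" && /ICMP echo request/ {
      if ($2 == in_if  && $3 == "In")  req_in++
      if ($2 == out_if && $3 == "Out") req_out++
    }
    $4 == "IP" && /ICMP echo reply/ && $2 == out_if && $3 == "In" { reply_in++ }
    # An "unreachable" whose source address is the gateway itself was
    # generated by this box, not by the destination host.
    $4 == "IP" && /unreachable/ && $5 == gw && $2 == in_if && $3 == "Out" { rej_from_gw++ }
    END {
      printf "req_in=%d req_out=%d reply_in=%d rej_from_gw=%d\n",
             req_in + 0, req_out + 0, reply_in + 0, rej_from_gw + 0
    }'
}

# diagnose_forwarding CAPTURE GATEWAY_IP INGRESS_IF EGRESS_IF
# Prints one of: never-reached-router | rejected-by-router |
#                forwarded-no-reply | forwarded-ok
diagnose_forwarding() {
  local counts req_in req_out reply_in rej
  counts=$(count_icmp_events "$@")
  req_in=${counts#*req_in=};     req_in=${req_in%% *}
  req_out=${counts#*req_out=};   req_out=${req_out%% *}
  reply_in=${counts#*reply_in=}; reply_in=${reply_in%% *}
  rej=${counts#*rej_from_gw=}
  if [ "$req_in" -eq 0 ]; then
    echo never-reached-router   # check the client's route/ARP for the gateway
  elif [ "$req_out" -eq 0 ] && [ "$rej" -gt 0 ]; then
    echo rejected-by-router     # a REJECT on this box, not the far host
  elif [ "$reply_in" -eq 0 ]; then
    echo forwarded-no-reply     # far host is down, firewalled, or asleep
  else
    echo forwarded-ok
  fi
}

# Stand-alone usage:
printf 'question capture: %s\n' "$(diagnose_forwarding "$SAMPLE_REJECTED" 10.42.0.1 eth0 wlan0)"
printf 'healthy capture:  %s\n' "$(diagnose_forwarding "$SAMPLE_HEALTHY" 10.42.0.1 eth0 wlan0)"
```

To run it against a real capture, feed `sudo tcpdump -lni any icmp` output through the same function with the router's LAN address and the two interfaces; the "rejected-by-router" verdict means the fix lives in this box's netfilter ruleset, while "forwarded-no-reply" points at the far host or its own firewall.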
Answer 1
Actually, the reply you are getting:
PING 10.42.1.150 (10.42.1.150): 56 data bytes
92 bytes from machine (10.42.0.1): Destination Port Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 fc85 0 0000 3f 01 68e8 10.42.0.82 10.42.1.150
means that 10.42.0.1 is dropping the packet (and notifying you) because it can't deliver it.
There is a lot of extra detail here that isn't necessarily relevant if you just want to figure out forwarding between eth0 & wlan0, but I guess that's fair since you've been updating based on the comments and trying to figure it out.
As far as I can tell, everything is more or less consistent with the iptables rules, which:
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -i tun0 -o wlan1 -j ACCEPT
-A FORWARD -i wlan1 -o tun0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -i tun0 -o wlan1 -j ACCEPT
-A FORWARD -i wlan1 -o tun0 -j ACCEPT
seem to be only 4 rules, but with 4 duplicates - you should probably remove the duplicated rules to reduce confusion.
However, the strangest part is that you have this: -A FORWARD -j ACCEPT, which logically I think should mean simply accept all traffic to be forwarded, which should be what you want, but apparently that isn't happening.
I don't think a rule like that is normally used; you could try replacing it with:
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -j ACCEPT
and see what happens?
Also, what do you see if you try the ping in the reverse direction? e.g. 10.42.1.150 --> 10.42.0.82
You can use something like PingTools, Ping, or Ping & Net to try it.
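The answer's two suggestions (drop the duplicated rules, replace the blanket `-A FORWARD -j ACCEPT` with interface-scoped pairs) are easy to get wrong by hand on a ruleset this repetitive. The script below is an added example, not the answer's or the question's own code: it audits an iptables-save dump for exact duplicates and for "blanket" rules that carry no match at all, then prints a deduplicated ruleset in which the blanket FORWARD accept is replaced by the two rules from the answer and the unconditional `-A POSTROUTING -j MASQUERADE` is restricted to the uplink. That last rule is worth scoping regardless of the ping problem: as written it also rewrites the source address of packets forwarded between the two LANs, so the Android would see the Mac as 10.42.1.1. The dump embedded below is the filter and nat output from the question; the interface names are taken from it.

```shell
#!/usr/bin/env bash
# Added example (not from the answer or the question): audit an iptables-save
# dump for duplicated rules and for "blanket" rules that match every packet,
# then print a deduplicated ruleset with interface-scoped replacements.
# The dump is the filter/nat output posted in the question.

RULESET='*filter
:INPUT ACCEPT [6046:607118]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10078:1146969]
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i wlan1 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i wlan1 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -i tun0 -o wlan1 -j ACCEPT
-A FORWARD -i wlan1 -o tun0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -i tun0 -o wlan1 -j ACCEPT
-A FORWARD -i wlan1 -o tun0 -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [3107:427832]
:INPUT ACCEPT [826:76600]
:OUTPUT ACCEPT [1808:145801]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o wlan1 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source 192.168.1.25
COMMIT'

# find_duplicate_rules DUMP: each rule that appears more than once, with its count.
find_duplicate_rules() {
  printf '%s\n' "$1" | grep '^-A' | sort | uniq -cd || true
}

# find_blanket_rules DUMP: rules of the form "-A CHAIN -j TARGET" with no match
# at all, i.e. rules that apply to every packet traversing the chain.
find_blanket_rules() {
  printf '%s\n' "$1" | grep -E '^-A [A-Za-z_]+ -j [A-Za-z]+$' || true
}

# dedupe_ruleset DUMP: drop repeated "-A" lines; table headers, chain policies
# and COMMIT lines pass through, so the result is still iptables-restore input.
dedupe_ruleset() {
  printf '%s\n' "$1" | awk '/^-A/ { if (seen[$0]++) next } { print }'
}

# scope_blanket_rules DUMP LAN_A LAN_B UPLINK: replace "-A FORWARD -j ACCEPT"
# with the two interface-pair rules from the answer, and restrict the
# unconditional MASQUERADE to the uplink so LAN-to-LAN traffic keeps its
# real source address.
scope_blanket_rules() {
  printf '%s\n' "$1" | awk -v lan_a="$2" -v lan_b="$3" -v uplink="$4" '
    $0 == "-A FORWARD -j ACCEPT" {
      print "-A FORWARD -i " lan_a " -o " lan_b " -j ACCEPT"
      print "-A FORWARD -i " lan_b " -o " lan_a " -j ACCEPT"
      next
    }
    $0 == "-A POSTROUTING -j MASQUERADE" {
      print "-A POSTROUTING -o " uplink " -j MASQUERADE"
      next
    }
    { print }'
}

# Stand-alone usage: audit the posted ruleset and print a proposed replacement.
echo "== duplicated rules =="; find_duplicate_rules "$RULESET"
echo "== blanket rules =="; find_blanket_rules "$RULESET"
echo "== proposed ruleset =="
scope_blanket_rules "$(dedupe_ruleset "$RULESET")" eth0 wlan0 wlan1
```

The script only prints the proposed ruleset; review it and load it with `iptables-restore` yourself. One check worth doing before trusting any of this: `iptables-save` on the nf_tables backend lists only the tables iptables itself created, so a reject rule installed directly with `nft` would not appear in the dump above. Compare with `nft list ruleset` to see the whole picture the kernel is actually enforcing.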