I have been given the task of setting up a network in which a gateway has already been set up for my "public IP" 10.200.3.2/28. I want to set up a gw/dhcp machine that uses the existing gateway, assigns an IP address on a VLAN interface (eth0.2), and uses NAT to send traffic from 172.16.0.0/25 to the Internet and masquerade it on the way back.
I first tried setting up a simple NAT, like this:
*nat
:POSTROUTING ACCEPT [0:0]
#Forward traffic through eth0.2
-A POSTROUTING -s 172.16.0.0/25 -o eth0.2 -j MASQUERADE
-A POSTROUTING -s 172.16.1.0/25 -o eth0.2 -j MASQUERADE
Then I set up BIND9 on a second machine using only internal IPs (forward and reverse), without any views or ACLs. That worked well and I was able to resolve names. Then I kept going and ended up where I am now. I cannot resolve anything with ping or nslookup; when I try, for example, "www.example.com", I get the following:
user@ns:~$ nslookup www.example.com
;; communications error to 172.16.0.2#53: timed out
;; Got SERVFAIL reply from 172.16.0.2, trying next server
;; communications error to 10.250.0.5#53: timed out
;; communications error to 10.250.0.5#53: timed out
;; no servers could be reached
The status shows:
Nov 24 22:23:46 ns.bedrift3.d3-101.usn named[2232]: network unreachable resolving 'ntp.ubuntu.com/AAAA/IN': 10.250.0.5#53
Nov 24 22:28:55 ns.example.com named[2232]: listening on IPv4 interface eno1, 172.16.0.2#53
Nov 24 22:57:08 ns.example.com named[2232]: managed-keys-zone/public: Unable to fetch DNSKEY set '.': timed out
Nov 24 22:57:08 ns.example.com named[2232]: managed-keys-zone/private: Unable to fetch DNSKEY set '.': timed out
Nov 24 23:14:05 ns.example.com named[2232]: managed-keys-zone/private: Unable to fetch DNSKEY set '.': timed out
Nov 24 23:14:05 ns.example.com named[2232]: managed-keys-zone/public: Unable to fetch DNSKEY set '.': timed out
I am still very new to this field and feel I have tried everything I can, so any feedback is greatly appreciated.
Both machines run Ubuntu 22.04 LTS Server.
Everything on the gateway/DHCP server (172.16.0.1). Resolution works from gw (for some reason it is really slow):
user@gw:~$ ping google.com
PING google.com (172.217.21.174) 56(84) bytes of data.
64 bytes from fra07s64-in-f174.1e100.net (172.217.21.174): icmp_seq=1 ttl=52 time=10.5 ms
64 bytes from fra07s64-in-f174.1e100.net (172.217.21.174): icmp_seq=2 ttl=52 time=10.3 ms
64 bytes from arn11s03-in-f14.1e100.net (172.217.21.174): icmp_seq=3 ttl=52 time=10.3 ms
64 bytes from fra07s64-in-f174.1e100.net (172.217.21.174): icmp_seq=4 ttl=52 time=10.6 ms
user@gw:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether dc:a6:32:44:a2:19 brd ff:ff:ff:ff:ff:ff
inet 169.254.245.151/16 brd 169.254.255.255 scope link noprefixroute eth0
valid_lft forever preferred_lft forever
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
link/ether dc:a6:32:44:a2:1a brd ff:ff:ff:ff:ff:ff
4: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether dc:a6:32:44:a2:19 brd ff:ff:ff:ff:ff:ff
inet 10.200.3.2/28 brd 10.200.3.15 scope global noprefixroute eth0.2
valid_lft forever preferred_lft forever
5: eth0.30@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether dc:a6:32:44:a2:19 brd ff:ff:ff:ff:ff:ff
inet 172.16.0.1/25 brd 172.16.0.127 scope global noprefixroute eth0.30
valid_lft forever preferred_lft forever
user@gw:~$ ip r
default via 10.200.3.1 dev eth0.2 proto static metric 401
10.200.3.0/28 dev eth0.2 proto kernel scope link src 10.200.3.2 metric 401
169.254.0.0/16 dev eth0 proto kernel scope link src 169.254.245.151 metric 100
172.16.0.0/25 dev eth0.30 proto kernel scope link src 172.16.0.1 metric 400
224.0.0.0/4 dev eth0 proto static scope link metric 100
/etc/ufw/before.rules
# nat Table rules
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
#Forward traffic through eth0.2
-A POSTROUTING -s 172.16.0.0/25 -o eth0.2 -j MASQUERADE
-A POSTROUTING -s 172.16.1.0/25 -o eth0.2 -j MASQUERADE
#Port forwarding
-A PREROUTING -i eth0.30 -p tcp --dport 25 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p udp --dport 25 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p tcp --dport 53 -j DNAT --to-destination 172.16.0.2
-A PREROUTING -i eth0.30 -p udp --dport 53 -j DNAT --to-destination 172.16.0.2
-A PREROUTING -i eth0.30 -p tcp --dport 80 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p udp --dport 80 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p tcp --dport 110 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p udp --dport 110 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p tcp --dport 143 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p udp --dport 143 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p tcp --dport 443 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p udp --dport 443 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p tcp --dport 1433 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p udp --dport 1433 -j DNAT --to-destination 172.16.0.3
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
dhcpd configuration file
option domain-name "example.com";
default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;
authoritative;
subnet 172.16.0.0 netmask 255.255.255.128 {
option domain-name-servers 172.16.0.2, 10.250.0.5, 8.8.8.8;
option routers 172.16.0.1;
option broadcast-address 172.16.0.127;
}
host DNS {
hardware ethernet 18:03:73:28:00:35;
fixed-address 172.16.0.2;
}
host webserver {
hardware ethernet 00:25:64:E6:FD:CF;
fixed-address 172.16.0.3;
}
host safe-dhcp {
hardware ethernet DC:A6:32:44:A2:58;
fixed-address 172.16.0.4;
}
Everything on ns (172.16.0.2)
user@ns:~$ ping google.com
ping: google.com: Temporary failure in name resolution
user@ns:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 18:03:73:28:00:35 brd ff:ff:ff:ff:ff:ff
altname enp0s25
inet 172.16.0.2/25 brd 172.16.0.127 scope global dynamic noprefixroute eno1
valid_lft 509sec preferred_lft 509sec
inet6 fe80::1a03:73ff:fe28:35/64 scope link
valid_lft forever preferred_lft forever
user@ns:~$ ip r
default via 172.16.0.1 dev eno1 proto dhcp metric 100
172.16.0.0/25 dev eno1 proto kernel scope link src 172.16.0.2 metric 100
DNS files
/etc/bind/named.conf.options (10.150.0.5 is a lab-tested DNS server)
options {
listen-on port 53 { localhost; 172.16.0.2; };
directory "/var/cache/bind";
allow-query { any; };
allow-transfer { any; };
forwarders { 10.250.0.5; };
forward only;
};
acl private { localhost; 172.16.0.0/25; 172.16.1.0/25; };
acl public { 10.100.7.0/24; 10.250.0.0/16; };
/etc/bind/named.conf.local
view private {
match-clients { private; };
zone "." {
type hint;
file "/usr/share/dns/root.hints";
};
zone "example.com" IN {
type master;
file "/etc/bind/db.example.com";
allow-update { none; };
};
zone "3.200.10.in-addr.arpa" IN {
type master;
file "/etc/bind/db.10.200.3";
allow-update { none; };
};
};
view public {
match-clients { public; };
zone "example.com" IN {
type master;
file "/etc/bind/db.public.example.com";
allow-update { none; };
};
zone "0.16.172.in-addr.arpa" IN {
type master;
file "/etc/bind/db.172.16.0";
allow-update { none; };
};
};
/etc/bind/db.example.com
$TTL 1h
@ IN SOA dns-example.com. [email protected]. (1234 1H 1800 60 30)
@ IN NS dns-example.com.
gw IN A 172.16.0.1
ns IN A 172.16.0.2
www IN A 172.16.0.3
mail IN A 172.16.0.3
safe IN A 172.16.0.4
@ IN MX 10 mail
/etc/bind/db.public.example.com
$TTL 1h
@ IN SOA dns-example.com. [email protected]. (1234 1H 1800 60 30)
@ IN NS dns-example.com.
gw IN A 10.200.3.1
ns IN A 10.200.3.2
www IN A 10.200.3.2
mail IN A 10.200.3.2
safe IN A 10.200.3.2
@ IN MX 10 mail
/etc/bind/db.10.200.3
$TTL 1h
@ IN SOA dns-example.com. [email protected]. (1234 1H 1800 60 30)
@ IN NS dns-example.com.
1 IN PTR gw.example.com.
2 IN PTR ns.example.com.
3 IN PTR www.example.com.
3 IN PTR mail.example.com.
4 IN PTR safe.example.com.
/etc/bind/db.172.16.0
$TTL 1h
@ IN SOA dns-example.com. [email protected]. (1234 1H 1800 60 30)
@ IN NS dns-example.com.
1 IN PTR gw.example.com.
2 IN PTR ns.example.com.
3 IN PTR www.example.com.
3 IN PTR mail.example.com.
4 IN PTR safe.example.com.
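A check that a practitioner would run against the acl and view definitions above is to ask which view a given client source address lands in, since named tries views in the order they are written and refuses a client that matches none. The following script is an added example, not part of the original post: it encodes the posted acls and view order and reports the selected view. The loopback prefixes used for BIND's built-in "localhost" ACL are my simplification (the real built-in ACL matches every address on the server's own interfaces), and the sample client addresses are constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# ACLs as in the posted named.conf.options. BIND's built-in "localhost" ACL matches every
# address configured on the server's own interfaces; the loopback networks used here are a
# simplification (my assumption) that is enough to illustrate view selection.
ACLS: Dict[str, List[str]] = {
    "localhost": ["127.0.0.0/8", "::1/128"],
    "private": ["localhost", "172.16.0.0/25", "172.16.1.0/25"],
    "public": ["10.100.7.0/24", "10.250.0.0/16"],
}

# Views in the order they appear in the posted named.conf.local; named tries them in order.
VIEWS: List[Tuple[str, List[str]]] = [("private", ["private"]), ("public", ["public"])]


def acl_matches(acl_name: str, addr: Addr, acls: Dict[str, List[str]] = ACLS) -> bool:
    """Resolve an ACL recursively: an entry is either a nested ACL name or a prefix."""
    for entry in acls[acl_name]:
        if entry in acls:
            if acl_matches(entry, addr, acls):
                return True
        elif addr in ipaddress.ip_network(entry):
            return True
    return False


def select_view(client: str, views=VIEWS, acls=ACLS) -> Optional[str]:
    """Return the first view whose match-clients list admits the client, or None.
    named answers a client that matches no view with REFUSED."""
    addr = ipaddress.ip_address(client)
    for view_name, match_clients in views:
        if any(acl_matches(a, addr, acls) for a in match_clients):
            return view_name
    return None


if __name__ == "__main__":
    # Constructed sample clients: the resolver itself, the forwarder, and the upstream gateway
    for client in ("127.0.0.1", "172.16.0.2", "10.250.0.5", "10.200.3.1"):
        print(client, "->", select_view(client))
```

Running it shows that 172.16.0.2 and localhost select the private view and 10.250.0.5 selects the public view, while an address from the 10.200.3.0/28 subnet on which gw has its public IP is in neither acl and therefore matches no view.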
Answer 1
It looks like your DNS server cannot reach 10.150.0.5, because you forward everything to 172.16.0.2.
You could try changing the DNS forwarding in your iptables rules to something like this:
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to-destination 10.150.0.5
I am not sure whether this will work, since all the config files in your setup confuse me a bit.
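To see what the posted port-53 DNAT rules and the answer's suggested rule each do to the resolver's own traffic, it helps to trace a packet through the nat PREROUTING chain. The script below is an added example, not code from the poster or the answerer: it models first-match DNAT evaluation with the chain's ACCEPT policy, feeds it the two port-53 lines from the posted before.rules, the answer's rule, and a destination-restricted variant that is my assumption rather than anything on the page. The packets are constructed: ns's forwarded query to 10.250.0.5, which by ns's default route arrives at gw on eth0.30, and an outside client's query to gw's public IP arriving on eth0.2.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrives on (iptables -i)
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class DnatRule:
    """A PREROUTING DNAT rule. A None field means the rule does not match on it."""
    in_iface: Optional[str]
    proto: Optional[str]
    dport: Optional[int]
    dst_net: Optional[str]  # -d restriction, e.g. "10.200.3.2/32"
    to: str                 # --to-destination

    def matches(self, p: Packet) -> bool:
        if self.in_iface is not None and p.in_iface != self.in_iface:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.dst_net is not None and (
            ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst_net)
        ):
            return False
        return True


def apply_prerouting(rules: List[DnatRule], p: Packet) -> str:
    """Return the destination after the nat PREROUTING chain: the first matching
    DNAT rule wins, and the chain's ACCEPT policy leaves an unmatched packet alone."""
    for rule in rules:
        if rule.matches(p):
            return rule.to
    return p.dst


# The two port-53 lines from the posted /etc/ufw/before.rules
POSTED = [
    DnatRule("eth0.30", "tcp", 53, None, "172.16.0.2"),
    DnatRule("eth0.30", "udp", 53, None, "172.16.0.2"),
]
# The rule suggested in the answer: every udp/53 packet, whatever interface or destination
ANSWER = [DnatRule(None, "udp", 53, None, "10.150.0.5")]
# A destination-restricted variant (my assumption, not from the page): only packets that
# arrive on the outside VLAN addressed to gw's own public IP are handed to the resolver
RESTRICTED = [
    DnatRule("eth0.2", "tcp", 53, "10.200.3.2/32", "172.16.0.2"),
    DnatRule("eth0.2", "udp", 53, "10.200.3.2/32", "172.16.0.2"),
]

# Constructed packets. ns's default route points at gw, so its forwarded query to
# 10.250.0.5 arrives on eth0.30; an outside client's query to gw's public IP arrives on eth0.2.
NS_FORWARD = Packet("eth0.30", "udp", "172.16.0.2", "10.250.0.5", 53)
OUTSIDE_QUERY = Packet("eth0.2", "udp", "10.250.0.7", "10.200.3.2", 53)


def trace(rulesets: Dict[str, List[DnatRule]]) -> Dict[str, Dict[str, str]]:
    """Show, per ruleset, where each sample packet ends up."""
    out: Dict[str, Dict[str, str]] = {}
    for name, rules in rulesets.items():
        out[name] = {
            "ns->forwarder": apply_prerouting(rules, NS_FORWARD),
            "outside->gw:53": apply_prerouting(rules, OUTSIDE_QUERY),
        }
    return out


if __name__ == "__main__":
    for name, result in trace({"posted": POSTED, "answer": ANSWER, "restricted": RESTRICTED}).items():
        print(name, result)
```

The trace shows the problem the answer points at: with the posted rules, ns's query to its forwarder is rewritten back to 172.16.0.2, so the resolver is sent its own question, which matches the "communications error to 10.250.0.5#53: timed out" lines in the post; because those rules are bound to eth0.30 they do nothing for a packet arriving from outside on eth0.2. The answer's rule lets the forwarded query reach 10.150.0.5, but since it has no interface or destination restriction it also rewrites an outside client's query to the published name server. Restricting the rule to the outside interface and gw's own public address leaves ns's forwarded query untouched while still handing queries meant for gw's public IP to the resolver.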