Cannot reach network 192.168.100.0/24

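In one of our data centers we have a Debian machine acting as a router. From this network we cannot reach any machine on the 192.168.100.0/24 network. For example, the gateway on the 192.168.100.0/24 network is 192.168.100.10. This gateway cannot be reached from the 192.168.200.0/24 network.

The network configuration is as follows

/etc/network/interfaces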

auto lo eth0 eth1
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
        address 77.xx.xx.xx
        netmask 255.255.255.240
        gateway 77.xx.xx.xx

# The internal network interface
iface eth1 inet static
        address 192.168.200.20
        netmask 255.255.255.0

iface eth1.100 inet static
        address 192.168.100.1
        netmask 255.255.255.0

iface tun0 inet static
      address 10.254.254.1
      netmask 255.255.255.252
      pointopoint 10.254.254.2

ifconfig shows the following

eth0      Link encap:Ethernet  HWaddr 00:13:21:ae:d7:23  
          inet addr:77.xx.xx.xx  Bcast:77.xx.xx.xx  Mask:255.255.255.240
          inet6 addr: fe80::213:21ff:feae:d723/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:136897619 errors:7 dropped:0 overruns:0 frame:56
          TX packets:35219565 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:106904749360 (99.5 GiB)  TX bytes:4700046351 (4.3 GiB)
          Interrupt:25 

eth1      Link encap:Ethernet  HWaddr 00:13:21:ae:d7:22  
          inet addr:192.168.200.20  Bcast:192.168.200.255  Mask:255.255.255.0
          inet6 addr: fe80::213:21ff:feae:d722/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:25456278 errors:0 dropped:0 overruns:0 frame:0
          TX packets:51273676 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2910299307 (2.7 GiB)  TX bytes:71434605655 (66.5 GiB)
          Interrupt:26 

eth1.100  Link encap:Ethernet  HWaddr 00:13:21:ae:d7:22  
          inet addr:192.168.100.1  Bcast:192.168.100.255  Mask:255.255.255.0
          inet6 addr: fe80::213:21ff:feae:d722/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:1350 (1.3 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8057 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8057 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:678439 (662.5 KiB)  TX bytes:678439 (662.5 KiB)

ppp0      Link encap:Point-to-Point Protocol  
          inet addr:192.168.200.200  P-t-P:192.168.0.201  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1486  Metric:1
          RX packets:16438 errors:0 dropped:0 overruns:0 frame:0
          TX packets:31312 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:1281863 (1.2 MiB)  TX bytes:14955384 (14.2 MiB)

I tried manually adding one of the following routes, without success.

route add -net 192.168.100.0 netmask 255.255.255.0 dev eth1

route add -net 192.168.100.0 netmask 255.255.255.0 gw 192.168.200.20 dev eth1

ip route add 192.168.100.0/24 via 192.168.200.20 dev eth1

The route gets added, but it does not help much. The 192.168.100.0/24 network is still unreachable.

What ip route show and route -n show

root@dc-dc:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.201   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
77.xx.xx.xx     0.0.0.0         255.255.255.240 U     0      0        0 eth0
192.168.200.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         77.xx.xx.xx    0.0.0.0         UG    0      0        0 eth0

root@dc-dc:~# ip route show
192.168.0.201 dev ppp0  proto kernel  scope link  src 192.168.200.200 
77.xx.xx.xx/28 dev eth0  proto kernel  scope link  src 77.xx.xx.xx 
192.168.200.0/24 dev eth1  proto kernel  scope link  src 192.168.200.20 
default via 77.xx.xx.xx dev eth0 

Port forwarding is enabled

root@dc-dc:~# cat /proc/sys/net/ipv4/ip_forward 
1

Output of iptables

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  eth0   *       220.xx.xx.2         0.0.0.0/0           
   57  2964 ACCEPT     tcp  --  eth0   *       194.xx.xx.0/24       0.0.0.0/0           tcp dpt:22 
 108K 6495K ACCEPT     tcp  --  eth0   *       194.xx.xx.0/24       0.0.0.0/0           tcp dpt:1723 
  52M   71G ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
  14M  724M ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
 4407  427K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
  26M   38G ACCEPT     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           
  415 19592 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
  249 11776 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 
    5   180 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0           icmp type 0 
14351 1193K ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
14092  845K ACCEPT     all  --  eth0   *       194.xx.xx.0/24       0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            224.0.0.0/8         
    0     0 ACCEPT     112  --  *      *       0.0.0.0/0            0.0.0.0/0           
16173 1376K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    6   616 ACCEPT     all  --  eth1   eth1    0.0.0.0/0            0.0.0.0/0           
  21M   31G ACCEPT     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           
  10M 1573M ACCEPT     all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           
 138K   20M ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
 146K  202M ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     udp  --  *      *       89.xx.xx.xx          127.0.0.1           udp spt:53 
    0     0 ACCEPT     udp  --  *      *       83.xx.xx.xx        127.0.0.1           udp spt:53 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  43M   41G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     112  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0 

root@dc-dc:~# iptables -t nat -L -v 
Chain PREROUTING (policy ACCEPT 121K packets, 12M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 1715 packets, 112K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  any    any     10.254.254.0/24      anywhere            
    0     0 MASQUERADE  all  --  any    ppp0    anywhere             anywhere            
    0     0 SNAT       all  --  any    eth0    anywhere             212.159.203.234     to:194.50.96.11 
58671 3659K MASQUERADE  all  --  any    eth0    anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 28351 packets, 1945K bytes)
 pkts bytes target     prot opt in     out     source               destination 

Any idea what I could try? Thanks in advance.

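Answer 1

Do connections to other networks work, so that the router itself is functioning properly?

Are you sure the routing for the replies is set up correctly too? Setting a gateway for only one direction is not enough; you also have to make sure the route in the opposite direction works.

For example:

Server A is connected to router A, which is then connected to server B. Suppose both servers have a default gateway that is not router A but some other router. Now, if you tell server A that its route to server B is via router A, that is not enough. You also need to tell server B that its route to server A is via router A. Otherwise, packets from server A may reach server B, but server B does not know how to reply, or replies through the wrong router.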
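The return-path check described in Answer 1, as an added example that is not part of the original answer: a longest-prefix-match lookup over `ip route show` style tables for both servers, confirming that each direction uses router A. The router addresses 192.168.200.20 and 192.168.100.1 and the host 192.168.100.10 come from the question; server A's address 192.168.200.50, the other default gateways and all three tables are constructed for illustration.

```python
import ipaddress

def parse_routes(text):
    """Parse simplified `ip route show` lines into (network, next_hop, dev)."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        net = ipaddress.ip_network("0.0.0.0/0" if tok[0] == "default" else tok[0])
        via = tok[tok.index("via") + 1] if "via" in tok else None  # None = on-link
        dev = tok[tok.index("dev") + 1]
        routes.append((net, via, dev))
    return routes

def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def next_hop(routes, dst):
    """Gateway used for dst, 'on-link' for a directly connected net, None if no route."""
    r = lookup(routes, dst)
    return None if r is None else (r[1] or "on-link")

def path_is_symmetric(a_routes, b_routes, a_ip, b_ip, router_from_a, router_from_b):
    """True only if A reaches B via the router and B replies via the same router."""
    return (next_hop(a_routes, b_ip) == router_from_a and
            next_hop(b_routes, a_ip) == router_from_b)

# Constructed sample tables (not taken from the question's hosts).
SERVER_A = """
192.168.200.0/24 dev eth0 proto kernel scope link src 192.168.200.50
192.168.100.0/24 via 192.168.200.20 dev eth0
default via 192.168.200.1 dev eth0
"""
SERVER_B_BROKEN = """
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.10
default via 192.168.100.254 dev eth0
"""
# Same table plus the missing return route through router A.
SERVER_B_FIXED = SERVER_B_BROKEN + "192.168.200.0/24 via 192.168.100.1 dev eth0\n"

if __name__ == "__main__":
    a = parse_routes(SERVER_A)
    for name, table in (("broken", SERVER_B_BROKEN), ("fixed", SERVER_B_FIXED)):
        b = parse_routes(table)
        print(name, "reply next hop:", next_hop(b, "192.168.200.50"), "symmetric:",
              path_is_symmetric(a, b, "192.168.200.50", "192.168.100.10",
                                "192.168.200.20", "192.168.100.1"))
```

With the broken table the reply leaves through 192.168.100.254 instead of router A, which is the one-way routing the answer warns about.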

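Answer 2

It looks like the interface "eth1.100" was created with vconfig or a similar command. This means the interface will behave as if it is tagged for VLAN 100, and any packet transmitted from that interface will have an 802.1Q VLAN tag added. I suspect this because the interface name is "eth1.100" rather than "eth1:100".

What you actually want is probably just multihoming. First remove the interface "eth1.100" with the command "vconfig rem eth1.100", then add 192.168.100.1 to eth1 by issuing the command "ifconfig eth1 add 192.168.100.1".

Hope this solves your problem.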
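What Answer 2 describes at the frame level, as an added example that is not part of the original answer: the same ARP request sent untagged (as from eth1) and with an 802.1Q tag for VLAN 100 (as from eth1.100), and a parser that tells the two apart. The frame is constructed from the addresses in the question; `accepted_by_untagged_host` is a hypothetical, simplified model of a peer with no VLAN 100 sub-interface.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def add_vlan_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag after the source MAC, as a VLAN sub-interface does."""
    if not 0 < vid < 4095:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | vid  # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def classify(frame: bytes):
    """Return (vlan_id or None, payload EtherType) for an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, inner

def accepted_by_untagged_host(frame: bytes) -> bool:
    """Simplified model (assumption): the peer handles only untagged ARP/IPv4 frames."""
    vid, ethertype = classify(frame)
    return vid is None and ethertype in (0x0800, 0x0806)

def sample_arp_request() -> bytes:
    """Constructed frame: who-has 192.168.100.10 tell 192.168.100.1."""
    src = bytes.fromhex("001321aed722")  # eth1 MAC from the ifconfig output
    header = b"\xff" * 6 + src + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, src,
                      bytes([192, 168, 100, 1]), bytes(6), bytes([192, 168, 100, 10]))
    return header + arp

UNTAGGED = sample_arp_request()         # what plain eth1 would send
TAGGED = add_vlan_tag(UNTAGGED, 100)    # what eth1.100 sends

if __name__ == "__main__":
    for name, frame in (("eth1", UNTAGGED), ("eth1.100", TAGGED)):
        vid, etype = classify(frame)
        print(f"{name}: vlan={vid} ethertype=0x{etype:04x} "
              f"accepted={accepted_by_untagged_host(frame)}")
```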
