在我们的一个数据中心,我们有一台 Debian 机器充当路由器。从这个网络,我们无法访问 192.168.100.0/24 网络上的任何机器。例如,192.168.100.0/24 网络上的网关是 192.168.100.10。从这个网络 192.168.200.0/24 无法访问此网关。
网络配置如下
/etc/网络/接口
auto lo eth0 eth1
iface lo inet loopback
# The primary network interface
allow-hotplug eth0
iface eth0 inet static
address 77.xx.xx.xx
netmask 255.255.255.240
gateway 77.xx.xx.xx
# The internal network interface
iface eth1 inet static
address 192.168.200.20
netmask 255.255.255.0
iface eth1.100 inet static
address 192.168.100.1
netmask 255.255.255.0
iface tun0 inet static
address 10.254.254.1
netmask 255.255.255.252
pointopoint 10.254.254.2
显示ifconfig以下内容
eth0 Link encap:Ethernet HWaddr 00:13:21:ae:d7:23
inet addr:77.xx.xx.xx Bcast:77.xx.xx.xx Mask:255.255.255.240
inet6 addr: fe80::213:21ff:feae:d723/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:136897619 errors:7 dropped:0 overruns:0 frame:56
TX packets:35219565 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:106904749360 (99.5 GiB) TX bytes:4700046351 (4.3 GiB)
Interrupt:25
eth1 Link encap:Ethernet HWaddr 00:13:21:ae:d7:22
inet addr:192.168.200.20 Bcast:192.168.200.255 Mask:255.255.255.0
inet6 addr: fe80::213:21ff:feae:d722/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:25456278 errors:0 dropped:0 overruns:0 frame:0
TX packets:51273676 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2910299307 (2.7 GiB) TX bytes:71434605655 (66.5 GiB)
Interrupt:26
eth1.100 Link encap:Ethernet HWaddr 00:13:21:ae:d7:22
inet addr:192.168.100.1 Bcast:192.168.100.255 Mask:255.255.255.0
inet6 addr: fe80::213:21ff:feae:d722/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:27 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:1350 (1.3 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8057 errors:0 dropped:0 overruns:0 frame:0
TX packets:8057 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:678439 (662.5 KiB) TX bytes:678439 (662.5 KiB)
ppp0 Link encap:Point-to-Point Protocol
inet addr:192.168.200.200 P-t-P:192.168.0.201 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1486 Metric:1
RX packets:16438 errors:0 dropped:0 overruns:0 frame:0
TX packets:31312 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:1281863 (1.2 MiB) TX bytes:14955384 (14.2 MiB)
我尝试手动添加以下其中一条路线,但没有成功。
route add -net 192.168.100.0 netmask 255.255.255.0 dev eth1
route add -net 192.168.100.0 netmask 255.255.255.0 gw 192.168.200.20 dev eth1
ip route add 192.168.100.0/24 via 192.168.200.20 dev eth1
路由正在添加,但作用不大。网络 192.168.100.0/24 仍然无法访问。
什么ip 路由显示和路线-n节目
root@dc-dc:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.201 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
77.xx.xx.xx 0.0.0.0 255.255.255.240 U 0 0 0 eth0
192.168.200.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 77.xx.xx.xx 0.0.0.0 UG 0 0 0 eth0
root@dc-dc:~# ip route show
192.168.0.201 dev ppp0 proto kernel scope link src 192.168.200.200
77.xx.xx.xx/28 dev eth0 proto kernel scope link src 77.xx.xx.xx
192.168.200.0/24 dev eth1 proto kernel scope link src 192.168.200.20
default via 77.xx.xx.xx dev eth0
端口转发已启用
root@dc-dc:~# cat /proc/sys/net/ipv4/ip_forward
1
iptables 的输出
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- eth0 * 220.xx.xx.2 0.0.0.0/0
57 2964 ACCEPT tcp -- eth0 * 194.xx.xx.0/24 0.0.0.0/0 tcp dpt:22
108K 6495K ACCEPT tcp -- eth0 * 194.xx.xx.0/24 0.0.0.0/0 tcp dpt:1723
52M 71G ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
14M 724M ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
4407 427K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
26M 38G ACCEPT all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
415 19592 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
249 11776 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
5 180 ACCEPT icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 icmp type 0
14351 1193K ACCEPT icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 icmp type 8
14092 845K ACCEPT all -- eth0 * 194.xx.xx.0/24 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 224.0.0.0/8
0 0 ACCEPT 112 -- * * 0.0.0.0/0 0.0.0.0/0
16173 1376K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6 616 ACCEPT all -- eth1 eth1 0.0.0.0/0 0.0.0.0/0
21M 31G ACCEPT all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
10M 1573M ACCEPT all -- * ppp0 0.0.0.0/0 0.0.0.0/0
138K 20M ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
146K 202M ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 89.xx.xx.xx 127.0.0.1 udp spt:53
0 0 ACCEPT udp -- * * 83.xx.xx.xx 127.0.0.1 udp spt:53
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
43M 41G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 112 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
root@dc-dc:~# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 121K packets, 12M bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1715 packets, 112K bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- any any 10.254.254.0/24 anywhere
0 0 MASQUERADE all -- any ppp0 anywhere anywhere
0 0 SNAT all -- any eth0 anywhere 212.159.203.234 to:194.50.96.11
58671 3659K MASQUERADE all -- any eth0 anywhere anywhere
Chain OUTPUT (policy ACCEPT 28351 packets, 1945K bytes)
pkts bytes target prot opt in out source destination
知道我可以尝试什么吗?提前谢谢
答案1
是否连接到其他网络,因此路由器本身可以正常工作?
你确定回复的路由也设置正确了吗?如果你只为一个方向设置网关,这还不够,你还必须确保相反方向的路由有效。
例如:
服务器 A 连接到路由器 A,然后连接到服务器 B。假设两台服务器都有一个默认网关,该网关不是路由器 A,而是其他路由器。现在,如果您告诉服务器 A 它到服务器 B 的路由是通过路由器 A,这还不够。您还需要告诉服务器 B 它到服务器 A 的路由是通过路由器 A。否则,来自服务器 A 的数据包可能会到达服务器 B,但服务器 B 不知道如何回复或使用错误的路由器进行回复。
答案2
看起来接口“eth1.100”是用 vconfig 或类似命令创建的。这意味着该接口将表现得好像被标记为 VLAN 100,并且从该接口传输的任何数据包都将添加 802.1Q VLAN 标记。我怀疑这是因为接口名称是“eth1.100”而不是“eth1:100”。
您实际上想要的可能只是多宿主。首先使用命令“vconfig rem eth1.100”删除接口“eth1.100”,然后通过发出命令“ifconfig eth1 add 192.168.100.1”将 192.168.100.1 添加到 eth1。
希望这可以解决您的问题。