Cannot ping a multihomed Linux machine on a non-default interface

I have a multihomed Ubuntu server with a set of interfaces, including:

eth2: 10.10.0.131/24
eth3: 10.20.0.2/24

The default interface is eth2, and the gateway is 10.10.0.1. The routing table looks like this:

root@c220-1:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.10.0.1       0.0.0.0         UG        0 0          0 eth2
10.10.0.0       0.0.0.0         255.255.255.0   U         0 0          0 eth2
10.20.0.0       0.0.0.0         255.255.255.0   U         0 0          0 eth3
10.30.0.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.40.0.0       0.0.0.0         255.255.0.0     U         0 0          0 eth1

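From a separate network (192.168.3.5/24) I can reach this machine through the eth2 interface (the one with the default gateway), but not through the eth3 interface. I can ping the eth3 interface from the router on the same network (10.20.0.1) without any problem.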

If I ping 10.10.0.131 from 192.168.3.5, the packets reach the machine, but it does not send any reply:

c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 98: 192.168.3.5 > 10.20.0.2: ICMP echo request, id 5451, seq 0, length 64
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 98: 192.168.3.5 > 10.20.0.2: ICMP echo request, id 5451, seq 1, length 64
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 98: 192.168.3.5 > 10.20.0.2: ICMP echo request, id 5451, seq 2, length 64
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 98: 192.168.3.5 > 10.20.0.2: ICMP echo request, id 5451, seq 3, length 64
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 98: 192.168.3.5 > 10.20.0.2: ICMP echo request, id 5451, seq 4, length 64
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 98: 192.168.3.5 > 10.20.0.2: ICMP echo request, id 5451, seq 5, length 64
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 98: 192.168.3.5 > 10.20.0.2: ICMP echo request, id 5451, seq 6, length 64
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 98: 192.168.3.5 > 10.20.0.2: ICMP echo request, id 5451, seq 7, length 64

If I ping from the router on the same network (10.20.0.1), the server replies correctly:

c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 114: 10.20.0.1 > 10.20.0.2: ICMP echo request, id 28899, seq 2932, length 80
73:10:73:e4:10:06 > c4:c8:80:90:22:eb, IPv4, length 114: 10.20.0.2 > 10.20.0.1: ICMP echo reply, id 28899, seq 2932, length 80
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 114: 10.20.0.1 > 10.20.0.2: ICMP echo request, id 28899, seq 2932, length 80
73:10:73:e4:10:06 > c4:c8:80:90:22:eb, IPv4, length 114: 10.20.0.2 > 10.20.0.1: ICMP echo reply, id 28899, seq 2932, length 80
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 114: 10.20.0.1 > 10.20.0.2: ICMP echo request, id 28899, seq 2932, length 80
73:10:73:e4:10:06 > c4:c8:80:90:22:eb, IPv4, length 114: 10.20.0.2 > 10.20.0.1: ICMP echo reply, id 28899, seq 2932, length 80
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 114: 10.20.0.1 > 10.20.0.2: ICMP echo request, id 28899, seq 2932, length 80
73:10:73:e4:10:06 > c4:c8:80:90:22:eb, IPv4, length 114: 10.20.0.2 > 10.20.0.1: ICMP echo reply, id 28899, seq 2932, length 80
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 114: 10.20.0.1 > 10.20.0.2: ICMP echo request, id 28899, seq 2932, length 80
73:10:73:e4:10:06 > c4:c8:80:90:22:eb, IPv4, length 114: 10.20.0.2 > 10.20.0.1: ICMP echo reply, id 28899, seq 2932, length 80

Note that, following this answer to a similar question, I have turned off rp_filter on all interfaces, but the problem is still not solved:

$ for i in eth0 eth1 eth2 eth3 all default
> do
> cat /proc/sys/net/ipv4/conf/$i/rp_filter
> done
0
0
0
0
0
0

Answer 1

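The problem is that, because the default route goes through eth2, the ping reply is sent out through eth2 even though the request was received on eth3. (If you tcpdump eth2, you should see the replies being sent.) Some device is then probably dropping the packets because their source IP is not valid for the network they are on. You need some source policy routing so that replies are sent out of the interface they were received on.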

  1. Create a new routing table (only needs to be done once):

    echo 13 eth3 >> /etc/iproute2/rt_tables
    
  2. Add a default route to this new table that goes out through eth3:

    ip route add default via 10.20.0.1 table eth3
    
  3. Add a policy rule that uses this new table for packets whose source address is eth3's IP:

    ip rule add from 10.20.0.2 lookup eth3
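
The lookup order that Answer 1 relies on, as an added example that is not part of the original answer: a simplified Python model of Linux policy routing (rules walked in priority order, longest-prefix match inside each table) applied to the routing table from the question. The function names and the `BEFORE`/`AFTER` rule sets are constructed for this illustration; the model ignores the `local` table, fwmark and interface selectors.

```python
import ipaddress

# Main table copied from the question's `netstat -rn` output: (prefix, gateway, iface)
MAIN = [
    ("0.0.0.0/0", "10.10.0.1", "eth2"),
    ("10.10.0.0/24", None, "eth2"),
    ("10.20.0.0/24", None, "eth3"),
    ("10.30.0.0/24", None, "eth0"),
    ("10.40.0.0/16", None, "eth1"),
]
# Table "eth3" as populated in step 2 of the answer
ETH3 = [("0.0.0.0/0", "10.20.0.1", "eth3")]


def lookup_table(table, dst):
    """Longest-prefix match inside one routing table; None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return None if best is None else (best[1], best[2])


def route(rules, src, dst):
    """Walk policy rules in priority order; the first table with a matching route wins."""
    src = ipaddress.ip_address(src)
    for _prio, selector, table in sorted(rules, key=lambda r: r[0]):
        if src in ipaddress.ip_network(selector):
            hit = lookup_table(table, dst)
            if hit is not None:
                return hit
    return None


# Priorities follow iproute2 defaults: the main table rule is 32766, and the
# first rule added without an explicit priority lands just before it (32765).
BEFORE = [(32766, "0.0.0.0/0", MAIN)]
AFTER = [(32765, "10.20.0.2/32", ETH3)] + BEFORE

if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        print(name, "10.20.0.2 -> 192.168.3.5:", route(rules, "10.20.0.2", "192.168.3.5"))
        print(name, "10.20.0.2 -> 10.20.0.1:", route(rules, "10.20.0.2", "10.20.0.1"))
```

On the real host, `ip route get 192.168.3.5 from 10.20.0.2` reports the kernel's actual decision and can be compared with the model before and after step 3.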
    

Answer 2

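From a separate network (192.168.3.5/24) I can reach this machine through the eth2 interface (the one with the default gateway), but not through the eth3 interface. I can ping the eth3 interface from the router on the same network (10.20.0.1) without any problem.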

It sounds like you are missing a route to 192.168.3.5/24 from the 10.30.0/24 subnet. You should add a network diagram and traceroutes for every network from each device.
