Using Ubuntu Server 20.04 as a router - clients have no internet


I am trying to set up an Ubuntu box as a small router. It has two NICs and is connected to a switch. I followed this guide: https://medium.com/@exesse/how-to-make-a-simple-router-gateway-from-ubuntu-server-18-04-lts-fd40b7bfec9

The server is connected to the internet and the DHCP server is working well: IP addresses are handed out to the client machines (Windows and Ubuntu) and I can SSH into the server. However, the clients cannot reach the internet. Let me post some information below.

Interfaces:

imarques@felix-cs:~$ ip -c a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp4s2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 00:08:a1:97:21:2e brd ff:ff:ff:ff:ff:ff
    inet 192.168.215.95/24 brd 192.168.215.255 scope global dynamic enp4s2
       valid_lft 63882sec preferred_lft 63882sec
    inet6 fe80::208:a1ff:fe97:212e/64 scope link 
       valid_lft forever preferred_lft forever
3: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:18:8b:16:a3:41 brd ff:ff:ff:ff:ff:ff
    inet 10.42.0.1/24 brd 10.42.0.255 scope global enp2s0
       valid_lft forever preferred_lft forever
    inet6 fe80::218:8bff:fe16:a341/64 scope link 
       valid_lft forever preferred_lft forever

enp4s2 carries the server's internet connection; enp2s0 is the NIC connected to the switch and should share the internet access with the clients.

Netplan:

imarques@felix-cs:~$ cat /etc/netplan/01-netcfg.yaml
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    enp4s2:
      dhcp4: yes
    enp2s0:
      dhcp4: no
      addresses: [10.42.0.1/24]

DHCP server:

imarques@felix-cs:~$ cat /etc/default/isc-dhcp-server 
# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)

# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf

# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
#DHCPDv4_PID=/var/run/dhcpd.pid
#DHCPDv6_PID=/var/run/dhcpd6.pid

# Additional options to start dhcpd with.
#   Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""

# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
#   Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="enp2s0"
INTERFACESv6=""

imarques@felix-cs:~$ cat /etc/dhcp/dhcpd.conf
default-lease-time 86400;
max-lease-time 86400;
option subnet-mask 255.255.255.0;
option broadcast-address 10.42.0.255;
authoritative;
subnet 10.42.0.0 netmask 255.255.255.0 {
  range 10.42.0.20 10.42.0.100;
  option routers 10.42.0.1;
  option domain-name-servers 10.42.0.1;
}

IP forwarding:

imarques@felix-cs:~$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

iptables rules:

imarques@felix-cs:~$ cat /etc/iptables/rules.v4 
# Generated by iptables-save v1.8.4 on Fri Nov 27 16:43:56 2020
*filter
:INPUT ACCEPT [195:13486]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [166:13592]
COMMIT
# Completed on Fri Nov 27 16:43:56 2020
# Generated by iptables-save v1.8.4 on Fri Nov 27 16:43:56 2020
*nat
:PREROUTING ACCEPT [21:2246]
:INPUT ACCEPT [9:1593]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o enp2s0 -j MASQUERADE
COMMIT
# Completed on Fri Nov 27 16:43:56 2020

This has been going on for several days now. I have looked around, but all the instructions seem similar. Any ideas?

######################################################

Edit (2020/12/15), with thanks to Doug Smythies:

Ping from the server:

imarques@felix-cs:~$ ping -c 4 www.sapo.pt
PING www.sapo.pt (213.13.146.142) 56(84) bytes of data.
64 bytes from sapo.pt (213.13.146.142): icmp_seq=1 ttl=242 time=14.9 ms
64 bytes from sapo.pt (213.13.146.142): icmp_seq=2 ttl=242 time=12.9 ms
64 bytes from sapo.pt (213.13.146.142): icmp_seq=3 ttl=242 time=13.5 ms
64 bytes from sapo.pt (213.13.146.142): icmp_seq=4 ttl=242 time=13.0 ms

--- www.sapo.pt ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 12.855/13.578/14.927/0.813 ms

imarques@felix-cs:~$ ping -c 4 213.13.146.142
PING 213.13.146.142 (213.13.146.142) 56(84) bytes of data.
64 bytes from 213.13.146.142: icmp_seq=1 ttl=242 time=13.4 ms
64 bytes from 213.13.146.142: icmp_seq=2 ttl=242 time=12.9 ms
64 bytes from 213.13.146.142: icmp_seq=3 ttl=242 time=12.9 ms
64 bytes from 213.13.146.142: icmp_seq=4 ttl=242 time=12.9 ms

--- 213.13.146.142 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 12.890/13.018/13.369/0.203 ms

Ping from the client:

imarques@client07:~$ ping -c 4 www.sapo.pt
ping: www.sapo.pt: Name or service not known

imarques@client07:~$ ping -c 4 213.13.146.142
PING 213.13.146.142 (213.13.146.142) 56(84) bytes of data.

--- 213.13.146.142 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3057ms

tcpdump produces a lot of output... I tried it while pinging the same IP from the client:

imarques@felix-cs:~$ sudo tcpdump -i enp4s2 | grep 10.42
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp4s2, link-type EN10MB (Ethernet), capture size 262144 bytes
10:40:31.865636 IP 10.42.0.94 > sapo.pt: ICMP echo request, id 21362, seq 1, length 64
10:40:32.866201 IP 10.42.0.94 > sapo.pt: ICMP echo request, id 21362, seq 2, length 64
10:40:33.890199 IP 10.42.0.94 > sapo.pt: ICMP echo request, id 21362, seq 3, length 64
10:40:34.914199 IP 10.42.0.94 > sapo.pt: ICMP echo request, id 21362, seq 4, length 64
10:40:35.938194 IP 10.42.0.94 > sapo.pt: ICMP echo request, id 21362, seq 5, length 64
10:40:36.962194 IP 10.42.0.94 > sapo.pt: ICMP echo request, id 21362, seq 6, length 64
10:40:37.986188 IP 10.42.0.94 > sapo.pt: ICMP echo request, id 21362, seq 7, length 64
10:40:39.010196 IP 10.42.0.94 > sapo.pt: ICMP echo request, id 21362, seq 8, length 64
10:40:40.034196 IP 10.42.0.94 > sapo.pt: ICMP echo request, id 21362, seq 9, length 64
10:40:41.058192 IP 10.42.0.94 > sapo.pt: ICMP echo request, id 21362, seq 10, length 64

iptables information:

imarques@felix-cs:~$ sudo iptables -t nat -xnvL
Chain PREROUTING (policy ACCEPT 15969 packets, 1077775 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 15501 packets, 1031506 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 1166 packets, 112828 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 1269 packets, 118672 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       2      120 MASQUERADE  all  --  *      enp2s0  0.0.0.0/0            0.0.0.0/0        
       
imarques@felix-cs:~$ sudo iptables -xnvL
Chain INPUT (policy ACCEPT 89829 packets, 4283290 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 1774 packets, 289508 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 159993 packets, 37244234 bytes)
    pkts      bytes target     prot opt in     out     source               destination    

Sorry, but I don't know how to check the MASQUERADE packet counter...

###########################################################################

Second edit (2020/12/15). Rebooted the server and the client.

While pinging 213.13.146.142 from the client (10.42.0.94):

imarques@felix-cs:~$ sudo iptables -t nat -xnvL
Chain PREROUTING (policy ACCEPT 2375 packets, 155967 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 2292 packets, 150880 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 25 packets, 1564 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 50 packets, 3008 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       1       60 MASQUERADE  all  --  *      enp2s0  0.0.0.0/0            0.0.0.0/0           
imarques@felix-cs:~$ sudo tcpdump -tttt -n -vvv -i  enp2s0 host 213.13.146.142
tcpdump: listening on enp2s0, link-type EN10MB (Ethernet), capture size 262144 bytes
2020-12-15 16:02:07.170117 IP (tos 0x0, ttl 64, id 13547, offset 0, flags [DF], proto ICMP (1), length 84)
    10.42.0.94 > 213.13.146.142: ICMP echo request, id 1625, seq 1, length 64
2020-12-15 16:02:08.176165 IP (tos 0x0, ttl 64, id 13620, offset 0, flags [DF], proto ICMP (1), length 84)
    10.42.0.94 > 213.13.146.142: ICMP echo request, id 1625, seq 2, length 64
2020-12-15 16:02:09.200188 IP (tos 0x0, ttl 64, id 13856, offset 0, flags [DF], proto ICMP (1), length 84)
    10.42.0.94 > 213.13.146.142: ICMP echo request, id 1625, seq 3, length 64
2020-12-15 16:02:10.224214 IP (tos 0x0, ttl 64, id 13971, offset 0, flags [DF], proto ICMP (1), length 84)
    10.42.0.94 > 213.13.146.142: ICMP echo request, id 1625, seq 4, length 64
2020-12-15 16:02:11.248242 IP (tos 0x0, ttl 64, id 14165, offset 0, flags [DF], proto ICMP (1), length 84)
    10.42.0.94 > 213.13.146.142: ICMP echo request, id 1625, seq 5, length 64
2020-12-15 16:02:12.272264 IP (tos 0x0, ttl 64, id 14275, offset 0, flags [DF], proto ICMP (1), length 84)
    10.42.0.94 > 213.13.146.142: ICMP echo request, id 1625, seq 6, length 64
2020-12-15 16:02:13.296286 IP (tos 0x0, ttl 64, id 14530, offset 0, flags [DF], proto ICMP (1), length 84)
    10.42.0.94 > 213.13.146.142: ICMP echo request, id 1625, seq 7, length 64
2020-12-15 16:02:14.320323 IP (tos 0x0, ttl 64, id 14641, offset 0, flags [DF], proto ICMP (1), length 84)
    10.42.0.94 > 213.13.146.142: ICMP echo request, id 1625, seq 8, length 64
2020-12-15 16:02:15.344341 IP (tos 0x0, ttl 64, id 14737, offset 0, flags [DF], proto ICMP (1), length 84)
    10.42.0.94 > 213.13.146.142: ICMP echo request, id 1625, seq 9, length 64
2020-12-15 16:02:16.368366 IP (tos 0x0, ttl 64, id 14801, offset 0, flags [DF], proto ICMP (1), length 84)
    10.42.0.94 > 213.13.146.142: ICMP echo request, id 1625, seq 10, length 64
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel
imarques@felix-cs:~$ sudo iptables -t nat -xnvL
Chain PREROUTING (policy ACCEPT 3198 packets, 210191 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 3081 packets, 203146 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 25 packets, 1564 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 58 packets, 3456 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       1       60 MASQUERADE  all  --  *      enp2s0  0.0.0.0/0            0.0.0.0/0           

Answer 1

Your NAT (Network Address Translation) rule is backwards.
This:

-A POSTROUTING -o enp2s0 -j MASQUERADE

should be:

-A POSTROUTING -o enp4s2 -j MASQUERADE

By the way, I assume your current iptables rule set is just a start and that eventually you will add some firewall-type stuff. Actually, since there must be another router between your server and the actual internet, it matters less.
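As an added example that is not part of the original question or answer: a small POSIX shell script that detects the mistake the answer points out (the MASQUERADE rule bound to the LAN interface rather than the WAN one), confirms it from a WAN-side capture, and emits a corrected rules.v4. The interface names are the ones from the question; the iptables-save, `ip route` and tcpdump text embedded below is constructed to mirror what was posted so the script runs offline, and the stateful FORWARD policy in the corrected ruleset is my choice, not something the thread specifies.

```sh
#!/bin/sh
# Added example, not from the original question or answer: check an
# iptables-save dump for the exact mistake in the thread (MASQUERADE on the
# LAN interface instead of the WAN one) and emit a corrected rules.v4.
# Interface names come from the question; the sample dumps below are
# constructed to mirror what was posted, so the script runs offline.

# Constructed: the nat table from the question's /etc/iptables/rules.v4.
RULES_V4='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o enp2s0 -j MASQUERADE
COMMIT'

# Constructed: what `ip route` would print on the server (default via enp4s2).
ROUTES='default via 192.168.215.1 dev enp4s2 proto dhcp src 192.168.215.95 metric 100
10.42.0.0/24 dev enp2s0 proto kernel scope link src 10.42.0.1
192.168.215.0/24 dev enp4s2 proto kernel scope link src 192.168.215.95 metric 100'

# Constructed: two lines of `tcpdump -n -i enp4s2`, mirroring the question's
# capture, in which the client's private address leaves the WAN side un-NATed.
TCPDUMP_WAN='10:40:31.865636 IP 10.42.0.94 > 213.13.146.142: ICMP echo request, id 21362, seq 1, length 64
10:40:32.866201 IP 10.42.0.94 > 213.13.146.142: ICMP echo request, id 21362, seq 2, length 64'

# wan_iface ROUTE_DUMP: the interface of the default route.
wan_iface() {
  printf '%s\n' "$1" | awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# masq_iface RULES: the -o interface of the first POSTROUTING MASQUERADE rule.
masq_iface() {
  printf '%s\n' "$1" | awk '/^-A POSTROUTING/ && /MASQUERADE/ { for (i = 1; i <= NF; i++) if ($i == "-o") { print $(i + 1); exit } }'
}

# check_nat RULES WAN: prints "ok" when MASQUERADE is applied on the WAN
# interface, "missing" when there is no MASQUERADE rule, else "backwards: ...".
check_nat() {
  m=$(masq_iface "$1")
  if [ -z "$m" ]; then
    echo missing
    return 1
  fi
  if [ "$m" = "$2" ]; then
    echo ok
    return 0
  fi
  echo "backwards: MASQUERADE on $m, WAN is $2"
  return 1
}

# leaked_private_src CAPTURE: number of packets in a WAN-side tcpdump whose
# source is an RFC 1918 address. Anything above zero means NAT is not
# rewriting the LAN clients' traffic on the way out, which is what the
# question's capture on enp4s2 shows.
leaked_private_src() {
  printf '%s\n' "$1" | awk '$2 == "IP" {
      src = $3
      if (src ~ /^10\./ || src ~ /^192\.168\./ || src ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) n++
    } END { print n + 0 }'
}

# corrected_rules WAN LAN: a rules.v4 with MASQUERADE on the WAN side and a
# stateful FORWARD chain (my policy choice, not the thread's): the LAN may
# initiate towards the WAN, only replies come back in, everything else drops.
corrected_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $2 -o $1 -j ACCEPT
-A FORWARD -i $1 -o $2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Stand-alone run against the constructed samples.
WAN=$(wan_iface "$ROUTES")
check_nat "$RULES_V4" "$WAN" || true
echo "private sources seen on $WAN: $(leaked_private_src "$TCPDUMP_WAN")"
```

On a real box the same functions would be fed `sudo iptables-save -t nat`, `ip route` and a short `tcpdump -n -i <wan>` capture instead of the constructed strings; the output of `corrected_rules` can be loaded with `iptables-restore` and persisted to /etc/iptables/rules.v4 once it has been reviewed. The FORWARD policy of DROP is the "firewall-type stuff" the answer alludes to: with the posted default of ACCEPT, anything that reaches the box with a route through it is forwarded.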
