Linux

無法在非預設界面上 ping 多宿主 Linux 機器

  • January 29, 2015

我有一個帶有一組介面的多宿主 Ubuntu 伺服器,其中包括:

eth2: 10.10.0.131/24
eth3: 10.20.0.2/24

預設介面為 eth2,網關為 10.10.0.1。路由表如下所示:

root@c220-1:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.10.0.1       0.0.0.0         UG        0 0          0 eth2
10.10.0.0       0.0.0.0         255.255.255.0   U         0 0          0 eth2
10.20.0.0       0.0.0.0         255.255.255.0   U         0 0          0 eth3
10.30.0.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.40.0.0       0.0.0.0         255.255.0.0     U         0 0          0 eth1

從一個單獨的網路 ( 192.168.3.5/24) 我可以通過 eth2 介面(具有預設網關的那個)訪問這台機器,但不能通過 eth3 介面。我可以毫無問題地從同一網路(10.20.0.1)上的路由器 ping eth3 介面。

如果我從 192.168.3.5 ping 10.10.0.131,數據包會到達機器,但它不會發送任何回复:

c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 98: 192.168.3.5 > 10.20.0.2: ICMP echo request, id 5451, seq 0, length 64
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 98: 192.168.3.5 > 10.20.0.2: ICMP echo request, id 5451, seq 1, length 64
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 98: 192.168.3.5 > 10.20.0.2: ICMP echo request, id 5451, seq 2, length 64
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 98: 192.168.3.5 > 10.20.0.2: ICMP echo request, id 5451, seq 3, length 64
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 98: 192.168.3.5 > 10.20.0.2: ICMP echo request, id 5451, seq 4, length 64
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 98: 192.168.3.5 > 10.20.0.2: ICMP echo request, id 5451, seq 5, length 64
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 98: 192.168.3.5 > 10.20.0.2: ICMP echo request, id 5451, seq 6, length 64
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 98: 192.168.3.5 > 10.20.0.2: ICMP echo request, id 5451, seq 7, length 64

如果我從同一網路上的路由器 (10.20.0.1) ping,伺服器會正確回复:

c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 114: 10.20.0.1 > 10.20.0.2: ICMP echo request, id 28899, seq 2932, length 80
73:10:73:e4:10:06 > c4:c8:80:90:22:eb, IPv4, length 114: 10.20.0.2 > 10.20.0.1: ICMP echo reply, id 28899, seq 2932, length 80
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 114: 10.20.0.1 > 10.20.0.2: ICMP echo request, id 28899, seq 2932, length 80
73:10:73:e4:10:06 > c4:c8:80:90:22:eb, IPv4, length 114: 10.20.0.2 > 10.20.0.1: ICMP echo reply, id 28899, seq 2932, length 80
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 114: 10.20.0.1 > 10.20.0.2: ICMP echo request, id 28899, seq 2932, length 80
73:10:73:e4:10:06 > c4:c8:80:90:22:eb, IPv4, length 114: 10.20.0.2 > 10.20.0.1: ICMP echo reply, id 28899, seq 2932, length 80
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 114: 10.20.0.1 > 10.20.0.2: ICMP echo request, id 28899, seq 2932, length 80
73:10:73:e4:10:06 > c4:c8:80:90:22:eb, IPv4, length 114: 10.20.0.2 > 10.20.0.1: ICMP echo reply, id 28899, seq 2932, length 80
c4:c8:80:90:22:eb > 73:10:73:e4:10:06, IPv4, length 114: 10.20.0.1 > 10.20.0.2: ICMP echo request, id 28899, seq 2932, length 80
73:10:73:e4:10:06 > c4:c8:80:90:22:eb, IPv4, length 114: 10.20.0.2 > 10.20.0.1: ICMP echo reply, id 28899, seq 2932, length 80

請注意,根據這個類似問題中的答案,我在所有介面上都關閉了 rp_filter,但這並不能解決問題:

$ for i in eth0 eth1 eth2 eth3 all default
> do
> cat /proc/sys/net/ipv4/conf/$i/rp_filter
> done
0
0
0
0
0
0

問題是,由於預設路由是通過 eth2,即使請求是在 eth3 上收到的,ping 響應也會通過 eth2 發送。(如果您使用 tcpdump eth2,您應該會看到正在發送的響應。)可能有一些設備正在丟棄數據包,因為它們所在網路的源 IP 無效。您需要一些源策略路由才能將響應發送到接收它們的介面。

  1. 創建一個新的路由表(只需要做一次):
echo 13 eth3 >> /etc/iproute2/rt_tables
  1. 為這個新表添加一條預設路由到 eth3:
ip route add default via 10.20.0.1 table eth3
  1. 添加策略規則以將此新表用於源地址為 eth3 的 IP 的數據包:
ip rule add from 10.20.0.2 lookup eth3

引用自:https://serverfault.com/questions/487891

相關問答

Linux

Linux 路由器 - 如何向 LAN 客戶端發送 icmp 不可達消息

  • September 4, 2011
檢視問答
Linux

為什麼網路堆棧忽略來自非預設介面的 icmp 回复?

  • October 23, 2009
檢視問答
Linux

Linux充當路由器 - 埠轉發

  • July 21, 2021
檢視問答
Linux

設置與我的網關不同的地址

  • June 15, 2021
檢視問答
Linux

RTNETLINK 回答:高山路由器中存在文件

  • May 21, 2021
檢視問答
Linux

linux上兩個網路之間的路由?

  • March 24, 2021
檢視問答