Networking

CentOS masquerading network with iptables: client not connecting, cannot ping

  • December 10, 2013

I am a novice sysadmin working on a setup with a CentOS server that masquerades traffic for client machines also running CentOS. Something in the tables got messed up, and my clients no longer have internet connectivity.

I'm trying to get ping requests working as a first step and have identified where the traffic fails, but I don't know the configuration well enough to know what to do next. For a more experienced sysadmin, would a quick look over my tables reveal anything out of the ordinary?


Ping fails.

  1. Server:

     IP=98.139.183.24 ; _ tcpdump -i any "dst host $IP or src host $IP"

  2. Client:

     » IP=98.139.183.24; ping $IP
     PING 98.139.183.24 (98.139.183.24) 56(84) bytes of data

  3. Server:

For normal operation I would expect to see replies here, which makes me suspect a problem with the iptables configuration on the master node.

Note: b6 maps to 10.0.2.6 in /etc/hosts

» IP=98.139.183.24 ; _ tcpdump -i any "dst host $IP or src host $IP"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
20:07:38.553547 IP b6 > ir2.fp.vip.bf1.yahoo.com: ICMP echo request, id 3120, seq 1, length 64
20:07:38.553580 IP b6 > ir2.fp.vip.bf1.yahoo.com: ICMP echo request, id 3120, seq 1, length 64
20:07:39.552969 IP b6 > ir2.fp.vip.bf1.yahoo.com: ICMP echo request, id 3120, seq 2, length 64
20:07:39.552983 IP b6 > ir2.fp.vip.bf1.yahoo.com: ICMP echo request, id 3120, seq 2, length 64
20:07:40.552963 IP b6 > ir2.fp.vip.bf1.yahoo.com: ICMP echo request, id 3120, seq 3, length 64
20:07:40.552975 IP b6 > ir2.fp.vip.bf1.yahoo.com: ICMP echo request, id 3120, seq 3, length 64
^C
6 packets captured
6 packets received by filter

Configuration.

Note: I have edited this to the configuration that works for me, in case it helps anyone with the same problem in the future.

Server.

ip addr

~ » ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
   inet 127.0.0.1/8 scope host lo
   inet6 ::1/128 scope host 
      valid_lft forever preferred_lft forever
2: p2p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
   link/ether 90:e2:ba:21:b8:10 brd ff:ff:ff:ff:ff:ff
   inet 10.0.1.0/8 brd 10.255.255.255 scope global p2p1
   inet6 fe80::92e2:baff:fe21:b810/64 scope link 
      valid_lft forever preferred_lft forever
3: p2p2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
   link/ether 90:e2:ba:21:b8:11 brd ff:ff:ff:ff:ff:ff
   inet <ext IP>/24 brd <ext ip prefix>.255 scope global p2p2
   inet6 2001:468:c80:2106:92e2:baff:fe21:b811/64 scope global dynamic 
      valid_lft 2591809sec preferred_lft 604609sec
   inet6 fe80::92e2:baff:fe21:b811/64 scope link 
      valid_lft forever preferred_lft forever
4: p2p3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN qlen 1000
   link/ether 90:e2:ba:21:b8:14 brd ff:ff:ff:ff:ff:ff
5: p2p4: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN qlen 1000
   link/ether 90:e2:ba:21:b8:15 brd ff:ff:ff:ff:ff:ff
6: em1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN qlen 1000
   link/ether d4:ae:52:99:8c:29 brd ff:ff:ff:ff:ff:ff
7: em2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN qlen 1000
   link/ether d4:ae:52:99:8c:2a brd ff:ff:ff:ff:ff:ff

ip route

~ » ip route
<ext ip prefix>.0/24 dev p2p2  proto kernel  scope link  src <ext ip>
<prefix 1>.0.0/16 dev p2p1  scope link  metric 1002 
<prefix 1>.0.0/16 dev p2p2  scope link  metric 1003 
10.0.0.0/8 dev p2p1  proto kernel  scope link  src 10.0.1.0 
default via <ext ip prefix>.1 dev p2p2  proto static

iptables.

~ » _ iptables -t filter -L -v -n
Chain INPUT (policy ACCEPT 3715K packets, 531M bytes)
pkts bytes target     prot opt in     out     source               destination         
 76M  111G fail2ban-SSH  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 
151M  183G ACCEPT     all  --  p2p2   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
 38M 6612M ACCEPT     all  --  p2p1   *       0.0.0.0/0            0.0.0.0/0           
1604K  101M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
1923  142K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
   0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
755K   62M ACCEPT     all  --  p2p1   p2p2    0.0.0.0/0            0.0.0.0/0           
   0     0 ACCEPT     all  --  p2p2   p2p1    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
   0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 171M packets, 35G bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain fail2ban-SSH (1 references)
pkts bytes target     prot opt in     out     source               destination         
 76M  111G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0 

 ~ » _ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 1733K packets, 974M bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 1722K packets, 973M bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 10956 packets, 892K bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 1989K packets, 201M bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 2001K packets, 202M bytes)
pkts bytes target     prot opt in     out     source               destination     

~ » _ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 26992 packets, 6507K bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 10234 packets, 954K bytes)
pkts bytes target     prot opt in     out     source               destination         
532K   54M  MASQUERADE  all  --  *      p2p2       10.0.0.0/8           0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 3229 packets, 394K bytes)
pkts bytes target     prot opt in     out     source               destination

ip_forward: yes

» cat /proc/sys/net/ipv4/ip_forward
1

» cat /etc/sysctl.conf | grep ip_forward
net.ipv4.ip_forward = 1

Client: 10.0.2.6

ip addr

~ » ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
   inet 127.0.0.1/8 scope host lo
   inet6 ::1/128 scope host 
      valid_lft forever preferred_lft forever
2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
   link/ether 18:03:73:0d:89:15 brd ff:ff:ff:ff:ff:ff
   inet 10.0.2.6/8 brd 10.0.0.255 scope global em1
   inet6 fe80::1a03:73ff:fe0d:8915/64 scope link 
      valid_lft forever preferred_lft forever
3: em2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
   link/ether 18:03:73:0d:89:17 brd ff:ff:ff:ff:ff:ff

ip route.

~ » ip route
<prefix 1>.0.0/16 dev em1  scope link  metric 1002 
10.0.0.0/8 dev em1  proto kernel  scope link  src 10.0.2.6 
default via 10.0.1.0 dev em1

iptables.

» _ iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
~ » _ iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
~ » _ iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

From the tcpdump output, the packets are being forwarded to the destination but no replies come back. That is not surprising, because the rule in your POSTROUTING chain is broken:

Chain POSTROUTING (policy ACCEPT 10234 packets, 954K bytes)
pkts bytes target     prot opt in     out     source               destination         
532K   54M            all  --  *      *       10.0.0.0/8           0.0.0.0/0 

The rule's target is missing. It should be "SNAT" or "MASQUERADE". Without it, the packets' source address is not rewritten, so the server being pinged replies to 10.0.2.6 (not routable) instead of to the server's IP.
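As an added example, not code from the question or the answer: a shell audit that parses the text of `iptables -t nat -L -v -n`, fed here with listings constructed from this page, and reports POSTROUTING rules whose jump target is missing (the answer's diagnosis) or whose NAT rule is not bound to an egress interface. It assumes the standard `-L -v -n` column layout; the finding names (MISSING_TARGET, UNBOUND_OUT_IFACE, NO_NAT_RULE) are invented for the example.

```shell
#!/bin/sh
# Added example, not from the question or answer: audit the text of
# `iptables -t nat -L -v -n` for the defect the answer describes (a
# POSTROUTING rule with no jump target) and for a related weak setting
# (a NAT rule not pinned to the external interface).
# Assumed column layout: pkts bytes target prot opt in out source destination.

# Constructed sample: the broken rule quoted in the answer (target empty).
BROKEN_NAT_LISTING='Chain PREROUTING (policy ACCEPT 26992 packets, 6507K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 10234 packets, 954K bytes)
 pkts bytes target     prot opt in     out     source               destination
 532K   54M            all  --  *      *       10.0.0.0/8           0.0.0.0/0

Chain OUTPUT (policy ACCEPT 3229 packets, 394K bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Constructed sample: the working rule from the question, bound to p2p2.
FIXED_NAT_LISTING='Chain POSTROUTING (policy ACCEPT 10234 packets, 954K bytes)
 pkts bytes target     prot opt in     out     source               destination
 532K   54M MASQUERADE  all  --  *      p2p2    10.0.0.0/8           0.0.0.0/0'

# audit_postrouting LISTING
# Prints one finding per line; prints nothing when the chain looks sane.
audit_postrouting() {
    printf '%s\n' "$1" | awk '
        /^Chain /              { in_chain = ($2 == "POSTROUTING"); next }
        !in_chain || NF == 0   { next }
        $1 == "pkts"           { next }   # column header
        # With the target missing, the protocol shifts into column 3 and
        # the line has only 8 fields: source is $7, destination is $8.
        $3 ~ /^(all|tcp|udp|icmp)$/ {
            print "MISSING_TARGET src=" $7 " dst=" $8
            next
        }
        $3 == "MASQUERADE" || $3 == "SNAT" {
            nat_rules++
            # out interface is $7 when a target is present; "*" masquerades
            # on every interface, including the internal one.
            if ($7 == "*") print "UNBOUND_OUT_IFACE target=" $3 " src=" $8
        }
        END { if (nat_rules == 0) print "NO_NAT_RULE" }
    '
}

audit_postrouting "$BROKEN_NAT_LISTING"
```

A rule that passes both checks has the shape the question's working configuration ends up with: source 10.0.0.0/8, out interface p2p2, target MASQUERADE.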

Source: https://serverfault.com/questions/558332