There are three machines, A, B and C: A is 10.167.72.3, B is 10.154.2.200 and C is 10.154.2.234. Originally A could ssh into both B and C. Now B can reach the internet and C cannot, so I want B to act as C's gateway and forward its traffic. B was configured as follows:

```
vi /etc/sysctl.conf
net.ipv4.ip_forward=1
# forward the internal traffic
firewall-cmd --add-masquerade --permanent
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o em1 -j MASQUERADE -s 10.154.2.0/24
# allow DNS; without this the internet is reachable only by IP
firewall-cmd --zone=public --permanent --add-port=53/udp
firewall-cmd --zone=public --permanent --add-port=53/tcp
firewall-cmd --reload
```

After changing C's gateway from 10.154.2.1 to 10.154.2.200, A can ping C but cannot ssh into it; I can only ssh into B first and then into C from there. A also cannot reach C's http service, although B can. How should I troubleshoot this?
1
CnpPt 2022-12-28 17:22:59 +08:00
"A can ping C but cannot ssh in": how about capturing with tcpdump and taking a look?
2
A01514035 OP On machine C I ran `python3 -m http.server` together with sudo tcpdump -i eno1 -nn port 8000.
Access from B (10.154.2.200), the gateway machine, to C (10.154.2.234) works normally; the capture shows:

```
17:35:18.319189 IP 10.154.2.200.57190 > 10.154.2.234.8000: Flags [S], seq 1022809144, win 29200, options [mss 1460,sackOK,TS val 4086006647 ecr 0,nop,wscale 7], length 0
17:35:18.319234 IP 10.154.2.234.8000 > 10.154.2.200.57190: Flags [S.], seq 499408436, ack 1022809145, win 65160, options [mss 1460,sackOK,TS val 2485038435 ecr 4086006647,nop,wscale 7], length 0
17:35:18.319388 IP 10.154.2.200.57190 > 10.154.2.234.8000: Flags [.], ack 1, win 229, options [nop,nop,TS val 4086006647 ecr 2485038435], length 0
17:35:18.319489 IP 10.154.2.200.57190 > 10.154.2.234.8000: Flags [P.], seq 1:83, ack 1, win 229, options [nop,nop,TS val 4086006647 ecr 2485038435], length 82
17:35:18.319502 IP 10.154.2.234.8000 > 10.154.2.200.57190: Flags [.], ack 83, win 509, options [nop,nop,TS val 2485038435 ecr 4086006647], length 0
17:35:18.321021 IP 10.154.2.234.8000 > 10.154.2.200.57190: Flags [P.], seq 1:157, ack 83, win 509, options [nop,nop,TS val 2485038436 ecr 4086006647], length 156
17:35:18.321059 IP 10.154.2.234.8000 > 10.154.2.200.57190: Flags [.], seq 157:1605, ack 83, win 509, options [nop,nop,TS val 2485038436 ecr 4086006647], length 1448
17:35:18.321103 IP 10.154.2.234.8000 > 10.154.2.200.57190: Flags [FP.], seq 1605:1814, ack 83, win 509, options [nop,nop,TS val 2485038436 ecr 4086006647], length 209
17:35:18.321222 IP 10.154.2.200.57190 > 10.154.2.234.8000: Flags [.], ack 157, win 237, options [nop,nop,TS val 4086006649 ecr 2485038436], length 0
17:35:18.321222 IP 10.154.2.200.57190 > 10.154.2.234.8000: Flags [.], ack 1815, win 263, options [nop,nop,TS val 4086006649 ecr 2485038436], length 0
17:35:18.321884 IP 10.154.2.200.57190 > 10.154.2.234.8000: Flags [F.], seq 83, ack 1815, win 263, options [nop,nop,TS val 4086006649 ecr 2485038436], length 0
17:35:18.321904 IP 10.154.2.234.8000 > 10.154.2.200.57190: Flags [.], ack 84, win 509, options [nop,nop,TS val 2485038437 ecr 4086006649], length 0
```

Access from A (10.167.72.3) gets no response and just hangs; the capture shows:

```
17:35:33.596370 IP 10.167.72.3.50474 > 10.154.2.234.8000: Flags [SEW], seq 2154563866, win 65535, options [mss 1360,nop,wscale 6,nop,nop,TS val 3273571770 ecr 0,sackOK,eol], length 0
17:35:33.596411 IP 10.154.2.234.8000 > 10.167.72.3.50474: Flags [S.E], seq 3472988495, ack 2154563867, win 65160, options [mss 1460,sackOK,TS val 3860178821 ecr 3273571770,nop,wscale 7], length 0
17:35:34.596902 IP 10.167.72.3.50474 > 10.154.2.234.8000: Flags [S], seq 2154563866, win 65535, options [mss 1360,nop,wscale 6,nop,nop,TS val 3273572771 ecr 0,sackOK,eol], length 0
17:35:34.596934 IP 10.154.2.234.8000 > 10.167.72.3.50474: Flags [S.E], seq 3472988495, ack 2154563867, win 65160, options [mss 1460,sackOK,TS val 3860179821 ecr 3273571770,nop,wscale 7], length 0
17:35:35.598628 IP 10.167.72.3.50474 > 10.154.2.234.8000: Flags [S], seq 2154563866, win 65535, options [mss 1360,nop,wscale 6,nop,nop,TS val 3273573772 ecr 0,sackOK,eol], length 0
17:35:35.598658 IP 10.154.2.234.8000 > 10.167.72.3.50474: Flags [S.E], seq 3472988495, ack 2154563867, win 65160, options [mss 1460,sackOK,TS val 3860180823 ecr 3273571770,nop,wscale 7], length 0
17:35:36.599368 IP 10.167.72.3.50474 > 10.154.2.234.8000: Flags [S], seq 2154563866, win 65535, options [mss 1360,nop,wscale 6,nop,nop,TS val 3273574774 ecr 0,sackOK,eol], length 0
17:35:36.599397 IP 10.154.2.234.8000 > 10.167.72.3.50474: Flags [S.E], seq 3472988495, ack 2154563867, win 65160, options [mss 1460,sackOK,TS val 3860181824 ecr 3273571770,nop,wscale 7], length 0
17:35:37.603445 IP 10.154.2.234.8000 > 10.167.72.3.50474: Flags [S.E], seq 3472988495, ack 2154563867, win 65160, options [mss 1460,sackOK,TS val 3860182828 ecr 3273571770,nop,wscale 7], length 0
17:35:37.606353 IP 10.167.72.3.50474 > 10.154.2.234.8000: Flags [S], seq 2154563866, win 65535, options [mss 1360,nop,wscale 6,nop,nop,TS val 3273575774 ecr 0,sackOK,eol], length 0
17:35:37.606382 IP 10.154.2.234.8000 > 10.167.72.3.50474: Flags [S.E], seq 3472988495, ack 2154563867, win 65160, options [mss 1460,sackOK,TS val 3860182831 ecr 3273571770,nop,wscale 7], length 0
17:35:38.606193 IP 10.167.72.3.50474 > 10.154.2.234.8000: Flags [S], seq 2154563866, win 65535, options [mss 1360,nop,wscale 6,nop,nop,TS val 3273576774 ecr 0,sackOK,eol], length 0
17:35:38.606224 IP 10.154.2.234.8000 > 10.167.72.3.50474: Flags [S.E], seq 3472988495, ack 2154563867, win 65160, options [mss 1460,sackOK,TS val 3860183831 ecr 3273571770,nop,wscale 7], length 0
17:35:40.611531 IP 10.154.2.234.8000 > 10.167.72.3.50474: Flags [S.E], seq 3472988495, ack 2154563867, win 65160, options [mss 1460,sackOK,TS val 3860185836 ecr 3273571770,nop,wscale 7], length 0
17:35:44.739471 IP 10.154.2.234.8000 > 10.167.72.3.50474: Flags [S.E], seq 3472988495, ack 2154563867, win 65160, options [mss 1460,sackOK,TS val 3860189964 ecr 3273571770,nop,wscale 7], length 0
17:35:52.931435 IP 10.154.2.234.8000 > 10.167.72.3.50474: Flags [S.E], seq 3472988495, ack 2154563867, win 65160, options [mss 1460,sackOK,TS val 3860198156 ecr 3273571770,nop,wscale 7], length 0
17:36:09.059518 IP 10.154.2.234.8000 > 10.167.72.3.50474: Flags [S.E], seq 3472988495, ack 2154563867, win 65160, options [mss 1460,sackOK,TS val 3860214284 ecr 3273571770,nop,wscale 7], length 0
```
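To make the reading of the second capture mechanical (every SYN reaches C and is answered, but the SYN-ACK is retransmitted and never acknowledged, so the return path is what is broken), here is an added Python example that is not from the thread or any poster: it parses tcpdump lines of the shape shown above and classifies each TCP flow as established or half-open. The sample lines are constructed from the two captures with the TCP options trimmed.

```python
import re
from collections import defaultdict

# Matches tcpdump's default TCP summary line (same shape as the captures above).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_line(line):
    """Return addressing fields and TCP flags of one tcpdump line, or None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def analyze(lines):
    """Classify each flow as 'established' or 'half-open'; half-open means the server
    kept retransmitting SYN-ACK and no ACK ever came back, i.e. the reply path is broken."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": False, "client": None})
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        src, dst = (p["src"], int(p["sport"])), (p["dst"], int(p["dport"]))
        f, flags = flows[tuple(sorted([src, dst]))], p["flags"]  # one key for both directions
        if "S" in flags and "." not in flags:      # SYN: client opens the connection
            f["syn"] += 1
            f["client"] = src
        elif "S" in flags:                         # SYN-ACK (S.): server answers
            f["synack"] += 1
        elif "." in flags and src == f["client"]:  # third-step ACK or later client segment
            f["ack"] = True
    result = {}
    for (a, b), f in flows.items():
        c = f["client"] or a
        s = b if c == a else a
        verdict = "established" if f["ack"] else "half-open"
        result[f"{c[0]}:{c[1]} -> {s[0]}:{s[1]}"] = (verdict, f["syn"], f["synack"])
    return result

# Constructed sample lines mirroring the two captures in the thread (options trimmed).
SAMPLE = """\
17:35:18.319189 IP 10.154.2.200.57190 > 10.154.2.234.8000: Flags [S], seq 1022809144, win 29200, length 0
17:35:18.319234 IP 10.154.2.234.8000 > 10.154.2.200.57190: Flags [S.], seq 499408436, ack 1022809145, win 65160, length 0
17:35:18.319388 IP 10.154.2.200.57190 > 10.154.2.234.8000: Flags [.], ack 1, win 229, length 0
17:35:33.596370 IP 10.167.72.3.50474 > 10.154.2.234.8000: Flags [SEW], seq 2154563866, win 65535, length 0
17:35:33.596411 IP 10.154.2.234.8000 > 10.167.72.3.50474: Flags [S.E], seq 3472988495, ack 2154563867, win 65160, length 0
17:35:34.596902 IP 10.167.72.3.50474 > 10.154.2.234.8000: Flags [S], seq 2154563866, win 65535, length 0
17:35:34.596934 IP 10.154.2.234.8000 > 10.167.72.3.50474: Flags [S.E], seq 3472988495, ack 2154563867, win 65160, length 0
""".splitlines()
```

Running `analyze(SAMPLE)` reports the B flow as established and the A flow as half-open with two SYNs and two unacknowledged SYN-ACKs; on a real capture pipe `tcpdump -nn port 8000` into it line by line.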
3
Insa 2022-12-28 20:42:40 +08:00
Just use iptables directly; try this: https://blog.51cto.com/u_11451275/3225436
4
defunct9 2022-12-28 21:11:22 +08:00 via iPhone
Open up ssh and let me log in and take a look.
8
Insa 2022-12-28 22:05:37 +08:00
9
A01514035 OP @Insa #8 Right, machine C (the one whose gateway was changed) can reach the internet. But machine A, which is on the same 10.x LAN, could reach C directly before, and after the change it can only reach C through machine B (the gateway). C itself works without any problem. A can still ping C afterwards, but it can neither reach C's http service nor ssh directly into C.
11
defunct9 2022-12-29 08:12:43 +08:00 via iPhone
Turn off the firewall on B and enable only packet forwarding.
12
julyclyde 2022-12-29 08:45:05 +08:00
A guess:
asymmetric routing, rp_filter
13
qakito 2022-12-29 09:53:24 +08:00
The topology is presumably something like A(10.167.72.3) <----> (10.167.x.x) gateway (10.168.x.x) <---> (10.168.x.x)B(10.154.2.200) <-->(10.154.2.234)C, right?
Once you enabled NAT on machine B, machine C's address is no longer visible to A.
15
basncy 2022-12-29 22:51:10 +08:00
After C changed its gateway, A can ping C but TCP does not get through, because a ping packet carries only a source and a destination address, whereas a TCP packet is a 5-tuple.
You don't know how the original gateway of A and C handles ping and TCP. If C's original gateway does hairpin NAT, the return packets will never reach A. The forward path you expect: A -> A's gateway -> B -> C. The actual forward path: A -> A's gateway -> C's original gateway -> C
16
A01514035 OP Solved. The reason is that I needed to add a route on the machine whose gateway was changed, i.e. on machine C:
ip route add 10.0.0.0/8 via 10.154.2.1
Details here: https://blog.hifool.cn/posts/centos-gateway/