Accepted
Neppomuk
Asked: 2023-07-30 23:37:28 +0800 CST

iptables: IP forwarding works only for ping. Why?

  • 772

After reinstalling OpenSuSE Leap 15.5 on a SOHO server that acts as a firewall, the computers on the internal network (169.254.164.0/24) cannot reach any host on the Internet except by ping. No meaningful traffic, not even DNS, works.

One of the server's NICs (eth0) is attached to the DSL router, while eth1 is connected to the switch of the internal network. IPv4 forwarding is enabled: net.ipv4.ip_forward = 1

This is the server's network configuration:

valen:~ # ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 14:dd:a9:d4:1e:70 brd ff:ff:ff:ff:ff:ff
    altname enp2s0
    inet 192.168.178.41/24 brd 192.168.178.255 scope global eth0
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 14:dd:a9:d4:1e:71 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    inet 169.254.164.1/24 brd 169.254.164.255 scope global eth1
       valid_lft forever preferred_lft forever

valen:~ # ip route show
default via 192.168.178.1 dev eth0 proto dhcp
169.254.164.0/24 dev eth1 proto kernel scope link src 169.254.164.1
192.168.178.0/24 dev eth0 proto kernel scope link src 192.168.178.41

valen:~ # iptables -t nat -nv -L >> netconfig.txt
Chain PREROUTING (policy ACCEPT 41 packets, 2456 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 12 packets, 909 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   909 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 LOG         all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 7 prefix "MASQUERADE: "

valen:~ # iptables -L -v
Chain INPUT (policy ACCEPT 496 packets, 40562 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 36 packets, 2276 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  eth0   any     anywhere             anywhere             LOG level debug prefix "FORWARD: "
   36  2276 LOG        all  --  eth1   any     anywhere             anywhere             LOG level debug prefix "FORWARD: "

Chain OUTPUT (policy ACCEPT 307 packets, 43133 bytes)
 pkts bytes target     prot opt in     out     source               destination

valen:~ # dmesg | grep MASQUERADE | tail -25
[ 5040.328157] x_tables: ip_tables: MASQUERADE target: used from hooks PREROUTING, but only usable from POSTROUTING

valen:~ # iptables-save -c
# Generated by iptables-save v1.8.7 on Sun Jul 30 22:21:59 2023
*nat
:PREROUTING ACCEPT [271:12228]
:INPUT ACCEPT [3:180]
:OUTPUT ACCEPT [188:13601]
:POSTROUTING ACCEPT [0:0]
[188:13601] -A POSTROUTING -o eth0 -j MASQUERADE
[0:0] -A POSTROUTING -o eth0 -j LOG --log-prefix "MASQUERADE: " --log-level 7
COMMIT
# Completed on Sun Jul 30 22:21:59 2023
# Generated by iptables-save v1.8.7 on Sun Jul 30 22:21:59 2023
*mangle
:PREROUTING ACCEPT [1055426:82517132]
:INPUT ACCEPT [1055140:82499096]
:FORWARD ACCEPT [286:18036]
:OUTPUT ACCEPT [197144:2649496105]
:POSTROUTING ACCEPT [197178:2649498961]
COMMIT
# Completed on Sun Jul 30 22:21:59 2023
# Generated by iptables-save v1.8.7 on Sun Jul 30 22:21:59 2023
*raw
:PREROUTING ACCEPT [1055426:82517132]
:OUTPUT ACCEPT [197145:2649496485]
COMMIT
# Completed on Sun Jul 30 22:21:59 2023
# Generated by iptables-save v1.8.7 on Sun Jul 30 22:21:59 2023
*security
:INPUT ACCEPT [1054928:82491464]
:FORWARD ACCEPT [34:2856]
:OUTPUT ACCEPT [197146:2649496917]
COMMIT
# Completed on Sun Jul 30 22:21:59 2023
# Generated by iptables-save v1.8.7 on Sun Jul 30 22:21:59 2023
*filter
:INPUT ACCEPT [129181:24309644]
:FORWARD ACCEPT [96:5856]
:OUTPUT ACCEPT [95693:121943383]
[0:0] -A FORWARD -i eth0 -j LOG --log-prefix "FORWARD: " --log-level 7
[96:5856] -A FORWARD -i eth1 -j LOG --log-prefix "FORWARD: " --log-level 7
COMMIT
# Completed on Sun Jul 30 22:21:59 2023

One of the clients is set up as follows:

╭─jacek@epica ~
╰─➤ ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether b4:2e:99:c6:e9:9f brd ff:ff:ff:ff:ff:ff
    altname enp7s0
    inet 169.254.164.5/24 brd 169.254.164.255 scope global eth0
       valid_lft forever preferred_lft forever
╭─jacek@epica ~
╰─➤ ip route show
default via 169.254.164.1 dev eth0
169.254.164.0/24 dev eth0 proto kernel scope link src 169.254.164.5

I can ping any external host (e.g. 8.8.8.8) from the client, but nothing else works, not even DNS queries. The syslog on the server then shows the outgoing traffic, but no incoming traffic at all:

[12810.381486] FORWARD: IN=eth1 OUT=eth0 MAC=14:dd:a9:d4:1e:71:b4:2e:99:c6:e9:9f:08:00 SRC=169.254.164.5 DST=8.8.8.8 LEN=57 TOS=0x00 PREC=0x00 TTL=63 ID=47287 DF PROTO=UDP SPT=51059 DPT=53 LEN=37
[12810.381551] FORWARD: IN=eth1 OUT=eth0 MAC=14:dd:a9:d4:1e:71:b4:2e:99:c6:e9:9f:08:00 SRC=169.254.164.5 DST=8.8.4.4 LEN=57 TOS=0x00 PREC=0x00 TTL=63 ID=31354 DF PROTO=UDP SPT=42060 DPT=53 LEN=37

What is going on here?

Update: tcpdump shows normal traffic when pinging 8.8.8.8, but when a hostname such as www.nwzonline.de is given as the target, I do not see any response from the DNS server:

valen:~ # tcpdump -v -ni eth1 'ip host 8.8.8.8' and icmp
tcpdump: listening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
22:14:57.356849 IP (tos 0x0, ttl 64, id 63021, offset 0, flags [DF], proto ICMP (1), length 84)
    169.254.164.5 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
22:14:57.370168 IP (tos 0x0, ttl 57, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 169.254.164.5: ICMP echo reply, id 1, seq 1, length 64
22:14:58.358802 IP (tos 0x0, ttl 64, id 63032, offset 0, flags [DF], proto ICMP (1), length 84)
    169.254.164.5 > 8.8.8.8: ICMP echo request, id 1, seq 2, length 64
22:14:58.372195 IP (tos 0x0, ttl 57, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 169.254.164.5: ICMP echo reply, id 1, seq 2, length 64
22:14:59.360447 IP (tos 0x0, ttl 64, id 63211, offset 0, flags [DF], proto ICMP (1), length 84)
    169.254.164.5 > 8.8.8.8: ICMP echo request, id 1, seq 3, length 64
22:14:59.373668 IP (tos 0x0, ttl 57, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 169.254.164.5: ICMP echo reply, id 1, seq 3, length 64
22:15:00.362346 IP (tos 0x0, ttl 64, id 63238, offset 0, flags [DF], proto ICMP (1), length 84)
    169.254.164.5 > 8.8.8.8: ICMP echo request, id 1, seq 4, length 64
22:15:00.375229 IP (tos 0x0, ttl 57, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 169.254.164.5: ICMP echo reply, id 1, seq 4, length 64
22:15:01.364456 IP (tos 0x0, ttl 64, id 63472, offset 0, flags [DF], proto ICMP (1), length 84)
    169.254.164.5 > 8.8.8.8: ICMP echo request, id 1, seq 5, length 64
22:15:01.377348 IP (tos 0x0, ttl 57, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 169.254.164.5: ICMP echo reply, id 1, seq 5, length 64
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel

valen:~ # tcpdump -v -ni eth1 'ip host 8.8.8.8'
tcpdump: listening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
22:17:33.070802 IP (tos 0x0, ttl 64, id 10602, offset 0, flags [DF], proto UDP (17), length 62)
    169.254.164.5.33703 > 8.8.8.8.53: 8530+ A? www.nwzonline.de. (34)
22:17:33.070803 IP (tos 0x0, ttl 64, id 10603, offset 0, flags [DF], proto UDP (17), length 62)
    169.254.164.5.33703 > 8.8.8.8.53: 63569+ AAAA? www.nwzonline.de. (34)
22:17:33.071009 IP (tos 0x0, ttl 64, id 61652, offset 0, flags [DF], proto UDP (17), length 62)
    169.254.164.5.34979 > 8.8.8.8.53: 8530+ A? www.nwzonline.de. (34)
22:17:33.071010 IP (tos 0x0, ttl 64, id 61653, offset 0, flags [DF], proto UDP (17), length 62)
    169.254.164.5.34979 > 8.8.8.8.53: 63569+ AAAA? www.nwzonline.de. (34)
22:17:38.076881 IP (tos 0x0, ttl 64, id 18807, offset 0, flags [DF], proto UDP (17), length 62)
    169.254.164.5.42033 > 8.8.8.8.53: 14966+ A? www.nwzonline.de. (34)
22:17:38.076881 IP (tos 0x0, ttl 64, id 18808, offset 0, flags [DF], proto UDP (17), length 62)
    169.254.164.5.42033 > 8.8.8.8.53: 6003+ AAAA? www.nwzonline.de. (34)
22:17:38.077121 IP (tos 0x0, ttl 64, id 1207, offset 0, flags [DF], proto UDP (17), length 62)
    169.254.164.5.40930 > 8.8.8.8.53: 14966+ A? www.nwzonline.de. (34)
22:17:38.077122 IP (tos 0x0, ttl 64, id 1208, offset 0, flags [DF], proto UDP (17), length 62)
    169.254.164.5.40930 > 8.8.8.8.53: 6003+ AAAA? www.nwzonline.de. (34)
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel

Setting net.netfilter.nf_conntrack_helper = 1 did not help either.

iptables
  • 2 answers
  • 80 Views
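The FORWARD log lines above can be checked mechanically for the symptom the question describes: flows that leave through eth0 but for which no reply is ever logged coming back. The following Python script is an added example, not code from the question or the answers; it parses netfilter LOG lines (the two UDP lines are the ones from the question, the ICMP request/reply pair is constructed) and reports every flow that was logged in only one direction.

```python
import re
from collections import defaultdict

# Constructed sample log. The two UDP lines are copied from the question; the ICMP
# request/reply pair is constructed (MAC field shortened) to show an answered flow.
SAMPLE_LOG = """\
[12810.381486] FORWARD: IN=eth1 OUT=eth0 MAC=14:dd:a9:d4:1e:71:b4:2e:99:c6:e9:9f:08:00 SRC=169.254.164.5 DST=8.8.8.8 LEN=57 TOS=0x00 PREC=0x00 TTL=63 ID=47287 DF PROTO=UDP SPT=51059 DPT=53 LEN=37
[12810.381551] FORWARD: IN=eth1 OUT=eth0 MAC=14:dd:a9:d4:1e:71:b4:2e:99:c6:e9:9f:08:00 SRC=169.254.164.5 DST=8.8.4.4 LEN=57 TOS=0x00 PREC=0x00 TTL=63 ID=31354 DF PROTO=UDP SPT=42060 DPT=53 LEN=37
[12811.100000] FORWARD: IN=eth1 OUT=eth0 MAC=constructed SRC=169.254.164.5 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=63021 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
[12811.113000] FORWARD: IN=eth0 OUT=eth1 MAC=constructed SRC=8.8.8.8 DST=169.254.164.5 LEN=84 TOS=0x00 PREC=0x00 TTL=56 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=1
"""

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Turn one netfilter LOG line into a dict of its KEY=VALUE fields.

    Repeated keys (ICMP lines carry both an IP ID= and an ICMP ID=) keep the last
    value; only IN/OUT/SRC/DST/PROTO/SPT/DPT are used below. Returns None for
    lines that are not FORWARD log entries.
    """
    if "FORWARD:" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    return fields


def flow_key(f):
    """Direction-independent key so a request and its reply land on the same flow."""
    a = (f["SRC"], f.get("SPT", ""))
    b = (f["DST"], f.get("DPT", ""))
    return (f["PROTO"],) + tuple(sorted([a, b]))


def unanswered_flows(log_text):
    """Return flows logged in only one (IN, OUT) direction as
    (proto, src, sport, dst, dport) tuples, in first-seen order."""
    directions = defaultdict(set)
    first_seen = {}
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None:
            continue
        k = flow_key(f)
        directions[k].add((f.get("IN", ""), f.get("OUT", "")))
        first_seen.setdefault(k, f)
    return [(f["PROTO"], f["SRC"], f.get("SPT", ""), f["DST"], f.get("DPT", ""))
            for k, f in first_seen.items() if len(directions[k]) == 1]
```

Run against a real dmesg or journal extract, the output lists exactly the DNS queries the question shows leaving without a reply, while the ping flow is absent because both directions were logged.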

2 answers

  • Voted
  1. Best Answer
    HeCSa
    2023-07-31T00:04:02+08:00

    I use the shorewall package for this kind of thing, which makes creating the rules very easy.
    I create the interfaces, policy, masq and rules files and change shorewall.conf to ip_forward=1. Everything works very smoothly, with the same network configuration as the one you provided.
    Give it a try. Best regards,
    HeCSa.

    Edit:

    Hello again!
    Let me show you an example based on my configuration.
    I have two network interfaces, one facing the Internet and the other facing the internal network. The output of ip a is as follows:

    root@bastion:~# ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 52:54:00:32:55:0c brd ff:ff:ff:ff:ff:ff
        inet 192.168.0.20/24 brd 192.168.0.255 scope global ens3
           valid_lft forever preferred_lft forever
        inet6 fe80::5054:ff:fe32:550c/64 scope link
           valid_lft forever preferred_lft forever
    3: ens9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 52:54:00:93:6e:49 brd ff:ff:ff:ff:ff:ff
        inet 10.100.119.1/24 brd 10.100.119.255 scope global ens9
           valid_lft forever preferred_lft forever
        inet6 fe80::5054:ff:fe93:6e49/64 scope link
           valid_lft forever preferred_lft forever
    ens3 faces the Internet, ens9 faces the internal network.

    The shorewall package is installed. All configuration files are in /etc/shorewall.
    policy:
    fw  all ACCEPT info
    wan all DROP   info
    lan all ACCEPT info
    zones:
    fw  firewall
    wan ipv4
    lan ipv4
    shorewall.conf (only the following line changed):
    IP_FORWARDING=Yes
    interfaces:
    wan ens3
    lan ens9
    masq:
    ens3:0.0.0.0/0 10.100.119.0/0
    rules:
    ACCEPT wan fw  tcp  22  - - # External SSH if needed
    ACCEPT lan wan icmp 8   - - # ping
    ACCEPT lan fw  icmp 8   - - # ping
    ACCEPT lan wan udp  53  - - # dns queries
    ACCEPT lan wan tcp  80  - - # http
    ACCEPT lan wan tcp  443 - - # https
    Then enabled and started shorewall:
    systemctl enable shorewall
    systemctl start shorewall
    After a reboot, everything worked.
    Hope this helps!
    Best regards,
    HeCSa.

    • 1
  2. Anton Danilov
    2023-07-31T01:51:31+08:00

    Try the following steps:

    • Check that routing is correct with the command ip route get 8.8.8.8 from 169.254.164.1 iif eth0 on the gateway. It should show some valid route through the eth0 interface.
    • Please use iptables-save -c and paste its output into the question. It really helps in understanding your ruleset.
    • On very strange issues, run tcpdump. Try tcpdump -ni eth1 'ip host 8.8.8.8' and icmp; I think it will show you something interesting.
    • After changing the nat rules, restart the ping command on the client. This has to do with conntrack and the details of nat table traversal.
    • 1
