主页 / user-1002597

Neppomuk's questions

Martin Hope
Neppomuk
Asked: 2023-07-30 23:37:28 +0800 CST
  • 5

在充当防火墙的 SOHO 服务器上重新安装 OpenSuSE Leap 15.5 后,内部网络 (169.254.164.0/24) 上的计算机除了 ping 之外无法访问互联网上的任何主机。但没有任何有意义的流量,甚至 DNS,都不起作用。

服务器的一个网卡(eth0)挂在DSL Router上,而eth1连接到内部网络的交换机。IPv4转发已开启:net.ipv4.ip_forward = 1

这是服务器的网络配置:

valen:~ # ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN grou
p default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP gr
oup default qlen 1000
    link/ether 14:dd:a9:d4:1e:70 brd ff:ff:ff:ff:ff:ff
    altname enp2s0
    inet 192.168.178.41/24 brd 192.168.178.255 scope global eth0
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP gr
oup default qlen 1000
    link/ether 14:dd:a9:d4:1e:71 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    inet 169.254.164.1/24 brd 169.254.164.255 scope global eth1
       valid_lft forever preferred_lft forever

valen:~ # ip route show
default via 192.168.178.1 dev eth0 proto dhcp
169.254.164.0/24 dev eth1 proto kernel scope link src 169.254.164.1
192.168.178.0/24 dev eth0 proto kernel scope link src 192.168.178.41

valen:~ # iptables -t nat -nv -L >> netconfig.txt
Chain PREROUTING (policy ACCEPT 41 packets, 2456 bytes)
 pkts bytes target prot opt in out source dest
ination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source dest
ination

Chain OUTPUT (policy ACCEPT 12 packets, 909 bytes)
 pkts bytes target prot opt in out source dest
ination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source dest
ination
   12 909 MASQUERADE all -- * eth0 0.0.0.0/0 0.0
.0.0/0
    0 0 LOG all -- * eth0 0.0.0.0/0 0.0.
0.0/0 LOG flags 0 level 7 prefix "MASQUERADE: "

valen:~ # iptables -L -v
Chain INPUT (policy ACCEPT 496 packets, 40562 bytes)
 pkts bytes target prot opt in out source dest
ination

Chain FORWARD (policy ACCEPT 36 packets, 2276 bytes)
 pkts bytes target prot opt in out source dest
ination
    0 0 LOG all -- eth0 any anywhere anyw
here LOG level debug prefix "FORWARD: "
   36 2276 LOG all -- eth1 any anywhere anyw
here LOG level debug prefix "FORWARD: "

Chain OUTPUT (policy ACCEPT 307 packets, 43133 bytes)
 pkts bytes target prot opt in out source dest
ination

valen:~ # dmesg | grep MASQUERADE | tail -25
[ 5040.328157] x_tables: ip_tables: MASQUERADE target: used from hooks P
REROUTING, but only usable from POSTROUTING

valen:~ # iptables-save -c
# Generated by iptables-save v1.8.7 on Sun Jul 30 22:21:59 2023
*nat
:PREROUTING ACCEPT [271:12228]
:INPUT ACCEPT [3:180]
:OUTPUT ACCEPT [188:13601]
:POSTROUTING ACCEPT [0:0]
[188:13601] -A POSTROUTING -o eth0 -j MASQUERADE
[0:0] -A POSTROUTING -o eth0 -j LOG --log-prefix "MASQUERADE: " --log-le
vel 7
COMMIT
# Completed on Sun Jul 30 22:21:59 2023
# Generated by iptables-save v1.8.7 on Sun Jul 30 22:21:59 2023
*mangle
:PREROUTING ACCEPT [1055426:82517132]
:INPUT ACCEPT [1055140:82499096]
:FORWARD ACCEPT [286:18036]
:OUTPUT ACCEPT [197144:2649496105]
:POSTROUTING ACCEPT [197178:2649498961]
COMMIT
# Completed on Sun Jul 30 22:21:59 2023
# Generated by iptables-save v1.8.7 on Sun Jul 30 22:21:59 2023
*raw
:PREROUTING ACCEPT [1055426:82517132]
:OUTPUT ACCEPT [197145:2649496485]
COMMIT
# Completed on Sun Jul 30 22:21:59 2023
# Generated by iptables-save v1.8.7 on Sun Jul 30 22:21:59 2023
*security
:INPUT ACCEPT [1054928:82491464]
:FORWARD ACCEPT [34:2856]
:OUTPUT ACCEPT [197146:2649496917]
COMMIT
# Completed on Sun Jul 30 22:21:59 2023
# Generated by iptables-save v1.8.7 on Sun Jul 30 22:21:59 2023
*filter
:INPUT ACCEPT [129181:24309644]
:FORWARD ACCEPT [96:5856]
:OUTPUT ACCEPT [95693:121943383]
[0:0] -A FORWARD -i eth0 -j LOG --log-prefix "FORWARD: " --log-level 7
[96:5856] -A FORWARD -i eth1 -j LOG --log-prefix "FORWARD: " --log-level
 7
COMMIT
# Completed on Sun Jul 30 22:21:59 2023

其中一个客户端的设置方式如下:

╭─jacek@epica ~
╰─➤ ip addr show
                                  2 ↵
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN grou
p default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast sta
te UP group default qlen 1000
    link/ether b4:2e:99:c6:e9:9f brd ff:ff:ff:ff:ff:ff
    altname enp7s0
    inet 169.254.164.5/24 brd 169.254.164.255 scope global eth0
       valid_lft forever preferred_lft forever
╭─jacek@epica ~
╰─➤ ip route show
default via 169.254.164.1 dev eth0
169.254.164.0/24 dev eth0 proto kernel scope link src 169.254.164.5

我可以从客户端 ping 任何外部主机(例如 8.8.8.8),但除此之外的任何主机都不起作用,甚至 DNS 查询也不起作用。然后服务器上的系统日志显示传出流量,但没有任何传入流量:

[12810.381486] FORWARD: IN=eth1 OUT=eth0 MAC=14:dd:a9:d4:1e:71:b4:2e:99:
c6:e9:9f:08:00 SRC=169.254.164.5 DST=8.8.8.8 LEN=57 TOS=0x00 PREC=0x00 T
TL=63 ID=47287 DF PROTO=UDP SPT=51059 DPT=53 LEN=37
[12810.381551] FORWARD: IN=eth1 OUT=eth0 MAC=14:dd:a9:d4:1e:71:b4:2e:99:
c6:e9:9f:08:00 SRC=169.254.164.5 DST=8.8.4.4 LEN=57 TOS=0x00 PREC=0x00 T
TL=63 ID=31354 DF PROTO=UDP SPT=42060 DPT=53 LEN=37

这是怎么回事?

更新:tcpdump工具在 ping 时显示正常流量8.8.8.8,但是当尝试提供主机名作为www.nwzonline.de目标时,我看不到来自 DNS 服务器的任何响应:

valen:~ # tcpdump -v -ni eth1 'ip host 8.8.8.8' and icmp
tcpdump: listening on eth1, link-type EN10MB (Ethernet), snapshot length
 262144 bytes
22:14:57.356849 IP (tos 0x0, ttl 64, id 63021, offset 0, flags [DF], pro
to ICMP (1), length 84)
    169.254.164.5 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
22:14:57.370168 IP (tos 0x0, ttl 57, id 0, offset 0, flags [none], proto
 ICMP (1), length 84)
    8.8.8.8 > 169.254.164.5: ICMP echo reply, id 1, seq 1, length 64
22:14:58.358802 IP (tos 0x0, ttl 64, id 63032, offset 0, flags [DF], pro
to ICMP (1), length 84)
    169.254.164.5 > 8.8.8.8: ICMP echo request, id 1, seq 2, length 64
22:14:58.372195 IP (tos 0x0, ttl 57, id 0, offset 0, flags [none], proto
 ICMP (1), length 84)
    8.8.8.8 > 169.254.164.5: ICMP echo reply, id 1, seq 2, length 64
22:14:59.360447 IP (tos 0x0, ttl 64, id 63211, offset 0, flags [DF], pro
to ICMP (1), length 84)
    169.254.164.5 > 8.8.8.8: ICMP echo request, id 1, seq 3, length 64
22:14:59.373668 IP (tos 0x0, ttl 57, id 0, offset 0, flags [none], proto
 ICMP (1), length 84)
    8.8.8.8 > 169.254.164.5: ICMP echo reply, id 1, seq 3, length 64
22:15:00.362346 IP (tos 0x0, ttl 64, id 63238, offset 0, flags [DF], pro
to ICMP (1), length 84)
    169.254.164.5 > 8.8.8.8: ICMP echo request, id 1, seq 4, length 64
22:15:00.375229 IP (tos 0x0, ttl 57, id 0, offset 0, flags [none], proto
 ICMP (1), length 84)
    8.8.8.8 > 169.254.164.5: ICMP echo reply, id 1, seq 4, length 64
22:15:01.364456 IP (tos 0x0, ttl 64, id 63472, offset 0, flags [DF], pro
to ICMP (1), length 84)
    169.254.164.5 > 8.8.8.8: ICMP echo request, id 1, seq 5, length 64
22:15:01.377348 IP (tos 0x0, ttl 57, id 0, offset 0, flags [none], proto
 ICMP (1), length 84)
    8.8.8.8 > 169.254.164.5: ICMP echo reply, id 1, seq 5, length 64
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel

valen:~ # tcpdump -v -ni eth1 'ip host 8.8.8.8'
tcpdump: listening on eth1, link-type EN10MB (Ethernet), snapshot length
 262144 bytes
22:17:33.070802 IP (tos 0x0, ttl 64, id 10602, offset 0, flags [DF], pro
to UDP (17), length 62)
    169.254.164.5.33703 > 8.8.8.8.53: 8530+ A? www.nwzonline.de. (34)
22:17:33.070803 IP (tos 0x0, ttl 64, id 10603, offset 0, flags [DF], pro
to UDP (17), length 62)
    169.254.164.5.33703 > 8.8.8.8.53: 63569+ AAAA? www.nwzonline.de. (34
)
22:17:33.071009 IP (tos 0x0, ttl 64, id 61652, offset 0, flags [DF], pro
to UDP (17), length 62)
    169.254.164.5.34979 > 8.8.8.8.53: 8530+ A? www.nwzonline.de. (34)
22:17:33.071010 IP (tos 0x0, ttl 64, id 61653, offset 0, flags [DF], pro
to UDP (17), length 62)
    169.254.164.5.34979 > 8.8.8.8.53: 63569+ AAAA? www.nwzonline.de. (34
)
22:17:38.076881 IP (tos 0x0, ttl 64, id 18807, offset 0, flags [DF], pro
to UDP (17), length 62)
    169.254.164.5.42033 > 8.8.8.8.53: 14966+ A? www.nwzonline.de. (34)
22:17:38.076881 IP (tos 0x0, ttl 64, id 18808, offset 0, flags [DF], pro
to UDP (17), length 62)
    169.254.164.5.42033 > 8.8.8.8.53: 6003+ AAAA? www.nwzonline.de. (34)
22:17:38.077121 IP (tos 0x0, ttl 64, id 1207, offset 0, flags [DF], prot
o UDP (17), length 62)
    169.254.164.5.40930 > 8.8.8.8.53: 14966+ A? www.nwzonline.de. (34)
22:17:38.077122 IP (tos 0x0, ttl 64, id 1208, offset 0, flags [DF], prot
o UDP (17), length 62)
    169.254.164.5.40930 > 8.8.8.8.53: 6003+ AAAA? www.nwzonline.de. (34)
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel

设置net.netfilter.nf_conntrack_helper = 1也没有帮助。

iptables