I'm trying to set up an Ubuntu box as a small router. It has two NICs and is connected to a switch. I'm following this guide: https://medium.com/@exesse/how-to-make-a-simple-router-gateway-from-ubuntu-server-18-04-lts-fd40b7bfec9
The server is connected to the Internet and the DHCP server works fine: IP addresses are handed out to the client machines (Windows and Ubuntu), and I'm able to SSH into the server. However, the clients cannot access the Internet. Let me post some information below.
Interfaces:
imarques@felix-cs:~$ ip -c a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp4s2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
link/ether 00:08:a1:97:21:2e brd ff:ff:ff:ff:ff:ff
inet 192.168.215.95/24 brd 192.168.215.255 scope global dynamic enp4s2
valid_lft 63882sec preferred_lft 63882sec
inet6 fe80::208:a1ff:fe97:212e/64 scope link
valid_lft forever preferred_lft forever
3: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:18:8b:16:a3:41 brd ff:ff:ff:ff:ff:ff
inet 10.42.0.1/24 brd 10.42.0.255 scope global enp2s0
valid_lft forever preferred_lft forever
inet6 fe80::218:8bff:fe16:a341/64 scope link
valid_lft forever preferred_lft forever
enp4s2 is the Internet connection on the server, and enp2s0 is the NIC connected to the switch that should share Internet access with the clients.
Netplan:
imarques@felix-cs:~$ cat /etc/netplan/01-netcfg.yaml
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    enp4s2:
      dhcp4: yes
    enp2s0:
      dhcp4: no
      addresses: [10.42.0.1/24]
DHCP server:
imarques@felix-cs:~$ cat /etc/default/isc-dhcp-server
# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
#DHCPDv4_PID=/var/run/dhcpd.pid
#DHCPDv6_PID=/var/run/dhcpd6.pid
# Additional options to start dhcpd with.
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="enp2s0"
INTERFACESv6=""
imarques@felix-cs:~$ cat /etc/dhcp/dhcpd.conf
default-lease-time 86400;
max-lease-time 86400;
option subnet-mask 255.255.255.0;
option broadcast-address 10.42.0.255;
authoritative;
subnet 10.42.0.0 netmask 255.255.255.0 {
range 10.42.0.20 10.42.0.100;
option routers 10.42.0.1;
option domain-name-servers 10.42.0.1;
}
IP forwarding:
imarques@felix-cs:~$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
iptables rules:
imarques@felix-cs:~$ cat /etc/iptables/rules.v4
# Generated by iptables-save v1.8.4 on Fri Nov 27 16:43:56 2020
*filter
:INPUT ACCEPT [195:13486]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [166:13592]
COMMIT
# Completed on Fri Nov 27 16:43:56 2020
# Generated by iptables-save v1.8.4 on Fri Nov 27 16:43:56 2020
*nat
:PREROUTING ACCEPT [21:2246]
:INPUT ACCEPT [9:1593]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o enp2s0 -j MASQUERADE
COMMIT
# Completed on Fri Nov 27 16:43:56 2020
This has been going on for a few days; I've looked around, but all the instructions seem similar. Any ideas?
####################################################
Edit (2020/12/15), with thanks to Doug Smythies:
Ping from the server:
imarques@felix-cs:~$ ping -c 4 www.sapo.pt
PING www.sapo.pt (213.13.146.142) 56(84) bytes of data.
64 bytes from sapo.pt (213.13.146.142): icmp_seq=1 ttl=242 time=14.9 ms
64 bytes from sapo.pt (213.13.146.142): icmp_seq=2 ttl=242 time=12.9 ms
64 bytes from sapo.pt (213.13.146.142): icmp_seq=3 ttl=242 time=13.5 ms
64 bytes from sapo.pt (213.13.146.142): icmp_seq=4 ttl=242 time=13.0 ms
--- www.sapo.pt ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 12.855/13.578/14.927/0.813 ms
imarques@felix-cs:~$ ping -c 4 213.13.146.142
PING 213.13.146.142 (213.13.146.142) 56(84) bytes of data.
64 bytes from 213.13.146.142: icmp_seq=1 ttl=242 time=13.4 ms
64 bytes from 213.13.146.142: icmp_seq=2 ttl=242 time=12.9 ms
64 bytes from 213.13.146.142: icmp_seq=3 ttl=242 time=12.9 ms
64 bytes from 213.13.146.142: icmp_seq=4 ttl=242 time=12.9 ms
--- 213.13.146.142 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 12.890/13.018/13.369/0.203 ms
Ping from the client:
imarques@client07:~$ ping -c 4 www.sapo.pt
ping: www.sapo.pt: Name or service not known
imarques@client07:~$ ping -c 4 213.13.146.142
PING 213.13.146.142 (213.13.146.142) 56(84) bytes of data.
--- 213.13.146.142 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3057ms
tcpdump produces a lot of output... I tried it while pinging the same IP from the client:
imarques@felix-cs:~$ sudo tcpdump -i enp4s2 | grep 10.42
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp4s2, link-type EN10MB (Ethernet), capture size 262144 bytes
10:40:31.865636 IP 10.42.0.94 > sapo.pt: ICMP echo request, id 21362, seq 1, length 64
10:40:32.866201 IP 10.42.0.94 > sapo.pt: ICMP echo request, id 21362, seq 2, length 64
10:40:33.890199 IP 10.42.0.94 > sapo.pt: ICMP echo request, id 21362, seq 3, length 64
10:40:34.914199 IP 10.42.0.94 > sapo.pt: ICMP echo request, id 21362, seq 4, length 64
10:40:35.938194 IP 10.42.0.94 > sapo.pt: ICMP echo request, id 21362, seq 5, length 64
10:40:36.962194 IP 10.42.0.94 > sapo.pt: ICMP echo request, id 21362, seq 6, length 64
10:40:37.986188 IP 10.42.0.94 > sapo.pt: ICMP echo request, id 21362, seq 7, length 64
10:40:39.010196 IP 10.42.0.94 > sapo.pt: ICMP echo request, id 21362, seq 8, length 64
10:40:40.034196 IP 10.42.0.94 > sapo.pt: ICMP echo request, id 21362, seq 9, length 64
10:40:41.058192 IP 10.42.0.94 > sapo.pt: ICMP echo request, id 21362, seq 10, length 64
iptables info:
imarques@felix-cs:~$ sudo iptables -t nat -xnvL
Chain PREROUTING (policy ACCEPT 15969 packets, 1077775 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 15501 packets, 1031506 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1166 packets, 112828 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1269 packets, 118672 bytes)
pkts bytes target prot opt in out source destination
2 120 MASQUERADE all -- * enp2s0 0.0.0.0/0 0.0.0.0/0
imarques@felix-cs:~$ sudo iptables -xnvL
Chain INPUT (policy ACCEPT 89829 packets, 4283290 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 1774 packets, 289508 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 159993 packets, 37244234 bytes)
pkts bytes target prot opt in out source destination
Sorry, but I don't know how to check the MASQUERADE packet counter...
####################################################
Second edit (2020/12/15). Rebooted the server and the client.
While pinging 213.13.146.142 from the client (10.42.0.94):
imarques@felix-cs:~$ sudo iptables -t nat -xnvL
Chain PREROUTING (policy ACCEPT 2375 packets, 155967 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 2292 packets, 150880 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 25 packets, 1564 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 50 packets, 3008 bytes)
pkts bytes target prot opt in out source destination
1 60 MASQUERADE all -- * enp2s0 0.0.0.0/0 0.0.0.0/0
imarques@felix-cs:~$ sudo tcpdump -tttt -n -vvv -i enp2s0 host 213.13.146.142
tcpdump: listening on enp2s0, link-type EN10MB (Ethernet), capture size 262144 bytes
2020-12-15 16:02:07.170117 IP (tos 0x0, ttl 64, id 13547, offset 0, flags [DF], proto ICMP (1), length 84)
10.42.0.94 > 213.13.146.142: ICMP echo request, id 1625, seq 1, length 64
2020-12-15 16:02:08.176165 IP (tos 0x0, ttl 64, id 13620, offset 0, flags [DF], proto ICMP (1), length 84)
10.42.0.94 > 213.13.146.142: ICMP echo request, id 1625, seq 2, length 64
2020-12-15 16:02:09.200188 IP (tos 0x0, ttl 64, id 13856, offset 0, flags [DF], proto ICMP (1), length 84)
10.42.0.94 > 213.13.146.142: ICMP echo request, id 1625, seq 3, length 64
2020-12-15 16:02:10.224214 IP (tos 0x0, ttl 64, id 13971, offset 0, flags [DF], proto ICMP (1), length 84)
10.42.0.94 > 213.13.146.142: ICMP echo request, id 1625, seq 4, length 64
2020-12-15 16:02:11.248242 IP (tos 0x0, ttl 64, id 14165, offset 0, flags [DF], proto ICMP (1), length 84)
10.42.0.94 > 213.13.146.142: ICMP echo request, id 1625, seq 5, length 64
2020-12-15 16:02:12.272264 IP (tos 0x0, ttl 64, id 14275, offset 0, flags [DF], proto ICMP (1), length 84)
10.42.0.94 > 213.13.146.142: ICMP echo request, id 1625, seq 6, length 64
2020-12-15 16:02:13.296286 IP (tos 0x0, ttl 64, id 14530, offset 0, flags [DF], proto ICMP (1), length 84)
10.42.0.94 > 213.13.146.142: ICMP echo request, id 1625, seq 7, length 64
2020-12-15 16:02:14.320323 IP (tos 0x0, ttl 64, id 14641, offset 0, flags [DF], proto ICMP (1), length 84)
10.42.0.94 > 213.13.146.142: ICMP echo request, id 1625, seq 8, length 64
2020-12-15 16:02:15.344341 IP (tos 0x0, ttl 64, id 14737, offset 0, flags [DF], proto ICMP (1), length 84)
10.42.0.94 > 213.13.146.142: ICMP echo request, id 1625, seq 9, length 64
2020-12-15 16:02:16.368366 IP (tos 0x0, ttl 64, id 14801, offset 0, flags [DF], proto ICMP (1), length 84)
10.42.0.94 > 213.13.146.142: ICMP echo request, id 1625, seq 10, length 64
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel
imarques@felix-cs:~$ sudo iptables -t nat -xnvL
Chain PREROUTING (policy ACCEPT 3198 packets, 210191 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 3081 packets, 203146 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 25 packets, 1564 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 58 packets, 3456 bytes)
pkts bytes target prot opt in out source destination
1 60 MASQUERADE all -- * enp2s0 0.0.0.0/0 0.0.0.0/0
Your NAT (Network Address Translation) rule is backwards.
This:
Should be:
By the way, I assume your current iptables rule set is just a start and that eventually you'll add some firewall-type stuff. Actually, since there must be another router between your server and the actual Internet, it matters much less.
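As an added example (not from the question or the answer above), the two POSIX shell functions below generate a rules.v4 for a two-NIC gateway that masquerades on the Internet-facing interface and forwards only LAN-to-WAN plus established replies, and lint an existing rules.v4 for the backwards-interface mistake from the question. The interface names enp4s2 (WAN) and enp2s0 (LAN) are taken from the question; applying the output with iptables-restore is left to the operator.

```shell
#!/bin/sh
# Added example, not the question's or answer's own configuration.

# gen_gateway_rules WAN LAN : print a rules.v4 in iptables-save format.
# MASQUERADE is attached to the WAN side (the question had it on the
# LAN side), and FORWARD defaults to DROP with explicit LAN->WAN and
# reply traffic allowed, replacing the question's ACCEPT-everything policy.
gen_gateway_rules() {
    wan=$1; lan=$2
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wan -o $lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# check_masq_iface FILE WAN : return 0 when every MASQUERADE rule in FILE
# leaves via WAN, 1 when a rule names another interface (or none at all).
# The grep/while pipeline runs in a subshell, so "exit 1" there becomes
# the function's return status.
check_masq_iface() {
    file=$1; wan=$2
    grep -- '-j MASQUERADE' "$file" | while read -r line; do
        case "$line" in
            *"-o $wan "*) ;;
            *) echo "MASQUERADE on wrong outbound interface: $line"; exit 1 ;;
        esac
    done
}
```

Note that the dhcpd.conf in the question hands out 10.42.0.1 as the clients' DNS server, so the "Name or service not known" error on the client will persist after the NAT fix until a resolver listens on 10.42.0.1 or option domain-name-servers points to a reachable one.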