My network uses a Debian-based gateway with four interfaces:

eth0: dynamic (connected to the ISP)
eth1:
- IP 192.168.1.1
- connected to a switch
- dnsmasq assigns IP addresses (192.168.1.*) to connected clients
eth2:
- IP 192.168.2.1
- connected to a switch
- dnsmasq assigns IP addresses (192.168.2.*) to connected clients
wlan0: (stopped)
- IP 192.168.3.1
- active as an AP
- dnsmasq assigns IP addresses (192.168.3.*) to connected clients

Clients connected via either interface can reach the Internet and the gateway's services:
- ping 192.168.1.1 from 192.168.3.111 works
- ping 192.168.3.1 from 192.168.1.110 works

Clients cannot reach clients on the other subnet:
- ping 192.168.1.40 from 192.168.3.111 does not work.
ip route shows:
default via 80.0.0.1 dev eth0
80.0.0.0/24 dev eth0 proto kernel scope link src 80.0.0.7
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.1 linkdown
192.168.3.0/24 dev wlan0 proto kernel scope link src 192.168.3.1
iptables is not the problem.

cat /proc/sys/net/ipv4/ip_forward returns 1.

Question: how can I get all clients to reach each other without adjusting the network settings on each client?

Additional information, iptables-save -c:
# Generated by iptables-save v1.6.0 on Sat Feb 2 19:03:01 2019
*mangle
:PREROUTING ACCEPT [7068132:2249036546]
:INPUT ACCEPT [6634829:1954826260]
:FORWARD ACCEPT [432992:294164216]
:OUTPUT ACCEPT [3915469:40516939510]
:POSTROUTING ACCEPT [4348507:40811115290]
COMMIT
# Completed on Sat Feb 2 19:03:01 2019
# Generated by iptables-save v1.6.0 on Sat Feb 2 19:03:01 2019
*nat
:PREROUTING ACCEPT [3681:370156]
:INPUT ACCEPT [1605:106410]
:OUTPUT ACCEPT [6748:465680]
:POSTROUTING ACCEPT [325:26525]
[171:12116] -A POSTROUTING -o eth0 -j MASQUERADE
[7374:521015] -A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
# Completed on Sat Feb 2 19:03:01 2019
# Generated by iptables-save v1.6.0 on Sat Feb 2 19:03:01 2019
*filter
:INPUT DROP [219:37927]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:garbage - [0:0]
[4503:318377] -A INPUT -i lo -j ACCEPT
[3186066:177042527] -A INPUT -i eth1 -j ACCEPT
[16:3840] -A INPUT -i eth2 -j ACCEPT
[523:97073] -A INPUT -i wlan0 -j ACCEPT
[2130075:1081232616] -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[1312840:695988466] -A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -d 192.168.3.130/32 -i eth0 -j REJECT --reject-with icmp-port-unreachable
[798:139319] -A INPUT -j garbage
[5797:6921736] -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
[5902:682788] -A FORWARD -i eth1 -o eth0 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i eth2 -o eth0 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i wlan0 -o eth0 -j ACCEPT
[0:0] -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i eth0 -o tun0 -j ACCEPT
[0:0] -A FORWARD -i eth1 -o eth2 -j ACCEPT
[0:0] -A FORWARD -i eth2 -o eth1 -j ACCEPT
[42490:6707236] -A FORWARD -i eth1 -o wlan0 -j ACCEPT
[42582:6765739] -A FORWARD -i wlan0 -o eth1 -j ACCEPT
[224512:260134799] -A FORWARD -i tun0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
[97009:7301815] -A FORWARD -i eth1 -o tun0 -j ACCEPT
[0:0] -A FORWARD -i tun0 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i eth2 -o tun0 -j ACCEPT
[0:0] -A FORWARD -i eth2 -o wlan0 -j ACCEPT
[0:0] -A FORWARD -i wlan0 -o eth2 -j ACCEPT
[7517:1453488] -A FORWARD -i wlan0 -o tun0 -j ACCEPT
[7178:4193761] -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -s 192.168.10.0/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
[0:0] -A FORWARD -s 192.168.10.0/24 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
[0:0] -A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT
[0:0] -A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT
[0:0] -A FORWARD -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
[0:0] -A FORWARD -j garbage
[0:0] -A OUTPUT -d 192.168.0.0/16 -o wlan0 -p tcp -m tcp --sport 9091 -m owner --uid-owner 109 -j ACCEPT
[0:0] -A OUTPUT -d 192.168.0.0/16 -o wlan0 -p udp -m udp --sport 9091 -m owner --uid-owner 109 -j ACCEPT
[2131:982946] -A OUTPUT -d 192.168.0.0/16 -o eth1 -p tcp -m tcp --sport 9091 -m owner --uid-owner 109 -j ACCEPT
[0:0] -A OUTPUT -d 192.168.0.0/16 -o eth1 -p udp -m udp --sport 9091 -m owner --uid-owner 109 -j ACCEPT
[0:0] -A OUTPUT -d 192.168.0.0/16 -o eth2 -p tcp -m tcp --sport 9091 -m owner --uid-owner 109 -j ACCEPT
[0:0] -A OUTPUT -d 192.168.0.0/16 -o eth2 -p udp -m udp --sport 9091 -m owner --uid-owner 109 -j ACCEPT
[1026585:1247589085] -A OUTPUT -o tun0 -m owner --uid-owner 109 -j ACCEPT
[218:15112] -A OUTPUT -o lo -m owner --uid-owner 109 -j ACCEPT
[0:0] -A OUTPUT -m owner --uid-owner 109 -j REJECT --reject-with icmp-port-unreachable
[4285:303265] -A OUTPUT -o lo -j ACCEPT
[643670:37873467432] -A OUTPUT -o eth1 -j ACCEPT
[16:3840] -A OUTPUT -o eth2 -j ACCEPT
[479:110432] -A OUTPUT -o wlan0 -j ACCEPT
[2230895:1393337874] -A OUTPUT -o eth0 -j ACCEPT
[7182:1129654] -A OUTPUT -o tun0 -j ACCEPT
[0:0] -A OUTPUT -j garbage
[0:0] -A garbage -p icmp -j LOG --log-prefix "DROP ICMP-Packet: "
[355:109444] -A garbage -p udp -j LOG --log-prefix "DROP UDP-Packet: "
[1022:131267] -A garbage -p tcp -j LOG --log-prefix "DROP TCP-Packet: "
COMMIT
# Completed on Sat Feb 2 19:03:01 2019
With tcpdump running:
- ping 192.168.1.110 from 192.168.3.130 (100% packet loss)
- ping 192.168.3.140 from 192.168.1.110 (0.0% packet loss)
- accessing 192.168.1.40:5000 from 192.168.3.140 (no response)

tcpdump summary:
77136 packets captured
77363 packets received by filter
0 packets dropped by kernel

tcpdump analysis (filtered to the ICMP entries), ping from 192.168.3.130 to 192.168.1.40:
14:33:10.404428 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 1, length 64
14:33:11.443861 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 2, length 64
14:33:12.483868 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 3, length 64
14:33:13.523863 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 4, length 64
14:33:14.563859 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 5, length 64
14:33:15.603854 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 6, length 64
14:33:16.643855 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 7, length 64
14:33:17.683844 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 8, length 64
14:33:18.723842 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 9, length 64
14:33:19.763853 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 10, length 64
wlan0 (the .3 subnet's interface) on the gateway:
14:33:10.506374 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 1, length 64
14:33:11.549063 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 2, length 64
14:33:12.589103 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 3, length 64
14:33:13.629124 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 4, length 64
14:33:14.669151 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 5, length 64
14:33:15.709198 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 6, length 64
14:33:16.749188 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 7, length 64
14:33:17.789169 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 8, length 64
14:33:18.829243 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 9, length 64
eth1 (the .1 subnet's interface) on the gateway:
14:33:10.506430 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 1, length 64
14:33:10.506703 IP 192.168.1.40 > pizerow: ICMP echo reply, id 15599, seq 1, length 64
14:33:11.549119 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 2, length 64
14:33:11.549373 IP 192.168.1.40 > pizerow: ICMP echo reply, id 15599, seq 2, length 64
14:33:12.589157 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 3, length 64
14:33:12.589431 IP 192.168.1.40 > pizerow: ICMP echo reply, id 15599, seq 3, length 64
14:33:13.629182 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 4, length 64
14:33:13.629458 IP 192.168.1.40 > pizerow: ICMP echo reply, id 15599, seq 4, length 64
14:33:14.669207 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 5, length 64
14:33:14.669486 IP 192.168.1.40 > pizerow: ICMP echo reply, id 15599, seq 5, length 64
14:33:15.709273 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 6, length 64
14:33:15.709547 IP 192.168.1.40 > pizerow: ICMP echo reply, id 15599, seq 6, length 64
14:33:16.749244 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 7, length 64
14:33:16.749522 IP 192.168.1.40 > pizerow: ICMP echo reply, id 15599, seq 7, length 64
14:33:17.789224 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 8, length 64
14:33:17.789496 IP 192.168.1.40 > pizerow: ICMP echo reply, id 15599, seq 8, length 64
14:33:18.829295 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 9, length 64
14:33:18.829574 IP 192.168.1.40 > pizerow: ICMP echo reply, id 15599, seq 9, length 64
14:33:19.869300 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 10, length 64
14:33:19.869576 IP 192.168.1.40 > pizerow: ICMP echo reply, id 15599, seq 10, length 64
tcpdump without the iptables firewall. I run the following commands:
#!/bin/sh
# Flush all rules and user-defined chains in every table and zero the counters
iptables=/sbin/iptables
$iptables -F
$iptables -X
$iptables -Z
$iptables -t nat -F
$iptables -t nat -X
$iptables -t filter -F
$iptables -t mangle -F
$iptables -t mangle -X
# Keep routing between interfaces enabled
echo 1 > /proc/sys/net/ipv4/ip_forward
# Re-add only the NAT towards the uplinks
$iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
# Accept everything by default
$iptables -P INPUT ACCEPT
$iptables -P OUTPUT ACCEPT
$iptables -P FORWARD ACCEPT
ping -c 5 192.168.1.40 from 192.168.3.130: 100% packet loss

tcpdump on the gateway's wlan0 interface:
16:04:15.653830 IP pizerow > 192.168.1.40: ICMP echo request, id 16003, seq 1, length 64
16:04:16.663534 IP pizerow > 192.168.1.40: ICMP echo request, id 16003, seq 2, length 64
16:04:17.705299 IP pizerow > 192.168.1.40: ICMP echo request, id 16003, seq 3, length 64
16:04:18.743570 IP pizerow > 192.168.1.40: ICMP echo request, id 16003, seq 4, length 64
16:04:19.783548 IP pizerow > 192.168.1.40: ICMP echo request, id 16003, seq 5, length 64
tcpdump on the gateway's eth1 interface:
16:04:15.653895 IP pizerow > 192.168.1.40: ICMP echo request, id 16003, seq 1, length 64
16:04:15.654178 IP 192.168.1.40 > pizerow: ICMP echo reply, id 16003, seq 1, length 64
16:04:16.663579 IP pizerow > 192.168.1.40: ICMP echo request, id 16003, seq 2, length 64
16:04:16.663848 IP 192.168.1.40 > pizerow: ICMP echo reply, id 16003, seq 2, length 64
16:04:17.705391 IP pizerow > 192.168.1.40: ICMP echo request, id 16003, seq 3, length 64
16:04:17.705676 IP 192.168.1.40 > pizerow: ICMP echo reply, id 16003, seq 3, length 64
16:04:18.743631 IP pizerow > 192.168.1.40: ICMP echo request, id 16003, seq 4, length 64
16:04:18.743907 IP 192.168.1.40 > pizerow: ICMP echo reply, id 16003, seq 4, length 64
16:04:19.783596 IP pizerow > 192.168.1.40: ICMP echo request, id 16003, seq 5, length 64
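The two captures above are compared by eye: requests appear on both interfaces, replies only on eth1. The script below is an added example, not part of the question, that does that pairing mechanically for any two captures taken on the client-facing and target-facing interfaces of a gateway. It parses tcpdump's ICMP echo lines, keys them by (id, seq) and reports for each probe where the round trip broke (request never forwarded, target silent, or reply seen on the target side but never forwarded back). The sample lines are constructed after the question's captures; the script only classifies, it does not diagnose the cause.

```python
import re
from collections import defaultdict

# Constructed sample lines in tcpdump's ICMP echo format, modelled on the
# captures in the question (not copied from a live system).
CLIENT_SIDE = """\
14:33:10.506374 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 1, length 64
14:33:11.549063 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 2, length 64
14:33:12.589103 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 3, length 64
"""
TARGET_SIDE = """\
14:33:10.506430 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 1, length 64
14:33:10.506703 IP 192.168.1.40 > pizerow: ICMP echo reply, id 15599, seq 1, length 64
14:33:11.549119 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 2, length 64
14:33:11.549373 IP 192.168.1.40 > pizerow: ICMP echo reply, id 15599, seq 2, length 64
14:33:12.589157 IP pizerow > 192.168.1.40: ICMP echo request, id 15599, seq 3, length 64
"""

# One tcpdump line for an ICMP echo request or reply (IPv4, default verbosity).
ICMP_ECHO = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp_echo(capture):
    """Yield one dict per ICMP echo line; anything else tcpdump printed is skipped."""
    for line in capture.splitlines():
        m = ICMP_ECHO.match(line)
        if m:
            d = m.groupdict()
            d["id"], d["seq"] = int(d["id"]), int(d["seq"])
            yield d


def echo_state(capture):
    """Map (id, seq) -> {"request": bool, "reply": bool} for one interface."""
    state = defaultdict(lambda: {"request": False, "reply": False})
    for pkt in parse_icmp_echo(capture):
        state[(pkt["id"], pkt["seq"])][pkt["kind"]] = True
    return dict(state)


def forwarding_findings(client_side, target_side):
    """Classify each echo (id, seq) by where its round trip broke.

    client_side is the capture on the interface facing the pinging client,
    target_side the capture on the interface facing the pinged host."""
    empty = {"request": False, "reply": False}
    c, t = echo_state(client_side), echo_state(target_side)
    findings = {}
    for key in sorted(set(c) | set(t)):
        cs, ts = c.get(key, empty), t.get(key, empty)
        if not cs["request"] and not ts["request"]:
            verdict = "reply without observed request"
        elif cs["request"] and not ts["request"]:
            verdict = "request not forwarded to target side"
        elif not ts["reply"]:
            verdict = "target did not answer"
        elif not cs["reply"]:
            verdict = "reply seen on target side, not forwarded to client side"
        else:
            verdict = "round trip complete"
        findings[key] = verdict
    return findings


def summary(findings):
    """Count verdicts so a long capture reduces to a few lines."""
    counts = defaultdict(int)
    for verdict in findings.values():
        counts[verdict] += 1
    return dict(counts)


if __name__ == "__main__":
    result = forwarding_findings(CLIENT_SIDE, TARGET_SIDE)
    for (icmp_id, seq), verdict in result.items():
        print(f"id {icmp_id} seq {seq}: {verdict}")
    print(summary(result))
```

On a real gateway, feed it the text saved from `tcpdump -n -i wlan0 icmp` and `tcpdump -n -i eth1 icmp` run in parallel during the ping; the regex accepts either numeric addresses or resolved names, so the `-n` is optional. A verdict of "reply seen on target side, not forwarded to client side" narrows the search to the gateway's return path, while "target did not answer" points at the pinged host instead.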