
Cannot ping a Linux network namespace on the same subnet

Here is a short summary of the problem: I cannot communicate with a Linux network namespace that is on the same subnet. I am running Ubuntu 14.04.1 LTS on a headless server. I have been troubleshooting this for about a week, so any answer is appreciated.

From the beginning (tcpdump at the bottom):

I have two physical interfaces, em1 and em2. I created two bridges, br0 and br1. The first bridge, br0, contains the external interface em1. The second bridge, br1, contains the internal interface em2 and veth0 (which, as shown below, is linked to veth1 in a network namespace named vpn).

cat /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# Bridge setup
auto br0 em1
iface br0 inet dhcp
bridge_ports em1

auto br1 em2 veth0
iface br1 inet static
address 10.0.0.1
network 10.0.0.0
netmask 255.255.255.0
broadcast 10.0.0.255
bridge_ports em2 veth0

# pre and post up
pre-up ip link add name veth0 type veth peer name veth1
pre-up ip netns add vpn
pre-up ip link set veth1 netns vpn
post-up ip netns exec vpn ip link set dev lo up
post-up ip netns exec vpn ip link set dev veth1 up
post-up ip netns exec vpn ip addr add 10.0.0.254/24 broadcast 10.0.0.255 dev veth1
post-up ip netns exec vpn ip route add default via 10.0.0.1

I use this server for routing. Here is my nat.sh, which runs at every boot.

#!/bin/bash
# bash, not /bin/sh (dash): the echo -e / echo -en calls below rely on it
echo -e "\n\nLoading simple rc.firewall-iptables version $FWVER..\n"
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe

EXTIF="br0"
INTIF="br1"
#INTIF2="eth0"
echo "   External Interface:  $EXTIF"
echo "   Internal Interface:  $INTIF"

#======================================================================
#== No editing beyond this line is required for initial MASQ testing == 
echo -en "   loading modules: "
echo "  - Verifying that all kernel modules are ok"
$DEPMOD -a
echo "----------------------------------------------------------------------"
echo -en "ip_tables, "
$MODPROBE ip_tables
echo -en "nf_conntrack, " 
$MODPROBE nf_conntrack
echo -en "nf_conntrack_ftp, " 
$MODPROBE nf_conntrack_ftp
echo -en "nf_conntrack_irc, " 
$MODPROBE nf_conntrack_irc
echo -en "iptable_nat, "
$MODPROBE iptable_nat
echo -en "nf_nat_ftp, "
$MODPROBE nf_nat_ftp
echo "----------------------------------------------------------------------"
echo -e "   Done loading modules.\n"
echo "   Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "   Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr 
echo "   Clearing any existing rules and setting default policy.."

iptables-restore <<-EOF
*nat
-A POSTROUTING -o "$EXTIF" -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i "$EXTIF" -o "$INTIF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 
-A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
-A FORWARD -j LOG
COMMIT
EOF

echo -e "\nrc.firewall-iptables v$FWVER done.\n"

Every device on the network gets its address from this server and is on the same subnet. Everything communicates with everything else perfectly. My only problem is that I cannot reach veth1 inside the network namespace vpn, even though, like everything else, it has an address on the subnet served by this server, and it can even ping Google.

For example, from my laptop with address 10.0.0.4: the command ping 10.0.0.1 works, and ping 10.0.0.3 (my Xbox) works. However, ping 10.0.0.254 does not work, even though it is on the same network as everything else.

Here is some additional information:

sysctl net.ipv4.ip_forward

net.ipv4.ip_forward = 1

cat /proc/sys/net/ipv4/ip_forward

1

ifconfig

br0       Link encap:Ethernet  HWaddr 00:1e:67:ad:9e:1d  
          inet addr:71.95.217.302  Bcast:255.255.255.255  Mask:255.255.254.0
          inet6 addr: fe80::21e:67ff:fead:9e1d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:57249 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17297 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:13724815 (13.7 MB)  TX bytes:2606039 (2.6 MB)

br1       Link encap:Ethernet  HWaddr 00:1e:67:ad:9e:1e  
          inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::21e:67ff:fead:9e1e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:17716 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18625 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:2382424 (2.3 MB)  TX bytes:11990075 (11.9 MB)

em1       Link encap:Ethernet  HWaddr 00:1e:67:ad:9e:1d  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:58804 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17304 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:14632304 (14.6 MB)  TX bytes:2606465 (2.6 MB)
          Memory:b1200000-b1280000 

em2       Link encap:Ethernet  HWaddr 00:1e:67:ad:9e:1e  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:17636 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20125 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2639201 (2.6 MB)  TX bytes:12086082 (12.0 MB)
          Memory:b1100000-b1180000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:4775 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4775 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:939016 (939.0 KB)  TX bytes:939016 (939.0 KB)

veth0     Link encap:Ethernet  HWaddr 4e:99:98:cc:48:6d  
          inet6 addr: fe80::4c99:98ff:fecc:486d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:75 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1902 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:6799 (6.7 KB)  TX bytes:140261 (140.2 KB)

brctl show br0

bridge name     bridge id           STP enabled   interfaces
br0             8000.001e67ad9e1d   no            em1

brctl show br1

bridge name     bridge id           STP enabled   interfaces
br1             8000.001e67ad9e1e   no            em2
                                                  veth0

ip route

default via 71.95.216.1 dev br0 
10.0.0.0/24 dev br1  proto kernel  scope link  src 10.0.0.1 
71.95.216.0/23 dev br0  proto kernel  scope link  src 71.95.217.302

route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use  Iface
default         71-95-216-1.sta 0.0.0.0         UG    0      0        0  br0
10.0.0.0        *               255.255.255.0   U     0      0        0  br1
71.95.216.0     *               255.255.254.0   U     0      0        0  br0

ip netns exec vpn ifconfig

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

veth1     Link encap:Ethernet  HWaddr 3e:0a:b5:c6:f4:07  
          inet addr:10.0.0.254  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::3c0a:b5ff:fec6:f407/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1987 errors:0 dropped:0 overruns:0 frame:0
          TX packets:75 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:146530 (146.5 KB)  TX bytes:6799 (6.7 KB)

ip netns exec vpn ip route

default via 10.0.0.1 dev veth1 
10.0.0.0/24 dev veth1  proto kernel  scope link  src 10.0.0.254

ip netns exec vpn route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use  Iface
default         10.0.0.1        0.0.0.0         UG    0      0        0  veth1
10.0.0.0        *               255.255.255.0   U     0      0        0  veth1

I ran tcpdump -v -i br1 > file while running ping 10.0.0.254 from 10.0.0.4, then grepped the tcpdump output file for 10.0.0.254. The full tcpdump (it is not long) can be seen here: http://Pastebin.com/raw.php?i=Rs9dpw4V

21:07:55.648413 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.254 tell 10.0.0.4, length 46
21:07:55.648448 ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.0.0.254 is-at 3e:0a:b5:c6:f4:07 (oui Unknown), length 28
    10.0.0.4 > 10.0.0.254: ICMP echo request, id 11630, seq 0, length 64
    10.0.0.4 > 10.0.0.254: ICMP echo request, id 11630, seq 1, length 64
    10.0.0.4 > 10.0.0.254: ICMP echo request, id 11630, seq 2, length 64
    10.0.0.4 > 10.0.0.254: ICMP echo request, id 11630, seq 3, length 64
    10.0.0.4 > 10.0.0.254: ICMP echo request, id 11630, seq 4, length 64
    10.0.0.4 > 10.0.0.254: ICMP echo request, id 11630, seq 5, length 64
    10.0.0.4 > 10.0.0.254: ICMP echo request, id 11630, seq 6, length 64
    10.0.0.4 > 10.0.0.254: ICMP echo request, id 11630, seq 7, length 64
    10.0.0.4 > 10.0.0.254: ICMP echo request, id 11630, seq 8, length 64
    10.0.0.4 > 10.0.0.254: ICMP echo request, id 11630, seq 9, length 64
    10.0.0.4 > 10.0.0.254: ICMP echo request, id 11630, seq 10, length 64
    10.0.0.4 > 10.0.0.254: ICMP echo request, id 11630, seq 11, length 64

Let me know if any information is missing.

Edit:

iptables -L -nv

Chain INPUT (policy ACCEPT 33M packets, 45G bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 17439 packets, 3112K bytes)
 pkts bytes target     prot opt in     out     source               destination         
2640K 3411M ACCEPT     all  --  br0    br1     0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2470K  464M ACCEPT     all  --  br1    br0     0.0.0.0/0            0.0.0.0/0           
17439 3112K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4

Chain OUTPUT (policy ACCEPT 21M packets, 35G bytes)
 pkts bytes target     prot opt in     out     source               destination

iptables -t nat -L -nv

Chain PREROUTING (policy ACCEPT 280K packets, 30M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 187K packets, 22M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 198K packets, 13M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 58488 packets, 3569K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 222K   15M MASQUERADE  all  --  *      br0     0.0.0.0/0            0.0.0.0/0

ip netns exec vpn arping -I veth1 -c 3 10.0.0.2

ARPING 10.0.0.2
60 bytes from 90:72:40:05:79:87 (10.0.0.2): index=0 time=1.001 sec
60 bytes from 90:72:40:05:79:87 (10.0.0.2): index=1 time=1.001 sec
60 bytes from 90:72:40:05:79:87 (10.0.0.2): index=2 time=1.001 sec

--- 10.0.0.2 statistics ---

arping -I br1 -c 3 10.0.0.254

ARPING 10.0.0.254
42 bytes from 3e:0a:b5:c6:f4:07 (10.0.0.254): index=0 time=1.001 sec
42 bytes from 3e:0a:b5:c6:f4:07 (10.0.0.254): index=1 time=1.001 sec
42 bytes from 3e:0a:b5:c6:f4:07 (10.0.0.254): index=2 time=1.001 sec

--- 10.0.0.254 statistics ---
3 packets transmitted, 3 packets received,   0% unanswered (0 extra)
3
David Custer

I assume that if you run sudo iptables -L | grep policy, you get the following:

Chain INPUT (policy ACCEPT)
Chain FORWARD (policy DROP)
Chain OUTPUT (policy ACCEPT)

If you simply run iptables --policy FORWARD ACCEPT, the problem will be solved. However, using a server without configuring iptables correctly can be dangerous, so to get started with iptables I recommend referring to this excellent guide.

1
David Custer
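Added example, not code from the question or the answer: the FORWARD chain posted above is replayed for the two paths involved, and a narrower fix than iptables --policy FORWARD ACCEPT is shown (accept only br1-to-br1 forwarding and keep the DROP policy). It assumes the bridge-netfilter hook (net.bridge.bridge-nf-call-iptables=1) is handing frames bridged inside br1 to iptables, so a laptop-to-veth1 ping is evaluated with in=br1 and out=br1, which is what the LOG counters and the answer's fix point to; the helper names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): replay the FORWARD chain from the
# question against saved `iptables -L -nv` text. Assumes bridged frames reach
# iptables (bridge-nf-call-iptables=1), so laptop -> veth1 has in=br1 AND out=br1.

# Constructed input mirroring the FORWARD chain in the question's edit.
SAMPLE='Chain FORWARD (policy DROP 17439 packets, 3112K bytes)
 pkts bytes target     prot opt in     out     source               destination
2640K 3411M ACCEPT     all  --  br0    br1     0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2470K  464M ACCEPT     all  --  br1    br0     0.0.0.0/0            0.0.0.0/0
17439 3112K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
Chain OUTPUT (policy ACCEPT 21M packets, 35G bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Default policy of the FORWARD chain (ACCEPT or DROP).
forward_policy() {
    printf '%s\n' "$1" | awk '/^Chain FORWARD/ { print $4 }'
}

# Verdict for one packet: first terminal rule whose in/out interfaces (and
# ctstate, if the rule has one) match; LOG is non-terminal; else the policy.
# $1=ruleset text  $2=in iface  $3=out iface  $4=conntrack state (NEW|ESTABLISHED)
forward_verdict() {
    printf '%s\n' "$1" | awk -v in_if="$2" -v out_if="$3" -v st="$4" '
        /^Chain FORWARD/ { inchain = 1; policy = $4; next }
        /^Chain /        { inchain = 0 }
        inchain && $1 ~ /^[0-9]/ && $3 != "LOG" &&
            ($6 == "*" || $6 == in_if) && ($7 == "*" || $7 == out_if) &&
            ($0 !~ /ctstate/ || index($0, st)) { print $3; found = 1; exit }
        END { if (!found) print policy }'
}

# The same chain after `iptables -I FORWARD -i br1 -o br1 -j ACCEPT`, inserted
# at the top with policy DROP kept (constructed, formatted as -L -nv shows it).
with_intra_bridge_accept() {   # $1=ruleset text  $2=bridge name
    printf '%s\n' "$1" | awk -v br="$2" '
        /^Chain FORWARD/ { f = 1 }
        { print }
        f && /^ *pkts/ { printf "    0     0 ACCEPT     all  --  %-6s %-7s 0.0.0.0/0            0.0.0.0/0\n", br, br; f = 0 }'
}

FIXED=$(with_intra_bridge_accept "$SAMPLE" br1)

echo "FORWARD policy:                       $(forward_policy "$SAMPLE")"
echo "laptop -> Internet  (br1->br0, NEW):  $(forward_verdict "$SAMPLE" br1 br0 NEW)"
echo "laptop -> namespace (br1->br1, NEW):  $(forward_verdict "$SAMPLE" br1 br1 NEW)"
echo "namespace path after narrow rule:     $(forward_verdict "$FIXED" br1 br1 NEW)"
```

The other way to get the same effect is to keep bridged frames out of iptables entirely (sysctl net.bridge.bridge-nf-call-iptables=0), at the cost of no longer being able to filter traffic between ports of the same bridge.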