我有一个Ubuntu 12.04(最终测试版,最新版)服务器,带有两个配置的网络接口:
root@mac:/home/sysadm# ifconfig
eth0 Link encap:Ethernet HWaddr 00:1e:4f:28:fd:7b
inet addr:172.18.8.10 Bcast:172.18.8.255 Mask:255.255.255.0
inet6 addr: fe80::21e:4fff:fe28:fd7b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3362 errors:0 dropped:0 overruns:0 frame:0
TX packets:8561 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:273506 (273.5 KB) TX bytes:3174766 (3.1 MB)
Interrupt:38 Memory:dc000000-dc012800
eth4 Link encap:Ethernet HWaddr 00:02:c9:09:a4:c8
inet addr:xxx.yy.4.235 Bcast:xxx.yy.5.255 Mask:255.255.254.0
inet6 addr: fe80::202:c9ff:fe09:a4c8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:59277 errors:0 dropped:52 overruns:0 frame:0
TX packets:34 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5138237 (5.1 MB) TX bytes:6462 (6.4 KB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1412 errors:0 dropped:0 overruns:0 frame:0
TX packets:1412 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:107356 (107.3 KB) TX bytes:107356 (107.3 KB)
root@mac:/home/sysadm# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.18.8.254 0.0.0.0 UG 100 0 0 eth0
xxx.yy.4.0 0.0.0.0 255.255.254.0 U 0 0 0 eth4
172.18.8.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
如您所见,eth0位于172.18.8.0/24网络(“8-net”)上,eth4位于xxx.yy.4.0 / 23网络(“4-net”)上.这两个网络都通过路由器连接.许多机器都在两个网络上(一次一个),并且能够毫无问题地进行通信.当4-net上的第二台机器试图与172.18.8.10通话时,数据包似乎被丢弃. SSH尝试的tcpdump如下:
root@mac:/home/sysadm# ufw allow from any to any port 1022 Rule added Rule added (v6) root@mac:/home/sysadm# sshd -de -p 1022 sshd re-exec requires execution with an absolute path root@mac:/home/sysadm# which sshd /usr/sbin/sshd root@mac:/home/sysadm# /usr/sbin/sshd -de -p 1022 debug1: sshd version OpenSSH_5.9p1 Debian-5ubuntu1 debug1: read PEM private key done: type RSA debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048 debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048 debug1: private host key: #0 type 1 RSA debug1: read PEM private key done: type DSA debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024 debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024 debug1: private host key: #1 type 2 DSA debug1: read PEM private key done: type ECDSA debug1: Checking blacklist file /usr/share/ssh/blacklist.ECDSA-256 debug1: Checking blacklist file /etc/ssh/blacklist.ECDSA-256 debug1: private host key: #2 type 3 ECDSA debug1: rexec_argv[0]='/usr/sbin/sshd' debug1: rexec_argv[1]='-de' debug1: rexec_argv[2]='-p' debug1: rexec_argv[3]='1022' Set /proc/self/oom_score_adj from 0 to -1000 debug1: Bind to port 1022 on 0.0.0.0. Server listening on 0.0.0.0 port 1022. debug1: Bind to port 1022 on ::. Server listening on :: port 1022. ^Z [1]+ Stopped /usr/sbin/sshd -de -p 1022 root@mac:/home/sysadm# bg [1]+ /usr/sbin/sshd -de -p 1022 & root@mac:/home/sysadm# tcpdump -nvlli eth0 'host xxx.yy.4.29' tcpdump: listening on eth0,link-type EN10MB (Ethernet),capture size 65535 bytes 18:16:33.370081 IP (tos 0x0,ttl 63,id 29087,offset 0,flags [DF],proto TCP (6),length 60) xxx.yy.4.29.42667 > 172.18.8.10.1022: Flags [S],cksum 0xdc29 (correct),seq 107513294,win 14600,options [mss 1460,sackOK,TS val 3473994833 ecr 0,nop,wscale 7],length 0 18:16:36.369860 IP (tos 0x0,id 29088,cksum 0xd071 (correct),TS val 3473997833 ecr 0,length 0 18:16:42.369300 IP (tos 0x0,id 29089,cksum 0xb901 (correct),TS val 3474003833 ecr 0,length 0
为了完整性:
root@mac:/home/sysadm# ufw status Status: active To Action From -- ------ ---- 22 ALLOW Anywhere 1022 ALLOW Anywhere 22 ALLOW Anywhere (v6) 1022 ALLOW Anywhere (v6)
进行连接的节点会超时.其他协议也受到影响. Echo请求超时.但是,8-net上的节点和不是4-net的所有其他网络都能够完美地进行通信.日志不显示任何内容.其他“UFW BLOCK”条目存在于/ var / log / syslog中,但不存在相关的条目.
简而言之,一台机器有两个接口,网络8上的eth0和网络4上的eth4.来自网络4的其他节点不能与eth0通信,但来自所有其他网络的节点都可以.逻辑上的反面也适用:网络8节点试图与eth4体验超时.这是一个功能还是一个bug?我不应该期望能够与具有两个接口的机器上的逻辑错误接口通话吗?
如果重要,这是戴尔PowerEdge R900. eth0是集成端口“NetXtreme II BCM5708千兆以太网”,eth4是Mellanox Technologies的附加卡“MT26448 [ConnectX EN 10GigE,PCIe 2.0 5GT / s]”上的两个端口之一.
编辑:禁用防火墙时问题仍然存在. tcpdump仍然显示进入的数据包(回应请求),没有响应被发送出去.
编辑:更多输出:这是涉及远程主机’xxx.yy.4.29’的eth4流量转储.从xxx.yy.4.29开始,我发现了172.18.8.10和xxx.yy.4.235.这是输出.
root@mac:/home/sysadm# tcpdump -nvlli eth4 'host xxx.yy.4.29'
tcpdump: listening on eth4,capture size 65535 bytes
20:25:04.401449 ARP,Ethernet (len 6),IPv4 (len 4),Request who-has xxx.yy.4.235 tell xxx.yy.4.29,length 46
20:25:04.401492 ARP,Reply xxx.yy.4.235 is-at 00:02:c9:09:a4:c8,length 28
20:25:04.401647 IP (tos 0x0,ttl 64,id 0,proto ICMP (1),length 84)
xxx.yy.4.29 > xxx.yy.4.235: ICMP echo request,id 32312,seq 1,length 64
20:25:04.401706 IP (tos 0x0,id 42264,flags [none],length 84)
xxx.yy.4.235 > xxx.yy.4.29: ICMP echo reply,length 64
20:25:05.401200 IP (tos 0x0,seq 2,length 64
20:25:05.401211 IP (tos 0x0,id 42265,length 64
20:25:09.402234 ARP,Request who-has xxx.yy.4.29 tell xxx.yy.4.235,length 28
20:25:09.402383 ARP,Reply xxx.yy.4.29 is-at 78:2b:cb:90:95:98,length 46
20:25:09.402747 ARP,length 46
编辑:这只是一台测试机器.我无法想象一个真实世界的场景,我需要通过4-net接口路由8-net通信.我可以看到这将是一个众所周知的问题,解决方案的好处是不值得解决问题的努力.
解决方法
你在这里看到的是
reverse path filtering.内核正在丢弃数据包,因为它们似乎来自“错误的”接口.要检查RPF是否已启用,请运行cat / proc / sys / net / ipv4 / conf / eth0 / rp_filter(对于eth4也是如此).要禁用它,请将0回显到thoses文件中.
即使禁用了RPF,你的路由也会有点奇怪,就像@NathanG所说的那样(响应数据包会出现一个不同于它们的接口).如果您的路由器不是太聪明(即没有RPF或其他欺骗保护),这应该仍然有效.
你需要正确设置它是基于源地址的一些policy routing(即告诉内核根据源地址不同地路由数据包).我们通过设置多个路由表,然后添加一些规则来选择要使用的表来完成此操作.
首先,命名一些表(您只需要执行一次).
echo "14 net4" >> /etc/iproute2/rt_tables echo "18 net8" >> /etc/iproute2/rt_tables
然后添加到这些新表的路由(我假设这台机器可以通过eth0或eth4上的路由器访问Internet).
ip route add xx.yy.4.0/23 dev eth4 table net4 ip route add default via xx.yy.4.1 table net4 ip route add 172.18.8.0/24 dev eth0 table net8 ip route add default via 172.18.8.254 table net8
最后添加一些规则,根据数据包的源地址选择合适的表.
ip rule add from xx.yy.4.0/23 lookup net4 ip rule add from 172.18.8.0/24 lookup net8
