IP routing not working
I configured a bridge for my virtual machine. The VM can ping the host, but it cannot ping anything on the Internet. My configuration:

    # ip route
    default via 192.168.1.100 dev wlp3s0
    192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.106 metric 600
    192.168.10.0/24 dev br0 proto kernel scope link src 192.168.10.1
Bridge

    # brctl show br0
    bridge name     bridge id               STP enabled     interfaces
    br0             8000.7a19fd532c51       no              tap0
Configuration

    # ifconfig
    br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.10.1  netmask 255.255.255.0  broadcast 192.168.10.255
            inet6 fe80::7819:fdff:fe53:2c51  prefixlen 64  scopeid 0x20<link>
            ether 7a:19:fd:53:2c:51  txqueuelen 1000  (Ethernet)
            RX packets 1206  bytes 110944 (108.3 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 296  bytes 28842 (28.1 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    enp2s0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
            ether 44:a8:42:ea:5e:fb  txqueuelen 1000  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
            loop  txqueuelen 0  (Local Loopback)
            RX packets 1348  bytes 249670 (243.8 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 1348  bytes 249670 (243.8 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    tap0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            ether fe:3f:76:37:c2:8a  txqueuelen 500  (Ethernet)
            RX packets 547  bytes 57652 (56.3 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 229  bytes 21306 (20.8 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    wlp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.1.106  netmask 255.255.255.0  broadcast 192.168.1.255
            inet6 fe80::5ee0:c5ff:fe04:ec  prefixlen 64  scopeid 0x20<link>
            ether 5c:e0:c5:04:00:ec  txqueuelen 1000  (Ethernet)
            RX packets 5061  bytes 3500576 (3.3 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 4400  bytes 684177 (668.1 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
IP TABLES

    # Generated by iptables-save v1.4.21 on Wed Jan 20 03:24:28 2016
    *nat
    :PREROUTING ACCEPT [6064:511451]
    :INPUT ACCEPT [12:3105]
    :OUTPUT ACCEPT [2082:136342]
    :POSTROUTING ACCEPT [771:53334]
    -A POSTROUTING -o wlp3s0 -j MASQUERADE
    COMMIT
    # Completed on Wed Jan 20 03:24:28 2016
    # Generated by iptables-save v1.4.21 on Wed Jan 20 03:24:28 2016
    *mangle
    :PREROUTING ACCEPT [25489:10605237]
    :INPUT ACCEPT [18617:10028011]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [19284:2260048]
    :POSTROUTING ACCEPT [19284:2260048]
    COMMIT
    # Completed on Wed Jan 20 04:20:44 2016
    # Generated by iptables-save v1.4.21 on Wed Jan 20 04:20:44 2016
    *filter
    :INPUT ACCEPT [28:3026]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [22:1683]
    -A FORWARD -i br0 -o wlp3s0 -j ACCEPT
    -A FORWARD -i wlp3s0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    COMMIT
    # Completed on Wed Jan 20 04:20:44 2016
IP forwarding:

    # cat /proc/sys/net/ipv4/ip_forward
    1
TCPDUMP on br0

    # tcpdump -i br0
    dropped privs to tcpdump
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
    03:28:56.847387 IP wordpress.dev > google.pl: ICMP echo request, id 1630, seq 2616, length 64
    03:28:57.855523 IP wordpress.dev > google.pl: ICMP echo request, id 1630, seq 2617, length 64

TCPDUMP on wlp3s0 - no packets from br0
UPDATE
I create my bridge by enabling systemctl enable systemd-networkd and systemctl enable iptables. When I create my bridge "by hand", everything works.

/etc/systemd/network/LocalBridge.netdev

    [NetDev]
    Name=br0
    Kind=bridge

/etc/systemd/network/LocalBridge.network

    [Match]
    Name=br0

    [Network]
    Address=192.168.10.1/24

/etc/systemd/system/iptables.service.d/10iptables.conf

    [Service]
    Environment="IPTABLES_INIT=/var/lib/iptables/init-IPv4.rules"
    Environment="IP6TABLES_INIT=/var/lib/iptables/init-IPv6.rules"
    Environment="COUNTERS=yes"

/var/lib/iptables/init-IPv4.rules is the same as the "IP TABLES" section above. /var/lib/iptables/init-IPv6.rules is not used.

Any idea what is wrong? Or how to properly configure the initial bridge at system boot using systemd?
I thought systemd-networkd was just something that creates interfaces at boot, but it looks like more than that. It has its own routing solution and should not be used together with NetworkManager, which I need for managing the wireless network. Systemd-networkd is designed for servers or computers that are statically connected to the network.
Now I have decided not to use systemd-networkd. My better solution is to create the bridge in NetworkManager, so that it is created automatically.
Problem solved.
Your filter table is missing some important lines in FORWARD.

    -A FORWARD -i wlp3s0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i br0 -o wlp3s0 -j ACCEPT

Just because you have a bridge and IP forwarding turned on in the kernel doesn't mean traffic will magically move around and get NAT'd. iptables needs to know what to do with the traffic.
If you are still having problems, I would add those lines first and then troubleshoot further.
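An added example, not code from the question or from either answer: a POSIX shell script that audits an iptables-save dump for the three rules the answer above names (the MASQUERADE in nat POSTROUTING, the outbound FORWARD accept, and the RELATED,ESTABLISHED return rule) and also flags the one thing the question's ruleset has that neither answer mentions, a FORWARD chain with policy ACCEPT, which makes the host forward between all of its interfaces rather than only br0 and wlp3s0. It then emits a default-deny replacement in iptables-restore format, with MASQUERADE limited to the VM subnet. The interface names (br0, wlp3s0), the subnet 192.168.10.0/24 and the SAMPLE_DUMP are taken from or constructed after the question; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or answers).
# Audits an iptables-save dump for a bridged-VM NAT setup and prints a
# hardened ruleset. Defaults mirror the question: br0, wlp3s0, 192.168.10.0/24.
#
# Live use:   audit_dump "$(iptables-save)" br0 wlp3s0
#             hardened_rules br0 wlp3s0 192.168.10.0/24 | iptables-restore
# (iptables-restore replaces the nat and filter tables it is given.)

# table_section DUMP TABLE -> the lines of DUMP between "*TABLE" and "COMMIT"
table_section() {
  printf '%s\n' "$1" |
    awk -v t="*$2" '$0 == t {in_t = 1; next} /^COMMIT/ {in_t = 0} in_t'
}

# has_rule DUMP TABLE REGEX -> exit 0 if REGEX matches a line in that table
has_rule() {
  table_section "$1" "$2" | grep -q -e "$3"
}

# audit_dump DUMP LAN_IF WAN_IF
#   Prints one line per problem; the exit status is the number of problems.
#   The three "missing" checks are what forwarding from the VM subnet needs;
#   the policy check is the least-privilege point: with ":FORWARD ACCEPT" the
#   explicit rules are decorative, the host forwards between every interface.
audit_dump() {
  dump="$1"; lan="$2"; wan="$3"; problems=0
  has_rule "$dump" nat "^-A POSTROUTING .*-o $wan .*-j MASQUERADE" ||
    { echo "missing: nat POSTROUTING MASQUERADE out $wan"; problems=$((problems + 1)); }
  has_rule "$dump" filter "^-A FORWARD -i $lan -o $wan .*-j ACCEPT" ||
    { echo "missing: filter FORWARD $lan -> $wan ACCEPT"; problems=$((problems + 1)); }
  has_rule "$dump" filter "^-A FORWARD -i $wan -o $lan .*RELATED,ESTABLISHED .*-j ACCEPT" ||
    { echo "missing: filter FORWARD $wan -> $lan RELATED,ESTABLISHED ACCEPT"; problems=$((problems + 1)); }
  has_rule "$dump" filter "^:FORWARD DROP" ||
    { echo "warning: filter FORWARD policy is not DROP (host forwards between all interfaces)"; problems=$((problems + 1)); }
  return $problems
}

# hardened_rules LAN_IF WAN_IF VM_SUBNET -> iptables-restore input on stdout
#   Default-deny FORWARD: only VM_SUBNET on LAN_IF may open connections out
#   through WAN_IF, only replies come back, and MASQUERADE is scoped to VM_SUBNET
#   instead of to everything that happens to leave via WAN_IF.
hardened_rules() {
  lan="$1"; wan="$2"; subnet="$3"
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $subnet -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $lan -o $wan -s $subnet -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $wan -o $lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Constructed sample: the question's nat and filter tables with zeroed counters.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wlp3s0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i br0 -o wlp3s0 -j ACCEPT
-A FORWARD -i wlp3s0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

echo "== audit of the sample dump (question's ruleset) =="
audit_dump "$SAMPLE_DUMP" br0 wlp3s0 || echo "$? problem(s) found"
echo "== audit of the hardened ruleset =="
audit_dump "$(hardened_rules br0 wlp3s0 192.168.10.0/24)" br0 wlp3s0 && echo "ok"
```

Run against the sample, the audit reports only the open FORWARD policy; the question's three rules are present, so an empty capture on wlp3s0 with those rules loaded points at something other than the filter table, such as the rules not being loaded at boot. The hardened set passes all four checks. If a dump is saved from the question's systemd unit, feed it with `audit_dump "$(cat /var/lib/iptables/init-IPv4.rules)" br0 wlp3s0`.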