Iptables
專用網路上第二個介面的 NAT
我為我的兩個網路介面配置了以下內容。
eth1 10.93.90.1(生產網路)
eth0 192.160.0.1(私有網路/Labb 網路)
我想用 NAT 配置 eth0,這樣我就可以通過 eth1 與生產網路進行通信。
這是我嘗試過的:
root@10.93.90.1 # echo 1 > /proc/sys/net/ipv4/ip_forward root@10.93.90.1 # iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE root@10.93.90.1 # iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT root@10.93.90.1 # iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT但是ip地址為192.168.0.236的eth0介面連接的節點無法與生產網路(10.0.0.0)上的其他節點通信。但是它可以與主機通信:
root@192.168.0.236 # ping 10.93.90.1 10.93.90.1 is alive!但不是生產網路上的任何其他主機:
root@192.168.0.236 # ping 10.93.89.1 No response from 10.93.89.1當我從主機本身 ping 時,這工作正常:
root@10.93.90.1 # ping 10.93.89.1 PING 10.93.89.1 (10.93.89.1) 56(84) bytes of data.我在這裡錯過了什麼嗎?還是僅使用 NAT 無法做到這一點?
更新 1
主機 eth1 (10.93.90.1) 的路由表:
root@10.93.90.1 # route Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface default fafne-vlan93.se 0.0.0.0 UG 0 0 0 eth1 10.93.0.0 * 255.255.0.0 U 0 0 0 eth1 192.168.0.0 * 255.255.255.0 U 0 0 0 eth0主機 eth0 (192.168.0.236) 的路由表
root@192.168.0.236 # ip route list default via 192.168.0.1 dev eth0 default dev eth0 scope link metric 99 169.254.0.0/16 dev eth0 proto kernel scope link src 169.254.221.167 169.254.0.0/16 dev eth0 scope link metric 99 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.236更新 2
我更改了以下規則:
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT到:
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT我還添加了以下規則來調試 ping:
iptables -I FORWARD -j LOG --log-prefix 'SNOOP_'這是我從 192.168.0.236 ping 到 10.93.89.1 時記錄的內容:
Apr 1 09:14:44 lnxchrispet kernel: [2415274.711664] SNOOP_IN=eth0 OUT=eth1 MAC=90:e2:ba:3c:87:c4:ac:cc:8e:37:47:a6:08:00 SRC=192.168.0.236 DST=10.93.89.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=9639 DF PROTO=ICMP TYPE=8 CODE=0 ID=0 SEQ=0 Apr 1 09:14:44 lnxchrispet kernel: [2415274.711935] SNOOP_IN=eth1 OUT=eth0 MAC=7c:05:07:0e:36:03:70:54:d2:7c:45:be:08:00 SRC=10.93.89.1 DST=192.168.0.236 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=58826 PROTO=ICMP TYPE=0 CODE=0 ID=0 SEQ=0更新 3
這是所有為 nat 載入的核心模組:
root@10.93.90.1 # lsmod |grep nat iptable_nat 12928 1 nf_nat 18231 2 iptable_nat,ipt_MASQUERADE nf_conntrack_ipv4 14078 3 nf_nat,iptable_nat nf_conntrack 52720 5 nf_conntrack_ipv4,nf_nat,iptable_nat,ipt_MASQUERADE,xt_state ip_tables 22042 2 iptable_nat,iptable_filter x_tables 19118 6 ip_tables,iptable_nat,ipt_MASQUERADE,iptable_filter,xt_state,ipt_LOG這個模組好像不見了,有關係嗎?
nf_nat_ipv4我試圖載入它,但我似乎沒有工作:
root@10.93.90.1 # modprobe -v nf_nat_ipv4 root@10.93.90.1 # lsmod |grep nat iptable_nat 12928 1 nf_nat 18231 2 iptable_nat,ipt_MASQUERADE nf_conntrack_ipv4 14078 3 nf_nat,iptable_nat nf_conntrack 52720 5 nf_conntrack_ipv4,nf_nat,iptable_nat,ipt_MASQUERADE,xt_state ip_tables 22042 2 iptable_nat,iptable_filter x_tables 19118 6 ip_tables,iptable_nat,ipt_MASQUERADE,iptable_filter,xt_state,ipt_LOG更新 4
似乎有些不對勁,缺少有關 NAT 的模組:
root@10.93.90.1 # ls -l /lib/modules/3.2.0-4-amd64/kernel/net/netfilter total 1076 drwxr-xr-x 2 root root 4096 Mar 4 06:42 ipset drwxr-xr-x 2 root root 4096 Mar 4 06:42 ipvs -rw-r--r-- 1 root root 10416 Feb 29 18:10 nf_conntrack_amanda.ko -rw-r--r-- 1 root root 4336 Feb 29 18:10 nf_conntrack_broadcast.ko -rw-r--r-- 1 root root 14440 Feb 29 18:10 nf_conntrack_ftp.ko -rw-r--r-- 1 root root 67360 Feb 29 18:10 nf_conntrack_h323.ko -rw-r--r-- 1 root root 12944 Feb 29 18:10 nf_conntrack_irc.ko -rw-r--r-- 1 root root 116096 Feb 29 18:10 nf_conntrack.ko -rw-r--r-- 1 root root 5552 Feb 29 18:10 nf_conntrack_netbios_ns.ko -rw-r--r-- 1 root root 32528 Feb 29 18:10 nf_conntrack_netlink.ko -rw-r--r-- 1 root root 14416 Feb 29 18:10 nf_conntrack_pptp.ko -rw-r--r-- 1 root root 16672 Feb 29 18:10 nf_conntrack_proto_dccp.ko -rw-r--r-- 1 root root 11912 Feb 29 18:10 nf_conntrack_proto_gre.ko -rw-r--r-- 1 root root 15192 Feb 29 18:10 nf_conntrack_proto_sctp.ko -rw-r--r-- 1 root root 8992 Feb 29 18:10 nf_conntrack_proto_udplite.ko -rw-r--r-- 1 root root 10664 Feb 29 18:10 nf_conntrack_sane.ko -rw-r--r-- 1 root root 36480 Feb 29 18:10 nf_conntrack_sip.ko -rw-r--r-- 1 root root 6352 Feb 29 18:10 nf_conntrack_snmp.ko -rw-r--r-- 1 root root 10240 Feb 29 18:10 nf_conntrack_tftp.ko -rw-r--r-- 1 root root 11400 Feb 29 18:10 nfnetlink.ko -rw-r--r-- 1 root root 20120 Feb 29 18:10 nfnetlink_log.ko -rw-r--r-- 1 root root 18920 Feb 29 18:10 nfnetlink_queue.ko -rw-r--r-- 1 root root 4952 Feb 29 18:10 nf_tproxy_core.ko -rw-r--r-- 1 root root 44016 Feb 29 18:10 x_tables.ko -rw-r--r-- 1 root root 6904 Feb 29 18:10 xt_addrtype.ko -rw-r--r-- 1 root root 7688 Feb 29 18:10 xt_AUDIT.ko -rw-r--r-- 1 root root 4912 Feb 29 18:10 xt_CHECKSUM.ko -rw-r--r-- 1 root root 4384 Feb 29 18:10 xt_CLASSIFY.ko -rw-r--r-- 1 root root 5440 Feb 29 18:10 xt_cluster.ko -rw-r--r-- 1 root root 4144 Feb 29 18:10 xt_comment.ko -rw-r--r-- 1 root root 5480 Feb 29 18:10 xt_connbytes.ko -rw-r--r-- 1 root root 8776 Feb 29 18:10 xt_connlimit.ko -rw-r--r-- 1 root root 6560 Feb 29 18:10 xt_connmark.ko -rw-r--r-- 1 root root 6272 Feb 29 18:10 xt_CONNSECMARK.ko -rw-r--r-- 1 root root 7032 Feb 29 18:10 xt_conntrack.ko -rw-r--r-- 1 root root 4400 Feb 29 18:10 xt_cpu.ko -rw-r--r-- 1 root root 7232 Feb 29 18:10 xt_CT.ko -rw-r--r-- 1 root root 6376 Feb 29 18:10 xt_dccp.ko -rw-r--r-- 1 root root 4352 Feb 29 18:10 xt_devgroup.ko -rw-r--r-- 1 root root 5448 Feb 29 18:10 xt_dscp.ko -rw-r--r-- 1 root root 6176 Feb 29 18:10 xt_DSCP.ko -rw-r--r-- 1 root root 4704 Feb 29 18:10 xt_esp.ko -rw-r--r-- 1 root root 17592 Feb 29 18:10 xt_hashlimit.ko -rw-r--r-- 1 root root 5280 Feb 29 18:10 xt_helper.ko -rw-r--r-- 1 root root 4472 Feb 29 18:10 xt_hl.ko -rw-r--r-- 1 root root 5896 Feb 29 18:10 xt_HL.ko -rw-r--r-- 1 root root 10888 Feb 29 18:10 xt_IDLETIMER.ko -rw-r--r-- 1 root root 4848 Feb 29 18:10 xt_iprange.ko -rw-r--r-- 1 root root 5672 Feb 29 18:10 xt_ipvs.ko -rw-r--r-- 1 root root 8168 Feb 29 18:10 xt_LED.ko -rw-r--r-- 1 root root 4456 Feb 29 18:10 xt_length.ko -rw-r--r-- 1 root root 6480 Feb 29 18:10 xt_limit.ko -rw-r--r-- 1 root root 4200 Feb 29 18:10 xt_mac.ko -rw-r--r-- 1 root root 4936 Feb 29 18:10 xt_mark.ko -rw-r--r-- 1 root root 5144 Feb 29 18:10 xt_multiport.ko -rw-r--r-- 1 root root 4536 Feb 29 18:10 xt_NFLOG.ko -rw-r--r-- 1 root root 6080 Feb 29 18:10 xt_NFQUEUE.ko -rw-r--r-- 1 root root 4792 Feb 29 18:10 xt_NOTRACK.ko -rw-r--r-- 1 root root 9536 Feb 29 18:10 xt_osf.ko -rw-r--r-- 1 root root 4272 Feb 29 18:10 xt_owner.ko -rw-r--r-- 1 root root 5192 Feb 29 18:10 xt_physdev.ko -rw-r--r-- 1 root root 4224 Feb 29 18:10 xt_pkttype.ko -rw-r--r-- 1 root root 5896 Feb 29 18:10 xt_policy.ko -rw-r--r-- 1 root root 5120 Feb 29 18:10 xt_quota.ko -rw-r--r-- 1 root root 5960 Feb 29 18:10 xt_rateest.ko -rw-r--r-- 1 root root 8968 Feb 29 18:10 xt_RATEEST.ko -rw-r--r-- 1 root root 4072 Feb 29 18:10 xt_realm.ko -rw-r--r-- 1 root root 20136 Feb 29 18:10 xt_recent.ko -rw-r--r-- 1 root root 5432 Feb 29 18:10 xt_sctp.ko -rw-r--r-- 1 root root 6856 Feb 29 18:10 xt_SECMARK.ko -rw-r--r-- 1 root root 10432 Feb 29 18:10 xt_set.ko -rw-r--r-- 1 root root 8704 Feb 29 18:10 xt_socket.ko -rw-r--r-- 1 root root 5056 Feb 29 18:10 xt_state.ko -rw-r--r-- 1 root root 5232 Feb 29 18:10 xt_statistic.ko -rw-r--r-- 1 root root 5088 Feb 29 18:10 xt_string.ko -rw-r--r-- 1 root root 5024 Feb 29 18:10 xt_tcpmss.ko -rw-r--r-- 1 root root 8496 Feb 29 18:10 xt_TCPMSS.ko -rw-r--r-- 1 root root 5616 Feb 29 18:10 xt_TCPOPTSTRIP.ko -rw-r--r-- 1 root root 6376 Feb 29 18:10 xt_tcpudp.ko -rw-r--r-- 1 root root 9216 Feb 29 18:10 xt_TEE.ko -rw-r--r-- 1 root root 6024 Feb 29 18:10 xt_time.ko -rw-r--r-- 1 root root 10848 Feb 29 18:10 xt_TPROXY.ko -rw-r--r-- 1 root root 4184 Feb 29 18:10 xt_TRACE.ko -rw-r--r-- 1 root root 5176 Feb 29 18:10 xt_u32.ko目前核心是 Debian Wheezy 系統上的 3.2.0-4-amd64
root@10.93.90.1 # uname -r 3.2.0-4-amd64 root@10.93.90.1 # lsb_release -a No LSB modules are available. Distributor ID: Debian Description: Debian GNU/Linux 7.9 (wheezy) Release: 7.9 Codename: wheezy我將嘗試安裝 wheezy-backports 核心 3.16.0-0.bpo.4-amd64。
更新 5
我可以在啟動 wheezy-backports 核心 3.16.0-0.bpo.4-amd64 後載入正確的模組
root@10.93.90.1 # uname -r 3.16.0-0.bpo.4-amd64 root@10.93.90.1 # modprobe -v iptable_nat insmod /lib/modules/3.16.0-0.bpo.4-amd64/kernel/net/netfilter/x_tables.ko insmod /lib/modules/3.16.0-0.bpo.4-amd64/kernel/net/netfilter/nf_conntrack.ko insmod /lib/modules/3.16.0-0.bpo.4-amd64/kernel/net/netfilter/nf_nat.ko insmod /lib/modules/3.16.0-0.bpo.4-amd64/kernel/net/ipv4/netfilter/nf_nat_ipv4.ko insmod /lib/modules/3.16.0-0.bpo.4-amd64/kernel/net/ipv4/netfilter/ip_tables.ko insmod /lib/modules/3.16.0-0.bpo.4-amd64/kernel/net/ipv4/netfilter/iptable_nat.ko root@10.93.90.1 # lsmod |grep nat iptable_nat 12646 1 ip_tables 25967 2 iptable_filter,iptable_nat nf_nat_ipv4 12912 1 iptable_nat nf_nat 18159 3 ipt_MASQUERADE,nf_nat_ipv4,iptable_nat nf_conntrack 91426 6 ipt_MASQUERADE,nf_nat,xt_state,nf_nat_ipv4,iptable_nat,nf_conntrack_ipv4
因此,Debian Wheezy 安裝似乎有一個錯誤的核心,或者它沒有完全支持 NAT。它缺少一個特定的核心模組,
nf_nat_ipv4. 可以在這裡看到:root@10.93.90.1 # lsmod |grep nat iptable_nat 12928 1 nf_nat 18231 2 iptable_nat,ipt_MASQUERADE nf_conntrack_ipv4 14078 3 nf_nat,iptable_nat nf_conntrack 52720 5 nf_conntrack_ipv4,nf_nat,iptable_nat,ipt_MASQUERADE,xt_state ip_tables 22042 2 iptable_nat,iptable_filter x_tables 19118 6 ip_tables,iptable_nat,ipt_MASQUERADE,iptable_filter,xt_state,ipt_LOG安裝 3.16.0-0.bpo.4-amd64 核心
Debian Wheezy 的預設核心是
3.2.0-4-amd64. 所以我安裝了 wheezy-backports kernel3.16.0-0.bpo.4-amd64。root@10.93.90.1 # apt-get update root@10.93.90.1 # apt-get install linux-image-3.16.0-0.bpo.4-amd64 linux-headers-3.16.0-0.bpo.4-all-amd64 The following packages have unmet dependencies: linux-image-3.16.0-0.bpo.4-amd64 : Depends: initramfs-tools (>= 0.110~) but it is not going to be installed E: Unable to correct problems, you have held broken packages.APT 抱怨無法將正確的 initramfs-tools 包安裝為依賴項。所以我不得不從 wheezy-backports 拳頭安裝它:
root@10.93.90.1 # apt-get -t wheezy-backports install initramfs-tools然後我可以安裝
3.16.0-0.bpo.4-amd64核心:root@10.93.90.1 # apt-get install linux-image-3.16.0-0.bpo.4-amd64 linux-headers-3.16.0-0.bpo.4-all-amd64然後我重新啟動系統並繼續載入 NAT 核心模組。
載入 NAT 核心模組
我首先檢查我是否載入了正確的核心:
root@10.93.90.1 # uname -r 3.16.0-0.bpo.4-amd64系統目前正在執行反向移植核心。然後我繼續載入 NAT 核心模組:
root@10.93.90.1 # modprobe -v iptable_nat insmod /lib/modules/3.16.0-0.bpo.4-amd64/kernel/net/netfilter/x_tables.ko insmod /lib/modules/3.16.0-0.bpo.4-amd64/kernel/net/netfilter/nf_conntrack.ko insmod /lib/modules/3.16.0-0.bpo.4-amd64/kernel/net/netfilter/nf_nat.ko insmod /lib/modules/3.16.0-0.bpo.4-amd64/kernel/net/ipv4/netfilter/nf_nat_ipv4.ko insmod /lib/modules/3.16.0-0.bpo.4-amd64/kernel/net/ipv4/netfilter/ip_tables.ko insmod /lib/modules/3.16.0-0.bpo.4-amd64/kernel/net/ipv4/netfilter/iptable_nat.ko root@10.93.90.1 # lsmod |grep nat iptable_nat 12646 1 ip_tables 25967 2 iptable_filter,iptable_nat nf_nat_ipv4 12912 1 iptable_nat nf_nat 18159 3 ipt_MASQUERADE,nf_nat_ipv4,iptable_nat nf_conntrack 91426 6 ipt_MASQUERADE,nf_nat,xt_state,nf_nat_ipv4,iptable_nat,nf_conntrack_ipv4測試 NAT
然後我再次配置了 ip 轉發和 NAT,因為它在啟動後消失了:
root@10.93.90.1 # echo 1 > /proc/sys/net/ipv4/ip_forward root@10.93.90.1 # iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE然後我測試從 192.168.0.236 ping 並且它工作:
root@192.168.0.236 # ping 10.93.89.1 10.93.89.1 is alive!結論
問題是無法載入正確的 NAT 核心模組,為了解決這個問題,我必須從 wheezy-backports 安裝核心並載入 NAT 核心模組。