I am trying to copy packets from machine A to machine B. When I ping machine B from machine A I get a reply. When I ping machine A from machine B there is no reply. Machine A has one network interface. Machine B has two network interfaces: eth0 is on a different subnet from machine A, and eth1 is on the same subnet as machine A.
Machine B (eth1) can ping 10.0.3.1 (the gateway) but cannot ping 10.0.3.100 (machine A).
Both machines are running on AWS.
This is machine B (where ping does not work):
SELinux is set to permissive.
iptables -L:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ip route show table all:
default via 10.0.3.1 dev eth1 table 1000
10.0.3.102 dev eth1 table 1000 scope link
default via 10.0.4.1 dev eth0
10.0.3.0/24 dev eth1 proto kernel scope link src 10.0.3.102
10.0.4.0/24 dev eth0 proto kernel scope link src 10.0.4.100
169.254.0.0/16 dev eth0 scope link metric 1002
169.254.0.0/16 dev eth1 scope link metric 1003
broadcast 10.0.3.0 dev eth1 table local proto kernel scope link src 10.0.3.102
local 10.0.3.102 dev eth1 table local proto kernel scope host src 10.0.3.102
broadcast 10.0.3.255 dev eth1 table local proto kernel scope link src 10.0.3.102
broadcast 10.0.4.0 dev eth0 table local proto kernel scope link src 10.0.4.100
local 10.0.4.100 dev eth0 table local proto kernel scope host src 10.0.4.100
broadcast 10.0.4.255 dev eth0 table local proto kernel scope link src 10.0.4.100
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
unreachable ::/96 dev lo metric 1024 error -113 pref medium
unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113 pref medium
unreachable 2002:a00::/24 dev lo metric 1024 error -113 pref medium
unreachable 2002:7f00::/24 dev lo metric 1024 error -113 pref medium
unreachable 2002:a9fe::/32 dev lo metric 1024 error -113 pref medium
unreachable 2002:ac10::/28 dev lo metric 1024 error -113 pref medium
unreachable 2002:c0a8::/32 dev lo metric 1024 error -113 pref medium
unreachable 2002:e000::/19 dev lo metric 1024 error -113 pref medium
unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113 pref medium
fe80::/64 dev eth0 proto kernel metric 256 mtu 9001 pref medium
fe80::/64 dev eth1 proto kernel metric 256 mtu 9001 pref medium
unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
local ::1 dev lo table local proto unspec metric 0 pref medium
local fe80::3f:c2ff:fe84:c930 dev lo table local proto unspec metric 0 pref medium
local fe80::ff:4ff:fefb:9a86 dev lo table local proto unspec metric 0 pref medium
ff00::/8 dev eth0 table local metric 256 mtu 9001 pref medium
ff00::/8 dev eth1 table local metric 256 mtu 9001 pref medium
unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
ip rule show table 1000:
32764: from all to 10.0.3.102 lookup 1000
32765: from 10.0.3.102 lookup 1000
ifconfig:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9001
inet 10.0.4.100 netmask 255.255.255.0 broadcast 10.0.4.255
inet6 fe80::3f:c2ff:fe84:c930 prefixlen 64 scopeid 0x20<link>
ether someMac txqueuelen 1000 (Ethernet)
RX packets 1497 bytes 125307 (122.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1198 bytes 120891 (118.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9001
inet 10.0.3.102 netmask 255.255.255.0 broadcast 10.0.3.255
inet6 fe80::ff:4ff:fefb:9a86 prefixlen 64 scopeid 0x20<link>
ether someMac txqueuelen 1000 (Ethernet)
RX packets 88 bytes 5003 (4.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 105 bytes 6414 (6.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 6 bytes 416 (416.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 6 bytes 416 (416.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
This is machine A:
iptables -L:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
iptables -t mangle -L:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
TEE all -- anywhere anywhere TEE gw:ip-10-0-3-102.ec2.internal
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ip route show table all:
default via 10.0.3.1 dev eth0
10.0.3.0/24 dev eth0 proto kernel scope link src 10.0.3.100
169.254.0.0/16 dev eth0 scope link metric 1002
broadcast 10.0.3.0 dev eth0 table local proto kernel scope link src 10.0.3.100
local 10.0.3.100 dev eth0 table local proto kernel scope host src 10.0.3.100
broadcast 10.0.3.255 dev eth0 table local proto kernel scope link src 10.0.3.100
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
unreachable ::/96 dev lo metric 1024 error -113 pref medium
unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113 pref medium
unreachable 2002:a00::/24 dev lo metric 1024 error -113 pref medium
unreachable 2002:7f00::/24 dev lo metric 1024 error -113 pref medium
unreachable 2002:a9fe::/32 dev lo metric 1024 error -113 pref medium
unreachable 2002:ac10::/28 dev lo metric 1024 error -113 pref medium
unreachable 2002:c0a8::/32 dev lo metric 1024 error -113 pref medium
unreachable 2002:e000::/19 dev lo metric 1024 error -113 pref medium
unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113 pref medium
fe80::/64 dev eth0 proto kernel metric 256 mtu 9001 pref medium
unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
local ::1 dev lo table local proto unspec metric 0 pref medium
local fe80::c0:a5ff:fe89:d238 dev lo table local proto unspec metric 0 pref medium
ff00::/8 dev eth0 table local metric 256 mtu 9001 pref medium
unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
ifconfig:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9001
inet 10.0.3.100 netmask 255.255.255.0 broadcast 10.0.3.255
inet6 fe80::c0:a5ff:fe89:d238 prefixlen 64 scopeid 0x20<link>
ether someMac txqueuelen 1000 (Ethernet)
RX packets 8096 bytes 4591057 (4.3 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 6275 bytes 521551 (509.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 6 bytes 416 (416.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 6 bytes 416 (416.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
I want to get a copy of all traffic from machine A (eth0) to machine B (eth1), while using machine B (eth0) to access the internet (that part works now). It looks like a routing problem, but I cannot find it. Most of my searches turn up firewall problems (see iptables), netmask problems (they match) and routing problems (I cannot find the problem).
The mangle table counters seem to be incrementing, so the packets are being copied, but tcpdump shows that machine B (eth1) is not receiving the packets. That is the end goal ^^
/etc/sysconfig/network:
NETWORKING=yes
GATEWAYDEV=eth0
/etc/sysconfig/network-scripts/ifcfg-eth1:
DEVICE=eth1
NAME=eth1
HWADDR=02:ff:04:fb:9a:86
BOOTPROTO=static
ONBOOT=yes
TYPE=Ethernet
USERCTL=no
NM_CONTROLLED=no
IPADDR=10.0.3.102
NETMASK=255.255.255.128
/etc/sysconfig/network-scripts/route-eth1:
default via 10.0.3.1 dev eth1 table 1000
10.0.3.102 dev eth1 table 1000
/etc/sysconfig/network-scripts/rule-eth1:
from 10.0.3.102 lookup 1000
to 10.0.3.102 lookup 1000
Answer 1
I solved this. It was an AWS security group that was not set up correctly and was blocking ingress. The ip rule was changed from "from 10.0.3.102" to "from 10.0.3.100". The rest of the setup is correct.
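The posted `ip rule` and `ip route` output for machine B can be walked by hand to see which table, next hop and interface each packet gets. The small emulator below, an added example that is not part of the original post or answer, does that walk the way the kernel does: rules are tried in priority order, the selected table is searched for the longest matching prefix, and if the table has no matching route the lookup falls through to the next rule. The rule and route lists are transcribed from the post (the kernel's implicit rule 32766 for the main table is included; the local table at priority 0 is omitted, so only packets not addressed to B itself are looked up), the second rule set reflects the change the answer describes, and 198.51.100.10 is a constructed placeholder for an internet address.

```python
import ipaddress

# Rules transcribed from the post's `ip rule show table 1000` on machine B,
# plus the kernel's always-present rule 32766 for the main table.
# Each rule: (priority, from-selector, to-selector, table); None means "all".
RULES_POSTED = [
    (32764, None, "10.0.3.102", "1000"),   # from all to 10.0.3.102 lookup 1000
    (32765, "10.0.3.102", None, "1000"),   # from 10.0.3.102 lookup 1000
    (32766, None, None, "main"),           # implicit: from all lookup main
]

# The same rules after the answer's change ("from 10.0.3.102" -> "from 10.0.3.100").
RULES_ANSWER = [
    (32764, None, "10.0.3.102", "1000"),
    (32765, "10.0.3.100", None, "1000"),
    (32766, None, None, "main"),
]

# Routes transcribed from the post's `ip route show table all` on machine B
# (IPv4 only). Each route: (prefix, gateway or None for on-link, device).
ROUTES = {
    "1000": [
        ("0.0.0.0/0", "10.0.3.1", "eth1"),     # default via 10.0.3.1 dev eth1 table 1000
        ("10.0.3.102/32", None, "eth1"),       # 10.0.3.102 dev eth1 table 1000 scope link
    ],
    "main": [
        ("0.0.0.0/0", "10.0.4.1", "eth0"),     # default via 10.0.4.1 dev eth0
        ("10.0.3.0/24", None, "eth1"),         # 10.0.3.0/24 dev eth1 ... src 10.0.3.102
        ("10.0.4.0/24", None, "eth0"),         # 10.0.4.0/24 dev eth0 ... src 10.0.4.100
        ("169.254.0.0/16", None, "eth0"),      # 169.254.0.0/16 dev eth0 (metric 1002 wins)
    ],
}


def _matches(selector, addr):
    """A rule selector of None matches everything; otherwise the address must
    fall inside the selector (a bare address is treated as a /32)."""
    return selector is None or ipaddress.ip_address(addr) in ipaddress.ip_network(selector)


def route_lookup(src, dst, rules, routes=ROUTES):
    """Emulate the policy-routing decision for a packet src -> dst.

    Returns (table, matched_prefix, gateway_or_None, device), or None when no
    table reachable through the rules has a route for dst.
    """
    dst_ip = ipaddress.ip_address(dst)
    for _prio, sel_from, sel_to, table in sorted(rules, key=lambda r: r[0]):
        if not (_matches(sel_from, src) and _matches(sel_to, dst)):
            continue                      # rule selector does not apply
        best = None
        for prefix, gw, dev in routes.get(table, []):
            net = ipaddress.ip_network(prefix)
            if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, dev)     # longest-prefix match within the table
        if best is not None:
            return (table, str(best[0]), best[1], best[2])
        # table had no route for dst: fall through to the next rule
    return None


if __name__ == "__main__":
    cases = [
        ("reply from eth1 to machine A, posted rules", "10.0.3.102", "10.0.3.100", RULES_POSTED),
        ("reply from eth1 to machine A, answer's rules", "10.0.3.102", "10.0.3.100", RULES_ANSWER),
        ("internet-bound from eth0, posted rules", "10.0.4.100", "198.51.100.10", RULES_POSTED),
        ("internet-bound from eth1, posted rules", "10.0.3.102", "198.51.100.10", RULES_POSTED),
    ]
    for label, src, dst, rules in cases:
        print(f"{label}: {src} -> {dst}: {route_lookup(src, dst, rules)}")
```

Two things the walk makes visible. With the posted rules, anything sourced from 10.0.3.102 is forced into table 1000, which has no connected route for 10.0.3.0/24, so even a reply to the on-link host 10.0.3.100 is handed to the gateway 10.0.3.1; with the answer's rule set the same reply falls through to the main table and goes on-link via eth1. Separately, because TEE sends an unmodified copy (destination IP still 10.0.3.100) towards the gateway's MAC, the receiving ENI on AWS must also have source/destination checking disabled, a setting the post does not mention; `tcpdump -ni eth1 host 10.0.3.100` on machine B is the quickest way to confirm whether copies arrive at all.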