브리지에 연결된 Ubuntu 22.04 netns 및 veth가 게이트웨이를 ping할 수 없습니다.

브리지에 연결된 Ubuntu 22.04 netns 및 veth가 게이트웨이를 ping할 수 없습니다.

안녕하세요 여러분, 이것은 아마도 제가 놓친 어리석은 일일지도 모르지만 VPN에 대한 네트워크 네임스페이스를 설정하는 데 문제가 있습니다. 이상한 점은 이 스크립트/설정이 실행 중이었지만 지난 몇 주 동안 갑자기 중지되었다는 것입니다.

모든 일반 트래픽에 사용하려는 서버에 고정 IP가 설정된 이더넷 인터페이스가 있습니다. 그런 다음 브리지를 기본 장치로 사용하고 가상 이더넷을 통해 VPN을 동일한 브리지에 연결했습니다. 어떤 이유로 VPN 인터페이스가 ARP 요청에 성공적으로 응답할 수 있지만 게이트웨이를 ping할 수 없어 인터넷에 연결할 수 없습니다. 라우팅 문제인 것 같지만 알 수 없는 것 같습니다.

네트워크 계획

# Let NetworkManager manage all devices on this system
network:
  version: 2
  renderer: networkd
  ethernets:
    enp3s0:
      dhcp4: false
      addresses:
        - 192.168.0.54/24

  bridges:
    br0:
      interfaces:
        - enp3s0
      routes:
      - to: default
        via: 192.168.0.1
      - to: 192.168.0.0/24
      nameservers:
        addresses: [1.1.1.1, 8.8.8.8]

VPN 네트워크 네임스페이스를 설정하는 스크립트:

ip link add vpn0 type veth peer name vpn1

ip link set dev vpn0 master br0

ip netns add vpn

ip link set vpn1 netns vpn

ip link set dev vpn0 promisc on
ip link set vpn0 up

ip netns exec vpn ip link set lo up
ip netns exec vpn ip link set vpn1 up

ip netns exec vpn ip address add 192.168.0.53/24 dev vpn1
ip netns exec vpn ip route add default via 192.168.0.1 dev vpn1

VPN 주소/라우팅

root@sam-server:~# ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
5: vpn1@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 06:9e:19:5a:a4:a5 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.0.53/24 scope global vpn1
       valid_lft forever preferred_lft forever
    inet6 fe80::49e:19ff:fe5a:a4a5/64 scope link
       valid_lft forever preferred_lft forever
root@sam-server:~# ip route
default via 192.168.0.1 dev vpn1
192.168.0.0/24 dev vpn1 proto kernel scope link src 192.168.0.53

일반 주소/경로

root@sam-server:~# ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP group default qlen 1000
    link/ether 88:d7:f6:78:91:72 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.54/24 brd 192.168.0.255 scope global enp3s0
       valid_lft forever preferred_lft forever
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e6:3d:5a:ce:a9:fb brd ff:ff:ff:ff:ff:ff
    inet6 fe80::e43d:5aff:fece:a9fb/64 scope link
       valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:19:80:3c:94 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
6: vpn0@if5: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default qlen 1000
    link/ether 66:2c:f9:35:3d:0e brd ff:ff:ff:ff:ff:ff link-netns vpn
    inet6 fe80::642c:f9ff:fe35:3d0e/64 scope link
       valid_lft forever preferred_lft forever
root@sam-server:~# ip route
default via 192.168.0.1 dev br0 proto static onlink
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.0.0/24 dev br0 proto static scope link
192.168.0.0/24 dev enp3s0 proto kernel scope link src 192.168.0.54

VPN 네임스페이스에서 핑(arp는 해결된 것 같지만 게이트웨이에 ping을 보낼 수 없습니다)

root@sam-server:~# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
^C
--- 192.168.0.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3066ms

root@sam-server:~# ping 192.168.0.54
PING 192.168.0.54 (192.168.0.54) 56(84) bytes of data.
64 bytes from 192.168.0.54: icmp_seq=1 ttl=64 time=0.037 ms
64 bytes from 192.168.0.54: icmp_seq=2 ttl=64 time=0.052 ms
64 bytes from 192.168.0.54: icmp_seq=3 ttl=64 time=0.052 ms
^C
--- 192.168.0.54 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2031ms
rtt min/avg/max/mdev = 0.037/0.047/0.052/0.007 ms
root@sam-server:~# arp
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.0.1              ether   b0:95:75:8c:fe:80   C                     vpn1
192.168.0.54             ether   e6:3d:5a:ce:a9:fb   C                     vpn1
root@sam-server:~#

이것이 충분한 정보였기를 바라며 필요하다면 더 게시할 수 있습니다.

답변1

내 질문에 대한 답을 찾았습니다. 그것은 매우 간단하다는 것이 밝혀졌습니다. 기본적으로 2주 전에 설치했는데 Docker이 사실을 몰랐는데 Docker가 엉망으로 만들었습니다 iptables.

root@sam-server:~# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP) <----------- PROBLEM IS HERE
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (1 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere

Docker 자동 설정으로 인해 FORWARDDROP패킷이 인터페이스로 전달되지 않습니다. ARPiptables의 영향을 받지 않으니 괜찮을 것 같습니다 .

해결 방법은 다음을 수락하도록 정책을 재설정하는 것입니다.iptables --policy FORWARD ACCCEPT

관련 정보