안녕하세요 여러분, 이것은 아마도 제가 놓친 어리석은 일일지도 모르지만 VPN에 대한 네트워크 네임스페이스를 설정하는 데 문제가 있습니다. 이상한 점은 이 스크립트/설정이 실행 중이었지만 지난 몇 주 동안 갑자기 중지되었다는 것입니다.
모든 일반 트래픽에 사용하려는 서버에 고정 IP가 설정된 이더넷 인터페이스가 있습니다. 그런 다음 브리지를 기본 장치로 사용하고 가상 이더넷을 통해 VPN을 동일한 브리지에 연결했습니다. 어떤 이유로 VPN 인터페이스가 ARP 요청에 성공적으로 응답할 수 있지만 게이트웨이를 ping할 수 없어 인터넷에 연결할 수 없습니다. 라우팅 문제인 것 같지만 알 수 없는 것 같습니다.
네트워크 계획
# Netplan config rendered by systemd-networkd (see `renderer` below) — the
# stock "Let NetworkManager manage all devices" header does not apply here.
network:
  version: 2
  renderer: networkd
  ethernets:
    enp3s0:
      dhcp4: false
      # Static address on the physical NIC even though it is also enslaved
      # to br0 below; br0 itself carries no IPv4 address. NOTE(review):
      # unusual layout (the address normally lives on the bridge) — it works
      # per the `ip route` output, but confirm it is intended.
      addresses:
        - 192.168.0.54/24
  bridges:
    br0:
      interfaces:
        - enp3s0
      routes:
        # Default route via the LAN gateway; the resulting kernel route shows
        # `onlink`, presumably because br0 has no address in 192.168.0.0/24.
        - to: default
          via: 192.168.0.1
        # Directly connected LAN route on the bridge (no `via`).
        - to: 192.168.0.0/24
      nameservers:
        addresses: [1.1.1.1, 8.8.8.8]
VPN 네트워크 네임스페이스를 설정하는 스크립트:
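#!/usr/bin/env bash
# Create a network namespace ("vpn") whose only interface is one end of a
# veth pair; the other end is enslaved to the host bridge (br0), so the
# namespace shows up on the LAN as a separate host with its own MAC and
# its own IP (192.168.0.53) and default route, independent of the host's
# routing table.
#
# Must run as root. Defaults reproduce the original hard-coded values and
# can be overridden through the environment (NS_NAME, BRIDGE, HOST_IF,
# NS_IF, NS_ADDR, NS_GW).
#
# Caveat: frames bridged through br0 are also run through the iptables
# FORWARD chain when br_netfilter is loaded (net.bridge.bridge-nf-call-
# iptables=1, which Docker turns on). A FORWARD policy of DROP then
# silently drops IP traffic between the veth and enp3s0 while ARP, which
# iptables does not filter, still works — exactly the symptom seen here.
set -euo pipefail

ns=${NS_NAME:-vpn}
bridge=${BRIDGE:-br0}
host_if=${HOST_IF:-vpn0}   # veth end kept in the root namespace, enslaved to the bridge
ns_if=${NS_IF:-vpn1}       # veth end moved into the namespace
ns_addr=${NS_ADDR:-192.168.0.53/24}
gateway=${NS_GW:-192.168.0.1}

die() { printf '%s\n' "$*" >&2; exit 1; }

# Preconditions: root, bridge present, and nothing left over from a previous
# run (re-creating the veth or namespace fails half-way and leaves a partial
# setup behind).
[[ $EUID -eq 0 ]] || die "must run as root"
ip link show "$bridge" >/dev/null 2>&1 || die "bridge $bridge does not exist"
if ip link show "$host_if" >/dev/null 2>&1; then
  die "interface $host_if already exists; delete it first (ip link del $host_if)"
fi
if ip netns list | awk '{print $1}' | grep -qx -- "$ns"; then
  die "namespace $ns already exists; delete it first (ip netns del $ns)"
fi

# Best-effort rollback so a failure mid-way does not leave a half-built
# veth/namespace lying around. Deleting the host end removes the peer too.
rollback() {
  ip link del "$host_if" 2>/dev/null || true
  ip netns del "$ns" 2>/dev/null || true
}
trap rollback ERR

ip link add "$host_if" type veth peer name "$ns_if"
ip link set dev "$host_if" master "$bridge"
ip netns add "$ns"
ip link set "$ns_if" netns "$ns"
# Kept from the original. The bridge driver normally places enslaved ports
# in promiscuous mode itself, so this is likely redundant but harmless.
ip link set dev "$host_if" promisc on
ip link set "$host_if" up
ip netns exec "$ns" ip link set lo up
ip netns exec "$ns" ip link set "$ns_if" up
# NOTE: the address is static; make sure it is outside the LAN's DHCP pool
# or reserved there, otherwise another host may be handed the same IP.
ip netns exec "$ns" ip address add "$ns_addr" dev "$ns_if"
ip netns exec "$ns" ip route add default via "$gateway" dev "$ns_if"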
VPN 주소/라우팅
root@sam-server:~# ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
5: vpn1@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 06:9e:19:5a:a4:a5 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 192.168.0.53/24 scope global vpn1
valid_lft forever preferred_lft forever
inet6 fe80::49e:19ff:fe5a:a4a5/64 scope link
valid_lft forever preferred_lft forever
root@sam-server:~# ip route
default via 192.168.0.1 dev vpn1
192.168.0.0/24 dev vpn1 proto kernel scope link src 192.168.0.53
일반 주소/경로
root@sam-server:~# ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP group default qlen 1000
link/ether 88:d7:f6:78:91:72 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.54/24 brd 192.168.0.255 scope global enp3s0
valid_lft forever preferred_lft forever
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether e6:3d:5a:ce:a9:fb brd ff:ff:ff:ff:ff:ff
inet6 fe80::e43d:5aff:fece:a9fb/64 scope link
valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:19:80:3c:94 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
6: vpn0@if5: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default qlen 1000
link/ether 66:2c:f9:35:3d:0e brd ff:ff:ff:ff:ff:ff link-netns vpn
inet6 fe80::642c:f9ff:fe35:3d0e/64 scope link
valid_lft forever preferred_lft forever
root@sam-server:~# ip route
default via 192.168.0.1 dev br0 proto static onlink
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.0.0/24 dev br0 proto static scope link
192.168.0.0/24 dev enp3s0 proto kernel scope link src 192.168.0.54
VPN 네임스페이스에서 핑(arp는 해결된 것 같지만 게이트웨이에 ping을 보낼 수 없습니다)
root@sam-server:~# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
^C
--- 192.168.0.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3066ms
root@sam-server:~# ping 192.168.0.54
PING 192.168.0.54 (192.168.0.54) 56(84) bytes of data.
64 bytes from 192.168.0.54: icmp_seq=1 ttl=64 time=0.037 ms
64 bytes from 192.168.0.54: icmp_seq=2 ttl=64 time=0.052 ms
64 bytes from 192.168.0.54: icmp_seq=3 ttl=64 time=0.052 ms
^C
--- 192.168.0.54 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2031ms
rtt min/avg/max/mdev = 0.037/0.047/0.052/0.007 ms
root@sam-server:~# arp
Address HWtype HWaddress Flags Mask Iface
192.168.0.1 ether b0:95:75:8c:fe:80 C vpn1
192.168.0.54 ether e6:3d:5a:ce:a9:fb C vpn1
root@sam-server:~#
이것이 충분한 정보였기를 바라며 필요하다면 더 게시할 수 있습니다.
답변1
내 질문에 대한 답을 찾았습니다. 아주 단순한 문제였습니다. 약 2주 전에 Docker를 설치했는데, Docker가 설치 시 iptables 규칙을 바꿔 놓는다는 사실을 모르고 있었습니다.
root@sam-server:~# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP) <----------- PROBLEM IS HERE
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Docker가 자동으로 FORWARD 체인의 기본 정책을 DROP으로 바꾸기 때문에, br0를 거쳐 vpn0와 enp3s0 사이를 오가는 IP 패킷이 버려집니다. (브리지 트래픽이 iptables의 FORWARD 체인을 거치는 것은 br_netfilter 모듈, 즉 net.bridge.bridge-nf-call-iptables=1 때문이며, Docker가 이를 활성화하는 것으로 보입니다.) ARP는 iptables의 영향을 받지 않으므로 ARP는 정상적으로 해결되고 ping만 실패했던 것입니다.
가장 간단한 해결 방법은 정책을 ACCEPT로 되돌리는 것입니다: `iptables --policy FORWARD ACCEPT`
다만 이 방법은 호스트가 전달하는 모든 트래픽(Docker 네트워크 포함)을 무조건 허용하므로 Docker가 만든 격리를 없애고, Docker 데몬이 재시작될 때 정책을 다시 DROP으로 되돌릴 수 있어 영구적이지도 않습니다. 더 안전한 방법은 Docker가 사용자 규칙을 위해 비워 두고 FORWARD 체인에서 가장 먼저 평가하는 DOCKER-USER 체인에 브리지 트래픽만 허용하는 규칙을 넣는 것입니다: `iptables -I DOCKER-USER -i br0 -o br0 -j ACCEPT`
어느 방법이든 규칙을 영구화(예: iptables-persistent)해야 재부팅 후에도 유지됩니다.