iptables - forwarding traffic from the internal network to the external network does not work


I am running AlmaLinux 8 and my virtual machine is attached to three network interfaces.

```
[root@puppetmaster ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:d1:2f:93 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic noprefixroute enp0s3
       valid_lft 80482sec preferred_lft 80482sec
    inet6 fe80::a00:27ff:fed1:2f93/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:e4:53:8a brd ff:ff:ff:ff:ff:ff
    inet 192.168.128.2/24 brd 192.168.128.255 scope global noprefixroute enp0s8
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fee4:538a/64 scope link
       valid_lft forever preferred_lft forever
4: enp0s9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:c5:47:fa brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.10/24 brd 192.168.1.255 scope global dynamic noprefixroute enp0s9
       valid_lft 69570sec preferred_lft 69570sec
    inet6 fe80::a00:27ff:fec5:47fa/64 scope link
       valid_lft forever preferred_lft forever
```

Now I want to forward all network traffic from `enp0s8` to `enp0s9`. So I tried it via iptables, and ran the following commands for that:

```
[root@puppetmaster ~]# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
[root@puppetmaster ~]# iptables -t nat -A POSTROUTING --out-interface enp0s9 -j MASQUERADE
[root@puppetmaster ~]# iptables -A FORWARD --in-interface enp0s8 -j ACCEPT
```

This is the output of iptables:

```
[root@puppetmaster ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@puppetmaster ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

But I still cannot ping.

Thanks

I should be able to ping from the intranet.

---- EDIT ----

I set up another VM and added a default route:

```
[root@websrv ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:d1:2f:93 brd ff:ff:ff:ff:ff:ff
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:f0:16:bd brd ff:ff:ff:ff:ff:ff
    inet 192.168.128.10/24 brd 192.168.128.255 scope global noprefixroute enp0s8
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fef0:16bd/64 scope link
       valid_lft forever preferred_lft forever
4: enp0s9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:ca:35:bd brd ff:ff:ff:ff:ff:ff
[root@websrv ~]# ip route
default via 192.168.128.2 dev enp0s8
192.168.128.0/24 dev enp0s8 proto kernel scope link src 192.168.128.10 metric 101
```

But when I try to ping, I get a reply to the DNS request but no reply to the ICMP request:

```
[root@websrv ~]# ping google.com
PING google.com (142.250.192.110) 56(84) bytes of data.
^C
--- google.com ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2074ms
```

Answer 1

I figured it out. On the NAT server, the default route was on a different interface than the one I had defined in the iptables nat table. I removed that default route from the list and now I can ping from the server. Another approach is to leave the routing table unchanged and change the interface in iptables. I can handle it either way.
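The mismatch the answer describes, a MASQUERADE rule bound to one interface while the kernel's default route leaves through another, is easy to check before touching either the routing table or the rule set. The shell script below is an added example, not part of the original question or answer: it parses `ip route` and `iptables-save -t nat` output and reports whether the `-o` interface of the MASQUERADE rule matches the default route's device. The sample routing table and rule set are constructed to mirror the question (the default route on `enp0s3` via `10.0.2.2` is an assumption; the asker never posted the NAT server's routes), and the "fixed" rule set shows the answer's second option, pointing MASQUERADE at the interface that actually carries the default route.

```sh
#!/bin/sh
# Added example (not from the original post): verify that the interface named in
# the POSTROUTING MASQUERADE rule is the one the default route actually uses.
# When they differ, forwarded packets leave via the default-route interface and
# are never masqueraded, so replies never come back to the internal host.

# Print the device of the default route, reading `ip route` output from stdin.
default_dev() {
    awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Print the -o interface of every MASQUERADE rule, reading `iptables-save -t nat`
# output from stdin (iptables-save always writes --out-interface as -o).
masq_out_ifaces() {
    awk '/-j MASQUERADE/ { for (i = 1; i <= NF; i++) if ($i == "-o") print $(i+1) }'
}

# check_nat_route ROUTES NATRULES: returns 0 when some MASQUERADE rule matches
# the default route device, 1 otherwise, and prints a one-line verdict.
check_nat_route() {
    dev=$(printf '%s\n' "$1" | default_dev)
    ifaces=$(printf '%s\n' "$2" | masq_out_ifaces)
    [ -n "$dev" ] || { echo "no default route found"; return 1; }
    for i in $ifaces; do
        if [ "$i" = "$dev" ]; then
            echo "ok: MASQUERADE on $i matches default route dev $dev"
            return 0
        fi
    done
    echo "mismatch: default route via $dev but MASQUERADE on: ${ifaces:-none}"
    return 1
}

# Constructed sample data (assumption: the NAT VM's default route sits on enp0s3,
# the adapter holding the dynamic 10.0.2.15 lease in the question's `ip a`).
SAMPLE_ROUTES='default via 10.0.2.2 dev enp0s3 proto dhcp metric 100
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15 metric 100
192.168.1.0/24 dev enp0s9 proto kernel scope link src 192.168.1.10 metric 102
192.168.128.0/24 dev enp0s8 proto kernel scope link src 192.168.128.2 metric 101'

# The rule set from the question: MASQUERADE bound to enp0s9.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o enp0s9 -j MASQUERADE
COMMIT'

# The answer's second fix: keep the routes, rebind MASQUERADE to the default-route device.
FIXED_NAT='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o enp0s3 -j MASQUERADE
COMMIT'

check_nat_route "$SAMPLE_ROUTES" "$SAMPLE_NAT" || true   # reports the mismatch
check_nat_route "$SAMPLE_ROUTES" "$FIXED_NAT"            # reports ok
```

On a live host, feed the functions real data with `ip route | default_dev` and `iptables-save -t nat | masq_out_ifaces`; a reported mismatch means either the route or the rule has to change, which is exactly the choice the answer lays out.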
