Today at work I ran into something very odd. The situation was this: from machine C you can ping A, but A simply cannot ping C back, while machine D, which sits on the same segment as C, has no such problem. After carefully consulting the company's network guru, I found out why.
The network layout is as follows:

172.16.x.x ──── 172.16.x.x
A               B
│               192.168.x.x ────── 192.168.x.x
│                                  C
│                                  172.16.x.x
│                                  │
└──────────────────────────────────┘
There are three machines:

A  eth0 172.16.x.x
B  eth0 172.16.x.x
   eth1 192.168.x.x
C  eth0 192.168.x.x
   eth1 172.16.x.x
The cause is the third machine: for convenience, C has an extra cable on eth1 that goes straight into the 172.16.x.x segment. When 172.16.x.x pings 192.168.x.x the packets take the upper path through B, but when C replies there is a better route to the source, so the reply would take the lower path out of eth1.

For security reasons (spoof protection) this behaviour is blocked: the return path has to be the same as the incoming path. With strict reverse-path filtering (rp_filter=1) the kernel looks up the route back to the packet's source address and drops the packet if that route does not leave through the interface the packet arrived on. Here A's echo request arrives on C's eth0, but C's best route to A is via eth1, so the request is discarded before any reply is generated, which is exactly the one-way ping we saw. To accept this behaviour the reverse-path filter has to be turned off (rp_filter=0). Two things worth knowing: the kernel applies the larger of net.ipv4.conf.all.rp_filter and the per-interface value, so lowering only one of them changes nothing, and loose mode (rp_filter=2), which only requires that the source be reachable through some interface, is a less drastic alternative when you want to keep some spoof protection on a box with asymmetric routes. Setting net.ipv4.conf.all.log_martians=1 makes the kernel log the dropped packets as "martian source", which is the quickest way to confirm rp_filter is the culprit.
pjack@ubuntu:~$ cat /etc/sysctl.conf | grep filter
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# net.ipv4.conf.default.rp_filter=1 # changed to 0
net.ipv4.conf.default.rp_filter=0
# net.ipv4.conf.all.rp_filter=1 # changed to 0
net.ipv4.conf.all.rp_filter=0
pjack@ubuntu:~$ sudo sysctl -p
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0
pjack@ubuntu:~$ sysctl -a | grep rp_filter
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.br1.rp_filter = 0
net.ipv4.conf.br1.arp_filter = 0
net.ipv4.conf.br0.rp_filter = 0
net.ipv4.conf.br0.arp_filter = 0
pjack@ubuntu:~$ sudo /etc/init.d/networking restart
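The reverse-path decision described above, as an added example that is not code from the original post: a POSIX shell script that simulates offline what the kernel does with A's echo request when it arrives on C's eth0. The route table, interface names and addresses are constructed to mirror machine C in the post (192.168.200.83 on eth0 towards B, the extra 172.16.123.0/24 cable on eth1) and are assumptions, not output from the real machines. It goes a little beyond the post by also showing loose mode (rp_filter=2) and the max(all, interface) rule.

```shell
#!/bin/sh
# Added example (not from the original post): simulate the Linux reverse-path
# filter decision for machine C offline. Interface names, addresses and the
# route table are constructed to mirror the post's topology.

# Constructed route table for C, in `ip route` format: 192.168.200.0/24 on
# eth0 (towards B), 172.16.123.0/24 on eth1 (the extra cable), default via B.
ROUTES='default via 192.168.200.1 dev eth0
192.168.200.0/24 dev eth0
172.16.123.0/24 dev eth1'

# Dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print the word that follows "dev" in a route line.
dev_of() {
    while [ $# -gt 1 ]; do
        if [ "$1" = dev ]; then echo "$2"; return; fi
        shift
    done
}

# Longest-prefix lookup: the interface C would send a packet to $1 out of.
# On the real machine `ip route get <addr>` gives the same answer.
route_dev() {
    dst=$(ip2int "$1")
    best_len=-1
    best_dev=""
    while read -r prefix rest; do
        [ -z "$prefix" ] && continue
        if [ "$prefix" = default ]; then
            net=0; len=0; mask=0
        else
            net=$(ip2int "${prefix%/*}")
            len=${prefix#*/}
            mask=$(( 4294967295 - ((1 << (32 - len)) - 1) ))
        fi
        if [ $(( dst & mask )) -eq $(( net & mask )) ] && [ "$len" -gt "$best_len" ]; then
            best_len=$len
            best_dev=$(dev_of $rest)
        fi
    done <<EOF
$ROUTES
EOF
    echo "$best_dev"
}

# The kernel validates an ingress interface with the larger of
# net.ipv4.conf.all.rp_filter and net.ipv4.conf.<if>.rp_filter.
effective_rp_filter() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Verdict for a packet from source $3 arriving on interface $2 under mode $1:
#   0 = off, always accept
#   1 = strict, accept only if the reply would leave on the ingress interface
#   2 = loose, accept if the source is reachable via any interface
#       (with a default route installed this accepts almost any source)
rp_filter_verdict() {
    reply_dev=$(route_dev "$3")
    case $1 in
        0) echo accept ;;
        1) if [ "$reply_dev" = "$2" ]; then echo accept; else echo drop; fi ;;
        2) if [ -n "$reply_dev" ]; then echo accept; else echo drop; fi ;;
        *) echo "unknown rp_filter mode $1" >&2; return 1 ;;
    esac
}

main() {
    # A's echo request: source 172.16.123.1, arrives on C's eth0 (via B).
    printf 'C routes replies to 172.16.123.1 out of %s\n' "$(route_dev 172.16.123.1)"
    for mode in 0 1 2; do
        printf 'rp_filter=%s: request from 172.16.123.1 on eth0 -> %s\n' \
            "$mode" "$(rp_filter_verdict "$mode" eth0 172.16.123.1)"
    done
    # Lowering only the per-interface value is not enough.
    printf 'effective rp_filter with all=1, eth0=0: %s\n' "$(effective_rp_filter 1 0)"
}
main
```

Strict mode drops the request because the reply route points at eth1 while the packet came in on eth0; mode 0 and loose mode both accept it. On a real box the two inputs to this decision are `ip route get 172.16.123.1` and `sysctl net.ipv4.conf.all.rp_filter net.ipv4.conf.eth0.rp_filter`, and the IPReversePathFilter counter in /proc/net/netstat ticks up for every packet the filter discards.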
After the change the ping went through as expected. Looking at the packets with tcpdump:

# First the packets coming in on eth0: the ICMP echo requests are there
wistor@wistor-001:~$ sudo tcpdump -i eth0 -n icmp
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:22:11.379560 IP 172.16.123.1 > 192.168.200.83: ICMP echo request, id 1, seq 334, length 40
11:22:16.006429 IP 172.16.123.1 > 192.168.200.83: ICMP echo request, id 1, seq 335, length 40
11:22:20.507438 IP 172.16.123.1 > 192.168.200.83: ICMP echo request, id 1, seq 336, length 40

# Then the packets going out on eth1: the ICMP echo replies leave here
wistor@wistor-001:~$ sudo tcpdump -i eth1 -n icmp
tcpdump: WARNING: eth1: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
11:41:33.586354 IP 192.168.200.83 > 172.16.123.1: ICMP echo reply, id 1, seq 573, length 40
11:41:34.589350 IP 192.168.200.83 > 172.16.123.1: ICMP echo reply, id 1, seq 574, length 40
11:41:35.592638 IP 192.168.200.83 > 172.16.123.1: ICMP echo reply, id 1, seq 575, length 40
11:41:36.596761 IP 192.168.200.83 > 172.16.123.1: ICMP echo reply, id 1, seq 576, length 40

tcpdump usage examples:
http://www.rationallyparanoid.com/articles/tcpdump.html