使用linux系統做路由轉發使用linux系統(PC機)做路由轉發
關鍵字:linux,Fedora,route,iptables,ip_forward
最近做網絡實驗����,在實驗過程中需要用到linux的轉發功能,但是遇到一些問題,在請教了linux網絡技術的網友后終于把它解決了,解決了之后我開始總結之前失敗的原因,并將歷程寫成博文��,供以后遇到這類問題的各位朋友參考借鑒�����。
1�����、網絡拓撲
網絡拓撲如下所示,我們在這里用到了三臺機子做實驗�����,分別是①����、④、⑦號機�,使用①號機ping⑦號機�,④號機作為路由轉發���。
2�����、錯誤的路由配置
首先我們使用如下的配置方法���,配置這三臺機子的路由表:
1)在①號機種配置如下���,讓目的網段是10.0.4.0/24的從eth1端口出去
route add -net 10.0.4.0/24 dev eth1
在①號機的查看路由表輸入如下命令:
route -n
?��、偬枡C的路由表的結果如下:
2)在⑦號機使用同樣方法配置路由���,結果如下:
3)在4號機配置路由轉發功能���,即將/etc/sysctl.conf文件里面的net.ipv4.ip_forward的值置1:
4)所有的配置已經完成���,我們在①號機ping④號機
ping 10.0.4.3
結果如下���,即ping 不通:
PING 10.0.4.3 (10.0.4.3) 56(84) bytes of data.From 10.0.1.3 icmp_seq=2 Destination Host UnreachableFrom 10.0.1.3 icmp_seq=3 Destination Host UnreachableFrom 10.0.1.3 icmp_seq=4 Destination Host UnreachableFrom 10.0.1.3 icmp_seq=6 Destination Host UnreachableFrom 10.0.1.3 icmp_seq=7 Destination Host UnreachableFrom 10.0.1.3 icmp_seq=8 Destination Host Unreachable
這里為了方便研究����,把①號機的eth1配置放出來
eth1 Link encap:Ethernet HWaddr 00:16:EC:AF:CB:CB inet addr:10.0.1.3 Bcast:10.255.255.255 Mask:255.255.255.0 inet6 addr: fe80::216:ecff:feaf:cbcb/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:4564 errors:0 dropped:0 overruns:0 frame:0 TX packets:6688 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:459463 (448.6 KiB) TX bytes:546633 (533.8 KiB) Interrupt:23 Base address:0x6000
在①號機ping 的同時�����,我在④號機抓eth1包��,結果如下:
[root@h4~]# tcpdump -i eth1 -enntcpdump: verbose output supPRessed, use -v or -vv for full protocol decodelistening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes15:26:44.388614 00:16:ec:af:cb:cb > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.4.3 tell 10.0.1.3, length 4615:26:45.391014 00:16:ec:af:cb:cb > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.4.3 tell 10.0.1.3, length 4615:26:47.387821 00:16:ec:af:cb:cb > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.4.3 tell 10.0.1.3, length 4615:26:48.391220 00:16:ec:af:cb:cb > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.4.3 tell 10.0.1.3, length 4615:26:49.392621 00:16:ec:af:cb:cb > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.4.3 tell 10.0.1.3, length 46
可見①號一直在尋找配有10.0.4.3 IP的機子的mac地址,即一直在發arp包�����。但是路由器(④號機)默認是不轉發arp報文的���,所有①號機永遠也ping不通⑦號機�����。
3����、正確的配置
在①號機種配置路由�,命令如下:
route add -net 10.0.4.0/24 gw 10.0.1.2
這時候①號機的路由表:
[root@h1 ~]# [root@h1 ~]# route -nKernel IP routing tableDestination Gateway Genmask Flags Metric Ref Use Iface10.0.4.0 10.0.1.2 255.255.255.0 UG 0 0 0 eth110.0.5.0 0.0.0.0 255.255.255.0 U 0 0 0 eth210.0.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1192.168.99.0 0.0.0.0 255.255.255.0 U 1 0 0 eth00.0.0.0 192.168.99.1 0.0.0.0 UG 0 0 0 eth0
同樣的方法配置⑦號機的路由表
root@h7:~# route -n內核 IP 路由表目標 網關 子網掩碼 標志 躍點 引用 使用 接口0.0.0.0 192.168.99.1 0.0.0.0 UG 0 0 0 eth010.0.1.0 10.0.4.2 255.255.255.0 UG 0 0 0 eth110.0.4.0 0.0.0.0 255.255.255.0 U 1 0 0 eth110.0.7.0 0.0.0.0 255.255.255.0 U 1 0 0 eth2192.168.99.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0
下面再進行ping測試�����,在①號機ping⑦號機�,結果能夠ping通���。在這里我們問了方便分析,首先列出各網卡的MAC地址
①號機 eth1:HWaddr 00:16:EC:AF:CB:CB④號機 eth1:HWaddr 40:61:86:32:8F:0B ④號機 eth4:HWaddr 40:61:86:32:8F:0E⑦號機 eth1:HWaddr 00:25:90:93:40:79
?����、芴枡Ceth1抓包如下:
[root@h4 ~]# tcpdump -i eth1 -enntcpdump: verbose output suppressed, use -v or -vv for full protocol decodelistening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes16:02:26.809445 00:16:ec:af:cb:cb > 40:61:86:32:8f:0b, ethertype IPv4 (0x0800), length 98: 10.0.1.3 > 10.0.4.3: ICMP echo request, id 8079, seq 1, length 6416:02:26.810723 40:61:86:32:8f:0b > 00:16:ec:af:cb:cb, ethertype IPv4 (0x0800), length 98: 10.0.4.3 > 10.0.1.3: ICMP echo reply, id 8079, seq 1, length 6416:02:27.811847 00:16:ec:af:cb:cb > 40:61:86:32:8f:0b, ethertype IPv4 (0x0800), length 98: 10.0.1.3 > 10.0.4.3: ICMP echo request, id 8079, seq 2, length 6416:02:27.813136 40:61:86:32:8f:0b > 00:16:ec:af:cb:cb, ethertype IPv4 (0x0800), length 98: 10.0.4.3 > 10.0.1.3: ICMP echo reply, id 8079, seq 2, length 6416:02:28.813248 00:16:ec:af:cb:cb > 40:61:86:32:8f:0b, ethertype IPv4 (0x0800), length 98: 10.0.1.3 > 10.0.4.3: ICMP echo request, id 8079, seq 3, length 6416:02:28.814551 40:61:86:32:8f:0b > 00:16:ec:af:cb:cb, ethertype IPv4 (0x0800), length 98: 10.0.4.3 > 10.0.1.3: ICMP echo reply, id 8079, seq 3, length 6416:02:29.814648 00:16:ec:af:cb:cb > 40:61:86:32:8f:0b, ethertype IPv4 (0x0800), length 98: 10.0.1.3 > 10.0.4.3: ICMP echo request, id 8079, seq 4, length 64
?��、芴枡Ceth4抓包如下:
root@h4 ~]# tcpdump -i eth4 -enntcpdump: verbose output suppressed, use -v or -vv for full protocol decodelistening on eth4, link-type EN10MB (Ethernet), capture size 65535 bytes16:02:26.809460 40:61:86:32:8f:0e > 00:25:90:93:40:79, ethertype IPv4 (0x0800), length 98: 10.0.1.3 > 10.0.4.3: ICMP echo request, id 8079, seq 1, length 6416:02:26.810715 00:25:90:93:40:79 > 40:61:86:32:8f:0e, ethertype IPv4 (0x0800), length 98: 10.0.4.3 > 10.0.1.3: ICMP echo reply, id 8079, seq 1, length 6416:02:27.811853 40:61:86:32:8f:0e > 00:25:90:93:40:79, ethertype IPv4 (0x0800), length 98: 10.0.1.3 > 10.0.4.3: ICMP echo request, id 8079, seq 2, length 6416:02:27.813130 00:25:90:93:40:79 > 40:61:86:32:8f:0e, ethertype IPv4 (0x0800), length 98: 10.0.4.3 > 10.0.1.3: ICMP echo reply, id 8079, seq 2, length 6416:02:28.813255 40:61:86:32:8f:0e > 00:25:90:93:40:79, ethertype IPv4 (0x0800), length 98: 10.0.1.3 > 10.0.4.3: ICMP echo request, id 8079, seq 3, length 6416:02:28.814545 00:25:90:93:40:79 > 40:61:86:32:8f:0e, ethertype IPv4 (0x0800), length 98: 10.0.4.3 > 10.0.1.3: ICMP echo reply, id 8079, seq 3, length 64
?、咛枡Ceth1抓包如下:
root@h7:~# tcpdump -i eth1 -enntcpdump: verbose output suppressed, use -v or -vv for full protocol decodelistening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes16:02:27.222853 40:61:86:32:8f:0e > 00:25:90:93:40:79, ethertype IPv4 (0x0800), length 98: 10.0.1.3 > 10.0.4.3: ICMP echo request, id 8079, seq 1, length 6416:02:27.222867 00:25:90:93:40:79 > 40:61:86:32:8f:0e, ethertype IPv4 (0x0800), length 98: 10.0.4.3 > 10.0.1.3: ICMP echo reply, id 8079, seq 1, length 6416:02:28.225226 40:61:86:32:8f:0e > 00:25:90:93:40:79, ethertype IPv4 (0x0800), length 98: 10.0.1.3 > 10.0.4.3: ICMP echo request, id 8079, seq 2, length 6416:02:28.225237 00:25:90:93:40:79 > 40:61:86:32:8f:0e, ethertype IPv4 (0x0800), length 98: 10.0.4.3 > 10.0.1.3: ICMP echo reply, id 8079, seq 2, length 6416:02:29.226638 40:61:86:32:8f:0e > 00:25:90:93:40:79, ethertype IPv4 (0x0800), length 98: 10.0.1.3 > 10.0.4.3: ICMP echo request, id 8079, seq 3, length 6416:02:29.226649 00:25:90:93:40:79 > 40:61:86:32:8f:0e, ethertype IPv4 (0x0800), length 98: 10.0.4.3 > 10.0.1.3: ICMP echo reply, id 8079, seq 3, length 6416:02:30.228059 40:61:86:32:8f:0e > 00:25:90:93:40:79, ethertype IPv4 (0x0800), length 98: 10.0.1.3 > 10.0.4.3: ICMP echo request, id 8079, seq 4, length 64
從抓取的包中我們不難看出�,①號機在ping ⑦號機時,由于其中路由表配置了通過四號機的eth1(10.0.1.2)地址,這個地址對應的mac①號機已經緩存了��,所有沒有進行arp廣播就直接開始發送ICMP包��,并且目的ip是⑦號機���,目的MAC是④號機的eth1的����,之后在④號機路由中又將目的MAC變成了④號機的eth4的�,目的ip不變,回來的過程相仿��。
4�����、結論
由于linux路由器默認不轉發arp報文到,所有若像”錯誤的配置“那樣配置路由�����,①號機一直處在詢問目的MAC的階段而無法讓路由器④號機轉發數據包,所有我們可以通過”正確的配置“那樣配置路由讓①號機使用④號機eth1的MAC出去,然后再一步一步轉發?��;蛘咄ㄟ^”錯誤的配置“那樣配置路由,然后在④號機中使用arp代理,從而讓①號機獲得⑦號機的MAC���,從而從發送arp報文階段到發送ICMP包階段。
