Proxmox IPv4 routing back to the internal network not working

Yesterday I found out that one of my LXC containers on a Proxmox server needs to reach github.com, so I had to add IPv4 support (really, Github?). I added a /29 subnet to the internal network behind the vmbr0 interface. However, routing packets back to the container does not work. The same is true for connections from outside, of course.

However, I have done this on several Proxmox servers in the past. Never had a problem. Likewise, IPv6 works without any issue at all. And AFAICT I have the same configuration on at least 2 other servers with different IPv4 subnets. The container has the IP X.Y.163.146 assigned on its eth0 interface:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address X.Y.163.146
    netmask 255.255.255.248
    gateway X.Y.163.145

Basic networking works. Proxmox (.145) can ping the container (.146), and the container can ping the hypervisor.

Now, when pinging github.com from the container, I can listen with tcpdump on enp35s0 of the Proxmox server. I see the ICMP request going out and the reply coming in (github.com is at 140.82.118.3):

11:54:35.131596 IP X.Y.163.146 > 140.82.118.3: ICMP echo request, id 1204, seq 5, length 64
11:54:35.143779 IP 140.82.118.3 > X.Y.163.146: ICMP echo reply, id 1204, seq 5, length 64

But listening on the vmbr0 interface, I only see the outgoing packets. That means routing back to the internal network is not working.

For testing purposes I stopped pve-firewall. iptables looks like this:

Chain PREROUTING (policy ACCEPT 18825 packets, 6190K bytes)
 pkts bytes target     prot opt in     out     source               destination         
19953 6512K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4

Chain INPUT (policy ACCEPT 16343 packets, 6057K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 200 packets, 16320 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  200 16320 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4

Chain OUTPUT (policy ACCEPT 14420 packets, 5998K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 14620 packets, 6015K bytes)
 pkts bytes target     prot opt in     out     source               destination         
14659 6027K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4

Everything else is empty and the policy is ACCEPT.

IPv4 forwarding is enabled, of course.

cat /proc/sys/net/ipv4/ip_forward
1

Can anyone see what I am missing?

/edit: I added LOG rules for all chains:

The corresponding rules:

iptables -t mangle -A PREROUTING -s 140.82.0.0/16 -p icmp -j LOG --log-prefix "MANGLE:PREROUTING:IN:GITHUB"
iptables -t mangle -A FORWARD -s 140.82.0.0/16 -p icmp -j LOG --log-prefix "MANGLE:FORWARD:IN:GITHUB"
iptables -t mangle -A POSTROUTING -s 140.82.0.0/16 -p icmp -j LOG --log-prefix "MANGLE:POSTROUTING:IN:GITHUB"
iptables -t nat -A PREROUTING -s 140.82.0.0/16 -p icmp -j LOG --log-prefix "NAT:PREROUTING:IN:GITHUB"
iptables -t filter -A FORWARD -s 140.82.0.0/16 -p icmp -j LOG --log-prefix "FILTER:FORWARD:IN:GITHUB"
iptables -t nat -A POSTROUTING -s 140.82.0.0/16 -p icmp -j LOG --log-prefix "NAT:POSTROUTING:IN:GITHUB"
iptables -t raw -A PREROUTING -s 140.82.0.0/16 -p icmp -j LOG --log-prefix "RAW:PREROUTING:IN:GITHUB"

iptables -t mangle -A PREROUTING -s X.Y.163.146 -p icmp -j LOG --log-prefix "MANGLE:PREROUTING:OUT:PASSBOLT"
iptables -t mangle -A FORWARD -s X.Y.163.146 -p icmp -j LOG --log-prefix "MANGLE:FORWARD:OUT:PASSBOLT"
iptables -t mangle -A POSTROUTING -s X.Y.163.146 -p icmp -j LOG --log-prefix "MANGLE:POSTROUTING:OUT:PASSBOLT"
iptables -t nat -A PREROUTING -s X.Y.163.146 -p icmp -j LOG --log-prefix "NAT:PREROUTING:OUT:PASSBOLT"
iptables -t filter -A FORWARD -s X.Y.163.146 -p icmp -j LOG --log-prefix "FILTER:FORWARD:OUT:PASSBOLT"
iptables -t nat -A POSTROUTING -s X.Y.163.146 -p icmp -j LOG --log-prefix "NAT:POSTROUTING:OUT:PASSBOLT"
iptables -t raw -A PREROUTING -s X.Y.163.146 -p icmp -j LOG --log-prefix "RAW:PREROUTING:OUT:PASSBOLT"

iptables -t mangle -A PREROUTING -d X.Y.163.146 -p icmp -j LOG --log-prefix "MANGLE:PREROUTING:IN:PASSBOLT"
iptables -t mangle -A FORWARD -d X.Y.163.146 -p icmp -j LOG --log-prefix "MANGLE:FORWARD:IN:PASSBOLT"
iptables -t mangle -A POSTROUTING -d X.Y.163.146 -p icmp -j LOG --log-prefix "MANGLE:POSTROUTING:IN:PASSBOLT"
iptables -t nat -A PREROUTING -d X.Y.163.146 -p icmp -j LOG --log-prefix "NAT:PREROUTING:IN:PASSBOLT"
iptables -t filter -A FORWARD -d X.Y.163.146 -p icmp -j LOG --log-prefix "FILTER:FORWARD:IN:PASSBOLT"
iptables -t nat -A POSTROUTING -d X.Y.163.146 -p icmp -j LOG --log-prefix "NAT:POSTROUTING:IN:PASSBOLT"
iptables -t raw -A PREROUTING -d X.Y.163.146 -p icmp -j LOG --log-prefix "RAW:PREROUTING:IN:PASSBOLT"

The output for one ping is:

Mar  5 15:35:39 proxmox kernel: [18347.757914] RAW:PREROUTING:OUT:LXC IN=fwbr1005i0 OUT= PHYSIN=veth1005i0 MAC=2a:d5:27:f3:e7:23:d6:fb:c7:cc:e2:b0:08:00 SRC=X.Y.163.146 DST=140.82.118.4 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=53622 DF PROTO=ICMP TYPE=8 CODE=0 ID=2554 SEQ=1 
Mar  5 15:35:39 proxmox kernel: [18347.758170] MANGLE:PREROUTING:OUT:LXC IN=fwbr1005i0 OUT= PHYSIN=veth1005i0 MAC=2a:d5:27:f3:e7:23:d6:fb:c7:cc:e2:b0:08:00 SRC=X.Y.163.146 DST=140.82.118.4 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=53622 DF PROTO=ICMP TYPE=8 CODE=0 ID=2554 SEQ=1 
Mar  5 15:35:39 proxmox kernel: [18347.758426] MANGLE:FORWARD:OUT:LXC IN=fwbr1005i0 OUT=fwbr1005i0 PHYSIN=veth1005i0 PHYSOUT=fwln1005i0 MAC=2a:d5:27:f3:e7:23:d6:fb:c7:cc:e2:b0:08:00 SRC=X.Y.163.146 DST=140.82.118.4 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=53622 DF PROTO=ICMP TYPE=8 CODE=0 ID=2554 SEQ=1 
Mar  5 15:35:39 proxmox kernel: [18347.758686] FILTER:FORWARD:OUT:LXC IN=fwbr1005i0 OUT=fwbr1005i0 PHYSIN=veth1005i0 PHYSOUT=fwln1005i0 MAC=2a:d5:27:f3:e7:23:d6:fb:c7:cc:e2:b0:08:00 SRC=X.Y.163.146 DST=140.82.118.4 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=53622 DF PROTO=ICMP TYPE=8 CODE=0 ID=2554 SEQ=1 
Mar  5 15:35:39 proxmox kernel: [18347.758963] MANGLE:POSTROUTING:OUT:LXC IN= OUT=fwbr1005i0 PHYSIN=veth1005i0 PHYSOUT=fwln1005i0 SRC=X.Y.163.146 DST=140.82.118.4 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=53622 DF PROTO=ICMP TYPE=8 CODE=0 ID=2554 SEQ=1 
Mar  5 15:35:39 proxmox kernel: [18347.759189] RAW:PREROUTING:OUT:LXC IN=vmbr0 OUT= PHYSIN=fwpr1005p0 MAC=2a:d5:27:f3:e7:23:d6:fb:c7:cc:e2:b0:08:00 SRC=X.Y.163.146 DST=140.82.118.4 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=53622 DF PROTO=ICMP TYPE=8 CODE=0 ID=2554 SEQ=1 
Mar  5 15:35:39 proxmox kernel: [18347.759416] MANGLE:PREROUTING:OUT:LXC IN=vmbr0 OUT= PHYSIN=fwpr1005p0 MAC=2a:d5:27:f3:e7:23:d6:fb:c7:cc:e2:b0:08:00 SRC=X.Y.163.146 DST=140.82.118.4 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=53622 DF PROTO=ICMP TYPE=8 CODE=0 ID=2554 SEQ=1 
Mar  5 15:35:39 proxmox kernel: [18347.759642] MANGLE:FORWARD:OUT:LXC IN=vmbr0 OUT=enp35s0 PHYSIN=fwpr1005p0 MAC=2a:d5:27:f3:e7:23:d6:fb:c7:cc:e2:b0:08:00 SRC=X.Y.163.146 DST=140.82.118.4 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=53622 DF PROTO=ICMP TYPE=8 CODE=0 ID=2554 SEQ=1 
Mar  5 15:35:39 proxmox kernel: [18347.761541] FILTER:FORWARD:OUT:LXC TIN=vmbr0 OUT=enp35s0 PHYSIN=fwpr1005p0 MAC=2a:d5:27:f3:e7:23:d6:fb:c7:cc:e2:b0:08:00 SRC=X.Y.163.146 DST=140.82.118.4 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=53622 DF PROTO=ICMP TYPE=8 CODE=0 ID=2554 SEQ=1 
Mar  5 15:35:39 proxmox kernel: [18347.761791] MANGLE:POSTROUTING:OUT:LXC IN= OUT=enp35s0 PHYSIN=fwpr1005p0 SRC=X.Y.163.146 DST=140.82.118.4 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=53622 DF PROTO=ICMP TYPE=8 CODE=0 ID=2554 SEQ=1 
Mar  5 15:35:39 proxmox kernel: [18347.773606] RAW:PREROUTING:IN:GITHUB IN=enp35s0 OUT= MAC=a8:a1:59:0e:aa:e7:80:7f:f8:79:1c:96:08:00 SRC=140.82.118.4 DST=X.Y.163.146 LEN=84 TOS=0x00 PREC=0x00 TTL=58 ID=34871 PROTO=ICMP TYPE=0 CODE=0 ID=2554 SEQ=1 
Mar  5 15:35:39 proxmox kernel: [18347.773831] RAW:PREROUTING:IN:LXC IN=enp35s0 OUT= MAC=a8:a1:59:0e:aa:e7:80:7f:f8:79:1c:96:08:00 SRC=140.82.118.4 DST=X.Y.163.146 LEN=84 TOS=0x00 PREC=0x00 TTL=58 ID=34871 PROTO=ICMP TYPE=0 CODE=0 ID=2554 SEQ=1 
Mar  5 15:35:39 proxmox kernel: [18347.774051] MANGLE:PREROUTING:IN:GITHUB IN=enp35s0 OUT= MAC=a8:a1:59:0e:aa:e7:80:7f:f8:79:1c:96:08:00 SRC=140.82.118.4 DST=X.Y.163.146 LEN=84 TOS=0x00 PREC=0x00 TTL=58 ID=34871 PROTO=ICMP TYPE=0 CODE=0 ID=2554 SEQ=1 
Mar  5 15:35:39 proxmox kernel: [18347.774288] MANGLE:PREROUTING:IN:LXC IN=enp35s0 OUT= MAC=a8:a1:59:0e:aa:e7:80:7f:f8:79:1c:96:08:00 SRC=140.82.118.4 DST=X.Y.163.146 LEN=84 TOS=0x00 PREC=0x00 TTL=58 ID=34871 PROTO=ICMP TYPE=0 CODE=0 ID=2554 SEQ=1 

So it looks like the "MANGLE:PREROUTING:IN:LXC" rule is hit. But why does the packet never arrive in the FORWARD chain? Just in case, I also added rules for the INPUT chain. Nothing shows up there either. It looks like the packet is dropped silently, without any log/rule?!

asked 5 March 2020 at 16:41
1 answer

Thanks to everyone who thought about this.

So, the fix was echo 1 > /proc/sys/net/ipv4/conf/enp35s0/forwarding. Can anyone explain why?

answered 30 March 2020 at 01:31
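The symptom above (replies logged in PREROUTING but never in FORWARD or INPUT, with ip_forward reading 1) is what a disabled per-interface forwarding switch looks like: for IPv4 the kernel decides at the routing step, which sits between PREROUTING and FORWARD, using conf/<ingress-interface>/forwarding rather than the global file alone. The following is an added example, not code from the post or from Proxmox: a POSIX sh check that reads the global and per-interface knobs for one interface and reports which ones are off. The SYSROOT argument is a hypothetical parameter so the check can also be run against a copied /proc/sys tree; it defaults to the live kernel.

```shell
#!/bin/sh
# Added example, not part of the original post. Compares the global IPv4
# forwarding switch with the per-interface switch the kernel consults when
# routing a packet that arrived on that interface.

read_flag() {
    # $1 = sysctl file; prints "?" if the file is missing or unreadable
    if [ -r "$1" ]; then cat "$1"; else echo "?"; fi
}

# check_forwarding IFACE [SYSROOT]
# Prints "ok" when ip_forward, conf/all/forwarding and conf/IFACE/forwarding
# all read 1; otherwise prints the knobs that are not 1 and returns 1.
# SYSROOT (hypothetical parameter) defaults to /proc/sys.
check_forwarding() {
    iface="$1"
    sysroot="${2:-/proc/sys}"
    base="$sysroot/net/ipv4"
    global=$(read_flag "$base/ip_forward")
    all=$(read_flag "$base/conf/all/forwarding")
    per_if=$(read_flag "$base/conf/$iface/forwarding")
    bad=""
    [ "$global" = "1" ] || bad="$bad ip_forward=$global"
    [ "$all" = "1" ] || bad="$bad conf/all/forwarding=$all"
    [ "$per_if" = "1" ] || bad="$bad conf/$iface/forwarding=$per_if"
    if [ -z "$bad" ]; then
        echo "ok"
        return 0
    fi
    echo "forwarding disabled:$bad"
    return 1
}

# Usage on the host from the question: the reply enters on enp35s0 and the
# request enters on vmbr0, so both ingress interfaces must pass.
# check_forwarding enp35s0 && check_forwarding vmbr0
```

If conf/enp35s0/forwarding reads 0 while ip_forward reads 1, look for a sysctl.d fragment or a script that sets the per-interface value after boot, since writing 1 to ip_forward normally propagates to every interface.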
