Context Navigation

← Previous Change
Wiki History
Next Change →

route

Timestamp:: Jun 26, 2009 4:21:49 AM (15 years ago)
Author:: mitty
Comment:: --

Legend:

: Unmodified
: Added
: Removed
: Modified

TipAndDoc/VM/network/route

                       v1
+[[PageOutline]]
+ = static route =
+ * see also wiki:TipAndDoc/network/iproute
+ * wiki:TipAndDoc/network/vmtest#networkmap のネットワークを使用
+ = centos-inner =
+ * see wiki:TipAndDoc/network/vmtest/ping#centos-inner-ubuntu-outer
+ * 10.0.0.0/16に対するルートを設定するだけでよい
+ == 失敗例 ==
+ * GWを指定しない例
+ * centos-inner ~]$ sudo route add -net 10.0.0.0/16 dev eth1
+ * centos-inner ~]$ route
+{{{
+Kernel IP routing table
+Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
+.168.50.0    *               255.255.255.0   U     0      0        0 eth0
+.2.0.0        *               255.255.0.0     U     0      0        0 eth2
+.0.0.0        *               255.255.0.0     U     0      0        0 eth1
+.1.0.0        *               255.255.0.0     U     0      0        0 eth1
+.254.0.0     *               255.255.0.0     U     0      0        0 eth2
+default         192.168.50.1    0.0.0.0         UG    0      0        0 eth0
+}}}
+ * centos-inner ~]$ ping 10.0.0.10 -c 1
+{{{
+PING 10.0.0.10 (10.0.0.10) 56(84) bytes of data.
+From 10.1.0.110 icmp_seq=1 Destination Host Unreachable
+--- 10.0.0.10 ping statistics ---
+packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
+}}}
+ * ルート削除
+   * centos-inner ~]$ sudo route del -net 10.0.0.0/16 dev eth1
+ == 正しい設定 ==
+ * GWを指定
+ * centos-inner ~]$ sudo route add -net 10.0.0.0/16 gw 10.1.0.254 dev eth1
+ * centos-inner ~]$ route
+{{{
+Kernel IP routing table
+Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
+.168.50.0    *               255.255.255.0   U     0      0        0 eth0
+.2.0.0        *               255.255.0.0     U     0      0        0 eth2
+.0.0.0        10.1.0.254      255.255.0.0     UG    0      0        0 eth1
+.1.0.0        *               255.255.0.0     U     0      0        0 eth1
+.254.0.0     *               255.255.0.0     U     0      0        0 eth2
+default         192.168.50.1    0.0.0.0         UG    0      0        0 eth0
+}}}
+ * centos-inner ~]$ ip route
+{{{
+.168.50.0/24 dev eth0  proto kernel  scope link  src 192.168.50.110
+.2.0.0/16 dev eth2  proto kernel  scope link  src 10.2.0.110
+.0.0.0/16 via 10.1.0.254 dev eth1
+.1.0.0/16 dev eth1  proto kernel  scope link  src 10.1.0.110
+.254.0.0/16 dev eth2  scope link
+default via 192.168.50.1 dev eth0
+}}}
+ * 同じ作用を持つコマンド例
+   * sudo route add -net 10.0.0.0/16 gw 10.1.0.254
+   * sudo route add -net 10.0.0.0 netmask 255.255.0.0 gw 10.1.0.254
+   * sudo ip route add 10.0.0.0/16 via 10.1.0.254
+     * => wiki:TipAndDoc/network/iproute
+ === 結果 ===
+ * centos-inner ~]$ ping 10.0.0.10 -c 1
+{{{
+PING 10.0.0.10 (10.0.0.10) 56(84) bytes of data.
+bytes from 10.0.0.10: icmp_seq=1 ttl=63 time=7.59 ms
+--- 10.0.0.10 ping statistics ---
+packets transmitted, 1 received, 0% packet loss, time 0ms
+rtt min/avg/max/mdev = 7.595/7.595/7.595/0.000 ms
+}}}
+. centos-inner:eth1
+{{{
+:30:59.173104 IP 10.1.0.110 > 10.0.0.10: ICMP echo request, id 36879, seq 1, length 64
+:30:59.177896 IP 10.0.0.10 > 10.1.0.110: ICMP echo reply, id 36879, seq 1, length 64
+}}}
+. ubuntu-router:eth1
+{{{
+:30:59.228193 IP 10.1.0.110 > 10.0.0.10: ICMP echo request, id 36879, seq 1, length 64
+:30:59.231724 IP 10.0.0.10 > 10.1.0.110: ICMP echo reply, id 36879, seq 1, length 64
+}}}
+. ubuntu-router:eth0
+{{{
+:30:59.229467 IP 10.1.0.110 > 10.0.0.10: ICMP echo request, id 36879, seq 1, length 64
+:30:59.231524 IP 10.0.0.10 > 10.1.0.110: ICMP echo reply, id 36879, seq 1, length 64
+}}}
+. ubuntu-outer:eth1
+{{{
+:30:59.230167 IP 10.1.0.110 > 10.0.0.10: ICMP echo request, id 36879, seq 1, length 64
+:30:59.230345 IP 10.0.0.10 > 10.1.0.110: ICMP echo reply, id 36879, seq 1, length 64
+}}}
+ === 不十分な点 ===
+ * パケットの往路と復路が異なったまま
+   * see also wiki:TipAndDoc/network/vmtest/ping#ubuntu-outerrouterubuntu-inner-AB
+   * iprouteでruleを設定しないと解決できない
+ * ubuntu-outer <=(router)=> centos-inner
+ * パケット経路
+. ubuntu-outer:eth1
+. router:eth0
+. router:eth2
+. centos-inner:eth2
+. centos-inner:eth1
+. router:eth1
+. router:eth0
+. ubuntu-outer:eth1
+ * ubuntu-outer:~$ ping 10.2.0.110 -c 1
+{{{
+PING 10.2.0.110 (10.2.0.110) 56(84) bytes of data.
+bytes from 10.2.0.110: icmp_seq=1 ttl=63 time=3.79 ms
+--- 10.2.0.110 ping statistics ---
+packets transmitted, 1 received, 0% packet loss, time 0ms
+rtt min/avg/max/mdev = 3.792/3.792/3.792/0.000 ms
+}}}
+. ubuntu-outer:eth1
+{{{
+:31:52.084210 IP 10.0.0.10 > 10.2.0.110: ICMP echo request, id 14881, seq 1, length 64
+:31:52.087987 IP 10.2.0.110 > 10.0.0.10: ICMP echo reply, id 14881, seq 1, length 64
+}}}
+. ubuntu-router:eth0
+{{{
+:31:52.086225 IP 10.0.0.10 > 10.2.0.110: ICMP echo request, id 14881, seq 1, length 64
+:31:52.088104 IP 10.2.0.110 > 10.0.0.10: ICMP echo reply, id 14881, seq 1, length 64
+}}}
+. ubuntu-router:eth2
+{{{
+:31:52.086987 IP 10.0.0.10 > 10.2.0.110: ICMP echo request, id 14881, seq 1, length 64
+}}}
+. centos-inner:eth2
+{{{
+:31:51.922144 IP 10.0.0.10 > 10.2.0.110: ICMP echo request, id 14881, seq 1, length 64
+}}}
+. centos-inner:eth1
+{{{
+:31:51.924352 IP 10.2.0.110 > 10.0.0.10: ICMP echo reply, id 14881, seq 1, length 64
+}}}
+. ubuntu-router:eth1
+{{{
+:31:52.088093 IP 10.2.0.110 > 10.0.0.10: ICMP echo reply, id 14881, seq 1, length 64
+}}}
+ = centos-outer =
+ * 上記のようにcentos-inner側のみ設定しても、centos-outerのGW設定が正しくないので通信できない
+   * centos-inner -> 10.0.0.20(centos-outer)
+     * 100% packet loss
+ * centos-outer ~]$ sudo route add -net 10.1.0.0 netmask 255.255.0.0 gw 10.0.0.254
+ * centos-outer ~]$ route
+{{{
+Kernel IP routing table
+Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
+.168.40.0    *               255.255.255.0   U     0      0        0 eth0
+.0.0.0        *               255.255.0.0     U     0      0        0 eth1
+.1.0.0        10.0.0.254      255.255.0.0     UG    0      0        0 eth1
+.254.0.0     *               255.255.0.0     U     0      0        0 eth1
+default         192.168.40.1    0.0.0.0         UG    0      0        0 eth0
+}}}
+ * centos-inner ~]$ ping 10.0.0.20 -c 1
+{{{
+PING 10.0.0.20 (10.0.0.20) 56(84) bytes of data.
+bytes from 10.0.0.20: icmp_seq=1 ttl=63 time=11.2 ms
+--- 10.0.0.20 ping statistics ---
+packets transmitted, 1 received, 0% packet loss, time 0ms
+rtt min/avg/max/mdev = 11.297/11.297/11.297/0.000 ms
+}}}
+. centos-inner:eth1
+{{{
+:37:22.195583 IP 10.1.0.110 > 10.0.0.20: ICMP echo request, id 36626, seq 1, length 64
+:37:22.201576 IP 10.0.0.20 > 10.1.0.110: ICMP echo reply, id 36626, seq 1, length 64
+}}}
+. ubuntu-router:eth1
+{{{
+:37:22.301243 IP 10.1.0.110 > 10.0.0.20: ICMP echo request, id 36626, seq 1, length 64
+:37:22.310362 IP 10.0.0.20 > 10.1.0.110: ICMP echo reply, id 36626, seq 1, length 64
+}}}
+. ubuntu-router:eth0
+{{{
+:37:22.304480 IP 10.1.0.110 > 10.0.0.20: ICMP echo request, id 36626, seq 1, length 64
+:37:22.310159 IP 10.0.0.20 > 10.1.0.110: ICMP echo reply, id 36626, seq 1, length 64
+}}}
+. centos-outer:eth1
+{{{
+:37:22.012423 IP 10.1.0.110 > 10.0.0.20: ICMP echo request, id 36626, seq 1, length 64
+:37:22.013349 IP 10.0.0.20 > 10.1.0.110: ICMP echo reply, id 36626, seq 1, length 64
+}}}
+ * 同様に、10.2.0.0/16側のルート設定も必要
+   * ubuntu-inner-AB:~$ ping 10.0.0.20 -c 1 => loss
+. centos-outer:eth1
+{{{
+:41:53.171490 IP 10.2.0.30 > 10.0.0.20: ICMP echo request, id 9759, seq 1, length 64
+}}}
+. centos-outer:eth0
+{{{
+:41:53.172303 IP 10.0.0.20 > 10.2.0.30: ICMP echo reply, id 9759, seq 1, length 64
+}}}
+   * centos-outer ~]$ sudo route add -net 10.2.0.0/16 gw 10.0.0.254
+   * centos-outer ~]$ route
+{{{
+Kernel IP routing table
+Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
+.168.40.0    *               255.255.255.0   U     0      0        0 eth0
+.2.0.0        10.0.0.254      255.255.0.0     UG    0      0        0 eth1
+.0.0.0        *               255.255.0.0     U     0      0        0 eth1
+.1.0.0        10.0.0.254      255.255.0.0     UG    0      0        0 eth1
+.254.0.0     *               255.255.0.0     U     0      0        0 eth1
+default         192.168.40.1    0.0.0.0         UG    0      0        0 eth0
+}}}
+   * centos-outer ~]$ ip route
+{{{
+.168.40.0/24 dev eth0  proto kernel  scope link  src 192.168.40.20
+.2.0.0/16 via 10.0.0.254 dev eth1
+.0.0.0/16 dev eth1  proto kernel  scope link  src 10.0.0.20
+.1.0.0/16 via 10.0.0.254 dev eth1
+.254.0.0/16 dev eth1  scope link
+default via 192.168.40.1 dev eth0
+}}}
+   * これで正常に通信できるようになる
+ = static route + IP MASQUERADE =
+ * see also wiki:TipAndDoc/network/vmtest/masquerade#needroute
+ * centos-outer ~]$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+   * これでWANと通信できるようになる
+   * ubuntu-inner-AB:~$ ping 202.12.27.33 -c 1
+{{{
+PING 202.12.27.33 (202.12.27.33) 56(84) bytes of data.
+bytes from 202.12.27.33: icmp_seq=1 ttl=238 time=16.5 ms
+--- 202.12.27.33 ping statistics ---
+packets transmitted, 1 received, 0% packet loss, time 0ms
+rtt min/avg/max/mdev = 16.543/16.543/16.543/0.000 ms
+}}}
+ == DNS ==
+ * /etc/resolv.conf
+{{{
+nameserver 130.158.XY.ZZ5
+nameserver 130.158.XY.ZZ6
+}}}
+ * 何故か名前解決できない
+ * ubuntu-router:~$ ping www.coins.tsukuba.ac.jp -c 1
+{{{
+ping: unknown host www.coins.tsukuba.ac.jp
+}}}
+   * ubuntu-router:eth0
+{{{
+:00:02.915007 IP 10.0.0.20 > 10.0.0.254: ICMP host 130.158.XY.ZZ5 unreachable - admin prohibited, length 77
+:00:02.918149 IP 10.0.0.20 > 10.0.0.254: ICMP host 130.158.XY.ZZ6 unreachable - admin prohibited, length 77
+:00:02.920515 IP 10.0.0.20 > 10.0.0.254: ICMP host 130.158.XY.ZZ5 unreachable - admin prohibited, length 77
+:00:02.922796 IP 10.0.0.20 > 10.0.0.254: ICMP host 130.158.XY.ZZ6 unreachable - admin prohibited, length 77
+:00:02.925276 IP 10.0.0.20 > 10.0.0.254: ICMP host 130.158.XY.ZZ5 unreachable - admin prohibited, length 77
+:00:02.928189 IP 10.0.0.20 > 10.0.0.254: ICMP host 130.158.XY.ZZ6 unreachable - admin prohibited, length 77
+:00:07.924515 IP 10.0.0.20 > 10.0.0.254: ICMP host 130.158.XY.ZZ6 unreachable - admin prohibited, length 77
+}}}
+ * centos-outer ~]$ sudo iptables -L
+{{{
+Chain INPUT (policy ACCEPT)
+target     prot opt source               destination
+RH-Firewall-1-INPUT  all  --  anywhere             anywhere
+Chain FORWARD (policy ACCEPT)
+target     prot opt source               destination
+RH-Firewall-1-INPUT  all  --  anywhere             anywhere
+Chain OUTPUT (policy ACCEPT)
+target     prot opt source               destination
+Chain RH-Firewall-1-INPUT (2 references)
+target     prot opt source               destination
+ACCEPT     all  --  anywhere             anywhere
+ACCEPT     icmp --  anywhere             anywhere            icmp any
+ACCEPT     esp  --  anywhere             anywhere
+ACCEPT     ah   --  anywhere             anywhere
+ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
+ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
+ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
+ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
+ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
+REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
+}}}
+   * おそらくreject-with icmp-host-prohibitedがネックなのだが、とりあえずfilterをflushして対応(FW無効と同義なので注意)
+   * centos-outer ~]$ sudo iptables -F
+     * centos-outer ~]$ sudo iptables -L
+{{{
+Chain INPUT (policy ACCEPT)
+target     prot opt source               destination
+Chain FORWARD (policy ACCEPT)
+target     prot opt source               destination
+Chain OUTPUT (policy ACCEPT)
+target     prot opt source               destination
+Chain RH-Firewall-1-INPUT (0 references)
+target     prot opt source               destination
+}}}
+   * これで名前解決も出来るようになった
+   * ubuntu-inner-BB:~$ host M.ROOT-SERVERS.NET.
+{{{
+M.ROOT-SERVERS.NET has address 202.12.27.33
+M.ROOT-SERVERS.NET has IPv6 address 2001:dc3::35
+}}}