[[PageOutline]]

= static route =

 * see also wiki:TipAndDoc/network/iproute
 * uses the network from wiki:TipAndDoc/network/vmtest#networkmap

= centos-inner =

 * see wiki:TipAndDoc/network/vmtest/ping#centos-inner-ubuntu-outer
 * it is enough to set a route for 10.0.0.0/16

== Failure example ==

 * example without specifying the GW
 * centos-inner ~]$ sudo route add -net 10.0.0.0/16 dev eth1
 * centos-inner ~]$ route
{{{
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.50.0    *               255.255.255.0   U     0      0        0 eth0
10.2.0.0        *               255.255.0.0     U     0      0        0 eth2
10.0.0.0        *               255.255.0.0     U     0      0        0 eth1
10.1.0.0        *               255.255.0.0     U     0      0        0 eth1
169.254.0.0     *               255.255.0.0     U     0      0        0 eth2
default         192.168.50.1    0.0.0.0         UG    0      0        0 eth0
}}}
 * centos-inner ~]$ ping 10.0.0.10 -c 1
{{{
PING 10.0.0.10 (10.0.0.10) 56(84) bytes of data.
From 10.1.0.110 icmp_seq=1 Destination Host Unreachable

--- 10.0.0.10 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
}}}
 * delete the route
 * centos-inner ~]$ sudo route del -net 10.0.0.0/16 dev eth1

== Correct configuration ==

 * specify the GW
 * centos-inner ~]$ sudo route add -net 10.0.0.0/16 gw 10.1.0.254 dev eth1
 * centos-inner ~]$ route
{{{
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.50.0    *               255.255.255.0   U     0      0        0 eth0
10.2.0.0        *               255.255.0.0     U     0      0        0 eth2
10.0.0.0        10.1.0.254      255.255.0.0     UG    0      0        0 eth1
10.1.0.0        *               255.255.0.0     U     0      0        0 eth1
169.254.0.0     *               255.255.0.0     U     0      0        0 eth2
default         192.168.50.1    0.0.0.0         UG    0      0        0 eth0
}}}
 * centos-inner ~]$ ip route
{{{
192.168.50.0/24 dev eth0 proto kernel scope link src 192.168.50.110
10.2.0.0/16 dev eth2 proto kernel scope link src 10.2.0.110
10.0.0.0/16 via 10.1.0.254 dev eth1
10.1.0.0/16 dev eth1 proto kernel scope link src 10.1.0.110
169.254.0.0/16 dev eth2 scope link
default via 192.168.50.1 dev eth0
}}}
 * examples of commands with the same effect
   * sudo route add -net 10.0.0.0/16 gw 10.1.0.254
   * sudo route add -net 10.0.0.0 netmask 255.255.0.0 gw 10.1.0.254
   * sudo ip route add 10.0.0.0/16 via 10.1.0.254
   * => wiki:TipAndDoc/network/iproute

=== Result ===
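The ping result in this section follows directly from how the kernel resolves a destination: a longest-prefix match over the routing table, keyed on the destination address only. The following Python model is an added example (not part of this wiki page and not code from the VM test setup). It parses the `ip route` output shown above for the correct configuration; the table for the failure example is constructed here from the `route` output of that section (`10.0.0.0/16 dev eth1 scope link`, i.e. no gateway), since the page does not show `ip route` for that case.

```python
# Added example: model of the kernel's destination-based route lookup
# (longest prefix match), fed with `ip route` lines from this page.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str]  # None = on-link: the kernel resolves the destination itself on dev


def parse_ip_route(text: str) -> List[Route]:
    """Parse the output of `ip route` (IPv4) into Route entries."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        via = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1]
        routes.append(Route(ipaddress.ip_network(dst, strict=False), dev, via))
    return routes


def lookup(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def next_hop(routes: List[Route], dst: str) -> Tuple[str, str]:
    """Return (address the kernel will ARP for, egress interface).

    With a gateway route the kernel ARPs for the gateway; with an on-link
    route it ARPs for the destination itself, which is exactly why the
    gateway-less route on the page ends in "Destination Host Unreachable".
    """
    r = lookup(routes, dst)
    return (r.via or dst, r.dev)


# `ip route` on centos-inner after the correct configuration (copied from the page).
CORRECT_ROUTES = parse_ip_route("""
192.168.50.0/24 dev eth0 proto kernel scope link src 192.168.50.110
10.2.0.0/16 dev eth2 proto kernel scope link src 10.2.0.110
10.0.0.0/16 via 10.1.0.254 dev eth1
10.1.0.0/16 dev eth1 proto kernel scope link src 10.1.0.110
169.254.0.0/16 dev eth2 scope link
default via 192.168.50.1 dev eth0
""")

# Constructed: the same table as in the failure example, where the
# 10.0.0.0/16 route was added with `dev eth1` and no `gw`.
FAILED_ROUTES = parse_ip_route("""
192.168.50.0/24 dev eth0 proto kernel scope link src 192.168.50.110
10.2.0.0/16 dev eth2 proto kernel scope link src 10.2.0.110
10.0.0.0/16 dev eth1 scope link
10.1.0.0/16 dev eth1 proto kernel scope link src 10.1.0.110
169.254.0.0/16 dev eth2 scope link
default via 192.168.50.1 dev eth0
""")

if __name__ == "__main__":
    for name, table in (("failed", FAILED_ROUTES), ("correct", CORRECT_ROUTES)):
        arp_for, dev = next_hop(table, "10.0.0.10")
        print(f"{name:8s}: 10.0.0.10 -> ARP for {arp_for} on {dev}")
```

Note that `lookup()` never looks at the interface a packet came in on: a reply to 10.0.0.10 is sent via 10.1.0.254 on eth1 whether the request arrived on eth1 or on eth2. That is the asymmetry the later "Remaining shortcomings" section observes, and it is why only a policy-routing rule (ip rule), not another static route, can change it.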
 * centos-inner ~]$ ping 10.0.0.10 -c 1
{{{
PING 10.0.0.10 (10.0.0.10) 56(84) bytes of data.
64 bytes from 10.0.0.10: icmp_seq=1 ttl=63 time=7.59 ms

--- 10.0.0.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 7.595/7.595/7.595/0.000 ms
}}}
 1. centos-inner:eth1
{{{
23:30:59.173104 IP 10.1.0.110 > 10.0.0.10: ICMP echo request, id 36879, seq 1, length 64
23:30:59.177896 IP 10.0.0.10 > 10.1.0.110: ICMP echo reply, id 36879, seq 1, length 64
}}}
 1. ubuntu-router:eth1
{{{
23:30:59.228193 IP 10.1.0.110 > 10.0.0.10: ICMP echo request, id 36879, seq 1, length 64
23:30:59.231724 IP 10.0.0.10 > 10.1.0.110: ICMP echo reply, id 36879, seq 1, length 64
}}}
 1. ubuntu-router:eth0
{{{
23:30:59.229467 IP 10.1.0.110 > 10.0.0.10: ICMP echo request, id 36879, seq 1, length 64
23:30:59.231524 IP 10.0.0.10 > 10.1.0.110: ICMP echo reply, id 36879, seq 1, length 64
}}}
 1. ubuntu-outer:eth1
{{{
23:30:59.230167 IP 10.1.0.110 > 10.0.0.10: ICMP echo request, id 36879, seq 1, length 64
23:30:59.230345 IP 10.0.0.10 > 10.1.0.110: ICMP echo reply, id 36879, seq 1, length 64
}}}

=== Remaining shortcomings ===

 * the outbound and return paths of a packet still differ
   * see also wiki:TipAndDoc/network/vmtest/ping#ubuntu-outerrouterubuntu-inner-AB
   * this cannot be resolved without setting a rule with iproute
 * ubuntu-outer <=(router)=> centos-inner
 * packet path
   1. ubuntu-outer:eth1
   1. router:eth0
   1. router:eth2
   1. centos-inner:eth2
   1. centos-inner:eth1
   1. router:eth1
   1. router:eth0
   1. ubuntu-outer:eth1
 * ubuntu-outer:~$ ping 10.2.0.110 -c 1
{{{
PING 10.2.0.110 (10.2.0.110) 56(84) bytes of data.
64 bytes from 10.2.0.110: icmp_seq=1 ttl=63 time=3.79 ms

--- 10.2.0.110 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.792/3.792/3.792/0.000 ms
}}}
 1. ubuntu-outer:eth1
{{{
03:31:52.084210 IP 10.0.0.10 > 10.2.0.110: ICMP echo request, id 14881, seq 1, length 64
03:31:52.087987 IP 10.2.0.110 > 10.0.0.10: ICMP echo reply, id 14881, seq 1, length 64
}}}
 1. ubuntu-router:eth0
{{{
03:31:52.086225 IP 10.0.0.10 > 10.2.0.110: ICMP echo request, id 14881, seq 1, length 64
03:31:52.088104 IP 10.2.0.110 > 10.0.0.10: ICMP echo reply, id 14881, seq 1, length 64
}}}
 1. ubuntu-router:eth2
{{{
03:31:52.086987 IP 10.0.0.10 > 10.2.0.110: ICMP echo request, id 14881, seq 1, length 64
}}}
 1. centos-inner:eth2
{{{
03:31:51.922144 IP 10.0.0.10 > 10.2.0.110: ICMP echo request, id 14881, seq 1, length 64
}}}
 1. centos-inner:eth1
{{{
03:31:51.924352 IP 10.2.0.110 > 10.0.0.10: ICMP echo reply, id 14881, seq 1, length 64
}}}
 1. ubuntu-router:eth1
{{{
03:31:52.088093 IP 10.2.0.110 > 10.0.0.10: ICMP echo reply, id 14881, seq 1, length 64
}}}

= centos-outer =

 * Even if only the centos-inner side is configured as above, communication still fails because the GW setting on centos-outer is not correct
   * centos-inner -> 10.0.0.20 (centos-outer)
   * 100% packet loss
 * centos-outer ~]$ sudo route add -net 10.1.0.0 netmask 255.255.0.0 gw 10.0.0.254
 * centos-outer ~]$ route
{{{
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.40.0    *               255.255.255.0   U     0      0        0 eth0
10.0.0.0        *               255.255.0.0     U     0      0        0 eth1
10.1.0.0        10.0.0.254      255.255.0.0     UG    0      0        0 eth1
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
default         192.168.40.1    0.0.0.0         UG    0      0        0 eth0
}}}
 * centos-inner ~]$ ping 10.0.0.20 -c 1
{{{
PING 10.0.0.20 (10.0.0.20) 56(84) bytes of data.
64 bytes from 10.0.0.20: icmp_seq=1 ttl=63 time=11.2 ms

--- 10.0.0.20 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 11.297/11.297/11.297/0.000 ms
}}}
 1. centos-inner:eth1
{{{
02:37:22.195583 IP 10.1.0.110 > 10.0.0.20: ICMP echo request, id 36626, seq 1, length 64
02:37:22.201576 IP 10.0.0.20 > 10.1.0.110: ICMP echo reply, id 36626, seq 1, length 64
}}}
 1. ubuntu-router:eth1
{{{
02:37:22.301243 IP 10.1.0.110 > 10.0.0.20: ICMP echo request, id 36626, seq 1, length 64
02:37:22.310362 IP 10.0.0.20 > 10.1.0.110: ICMP echo reply, id 36626, seq 1, length 64
}}}
 1. ubuntu-router:eth0
{{{
02:37:22.304480 IP 10.1.0.110 > 10.0.0.20: ICMP echo request, id 36626, seq 1, length 64
02:37:22.310159 IP 10.0.0.20 > 10.1.0.110: ICMP echo reply, id 36626, seq 1, length 64
}}}
 1. centos-outer:eth1
{{{
02:37:22.012423 IP 10.1.0.110 > 10.0.0.20: ICMP echo request, id 36626, seq 1, length 64
02:37:22.013349 IP 10.0.0.20 > 10.1.0.110: ICMP echo reply, id 36626, seq 1, length 64
}}}
 * Likewise, a route for the 10.2.0.0/16 side is also needed
 * ubuntu-inner-AB:~$ ping 10.0.0.20 -c 1 => loss
 1. centos-outer:eth1
{{{
02:41:53.171490 IP 10.2.0.30 > 10.0.0.20: ICMP echo request, id 9759, seq 1, length 64
}}}
 1. centos-outer:eth0
{{{
02:41:53.172303 IP 10.0.0.20 > 10.2.0.30: ICMP echo reply, id 9759, seq 1, length 64
}}}
 * centos-outer ~]$ sudo route add -net 10.2.0.0/16 gw 10.0.0.254
 * centos-outer ~]$ route
{{{
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.40.0    *               255.255.255.0   U     0      0        0 eth0
10.2.0.0        10.0.0.254      255.255.0.0     UG    0      0        0 eth1
10.0.0.0        *               255.255.0.0     U     0      0        0 eth1
10.1.0.0        10.0.0.254      255.255.0.0     UG    0      0        0 eth1
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
default         192.168.40.1    0.0.0.0         UG    0      0        0 eth0
}}}
 * centos-outer ~]$ ip route
{{{
192.168.40.0/24 dev eth0 proto kernel scope link src 192.168.40.20
10.2.0.0/16 via 10.0.0.254 dev eth1
10.0.0.0/16 dev eth1 proto kernel scope link src 10.0.0.20
10.1.0.0/16 via 10.0.0.254 dev eth1
169.254.0.0/16 dev eth1 scope link
default via 192.168.40.1 dev eth0
}}}
 * With this, communication works normally

= static route + IP MASQUERADE =

 * see also wiki:TipAndDoc/network/vmtest/masquerade#needroute
 * centos-outer ~]$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 * With this, communication with the WAN becomes possible
 * ubuntu-inner-AB:~$ ping 202.12.27.33 -c 1
{{{
PING 202.12.27.33 (202.12.27.33) 56(84) bytes of data.
64 bytes from 202.12.27.33: icmp_seq=1 ttl=238 time=16.5 ms

--- 202.12.27.33 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 16.543/16.543/16.543/0.000 ms
}}}

== DNS ==

 * /etc/resolv.conf
{{{
nameserver 130.158.XY.ZZ5
nameserver 130.158.XY.ZZ6
}}}
 * for some reason name resolution does not work
 * ubuntu-router:~$ ping www.coins.tsukuba.ac.jp -c 1
{{{
ping: unknown host www.coins.tsukuba.ac.jp
}}}
 * ubuntu-router:eth0
{{{
03:00:02.915007 IP 10.0.0.20 > 10.0.0.254: ICMP host 130.158.XY.ZZ5 unreachable - admin prohibited, length 77
03:00:02.918149 IP 10.0.0.20 > 10.0.0.254: ICMP host 130.158.XY.ZZ6 unreachable - admin prohibited, length 77
03:00:02.920515 IP 10.0.0.20 > 10.0.0.254: ICMP host 130.158.XY.ZZ5 unreachable - admin prohibited, length 77
03:00:02.922796 IP 10.0.0.20 > 10.0.0.254: ICMP host 130.158.XY.ZZ6 unreachable - admin prohibited, length 77
03:00:02.925276 IP 10.0.0.20 > 10.0.0.254: ICMP host 130.158.XY.ZZ5 unreachable - admin prohibited, length 77
03:00:02.928189 IP 10.0.0.20 > 10.0.0.254: ICMP host 130.158.XY.ZZ6 unreachable - admin prohibited, length 77
03:00:07.924515 IP 10.0.0.20 > 10.0.0.254: ICMP host 130.158.XY.ZZ6 unreachable - admin prohibited, length 77
}}}
 * centos-outer ~]$ sudo iptables -L
{{{
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
}}}
 * The reject-with icmp-host-prohibited rule is probably the culprit, but for now deal with it by flushing the filter table (note: this is the same as disabling the firewall)
 * centos-outer ~]$ sudo iptables -F
 * centos-outer ~]$ sudo iptables -L
{{{
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination
}}}
 * With this, name resolution also works
 * ubuntu-inner-BB:~$ host M.ROOT-SERVERS.NET.
{{{
M.ROOT-SERVERS.NET has address 202.12.27.33
M.ROOT-SERVERS.NET has IPv6 address 2001:dc3::35
}}}
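Why ping to the WAN worked but DNS did not, and what `iptables -F` actually changes, can be traced through the `iptables -L` listing above: the FORWARD chain jumps into RH-Firewall-1-INPUT, where ICMP is accepted by the second rule while a new forwarded UDP/53 query matches nothing until the final REJECT (hence the "admin prohibited" ICMP errors seen on ubuntu-router:eth0). The following Python model is an added example, not code from this page or the VM test setup. It transcribes the chains from the listing; two things are assumptions: the first "ACCEPT all" rule is modelled as the loopback rule (`-i lo`) of the stock CentOS firewall, which `iptables -L` without `-v` does not display (without that restriction nothing could ever reach the REJECT), and the `targeted_filter()` variant shows a narrower alternative to flushing, a single FORWARD rule for DNS from eth1, which is not something the page does. The packets are constructed test inputs.

```python
# Added example: a small evaluator for the iptables filter chains on
# centos-outer, transcribed from the `iptables -L` output on the page.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Packet:
    proto: str                 # "icmp", "udp", "tcp", ...
    in_iface: str              # interface the packet arrived on
    dst: str
    dport: Optional[int] = None
    state: str = "NEW"         # conntrack state: NEW, ESTABLISHED, RELATED


@dataclass
class Rule:
    target: str                         # ACCEPT, REJECT, DROP, or a user chain to jump to
    proto: Optional[str] = None
    in_iface: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[Set[str]] = None

    def matches(self, p: Packet) -> bool:
        # Every match that is set must hold; unset matches are wildcards.
        return all([
            self.proto is None or self.proto == p.proto,
            self.in_iface is None or self.in_iface == p.in_iface,
            self.dst is None or self.dst == p.dst,
            self.dport is None or self.dport == p.dport,
            self.states is None or p.state in self.states,
        ])


@dataclass
class FilterTable:
    chains: Dict[str, List[Rule]] = field(default_factory=dict)
    policy: Dict[str, str] = field(default_factory=dict)

    def verdict(self, chain: str, p: Packet) -> Optional[str]:
        """Walk a chain top to bottom; a user chain with no match returns None
        so the calling chain continues, a built-in chain falls back to its policy."""
        for rule in self.chains[chain]:
            if not rule.matches(p):
                continue
            if rule.target in ("ACCEPT", "REJECT", "DROP"):
                return rule.target
            sub = self.verdict(rule.target, p)      # jump into a user-defined chain
            if sub is not None:
                return sub
        return self.policy.get(chain)


def centos_outer_filter() -> FilterTable:
    """The filter table as listed on the page before `iptables -F`."""
    rh_firewall = [
        Rule("ACCEPT", in_iface="lo"),                              # assumption: the hidden -i lo match
        Rule("ACCEPT", proto="icmp"),                               # icmp any
        Rule("ACCEPT", proto="esp"),
        Rule("ACCEPT", proto="ah"),
        Rule("ACCEPT", proto="udp", dst="224.0.0.251", dport=5353),  # udp dpt:mdns
        Rule("ACCEPT", proto="udp", dport=631),                     # udp dpt:ipp
        Rule("ACCEPT", proto="tcp", dport=631),                     # tcp dpt:ipp
        Rule("ACCEPT", states={"RELATED", "ESTABLISHED"}),
        Rule("ACCEPT", proto="tcp", dport=22, states={"NEW"}),      # state NEW tcp dpt:ssh
        Rule("REJECT"),                                             # reject-with icmp-host-prohibited
    ]
    t = FilterTable()
    t.chains = {
        "INPUT": [Rule("RH-Firewall-1-INPUT")],
        "FORWARD": [Rule("RH-Firewall-1-INPUT")],
        "OUTPUT": [],
        "RH-Firewall-1-INPUT": rh_firewall,
    }
    t.policy = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT", "OUTPUT": "ACCEPT"}
    return t


def flushed_filter() -> FilterTable:
    """What `iptables -F` leaves behind: empty chains, so every packet hits policy ACCEPT."""
    t = centos_outer_filter()
    for name in t.chains:
        t.chains[name] = []
    return t


def targeted_filter() -> FilterTable:
    """Assumed narrower fix (not on the page): accept only forwarded DNS from eth1,
    equivalent to `iptables -I FORWARD -i eth1 -p udp --dport 53 -j ACCEPT`."""
    t = centos_outer_filter()
    t.chains["FORWARD"].insert(0, Rule("ACCEPT", proto="udp", in_iface="eth1", dport=53))
    return t


# Constructed packets as centos-outer would see them on the FORWARD path.
PING = Packet("icmp", "eth1", "202.12.27.33")
DNS_QUERY = Packet("udp", "eth1", "130.158.XY.ZZ5", dport=53)          # resolver address masked as on the page
DNS_REPLY = Packet("udp", "eth0", "10.0.0.254", dport=40000, state="ESTABLISHED")
TELNET = Packet("tcp", "eth1", "198.51.100.7", dport=23)                # unrelated new connection

if __name__ == "__main__":
    for name, table in (("page", centos_outer_filter()), ("flushed", flushed_filter()), ("targeted", targeted_filter())):
        print(name, {k: table.verdict("FORWARD", v) for k, v in
                     (("ping", PING), ("dns", DNS_QUERY), ("telnet", TELNET))})
```

The model reproduces the page's observation (ping ACCEPT, DNS query REJECT) and makes the cost of the workaround visible: after the flush every forwarded connection, including the constructed telnet attempt, is accepted, whereas the targeted rule lets DNS through and still rejects the rest. The DNS reply is accepted even by the original table because conntrack marks it ESTABLISHED, so only the outbound NEW query needs a rule.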