wiki:TipAndDoc/VM/network/route

Version 2 (modified by mitty, 15 years ago)

--

static route

  • Uses the network described in ../

centos-inner

  • Only a route to 10.0.0.0/16 needs to be added

Failed attempt

  • Example without specifying a GW
  • centos-inner ~]$ sudo route add -net 10.0.0.0/16 dev eth1
  • centos-inner ~]$ route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.50.0    *               255.255.255.0   U     0      0        0 eth0
    10.2.0.0        *               255.255.0.0     U     0      0        0 eth2
    10.0.0.0        *               255.255.0.0     U     0      0        0 eth1
    10.1.0.0        *               255.255.0.0     U     0      0        0 eth1
    169.254.0.0     *               255.255.0.0     U     0      0        0 eth2
    default         192.168.50.1    0.0.0.0         UG    0      0        0 eth0
    
  • centos-inner ~]$ ping 10.0.0.10 -c 1
    PING 10.0.0.10 (10.0.0.10) 56(84) bytes of data.
    From 10.1.0.110 icmp_seq=1 Destination Host Unreachable
    
    --- 10.0.0.10 ping statistics ---
    1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
    
  • Delete the route
    • centos-inner ~]$ sudo route del -net 10.0.0.0/16 dev eth1

Correct configuration

  • Specify the GW
  • centos-inner ~]$ sudo route add -net 10.0.0.0/16 gw 10.1.0.254 dev eth1
  • centos-inner ~]$ route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.50.0    *               255.255.255.0   U     0      0        0 eth0
    10.2.0.0        *               255.255.0.0     U     0      0        0 eth2
    10.0.0.0        10.1.0.254      255.255.0.0     UG    0      0        0 eth1
    10.1.0.0        *               255.255.0.0     U     0      0        0 eth1
    169.254.0.0     *               255.255.0.0     U     0      0        0 eth2
    default         192.168.50.1    0.0.0.0         UG    0      0        0 eth0
    
  • centos-inner ~]$ ip route
    192.168.50.0/24 dev eth0  proto kernel  scope link  src 192.168.50.110
    10.2.0.0/16 dev eth2  proto kernel  scope link  src 10.2.0.110
    10.0.0.0/16 via 10.1.0.254 dev eth1
    10.1.0.0/16 dev eth1  proto kernel  scope link  src 10.1.0.110
    169.254.0.0/16 dev eth2  scope link
    default via 192.168.50.1 dev eth0
    
  • Equivalent commands
    • sudo route add -net 10.0.0.0/16 gw 10.1.0.254
    • sudo route add -net 10.0.0.0 netmask 255.255.0.0 gw 10.1.0.254
    • sudo ip route add 10.0.0.0/16 via 10.1.0.254
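
As an added example (not part of the original page), the following Python script models the kernel's route lookup over the two tables above, rewritten in `ip route` syntax and embedded as constructed sample data, to show why the gateway-less route ends in "Destination Host Unreachable": the kernel treats 10.0.0.10 as on-link and ARPs for it on eth1, whereas with `via 10.1.0.254` it ARPs for the gateway, which is reachable through the connected 10.1.0.0/16 route. The `next_hop` helper and its refusal of a gateway that does not lie on a connected route of the same interface are assumptions of this example, mirroring the check the kernel applies when a route is added.

```python
import ipaddress

# Constructed sample: the page's failed table written in `ip route` syntax
# (`route add -net 10.0.0.0/16 dev eth1` with no gw yields an on-link route).
BROKEN = """\
192.168.50.0/24 dev eth0 proto kernel scope link src 192.168.50.110
10.2.0.0/16 dev eth2 proto kernel scope link src 10.2.0.110
10.0.0.0/16 dev eth1 scope link
10.1.0.0/16 dev eth1 proto kernel scope link src 10.1.0.110
default via 192.168.50.1 dev eth0
"""
# The corrected table, as `ip route` prints it on the page.
FIXED = BROKEN.replace("10.0.0.0/16 dev eth1 scope link",
                       "10.0.0.0/16 via 10.1.0.254 dev eth1")

def parse_routes(text):
    """Parse `ip route` lines into (network, gateway or None, dev) tuples."""
    routes = []
    for f in (line.split() for line in text.splitlines() if line.strip()):
        net = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0])
        gw = ipaddress.ip_address(f[f.index("via") + 1]) if "via" in f else None
        routes.append((net, gw, f[f.index("dev") + 1]))
    return routes

def lookup(routes, dst):
    """Longest-prefix match over the table, as the kernel FIB lookup does."""
    dst = ipaddress.ip_address(dst)
    return max((r for r in routes if dst in r[0]),
               key=lambda r: r[0].prefixlen, default=None)

def next_hop(routes, dst):
    """Return (neighbour_ip, dev, kind): the address the kernel will ARP for.
    kind is 'onlink' (no gateway, so it ARPs for dst itself) or 'gateway'.
    Assumed check: the gateway must lie on a connected route of the same dev."""
    r = lookup(routes, dst)
    if r is None:
        raise ValueError(f"no route to {dst}")
    _net, gw, dev = r
    if gw is None:
        return (str(dst), dev, "onlink")
    gr = lookup(routes, str(gw))
    if gr is None or gr[1] is not None or gr[2] != dev:
        raise ValueError(f"gateway {gw} is not directly reachable on {dev}")
    return (str(gw), dev, "gateway")

if __name__ == "__main__":
    for name, table in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, next_hop(parse_routes(table), "10.0.0.10"))
```

Running it prints the on-link result for the broken table and the gateway result for the fixed one; the page's tcpdump traces show exactly that difference on centos-inner:eth1.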

Result

  • centos-inner ~]$ ping 10.0.0.10 -c 1
    PING 10.0.0.10 (10.0.0.10) 56(84) bytes of data.
    64 bytes from 10.0.0.10: icmp_seq=1 ttl=63 time=7.59 ms
    
    --- 10.0.0.10 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 7.595/7.595/7.595/0.000 ms
    
    1. centos-inner:eth1
      23:30:59.173104 IP 10.1.0.110 > 10.0.0.10: ICMP echo request, id 36879, seq 1, length 64
      23:30:59.177896 IP 10.0.0.10 > 10.1.0.110: ICMP echo reply, id 36879, seq 1, length 64
      
    2. ubuntu-router:eth1
      23:30:59.228193 IP 10.1.0.110 > 10.0.0.10: ICMP echo request, id 36879, seq 1, length 64
      23:30:59.231724 IP 10.0.0.10 > 10.1.0.110: ICMP echo reply, id 36879, seq 1, length 64
      
    3. ubuntu-router:eth0
      23:30:59.229467 IP 10.1.0.110 > 10.0.0.10: ICMP echo request, id 36879, seq 1, length 64
      23:30:59.231524 IP 10.0.0.10 > 10.1.0.110: ICMP echo reply, id 36879, seq 1, length 64
      
    4. ubuntu-outer:eth1
      23:30:59.230167 IP 10.1.0.110 > 10.0.0.10: ICMP echo request, id 36879, seq 1, length 64
      23:30:59.230345 IP 10.0.0.10 > 10.1.0.110: ICMP echo reply, id 36879, seq 1, length 64
      

Remaining issues

  • Outbound and return paths of the packets still differ
    • see also ping
    • Cannot be resolved without configuring a rule with iproute (ip rule)
  • ubuntu-outer <=(router)=> centos-inner
  • Packet path
    1. ubuntu-outer:eth1
    2. router:eth0
    3. router:eth2
    4. centos-inner:eth2
    5. centos-inner:eth1
    6. router:eth1
    7. router:eth0
    8. ubuntu-outer:eth1
  • ubuntu-outer:~$ ping 10.2.0.110 -c 1
    PING 10.2.0.110 (10.2.0.110) 56(84) bytes of data.
    64 bytes from 10.2.0.110: icmp_seq=1 ttl=63 time=3.79 ms
    
    --- 10.2.0.110 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 3.792/3.792/3.792/0.000 ms
    
    1. ubuntu-outer:eth1
      03:31:52.084210 IP 10.0.0.10 > 10.2.0.110: ICMP echo request, id 14881, seq 1, length 64
      03:31:52.087987 IP 10.2.0.110 > 10.0.0.10: ICMP echo reply, id 14881, seq 1, length 64
      
    2. ubuntu-router:eth0
      03:31:52.086225 IP 10.0.0.10 > 10.2.0.110: ICMP echo request, id 14881, seq 1, length 64
      03:31:52.088104 IP 10.2.0.110 > 10.0.0.10: ICMP echo reply, id 14881, seq 1, length 64
      
    3. ubuntu-router:eth2
      03:31:52.086987 IP 10.0.0.10 > 10.2.0.110: ICMP echo request, id 14881, seq 1, length 64
      
    4. centos-inner:eth2
      03:31:51.922144 IP 10.0.0.10 > 10.2.0.110: ICMP echo request, id 14881, seq 1, length 64
      
    5. centos-inner:eth1
      03:31:51.924352 IP 10.2.0.110 > 10.0.0.10: ICMP echo reply, id 14881, seq 1, length 64
      
    6. ubuntu-router:eth1
      03:31:52.088093 IP 10.2.0.110 > 10.0.0.10: ICMP echo reply, id 14881, seq 1, length 64
      

centos-outer

  • Even after configuring only the centos-inner side as above, communication fails because the GW configuration on centos-outer is not correct
    • centos-inner -> 10.0.0.20(centos-outer)
      • 100% packet loss
  • centos-outer ~]$ sudo route add -net 10.1.0.0 netmask 255.255.0.0 gw 10.0.0.254
  • centos-outer ~]$ route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.40.0    *               255.255.255.0   U     0      0        0 eth0
    10.0.0.0        *               255.255.0.0     U     0      0        0 eth1
    10.1.0.0        10.0.0.254      255.255.0.0     UG    0      0        0 eth1
    169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
    default         192.168.40.1    0.0.0.0         UG    0      0        0 eth0
    
  • centos-inner ~]$ ping 10.0.0.20 -c 1
    PING 10.0.0.20 (10.0.0.20) 56(84) bytes of data.
    64 bytes from 10.0.0.20: icmp_seq=1 ttl=63 time=11.2 ms
    
    --- 10.0.0.20 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 11.297/11.297/11.297/0.000 ms
    
    1. centos-inner:eth1
      02:37:22.195583 IP 10.1.0.110 > 10.0.0.20: ICMP echo request, id 36626, seq 1, length 64
      02:37:22.201576 IP 10.0.0.20 > 10.1.0.110: ICMP echo reply, id 36626, seq 1, length 64
      
    2. ubuntu-router:eth1
      02:37:22.301243 IP 10.1.0.110 > 10.0.0.20: ICMP echo request, id 36626, seq 1, length 64
      02:37:22.310362 IP 10.0.0.20 > 10.1.0.110: ICMP echo reply, id 36626, seq 1, length 64
      
    3. ubuntu-router:eth0
      02:37:22.304480 IP 10.1.0.110 > 10.0.0.20: ICMP echo request, id 36626, seq 1, length 64
      02:37:22.310159 IP 10.0.0.20 > 10.1.0.110: ICMP echo reply, id 36626, seq 1, length 64
      
    4. centos-outer:eth1
      02:37:22.012423 IP 10.1.0.110 > 10.0.0.20: ICMP echo request, id 36626, seq 1, length 64
      02:37:22.013349 IP 10.0.0.20 > 10.1.0.110: ICMP echo reply, id 36626, seq 1, length 64
      
  • Likewise, a route for the 10.2.0.0/16 side is also needed
    • ubuntu-inner-AB:~$ ping 10.0.0.20 -c 1 => loss
      1. centos-outer:eth1
        02:41:53.171490 IP 10.2.0.30 > 10.0.0.20: ICMP echo request, id 9759, seq 1, length 64
        
      2. centos-outer:eth0
        02:41:53.172303 IP 10.0.0.20 > 10.2.0.30: ICMP echo reply, id 9759, seq 1, length 64
        
    • centos-outer ~]$ sudo route add -net 10.2.0.0/16 gw 10.0.0.254
    • centos-outer ~]$ route
      Kernel IP routing table
      Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
      192.168.40.0    *               255.255.255.0   U     0      0        0 eth0
      10.2.0.0        10.0.0.254      255.255.0.0     UG    0      0        0 eth1
      10.0.0.0        *               255.255.0.0     U     0      0        0 eth1
      10.1.0.0        10.0.0.254      255.255.0.0     UG    0      0        0 eth1
      169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
      default         192.168.40.1    0.0.0.0         UG    0      0        0 eth0
      
    • centos-outer ~]$ ip route
      192.168.40.0/24 dev eth0  proto kernel  scope link  src 192.168.40.20
      10.2.0.0/16 via 10.0.0.254 dev eth1
      10.0.0.0/16 dev eth1  proto kernel  scope link  src 10.0.0.20
      10.1.0.0/16 via 10.0.0.254 dev eth1
      169.254.0.0/16 dev eth1  scope link
      default via 192.168.40.1 dev eth0
      
    • With this, communication works normally

static route + IP MASQUERADE

  • centos-outer ~]$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    • With this, communication with the WAN becomes possible
    • ubuntu-inner-AB:~$ ping 202.12.27.33 -c 1
      PING 202.12.27.33 (202.12.27.33) 56(84) bytes of data.
      64 bytes from 202.12.27.33: icmp_seq=1 ttl=238 time=16.5 ms
      
      --- 202.12.27.33 ping statistics ---
      1 packets transmitted, 1 received, 0% packet loss, time 0ms
      rtt min/avg/max/mdev = 16.543/16.543/16.543/0.000 ms
      

DNS

  • /etc/resolv.conf
    nameserver 130.158.XY.ZZ5
    nameserver 130.158.XY.ZZ6
    
  • For some reason, name resolution fails
  • ubuntu-router:~$ ping www.coins.tsukuba.ac.jp -c 1
    ping: unknown host www.coins.tsukuba.ac.jp
    
    • ubuntu-router:eth0
      03:00:02.915007 IP 10.0.0.20 > 10.0.0.254: ICMP host 130.158.XY.ZZ5 unreachable - admin prohibited, length 77
      03:00:02.918149 IP 10.0.0.20 > 10.0.0.254: ICMP host 130.158.XY.ZZ6 unreachable - admin prohibited, length 77
      03:00:02.920515 IP 10.0.0.20 > 10.0.0.254: ICMP host 130.158.XY.ZZ5 unreachable - admin prohibited, length 77
      03:00:02.922796 IP 10.0.0.20 > 10.0.0.254: ICMP host 130.158.XY.ZZ6 unreachable - admin prohibited, length 77
      03:00:02.925276 IP 10.0.0.20 > 10.0.0.254: ICMP host 130.158.XY.ZZ5 unreachable - admin prohibited, length 77
      03:00:02.928189 IP 10.0.0.20 > 10.0.0.254: ICMP host 130.158.XY.ZZ6 unreachable - admin prohibited, length 77
      03:00:07.924515 IP 10.0.0.20 > 10.0.0.254: ICMP host 130.158.XY.ZZ6 unreachable - admin prohibited, length 77
      
  • centos-outer ~]$ sudo iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    RH-Firewall-1-INPUT  all  --  anywhere             anywhere
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    RH-Firewall-1-INPUT  all  --  anywhere             anywhere
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain RH-Firewall-1-INPUT (2 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     icmp --  anywhere             anywhere            icmp any
    ACCEPT     esp  --  anywhere             anywhere
    ACCEPT     ah   --  anywhere             anywhere
    ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
    
    • The reject-with icmp-host-prohibited rule is probably the culprit, but for now worked around it by flushing the filter table (note: this is equivalent to disabling the firewall)
    • centos-outer ~]$ sudo iptables -F
      • centos-outer ~]$ sudo iptables -L
        Chain INPUT (policy ACCEPT)
        target     prot opt source               destination
        
        Chain FORWARD (policy ACCEPT)
        target     prot opt source               destination
        
        Chain OUTPUT (policy ACCEPT)
        target     prot opt source               destination
        
        Chain RH-Firewall-1-INPUT (0 references)
        target     prot opt source               destination
        
    • Name resolution now works as well
    • ubuntu-inner-BB:~$ host M.ROOT-SERVERS.NET.
      M.ROOT-SERVERS.NET has address 202.12.27.33
      M.ROOT-SERVERS.NET has IPv6 address 2001:dc3::35