Version 5 (modified by mitty, 15 years ago)
static route
- see also wiki:TipAndDoc/network/iproute
- uses the network described in ../
centos-inner
- see ping
- only a route to 10.0.0.0/16 needs to be added
Failing example
- gateway not specified: the kernel then treats 10.0.0.0/16 as directly attached to eth1 and ARPs for 10.0.0.10 on that link, and nothing answers
- centos-inner ~]$ sudo route add -net 10.0.0.0/16 dev eth1
- centos-inner ~]$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.50.0    *               255.255.255.0   U     0      0        0 eth0
10.2.0.0        *               255.255.0.0     U     0      0        0 eth2
10.0.0.0        *               255.255.0.0     U     0      0        0 eth1
10.1.0.0        *               255.255.0.0     U     0      0        0 eth1
169.254.0.0     *               255.255.0.0     U     0      0        0 eth2
default         192.168.50.1    0.0.0.0         UG    0      0        0 eth0
- centos-inner ~]$ ping 10.0.0.10 -c 1
PING 10.0.0.10 (10.0.0.10) 56(84) bytes of data.
From 10.1.0.110 icmp_seq=1 Destination Host Unreachable

--- 10.0.0.10 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
- delete the route
- centos-inner ~]$ sudo route del -net 10.0.0.0/16 dev eth1
Correct configuration
- gateway specified
- centos-inner ~]$ sudo route add -net 10.0.0.0/16 gw 10.1.0.254 dev eth1
- centos-inner ~]$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.50.0    *               255.255.255.0   U     0      0        0 eth0
10.2.0.0        *               255.255.0.0     U     0      0        0 eth2
10.0.0.0        10.1.0.254      255.255.0.0     UG    0      0        0 eth1
10.1.0.0        *               255.255.0.0     U     0      0        0 eth1
169.254.0.0     *               255.255.0.0     U     0      0        0 eth2
default         192.168.50.1    0.0.0.0         UG    0      0        0 eth0
- centos-inner ~]$ ip route
192.168.50.0/24 dev eth0  proto kernel  scope link  src 192.168.50.110
10.2.0.0/16 dev eth2  proto kernel  scope link  src 10.2.0.110
10.0.0.0/16 via 10.1.0.254 dev eth1
10.1.0.0/16 dev eth1  proto kernel  scope link  src 10.1.0.110
169.254.0.0/16 dev eth2  scope link
default via 192.168.50.1 dev eth0
- commands with the same effect (dev eth1 can be omitted: the output interface is derived from the connected route to the gateway 10.1.0.254)
- sudo route add -net 10.0.0.0/16 gw 10.1.0.254
- sudo route add -net 10.0.0.0 netmask 255.255.0.0 gw 10.1.0.254
- sudo ip route add 10.0.0.0/16 via 10.1.0.254
Result
- centos-inner ~]$ ping 10.0.0.10 -c 1
PING 10.0.0.10 (10.0.0.10) 56(84) bytes of data.
64 bytes from 10.0.0.10: icmp_seq=1 ttl=63 time=7.59 ms

--- 10.0.0.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 7.595/7.595/7.595/0.000 ms
- centos-inner:eth1
23:30:59.173104 IP 10.1.0.110 > 10.0.0.10: ICMP echo request, id 36879, seq 1, length 64
23:30:59.177896 IP 10.0.0.10 > 10.1.0.110: ICMP echo reply, id 36879, seq 1, length 64
- ubuntu-router:eth1
23:30:59.228193 IP 10.1.0.110 > 10.0.0.10: ICMP echo request, id 36879, seq 1, length 64
23:30:59.231724 IP 10.0.0.10 > 10.1.0.110: ICMP echo reply, id 36879, seq 1, length 64
- ubuntu-router:eth0
23:30:59.229467 IP 10.1.0.110 > 10.0.0.10: ICMP echo request, id 36879, seq 1, length 64
23:30:59.231524 IP 10.0.0.10 > 10.1.0.110: ICMP echo reply, id 36879, seq 1, length 64
- ubuntu-outer:eth1
23:30:59.230167 IP 10.1.0.110 > 10.0.0.10: ICMP echo request, id 36879, seq 1, length 64
23:30:59.230345 IP 10.0.0.10 > 10.1.0.110: ICMP echo reply, id 36879, seq 1, length 64
- centos-inner:eth1
What is still insufficient
- ubuntu-outer <=(router)=> centos-inner
- packet path: the request reaches centos-inner on eth2 (via the router's eth2), but the reply leaves centos-inner on eth1, because centos-inner's only route to 10.0.0.0/16 is the one just added via 10.1.0.254 on eth1. The two directions therefore take different paths through the router. Note that strict reverse-path filtering (net.ipv4.conf.*.rp_filter=1) on centos-inner would drop the request arriving on eth2, since the return route to 10.0.0.10 points at eth1.
- ubuntu-outer:eth1
- router:eth0
- router:eth2
- centos-inner:eth2
- centos-inner:eth1
- router:eth1
- router:eth0
- ubuntu-outer:eth1
- ubuntu-outer:~$ ping 10.2.0.110 -c 1
PING 10.2.0.110 (10.2.0.110) 56(84) bytes of data.
64 bytes from 10.2.0.110: icmp_seq=1 ttl=63 time=3.79 ms

--- 10.2.0.110 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.792/3.792/3.792/0.000 ms
- ubuntu-outer:eth1
03:31:52.084210 IP 10.0.0.10 > 10.2.0.110: ICMP echo request, id 14881, seq 1, length 64
03:31:52.087987 IP 10.2.0.110 > 10.0.0.10: ICMP echo reply, id 14881, seq 1, length 64
- ubuntu-router:eth0
03:31:52.086225 IP 10.0.0.10 > 10.2.0.110: ICMP echo request, id 14881, seq 1, length 64
03:31:52.088104 IP 10.2.0.110 > 10.0.0.10: ICMP echo reply, id 14881, seq 1, length 64
- ubuntu-router:eth2 (request only)
03:31:52.086987 IP 10.0.0.10 > 10.2.0.110: ICMP echo request, id 14881, seq 1, length 64
- centos-inner:eth2 (request only)
03:31:51.922144 IP 10.0.0.10 > 10.2.0.110: ICMP echo request, id 14881, seq 1, length 64
- centos-inner:eth1 (reply only)
03:31:51.924352 IP 10.2.0.110 > 10.0.0.10: ICMP echo reply, id 14881, seq 1, length 64
- ubuntu-router:eth1 (reply only)
03:31:52.088093 IP 10.2.0.110 > 10.0.0.10: ICMP echo reply, id 14881, seq 1, length 64
- ubuntu-outer:eth1
centos-outer
- Even with the centos-inner side configured as above, communication fails because centos-outer's gateway configuration is not correct yet (it has no route back to 10.1.0.0/16)
- centos-inner -> 10.0.0.20 (centos-outer)
- 100% packet loss
- add the return route on centos-outer so that centos-inner -> 10.0.0.20 (centos-outer) works
- centos-outer ~]$ sudo route add -net 10.1.0.0 netmask 255.255.0.0 gw 10.0.0.254
- centos-outer ~]$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.40.0    *               255.255.255.0   U     0      0        0 eth0
10.0.0.0        *               255.255.0.0     U     0      0        0 eth1
10.1.0.0        10.0.0.254      255.255.0.0     UG    0      0        0 eth1
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
default         192.168.40.1    0.0.0.0         UG    0      0        0 eth0
- centos-inner ~]$ ping 10.0.0.20 -c 1
PING 10.0.0.20 (10.0.0.20) 56(84) bytes of data.
64 bytes from 10.0.0.20: icmp_seq=1 ttl=63 time=11.2 ms

--- 10.0.0.20 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 11.297/11.297/11.297/0.000 ms
- centos-inner:eth1
02:37:22.195583 IP 10.1.0.110 > 10.0.0.20: ICMP echo request, id 36626, seq 1, length 64
02:37:22.201576 IP 10.0.0.20 > 10.1.0.110: ICMP echo reply, id 36626, seq 1, length 64
- ubuntu-router:eth1
02:37:22.301243 IP 10.1.0.110 > 10.0.0.20: ICMP echo request, id 36626, seq 1, length 64
02:37:22.310362 IP 10.0.0.20 > 10.1.0.110: ICMP echo reply, id 36626, seq 1, length 64
- ubuntu-router:eth0
02:37:22.304480 IP 10.1.0.110 > 10.0.0.20: ICMP echo request, id 36626, seq 1, length 64
02:37:22.310159 IP 10.0.0.20 > 10.1.0.110: ICMP echo reply, id 36626, seq 1, length 64
- centos-outer:eth1
02:37:22.012423 IP 10.1.0.110 > 10.0.0.20: ICMP echo request, id 36626, seq 1, length 64
02:37:22.013349 IP 10.0.0.20 > 10.1.0.110: ICMP echo reply, id 36626, seq 1, length 64
- centos-inner:eth1
- Likewise, a route for the 10.2.0.0/16 side is needed as well
- ubuntu-inner-AB:~$ ping 10.0.0.20 -c 1 => loss
- centos-outer:eth1
02:41:53.171490 IP 10.2.0.30 > 10.0.0.20: ICMP echo request, id 9759, seq 1, length 64
- centos-outer:eth0
02:41:53.172303 IP 10.0.0.20 > 10.2.0.30: ICMP echo reply, id 9759, seq 1, length 64
- centos-outer:eth1: nothing. With no route to 10.2.0.0/16, the reply follows the default route (192.168.40.1) out eth0 instead of going back to the router on eth1, so it never reaches ubuntu-inner-AB
- centos-outer ~]$ sudo route add -net 10.2.0.0/16 gw 10.0.0.254
- centos-outer ~]$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.40.0    *               255.255.255.0   U     0      0        0 eth0
10.2.0.0        10.0.0.254      255.255.0.0     UG    0      0        0 eth1
10.0.0.0        *               255.255.0.0     U     0      0        0 eth1
10.1.0.0        10.0.0.254      255.255.0.0     UG    0      0        0 eth1
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
default         192.168.40.1    0.0.0.0         UG    0      0        0 eth0
- centos-outer ~]$ ip route
192.168.40.0/24 dev eth0  proto kernel  scope link  src 192.168.40.20
10.2.0.0/16 via 10.0.0.254 dev eth1
10.0.0.0/16 dev eth1  proto kernel  scope link  src 10.0.0.20
10.1.0.0/16 via 10.0.0.254 dev eth1
169.254.0.0/16 dev eth1  scope link
default via 192.168.40.1 dev eth0
- With this, communication works normally
- ubuntu-inner-AB:~$ ping 10.0.0.20 -c 1 => OK
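Both failures above (the asymmetric path through the router, and the reply to 10.2.0.30 escaping via eth0) come from one mechanism: the kernel forwards on the most specific matching route, and until a 10.2.0.0/16 entry exists the only match is the default route. The script below is an added example, not part of the original wiki page. It implements that longest-prefix match in shell over copies of the `ip route` tables shown above (the tables are constructed from the page's output in a "prefix nexthop dev" format of my own, with "-" for directly connected routes; the function names are likewise my own) and also reports whether a reply would leave on the interface the request came in on, which is the asymmetry seen in the ubuntu-outer <=(router)=> centos-inner capture.

```shell
#!/bin/bash
# Added example (not from the wiki page): longest-prefix-match lookup over
# constructed copies of the route tables shown on this page.
# Table format per line: "<prefix>/<len> <nexthop|-> <dev>", "-" = connected.

# centos-inner after "route add -net 10.0.0.0/16 gw 10.1.0.254 dev eth1"
ROUTES_INNER="192.168.50.0/24 - eth0
10.2.0.0/16 - eth2
10.0.0.0/16 10.1.0.254 eth1
10.1.0.0/16 - eth1
169.254.0.0/16 - eth2
0.0.0.0/0 192.168.50.1 eth0"

# centos-outer with only the 10.1.0.0/16 route added
ROUTES_OUTER_BEFORE="192.168.40.0/24 - eth0
10.0.0.0/16 - eth1
10.1.0.0/16 10.0.0.254 eth1
169.254.0.0/16 - eth1
0.0.0.0/0 192.168.40.1 eth0"

# centos-outer after "route add -net 10.2.0.0/16 gw 10.0.0.254"
ROUTES_OUTER_AFTER="10.2.0.0/16 10.0.0.254 eth1
$ROUTES_OUTER_BEFORE"

# ip2int 10.1.0.110 -> 167837806 (dotted quad to 32-bit integer)
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# lookup <dst-ip> <table>: print "<prefix> <nexthop> <dev>" of the most
# specific matching route, or "none" if nothing (not even default) matches
lookup() {
    local dst best_len=-1 best=none prefix nh dev net len mask
    dst=$(ip2int "$1")
    while read -r prefix nh dev; do
        [ -n "$prefix" ] || continue
        net=${prefix%/*}
        len=${prefix#*/}
        # /0 yields mask 0, so the default route matches everything
        mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
        if [ $(( dst & mask )) -eq $(( $(ip2int "$net") & mask )) ] \
           && [ "$len" -gt "$best_len" ]; then
            best_len=$len
            best="$prefix $nh $dev"
        fi
    done <<EOF
$2
EOF
    echo "$best"
}

# egress_dev <dst-ip> <table>: only the interface the packet leaves on
egress_dev() {
    set -- $(lookup "$1" "$2")
    echo "${3:-none}"
}

# reply_path <peer-ip> <ingress-dev> <table>: "symmetric" when the reply to
# <peer-ip> leaves on the interface the request arrived on, otherwise
# "asymmetric" (strict rp_filter=1 would have dropped the request then)
reply_path() {
    if [ "$(egress_dev "$1" "$3")" = "$2" ]; then
        echo symmetric
    else
        echo asymmetric
    fi
}

# Stand-alone demonstration with the page's addresses
echo "centos-inner -> 10.0.0.10: $(lookup 10.0.0.10 "$ROUTES_INNER")"
echo "request from 10.0.0.10 arrived on eth2, reply path: $(reply_path 10.0.0.10 eth2 "$ROUTES_INNER")"
echo "centos-outer -> 10.2.0.30 before: $(lookup 10.2.0.30 "$ROUTES_OUTER_BEFORE")"
echo "centos-outer -> 10.2.0.30 after:  $(lookup 10.2.0.30 "$ROUTES_OUTER_AFTER")"
```

Run it as-is to see the four lookups; the "before" line resolves to the default route on eth0, which is exactly why the reply in the centos-outer:eth0 capture above never came back through the router.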
static route + IP MASQUERADE
- see also masquerade
- centos-outer ~]$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
- This gives the inner networks access to the WAN (IP forwarding must be enabled on centos-outer, net.ipv4.ip_forward=1). Note that the rule as written masquerades anything routed out eth0 regardless of where it came from, not only the 10.x.0.0/16 networks
- ubuntu-inner-AB:~$ ping 202.12.27.33 -c 1
PING 202.12.27.33 (202.12.27.33) 56(84) bytes of data.
64 bytes from 202.12.27.33: icmp_seq=1 ttl=238 time=16.5 ms

--- 202.12.27.33 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 16.543/16.543/16.543/0.000 ms
DNS
- /etc/resolv.conf
nameserver 130.158.XY.ZZ5
nameserver 130.158.XY.ZZ6
- For some reason name resolution does not work
- ubuntu-router:~$ ping www.coins.tsukuba.ac.jp -c 1
ping: unknown host www.coins.tsukuba.ac.jp
- ubuntu-router:eth0
03:00:02.915007 IP 10.0.0.20 > 10.0.0.254: ICMP host 130.158.XY.ZZ5 unreachable - admin prohibited, length 77
03:00:02.918149 IP 10.0.0.20 > 10.0.0.254: ICMP host 130.158.XY.ZZ6 unreachable - admin prohibited, length 77
03:00:02.920515 IP 10.0.0.20 > 10.0.0.254: ICMP host 130.158.XY.ZZ5 unreachable - admin prohibited, length 77
03:00:02.922796 IP 10.0.0.20 > 10.0.0.254: ICMP host 130.158.XY.ZZ6 unreachable - admin prohibited, length 77
03:00:02.925276 IP 10.0.0.20 > 10.0.0.254: ICMP host 130.158.XY.ZZ5 unreachable - admin prohibited, length 77
03:00:02.928189 IP 10.0.0.20 > 10.0.0.254: ICMP host 130.158.XY.ZZ6 unreachable - admin prohibited, length 77
03:00:07.924515 IP 10.0.0.20 > 10.0.0.254: ICMP host 130.158.XY.ZZ6 unreachable - admin prohibited, length 77
- centos-outer ~]$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
- The cause is the final REJECT ... reject-with icmp-host-prohibited rule: the FORWARD chain jumps into RH-Firewall-1-INPUT just like INPUT does, and that chain only accepts ICMP, esp/ah, mDNS, IPP, SSH and RELATED,ESTABLISHED traffic, so forwarded DNS queries (port 53) are rejected with exactly the "admin prohibited" ICMP seen above, while ping was explicitly allowed. As a quick workaround, flush the filter table (note that this is the same as disabling the firewall; the proper fix is an ACCEPT for the forwarded traffic placed before the jump)
- centos-outer ~]$ sudo iptables -F
- centos-outer ~]$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination
- Now name resolution works as well
- ubuntu-inner-BB:~$ host M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET has address 202.12.27.33
M.ROOT-SERVERS.NET has IPv6 address 2001:dc3::35
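Flushing the filter table makes the DNS queries work but leaves centos-outer with no firewall at all. The script below is an added example, not from the original page, showing the targeted alternative for the "static route + IP MASQUERADE" and DNS sections above: it keeps RH-Firewall-1-INPUT intact, inserts ACCEPT rules into FORWARD ahead of the jump (so the inner networks can reach the WAN and the replies can come back), enables IP forwarding, and adds MASQUERADE on eth0 restricted to the three inner subnets rather than to everything, which goes slightly beyond the page's own rule. The interface names and subnets are the page's; the function names, the DRY_RUN switch and the use of iptables -C for idempotence (available in iptables 1.4.11 and later) are my own assumptions. Run with DRY_RUN=0 as root to apply.

```shell
#!/bin/bash
# Added example (not from the wiki page): targeted FORWARD/NAT rules for
# centos-outer instead of "iptables -F". DRY_RUN=1 (default) only prints
# the commands; DRY_RUN=0 executes them and needs root.
DRY_RUN=${DRY_RUN:-1}
LAN_IF=eth1                                      # side facing ubuntu-router
WAN_IF=eth0                                      # side facing 192.168.40.0/24
INNER_NETS="10.0.0.0/16 10.1.0.0/16 10.2.0.0/16" # networks behind the router

# run <cmd...>: echo the command in dry-run mode, execute it otherwise
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# ensure_rule <table> <chain> <rule...>: insert at the top of the chain,
# i.e. before the jump to RH-Firewall-1-INPUT, unless an identical rule is
# already present (iptables -C returns 0 when the rule exists)
ensure_rule() {
    local table=$1 chain=$2
    shift 2
    if [ "$DRY_RUN" = 1 ] || ! iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        run iptables -t "$table" -I "$chain" "$@"
    fi
}

# Routing between interfaces is off by default on a Linux host
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Only traffic originating from the inner networks may be forwarded out to
# the WAN; from the WAN side only replies to those flows are forwarded back
allow_inner_to_wan() {
    local net
    ensure_rule filter FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
    for net in $INNER_NETS; do
        ensure_rule filter FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$net" -j ACCEPT
    done
}

# The page's MASQUERADE rule, limited to the inner source networks
masquerade_wan() {
    local net
    for net in $INNER_NETS; do
        ensure_rule nat POSTROUTING -s "$net" -o "$WAN_IF" -j MASQUERADE
    done
}

enable_forwarding
allow_inner_to_wan
masquerade_wan
```

Because the rules are inserted with -I they sit above the existing jump to RH-Firewall-1-INPUT, so the final REJECT in that chain still applies to everything else that is forwarded, including anything the WAN side tries to push into the lab.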