使用linux系统做路由转发

使用linux系统(PC机)做路由转发

关键字：linux,Fedora,route,iptables,ip_forward

　　最近做网络实验，在实验过程中需要用到linux的转发功能，但是遇到一些问题，在请教了linux网络技术的网友后终于把它解决了，解决了之后我开始总结之前失败的原因，并将历程写成博文，供以后遇到这类问题的各位朋友参考借鉴。

　　1、网络拓扑

　　网络拓扑如下所示，我们在这里用到了三台机子做实验，分别是①、④、⑦号机，使用①号机ping⑦号机，④号机作为路由转发。

　　2、错误的路由配置

　　首先我们使用如下的配置方法，配置这三台机子的路由表：

　　1）在①号机种配置如下，让目的网段是10.0.4.0/24的从eth1端口出去

route  add -net 10.0.4.0/24 dev eth1

　　在①号机的查看路由表输入如下命令：

route -n

　　①号机的路由表的结果如下：

　　2）在⑦号机使用同样方法配置路由，结果如下：

　　3）在4号机配置路由转发功能，即将/etc/sysctl.conf文件里面的net.ipv4.ip_forward的值置1：

　　4）所有的配置已经完成，我们在①号机ping④号机

ping  10.0.4.3

　　结果如下，即ping 不通：

PING 10.0.4.3 (10.0.4.3) 56(84) bytes of data.
From 10.0.1.3 icmp_seq=2 Destination Host Unreachable
From 10.0.1.3 icmp_seq=3 Destination Host Unreachable
From 10.0.1.3 icmp_seq=4 Destination Host Unreachable
From 10.0.1.3 icmp_seq=6 Destination Host Unreachable
From 10.0.1.3 icmp_seq=7 Destination Host Unreachable
From 10.0.1.3 icmp_seq=8 Destination Host Unreachable

　　这里为了方便研究，把①号机的eth1配置放出来

eth1      Link encap:Ethernet  HWaddr 00:16:EC:AF:CB:CB
          inet addr:10.0.1.3  Bcast:10.255.255.255  Mask:255.255.255.0
          inet6 addr: fe80::216:ecff:feaf:cbcb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4564 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6688 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:459463 (448.6 KiB)  TX bytes:546633 (533.8 KiB)
          Interrupt:23 Base address:0x6000 

　　在①号机ping 的同时，我在④号机抓eth1包，结果如下：

[[email protected]~]# tcpdump -i eth1 -enn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
15:26:44.388614 00:16:ec:af:cb:cb > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.4.3 tell 10.0.1.3, length 46
15:26:45.391014 00:16:ec:af:cb:cb > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.4.3 tell 10.0.1.3, length 46
15:26:47.387821 00:16:ec:af:cb:cb > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.4.3 tell 10.0.1.3, length 46
15:26:48.391220 00:16:ec:af:cb:cb > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.4.3 tell 10.0.1.3, length 46
15:26:49.392621 00:16:ec:af:cb:cb > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.4.3 tell 10.0.1.3, length 46

　　可见①号一直在寻找配有10.0.4.3 IP的机子的mac地址，即一直在发arp包。但是路由器（④号机）默认是不转发arp报文的，所有①号机永远也ping不通⑦号机。

　　3、正确的配置

　　在①号机种配置路由，命令如下：

route add -net 10.0.4.0/24 gw 10.0.1.2

　　这时候①号机的路由表：

[[email protected] ~]#
[[email protected] ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.4.0        10.0.1.2        255.255.255.0   UG    0      0        0 eth1
10.0.5.0        0.0.0.0         255.255.255.0   U     0      0        0 eth2
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.99.0    0.0.0.0         255.255.255.0   U     1      0        0 eth0
0.0.0.0         192.168.99.1    0.0.0.0         UG    0      0        0 eth0

　　同样的方法配置⑦号机的路由表

[email protected]:~# route -n
内核 IP 路由表
目标            网关            子网掩码        标志  跃点   引用  使用 接口
0.0.0.0         192.168.99.1    0.0.0.0         UG    0      0        0 eth0
10.0.1.0        10.0.4.2        255.255.255.0   UG    0      0        0 eth1
10.0.4.0        0.0.0.0         255.255.255.0   U     1      0        0 eth1
10.0.7.0        0.0.0.0         255.255.255.0   U     1      0        0 eth2
192.168.99.0    0.0.0.0         255.255.255.0   U     1      0        0 eth0

　　下面再进行ping测试，在①号机ping⑦号机，结果能够ping通。在这里我们问了方便分析,首先列出各网卡的MAC地址

①号机 eth1:HWaddr 00:16:EC:AF:CB:CB
④号机 eth1:HWaddr 40:61:86:32:8F:0B
④号机 eth4:HWaddr 40:61:86:32:8F:0E
⑦号机 eth1:HWaddr 00:25:90:93:40:79

　　④号机eth1抓包如下：

[[email protected] ~]# tcpdump -i eth1 -enn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
16:02:26.809445 00:16:ec:af:cb:cb > 40:61:86:32:8f:0b, ethertype IPv4 (0x0800), length 98: 10.0.1.3 > 10.0.4.3: ICMP echo request, id 8079, seq 1, length 64
16:02:26.810723 40:61:86:32:8f:0b > 00:16:ec:af:cb:cb, ethertype IPv4 (0x0800), length 98: 10.0.4.3 > 10.0.1.3: ICMP echo reply, id 8079, seq 1, length 64
16:02:27.811847 00:16:ec:af:cb:cb > 40:61:86:32:8f:0b, ethertype IPv4 (0x0800), length 98: 10.0.1.3 > 10.0.4.3: ICMP echo request, id 8079, seq 2, length 64
16:02:27.813136 40:61:86:32:8f:0b > 00:16:ec:af:cb:cb, ethertype IPv4 (0x0800), length 98: 10.0.4.3 > 10.0.1.3: ICMP echo reply, id 8079, seq 2, length 64
16:02:28.813248 00:16:ec:af:cb:cb > 40:61:86:32:8f:0b, ethertype IPv4 (0x0800), length 98: 10.0.1.3 > 10.0.4.3: ICMP echo request, id 8079, seq 3, length 64
16:02:28.814551 40:61:86:32:8f:0b > 00:16:ec:af:cb:cb, ethertype IPv4 (0x0800), length 98: 10.0.4.3 > 10.0.1.3: ICMP echo reply, id 8079, seq 3, length 64
16:02:29.814648 00:16:ec:af:cb:cb > 40:61:86:32:8f:0b, ethertype IPv4 (0x0800), length 98: 10.0.1.3 > 10.0.4.3: ICMP echo request, id 8079, seq 4, length 64

　　④号机eth4抓包如下：

[email protected] ~]# tcpdump -i eth4 -enn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth4, link-type EN10MB (Ethernet), capture size 65535 bytes
16:02:26.809460 40:61:86:32:8f:0e > 00:25:90:93:40:79, ethertype IPv4 (0x0800), length 98: 10.0.1.3 > 10.0.4.3: ICMP echo request, id 8079, seq 1, length 64
16:02:26.810715 00:25:90:93:40:79 > 40:61:86:32:8f:0e, ethertype IPv4 (0x0800), length 98: 10.0.4.3 > 10.0.1.3: ICMP echo reply, id 8079, seq 1, length 64
16:02:27.811853 40:61:86:32:8f:0e > 00:25:90:93:40:79, ethertype IPv4 (0x0800), length 98: 10.0.1.3 > 10.0.4.3: ICMP echo request, id 8079, seq 2, length 64
16:02:27.813130 00:25:90:93:40:79 > 40:61:86:32:8f:0e, ethertype IPv4 (0x0800), length 98: 10.0.4.3 > 10.0.1.3: ICMP echo reply, id 8079, seq 2, length 64
16:02:28.813255 40:61:86:32:8f:0e > 00:25:90:93:40:79, ethertype IPv4 (0x0800), length 98: 10.0.1.3 > 10.0.4.3: ICMP echo request, id 8079, seq 3, length 64
16:02:28.814545 00:25:90:93:40:79 > 40:61:86:32:8f:0e, ethertype IPv4 (0x0800), length 98: 10.0.4.3 > 10.0.1.3: ICMP echo reply, id 8079, seq 3, length 64

　　⑦号机eth1抓包如下：

[email protected]:~# tcpdump -i eth1 -enn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
16:02:27.222853 40:61:86:32:8f:0e > 00:25:90:93:40:79, ethertype IPv4 (0x0800), length 98: 10.0.1.3 > 10.0.4.3: ICMP echo request, id 8079, seq 1, length 64
16:02:27.222867 00:25:90:93:40:79 > 40:61:86:32:8f:0e, ethertype IPv4 (0x0800), length 98: 10.0.4.3 > 10.0.1.3: ICMP echo reply, id 8079, seq 1, length 64
16:02:28.225226 40:61:86:32:8f:0e > 00:25:90:93:40:79, ethertype IPv4 (0x0800), length 98: 10.0.1.3 > 10.0.4.3: ICMP echo request, id 8079, seq 2, length 64
16:02:28.225237 00:25:90:93:40:79 > 40:61:86:32:8f:0e, ethertype IPv4 (0x0800), length 98: 10.0.4.3 > 10.0.1.3: ICMP echo reply, id 8079, seq 2, length 64
16:02:29.226638 40:61:86:32:8f:0e > 00:25:90:93:40:79, ethertype IPv4 (0x0800), length 98: 10.0.1.3 > 10.0.4.3: ICMP echo request, id 8079, seq 3, length 64
16:02:29.226649 00:25:90:93:40:79 > 40:61:86:32:8f:0e, ethertype IPv4 (0x0800), length 98: 10.0.4.3 > 10.0.1.3: ICMP echo reply, id 8079, seq 3, length 64
16:02:30.228059 40:61:86:32:8f:0e > 00:25:90:93:40:79, ethertype IPv4 (0x0800), length 98: 10.0.1.3 > 10.0.4.3: ICMP echo request, id 8079, seq 4, length 64

　　从抓取的包中我们不难看出，①号机在ping ⑦号机时，由于其中路由表配置了通过四号机的eth1（10.0.1.2）地址，这个地址对应的mac①号机已经缓存了，所有没有进行arp广播就直接开始发送ICMP包，并且目的ip是⑦号机，目的MAC是④号机的eth1的，之后在④号机路由中又将目的MAC变成了④号机的eth4的，目的ip不变，回来的过程相仿。

　　4、结论

　　由于linux路由器默认不转发arp报文到,所有若像”错误的配置“那样配置路由，①号机一直处在询问目的MAC的阶段而无法让路由器④号机转发数据包，所有我们可以通过”正确的配置“那样配置路由让①号机使用④号机eth1的MAC出去，然后再一步一步转发。或者通过”错误的配置“那样配置路由，然后在④号机中使用arp代理，从而让①号机获得⑦号机的MAC，从而从发送arp报文阶段到发送ICMP包阶段。