测试Linux配置路由转发功能。
参考
- 手把手带你将 Linux 主机配置为静态路由器
- tcpdump详解&实战
环境
操作系统
Centos7.9
网络环境
1. 三台主机的网卡 enp0s5 均在 10.211.55.0/24 网段,且网络可以通讯
- centos7-18的IP 10.211.55.18,作为路由服务端
- centos7-10的IP 10.211.55.10,作为子网连接端
- centos7-22的IP 10.211.55.22,作为子网连接端
2. 两台子网连接端配置子网IP
- 主机centos7-10 网卡enp0s5配置子网 192.168.10.100/32(子网一个IP)
- 主机centos7-22 网卡enp0s5配置子网 172.16.1.200/32(子网一个IP)
3. 配置子网连接端的静态路由
- 主机centos7-10(192.168.10.100/32),增加访问 172.16.1.200/32 的静态路由
- 主机centos7-22(172.16.1.200/32),增加访问 192.168.10.100/32 的静态路由
4. 开启路由服务端的路由转发功能
- 主机centos7-18(10.211.55.18), 配置访问 192.168.10.100 和 172.16.1.200的静态路由
- 主机centos7-18(10.211.55.18),开启路由转发功能,实现192.168.10.100/32 与 172.16.1.200/32 之间通讯。
测试步骤
1. 配置主机centos7-10
- 配置子网IP 192.168.10.100
[root@centos7-10 ~]# ip addr add 192.168.10.100 dev enp0s5
[root@centos7-10 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:1c:42:ae:b6:41 brd ff:ff:ff:ff:ff:ff
inet 10.211.55.10/24 brd 10.211.55.255 scope global noprefixroute dynamic enp0s5
valid_lft 1743sec preferred_lft 1743sec
inet 192.168.10.100/32 scope global enp0s5
valid_lft forever preferred_lft forever
inet6 fdb2:2c26:f4e4:0:cd1f:12f3:4076:6d89/64 scope global noprefixroute dynamic
valid_lft 2591943sec preferred_lft 604743sec
inet6 fe80::7e0c:1902:e1ca:4324/64 scope link noprefixroute
valid_lft forever preferred_lft forever
- 配置访问 172.16.1.200 的静态路由
[root@centos7-10 ~]# ip route 172.16.1.200 via 10.211.55.18 dev enp0s5
[root@centos7-10 ~]# ip route
default via 10.211.55.1 dev enp0s5 proto dhcp metric 100
10.211.55.0/24 dev enp0s5 proto kernel scope link src 10.211.55.10 metric 100
172.16.1.200 via 10.211.55.18 dev enp0s5
192.168.10.100 dev enp0s5 proto kernel scope link src 192.168.10.100 metric 100
[root@centos7-10 ~]#
2. 配置主机centos7-22
- 配置子网IP 172.16.1.200
[root@centos7-22 ~]# ip addr add 172.16.1.200 dev enp0s5
[root@centos7-22 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:1c:42:44:79:a5 brd ff:ff:ff:ff:ff:ff
inet 10.211.55.22/24 brd 10.211.55.255 scope global noprefixroute dynamic enp0s5
valid_lft 1605sec preferred_lft 1605sec
inet 172.16.1.200/32 scope global enp0s5
valid_lft forever preferred_lft forever
inet6 fdb2:2c26:f4e4:0:233e:38df:2cbd:cec1/64 scope global noprefixroute dynamic
valid_lft 2591809sec preferred_lft 604609sec
inet6 fe80::7e0c:1902:e1ca:4324/64 scope link tentative noprefixroute dadfailed
valid_lft forever preferred_lft forever
inet6 fe80::567a:248b:5e94:5d19/64 scope link noprefixroute
valid_lft forever preferred_lft forever
- 配置访问 192.168.10.100 的静态路由
[root@centos7-22 ~]# ip route add 192.168.10.100 via 10.211.55.18 dev enp0s5
[root@centos7-22 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:1c:42:44:79:a5 brd ff:ff:ff:ff:ff:ff
inet 10.211.55.22/24 brd 10.211.55.255 scope global noprefixroute dynamic enp0s5
valid_lft 1565sec preferred_lft 1565sec
inet 172.16.1.200/32 scope global enp0s5
valid_lft forever preferred_lft forever
inet6 fdb2:2c26:f4e4:0:233e:38df:2cbd:cec1/64 scope global noprefixroute dynamic
valid_lft 2591768sec preferred_lft 604568sec
inet6 fe80::7e0c:1902:e1ca:4324/64 scope link tentative noprefixroute dadfailed
valid_lft forever preferred_lft forever
inet6 fe80::567a:248b:5e94:5d19/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3. 配置主机centos7-18
- 配置访问 192.168.10.100 和 172.16.1.200 的静态路由
[root@centos7-18 ~]# ip route add 192.168.10.100 via 10.211.55.10 dev enp0s5
[root@centos7-18 ~]# ip route add 172.16.1.200 via 10.211.55.22 dev enp0s5
[root@centos7-18 ~]# ip route
default via 10.211.55.1 dev enp0s5
10.211.55.0/24 dev enp0s5 proto kernel scope link src 10.211.55.18
172.16.1.200 via 10.211.55.22 dev enp0s5
192.168.10.100 via 10.211.55.10 dev enp0s5
// 查看主机centos7-18的IP配置
[root@centos7-18 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:1c:42:60:87:b2 brd ff:ff:ff:ff:ff:ff
inet 10.211.55.18/24 brd 10.211.55.255 scope global enp0s5
valid_lft forever preferred_lft forever
inet6 fdb2:2c26:f4e4:0:21c:42ff:fe60:87b2/64 scope global mngtmpaddr dynamic
valid_lft 2591430sec preferred_lft 604230sec
inet6 fe80::21c:42ff:fe60:87b2/64 scope link
valid_lft forever preferred_lft forever
4. 路由转发测试
4.1 关闭路由转发测试
- centos7-18设置 net.ipv4.ip_forward = 0,关闭路由转发功能
- centos7-10测试 Ping 172.16.1.200,网络不通
// 设置 net.ipv4.ip_forward = 0,关闭路由转发功能
[root@centos7-18 ~]# sysctl -w net.ipv4.ip_forward=0
net.ipv4.ip_forward = 0
// 测试 192.168.10.100 Ping 172.16.1.200,网络不通
[root@centos7-10 ~]# ping 172.16.1.200 -c5
PING 172.16.1.200 (172.16.1.200) 56(84) bytes of data.
--- 172.16.1.200 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4017ms
[root@centos7-10 ~]#
4.2 开启路由转发测试
- centos7-18设置 net.ipv4.ip_forward = 1,开启路由转发功能
- centos7-10测试 Ping 172.16.1.200,网络通
// 设置 net.ipv4.ip_forward = 1,开启路由转发功能
[root@centos7-18 ~]# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
// 测试 192.168.10.100 Ping 172.16.1.200,网络通
[root@centos7-10 ~]# ping 172.16.1.200 -c5
PING 172.16.1.200 (172.16.1.200) 56(84) bytes of data.
64 bytes from 172.16.1.200: icmp_seq=1 ttl=64 time=0.850 ms
From 10.211.55.18: icmp_seq=2 Redirect Host(New nexthop: 10.211.55.22)
64 bytes from 172.16.1.200: icmp_seq=2 ttl=64 time=0.752 ms
From 10.211.55.18: icmp_seq=3 Redirect Host(New nexthop: 10.211.55.22)
64 bytes from 172.16.1.200: icmp_seq=3 ttl=64 time=0.729 ms
From 10.211.55.18: icmp_seq=4 Redirect Host(New nexthop: 10.211.55.22)
64 bytes from 172.16.1.200: icmp_seq=4 ttl=64 time=0.471 ms
From 10.211.55.18: icmp_seq=5 Redirect Host(New nexthop: 10.211.55.22)
64 bytes from 172.16.1.200: icmp_seq=5 ttl=64 time=0.779 ms
--- 172.16.1.200 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4011ms
rtt min/avg/max/mdev = 0.471/0.716/0.850/0.130 ms
[root@centos7-10 ~]#
- 主机centos7-18 tcpdump抓包结果
- tcpdump -nn -e -i enp0s5 host not 10.211.55.2 and icmp
抓包排除ssh客户端 10.211.55.2
-nn 两个 n 表示不解析域名和端口
-e 在输出行打印出数据链路层的头部信息
-i 抓指定接口(网卡)的数据包
- tcpdump -nn -e -i enp0s5 host not 10.211.55.2 and icmp
[root@centos7-18 ~]# tcpdump -nn -e -i enp0s5 host not 10.211.55.2 and icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s5, link-type EN10MB (Ethernet), capture size 262144 bytes
// 00:1c:42:ae:b6:41(centos7-10 enp0s5)> 00:1c:42:60:87:b2(centos7-18 enp0s5)
19:59:52.186950 00:1c:42:ae:b6:41 > 00:1c:42:60:87:b2, ethertype IPv4 (0x0800), length 98: 10.211.55.10 > 172.16.1.200: ICMP echo request, id 2040, seq 1, length 64
// 00:1c:42:60:87:b2(centos7-18 enp0s5)> 00:1c:42:44:79:a5(centos7-22 enp0s5)
19:59:52.187068 00:1c:42:60:87:b2 > 00:1c:42:44:79:a5, ethertype IPv4 (0x0800), length 98: 10.211.55.10 > 172.16.1.200: ICMP echo request, id 2040, seq 1, length 64
// 00:1c:42:44:79:a5(centos7-22 enp0s5)> 00:1c:42:ae:b6:41(centos7-10 enp0s5)
19:59:52.187364 00:1c:42:44:79:a5 > 00:1c:42:ae:b6:41, ethertype IPv4 (0x0800), length 98: 172.16.1.200 > 10.211.55.10: ICMP echo reply, id 2040, seq 1, length 64
^C
3 packets captured
3 packets received by filter
0 packets dropped by kernel
总结
Linux 通过IP Forward 功能进行路由转发,根据已有路由配置信息把包送到合适的网络接口。
