Using a Linux System (PC) for Routing and Forwarding

Published: 2015-04-01 15:21:28  Source: linux.cn  Author: Linux中國

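1. Network topology
The network topology is shown below. Three machines are used in this experiment: machines ①, ④ and ⑦. Machine ① pings machine ⑦, and machine ④ acts as the router that forwards the traffic.
[Figure: network topology diagram]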


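2. Incorrect routing configuration

First, we configure the routing tables of the three machines as follows:

1) On machine ①, add the following route so that traffic destined for the 10.0.4.0/24 network leaves through the eth1 interface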

route add -net 10.0.4.0/24 dev eth1

To view the routing table on machine ①, enter the following command:

route -n

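The resulting routing table on machine ① is as follows:
[Figure: routing table of machine ①]

2) Configure the route on machine ⑦ in the same way. The result is as follows:
[Figure: routing table of machine ⑦]

3) On machine ④, enable route forwarding, that is, set net.ipv4.ip_forward to 1 in /etc/sysctl.conf:
[Figure: net.ipv4.ip_forward setting in /etc/sysctl.conf on machine ④]

Note: the images above were uploaded to the 紅聯 Linux system tutorial channel.

4) All configuration is now complete. From machine ① we ping machine ⑦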

ping 10.0.4.3

The result is as follows; the ping fails:

PING 10.0.4.3 (10.0.4.3) 56(84) bytes of data.
From 10.0.1.3 icmp_seq=2 Destination Host Unreachable
From 10.0.1.3 icmp_seq=3 Destination Host Unreachable
From 10.0.1.3 icmp_seq=4 Destination Host Unreachable
From 10.0.1.3 icmp_seq=6 Destination Host Unreachable
From 10.0.1.3 icmp_seq=7 Destination Host Unreachable
From 10.0.1.3 icmp_seq=8 Destination Host Unreachable

For reference, here is the eth1 configuration of machine ①:

eth1      Link encap:Ethernet  HWaddr 00:16:EC:AF:CB:CB
          inet addr:10.0.1.3  Bcast:10.255.255.255  Mask:255.255.255.0
          inet6 addr: fe80::216:ecff:feaf:cbcb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4564 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6688 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:459463 (448.6 KiB)  TX bytes:546633 (533.8 KiB)
          Interrupt:23 Base address:0x6000

While machine ① was pinging, I captured packets on eth1 of machine ④. The result is as follows:

[[email protected] ~]# tcpdump -i eth1 -enn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
15:26:44.388614 00:16:ec:af:cb:cb > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.4.3 tell 10.0.1.3, length 46
15:26:45.391014 00:16:ec:af:cb:cb > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.4.3 tell 10.0.1.3, length 46
15:26:47.387821 00:16:ec:af:cb:cb > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.4.3 tell 10.0.1.3, length 46
15:26:48.391220 00:16:ec:af:cb:cb > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.4.3 tell 10.0.1.3, length 46
15:26:49.392621 00:16:ec:af:cb:cb > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.4.3 tell 10.0.1.3, length 46

Machine ① keeps looking for the MAC address of the machine that holds IP 10.0.4.3, that is, it keeps sending ARP requests. But the router (machine ④) does not forward ARP packets by default, so machine ① will never be able to ping machine ⑦.
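The symptom in this capture can be checked mechanically. The following is an added example, not part of the original article: a shell function (the name offlink_arp and its prefix-length argument are assumptions) that reads tcpdump -enn text and reports ARP requests whose target lies outside the sender's own subnet. The first three sample lines come from the capture above; the fourth is constructed.

```shell
# offlink_arp [PREFIXLEN]: read `tcpdump -enn` text on stdin and print
# "<sender> <target> <count>" for every ARP request whose target IP is
# outside the sender's subnet (PREFIXLEN defaults to 24, an assumption).
offlink_arp() {
    awk -v plen="${1:-24}" '
    function ip2int(ip,    o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    function net(ip) {                 # network number of ip under /plen
        return int(ip2int(ip) / 2 ^ (32 - plen))
    }
    /ethertype ARP/ && /who-has/ {
        target = sender = ""
        for (i = 1; i < NF; i++) {
            if ($i == "who-has") target = $(i + 1)
            if ($i == "tell")    sender = $(i + 1)
        }
        sub(/,$/, "", target); sub(/,$/, "", sender)
        if (target == "" || sender == "") next
        if (net(target) != net(sender)) seen[sender " " target]++
    }
    END { for (k in seen) print k, seen[k] }' | sort
}

# Sample input: lines 1-3 are from the capture above, line 4 is constructed
# (an ordinary in-subnet ARP request that must not be flagged).
sample_capture() { cat <<'EOF'
15:26:44.388614 00:16:ec:af:cb:cb > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.4.3 tell 10.0.1.3, length 46
15:26:45.391014 00:16:ec:af:cb:cb > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.4.3 tell 10.0.1.3, length 46
15:26:47.387821 00:16:ec:af:cb:cb > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.4.3 tell 10.0.1.3, length 46
15:26:50.100000 00:16:ec:af:cb:cb > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.1.2 tell 10.0.1.3, length 46
EOF
}

sample_capture | offlink_arp 24    # prints: 10.0.1.3 10.0.4.3 3
```

A host that repeatedly ARPs for an address outside its own subnet usually has an on-link route where a gateway route was intended.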


3. Correct configuration

On machine ①, configure the route with the following command:

route add -net 10.0.4.0/24 gw 10.0.1.2

The routing table on machine ① is now:

[[email protected] ~]#
[[email protected] ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.4.0        10.0.1.2        255.255.255.0   UG    0      0        0 eth1
10.0.5.0        0.0.0.0         255.255.255.0   U     0      0        0 eth2
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.99.0    0.0.0.0         255.255.255.0   U     1      0        0 eth0
0.0.0.0         192.168.99.1    0.0.0.0         UG    0      0        0 eth0

Configure the routing table on machine ⑦ in the same way:

[email protected]:~# route -n
內核 IP 路由表
目標            網關            子網掩碼        標志  躍點   引用  使用 接口
0.0.0.0         192.168.99.1    0.0.0.0         UG    0      0        0 eth0
10.0.1.0        10.0.4.2        255.255.255.0   UG    0      0        0 eth1
10.0.4.0        0.0.0.0         255.255.255.0   U     1      0        0 eth1
10.0.7.0        0.0.0.0         255.255.255.0   U     1      0        0 eth2
192.168.99.0    0.0.0.0         255.255.255.0   U     1      0        0 eth0

Now run the ping test again: pinging machine ⑦ from machine ① succeeds. To make the analysis easier, we first list the MAC address of each network interface:

Machine ① eth1: HWaddr 00:16:EC:AF:CB:CB
Machine ④ eth1: HWaddr 40:61:86:32:8F:0B
Machine ④ eth4: HWaddr 40:61:86:32:8F:0E
Machine ⑦ eth1: HWaddr 00:25:90:93:40:79

Packet capture on eth1 of machine ④:

[[email protected] ~]# tcpdump -i eth1 -enn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
16:02:26.809445 00:16:ec:af:cb:cb > 40:61:86:32:8f:0b, ethertype IPv4 (0x0800), length 98: 10.0.1.3 > 10.0.4.3: ICMP echo request, id 8079, seq 1, length 64
16:02:26.810723 40:61:86:32:8f:0b > 00:16:ec:af:cb:cb, ethertype IPv4 (0x0800), length 98: 10.0.4.3 > 10.0.1.3: ICMP echo reply, id 8079, seq 1, length 64
16:02:27.811847 00:16:ec:af:cb:cb > 40:61:86:32:8f:0b, ethertype IPv4 (0x0800), length 98: 10.0.1.3 > 10.0.4.3: ICMP echo request, id 8079, seq 2, length 64
16:02:27.813136 40:61:86:32:8f:0b > 00:16:ec:af:cb:cb, ethertype IPv4 (0x0800), length 98: 10.0.4.3 > 10.0.1.3: ICMP echo reply, id 8079, seq 2, length 64
16:02:28.813248 00:16:ec:af:cb:cb > 40:61:86:32:8f:0b, ethertype IPv4 (0x0800), length 98: 10.0.1.3 > 10.0.4.3: ICMP echo request, id 8079, seq 3, length 64
16:02:28.814551 40:61:86:32:8f:0b > 00:16:ec:af:cb:cb, ethertype IPv4 (0x0800), length 98: 10.0.4.3 > 10.0.1.3: ICMP echo reply, id 8079, seq 3, length 64
16:02:29.814648 00:16:ec:af:cb:cb > 40:61:86:32:8f:0b, ethertype IPv4 (0x0800), length 98: 10.0.1.3 > 10.0.4.3: ICMP echo request, id 8079, seq 4, length 64

Packet capture on eth4 of machine ④:

[[email protected] ~]# tcpdump -i eth4 -enn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth4, link-type EN10MB (Ethernet), capture size 65535 bytes
16:02:26.809460 40:61:86:32:8f:0e > 00:25:90:93:40:79, ethertype IPv4 (0x0800), length 98: 10.0.1.3 > 10.0.4.3: ICMP echo request, id 8079, seq 1, length 64
16:02:26.810715 00:25:90:93:40:79 > 40:61:86:32:8f:0e, ethertype IPv4 (0x0800), length 98: 10.0.4.3 > 10.0.1.3: ICMP echo reply, id 8079, seq 1, length 64
16:02:27.811853 40:61:86:32:8f:0e > 00:25:90:93:40:79, ethertype IPv4 (0x0800), length 98: 10.0.1.3 > 10.0.4.3: ICMP echo request, id 8079, seq 2, length 64
16:02:27.813130 00:25:90:93:40:79 > 40:61:86:32:8f:0e, ethertype IPv4 (0x0800), length 98: 10.0.4.3 > 10.0.1.3: ICMP echo reply, id 8079, seq 2, length 64
16:02:28.813255 40:61:86:32:8f:0e > 00:25:90:93:40:79, ethertype IPv4 (0x0800), length 98: 10.0.1.3 > 10.0.4.3: ICMP echo request, id 8079, seq 3, length 64
16:02:28.814545 00:25:90:93:40:79 > 40:61:86:32:8f:0e, ethertype IPv4 (0x0800), length 98: 10.0.4.3 > 10.0.1.3: ICMP echo reply, id 8079, seq 3, length 64

Packet capture on eth1 of machine ⑦:

[email protected]:~# tcpdump -i eth1 -enn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
16:02:27.222853 40:61:86:32:8f:0e > 00:25:90:93:40:79, ethertype IPv4 (0x0800), length 98: 10.0.1.3 > 10.0.4.3: ICMP echo request, id 8079, seq 1, length 64
16:02:27.222867 00:25:90:93:40:79 > 40:61:86:32:8f:0e, ethertype IPv4 (0x0800), length 98: 10.0.4.3 > 10.0.1.3: ICMP echo reply, id 8079, seq 1, length 64
16:02:28.225226 40:61:86:32:8f:0e > 00:25:90:93:40:79, ethertype IPv4 (0x0800), length 98: 10.0.1.3 > 10.0.4.3: ICMP echo request, id 8079, seq 2, length 64
16:02:28.225237 00:25:90:93:40:79 > 40:61:86:32:8f:0e, ethertype IPv4 (0x0800), length 98: 10.0.4.3 > 10.0.1.3: ICMP echo reply, id 8079, seq 2, length 64
16:02:29.226638 40:61:86:32:8f:0e > 00:25:90:93:40:79, ethertype IPv4 (0x0800), length 98: 10.0.1.3 > 10.0.4.3: ICMP echo request, id 8079, seq 3, length 64
16:02:29.226649 00:25:90:93:40:79 > 40:61:86:32:8f:0e, ethertype IPv4 (0x0800), length 98: 10.0.4.3 > 10.0.1.3: ICMP echo reply, id 8079, seq 3, length 64
16:02:30.228059 40:61:86:32:8f:0e > 00:25:90:93:40:79, ethertype IPv4 (0x0800), length 98: 10.0.1.3 > 10.0.4.3: ICMP echo request, id 8079, seq 4, length 64

From the captured packets it is easy to see what happens when machine ① pings machine ⑦. Its routing table sends this traffic via eth1 of machine ④ (10.0.1.2), and machine ① has already cached the MAC for that address, so it starts sending ICMP packets directly without an ARP broadcast. The destination IP is that of machine ⑦, while the destination MAC is that of machine ④'s eth1. When machine ④ routes the packet, the MAC addresses are rewritten: as the eth4 capture shows, the frame leaves with the MAC of machine ④'s eth4 as its source and the MAC of machine ⑦'s eth1 as its destination, while the destination IP is unchanged. The return path works the same way.
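The difference between the two configurations comes down to which address machine ① resolves with ARP. The following is an added example, not part of the original article: a shell function (the names arp_target, wrong_table and right_table are assumptions) that does a longest-prefix match over route -n output and prints the IP the host will ARP for. The first table is constructed from the command in section 2; the second uses rows from the route -n output in section 3.

```shell
# arp_target DEST: read `route -n` output on stdin, pick the longest-prefix
# match for DEST, and print "<IP to ARP for> <iface> <on-link|via-gateway>".
arp_target() {
    awk -v dst="$1" '
    function ip2int(ip,    o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    function masklen(m,    v, n) {     # number of 1 bits in the netmask
        v = ip2int(m); n = 0
        while (v > 0) { n += v % 2; v = int(v / 2) }
        return n
    }
    function same_net(a, b, len,    div) {
        div = 2 ^ (32 - len)
        return int(ip2int(a) / div) == int(ip2int(b) / div)
    }
    BEGIN { best = -1 }
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {      # data rows only
        len = masklen($3)
        if (len > best && same_net(dst, $1, len)) {
            best = len; gw = $2; dev = $8
        }
    }
    END {
        if (best < 0) { print "no-route"; exit 1 }
        if (gw == "0.0.0.0") print dst, dev, "on-link"
        else                 print gw, dev, "via-gateway"
    }'
}
# Constructed: the table that results on machine ① from
#   route add -net 10.0.4.0/24 dev eth1
wrong_table() { cat <<'EOF'
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.4.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         192.168.99.1    0.0.0.0         UG    0      0        0 eth0
EOF
}
# Rows taken from the route -n output of machine ① in section 3.
right_table() { cat <<'EOF'
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.4.0        10.0.1.2        255.255.255.0   UG    0      0        0 eth1
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         192.168.99.1    0.0.0.0         UG    0      0        0 eth0
EOF
}
wrong_table | arp_target 10.0.4.3    # 10.0.4.3 eth1 on-link
right_table | arp_target 10.0.4.3    # 10.0.1.2 eth1 via-gateway
```

With the on-link route the host ARPs for 10.0.4.3 itself, which nothing on the 10.0.1.0/24 segment answers; with the gateway route it ARPs for 10.0.1.2, which machine ④ answers.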


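4. Conclusion

Because a Linux router does not forward ARP packets by default, if the routes are configured as in the "incorrect configuration", machine ① stays stuck asking for the destination MAC and can never get router machine ④ to forward its packets. So we can configure the routes as in the "correct configuration", so that machine ① sends its frames to the MAC of machine ④'s eth1 and the packet is then forwarded hop by hop. Alternatively, we can configure the routes as in the "incorrect configuration" and enable proxy ARP on machine ④, so that machine ① obtains a MAC address for machine ⑦ and moves from the stage of sending ARP packets to the stage of sending ICMP packets.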
