Problem with gateway server configuration on CentOS 7

1

I am trying to configure a host running CentOS 7 with a single network interface (eth0) as a gateway.

The problem is that the Gateway can forward the packet and receive the reply, but fails to deliver the reply to the Host:

Host --> Gateway --> Destination --> Gateway -/-> Host

In fact, I can see in tcpdump that the Gateway is sending the reply, but the host is not receiving it.

tcpdump for the nc -v 192.168.253.113 22 request:

  • Host:

    12:10:22.038563 11:11:11:11:11:11 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 74: 10.0.0.47.21739 > 192.168.253.113.ssh: Flags [S], seq 3208534021, win 29200, options [mss 1460,sackOK,TS val 259369415 ecr 0,nop,wscale 9], length 0
    12:10:23.040527 11:11:11:11:11:11 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 74: 10.0.0.47.21739 > 192.168.253.113.ssh: Flags [S], seq 3208534021, win 29200, options [mss 1460,sackOK,TS val 259370418 ecr 0,nop,wscale 9], length 0
    
  • Gateway:

    12:10:22.038972 11:11:11:11:11:11 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 74: 10.0.0.47.21739 > 192.168.253.113.ssh: Flags [S], seq 3208534021, win 29200, options [mss 1460,sackOK,TS val 259369415 ecr 0,nop,wscale 9], length 0
    12:10:22.039017 22:22:22:22:22:22 > 33:33:33:33:33:33, ethertype IPv4 (0x0800), length 74: 10.0.0.19.21739 > 192.168.253.113.ssh: Flags [S], seq 3208534021, win 29200, options [mss 1460,sackOK,TS val 259369415 ecr 0,nop,wscale 9], length 0
    12:10:22.140408 33:33:33:33:33:33 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 74: 192.168.253.113.ssh > 10.0.0.19.21739: Flags [S.], seq 2142167154, ack 3208534022, win 28480, options [mss 1436,sackOK,TS val 2418584010 ecr 259369415,nop,wscale 10], length 0
    12:10:22.140427 22:22:22:22:22:22 > 11:11:11:11:11:11, ethertype IPv4 (0x0800), length 74: 192.168.253.113.ssh > 10.0.0.47.21739: Flags [S.], seq 2142167154, ack 3208534022, win 28480, options [mss 1436,sackOK,TS val 2418584010 ecr 259369415,nop,wscale 10], length 0
    12:10:23.040940 11:11:11:11:11:11 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 74: 10.0.0.47.21739 > 192.168.253.113.ssh: Flags [S], seq 3208534021, win 29200, options [mss 1460,sackOK,TS val 259370418 ecr 0,nop,wscale 9], length 0
    12:10:23.040958 22:22:22:22:22:22 > 33:33:33:33:33:33, ethertype IPv4 (0x0800), length 74: 10.0.0.19.21739 > 192.168.253.113.ssh: Flags [S], seq 3208534021, win 29200, options [mss 1460,sackOK,TS val 259370418 ecr 0,nop,wscale 9], length 0
    12:10:23.141986 33:33:33:33:33:33 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 74: 192.168.253.113.ssh > 10.0.0.19.21739: Flags [S.], seq 2142167154, ack 3208534022, win 28480, options [mss 1436,sackOK,TS val 2418584260 ecr 259369415,nop,wscale 10], length 0
    12:10:23.141998 22:22:22:22:22:22 > 11:11:11:11:11:11, ethertype IPv4 (0x0800), length 74: 192.168.253.113.ssh > 10.0.0.47.21739: Flags [S.], seq 2142167154, ack 3208534022, win 28480, options [mss 1436,sackOK,TS val 2418584260 ecr 259369415,nop,wscale 10], length 0
    

When I try the same request with the Gateway as the destination ( nc -v 10.0.0.19 22 ), everything works fine:

  • Host:

    12:16:46.222903 11:11:11:11:11:11 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 74: 10.0.0.47.46354 > 10.0.0.19.ssh: Flags [S], seq 725877336, win 29200, options [mss 1460,sackOK,TS val 259753600 ecr 0,nop,wscale 9], length 0
    12:16:46.224050 22:22:22:22:22:22 > 11:11:11:11:11:11, ethertype IPv4 (0x0800), length 74: 10.0.0.19.ssh > 10.0.0.47.46354: Flags [S.], seq 3167329297, ack 725877337, win 28960, options [mss 1460,sackOK,TS val 96976164 ecr 259753600,nop,wscale 9], length 0
    12:16:46.224104 11:11:11:11:11:11 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 66: 10.0.0.47.46354 > 10.0.0.19.ssh: Flags [.], ack 1, win 58, options [nop,nop,TS val 259753601 ecr 96976164], length 0
    12:16:46.232678 22:22:22:22:22:22 > 11:11:11:11:11:11, ethertype IPv4 (0x0800), length 87: 10.0.0.19.ssh > 10.0.0.47.46354: Flags [P.], seq 1:22, ack 1, win 57, options [nop,nop,TS val 96976173 ecr 259753601], length 21
    12:16:46.232731 11:11:11:11:11:11 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 66: 10.0.0.47.46354 > 10.0.0.19.ssh: Flags [.], ack 22, win 58, options [nop,nop,TS val 259753610 ecr 96976173], length 0
    12:16:49.692764 11:11:11:11:11:11 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 66: 10.0.0.47.46354 > 10.0.0.19.ssh: Flags [F.], seq 1, ack 22, win 58, options [nop,nop,TS val 259757070 ecr 96976173], length 0
    12:16:49.693905 22:22:22:22:22:22 > 11:11:11:11:11:11, ethertype IPv4 (0x0800), length 66: 10.0.0.19.ssh > 10.0.0.47.46354: Flags [F.], seq 22, ack 2, win 57, options [nop,nop,TS val 96979634 ecr 259757070], length 0
    12:16:49.693938 11:11:11:11:11:11 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 66: 10.0.0.47.46354 > 10.0.0.19.ssh: Flags [.], ack 23, win 58, options [nop,nop,TS val 259757071 ecr 96979634], length 0
    
  • Gateway:

    12:16:46.223731 11:11:11:11:11:11 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 74: 10.0.0.47.46354 > 10.0.0.19.ssh: Flags [S], seq 725877336, win 29200, options [mss 1460,sackOK,TS val 259753600 ecr 0,nop,wscale 9], length 0
    12:16:46.223793 22:22:22:22:22:22 > 11:11:11:11:11:11, ethertype IPv4 (0x0800), length 74: 10.0.0.19.ssh > 10.0.0.47.46354: Flags [S.], seq 3167329297, ack 725877337, win 28960, options [mss 1460,sackOK,TS val 96976164 ecr 259753600,nop,wscale 9], length 0
    12:16:46.224401 11:11:11:11:11:11 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 66: 10.0.0.47.46354 > 10.0.0.19.ssh: Flags [.], ack 1, win 58, options [nop,nop,TS val 259753601 ecr 96976164], length 0
    12:16:46.232728 22:22:22:22:22:22 > 11:11:11:11:11:11, ethertype IPv4 (0x0800), length 87: 10.0.0.19.ssh > 10.0.0.47.46354: Flags [P.], seq 1:22, ack 1, win 57, options [nop,nop,TS val 96976173 ecr 259753601], length 21
    12:16:46.233033 11:11:11:11:11:11 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 66: 10.0.0.47.46354 > 10.0.0.19.ssh: Flags [.], ack 22, win 58, options [nop,nop,TS val 259753610 ecr 96976173], length 0
    12:16:49.693106 11:11:11:11:11:11 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 66: 10.0.0.47.46354 > 10.0.0.19.ssh: Flags [F.], seq 1, ack 22, win 58, options [nop,nop,TS val 259757070 ecr 96976173], length 0
    12:16:49.693928 22:22:22:22:22:22 > 11:11:11:11:11:11, ethertype IPv4 (0x0800), length 66: 10.0.0.19.ssh > 10.0.0.47.46354: Flags [F.], seq 22, ack 2, win 57, options [nop,nop,TS val 96979634 ecr 259757070], length 0
    12:16:49.694218 11:11:11:11:11:11 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 66: 10.0.0.47.46354 > 10.0.0.19.ssh: Flags [.], ack 23, win 58, options [nop,nop,TS val 259757071 ecr 96979634], length 0
    

I can also do the same from the Gateway to the Host.

I have no idea what could be wrong. Here is my Gateway configuration:

Routes:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG    100    0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     100    0        0 eth0

Iptables on the gateway (saved using iptables-save):

*filter
:INPUT ACCEPT [46:4191]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [38:11217]
-A FORWARD -i eth0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [19:1044]
:INPUT ACCEPT [13:684]
:OUTPUT ACCEPT [10:1312]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

What I did was:

echo 1 > /proc/sys/net/ipv4/ip_forward
echo FORWARD_IPV4=true >> /etc/sysconfig/network
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -j ACCEPT
    
by sebaszw 12.10.2017 / 15:35
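To make the symptom in the captures above checkable mechanically, here is an added example (not part of the question or of any answer) that parses tcpdump -e lines in the format shown and reports the first stage at which the SYN / SYN-ACK exchange stops along the path Host -> Gateway -> Destination -> Gateway -> Host. The sample capture lines are constructed, modeled on the ones in the question; the addresses 10.0.0.47 (host), 10.0.0.19 (gateway) and 192.168.253.113 (destination) and the MACs are the ones used above.

```python
import re
from typing import Dict, List, Tuple

# Matches the link-layer format of the captures above (tcpdump -e, IPv4 TCP packet).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<smac>[0-9a-fA-F:]{17}) > (?P<dmac>[0-9a-fA-F:]{17}), "
    r"ethertype IPv4 \(0x0800\), length (?P<len>\d+): "
    r"(?P<sip>\d+(?:\.\d+){3})\.(?P<sport>\w+) > (?P<dip>\d+(?:\.\d+){3})\.(?P<dport>\w+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_tcpdump(text: str) -> List[Dict[str, str]]:
    """Return one dict per parsable line; lines in another format are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(m.groupdict())
    return packets


def _select(pkts: List[Dict[str, str]], flags: str, sip: str, dip: str) -> List[Dict[str, str]]:
    return [p for p in pkts if p["flags"] == flags and p["sip"] == sip and p["dip"] == dip]


def diagnose(host_capture: str, gw_capture: str,
             host_ip: str, gw_ip: str, dest_ip: str) -> Tuple[Dict[str, int], str]:
    """Count the handshake at each hop and name the first stage that saw no packet."""
    host = parse_tcpdump(host_capture)
    gw = parse_tcpdump(gw_capture)
    stages = {
        "host_sends_syn":           len(_select(host, "S",  host_ip, dest_ip)),
        "gateway_receives_syn":     len(_select(gw,   "S",  host_ip, dest_ip)),
        "gateway_forwards_syn_nat": len(_select(gw,   "S",  gw_ip,   dest_ip)),  # source rewritten by MASQUERADE
        "gateway_receives_synack":  len(_select(gw,   "S.", dest_ip, gw_ip)),
        "gateway_forwards_synack":  len(_select(gw,   "S.", dest_ip, host_ip)),  # destination restored by conntrack
        "host_receives_synack":     len(_select(host, "S.", dest_ip, host_ip)),
    }
    for name, count in stages.items():
        if count == 0:
            return stages, f"exchange stops at stage '{name}'"
    return stages, "handshake completes at every hop"


def synack_dst_mac_matches_host(host_capture: str, gw_capture: str,
                                host_ip: str, dest_ip: str) -> bool:
    """True if the SYN-ACK the gateway emits is addressed to the MAC the host's SYN came from."""
    syn = _select(parse_tcpdump(host_capture), "S", host_ip, dest_ip)
    synack = _select(parse_tcpdump(gw_capture), "S.", dest_ip, host_ip)
    return bool(syn and synack) and syn[0]["smac"].lower() == synack[0]["dmac"].lower()


# Constructed sample captures (one SYN round each), modeled on the question's output.
HOST_CAPTURE = """\
12:10:22.038563 11:11:11:11:11:11 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 74: 10.0.0.47.21739 > 192.168.253.113.ssh: Flags [S], seq 3208534021, length 0
"""
GW_CAPTURE = """\
12:10:22.038972 11:11:11:11:11:11 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 74: 10.0.0.47.21739 > 192.168.253.113.ssh: Flags [S], seq 3208534021, length 0
12:10:22.039017 22:22:22:22:22:22 > 33:33:33:33:33:33, ethertype IPv4 (0x0800), length 74: 10.0.0.19.21739 > 192.168.253.113.ssh: Flags [S], seq 3208534021, length 0
12:10:22.140408 33:33:33:33:33:33 > 22:22:22:22:22:22, ethertype IPv4 (0x0800), length 74: 192.168.253.113.ssh > 10.0.0.19.21739: Flags [S.], seq 2142167154, ack 3208534022, length 0
12:10:22.140427 22:22:22:22:22:22 > 11:11:11:11:11:11, ethertype IPv4 (0x0800), length 74: 192.168.253.113.ssh > 10.0.0.47.21739: Flags [S.], seq 2142167154, ack 3208534022, length 0
"""

if __name__ == "__main__":
    stages, verdict = diagnose(HOST_CAPTURE, GW_CAPTURE, "10.0.0.47", "10.0.0.19", "192.168.253.113")
    for name, count in stages.items():
        print(f"{name:28s} {count}")
    print(verdict)
    print("SYN-ACK addressed to host MAC:",
          synack_dst_mac_matches_host(HOST_CAPTURE, GW_CAPTURE, "10.0.0.47", "192.168.253.113"))
```

Run against real captures from both machines, the stage table shows whether the packet is lost before NAT, at the destination, or on the last hop back to the host; the MAC check confirms the gateway is at least addressing the frame to the right host on the wire.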

1 answer

0

I don't see you defining specific routes for the remote host.

For a host to reach the remote host (presumably it is on a different network), it needs a route to get there. And the remote host itself needs to know how to get back to that host, which requires a route back to the network the local host is on.

Suppose the remote host is on a network such as 10.0.5.0/24 with the remote gateway at 10.0.5.1, and your local gateway is 10.0.3.1 with your local network being 10.0.3.0/24. Add a static route on the local host: ip route add 10.0.5.0/24 via 10.0.3.1

And add another static route on the remote host:

ip route add 10.0.3.0/24 via 10.0.5.1

This is how I set up my network in a situation similar to yours.

by 15.10.2017 / 18:20
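As an added example (not from the answer's author), the two-way routing requirement described above can be checked with a small simulation: each node gets a routing table, lookups use longest-prefix match as the kernel's FIB does, and a packet is traced hop by hop in both directions, so a missing route on either end shows up as a broken direction. The networks and gateway addresses (10.0.3.0/24 behind 10.0.3.1, 10.0.5.0/24 behind 10.0.5.1) are those named in the answer; the end-host addresses 10.0.3.10 and 10.0.5.10 and the transit link 192.0.2.0/30 between the two gateways are assumptions made for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# One routing-table entry: (prefix, via, dev). via=None means directly connected.
Route = Tuple[str, Optional[str], str]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over the table, as the kernel does for each packet."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for route in table:
        net = ipaddress.ip_network(route[0])
        if addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def trace(nodes: Dict[str, dict], start: str, dst: str, max_hops: int = 8) -> Optional[List[str]]:
    """Follow next hops from `start` until a node owning `dst` is reached.

    Returns the nodes traversed, or None when a node has no route, a transit
    node is not forwarding (ip_forward=0), the next hop is unknown, or the path loops.
    """
    owner = {ip: name for name, node in nodes.items() for ip in node["addrs"]}
    path, cur = [start], start
    for _ in range(max_hops):
        if dst in nodes[cur]["addrs"]:
            return path
        if cur != start and not nodes[cur].get("forwards", False):
            return None  # a box with forwarding disabled drops transit traffic
        route = lookup(nodes[cur]["table"], dst)
        if route is None:
            return None
        hop_ip = route[1] or dst  # direct route: deliver to the destination itself
        nxt = owner.get(hop_ip)
        if nxt is None or nxt in path:
            return None
        path.append(nxt)
        cur = nxt
    return None


def build(host_has_route: bool, remote_has_route: bool) -> Dict[str, dict]:
    """Topology from the answer; gateway-to-gateway link and end-host addresses are assumed."""
    host_tbl: List[Route] = [("10.0.3.0/24", None, "eth0")]
    if host_has_route:
        host_tbl.append(("10.0.5.0/24", "10.0.3.1", "eth0"))  # ip route add 10.0.5.0/24 via 10.0.3.1
    remote_tbl: List[Route] = [("10.0.5.0/24", None, "eth0")]
    if remote_has_route:
        remote_tbl.append(("10.0.3.0/24", "10.0.5.1", "eth0"))  # ip route add 10.0.3.0/24 via 10.0.5.1
    return {
        "host":   {"addrs": {"10.0.3.10"}, "table": host_tbl},
        "lgw":    {"addrs": {"10.0.3.1", "192.0.2.1"}, "forwards": True,
                   "table": [("10.0.3.0/24", None, "eth0"), ("192.0.2.0/30", None, "eth1"),
                             ("10.0.5.0/24", "192.0.2.2", "eth1")]},
        "rgw":    {"addrs": {"10.0.5.1", "192.0.2.2"}, "forwards": True,
                   "table": [("10.0.5.0/24", None, "eth0"), ("192.0.2.0/30", None, "eth1"),
                             ("10.0.3.0/24", "192.0.2.1", "eth1")]},
        "remote": {"addrs": {"10.0.5.10"}, "table": remote_tbl},
    }


def check(host_has_route: bool, remote_has_route: bool):
    """Return (forward path, return path); None in either slot means that direction is broken."""
    nodes = build(host_has_route, remote_has_route)
    return trace(nodes, "host", "10.0.5.10"), trace(nodes, "remote", "10.0.3.10")


if __name__ == "__main__":
    for flags in [(False, False), (True, False), (True, True)]:
        print("host route: %-5s remote route: %-5s ->" % flags, check(*flags))
```

Only the last configuration, with a static route on both ends, yields a path in both directions; adding just the local host's route makes the SYN reach the remote host while the reply is dropped for lack of a route back, which is exactly the one-way picture the answer warns about.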