eno1 NIC: 192.168.224.75/24, gateway 192.168.224.1
eno2 NIC: 192.168.224.78/24, gateway 192.168.224.1
Note: the other servers in the 192.168.224.0/24 subnet can communicate with .75 and .78; apart from this server, all the other servers are normal.
When both NICs sit in net namespace 1 (the default) neither IP can be pinged. tcpdump capture:
[root@xxx ~]# tcpdump -i eno1 -vnn net 192.168.94.6
tcpdump: listening on eno1, link-type EN10MB (Ethernet), capture size 262144 bytes
18:45:13.245791 IP (tos 0x0, ttl 126, id 28955, offset 0, flags [none], proto ICMP (1), length 60)
192.168.94.6 > 192.168.224.75: ICMP echo request, id 1, seq 1705, length 40
18:45:17.937767 IP (tos 0x0, ttl 126, id 28956, offset 0, flags [none], proto ICMP (1), length 60)
192.168.94.6 > 192.168.224.75: ICMP echo request, id 1, seq 1706, length 40
18:45:22.953575 IP (tos 0x0, ttl 126, id 28957, offset 0, flags [none], proto ICMP (1), length 60)
192.168.94.6 > 192.168.224.75: ICMP echo request, id 1, seq 1707, length 40
18:45:27.938774 IP (tos 0x0, ttl 126, id 28958, offset 0, flags [none], proto ICMP (1), length 60)
192.168.94.6 > 192.168.224.75: ICMP echo request, id 1, seq 1708, length 40
When I move the eno2 NIC into the net namespace eno2_ns and configure the same IP, netmask and gateway there, ping works and the tcpdump capture looks normal:
eno2_ns setup commands:
ip netns add eno2_ns
ip link set eno2 netns eno2_ns
ip netns exec eno2_ns ip addr add 192.168.224.78/24 dev eno2
ip netns exec eno2_ns ip link set eno2 up
ip netns exec eno2_ns ip route add default via 192.168.224.1 dev eno2
[root@xxx ~]# ip netns exec eno2_ns tcpdump -i eno2 -vnn net 192.168.94.0/24
tcpdump: listening on eno2, link-type EN10MB (Ethernet), capture size 262144 bytes
18:42:20.825581 IP (tos 0x0, ttl 126, id 43528, offset 0, flags [none], proto ICMP (1), length 60)
192.168.94.6 > 192.168.224.78: ICMP echo request, id 1, seq 1702, length 40
18:42:20.825607 IP (tos 0x0, ttl 64, id 25682, offset 0, flags [none], proto ICMP (1), length 60)
192.168.224.78 > 192.168.94.6: ICMP echo reply, id 1, seq 1702, length 40
18:42:21.828006 IP (tos 0x0, ttl 126, id 43529, offset 0, flags [none], proto ICMP (1), length 60)
192.168.94.6 > 192.168.224.78: ICMP echo request, id 1, seq 1703, length 40
18:42:21.828029 IP (tos 0x0, ttl 64, id 25975, offset 0, flags [none], proto ICMP (1), length 60)
192.168.224.78 > 192.168.94.6: ICMP echo reply, id 1, seq 1703, length 40
18:42:22.839668 IP (tos 0x0, ttl 126, id 43530, offset 0, flags [none], proto ICMP (1), length 60)
192.168.94.6 > 192.168.224.78: ICMP echo request, id 1, seq 1704, length 40
18:42:22.839693 IP (tos 0x0, ttl 64, id 26840, offset 0, flags [none], proto ICMP (1), length 60)
192.168.224.78 > 192.168.94.6: ICMP echo reply, id 1, seq 1704, length 40
My iptables rules (I have never added any rule by hand):
[root@slave1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (4 references)
target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (4 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
This is the routing table for eno1 (.75), in the default net namespace:
[root@xxx ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.224.1 0.0.0.0 UG 103 0 0 eno1
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
172.31.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-365a3019eb39
192.168.48.0 0.0.0.0 255.255.240.0 U 0 0 0 br-f1d200423436
192.168.80.0 0.0.0.0 255.255.240.0 U 0 0 0 br-1a27f3be7f55
192.168.224.0 0.0.0.0 255.255.255.0 U 103 0 0 eno1
Question 1: can this be attributed to a misconfiguration of this server? Question 2: if it is a configuration problem, where else should I look?
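Added example, not part of the original post or of the reply below: a small POSIX shell script that (a) pairs ICMP echo requests with replies in `tcpdump -vnn` output, so the two captures above can be classified mechanically (requests only on eno1 versus request/reply pairs on eno2), and (b) on the affected host, collects the evidence the capture alone lacks: the rp_filter / arp_ignore / arp_announce sysctls that matter when two NICs share one subnet in one namespace, the kernel's input and output route lookups for the ping, iptables rule counters, and an ARP + ICMP capture. The sample captures inside it are constructed to match the ones in the post; the interface name eno1 and the addresses 192.168.224.75 / 192.168.94.6 are taken from the post and used only as defaults; `live_checks` needs root on the affected host and is only run with `--live`.

```shell
#!/bin/sh
# Added example (not from the original post).
#   pair_icmp_echoes FILE  - pair ICMP echo requests with replies in tcpdump text
#   live_checks IF IP PEER - collect the extra evidence the thread asks for (root)

# pair_icmp_echoes FILE
# Prints one "unanswered <src>><dst> id <id> seq <seq>" line per request that
# never got a reply, then "answered N unanswered M".  Exit 1 if any unanswered.
# Works on the two-line `tcpdump -vnn` layout shown in the post and on the
# one-line layout without -v (it locates the "ICMP" token instead of assuming
# fixed field positions).
pair_icmp_echoes() {
    awk '
        /ICMP echo (request|reply)/ {
            gsub(/,/, "")                          # "request," -> "request"
            for (i = 1; i <= NF; i++) if ($i == "ICMP") break
            src = $(i-3); dst = $(i-1); sub(/:$/, "", dst)
            kind = $(i+2); id = $(i+4); seq = $(i+6)
            if (kind == "request") {
                key = src ">" dst " id " id " seq " seq
                if (!(key in req)) order[++n] = key
                req[key]++
            } else {
                # a reply flows dst->src; flip it back to the request key
                key = dst ">" src " id " id " seq " seq
                rep[key]++
            }
        }
        END {
            ans = 0; un = 0
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (k in rep) ans++
                else { un++; print "unanswered " k }
            }
            print "answered " ans " unanswered " un
            exit (un > 0)
        }
    ' "$1"
}

# echo_summary FILE: only the final "answered N unanswered M" line.
echo_summary() {
    pair_icmp_echoes "$1" | tail -n 1
}

# Constructed sample captures (same format as the post): eno1 in the default
# namespace sees requests only; eno2 in its own namespace answers every one.
sample_eno1_capture() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
18:45:13.245791 IP (tos 0x0, ttl 126, id 28955, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.94.6 > 192.168.224.75: ICMP echo request, id 1, seq 1705, length 40
18:45:17.937767 IP (tos 0x0, ttl 126, id 28956, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.94.6 > 192.168.224.75: ICMP echo request, id 1, seq 1706, length 40
18:45:22.953575 IP (tos 0x0, ttl 126, id 28957, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.94.6 > 192.168.224.75: ICMP echo request, id 1, seq 1707, length 40
EOF
    echo "$f"
}

sample_eno2_capture() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
18:42:20.825581 IP (tos 0x0, ttl 126, id 43528, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.94.6 > 192.168.224.78: ICMP echo request, id 1, seq 1702, length 40
18:42:20.825607 IP (tos 0x0, ttl 64, id 25682, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.224.78 > 192.168.94.6: ICMP echo reply, id 1, seq 1702, length 40
18:42:21.828006 IP (tos 0x0, ttl 126, id 43529, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.94.6 > 192.168.224.78: ICMP echo request, id 1, seq 1703, length 40
18:42:21.828029 IP (tos 0x0, ttl 64, id 25975, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.224.78 > 192.168.94.6: ICMP echo reply, id 1, seq 1703, length 40
EOF
    echo "$f"
}

# live_checks IFACE LOCAL_IP REMOTE_IP   (run as root on the affected host)
live_checks() {
    ifc=$1; me=$2; peer=$3
    echo "== sysctls that matter with two NICs on one subnet in one namespace =="
    sysctl net.ipv4.conf.all.rp_filter "net.ipv4.conf.$ifc.rp_filter" \
           net.ipv4.conf.all.arp_ignore net.ipv4.conf.all.arp_announce
    echo "== input lookup for the request, output lookup for the reply =="
    ip route get "$me" from "$peer" iif "$ifc"
    ip route get "$peer" from "$me"
    echo "== INPUT with packet counters (plain iptables -L hides them) =="
    iptables -L INPUT -v -n
    echo "== 10 s of ARP + ICMP with MAC addresses =="
    timeout 10 tcpdump -i "$ifc" -e -nn 'arp or icmp'
}

case "${1:-}" in
    --demo) echo_summary "$(sample_eno1_capture)"; echo_summary "$(sample_eno2_capture)" ;;
    --live) live_checks "${2:-eno1}" "${3:-192.168.224.75}" "${4:-192.168.94.6}" ;;
esac
```

`sh diag.sh --demo` runs the parser over the built-in samples; `sh diag.sh --live eno1 192.168.224.75 192.168.94.6` runs the host checks. The `ip route get ... iif` form does the same lookup the kernel does for an incoming packet, so it reports an error instead of a route when the source address fails the reverse-path check on that interface; that, the ARP traffic and the rule counters are what a capture of ICMP alone cannot show.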
1 choury 2022-09-24 20:41:29 +08:00
That capture of yours... it doesn't even capture ARP packets and the like; apart from showing that the other end didn't respond, what else can it tell you?
Also, when you list the iptables rules, why not show the counters as well? And why is the FORWARD chain's default policy DROP?