Linux reverse path filtering leaves a NIC unreachable to ping from another network
Symptoms
Cloud2 has two NICs, 172.31.196.2 and 172.31.192.202.
After one reboot, the office machine (172.25.167.34) could reach 172.31.196.2 but could not reach 172.31.192.202.
The routing table checked out fine. cloud2 could reach the machines on the 192 subnet, i.e. hosts on the same subnet could talk to each other.
[root@cloud2 ~]# ip route
default via 172.31.196.254 dev br-ex
169.254.0.0/16 dev ens9f0 scope link metric 1006
169.254.0.0/16 dev ens4f0 scope link metric 1008
169.254.0.0/16 dev br-int scope link metric 1011
169.254.0.0/16 dev br-ex scope link metric 1013
172.31.192.0/24 dev ens4f0 scope link src 172.31.192.202
172.31.196.0/24 dev br-ex proto kernel scope link src 172.31.196.2
Analysis
First, check whether cloud2 receives the ping requests from the office machine at all:
[root@cloud2 ~]# tcpdump -i ens4f0 |grep ICMP
15:01:14.105506 IP 172.25.167.34 > cloud2: ICMP echo request, id 1, seq 24348, length 40
15:01:19.106165 IP 172.25.167.34 > cloud2: ICMP echo request, id 1, seq 24349, length 40
Cloud2 receives the requests but does not reply.
A brief introduction to reverse path filtering:
Linux's rp_filter implements reverse path filtering, i.e. uRPF: it validates the direction a packet's reverse path would take, in order to defend against IP spoofing attacks. For example, if a request claims to come from an external network but its source IP belongs to the internal network, it is very likely spoofed. rp_filter easily conflicts with Linux policy routing; the root cause is that uRPF forces a "direction" onto the reverse path, whereas actual routes carry no such direction.
Solution
Temporary method:
# echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter
# echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
Permanent method:
Edit /etc/sysctl.conf:
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.all.rp_filter = 2
Description of rp_filter from the RHEL6 and RHEL7 kernel documentation
rp_filter - INTEGER
0 - No source validation.
1 - Strict mode as defined in RFC3704 Strict Reverse Path
Each incoming packet is tested against the FIB and if the interface
is not the best reverse path the packet check will fail.
By default failed packets are discarded.
2 - Loose mode as defined in RFC3704 Loose Reverse Path
Each incoming packet’s source address is also tested against the FIB
and if the source address is not reachable via any interface
the packet check will fail.
Current recommended practice in RFC3704 is to enable strict mode
to prevent IP spoofing from DDos attacks. If using asymmetric routing
or other complicated routing, then loose mode is recommended.
The max value from conf/{all,interface}/rp_filter is used
when doing source validation on the {interface}.
Default value is 0. Note that some distributions enable it
in startup scripts.
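To make the analysis and the mode definitions above concrete, here is an added example (not code from the original post) that emulates the rp_filter decision against the cloud2 routing table shown earlier. It assumes a plain longest-prefix lookup with metric as tie-breaker and ignores multipath routes; the office address and device names are the ones from the page.

```python
import ipaddress

# Routing table taken from the `ip route` output on cloud2: (prefix, device, metric).
FIB = [
    ("0.0.0.0/0", "br-ex", 0),
    ("169.254.0.0/16", "ens9f0", 1006),
    ("169.254.0.0/16", "ens4f0", 1008),
    ("169.254.0.0/16", "br-int", 1011),
    ("169.254.0.0/16", "br-ex", 1013),
    ("172.31.192.0/24", "ens4f0", 0),
    ("172.31.196.0/24", "br-ex", 0),
]


def best_route_dev(addr):
    """Longest-prefix match, ties broken by the lowest metric.
    Returns the device the kernel would send a reply to addr out of, or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(ipaddress.ip_network(p), dev, m) for p, dev, m in FIB
               if ip in ipaddress.ip_network(p)]
    if not matches:
        return None
    _, dev, _ = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return dev


def effective_mode(all_value, iface_value):
    """The kernel validates on <iface> with max(conf/all, conf/<iface>),
    so lowering conf/<iface> alone does nothing while conf/all is stricter."""
    return max(all_value, iface_value)


def rp_filter_accepts(src, ingress_dev, mode):
    """Emulate rp_filter for a packet from src that arrived on ingress_dev.
    0: no source validation
    1: strict (RFC3704): the best route back to src must leave via ingress_dev
    2: loose (RFC3704): src only has to be reachable via some interface"""
    if mode == 0:
        return True
    reverse_dev = best_route_dev(src)
    if mode == 2:
        return reverse_dev is not None
    return reverse_dev == ingress_dev


if __name__ == "__main__":
    # The office machine's echo request arrives on ens4f0, but the reply to
    # 172.25.167.34 would leave via the default route on br-ex: strict mode drops it.
    for mode in (1, 2):
        print("mode", mode, "accepts:", rp_filter_accepts("172.25.167.34", "ens4f0", mode))
```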