I am using DO to host my production server. I am currently building a DR environment and running into problems with forwarding traffic. I used the same kind of configuration as in the production environment, where it works fine (I even tried cloning the VM and changing the IP, and it has the same problem as a fresh install). The server receives packets on eth1, but it does not send them out (as it is supposed to on eth0, per the IPsec policy).

DR-VPN server information below (please note that the data is sanitised)

[email protected]:~# ip a
eth0: 20.99.90.5/20
eth1: 10.10.0.2/20

[email protected]:~# ipsec status
Security Associations (1 up, 0 connecting):
vpn-to-DR[1]: ESTABLISHED 46 minutes ago, 20.99.90.5[20.99.90.5]...x1.xx3.x.xx4[x1.xx3.x.xx4]
vpn-to-env{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0ac5230_i 0b8674b3_o
vpn-to-env{1}: 10.10.0.3/32 === x1.xx3.x.x9/32

These are the iptables settings

[email protected]:~# iptables-save
*filter
:INPUT ACCEPT [3881983:1293276786]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3858285:672322166]
-A FORWARD -s 10.10.0.0/16 -d x1.xx3.x.x9/32 -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s x1.xx3.x.x9/32 -d 10.10.0.0/16 -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -i eth1 -j ACCEPT
-A FORWARD -d 10.10.0.0/16 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [1266750:71807552]
:INPUT ACCEPT [1259384:71241122]
:OUTPUT ACCEPT [38114:4106963]
:POSTROUTING ACCEPT [38115:4107047]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.10.0.0/16 ! -d 10.10.0.0/16 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.10.0.0/16 ! -d 10.10.0.0/16 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.10.0.0/16 ! -d 10.10.0.0/16 -p tcp -j MASQUERADE
-A POSTROUTING -s 10.10.0.0/16 -o eth1 -j MASQUERADE

I have configured it to do forwarding

sudo sysctl -a | grep net.ipv4.conf.*.forwarding
net.ipv4.conf.all.bc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.bc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.eth0.bc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth1.bc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.lo.bc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0

Additional information obtained by running a trace on iptables

########## production
[6814683.211912] TRACE: raw:PREROUTING:policy:2 IN=eth1 OUT= MAC=52:68:7d SRC=10.13.0.4 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=30853 DF PROTO=ICMP TYPE=8 CODE=0 ID=19134 SEQ=1
[6814683.211979] TRACE: nat:PREROUTING:policy:1 IN=eth1 OUT= MAC=52:68:7d SRC=10.13.0.4 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=30853 DF PROTO=ICMP TYPE=8 CODE=0 ID=19134 SEQ=1
[6814683.212037] TRACE: filter:FORWARD:rule:3 IN=eth1 OUT=eth0 MAC=52:68: SRC=10.13.0.4 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=30853 DF PROTO=ICMP TYPE=8 CODE=0 ID=19134 SEQ=1
[6814683.212053] TRACE: nat:POSTROUTING:rule:1 IN= OUT=eth0 SRC=10.132.0.4 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=30853 DF PROTO=ICMP TYPE=8 CODE=0 ID=19134 SEQ=1

[email protected]_PROD:~# iptables -L -t nat --line-numbers -n
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 policy match dir out pol ipsec
2 MASQUERADE tcp -- 10.13.0.0/16 !10.13.0.0/16 masq ports: 1024-65535
3 MASQUERADE udp -- 10.13.0.0/16 !10.13.0.0/16 masq ports: 1024-65535
4 MASQUERADE tcp -- 10.13.0.0/16 !10.13.0.0/16
5 MASQUERADE all -- 10.13.0.0/16 0.0.0.0/0

[email protected]_PROD:~# iptables -L -t filter --line-numbers -n
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 10.13.0.0/16 x1.xx3.0.0/16 policy match dir in pol ipsec proto 50
2 ACCEPT all -- x1.xx3.0.0/16 10.13.0.0/16 policy match dir out pol ipsec proto 50
3 ACCEPT all -- 10.13.0.0/16 0.0.0.0/0
4 ACCEPT all -- 0.0.0.0/0 10.13.0.0/16 state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
[email protected]_PROD:~#

And the trace from DR

######## DR
[ 3152.620125] TRACE: raw:PREROUTING:policy:2 IN=eth1 OUT= MAC=c2:62:51: SRC=10.10.0.3 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=31401 DF PROTO=ICMP TYPE=8 CODE=0 ID=71 SEQ=1
[ 3152.620202] TRACE: nat:PREROUTING:policy:1 IN=eth1 OUT= MAC=c2:62:51: SRC=10.10.0.3 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=31401 DF PROTO=ICMP TYPE=8 CODE=0 ID=71 SEQ=1
[ 3152.620265] TRACE: filter:FORWARD:policy:1 IN=eth1 OUT=eth0 MAC=c2:6251: SRC=10.10.0.3 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=31401 DF PROTO=ICMP TYPE=8 CODE=0 ID=71 SEQ=1
[ 3152.620283] TRACE: nat:POSTROUTING:rule:1 IN= OUT=eth0 SRC=10.108.0.3 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=31401 DF PROTO=ICMP TYPE=8 CODE=0 ID=71 SEQ=1
[email protected]:~# iptables -L -t nat --line-numbers -n
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 policy match dir out pol ipsec
2 MASQUERADE tcp -- 10.10.0.0/20 !10.10.0.0/20 masq ports: 1024-65535
3 MASQUERADE udp -- 10.10.0.0/20 !10.10.0.0/20 masq ports: 1024-65535
4 MASQUERADE all -- 10.10.0.0/20 0.0.0.0/0

[email protected]:~# iptables -L -t filter --line-numbers -n
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 10.10.0.0/20 x1.xx3.0.0/16 policy match dir in pol ipsec proto 50
2 ACCEPT all -- x1.xx3.0.0/16 10.10.0.0/20 policy match dir out pol ipsec proto 50
3 ACCEPT all -- 10.10.0.0/20 0.0.0.0/0
4 ACCEPT all -- 0.0.0.0/0 10.10.0.0/20 state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
no answer
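As an added example (not part of the question above), a small Python parser for the kernel TRACE lines shown in the post: it rebuilds the hop-by-hop path of one packet and flags what a firewall admin looks for first, namely chains where the verdict came from the chain policy rather than a rule (the index after `policy:` is one more than the number of rules traversed), a source address outside the LAN subnet the FORWARD and MASQUERADE rules are scoped to, and a source that changes between hops. The sample input is the DR trace from the question, sanitised by its author; the subnet `10.10.0.0/20` is taken from the `iptables -L` output.

```python
import ipaddress
import re

# Added example, not from the original question. Sample input: the DR trace
# from the question (addresses sanitised by its author), embedded for offline use.
DR_TRACE = """\
[ 3152.620125] TRACE: raw:PREROUTING:policy:2 IN=eth1 OUT= MAC=c2:62:51: SRC=10.10.0.3 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=31401 DF PROTO=ICMP TYPE=8 CODE=0 ID=71 SEQ=1
[ 3152.620202] TRACE: nat:PREROUTING:policy:1 IN=eth1 OUT= MAC=c2:62:51: SRC=10.10.0.3 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=31401 DF PROTO=ICMP TYPE=8 CODE=0 ID=71 SEQ=1
[ 3152.620265] TRACE: filter:FORWARD:policy:1 IN=eth1 OUT=eth0 MAC=c2:6251: SRC=10.10.0.3 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=31401 DF PROTO=ICMP TYPE=8 CODE=0 ID=71 SEQ=1
[ 3152.620283] TRACE: nat:POSTROUTING:rule:1 IN= OUT=eth0 SRC=10.108.0.3 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=31401 DF PROTO=ICMP TYPE=8 CODE=0 ID=71 SEQ=1
"""

# table:chain:verdict-kind:index, followed by the packet's KEY=value fields
HOP_RE = re.compile(r"TRACE: (?P<table>\w+):(?P<chain>\w+):(?P<kind>rule|return|policy):(?P<num>\d+) (?P<rest>.*)")
KV_RE = re.compile(r"([A-Z]+)=(\S*)")  # bare flags such as DF carry no '=' and are skipped

def parse_trace(text):
    """Turn kernel TRACE lines into hop dicts: table, chain, kind, num plus the packet fields."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.search(line)
        if not m:
            continue
        hop = {"table": m["table"], "chain": m["chain"], "kind": m["kind"], "num": int(m["num"])}
        hop.update(dict(KV_RE.findall(m["rest"])))
        hops.append(hop)
    return hops

def audit(hops, lan):
    """Findings: policy verdicts, sources outside the LAN the rules are scoped to, and source changes."""
    lan = ipaddress.ip_network(lan)
    findings = []
    first_src = hops[0]["SRC"] if hops else None
    for h in hops:
        where = f"{h['table']}:{h['chain']}"
        if h["kind"] == "policy":
            findings.append(f"{where}: no rule matched, chain policy applied after {h['num'] - 1} rule(s)")
        try:
            src = ipaddress.ip_address(h["SRC"])
        except ValueError:
            continue  # sanitised or garbled address, nothing to check
        if src not in lan:
            findings.append(f"{where}: SRC {src} is outside {lan}, subnet-scoped rules will not match it")
        if h["SRC"] != first_src:
            findings.append(f"{where}: SRC changed from {first_src} to {h['SRC']}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_trace(DR_TRACE), "10.10.0.0/20"):
        print(finding)
```

On the sanitised trace the 10.10.0.3 to 10.108.0.3 change it reports is probably an artefact of the author's sanitisation, but on a live trace a source that leaves the rules' subnet before POSTROUTING is exactly what this check exists to surface.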