我在 CentOS 版本 5.4(最終版)x86_64 機器(Linux 2.6.18-164.el5 #1 SMP)上建立了一個 Linux PPPoE 伺服器。我也成功建立了PPPoE連線。但是,客戶端使用 ppp 介面 ping 到伺服器失敗,而伺服器可以成功 ping 用戶端。
伺服器 ppp IP:10.0.0.1 用戶端 ppp IP:10.67.15.111
伺服器端的 PPP 介面:
ppp0 Link encap:Point-to-Point Protocol
inet addr:10.0.0.1 P-t-P:10.67.15.111 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:513 errors:0 dropped:0 overruns:0 frame:0
TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:42304 (41.3 KiB) TX bytes:130 (130.0 b)
伺服器上的 Tcpdump 列印傳出 ping 請求和來自客戶端的傳入回應。
# tcpdump -i ppp0 -X
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
21:37:12.218177 IP 10.0.0.1 > 10.67.15.111: ICMP echo request, id
30999, seq 1, length 64
0x0000: 4500 0054 0000 4000 4001 16f7 0a00 0001 E..T..@.@.......
0x0010: 0a43 0f6f 0800 2d54 7917 0001 b019 b352 .C.o..-Ty......R
0x0020: 0000 0000 2c54 0300 0000 0000 1011 1213 ....,T..........
0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 .............!"#
0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123
21:37:12.222904 IP 10.67.15.111 > 10.0.0.1: ICMP echo reply, id 30999,
seq 1, length 64
0x0000: 4500 0054 af93 0000 4001 a763 0a43 0f6f [email protected]
0x0010: 0a00 0001 0000 3554 7917 0001 b019 b352 ......5Ty......R
0x0020: 0000 0000 2c54 0300 0000 0000 1011 1213 ....,T..........
0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 .............!"#
0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123
伺服器上的 Tcpdump 列印傳入的 ping 請求,但未發送任何回應
21:38:06.942359 IP 10.67.15.111 > 10.0.0.1: ICMP echo request, id
13435, seq 2, length 64
0x0000: 4500 0054 0000 4000 4001 16f7 0a43 0f6f E..T..@[email protected]
0x0010: 0a00 0001 0800 4c41 347b 0002 a04d d6f3 ......LA4{...M..
0x0020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
21:38:07.946344 IP 10.67.15.111 > 10.0.0.1: ICMP echo request, id
13435, seq 3, length 64
0x0000: 4500 0054 0000 4000 4001 16f7 0a43 0f6f E..T..@[email protected]
0x0010: 0a00 0001 0800 f1e1 347b 0003 a05d 3142 ........4{...]1B
0x0020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
21:38:08.958344 IP 10.67.15.111 > 10.0.0.1: ICMP echo request, id
13435, seq 4, length 64
0x0000: 4500 0054 0000 4000 4001 16f7 0a43 0f6f E..T..@[email protected]
0x0010: 0a00 0001 0800 881b 347b 0004 a06c 9af8 ........4{...l..
0x0020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
我只配置了 PPPD 和 PPPoE 伺服器相關的配置。有人可以幫忙嗎,我沒有啟用任何防火牆選項。
檢查兩個連結後:
http://www.trickylinux.net/disable-ping-response-linux.html
cat /proc/sys/net/ipv4/icmp_echo_ignore_all
0
https://unix.stackexchange.com/questions/44596/what-prevents-a-machine-from-responding-to-pings
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
#
#
# setenforce 0
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
# system-config-securitylevel-tui
#
#
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 21
Policy from config file: targeted
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 21
Policy from config file: targeted
# system-config-securitylevel-tui
#
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: disabled
Policy version: 21
Policy from config file: targeted
# vi system-config-securitylevel
# system-config-securitylevel
#
#
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: disabled
Policy version: 21
Policy from config file: targeted
也可以根據 MadHatter 的評論找到我目前的防火牆設定。
iptables -L -n -v
Chain INPUT (policy ACCEPT 16472 packets, 12M bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1023
0 0 DROP udp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 udp dpts:0:1023
0 0 DROP tcp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
4186 352K DROP icmp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 icmp type 8
Chain FORWARD (policy DROP 90 packets, 5400 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 17307 packets, 2685K bytes)
pkts bytes target prot opt in out source destination
經過一些相同的命令後,我注意到有很多掉落。
iptables -L -n -v
Chain INPUT (policy ACCEPT 18176 packets, 13M bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1023
0 0 DROP udp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 udp dpts:0:1023
0 0 DROP tcp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
4934 414K DROP icmp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 icmp type 8
Chain FORWARD (policy DROP 90 packets, 5400 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 19179 packets, 3241K bytes)
pkts bytes target prot opt in out source destination
是否需要任何明確防火牆規則來回應傳入的 ping 請求。
提前致謝。 -穆魯甘
答案1
你可能會說你“沒有啟用任何防火牆選項”,但是就在那裡,鏈中的第四條規則INPUT是一條在所有接口上丟棄所有(入站)ICMP 類型 8 ( echo-request) 的行ppp。它甚至有一個很好的、大的、不斷增長的數據包計數,讓您知道它正在執行它的操作工作。
嘗試iptables -D INPUT 4一下伺服器。
回答上面的結束問題:不。不需要明確的防火牆規則來回應 PING 請求。但是,您需要停止明確地將它們丟在地板上。