我有一個帶有一些公有子網路和一個私有子網路的 AWS VPC,如下圖所示。
- 兩個實例都可以連接到網際網路(實例A連接透過NAT網關實例)
- NAT網關可以 ping 和追蹤網際網路上的主機以及其他子網路上的實例
- 實例A可以平NAT網關以及其子網路和其他子網路中的其他實例
這NAT網關是一個 Ubuntu 16.04 (t2.micro) 實例,由我配置。它不是託管 AWS NAT 網關。它可以完美地作為 VPC 內所有其他主機以及 D-NAT(對於某些私人 Apache 伺服器)的網關,並充當 SSH 堡壘。
問題是實例A無法 ping 或追蹤網際網路上的主機。我已經嘗試過/檢查過:
- 路由表
- 安全群組
- IP表規則
- 核心參數
安全群組
NAT GATEWAY
Outbound:
* all traffic allowed
Inbound:
* SSH from 192.168.0.0/16 (VPN network)
* HTTP/S from 172.20.0.0/16 (allowing instances to connect to the internet)
* HTTP/S from 0.0.0.0/0 (allowing clients to access internal Apache servers through D-NAT)
* ALL ICMP V4 from 0.0.0.0/0
INSTANCE A
Outbound:
* all traffic allowed
Inbound:
* SSH from NAT GATEWAY SG
* HTTP/S from 172.20.0.0/16 (public internet throught D-NAT)
* ALL ICMP V4 from 0.0.0.0/0
路由表
PUBLIC SUBNET
172.20.0.0/16: local
0.0.0.0/0: igw-xxxxx (AWS internet gateway attached to VPC)
PRIVATE SUBNET
0.0.0.0/0: eni-xxxxx (network interface of the NAT gateway)
172.20.0.0/16: local
iptables規則
# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
# iptables -tnat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
核心參數
net.ipv4.conf.all.accept_redirects = 0 # tried 1 too
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 0 # tried 1 too
net.ipv4.conf.eth0.accept_redirects = 0 # tried 1 too
net.ipv4.conf.eth0.secure_redirects = 1
net.ipv4.conf.eth0.send_redirects = 0 # tried 1 too
net.ipv4.ip_forward = 1
來自實例 A 的範例追蹤路由
感謝 @hargut 指出有關使用 UDP 的追蹤路由的詳細資訊(並且我的 SG 不允許這樣做)。因此,將其與-I
ICMP 選項一起使用:
# traceroute -I 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 ip-172-20-16-10.ec2.internal (172.20.16.10) 0.670 ms 0.677 ms 0.700 ms
2 * * *
3 * * *
...
答案1
Linux/Unix 追蹤路由使用 UDP 進行標準請求。您的安全群組不允許 UDP 入站資料包。
從追蹤路由手冊頁:
In the modern network environment the traditional traceroute methods can not be always applicable, because of widespread use of firewalls. Such firewalls filter the "unlikely" UDP ports, or even ICMP echoes. To solve this, some additional tracerouting methods are implemented (including tcp), see LIST OF AVAILABLE METHODS below. Such methods try to use particular protocol and source/destination port, in order to bypass firewalls (to be seen by firewalls just as a start of allowed type of a network session)
https://linux.die.net/man/8/traceroute
請參閱將-I
追蹤路由模式切換到基於 ICMP 的追蹤的 tracerout 選項。