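linux - accept_local does not work

Tags: linux local routes

I want to send data out of one NIC and receive it on another NIC on CentOS 6.4 (x86 architecture, 3 NICs: one is an onboard Realtek, the other two are Intel NICs).

First, I configured IP addresses on the two Intel NICs: (eth0) 192.168.1.1/24 and (eth1) 192.168.1.2/24.

Second, I added routes with the following commands: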

# route add -host 192.168.1.1 dev eth1
# route add -host 192.168.1.2 dev eth0

Third, I enabled accept_local in /etc/sysctl.conf:

net.ipv4.conf.eth0.accept_local = 1
net.ipv4.conf.eth1.accept_local = 1

I also disabled iptables and SELinux. I rebooted the system, then connected eth0 and eth1 with a cable, and then tested like this:

#ping 192.168.1.1 -I eth1

The message returned:

"From 192.168.1.2 icmp_seq=xx Destination Host Unreachable"

Am I missing something?

I have already read the topic "How can configure linux routing to send packets out one interface, over a bridge and into another interface on the same box".

Best answer

Try setting sysctl -w net.ipv4.conf.all.rp_filter=2

Quoting https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt

accept_local - BOOLEAN
    Accept packets with local source addresses. In combination
    with suitable routing, this can be used to direct packets
    between two local interfaces over the wire and have them
    accepted properly.

    rp_filter must be set to a non-zero value in order for
    accept_local to have an effect.


rp_filter - INTEGER
    0 - No source validation.
    1 - Strict mode as defined in RFC3704 Strict Reverse Path
        Each incoming packet is tested against the FIB and if the interface
        is not the best reverse path the packet check will fail.
        By default failed packets are discarded.
    2 - Loose mode as defined in RFC3704 Loose Reverse Path
        Each incoming packet's source address is also tested against the FIB
        and if the source address is not reachable via any interface
        the packet check will fail.

    Current recommended practice in RFC3704 is to enable strict mode
    to prevent IP spoofing from DDos attacks. If using asymmetric routing
    or other complicated routing, then loose mode is recommended.

    The max value from conf/{all,interface}/rp_filter is used
    when doing source validation on the {interface}.

    Default value is 0. Note that some distributions enable it
    in startup scripts.
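
The two rules quoted above (accept_local needs a non-zero rp_filter, and the effective rp_filter is the maximum of conf/all and conf/{interface}) can be checked per interface with a short script. This is an added example, not part of the original answer; the function names and the optional CONF_ROOT argument are assumptions made here, and only the per-interface accept_local value that the question sets is read.

```shell
#!/bin/sh
# Added example: decide whether accept_local can take effect on an interface,
# applying the rules quoted from ip-sysctl.txt on this page.
# CONF_ROOT (hypothetical argument) defaults to the live sysctl tree;
# pass a copy of that directory layout to inspect saved values offline.

# effective_rp_filter IFACE [CONF_ROOT]
# Prints max(conf/all/rp_filter, conf/IFACE/rp_filter).
effective_rp_filter() {
    iface=$1
    root=${2:-/proc/sys/net/ipv4/conf}
    all=$(cat "$root/all/rp_filter") || return 2
    own=$(cat "$root/$iface/rp_filter") || return 2
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# accept_local_status IFACE [CONF_ROOT]
# Prints one line describing whether accept_local is usable on IFACE.
accept_local_status() {
    iface=$1
    root=${2:-/proc/sys/net/ipv4/conf}
    al=$(cat "$root/$iface/accept_local") || return 2
    rp=$(effective_rp_filter "$iface" "$root") || return 2
    if [ "$al" -ne 1 ]; then
        echo "disabled: accept_local is 0"
    elif [ "$rp" -eq 0 ]; then
        # accept_local=1 alone is not enough: rp_filter must be non-zero.
        echo "ineffective: rp_filter is 0"
    else
        echo "effective: rp_filter is $rp"
    fi
}

# When interface names are given on the command line, check the live system.
if [ "$#" -gt 0 ]; then
    for i in "$@"; do
        printf '%s: ' "$i"
        accept_local_status "$i"
    done
fi
```

Run it as `sh check.sh eth0 eth1` (the file name is arbitrary) before and after changing rp_filter to see the status change.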

Regarding "linux - accept_local does not work", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/15339018/
