Background
Our organization needed to deploy an internal DNS server with two NICs and two IPs: one IP serves DNS for the organization's internal network, the other is used to reach DNS servers on a separate intranet leased line, to which queries for certain domain names are forwarded. After the DNS service was deployed, users on the same subnet as the leased line could not reach the DNS server.
The fault in detail
DNS server NIC addressing:
Eth0 IP: 192.168.168.168/24 [organization internal DNS server IP]
Eth1 IP: 10.0.0.2/24 [leased-line intranet IP]
Client A IP: 10.0.0.3/24
With client A configured to use 192.168.168.168 as its DNS resolver, name resolution failed; after switching the resolver to 10.0.0.2, resolution worked normally.
Further checks showed:
10.0.0.3 -> 192.168.168.168 [no communication]
10.0.0.3 -> 10.0.0.2 [communicates normally]
Cause
This is caused by strict reverse path filtering, which Linux has enabled by default on this system:
root@DNS:~$ sysctl net.ipv4.conf.default.rp_filter net.ipv4.conf.all.rp_filter
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
rp_filter parameter description (from the kernel's ip-sysctl documentation):
rp_filter - INTEGER
0 - No source validation.
1 - Strict mode as defined in RFC3704 Strict Reverse Path
Each incoming packet is tested against the FIB and if the interface
is not the best reverse path the packet check will fail.
By default failed packets are discarded.
2 - Loose mode as defined in RFC3704 Loose Reverse Path
Each incoming packet's source address is also tested against the FIB
and if the source address is not reachable via any interface
the packet check will fail.
Current recommended practice in RFC3704 is to enable strict mode
to prevent IP spoofing from DDos attacks. If using asymmetric routing
or other complicated routing, then loose mode is recommended.
The max value from conf/{all,interface}/rp_filter is used
when doing source validation on the {interface}.
Default value is 0. Note that some distributions enable it
in startup scripts.
Meaning of the rp_filter values:
- 0: no source validation.
- 1: strict reverse path checking. For every incoming packet, the kernel checks whether the interface the packet arrived on is the best route back to the packet's source address; if it is not, the packet is dropped.
- 2: loose reverse path checking. For every incoming packet, the kernel checks whether the source address is reachable via any interface at all; if it is not, the packet is dropped.
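To make the difference between the three modes concrete for the setup above, here is an added example (not from the original post) that emulates the reverse path check against a small routing table built from the two NICs. It assumes that, because of the asymmetric path, client A's packets addressed to 192.168.168.168 arrive on eth0 while its source address 10.0.0.3 routes back out of eth1; the table deliberately has no default route so that the loose-mode case is visible.

```python
import ipaddress

# Constructed FIB modelled on the DNS server in the post:
# eth0 = 192.168.168.168/24 (office LAN), eth1 = 10.0.0.2/24 (leased-line LAN).
# Assumption: no default route, so a source with no matching prefix is unreachable.
FIB = [
    ("192.168.168.0/24", "eth0"),
    ("10.0.0.0/24", "eth1"),
]


def lookup(fib, addr):
    """Longest-prefix match: return the outgoing interface for addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rp_filter_accepts(mode, src, in_iface, fib=FIB):
    """Emulate net.ipv4.conf.*.rp_filter for one incoming packet.

    mode 0: no source validation.
    mode 1: strict - the best route back to src must leave via in_iface.
    mode 2: loose  - any route back to src is enough.
    """
    if mode == 0:
        return True
    reverse = lookup(fib, src)
    if mode == 1:
        return reverse == in_iface
    if mode == 2:
        return reverse is not None
    raise ValueError(f"invalid rp_filter value {mode}")


def effective_mode(all_value, iface_value):
    """The kernel validates on <iface> with max(conf/all, conf/<iface>)."""
    return max(all_value, iface_value)


if __name__ == "__main__":
    # Client A -> 192.168.168.168 arrives on eth0 (assumed asymmetric path).
    for mode in (0, 1, 2):
        verdict = "accept" if rp_filter_accepts(mode, "10.0.0.3", "eth0") else "drop"
        print(f"rp_filter={mode}: 10.0.0.3 in on eth0 -> {verdict}")
    # Client A -> 10.0.0.2 arrives on eth1, the best reverse path: strict passes.
    print("strict, in on eth1:", rp_filter_accepts(1, "10.0.0.3", "eth1"))
```

Strict mode drops the packet that arrives on eth0 because the route back to 10.0.0.3 is eth1, which matches the failure in the post; loose mode accepts it since 10.0.0.0/24 is reachable, while a source with no route at all is still dropped.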
Solution
Temporary configuration, lost on reboot (note that 0 turns source validation off entirely, whereas the permanent setting below keeps loose mode 2, which the kernel documentation recommends for asymmetric routing):
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
Permanent configuration: edit /etc/sysctl.conf
and add or modify the following parameters:
net.ipv4.conf.default.rp_filter=2
net.ipv4.conf.all.rp_filter=2
After editing the file, run sysctl -p to apply the configuration file.