OpenSuSE Leap 15.5 firewall server: internal network can only ping outside hosts, DNS and all other traffic fails; troubleshooting help wanted
I reinstalled OpenSuSE Leap 15.5 on my SOHO server, which acts as a firewall. Now the machines on the internal network (169.254.164.0/24) can only ping external hosts; DNS and every other meaningful kind of traffic does not work, not even DNS lookups.
The server's NICs are set up as follows: eth0 is connected to the DSL router, eth1 to the internal network switch. IPv4 forwarding is enabled: net.ipv4.ip_forward = 1
Server network configuration
Interface addresses
valen:~ # ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 14:dd:a9:d4:1e:70 brd ff:ff:ff:ff:ff:ff
    altname enp2s0
    inet 192.168.178.41/24 brd 192.168.178.255 scope global eth0
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 14:dd:a9:d4:1e:71 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    inet 169.254.164.1/24 brd 169.254.164.255 scope global eth1
       valid_lft forever preferred_lft forever
Routing table
valen:~ # ip route show
default via 192.168.178.1 dev eth0 proto dhcp
169.254.164.0/24 dev eth1 proto kernel scope link src 169.254.164.1
192.168.178.0/24 dev eth0 proto kernel scope link src 192.168.178.41
iptables NAT table rules
valen:~ # iptables -t nat -nv -L >> netconfig.txt
Chain PREROUTING (policy ACCEPT 41 packets, 2456 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 12 packets, 909 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   909 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 7 prefix "MASQUERADE: "
iptables filter table rules
valen:~ # iptables -L -v
Chain INPUT (policy ACCEPT 496 packets, 40562 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 36 packets, 2276 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  eth0   any     anywhere             anywhere             LOG level debug prefix "FORWARD: "
   36  2276 LOG        all  --  eth1   any     anywhere             anywhere             LOG level debug prefix "FORWARD: "

Chain OUTPUT (policy ACCEPT 307 packets, 43133 bytes)
 pkts bytes target     prot opt in     out     source               destination
Relevant dmesg log
valen:~ # dmesg | grep MASQUERADE | tail -25
[ 5040.328157] x_tables: ip_tables: MASQUERADE target: used from hooks PREROUTING, but only usable from POSTROUTING
Full iptables-save output
valen:~ # iptables-save -c
# Generated by iptables-save v1.8.7 on Sun Jul 30 22:21:59 2023
*nat
:PREROUTING ACCEPT [271:12228]
:INPUT ACCEPT [3:180]
:OUTPUT ACCEPT [188:13601]
:POSTROUTING ACCEPT [0:0]
[188:13601] -A POSTROUTING -o eth0 -j MASQUERADE
[0:0] -A POSTROUTING -o eth0 -j LOG --log-prefix "MASQUERADE: " --log-level 7
COMMIT
# Completed on Sun Jul 30 22:21:59 2023
# Generated by iptables-save v1.8.7 on Sun Jul 30 22:21:59 2023
*mangle
:PREROUTING ACCEPT [1055426:82517132]
:INPUT ACCEPT [1055140:82499096]
:FORWARD ACCEPT [286:18036]
:OUTPUT ACCEPT [197144:2649496105]
:POSTROUTING ACCEPT [197178:2649498961]
COMMIT
# Completed on Sun Jul 30 22:21:59 2023
# Generated by iptables-save v1.8.7 on Sun Jul 30 22:21:59 2023
*raw
:PREROUTING ACCEPT [1055426:82517132]
:OUTPUT ACCEPT [197145:2649496485]
COMMIT
# Completed on Sun Jul 30 22:21:59 2023
# Generated by iptables-save v1.8.7 on Sun Jul 30 22:21:59 2023
*security
:INPUT ACCEPT [1054928:82491464]
:FORWARD ACCEPT [34:2856]
:OUTPUT ACCEPT [197146:2649496917]
COMMIT
# Completed on Sun Jul 30 22:21:59 2023
# Generated by iptables-save v1.8.7 on Sun Jul 30 22:21:59 2023
*filter
:INPUT ACCEPT [129181:24309644]
:FORWARD ACCEPT [96:5856]
:OUTPUT ACCEPT [95693:121943383]
[0:0] -A FORWARD -i eth0 -j LOG --log-prefix "FORWARD: " --log-level 7
[96:5856] -A FORWARD -i eth1 -j LOG --log-prefix "FORWARD: " --log-level 7
COMMIT
# Completed on Sun Jul 30 22:21:59 2023
Internal client configuration
Taking one of the clients as an example:
╭─jacek@epica ~
╰─➤ ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether b4:2e:99:c6:e9:9f brd ff:ff:ff:ff:ff:ff
    altname enp7s0
    inet 169.254.164.5/24 brd 169.254.164.255 scope global eth0
       valid_lft forever preferred_lft forever
╭─jacek@epica ~
╰─➤ ip route show
default via 169.254.164.1 dev eth0
169.254.164.0/24 dev eth0 proto kernel scope link src 169.254.164.5
Additional symptoms
The clients can ping external hosts (for example 8.8.8.8), but nothing else works, not even DNS queries. The server's syslog shows only outgoing traffic, no incoming traffic:
[12810.381486] FORWARD: IN=eth1 OUT=eth0 MAC=14:dd:a9:d4:1e:71:b4:2e:99:c6:e9:9f:08:00 SRC=169.254.164.5 DST=8.8.8.8 LEN=57 TOS=0x00 PREC=0x00 TTL=63 ID=47287 DF PROTO=UDP SPT=51059 DPT=53 LEN=37
[12810.381551] FORWARD: IN=eth1 OUT=eth0 MAC=14:dd:a9:d4:1e:71:b4:2e:99:c6:e9:9f:08:00 SRC=169.254.164.5 DST=8.8.4.4 LEN=57 TOS=0x00 PREC=0x00 TTL=63 ID=31354 DF PROTO=UDP SPT=42060 DPT=53 LEN=37
Further troubleshooting (update)
Testing with tcpdump:
- When pinging 8.8.8.8 the traffic is normal and packets are seen in both directions:
valen:~ # tcpdump -v -ni eth1 'ip host 8.8.8.8' and icmp
tcpdump: listening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
22:14:57.356849 IP (tos 0x0, ttl 64, id 63021, offset 0, flags [DF], proto ICMP (1), length 84)
    169.254.164.5 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
22:14:57.370168 IP (tos 0x0, ttl 57, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 169.254.164.5: ICMP echo reply, id 1, seq 1, length 64
22:14:58.358802 IP (tos 0x0, ttl 64, id 63032, offset 0, flags [DF], proto ICMP (1), length 84)
    169.254.164.5 > 8.8.8.8: ICMP echo request, id 1, seq 2, length 64
22:14:58.372195 IP (tos 0x0, ttl 57, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 169.254.164.5: ICMP echo reply, id 1, seq 2, length 64
22:14:59.360447 IP (tos 0x0, ttl 64, id 63211, offset 0, flags [DF], proto ICMP (1), length 84)
    169.254.164.5 > 8.8.8.8: ICMP echo request, id 1, seq 3, length 64
22:14:59.373668 IP (tos 0x0, ttl 57, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 169.254.164.5: ICMP echo reply, id 1, seq 3, length 64
22:15:00.362346 IP (tos 0x0, ttl 64, id 63238, offset 0, flags [DF], proto ICMP (1), length 84)
    169.254.164.5 > 8.8.8.8: ICMP echo request, id 1, seq 4, length 64
22:15:00.375229 IP (tos 0x0, ttl 57, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 169.254.164.5: ICMP echo reply, id 1, seq 4, length 64
22:15:01.364456 IP (tos 0x0, ttl 64, id 63472, offset 0, flags [DF], proto ICMP (1), length 84)
    169.254.164.5 > 8.8.8.8: ICMP echo request, id 1, seq 5, length 64
22:15:01.377348 IP (tos 0x0, ttl 57, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 169.254.164.5: ICMP echo reply, id 1, seq 5, length 64
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel
- When trying to resolve a name (for example www.nwzonline.de), only the DNS requests sent by the client are seen, never a response from the DNS server:
valen:~ # tcpdump -v -ni eth1 'ip host 8.8.8.8'
tcpdump: listening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
22:17:33.070802 IP (tos 0x0, ttl 64, id 10602, offset 0, flags [DF], proto UDP (17), length 62)
    169.254.164.5.33703 > 8.8.8.8.53: 8530+ A? www.nwzonline.de. (34)
22:17:33.070803 IP (tos 0x0, ttl 64, id 10603, offset 0, flags [DF], proto UDP (17), length 62)
    169.254.164.5.33703 > 8.8.8.8.53:
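As an added example (not part of the original post), a small Python script that reads netfilter FORWARD log lines like the ones quoted above, pairs each outbound flow with any reply logged for it, and lists the flows that never got an answer. The two DNS lines are taken from the post; the ICMP request/reply pair is constructed, and the WAN interface name eth0 follows the post's setup.

```python
import re
from collections import defaultdict

# Constructed sample: the two DNS lines are quoted from the post; the ICMP pair is
# made up to show a logged reply (IN=eth0, already de-NATed to the client address).
SAMPLE_LOG = """\
[12810.381486] FORWARD: IN=eth1 OUT=eth0 MAC=14:dd:a9:d4:1e:71:b4:2e:99:c6:e9:9f:08:00 SRC=169.254.164.5 DST=8.8.8.8 LEN=57 TOS=0x00 PREC=0x00 TTL=63 ID=47287 DF PROTO=UDP SPT=51059 DPT=53 LEN=37
[12810.381551] FORWARD: IN=eth1 OUT=eth0 MAC=14:dd:a9:d4:1e:71:b4:2e:99:c6:e9:9f:08:00 SRC=169.254.164.5 DST=8.8.4.4 LEN=57 TOS=0x00 PREC=0x00 TTL=63 ID=31354 DF PROTO=UDP SPT=42060 DPT=53 LEN=37
[12811.000001] FORWARD: IN=eth1 OUT=eth0 MAC=14:dd:a9:d4:1e:71:b4:2e:99:c6:e9:9f:08:00 SRC=169.254.164.5 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=63021 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
[12811.013000] FORWARD: IN=eth0 OUT=eth1 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=8.8.8.8 DST=169.254.164.5 LEN=84 TOS=0x00 PREC=0x00 TTL=56 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=1
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line):
    """Split one netfilter LOG line into its KEY=VALUE fields (None if not a FORWARD line)."""
    if "FORWARD:" not in line:
        return None
    fields, after_proto = {}, False
    for key, val in FIELD_RE.findall(line):
        if after_proto and key == "ID":
            fields["ICMP_ID"] = val          # the ID= after PROTO= is the ICMP identifier
        else:
            fields.setdefault(key, val)      # first LEN= (IP length) wins over the UDP one
        after_proto = after_proto or key == "PROTO"
    return fields

def flow_key(f, wan_if):
    """Normalise a packet to (proto, inside host, outside host, ids) so a request leaving
    via wan_if and its reply coming back map to the same key."""
    outbound = f.get("OUT") == wan_if
    inside, outside = (f["SRC"], f["DST"]) if outbound else (f["DST"], f["SRC"])
    proto = f.get("PROTO")
    if proto in ("UDP", "TCP"):
        ports = (f["SPT"], f["DPT"]) if outbound else (f["DPT"], f["SPT"])
        return (proto, inside, outside) + ports, outbound
    if proto == "ICMP":
        return (proto, inside, outside, f.get("ICMP_ID")), outbound
    return (proto, inside, outside), outbound

def unanswered_flows(log_text, wan_if="eth0"):
    """Flows logged leaving through wan_if with no packet ever logged coming back."""
    counts = defaultdict(lambda: {"out": 0, "in": 0})
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f and "PROTO" in f:
            key, outbound = flow_key(f, wan_if)
            counts[key]["out" if outbound else "in"] += 1
    return sorted(k for k, c in counts.items() if c["out"] and not c["in"])
```

Run against a real `dmesg` or journal extract, the script flags exactly the one-way flows the post describes (the DNS queries), while the ping flow, which has a logged reply, is not reported.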