{"id":711,"date":"2015-12-29T18:08:07","date_gmt":"2015-12-29T23:08:07","guid":{"rendered":"http:\/\/zhanxw.com\/blog\/?p=711"},"modified":"2015-12-29T18:08:07","modified_gmt":"2015-12-29T23:08:07","slug":"%e8%a7%a3%e5%86%b3%e4%b8%80%e4%b8%aa%e5%a5%87%e6%80%aa%e7%9a%84%e7%bd%91%e7%bb%9c%e8%bf%9e%e6%8e%a5%e9%94%99%e8%af%af","status":"publish","type":"post","link":"https:\/\/zhanxw.com\/blog\/2015\/12\/%e8%a7%a3%e5%86%b3%e4%b8%80%e4%b8%aa%e5%a5%87%e6%80%aa%e7%9a%84%e7%bd%91%e7%bb%9c%e8%bf%9e%e6%8e%a5%e9%94%99%e8%af%af\/","title":{"rendered":"\u89e3\u51b3\u4e00\u4e2a\u5947\u602a\u7684\u7f51\u7edc\u8fde\u63a5\u9519\u8bef"},"content":{"rendered":"

\u89e3\u51b3\u4e00\u4e2a\u5947\u602a\u7684\u7f51\u7edc\u8fde\u63a5\u9519\u8bef
\nSolve a strange network problem<\/p>\n

\u6211\u7684\u670d\u52a1\u5668bunny\u6700\u8fd1\u51fa\u73b0\u4e86\u4e00\u4e2a\u5947\u602a\u7684\u7f51\u7edc\u8fde\u63a5\u9519\u8bef\uff1a\u53ea\u6709\u53f0\u5f0f\u673a\u548c\u670d\u52a1\u5668\u80fd\u8fde\u63a5\u5230bunny\uff0c\u7b14\u8bb0\u672c\u5c31\u8fde\u4e0d\u4e0a\u3002
\n\u5047\u8bbe\u7f51\u7edcIP\u5982\u4e0b\uff1a<\/p>\n

A. \u670d\u52a1\u5668bunny\uff1a198.215.54.48 10G \u7f51\u7edc
\nB. \u670d\u52a1\u5668\uff1a 198.215.54.5 10G \u7f51\u7edc
\nC. \u670d\u52a1\u5668bronco: 129.112.7.169 1G \u7f51\u7edc
\nD. \u53f0\u5f0f\u673a\uff1a129.112.185.246 \u5c40\u57df\u7f51
\nE. \u7b14\u8bb0\u672c\uff1a172.17.157.121 \u65e0\u7ebf\u7f51<\/p>\n

\u73b0\u5728\u7684\u95ee\u9898\u662f\u53ef\u4ee5\u4eceB, C, D \u8fde\u63a5\u5230A\uff0c\u4f46\u4e0d\u80fd\u4eceE\u8fde\u63a5\u5230A\u3002<\/p>\n

\u89e3\u51b3\u601d\u8def\u5982\u4e0b\uff1a<\/p>\n

1. \u6000\u7591E->A\u7684\u8def\u7531\u6709\u95ee\u9898
\n<\/strong>
\n\u901a\u8fc7traceroute\uff0c\u53d1\u73b0E\u5230A\u7684\u6700\u540e\u4e00\u8df3\u662f\uff0a\uff0c\u72b6\u6001\u662fHost unavailable.
\n\u4f46\u8fdb\u4e00\u6b65\u53d1\u73b0E->B\uff0cA\u548cB\u5728\u540c\u4e00\u4e2a\u5b50\u7f51\uff0c\u56e0\u6b64E->A\u7684\u8def\u7531\u4e0d\u5927\u53ef\u80fd\u6709\u95ee\u9898<\/p>\n

2. \u68c0\u67e5A\u7684\u9632\u706b\u5899\u8bbe\u7f6e<\/strong><\/p>\n

\u5148\u5173\u95ed\u6240\u6709\u9632\u706b\u5899\uff0c\u7528\uff1a<\/p>\n

ufw disable
\n<\/code>
\n\u4f46E\u4ecd\u7136\u4e0d\u80fd\u8fdeA<\/p>\n

3. \u68c0\u67e5A\u7684\u8def\u7531<\/strong><\/p>\n

> route -n
\nKernel IP routing table
\nDestination Gateway Genmask Flags Metric Ref Use Iface
\n0.0.0.0 198.215.54.254 0.0.0.0 UG 0 0 0 em1
\n172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
\n192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 em4
\n198.215.54.0 0.0.0.0 255.255.255.0 U 0 0 0 em1<\/p>\n

> ip route --list
\nip rule list
\n0: from all lookup local
\n32766: from all lookup main
\n32767: from all lookup default
\n<\/code><\/p>\n

\u4ed4\u7ec6\u68c0\u67e5\u53d1\u73b0172.17.0.0\u8fd9\u4e2a\u8def\u7531\u6709\u95ee\u9898\uff1a\u56e0\u4e3aE\u5728172.17.0.0\u7f51\u7edc\uff0c\u4eceE\u53d1\u51fa\u7684ICMP\u5305\u5230\u8fbeA\uff0c\u800c\u4eceA\u8fd4\u56de\u7684ICMP\u5305\u6ca1\u6709\u901a\u8fc7em1\u63a5\u53e3\u800c\u662fdocker0\u53d1\u51fa\uff0c\u8fd9\u6837E->A\u5c31\u663e\u793a\u4e86Host unavailable\u3002<\/p>\n

\u503c\u5f97\u6ce8\u610f\u7684\u662f\u5728\u8def\u7531IP\u5305\u65f6\uff0c\u5b83\u7684\u7ec8\u70b9\u5e76\u4e0d\u662f\u7b2c\u4e00\u4e2a\u53ef\u4ee5\u5339\u914d\u7684\u8def\u7531\uff0c\u800c\u662f\u6240\u6709\u8def\u7531\u91cc\u7684\u7b2c\u4e00\u4e2a\u5339\u914d\u6700\u597d\u7684\u8def\u7531\u3002
\n\u539f\u6587\uff1aAny entry whose first field matches the destination IP address completely(a host) or partially (a network) would signal the IP address of the next router. (link<\/a>)<\/p>\n

\u627e\u5230\u539f\u56e0\u540e\uff0c\u6211\u4eec\u53ef\u4ee5\u8ba9docker0\u7684\u7f51\u7edcIP\u5730\u5740\u907f\u5f00172.17.0.0\u5b50\u7f51\uff0c\u8fd9\u5c31\u53ef\u4ee5\u89e3\u51b3E->A\u7684\u8fde\u63a5\u95ee\u9898\u3002
\n\u8fd9\u4e2a\u89e3\u51b3\u65b9\u6848\u91cc\u7684\u91cd\u8981\u547d\u4ee4\u662f \uff08\u53c2\u8003\u94fe\u63a5<\/a>\uff09<\/p>\n


\n ip link set dev docker0 down
\n ip addr del 172.17.42.1\/16 dev docker0 # 172.17.42.1\u662fdocker0\u7684ip
\n ip addr add 10.0.0.10\/24 dev docker0
\n ip link set dev docker0 up
\n ip addr show docker0 \uff03\u68c0\u67e5docker0\u7684ip
\n<\/code><\/p>\n

\u6b64\u5916\u8981\u5728\/etc\/default\/docker\u91cc\u52a0\u4e0aDOCKER_OPTS (–bip\u53c2\u6570\u89c1Docker\u6587\u6863Customize the docker0 bridge<\/a>\uff09\u3002\u8fd9\u6837docker0\u7684IP\u4e0d\u4f1a\u5728\u670d\u52a1\u5668\u91cd\u542f\u540e\u6539\u53d8\u3002<\/p>\n


\nDOCKER_OPTS=\"--bip=10.0.0.10\/24\"
\n<\/code><\/p>\n

\u9898\u5916\u8bdd<\/h2>\n

<\/h2>\n

1. \u4e3a\u4ec0\u4e48docker\u548c\u65e0\u7ebf\u7f51\u90fd\u7528172.17.0.0\u5b50\u7f51\uff1f
\n<\/strong>
\n\u6839\u636eRFC 1918<\/a> 3. Private Address Space, \u4fdd\u7559IP\u9664\u4e86\u5e38\u89c1\u7684192.168.0.0\u5916\uff0c \u8fd8\u6709\uff1a<\/p>\n

\r\n10.0.0.0 - 10.255.255.255 (10\/8 prefix)\r\n172.16.0.0 - 172.31.255.255 (172.16\/12 prefix)\r\n192.168.0.0 - 192.168.255.255 (192.168\/16 prefix)\r\n<\/pre>\n
\u56e0\u4e3a172.17.0.0\u662f\u4fdd\u7559\u5730\u5740\uff0c\u6b63\u5de7docker\u548c\u65e0\u7ebf\u7f51\u540c\u65f6\u90fd\u4f7f\u7528\u4e86\u8fd9\u4e2a\u5b50\u7f51\uff0c\u56e0\u6b64\u9020\u6210\u4e86\u6211\u9047\u5230\u7684\u7f51\u7edc\u95ee\u9898\u3002<\/p>\n
2. \u600e\u4e48\u76d1\u6d4b\u670d\u52a1\u5668\u662f\u5426\u63a5\u6536\u5230IP\u5305\uff1f
\n<\/strong>
\n\u53ef\u4ee5\u4f7f\u7528iptables<\/p>\n
\u4f8b\u5982\u53c2\u8003 http:\/\/askubuntu.com\/questions\/348439\/iptables-log-file-and-how-change-it<\/a>\uff0c \u8bb0\u5f55192.168.11.0\/24\u53d1\u6765\u7684\u5305\uff1a<\/p>\n

\niptables -A INPUT -s 192.168.11.0\/24 -j LOG --log-prefix='[netfilter] '
\n<\/code><\/p>\n
\u53ef\u4ee5\u5728\/var\/log\/kern.log \u627e\u542b\u6709\u201c[netfilter]\u201d\u7684\u65e5\u5fd7\u3002<\/p>\n
\u5982\u679c\u60f3\u76d1\u6d4bICMP\u5305\uff0c\u53ef\u4ee5\u7528\uff1a<\/p>\n

\niptables -A INPUT -p icmp -j LOG --log-prefix='[netfilter] '
\n<\/code><\/p>\n
\u5176\u4ed6\u5e38\u7528\u547d\u4ee4\uff08\u53c2\u8003\u8fd9\u4e2a\u94fe\u63a5<\/a>\uff09\u5305\u62ec\uff1a<\/p>\n

\nsudo iptables -L \uff03 \u6253\u5370iptables\u5185\u5bb9
\nsudo iptables -L INPUT -v \uff03 \u68c0\u67e5INPUT\u8868\u6536\u5230\u4e86\u591a\u5c11\u6570\u636e
\nsudo iptables -Z \uff03 \u6e05\u96f6
\nsudo iptables -Z INPUT \uff03 \u6e05\u96f6INPUT\u8868\u6570\u636e\u6e05\u96f6
\nsudo iptables -A INPUT -p icmp -j LOG --log-prefix='[netfilter] ' # \u8bb0\u5f55ICMP\u5305
\nsudo iptables -D INPUT -p icmp -j LOG --log-prefix='[netfilter] ' # \u5220\u9664\u9632\u706b\u5899\u89c4\u5219\uff08\u8bb0\u5f55ICMP\u5305\uff09
\nsudo iptables -F \uff03\u9632\u706b\u5899\u89c4\u5219\u751f\u6548
\n<\/code><\/p>\n
\u4ee5\u4e0b\u547d\u4ee4\u91cd\u7f6e\u9632\u706b\u5899
\n
\nsudo iptables -P INPUT ACCEPT
\nsudo iptables -P FORWARD ACCEPT
\nsudo iptables -P OUTPUT ACCEPT
\nsudo iptables -t nat -F
\nsudo iptables -t mangle -F
\nsudo iptables -F
\nsudo iptables -X
\n<\/code><\/p>\n
iptable\u662f\u4e2a\u590d\u6742\u7684\u9632\u706b\u5899\uff0c\u5b83\u4f7f\u7528\u4e86table\uff0cchain\u7b49\u6982\u5ff5\uff0c\u6bd4\u5982\u4e0b\u56fe\uff1a<\/p>\n
\"iptables<\/a>
iptables Overview<\/figcaption><\/figure>\n
\uff08\u6765\u81ea\u94fe\u63a5<\/a>\uff09
\n\u66f4\u8be6\u7ec6\u7684\u4ecb\u7ecd\u53ef\u4ee5\u53c2\u8003\uff3b2\uff3d\u3002<\/p>\n
\u9664iptables\u5916\uff0cUbuntu\u8fd8\u63d0\u4f9b\u4e86UFW<\/a>\uff0c\u8fd9\u4e2a\u5de5\u5177\u5efa\u7acb\u5728iptables\u4e0a\uff0c\u63d0\u4f9b\u6bd4iptables\u66f4\u7b80\u6613\u7684\u914d\u7f6e\u3002\u6bd4\u5982\uff1a<\/p>\n

\nufw enable # \u542f\u7528\u9632\u706b\u5899
\nufw disable \uff03 \u5173\u95ed\u9632\u706b\u5899
\nsudo ufw status # \u663e\u793a\u9632\u706b\u5899\u8bbe\u7f6e
\nufw deny 80\/tcp \uff03 \u5c01\u9501tcp\u768480\u7aef\u53e3
\nsudo ufw delete deny 80\/tcp \uff03 \u5220\u9664\u4e0a\u4e00\u6761\uff08\u5c01\u9501tcp\u768480\u7aef\u53e3\uff09
\n<\/code><\/p>\n
\u66f4\u591a\u7684\u4fe1\u606f\u53ef\u4ee5\u53c2\u8003Ubuntu UFW\u6587\u6863 \uff08\u94fe\u63a5<\/a>\uff09\u3002<\/p>\n
 <\/p>\n
\u53c2\u8003<\/h2>\n
<\/h2>\n
\uff3b1\uff3d7 Linux Route Command Examples (How to Add Route in Linux)<\/a><\/p>\n
\uff3b2\uff3dLinux Firewall Tutorial: IPTables Tables, Chains, Rules Fundamentals<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
\u89e3\u51b3\u4e00\u4e2a\u5947\u602a\u7684\u7f51\u7edc\u8fde\u63a5\u9519\u8bef Solve a strange network problem \u6211\u7684\u670d\u52a1\u5668bunny\u6700\u8fd1\u51fa\u73b0\u4e86\u4e00\u4e2a\u5947\u602a\u7684\u7f51\u7edc\u8fde\u63a5\u9519\u8bef\uff1a\u53ea\u6709\u53f0\u5f0f\u673a\u548c\u670d\u52a1\u5668\u80fd\u8fde\u63a5\u5230bunny\uff0c\u7b14\u8bb0\u672c\u5c31\u8fde\u4e0d\u4e0a\u3002 \u5047\u8bbe\u7f51\u7edcIP\u5982\u4e0b\uff1a A. \u670d\u52a1\u5668bunny\uff1a198.215.54.48 10G \u7f51\u7edc B. \u670d\u52a1\u5668\uff1a 198.215.54.5 10G \u7f51\u7edc C. \u670d\u52a1\u5668bronco: 129.112.7.169 1G \u7f51\u7edc D. \u53f0\u5f0f\u673a\uff1a129.112.185.246 \u5c40\u57df\u7f51 E. \u7b14\u8bb0\u672c\uff1a172.17.157.121 \u65e0\u7ebf\u7f51 \u73b0\u5728\u7684\u95ee\u9898\u662f\u53ef\u4ee5\u4eceB, C, D \u8fde\u63a5\u5230A\uff0c\u4f46\u4e0d\u80fd\u4eceE\u8fde\u63a5\u5230A\u3002 \u89e3\u51b3\u601d\u8def\u5982\u4e0b\uff1a 1. \u6000\u7591E->A\u7684\u8def\u7531\u6709\u95ee\u9898 \u901a\u8fc7traceroute\uff0c\u53d1\u73b0E\u5230A\u7684\u6700\u540e\u4e00\u8df3\u662f\uff0a\uff0c\u72b6\u6001\u662fHost unavailable. \u4f46\u8fdb\u4e00\u6b65\u53d1\u73b0E->B\uff0cA\u548cB\u5728\u540c\u4e00\u4e2a\u5b50\u7f51\uff0c\u56e0\u6b64E->A\u7684\u8def\u7531\u4e0d\u5927\u53ef\u80fd\u6709\u95ee\u9898 2. \u68c0\u67e5A\u7684\u9632\u706b\u5899\u8bbe\u7f6e \u5148\u5173\u95ed\u6240\u6709\u9632\u706b\u5899\uff0c\u7528\uff1a ufw disable \u4f46E\u4ecd\u7136\u4e0d\u80fd\u8fdeA 3. \u68c0\u67e5A\u7684\u8def\u7531 > route -n Kernel IP routing table Destination Gateway […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11],"tags":[147,144,146,13,145],"class_list":["post-711","post","type-post","status-publish","format-standard","hentry","category-sysadmin","tag-docker","tag-iptables","tag-network","tag-ubuntu","tag-ufw"],"_links":{"self":[{"href":"https:\/\/zhanxw.com\/blog\/wp-json\/wp\/v2\/posts\/711","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zhanxw.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zhanxw.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zhanxw.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/zhanxw.com\/blog\/wp-json\/wp\/v2\/comments?post=711"}],"version-history":[{"count":0,"href":"https:\/\/zhanxw.com\/blog\/wp-json\/wp\/v2\/posts\/711\/revisions"}],"wp:attachment":[{"href":"https:\/\/zhanxw.com\/blog\/wp-json\/wp\/v2\/media?parent=711"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zhanxw.com\/blog\/wp-json\/wp\/v2\/categories?post=711"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zhanxw.com\/blog\/wp-json\/wp\/v2\/tags?post=711"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}