Ping到pppoe服务器失败,而反向工作

我在CentOS 5.4(Final)x86_64机器(Linux 2.6.18-164.el5#1 SMP)上创build了Linux PPPoE服务器。 我也成功build立了PPPoE连接。 但是,使用ppp接口从客户端ping服务器失败,而服务器可以成功ping客户端。

Server ppp IP:10.0.0.1 Client ppp IP:10.67.15.111

服务器上的PPP接口:

ppp0 Link encap:Point-to-Point Protocol inet addr:10.0.0.1 PtP:10.67.15.111 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 RX packets:513 errors:0 dropped:0 overruns:0 frame:0 TX packets:5 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:3 RX bytes:42304 (41.3 KiB) TX bytes:130 (130.0 b) 

服务器上的Tcpdump打印输出的ping请求,以及来自客户端的传入响应。

 # tcpdump -i ppp0 -X tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes 21:37:12.218177 IP 10.0.0.1 > 10.67.15.111: ICMP echo request, id 30999, seq 1, length 64 0x0000: 4500 0054 0000 4000 4001 16f7 0a00 0001 E..T..@.@....... 0x0010: 0a43 0f6f 0800 2d54 7917 0001 b019 b352 .Co.-Ty......R 0x0020: 0000 0000 2c54 0300 0000 0000 1011 1213 ....,T.......... 0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 .............!"# 0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123 21:37:12.222904 IP 10.67.15.111 > 10.0.0.1: ICMP echo reply, id 30999, seq 1, length 64 0x0000: 4500 0054 af93 0000 4001 a763 0a43 0f6f E..T....@..cCo 0x0010: 0a00 0001 0000 3554 7917 0001 b019 b352 ......5Ty......R 0x0020: 0000 0000 2c54 0300 0000 0000 1011 1213 ....,T.......... 0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 .............!"# 0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123 

服务器上的Tcpdump打印传入的ping请求,但没有响应被发送

 21:38:06.942359 IP 10.67.15.111 > 10.0.0.1: ICMP echo request, id 13435, seq 2, length 64 0x0000: 4500 0054 0000 4000 4001 16f7 0a43 0f6f E..T..@.@....Co 0x0010: 0a00 0001 0800 4c41 347b 0002 a04d d6f3 ......LA4{...M.. 0x0020: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0x0030: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0x0040: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 21:38:07.946344 IP 10.67.15.111 > 10.0.0.1: ICMP echo request, id 13435, seq 3, length 64 0x0000: 4500 0054 0000 4000 4001 16f7 0a43 0f6f E..T..@.@....Co 0x0010: 0a00 0001 0800 f1e1 347b 0003 a05d 3142 ........4{...]1B 0x0020: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0x0030: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0x0040: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 21:38:08.958344 IP 10.67.15.111 > 10.0.0.1: ICMP echo request, id 13435, seq 4, length 64 0x0000: 4500 0054 0000 4000 4001 16f7 0a43 0f6f E..T..@.@....Co 0x0010: 0a00 0001 0800 881b 347b 0004 a06c 9af8 ........4{...l.. 0x0020: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0x0030: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0x0040: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 

我只configuration了PPPD和PPPoE服务器相关的configuration。 有人可以帮忙,我没有启用任何防火墙选项。

在检查两个链接之后:

http://www.trickylinux.net/disable-ping-response-linux.html

 cat /proc/sys/net/ipv4/icmp_echo_ignore_all 0 

https://unix.stackexchange.com/questions/44596/what-prevents-a-machine-from-responding-to-pings

 # sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: enforcing Policy version: 21 Policy from config file: targeted # # # setenforce 0 # sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: permissive Mode from config file: enforcing Policy version: 21 Policy from config file: targeted # system-config-securitylevel-tui # # # sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: permissive Mode from config file: permissive Policy version: 21 Policy from config file: targeted # sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: permissive Mode from config file: permissive Policy version: 21 Policy from config file: targeted # system-config-securitylevel-tui # # sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: permissive Mode from config file: disabled Policy version: 21 Policy from config file: targeted # vi system-config-securitylevel # system-config-securitylevel # # # sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: permissive Mode from config file: disabled Policy version: 21 Policy from config file: targeted 

也可以根据MadHatter的评论find我目前的防火墙设置。

 iptables -L -n -v Chain INPUT (policy ACCEPT 16472 packets, 12M bytes) pkts bytes target prot opt in out source destination 0 0 DROP tcp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1023 0 0 DROP udp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 udp dpts:0:1023 0 0 DROP tcp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 4186 352K DROP icmp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 icmp type 8 Chain FORWARD (policy DROP 90 packets, 5400 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 17307 packets, 2685K bytes) pkts bytes target prot opt in out source destination 

同样的CMD后,我注意到很多滴。

  iptables -L -n -v Chain INPUT (policy ACCEPT 18176 packets, 13M bytes) pkts bytes target prot opt in out source destination 0 0 DROP tcp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1023 0 0 DROP udp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 udp dpts:0:1023 0 0 DROP tcp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 4934 414K DROP icmp -- ppp+ * 0.0.0.0/0 0.0.0.0/0 icmp type 8 Chain FORWARD (policy DROP 90 packets, 5400 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 19179 packets, 3241K bytes) pkts bytes target prot opt in out source destination 

是否需要任何明确的防火墙规则来响应传入的ping请求。

提前致谢。 -Murugan

你可能会说你没有启用任何防火墙选项 ,但在那里, INPUT链中的第四条规则是在所有ppp接口上丢弃全部(入站)ICMPtypes8( echo-request )的一行。 它甚至有一个不错的,大的,不断增长的数据包计数,让你知道它正在做它的工作。

尝试服务器上的iptables -D INPUT 4

并回答你上面的结论性问题:不。 不需要明确的防火墙规则来响应PING请求。 但是,你必须停止明确地把它们放在地板上