Linux – Enable packet forwarding

Test environment: CentOS 8 x86_64

At some point the IPv4 IP Forwarding default on this host turned out to be Enable (1).

[root@localhost ~]# cat /proc/sys/net/ipv4/ip_forward
1

Or inspect the IP Forwarding setting of each network device. net.ipv4.ip_forward is a global switch; the per-interface state lives under conf/<iface>/forwarding:

[root@localhost ~]# ll /proc/sys/net/ipv[46]/conf/*/forwarding
-rw-r--r--. 1 root root 0 Dec  7 17:32 /proc/sys/net/ipv4/conf/all/forwarding
-rw-r--r--. 1 root root 0 Dec  7 17:32 /proc/sys/net/ipv4/conf/default/forwarding
-rw-r--r--. 1 root root 0 Dec  7 17:32 /proc/sys/net/ipv4/conf/ens33/forwarding
-rw-r--r--. 1 root root 0 Dec  7 17:32 /proc/sys/net/ipv4/conf/lo/forwarding
-rw-r--r--. 1 root root 0 Dec  7 17:32 /proc/sys/net/ipv4/conf/virbr0/forwarding
-rw-r--r--. 1 root root 0 Dec  7 17:32 /proc/sys/net/ipv4/conf/virbr0-nic/forwarding
-rw-r--r--. 1 root root 0 Dec  7 17:32 /proc/sys/net/ipv6/conf/all/forwarding
-rw-r--r--. 1 root root 0 Dec  7 17:32 /proc/sys/net/ipv6/conf/default/forwarding
-rw-r--r--. 1 root root 0 Dec  7 17:32 /proc/sys/net/ipv6/conf/ens33/forwarding
-rw-r--r--. 1 root root 0 Dec  7 17:32 /proc/sys/net/ipv6/conf/lo/forwarding
-rw-r--r--. 1 root root 0 Dec  7 17:32 /proc/sys/net/ipv6/conf/virbr0/forwarding
-rw-r--r--. 1 root root 0 Dec  7 17:32 /proc/sys/net/ipv6/conf/virbr0-nic/forwarding
[root@localhost ~]# cat /proc/sys/net/ipv4/conf/ens33/forwarding
1
[root@localhost ~]# cat /proc/sys/net/ipv6/conf/ens33/forwarding
0

Or query it with the sysctl command:

[root@localhost ~]# sysctl -a  | grep ip_forward
net.ipv4.ip_forward = 0
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
[root@localhost ~]# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
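The same inspection as a small shell audit, added here as an example and not part of the original post: it reads the /proc/sys knobs shown above for every interface and both address families, and lists the interfaces that actually forward. The tree root is a parameter (default /proc/sys) so the functions can be run against a constructed copy of the tree without root; the function names are mine.

```shell
#!/bin/sh
# Audit IP forwarding state from the /proc/sys tree (or a copy of it).

# Print "family iface value" for every net/<family>/conf/*/forwarding file
# under ROOT (default /proc/sys). Unreadable or missing entries are skipped.
forwarding_state() {
    root="${1:-/proc/sys}"
    for family in ipv4 ipv6; do
        for f in "$root"/net/"$family"/conf/*/forwarding; do
            [ -r "$f" ] || continue                # also skips an unmatched glob
            iface=$(basename "$(dirname "$f")")
            printf '%s %s %s\n' "$family" "$iface" "$(tr -d '[:space:]' < "$f")"
        done
    done
}

# Print the real interfaces (not the all/default pseudo-entries) that
# currently forward for FAMILY (ipv4 or ipv6) under ROOT.
# usage: forwarding_ifaces [ROOT] [FAMILY]
forwarding_ifaces() {
    root="${1:-/proc/sys}"; family="${2:-ipv4}"
    forwarding_state "$root" | awk -v fam="$family" \
        '$1 == fam && $3 == "1" && $2 != "all" && $2 != "default" { print $2 }'
}

# Return 0 if the global IPv4 switch net.ipv4.ip_forward is on. Writing this
# knob rewrites every net.ipv4.conf.*.forwarding entry, so it is the one to
# check first.
ipv4_forwarding_on() {
    root="${1:-/proc/sys}"
    [ "$(tr -d '[:space:]' < "$root/net/ipv4/ip_forward" 2>/dev/null)" = "1" ]
}
```

On a real host run `forwarding_state` with no argument; `forwarding_ifaces /proc/sys ipv6` is the quick way to see whether IPv6 routing is on as well, since net.ipv4.ip_forward says nothing about it.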

Manual change

It can be changed manually with the sysctl command. Writing net.ipv4.ip_forward also rewrites every net.ipv4.conf.*.forwarding knob (the ens33 entry below follows it). The change is immediate but not persistent: it is gone after a reboot.

[root@localhost ~]# sysctl -w net.ipv4.ip_forward=0
net.ipv4.ip_forward = 0
[root@localhost ~]# cat /proc/sys/net/ipv4/ip_forward
0
[root@localhost ~]# cat /proc/sys/net/ipv4/conf/ens33/forwarding
0

Note: the IPv6 knob is net.ipv6.conf.all.forwarding.

Or, writing the proc file directly:

[root@localhost ~]# echo 1 > /proc/sys/net/ipv4/ip_forward

Configuration file

The systemd-sysctl service applies the settings in sysctl.conf at boot. More precisely it reads the drop-in directories /usr/lib/sysctl.d, /run/sysctl.d and /etc/sysctl.d, applying the files in lexicographic order of file name with a later file overriding an earlier one for the same key; on CentOS 8 /etc/sysctl.conf takes part through the symlink /etc/sysctl.d/99-sysctl.conf. `sysctl --system` replays the same set of files by hand. The unit is static (no [Install] section) because sysinit.target pulls it in:

[root@localhost ~]# systemctl is-enabled systemd-sysctl.service
static

It was just switched off; now switch it back on through the configuration file plus sysctl -p:

[root@localhost ~]# vi /etc/sysctl.conf
net.ipv4.ip_forward=1
[root@localhost ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@localhost ~]# cat /proc/sys/net/ipv4/ip_forward
1

This time switch IP Forwarding off in the file and reboot CentOS:

[root@localhost ~]# vi /etc/sysctl.conf
net.ipv4.ip_forward=0
[root@localhost ~]# reboot

Strange, wasn't IP Forwarding just set to Disable (0)?

[root@localhost ~]# cat /proc/sys/net/ipv4/ip_forward
1
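An added example, not part of the original post, that answers the question without rebooting: which value will systemd-sysctl actually apply for a key at boot, following the precedence rules of sysctl.d(5) described above (directories in priority order, a file in a higher-priority directory masks a file of the same name in a lower one, all claimed files applied in lexicographic order, last assignment of the key wins). If this reports 0 for net.ipv4.ip_forward while the running kernel shows 1, the boot-time configuration is not the problem; something started later is writing the knob. The function name is mine; the directory arguments default to the systemd locations.

```shell
#!/bin/sh
# Compute the value systemd-sysctl will apply for one key at boot.
# usage: sysctl_effective KEY [DIR...]   (DIRs highest priority first)
sysctl_effective() {
    key="$1"; shift
    [ $# -gt 0 ] || set -- /etc/sysctl.d /run/sysctl.d /usr/local/lib/sysctl.d /usr/lib/sysctl.d /lib/sysctl.d
    claimed=" "
    files=""
    for d in "$@"; do
        for f in "$d"/*.conf; do
            [ -f "$f" ] || continue                 # unmatched glob; symlinks such as 99-sysctl.conf are followed
            b=$(basename "$f")
            case "$claimed" in *" $b "*) continue ;; esac   # masked by a higher-priority directory
            claimed="$claimed$b "
            files="$files$b $f
"
        done
    done
    # apply in lexicographic order of basename; the last assignment wins
    printf '%s' "$files" | sort -k1,1 | while read -r b f; do
        awk -F= -v k="$key" '
            /^[ \t]*[#;]/ || NF < 2 { next }          # comment or no assignment
            {
                kk = $1; v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", kk); gsub(/^[ \t]+|[ \t]+$/, "", v)
                sub(/^-/, "", kk)                    # "-key = v" only suppresses errors
                gsub("/", ".", kk)                   # net/ipv4/ip_forward == net.ipv4.ip_forward
                if (kk == k) last = v
            }
            END { if (last != "") print last }' "$f"
    done | tail -n1
}
```

Compare the result with `sysctl -n net.ipv4.ip_forward`. On the host in this post the file says 0, the kernel says 1, and the interfaces virbr0 and virbr0-nic point at the writer: libvirtd enables IPv4 forwarding when it starts a NAT network, which happens after systemd-sysctl has run.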

The explanation found so far, at https://wiki.archlinux.org/title/Internet_sharing, is that forwarding should instead be blocked on the unwanted interfaces with the firewall:

Warning: If the system uses systemd-networkd to control the network interfaces, a per-interface setting for IPv4 is not possible, i.e. systemd logic propagates any configured forwarding into a global (for all interfaces) setting for IPv4. The advised work-around is to use a firewall to forbid forwarding again on selective interfaces.

That warning is about systemd-networkd, which CentOS 8 does not use by default (it ships NetworkManager), so it does not explain this host. The evidence on this machine points at libvirt instead: the virbr0 and virbr0-nic interfaces and the LIBVIRT_PRT chain below belong to libvirt's default NAT network, and libvirtd writes 1 to /proc/sys/net/ipv4/ip_forward every time it starts a NAT or routed network, after systemd-sysctl has already applied /etc/sysctl.conf. `virsh net-list --all` shows whether that network is active and autostarted; if the bridge is not needed, `virsh net-autostart default --disable` followed by `virsh net-destroy default` stops it from coming up and from re-enabling forwarding. If guests do need it, keep the global switch on and restrict what gets routed with the firewall, as the wiki suggests.

From CentOS 8 on, the firewall can be written with nftables, which is more flexible than the traditional iptables. The nat table below is libvirt's: the raw `@nh,96,24 12626042` and `@nh,128,24 14680064` expressions are how this nft version renders iptables-style matches on the 192.168.122.0/24 source and 224.0.0.0/24 destination prefixes, followed by the masquerade rules for guest traffic. There is no forward-filter chain here yet, so everything the kernel is willing to route is routed:

[root@localhost ~]# nft list table ip nat
table ip nat {
        chain PREROUTING {
                type nat hook prerouting priority dstnat; policy accept;
        }

        chain INPUT {
                type nat hook input priority 100; policy accept;
        }

        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                counter packets 67 bytes 5434 jump LIBVIRT_PRT
        }

        chain OUTPUT {
                type nat hook output priority -100; policy accept;
        }

        chain LIBVIRT_PRT {
                @nh,96,24 12626042 @nh,128,24 14680064 counter packets 2 bytes 159 return
                @nh,96,24 12626042 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
                meta l4proto tcp @nh,96,24 12626042 @nh,128,24 != 12626042 counter packets 0 bytes 0 masquerade to :1024-65535
                meta l4proto udp @nh,96,24 12626042 @nh,128,24 != 12626042 counter packets 0 bytes 0 masquerade to :1024-65535
                @nh,96,24 12626042 @nh,128,24 != 12626042 counter packets 0 bytes 0 masquerade
        }
}
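A ruleset for the work-around the wiki describes, added as an example here and not taken from the original post or from libvirt: the global switch stays on for libvirt, and a forward chain with a drop policy only lets guest traffic leave through the uplink (plus the replies), so the host cannot be used as a router between any other interfaces. The interface names ens33 and virbr0 are the ones on this page; the table name forward_policy, the log prefix and the rate limit are my choices. The inet family covers IPv4 and IPv6 in one chain.

```shell
#!/bin/sh
# Emit an nftables ruleset that restricts forwarding to bridge -> uplink.
# usage: forward_policy_ruleset [UPLINK] [BRIDGE]   (defaults: ens33 virbr0)
forward_policy_ruleset() {
    uplink="${1:-ens33}"; bridge="${2:-virbr0}"
    cat <<EOF
table inet forward_policy {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # malformed or untracked traffic is never routed
        ct state invalid drop

        # replies to connections the guests opened
        ct state established,related accept

        # guests behind the bridge may reach the uplink
        # (libvirt's ip nat table masquerades them on the way out)
        iifname "$bridge" oifname "$uplink" accept

        # everything else hits the drop policy; log a sample first
        limit rate 5/minute log prefix "fwd-drop: "
    }
}
EOF
}

# Syntax-check the ruleset with nft without loading it.
# Returns 0 if nft accepts it, 2 if nft is not installed, 1 on a parse error.
forward_policy_check() {
    command -v nft >/dev/null 2>&1 || return 2
    forward_policy_ruleset "$@" | nft -c -f -
}
```

Load it with `forward_policy_ruleset | nft -f -` and inspect with `nft list table inet forward_policy`. Because nftables evaluates every base chain on the forward hook, a drop here ends the packet regardless of what firewalld's own table decides, while firewalld keeps managing its tables untouched. To survive a reboot, put the output in /etc/nftables/ and reference it from /etc/sysconfig/nftables.conf with nftables.service enabled.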