Shulou(Shulou.com)06/01 Report--

The background of the question is as follows:

1. The intranet of the company cannot connect to the public network of a computer room (not even ping,traceroute,curl)

2. In a computer room, the machines in this public network cannot be connected to the intranet of the company (not even ping,traceroute,curl)

3. However, in a computer room, which machine in this public network can connect to the public network through the gateway, and the public network environment can also access the public network ip in a computer room. Only the company's internal network is different from these ip.

4. There is no problem from the company's intranet to the public network of several other computer rooms.

The traceroute result of the disconnection from the private network of the company to the public network of a computer room:

$traceroute x.x.x.x

Traceroute to x.x.x.x (x.x.x.x), 30 hops max, 60 byte packets

1 *

2 10.x.253.1 (10.x.253.1) 7.092 ms 7.388 ms 7.384 ms

3 10.x.2.2 (10.x.2.2) 7.372 ms 7.615 ms 8.347 ms

4 10.x.1.2 (10.x.1.2) 7.595 ms 8.335 ms 8.331 ms

5 192.x.168.254 (192.x.168.254) 8.879 ms 9.325 ms 10.077 ms

6 *

.

30 *

Normal traceroute results of the public network from the company's private network to other computer rooms:

$traceroute xx.xx.xx.xx

Traceroute toxx.xx.xx.xx (xx.xx.xx.xx), 30 hops max, 60 byte packets

1 *

2 10.x.253.1 (10.x.253.1) 7.092 ms 7.388 ms 7.384 ms

3 10.x.2.2 (10.x.2.2) 7.372 ms 7.615 ms 8.347 ms

4 10.x.1.2 (10.x.1.2) 7.595 ms 8.335 ms 8.331 ms

5 *

6 111.111.111.111 (111.111.111.111) 8.879 ms 9.325 ms 10.077 ms

7 *

8 xx.xx.xx.xx

Problem analysis and solution steps: (after discovering this problem, it feels strange and strange, although it does not affect the service, but curiosity still drives the problem to be clear.)

First, after analyzing the routing of the machines in a certain computer room, we found that all of them were normal and no abnormalities were found.

Second, I tested the network between a computer room and other computer rooms, and the network from the external network to a computer room is normal. The first suspect is that the company's intranet is limited, because looking at the traceroute results, the packet has not yet left the company's intranet. So, I checked with the company's IT department and found that there were no restrictions.

Third, then, it is doubtful whether there are any restrictions in the company's computer room. So, I checked with the network group again, and it turned out that there were still no restrictions.

Fourth, after excluding external factors, it is suspected that there may be something wrong with the system. Moreover, by grabbing packets on the external network machine in a computer room, we can catch the traceroute packets delivered by the company's internal network, but the machines in a computer room do not reply to the data packets, so it is more certain that it is the fault of the system itself. Through the powerful google found that the parameter rp_filter caused this problem, because we have a computer room machine this parameter is 1. 5.

The function of the rp_filter parameter:

Rp_filter-INTEGER 0-No source validation. 1-Strict mode as defined in RFC3704 Strict Reverse Path Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded. 2-Loose mode as defined in RFC3704 Loose Reverse Path Each incoming packet's source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail. Current recommended practice in RFC3704 is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or other complicated routing, then loose mode is recommended. The max value from conf/ {all,interface} / rp_filter is used when doing source validation on the {interface}. Default value is 0. Note that some distributions enable it in startup scripts.

The function of setting to 1 is: which network port does the packet come in and which network goes out? if it does not match, it is discarded.

Conclusion:

The request packet from the company's intranet to the machine in a computer room enters from the public network card, while the reply packet flows out from the intranet card of the machine in the computer room according to the routing rules of the machine. The rp_filter of a computer room machine is 1, which causes the packet to be discarded by the system. The rp_filter parameter defaults to 0, which is adjusted to 1 due to historical reasons, so we re-adjust all managed machines to default values to solve similar problems.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.