在本文中,我将探讨如何为连接到Linux主机的设备提供网络访问。将使用一个实际的故障排查案例来详细说明这个过程,最终实现用脚本完成各项检查和配置工作。
背景:
客户有一个RK3568主板,运行Ubuntu Linux系统。该主板有两个以太网接口:假设定义eth0(内网)和eth1(外网)。客户希望通过RK3568为连接到eth0的Windows PC提供外部网络访问。
简而言之就是Windows PC通过网线连接到RK3568主板的内网口 ,就能在Windows PC访问www.baidu.com(外网)。
Windows PC设置:
PC是Windows 10,需要通过图形界面或命令行来设置默认网关:
- 打开“控制面板”。
- 选择“网络和共享中心”。
- 在左侧,点击“更改适配器设置”。
- 右键点击网络连接(可能是“以太网”或类似名称),然后选择“属性”。
- 在列表中找到并双击“Internet 协议版本 4 (TCP/IPv4)”。
- 选择“使用下面的IP地址”并输入你的IP地址、子网掩码。在“默认网关”中,输入
192.168.52.2。 - 点击“确定”保存设置。
#执行ipconfig简单确认下 ipconfig
RK3568 Ubuntu设置:
1. 故障排查步骤:
1.配置NAT(网络地址转换)
确保在Linux主机上设置了正确的NAT规则。
root@xxx:/# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE iptables v1.8.4 (legacy): can't initialize iptables table `nat': Table does not exist (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded.
很好这一步就出错了 查下资料 我之前调试RK3399 docker的时候加过iptables nat config , 想起来了 需要在kernel 打开config功能。
那我们先解决iptables nat命令的问题 , 先让kernel boot支持 打开kernel/arch/arm64/configs/rockchip_linux_defconfig进行增加 , 下面有些内容可能不是 先不管了 把配置拷进去 后面再研究。
+CONFIG_TUN=y + +#------------iptables +#CONFIG_FRAMEBUFFER_CONSOLE=y +CONFIG_POSIX_MQUEUE=y +CONFIG_CGROUP_PIDS=y +CONFIG_MEMCG=y +CONFIG_MEMCG_SWAP=y +CONFIG_RT_GROUP_SCHED=y +CONFIG_BLK_CGROUP=y +CONFIG_BLK_DEV_THROTTLING=y +CONFIG_CFQ_GROUP_IOSCHED=y +CONFIG_INET_ESP=y +CONFIG_BRIDGE_NETFILTER=y +CONFIG_NF_CONNTRACK_FTP=y +CONFIG_NF_CONNTRACK_TFTP=y +CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y +CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y +CONFIG_NETFILTER_XT_MATCH_IPVS=y +CONFIG_IP_VS=y +CONFIG_IP_VS_PROTO_TCP=y +CONFIG_IP_VS_PROTO_UDP=y +CONFIG_IP_VS_RR=y +CONFIG_IP_VS_NFCT=y +CONFIG_IP_NF_TARGET_REDIRECT=y +CONFIG_BRIDGE=y +CONFIG_CGROUP_NET_PRIO=y +CONFIG_BLK_DEV_DM=y +CONFIG_DM_THIN_PROVISIONING=y +CONFIG_DUMMY=y +CONFIG_MACVLAN=y +CONFIG_IPVLAN=y +CONFIG_VXLAN=y +CONFIG_VETH=y +CONFIG_BTRFS_FS=y +CONFIG_BTRFS_FS_POSIX_ACL=y
编译kernel boot.img 重新烧录到RK3568 系统中, 重启。
重新验证下功能是否可以被执行 , 执行完没有任何报错 这一步完成。
root@xxx:/# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
2. 启用IP转发:
Linux主机必须允许IP转发。
echo 1 > /proc/sys/net/ipv4/ip_forward
并确保在 /etc/sysctl.conf 文件中有以下行:
net.ipv4.ip_forward=1
3. 检 查配置双网口环境:
如果没有一个接口在与试图添加的网关相同的子网上,可能需要配置一个接口来使用这个子网。例如,如果有一个名为 eth0 的接口,可以使用以下命令为其分配一个IP地址:
ifconfig eth0 192.168.52.2 netmask 255.255.255.0 up
下面这个 ip 命令测试发现没有添加到route 不行不要用:
ip addr add 192.168.52.2/24 dev eth0 ip link set eth0 up
在这里,192.168.52.2 是一个示例IP地址,你可以选择该子网上的任何可用地址。
root@xxx:/# ifconfig eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::f5d1:863c:90d8:c00e prefixlen 64 scopeid 0x20<link> ether f6:b2:f0:93:bb:ab txqueuelen 1000 (Ethernet) RX packets 121 bytes 9206 (9.2 KB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 47 bytes 7793 (7.7 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 device interrupt 38 eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.1.2 netmask 255.255.255.0 broadcast 192.168.1.255 inet6 fe80::1b34:5d25:1cc3:eb3d prefixlen 64 scopeid 0x20<link> ether f2:b2:f0:93:bb:ab txqueuelen 1000 (Ethernet) RX packets 1317 bytes 219566 (219.5 KB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 55 bytes 5851 (5.8 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 device interrupt 43 lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 1000 (Local Loopback) RX packets 166 bytes 11692 (11.6 KB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 166 bytes 11692 (11.6 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 root@xxx:/# ifconfig eth0 192.168.52.2 netmask 255.255.255.0 up root@xxx:/# ifconfig eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.52.2 netmask 255.255.255.0 broadcast 192.168.52.255 ether f6:b2:f0:93:bb:ab txqueuelen 1000 (Ethernet) RX packets 873 bytes 299601 (299.6 KB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 98 bytes 15353 (15.3 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 device interrupt 38 eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.1.2 netmask 255.255.255.0 broadcast 192.168.1.255 inet6 fe80::1b34:5d25:1cc3:eb3d prefixlen 64 scopeid 0x20<link> ether f2:b2:f0:93:bb:ab txqueuelen 1000 (Ethernet) RX packets 5035 bytes 782225 (782.2 KB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 668 bytes 287954 (287.9 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 device interrupt 43 lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 1000 (Local Loopback) RX packets 242 bytes 17162 (17.1 KB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 242 bytes 17162 (17.1 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 root@xxx:/# route Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface default _gateway 0.0.0.0 UG 102 0 0 eth1 192.168.1.0 0.0.0.0 255.255.255.0 U 102 0 0 eth1 192.168.52.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
OK 看上面的eth0 已经被配置IP和路由了。
4. 检查网络是否通:
如果Windows 10 PC无法通过RK3568访问外部网络,需要进行一系列的故障排查步骤。
Ping测试:
- 从PC上ping RK3568的内部IP地址(192.168.52.2)。确保它是通的。(OK)
- 从RK3568 ping PC的IP地址(192.168.52.1)。确保它也是通的。(OK)
- 从RK3568 ping 外部网站,如8.8.8.8。确保外部网络是通的。(OK)
- 从PC ping 8.8.8.8。如果这不起作用,但上述所有步骤都起作用,那么问题可能与NAT或路由有关。
检查NAT设置:确保在RK3568上正确设置了NAT。再次运行以下命令:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
检查DNS:问题可能与DNS解析有关。尝试从PC ping一个域名,如www.baidu.com。如果这不起作用,但ping 8.8.8.8起作用,可能需要在PC上设置一个静态DNS,如Google的8.8.8.8和8.8.4.4。
RK3568验证:
root@btf:/# ping 192.168.52.1 PING 192.168.52.1 (192.168.52.1) 56(84) bytes of data. 64 bytes from 192.168.52.1: icmp_seq=1 ttl=128 time=1.17 ms 64 bytes from 192.168.52.1: icmp_seq=2 ttl=128 time=1.33 ms 64 bytes from 192.168.52.1: icmp_seq=3 ttl=128 time=1.27 ms 64 bytes from 192.168.52.1: icmp_seq=4 ttl=128 time=0.937 ms 64 bytes from 192.168.52.1: icmp_seq=5 ttl=128 time=1.66 ms 64 bytes from 192.168.52.1: icmp_seq=6 ttl=128 time=3.46 ms 64 bytes from 192.168.52.1: icmp_seq=7 ttl=128 time=1.32 ms 64 bytes from 192.168.52.1: icmp_seq=8 ttl=128 time=1.62 ms 64 bytes from 192.168.52.1: icmp_seq=9 ttl=128 time=1.75 ms 64 bytes from 192.168.52.1: icmp_seq=10 ttl=128 time=1.42 ms ^C --- 192.168.52.1 ping statistics --- 10 packets transmitted, 10 received, 0% packet loss, time 9015ms rtt min/avg/max/mdev = 0.937/1.593/3.460/0.663 ms root@btf:/# ping 8.8.8.8 PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data. 64 bytes from 8.8.8.8: icmp_seq=1 ttl=110 time=184 ms 64 bytes from 8.8.8.8: icmp_seq=2 ttl=110 time=186 ms ^C --- 8.8.8.8 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1002ms rtt min/avg/max/mdev = 183.646/184.745/185.844/1.099 ms root@btf:/#
PC Windows验证:
先验证内网通不通 (OK)
再验证外网通不通(OK)
其实到这里已经可以上网了 不信你看PC右下角图标 以及打开浏览器。
5. 防火墙设置:
确保Linux主机的防火墙允许流量通过。(这一步我是没弄的 , 如果以上步骤还是不行 可以尝试弄下防火墙)
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
6. 小节:
如果遇到问题 请详细按照第4步骤检查 , 下面2项是重要的 不要遗漏:
1. 外部连接测试:
从Linux主机ping 8.8.8.8,确保它可以访问外部网络。
2. PC的网络设置:
确保PC的默认网关设置为Linux主机的内部IP地址。
3. 最终可上网状态:
route
或
ip route
下面是我最终OK可以上网的各项配置。
root@xxx:/# ip route default via 192.168.1.1 dev eth1 proto dhcp metric 101 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.2 metric 101 192.168.52.0/24 dev eth0 proto kernel scope link src 192.168.52.2 root@xxx:/# route Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface default _gateway 0.0.0.0 UG 101 0 0 eth1 192.168.1.0 0.0.0.0 255.255.255.0 U 101 0 0 eth1 192.168.52.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 root@xxx:/# ifconfig -a can0: flags=128<NOARP> mtu 16 unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 10 (UNSPEC) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 device interrupt 55 can1: flags=128<NOARP> mtu 16 unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 10 (UNSPEC) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 device interrupt 56 dummy0: flags=130<BROADCAST,NOARP> mtu 1500 ether f2:4c:f0:78:b5:b0 txqueuelen 1000 (Ethernet) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.52.2 netmask 255.255.255.0 broadcast 192.168.52.255 ether f6:b2:f0:93:bb:ab txqueuelen 1000 (Ethernet) RX packets 49950 bytes 15323445 (15.3 MB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 43930 bytes 7288991 (7.2 MB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 device interrupt 38 eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.1.2 netmask 255.255.255.0 broadcast 192.168.1.255 inet6 fe80::1b34:5d25:1cc3:eb3d prefixlen 64 scopeid 0x20<link> ether f2:b2:f0:93:bb:ab txqueuelen 1000 (Ethernet) RX packets 55814 bytes 9172054 (9.1 MB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 49908 bytes 15222325 (15.2 MB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 device interrupt 43 lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 1000 (Local Loopback) RX packets 202 bytes 16611 (16.6 KB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 202 bytes 16611 (16.6 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 usb0: flags=4098<BROADCAST,MULTICAST> mtu 1500 ether ae:0c:29:a3:9b:6d txqueuelen 1000 (Ethernet) RX packets 1 bytes 28 (28.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 2 bytes 433 (433.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 root@xxx:/# cat /etc/sysctl.conf | grep net.ipv4.ip_forward=1 #net.ipv4.ip_forward=1 #后面发现这个不打开其实也是可以的 root@xxx:/# cat /proc/sys/net/ipv4/ip_forward 1 #这个要打开设置为1
7. 脚本:
调试过程中一脸懵逼到逐渐清晰 , 中间也学习了很多概念 也尝试了很多遍 最终反复尝试是找到了设置成符合客户需求的规律 , 命令有些繁琐 按照我的特点 肯定是要搞个脚本自动执行啦。
#!/bin/bash # 检查参数数量 if [ "$#" -ne 3 ]; then echo "使用方法: $0 <内网接口名> <内网接口IP地址> <外网接口名>" exit 1 fi # 获取参数 INTERNAL_IF="$1" IPADDR="$2" EXTERNAL_IF="$3" # 启用IP转发 echo "启用IP转发..." echo 1 > /proc/sys/net/ipv4/ip_forward # 清理旧的NAT规则 echo "清理旧的NAT规则..." iptables -F iptables -t nat -F # 清理旧的NAT规则 echo "清理旧的NAT规则..." iptables -t nat -F # 设置NAT规则 echo "设置NAT规则..." iptables -t nat -A POSTROUTING -o $EXTERNAL_IF -j MASQUERADE # 配置内网接口 echo "配置内网接口 $INTERNAL_IF..." ip addr add $IPADDR/24 dev $INTERNAL_IF ip link set $INTERNAL_IF up # 打印网络接口信息 echo "当前网络接口信息:" ip addr # 测试外网连接 echo "测试外网连接..." ping -c 4 8.8.8.8 echo "脚本执行完毕!"
现在 可以使用以下命令来运行脚本:
./enable_nat_routing.sh eth0 192.168.52.2 eth1
脚本执行结果:
root@btf:/opt# ./enable_nat_routing.sh 使用方法: ./enable_nat_routing.sh <内网接口名> <内网接口IP地址> <外网接口名> root@btf:/opt# ./enable_nat_routing.sh eth0 192.168.52.2 eth1 启用IP转发... 清理旧的NAT规则... 设置NAT规则... 配置内网接口 eth0... 当前网络接口信息: 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000 link/ether aa:e4:19:76:54:43 brd ff:ff:ff:ff:ff:ff 3: can0: <NOARP,ECHO> mtu 16 qdisc noop state DOWN group default qlen 10 link/can 4: can1: <NOARP,ECHO> mtu 16 qdisc noop state DOWN group default qlen 10 link/can 5: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether f6:b2:f0:93:bb:ab brd ff:ff:ff:ff:ff:ff inet 192.168.52.2/24 scope global eth0 valid_lft forever preferred_lft forever inet6 fe80::f5d1:863c:90d8:c00e/64 scope link noprefixroute valid_lft forever preferred_lft forever 6: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether f2:b2:f0:93:bb:ab brd ff:ff:ff:ff:ff:ff inet 192.168.1.2/24 brd 192.168.1.255 scope global dynamic noprefixroute eth1 valid_lft 86348sec preferred_lft 86348sec inet6 fe80::1b34:5d25:1cc3:eb3d/64 scope link noprefixroute valid_lft forever preferred_lft forever 7: usb0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000 link/ether ae:0c:29:a3:9b:6d brd ff:ff:ff:ff:ff:ff 当前路由信息: default via 192.168.1.1 dev eth1 proto dhcp metric 102 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.2 metric 102 192.168.52.0/24 dev eth0 proto kernel scope link src 192.168.52.2 测试外网连接... PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data. 64 bytes from 8.8.8.8: icmp_seq=1 ttl=110 time=286 ms 64 bytes from 8.8.8.8: icmp_seq=2 ttl=110 time=283 ms 64 bytes from 8.8.8.8: icmp_seq=3 ttl=110 time=283 ms 64 bytes from 8.8.8.8: icmp_seq=4 ttl=110 time=289 ms --- 8.8.8.8 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3003ms rtt min/avg/max/mdev = 282.528/285.120/289.283/2.689 ms 脚本执行完毕!
补充:
后面测试发现 route规则会突然消失,并且ifconfig eth0 ip也没了。
root@xxx:/opt# route Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface default _gateway 0.0.0.0 UG 102 0 0 eth1 192.168.1.0 0.0.0.0 255.255.255.0 U 102 0 0 eth1
正常情况
root@xxx:/opt# route Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface default _gateway 0.0.0.0 UG 102 0 0 eth1 192.168.1.0 0.0.0.0 255.255.255.0 U 102 0 0 eth1 192.168.52.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
总结:
为连接到Linux主机的设备提供网络访问可能需要多个配置步骤。通过仔细地检查每个配置和进行逐步的故障排查,我们可以成功地解决这类问题。
希望这篇博客对你有所帮助!
