我有 3 張網路卡。 NIC1 和 NIC2 用於 Internet 連接,LAN 用於 Intranet 連接。
我想使用 ip 表來平衡 ISP 的負載。由於我是菜鳥,我的粗略嘗試在下面的程式碼中給出,顯然沒有成功。該程式碼是透過查看有關該主題的許多網站來組裝的。
我們希望使用循環方法在 LAN 中最佳地使用傳入的互聯網
或者
是否可以使用路由表拆分兩個 isp,即係統 1 至 5 (ISP1) 和 5 至 10 (ISP2)?
希望有人能幫助我,非常感謝。
set -x
IPT="/sbin/iptables"
NIC1="enp4s5f0"
NIC2="enp4s5f1"
LAN="ens2"
ISP1="192.168.9.33"
ISP2="192.168.10.33"
#***************
# reset iptables
#_______________
## reset the default policies in the filter table.
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
## reset the default policies in the nat table.
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
## reset the default policies in the mangle table.
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
## flush all the rules in the filter and nat tables.
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
## erase all chains that's not default in filter and nat table.
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
#*********************
# enable IP forwarding
#_____________________
echo 1 > /proc/sys/net/ipv4/ip_forward
#****************
# rules
#________________
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p icmp -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -p icmp -j ACCEPT
$IPT -t nat -A PREROUTING -i NIC1 -p tcp --dport 80\
-m state --state NEW -m statistic --mode\
random --probability .33 -j DNAT --to-destination 10.1.1.1:1
$IPT -t nat -A PREROUTING -i NIC2 -p tcp --dport 80\
-m state --state NEW -m statistic --mode\
random --probability .33 -j DNAT --to-destination 10.1.1.1:2
$IPT -A FORWARD -i $NIC1 -o $LAN -j ACCEPT
$IPT -A FORWARD -i $NIC2 -o $LAN -j ACCEPT
# ifconfig -a
#********************************
# allow certain hosts full access
#________________________________
allowHost() {
$IPT -A FORWARD -i $LAN -s $1 -j ACCEPT
}
allowHost 192.168.2.10
allowHost 192.168.2.11
allowHost 192.168.2.12
allowHost 192.168.2.13
allowHost 192.168.2.14
allowHost 192.168.2.15
####Extra
$IPT -A FORWARD -d 8.8.8.8 -p tcp -m multiport --dports 53 -j ACCEPT
#********************
# block anything else
#____________________
$IPT -A FORWARD -j LOG -m limit --limit 10/minute --limit-burst 1 --log-prefix "Blocked:"
$IPT -A FORWARD -j DROP
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe iptable_nat
答案1
警告:執行前請先通讀
免責聲明:未經測試
先決條件:
安裝 iptables 持久性包
sudo apt-get install iptables-persistent備份現有的 iptables 規則:
sudo iptables-save > ~/iptables-export恢復:
sudo iptables-restore < ~/iptables-export
刷新以前的 iptables 規則:
sudo iptables -F && sudo iptables -t nat -F && sudo iptables -t mangle -F && sudo iptables -X && sudo iptables -t nat -X && sudo iptables -t mangle -X
腳步:
使用終端機中的以下命令新增一個新的“路由表”,以處理來自某個 NIC 的封包:
sudo bash -c 'echo "1 rt2" >> /etc/iproute2/rt_tables'啟用 ipv4 轉發
sudo sysctl net.ipv4.ip_forward=1 sudo sysctl -p添加允許“偽裝”的過濾器
sudo iptables -t nat -A PREROUTING -i enp4s5f1 -p tcp --dport 80 -j DNAT --to-destination 192.168.2.90 sudo iptables -t nat -A PREROUTING -i enp4s5f0 -p tcp --dport 80 -j DNAT --to-destination 192.168.2.90 sudo iptables -t nat -A POSTROUTING -o ens2 -j MASQUERADE sudo netfilter-persistent save sudo netfilter-persistent reload編輯
/etc/network/interfaces文件並添加第二個網卡的配置,但當然複製一份舊的,sudo cp /etc/network/interfaces /etc/network/interfaces.bkup:iface enp4s5f1 inet static address <YOUR_NIC_ADD>/24 netmask 255.255.255.0 post-up ip route add 192.168.10.0/24 dev enp4s5f1 src 192.168.10.33 table rt2 post-up ip route add default via 192.168.10.1 dev enp4s5f1 table rt2 post-up ip rule add from 192.168.10.33/32 table rt2 post-up ip rule add to 192.168.10.33/32 table rt2重新啟動網路管理員:
sudo systemctl restart NetworkManager.service
新增iptable規則:
sudo iptables -t nat -A PREROUTING -i enp4s5f0 -m state --state NEW -m statistic --mode nth --every 5 --packet 0 -j DNAT --to-destination 192.168.2.26 sudo iptables -t nat -A PREROUTING -i enp4s5f0 -m state --state NEW -m statistic --mode nth --every 4 --packet 0 -j DNAT --to-destination 192.168.2.27 sudo iptables -t nat -A PREROUTING -i enp4s5f0 -m state --state NEW -m statistic --mode nth --every 3 --packet 0 -j DNAT --to-destination 192.168.2.28 sudo iptables -t nat -A PREROUTING -i enp4s5f0 -m state --state NEW -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 192.168.2.29 sudo iptables -t nat -A PREROUTING -i enp4s5f0 --to-destination 192.168.2.30
=========================================
sudo iptables -t nat -A PREROUTING -i enp4s5f1 -m state --state NEW -m statistic --mode nth
--every 5 --packet 0 -j DNAT --to-destination 192.168.2.21
sudo iptables -t nat -A PREROUTING -i enp4s5f1 -m state --state NEW -m statistic --mode nth
--every 4 --packet 0 -j DNAT --to-destination 192.168.2.22
sudo iptables -t nat -A PREROUTING -i enp4s5f1 -m state --state NEW -m statistic --mode nth
--every 3 --packet 0 -j DNAT --to-destination 192.168.2.23
sudo iptables -t nat -A PREROUTING -i enp4s5f1 -m state --state NEW -m statistic --mode nth
--every 2 --packet 0 -j DNAT --to-destination 192.168.2.24
sudo iptables -t nat -A PREROUTING -i enp4s5f1 -j DNAT --to-destination 192.168.2.25
sudo netfilter-persistent save
sudo netfilter-persistent reload
來源:
https://scalingo.com/articles/2018/04/20/iptables.html
https://www.webair.com/community/simple-stateful-load-balancer-with-iptables-and-nat/
http://ipset.netfilter.org/iptables-extensions.man.html
https://www.linuxquestions.org/linux/answers/Networking/Spanning_Multiple_DSLs
https://linuxconfig.org/how-to-restart-network-on-ubuntu-16-04-xenial-xerus-linux