
I need to set up a DHCP-enabled network (192.168.2.) on a physical layer that already carries an existing network with static IPs (192.168.1.). I have a Debian 7 server with two interfaces (both the server and the interfaces are virtual), and I want to make its IP the gateway of my network. I use eth0 to route packets to the original network (which reaches the Internet gateway at 192.168.1.5) and eth1 to handle the traffic from/to my network.
ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:d4:02:1b
inet addr:192.168.1.110 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fed4:21b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:21668983 errors:0 dropped:0 overruns:0 frame:0
TX packets:10044848 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:10931368249 (10.1 GiB) TX bytes:2383839079 (2.2 GiB)
eth1 Link encap:Ethernet HWaddr 00:0c:29:d4:02:25
inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fed4:225/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14113604 errors:0 dropped:0 overruns:0 frame:0
TX packets:11269734 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1871598524 (1.7 GiB) TX bytes:10331981618 (9.6 GiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8158 errors:0 dropped:0 overruns:0 frame:0
TX packets:8158 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:629690 (614.9 KiB) TX bytes:629690 (614.9 KiB)
route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.1.5 0.0.0.0 UG 0 0 0 eth0
localnet * 255.255.255.0 U 0 0 0 eth0
192.168.2.0 * 255.255.255.0 U 0 0 0 eth1
iptables -vL
Chain INPUT (policy ACCEPT 5603K packets, 822M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 138K packets, 8597K bytes)
pkts bytes target prot opt in out source destination
14M 9542M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
398K 27M ACCEPT all -- eth1 any anywhere anywhere
Chain OUTPUT (policy ACCEPT 2915K packets, 1432M bytes)
pkts bytes target prot opt in out source destination
iptables -t nat -vL
Chain PREROUTING (policy ACCEPT 607K packets, 49M bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 112K packets, 17M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 6893 packets, 977K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 2391 packets, 374K bytes)
pkts bytes target prot opt in out source destination
363K 24M MASQUERADE all -- any eth0 anywhere anywhere
After that I enabled an authoritative DHCP server on eth1.
The problem now is: the connection to the server always works (I have a Samba share and a MySQL server there), but sometimes (seemingly at random) the clients (mostly Windows 7 or XP) cannot reach the network for a variable period of time. In that situation I can ping 192.168.1.110, but not 192.168.1.5.
Addendum
The fact that the FORWARD chain is dropping packets looks suspicious, so I temporarily disabled that filtering:
iptables -A FORWARD -j ACCEPT
With this new rule everything works fine. But I still need to clarify what is actually going on...
Addendum 2
These are the actual iptables rules:
iptables-save
# Generated by iptables-save v1.4.14 on Fri Jun 27 20:53:32 2014
*mangle
:PREROUTING ACCEPT [28129147:14012989399]
:INPUT ACCEPT [8479051:1218948772]
:FORWARD ACCEPT [19639349:12792010625]
:OUTPUT ACCEPT [4434912:3183821941]
:POSTROUTING ACCEPT [23940877:15968783924]
COMMIT
# Completed on Fri Jun 27 20:53:32 2014
# Generated by iptables-save v1.4.14 on Fri Jun 27 20:53:32 2014
*nat
:PREROUTING ACCEPT [931027:74896097]
:INPUT ACCEPT [153578:23398245]
:OUTPUT ACCEPT [9169:1292388]
:POSTROUTING ACCEPT [3186:492868]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Jun 27 20:53:32 2014
# Generated by iptables-save v1.4.14 on Fri Jun 27 20:53:32 2014
*filter
:INPUT ACCEPT [2415796:331288771]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1218435:1654003511]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT
# Completed on Fri Jun 27 20:53:32 2014
Answer 1
To help you diagnose where packets flow through the iptables chains, you can use the -j LOG target, ideally with --log-prefix "some text to easily identify the log in kern.log or syslog". You can keep the default ACCEPT policy and add a reject-all rule at the end of the FORWARD chain with logging enabled, so that you get a better picture of what kind of packets are being dropped.
You might take a look at this schematic http://www.linuxnetmag.com/share/issue9/iptables3.jpg, which shows the basic flow of packets inside the iptables chains.
It would be interesting to have the complete iptables rules you defined in order to give a better answer.
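The logging approach described in this answer, as an added example that is not part of the original post and not code from iptables itself: the first function emits the LOG-then-reject pair to append to the end of the FORWARD chain (after the existing RELATED,ESTABLISHED and -i eth1 ACCEPT rules, so only otherwise-dropped packets reach it), and the rest parses the kernel log lines that the LOG target writes and counts them by ingress/egress interface, protocol, addresses and port, which is what you need to characterise the dropped traffic. The log prefix "FWD-DROP: " and the sample kern.log lines are constructed for illustration; they are assumptions, not data from the page.

```python
"""Added example (not from the original post): FORWARD-chain logging rules
and a summariser for the kern.log lines they produce.

The prefix and the sample log lines are constructed for illustration."""
import re
from collections import Counter

LOG_PREFIX = "FWD-DROP: "   # assumed prefix; any short, unique marker works


def forward_logging_rules(prefix: str = LOG_PREFIX) -> list:
    """Commands that append a LOG rule followed by a reject-all rule to the
    end of FORWARD. Appended after the existing ACCEPT rules, they only see
    the packets those rules did not match, i.e. exactly the traffic a DROP
    policy would otherwise discard silently."""
    return [
        'iptables -A FORWARD -j LOG --log-prefix "%s" --log-level warning' % prefix,
        "iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited",
    ]


# The LOG target writes KEY=VALUE pairs (IN=, OUT=, SRC=, DST=, PROTO=, ...);
# bare flags such as DF, SYN or ACK appear without an '='.
_FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
_FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG|DF)\b")


def parse_log_line(line: str, prefix: str = LOG_PREFIX):
    """Return the KEY=VALUE fields of one logged packet plus a 'FLAGS' list
    of the bare flags, or None if the line does not carry the prefix
    (i.e. it is some other kernel message)."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    body = line[idx + len(prefix):]
    fields = dict(_FIELD_RE.findall(body))
    # Strip the KEY=VALUE text first so that a value (e.g. a MAC address or
    # WINDOW=...) can never be mistaken for a bare flag.
    leftovers = _FIELD_RE.sub(" ", body)
    fields["FLAGS"] = sorted(set(_FLAG_RE.findall(leftovers)))
    return fields


def summarize(lines, prefix: str = LOG_PREFIX) -> Counter:
    """Count logged packets by (IN, OUT, PROTO, SRC, DST, dst-port-or-icmp-type).
    Lines without the prefix are ignored."""
    counts = Counter()
    for line in lines:
        f = parse_log_line(line, prefix)
        if f is None:
            continue
        service = f.get("DPT") or f.get("TYPE") or "-"
        key = (f.get("IN", "-"), f.get("OUT", "-"), f.get("PROTO", "-"),
               f.get("SRC", "-"), f.get("DST", "-"), service)
        counts[key] += 1
    return counts


# Constructed sample of what kern.log looks like with the rules above in place:
# two new SMB connections from the static network towards a DHCP client, one
# bare ACK for which conntrack holds no entry, and one unrelated kernel line.
SAMPLE_KERN_LOG = """\
Jun 27 20:55:01 gw kernel: [ 1234.567] FWD-DROP: IN=eth0 OUT=eth1 MAC=00:0c:29:d4:02:1b:00:11:22:33:44:55:08:00 SRC=192.168.1.50 DST=192.168.2.20 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=4321 DF PROTO=TCP SPT=49152 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Jun 27 20:55:02 gw kernel: [ 1235.011] FWD-DROP: IN=eth0 OUT=eth1 MAC=00:0c:29:d4:02:1b:00:11:22:33:44:55:08:00 SRC=192.168.1.50 DST=192.168.2.20 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=4322 DF PROTO=TCP SPT=49153 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Jun 27 20:55:09 gw kernel: [ 1242.300] FWD-DROP: IN=eth0 OUT=eth1 MAC=00:0c:29:d4:02:1b:00:aa:bb:cc:dd:ee:08:00 SRC=203.0.113.7 DST=192.168.2.20 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=9 DF PROTO=TCP SPT=443 DPT=52000 WINDOW=0 RES=0x00 ACK URGP=0
Jun 27 20:55:10 gw kernel: [ 1243.000] eth0: link up, 1000Mbps, full-duplex
"""

if __name__ == "__main__":
    print("# rules to append at the end of FORWARD:")
    for cmd in forward_logging_rules():
        print(cmd)
    print("\n# dropped packets seen in the sample log:")
    for key, n in summarize(SAMPLE_KERN_LOG.splitlines()).most_common():
        print("%5d  %s -> %s  %s  %s -> %s  dpt/type %s" % ((n,) + key))
```

In practice you would feed `grep 'FWD-DROP: ' /var/log/kern.log` into `summarize()`; the interface pair and the port/type column show at a glance whether the rejected packets are new inbound connections from eth0 or replies that conntrack no longer treats as ESTABLISHED.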