Hi everyone, I am stuck on routing traffic from the office to the internet. My network layout is shown here: http://asthana.me/images/ip.png . I have assigned a static IP to the CentOS server (which has two NICs). The internal network works fine, and from the CentOS box itself I can browse the internet, but from the internal network behind the switch I cannot browse the internet. I am using iptables to deal with this. Based on what I found on the internet I tried the following, but I get an error:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth2 -o eth0 -j ACCEPT
-t nat -A POSTROUTING -o eth2 -j MASQUERADE
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Whenever I try to restart iptables, I get an error on the following line:
" -t nat -A POSTROUTING -o eth2 -j MASQUERADE"
I have tried various things, but none of them work. My main problem is that I want to have internet access inside the office and also host a domain on this IP, but I am unable to do so.
Any help is much appreciated; thanks in advance.
The output of ifconfig is below; it shows that my eth1 card is there but is not working.
[root@ZyXEL2 ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:25:22:1C:89:2D
inet addr:192.168.1.4 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::225:22ff:fe1c:892d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:42968 errors:0 dropped:0 overruns:0 frame:0
TX packets:16281 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:26041912 (24.8 MiB) TX bytes:1683535 (1.6 MiB)
eth1 Link encap:Ethernet HWaddr 00:E0:1C:3C:5C:40
inet6 addr: fe80::2e0:1cff:fe3c:5c40/64 Scope:Link
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:478 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:2652 (2.5 KiB)
Interrupt:23 Base address:0x8c00
eth2 Link encap:Ethernet HWaddr 00:E0:4A:09:C6:AA
inet6 addr: fe80::2e0:4aff:fe09:c6aa/64 Scope:Link
UP BROADCAST MULTICAST MTU:1400 Metric:1
RX packets:2007 errors:0 dropped:0 overruns:0 frame:0
TX packets:40 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:176727 (172.5 KiB) TX bytes:2498 (2.4 KiB)
Interrupt:22 Base address:0x6800
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:312 errors:0 dropped:0 overruns:0 frame:0
TX packets:312 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:28959 (28.2 KiB) TX bytes:28959 (28.2 KiB)
[root@ZyXEL2 ~]#
When I try to restart iptables I get the following output:
service iptables restart
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: iptables-restore v1.4.7: Line 14 seems to have a -t table option.
Error occurred at line: 14
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[FAILED]
[root@ZyXEL2 ~]#
Answer 1
Use the iptables command to insert or add rules.
Once you get the result you want, use the iptables-save command; it generates output in the correct format. In your current case, you are missing the following section:
*nat
....
COMMIT
It should look like this (following your rules):
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
......
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth2 -j MASQUERADE
COMMIT
Try looking at a NAT guide; in short, using iptables with forwarding enabled should work fine on CentOS.
Also note that the office clients must have a route pointing at your CentOS box (acting as the router), so you may want to set up a DHCP server on the CentOS box to hand out the correct settings to user machines.
Also take a look at the tcpdump command; it is very handy for inspecting traffic and determining whether the rules are working.
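The following script is an added example, not code from the question or the answer above. It puts the answer's advice into a form you can run on the gateway: it generates a complete /etc/sysconfig/iptables in iptables-restore format with separate *filter and *nat sections, runs a small static check that reproduces the complaint iptables-restore raised ("seems to have a -t table option": in restore format the table is chosen by the *name line, never by -t inside a rule), and enables IPv4 forwarding, which the filter and nat rules need but do not turn on. Interface roles are assumptions taken from the post: eth0 is the LAN side (it holds 192.168.1.4 in the ifconfig output, so the LAN is assumed to be 192.168.1.0/24) and eth2 is the internet side (the MASQUERADE rule uses -o eth2). Note that the FORWARD pair in the question accepts NEW connections from eth2 into eth0 and only ESTABLISHED,RELATED the other way, which is the reverse of the direction MASQUERADE is applied; the example below allows NEW connections only from the LAN out to the WAN, and only from the LAN subnet, so the box does not relay traffic for arbitrary sources. SSH is restricted to the LAN interface as a hardening choice; port 80 is left open on all interfaces because the poster wants to host a domain on this IP.

```shell
#!/bin/sh
# Added example: build, check and apply a CentOS 6 style iptables-restore file
# for a two-interface NAT gateway. Not code from the original post.
# Assumed roles (not confirmed by the post): eth0 = LAN, eth2 = internet.
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth2}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed from 192.168.1.4/24 on eth0

# Emit a complete ruleset. Each table is its own *name ... COMMIT block, and
# no rule carries -t: that is exactly what the original file got wrong.
gen_rules() {
    cat <<EOF
# Generated by gen_rules (iptables-restore format)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i $LAN_IF -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Static check of a restore file read on stdin. Exit 0 if every rule sits
# inside an open *table block and none uses -t; exit 1 with a message otherwise.
check_rules() {
    awk '
        function bad(msg) { printf "line %d: %s\n", NR, msg > "/dev/stderr"; rc = 1 }
        BEGIN { rc = 0; tbl = "" }
        /^#/ || /^[ \t]*$/ { next }
        /^\*/ {
            if (tbl != "") bad("table " tbl " not closed by COMMIT before " $0)
            tbl = substr($0, 2); next
        }
        /^COMMIT[ \t]*$/ {
            if (tbl == "") bad("COMMIT outside any table")
            tbl = ""; next
        }
        /^:/ {
            if (tbl == "") bad("chain declaration outside any *table section")
            next
        }
        /(^|[ \t])(-t|--table)([ \t]|$)/ {
            bad("has a -t option; iptables-restore takes the table from the *name line, not from the rule")
        }
        { if (tbl == "") bad("rule outside any *table section") }
        END { if (tbl != "") bad("table " tbl " not closed by COMMIT"); exit rc }
    '
}

# Install the ruleset and turn on forwarding. Needs root on the gateway;
# writes the file that the CentOS 6 "service iptables" init script loads.
apply_rules() {
    gen_rules | check_rules || { echo "refusing to install a malformed ruleset" >&2; return 1; }
    gen_rules > /etc/sysconfig/iptables
    # Forwarding is off by default; persist it and enable it now.
    sed -i 's/^net\.ipv4\.ip_forward *=.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
    sysctl -w net.ipv4.ip_forward=1
    service iptables restart
}

case "${1:-}" in
    show)  gen_rules ;;
    check) gen_rules | check_rules && echo "ruleset OK" ;;
    apply) apply_rules ;;
esac
```

Run `sh nat-gateway.sh check` first, then `sh nat-gateway.sh apply` as root. Feeding the file from the question through `check_rules` reports line 14 with the -t message, the same line iptables-restore v1.4.7 rejected. Separately from the file format, the posted ifconfig output shows eth2 with no IPv4 address and without the RUNNING flag, so even a correctly formatted nat table will not carry traffic until that interface has link and an address on the internet side.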