Linux router middlebox fails to initialize Internet connection

I am trying to configure a Linux machine as a "middlebox router" that lets connected client machines use the machine's own Internet connection. It has two physical Ethernet interfaces, call them eth0 and eth1. eth0 is the middlebox's Internet connection (connected to a switch), and the Internet connection test works fine. The Internet-connected LAN subnet is 192.168.0.0/24 with gateway 192.168.1.1. I configured a different subnet for the middlebox, as shown in the configuration file below.

I tried to configure the other Ethernet interface, eth1, to basically share the Internet connection, but I get the error message "Internet Connection Failed to Initialize" and the client cannot reach the Internet.

I tried to set up this middlebox as follows:


 1. Installed isc-dhcp-server
 2. Configured DHCP and a static IP address for the client interface eth1
 3. Enabled IPv4 forwarding on the middlebox

sysctl -w net.ipv4.ip_forward=1

 4. iptables rules:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

 5. Set the internet connection interface (eth0) as the default route on the middlebox. IFF it's not already set to eth0, I run these commands to set the new default gateway route to eth0 (and printing the default route table shows the gateway is set to the right interface eth0 and the ip address for eth0, as expected):

# gateway address of whatever default route currently exists (the original
# pattern also required "eth0", which matches nothing when the default route
# is still on the other interface and leaves GW_IP empty)
GW_IP=`route -n | grep -E "^0\.0\.0\.0 .+UG " | awk '{print $2}'`
# OTHER_INTERFACE: the interface currently holding the default route (not eth0)
route del default $OTHER_INTERFACE
route add default gw $GW_IP eth0

/etc/dhcp/dhcpd.conf

# The next two lines are /etc/dhcpcd.conf (client daemon) syntax for the
# static address on eth1; isc-dhcp-server's dhcpd.conf does not parse them
interface eth1
static ip_address=192.168.34.1/24

authoritative;
subnet 192.168.34.0 netmask 255.255.255.0 {
  range 192.168.34.10 192.168.34.250;
  option broadcast-address 192.168.34.255;
  option routers 192.168.34.1;
  default-lease-time 600;
  max-lease-time 7200;
  option domain-name "local-network";
  option domain-name-servers DNS_SERVER_IP1, DNS_SERVER_IP2;
}

/etc/default/isc-dhcp-server

INTERFACESv4="eth1"

I'm not sure what I'm missing, but I thought this would let a "client" connected on eth1 use the same gateway and Internet connection as the middlebox does on eth0. Does anyone see what I'm missing or doing wrong?

Answer 1

I finally solved this after some tinkering and re-configuring. My initial configuration had 3 problems that kept the middlebox from working:

  1. The middlebox needs a FORWARD ACCEPT rule on the client interface, not just IPv4 packet forwarding enabled in the kernel
  2. The subnet configured for DHCP on the middlebox did not match the subnet on the client machine; the middlebox interface connected to the client and the client's interface both need to be in the same subnet
  3. The client machine also needs a default gateway route set, pointing at the subnet IP address of the middlebox interface that is connected to the client machine

Note: the middlebox has two Ethernet interfaces (eth0 connected to the router/main LAN network, eth1 connected to the client), and the client has one Ethernet interface, eth0. Also, the main LAN network is 192.168.1.0/24, and I changed the "middlebox LAN" subnet to 192.168.0.0/24.

Modified /etc/dhcp/dhcpd.conf on the middlebox

# The next two lines are /etc/dhcpcd.conf (client daemon) syntax for the
# static address on eth1; isc-dhcp-server's dhcpd.conf does not parse them
interface eth1
static ip_address=192.168.0.1

subnet 192.168.0.0 netmask 255.255.255.0 {
  # start at .2: .1 is the middlebox's own eth1 address and must not be leased
  range 192.168.0.2 192.168.0.250;
}
option broadcast-address 192.168.0.255;
# clients' default gateway is the middlebox eth1 address on their own subnet
# (see problem 3 above); the upstream gateway 192.168.1.1 is not reachable
# from 192.168.0.0/24
option routers 192.168.0.1;
default-lease-time 600;
max-lease-time 7200;
option domain-name "local-network";
option domain-name-servers 192.168.1.1;   # use router/gateway for DNS

Assuming the middlebox itself is already successfully connected to the main LAN, can reach the Internet through Ethernet interface eth0, and DNS works...

Steps to set up the middlebox

ifconfig eth1 192.168.0.1 netmask 255.255.255.0
# Confirm the default gateway is 192.168.1.1 via eth0, or add it on dev eth0 if not
# Configure NAT (masquerade) on the middlebox:
## IPv4 forwarding
sysctl -w net.ipv4.ip_forward=1
## masquerade traffic going out on eth0 so replies route back to the middlebox
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
## enable forwarding from the client interface eth1
iptables -A FORWARD -i eth1 -j ACCEPT

Steps to set up the client

ifconfig eth0 down
# same subnet but different ip address on middlebox DHCP LAN
ifconfig eth0 192.168.0.2 netmask 255.255.255.0
# set default gateway route to the ip address of the connected middlebox interface
route del -net default
route add default gw 192.168.0.1
# client DNS configuration (multiple options, I chose router DNS)
echo "nameserver 192.168.1.1" >> /etc/resolv.conf

Test steps

Check that subnet/address communication works:

  1. (from the middlebox) $ ping 192.168.0.2
  2. (from the client) $ ping 192.168.0.1
  3. (from the client) $ ping 8.8.8.8

Check that DNS resolution works:

  1. (from the client) $ ping google.com or dig google.com
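The three fixes in the answer (a FORWARD rule, one shared client subnet, and a client default route that points at the middlebox) can be turned into pre-flight checks that run before any rule is applied. The script below is an added example written for this page, not code from the question or the answer. It checks that the client subnet does not overlap the upstream LAN, that the client gateway lies inside the client subnet, and that the DHCP range cannot hand out the gateway address, and then emits a NAT ruleset that is tighter than the answer's `iptables -A FORWARD -i eth1 -j ACCEPT`: the FORWARD policy is DROP, only eth1-to-eth0 traffic from the client prefix is forwarded, only conntrack-tracked replies are allowed back, and masquerading is limited to the client prefix. Interface names and addresses are assumptions copied from the answer and can be overridden through environment variables; with DRY_RUN=1 the commands are printed instead of executed, so the checks can be tried without root.

```shell
#!/bin/sh
# Added example (not from the original post). Defaults mirror the answer's
# topology and are assumptions; override them via the environment.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
WAN_NET=${WAN_NET:-192.168.1.0/24}   # upstream LAN the middlebox sits on
LAN_NET=${LAN_NET:-192.168.0.0/24}   # client subnet served on eth1
LAN_GW=${LAN_GW:-192.168.0.1}        # middlebox address on eth1 = client default gateway
DHCP_START=${DHCP_START:-192.168.0.10}
DHCP_END=${DHCP_END:-192.168.0.250}
DRY_RUN=${DRY_RUN:-0}                # 1 = print commands instead of running them

# ip_to_int A.B.C.D -> dotted quad as an unsigned 32-bit integer
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_net  X/N -> network part as integer; cidr_mask X/N -> netmask as integer
cidr_net()  { ip_to_int "${1%/*}"; }
cidr_mask() { echo $(( (0xFFFFFFFF << (32 - ${1#*/})) & 0xFFFFFFFF )); }

# in_subnet IP CIDR : succeeds when IP lies inside CIDR
in_subnet() {
    ip=$(ip_to_int "$1"); net=$(cidr_net "$2"); mask=$(cidr_mask "$2")
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# overlap CIDR_A CIDR_B : succeeds when the two prefixes share any address
overlap() {
    a=$(cidr_net "$1"); b=$(cidr_net "$2")
    ma=$(cidr_mask "$1"); mb=$(cidr_mask "$2")
    # compare both networks under the coarser (shorter) prefix
    if [ "$ma" -lt "$mb" ]; then m=$ma; else m=$mb; fi
    [ $(( a & m )) -eq $(( b & m )) ]
}

# check_topology : the mistakes the answer lists, as pre-flight checks
check_topology() {
    if overlap "$WAN_NET" "$LAN_NET"; then
        echo "client subnet $LAN_NET overlaps upstream $WAN_NET" >&2; return 1
    fi
    if ! in_subnet "$LAN_GW" "$LAN_NET"; then
        echo "client gateway $LAN_GW is not inside $LAN_NET" >&2; return 1
    fi
    gw=$(ip_to_int "$LAN_GW"); s=$(ip_to_int "$DHCP_START"); e=$(ip_to_int "$DHCP_END")
    if [ "$gw" -ge "$s" ] && [ "$gw" -le "$e" ]; then
        echo "DHCP range $DHCP_START-$DHCP_END would lease the gateway $LAN_GW" >&2; return 1
    fi
    return 0
}

# run CMD... : execute, or just print when DRY_RUN=1
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# apply_rules : forwarding + masquerade, with FORWARD locked to the two
# interfaces, the client prefix as source, and stateful replies only
apply_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

case "${1:-}" in
    check) check_topology ;;
    apply) check_topology && apply_rules ;;
esac
```

`sh nat-middlebox.sh check` runs only the checks; `DRY_RUN=1 sh nat-middlebox.sh apply` prints the rules, and as root without DRY_RUN it applies them. The question's original combination (gateway 192.168.1.1 with subnet 192.168.0.0/24) fails the second check, and the answer's `range 192.168.0.1 192.168.0.250` fails the third. `-m conntrack --ctstate` is the current spelling of the `-m state --state` match used in the question.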
