我需要在物理层上配置启用 DHCP 的网络 (192.168.2.),其中包含具有静态 IP 的现有网络 (192.168.1.)。我有一个带有两个接口的 Debian 7 服务器(服务器和接口都是虚拟的),我想将 ip 设置为我的网络的网关。我使用 eth0 将数据包路由到原始网络(访问 192.168.1.5 的互联网网关),使用 eth1 处理来自/到我的网络的流量。
如果配置
eth0 Link encap:Ethernet HWaddr 00:0c:29:d4:02:1b
inet addr:192.168.1.110 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fed4:21b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:21668983 errors:0 dropped:0 overruns:0 frame:0
TX packets:10044848 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:10931368249 (10.1 GiB) TX bytes:2383839079 (2.2 GiB)
eth1 Link encap:Ethernet HWaddr 00:0c:29:d4:02:25
inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fed4:225/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14113604 errors:0 dropped:0 overruns:0 frame:0
TX packets:11269734 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1871598524 (1.7 GiB) TX bytes:10331981618 (9.6 GiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8158 errors:0 dropped:0 overruns:0 frame:0
TX packets:8158 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:629690 (614.9 KiB) TX bytes:629690 (614.9 KiB)
路线
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.1.5 0.0.0.0 UG 0 0 0 eth0
localnet * 255.255.255.0 U 0 0 0 eth0
192.168.2.0 * 255.255.255.0 U 0 0 0 eth1
iptables-vL
Chain INPUT (policy ACCEPT 5603K packets, 822M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 138K packets, 8597K bytes)
pkts bytes target prot opt in out source destination
14M 9542M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
398K 27M ACCEPT all -- eth1 any anywhere anywhere
Chain OUTPUT (policy ACCEPT 2915K packets, 1432M bytes)
pkts bytes target prot opt in out source destination
iptables-tnat-vL
Chain PREROUTING (policy ACCEPT 607K packets, 49M bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 112K packets, 17M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 6893 packets, 977K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 2391 packets, 374K bytes)
pkts bytes target prot opt in out source destination
363K 24M MASQUERADE all -- any eth0 anywhere anywhere
之后我在 eth1 上启用了权威 DHCP 服务器。
现在的问题是:与服务器的连接始终正常工作(我在那里有一个 samba 共享和一个 MySQL 服务器),但有时(似乎是随机的)客户端(主要是 Windows 7 或 XP)在一段可变的时间内无法连接到互联网。在这种情况下,我可以 ping 到 192.168.1.110,但不能 ping 到 192.168.1.5。
附录
FORWARD 链丢弃数据包的事实似乎很可疑,因此我暂时禁用了该过滤:
iptables -A FORWARD -j ACCEPT
有了这个新规则,一切就都正常了。但我仍然需要澄清到底发生了什么......
附录2
这些是实际的 iptables 规则:
iptables-保存
# Generated by iptables-save v1.4.14 on Fri Jun 27 20:53:32 2014
*mangle
:PREROUTING ACCEPT [28129147:14012989399]
:INPUT ACCEPT [8479051:1218948772]
:FORWARD ACCEPT [19639349:12792010625]
:OUTPUT ACCEPT [4434912:3183821941]
:POSTROUTING ACCEPT [23940877:15968783924]
COMMIT
# Completed on Fri Jun 27 20:53:32 2014
# Generated by iptables-save v1.4.14 on Fri Jun 27 20:53:32 2014
*nat
:PREROUTING ACCEPT [931027:74896097]
:INPUT ACCEPT [153578:23398245]
:OUTPUT ACCEPT [9169:1292388]
:POSTROUTING ACCEPT [3186:492868]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Jun 27 20:53:32 2014
# Generated by iptables-save v1.4.14 on Fri Jun 27 20:53:32 2014
*filter
:INPUT ACCEPT [2415796:331288771]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1218435:1654003511]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT
# Completed on Fri Jun 27 20:53:32 2014
答案1
为了帮助您诊断数据包流经 iptables 链的位置,您可以使用 -j LOG 参数,最后使用 --log-prefix“一些文本来轻松识别 kern.log 或 syslog 中的日志”您可以让默认的 Accept 策略和在启用日志记录的 FORWARD 链末尾添加拒绝所有规则,以便您可以更好地了解正在丢弃的数据包类型。
你可能会看一下这个原理图http://www.linuxnetmag.com/share/issue9/iptables3.jpg,它显示了 iptables 链内数据包的基本流向。
拥有您定义的完整 iptable 规则来给出更好的答案将会很有趣。