So, I've been trying for a long time to set my server up as the front-end router for my local network. The reason is that my server downloads a lot of multimedia and the current router simply isn't up to it. I don't want to buy a new router, since the ones that might be good enough are quite expensive. Fortunately, I've seen some setups where the server itself works as the router.
My new setup would look like this:
WAN - ISP -|-> My server -> Home router -> Local computer 1
^ Local computer 2
'- possibly a switch ...
I searched around and was lucky enough to find this tutorial, which describes exactly the same setup: an OpenSUSE server used as a router. However, I noticed that the tutorial is a bit off, mainly because a different version of YaST is installed on my server.
Still, I did my best to follow it, using lower-level commands (the terminal) to do the same things. It took a while, but I think the result is the same.
Unfortunately, it doesn't work.
Here is what I have achieved so far:
- Two network cards, one onboard and one a PCI device, running on /dev/eth0 (onboard, internal) and /dev/eth1 (PCI, external) respectively.
- eth1 is set to DHCP and easily gets an IP address from the ISP (I have a static IP address, so it is always the same one) and connects. This definitely works, because I can use the internet on the server itself.
- eth0 is set to the static IP 192.168.0.1.
- DHCP server running on eth0 - works fine, the connected computers get IP addresses even with the DHCP server on the router turned off.
Obviously the DHCP servers can't all be working properly right now. I'm using the ISC DHCP server, but I'm not sure it's the best choice.
The last part I need is to somehow bridge or connect the two cards, so that I can reach the internet over eth1 from the computers connected to eth0 (through the router). In the tutorial this is done simply with "masquerading", or allowing the internal zone (eth0) to access the internet through the external zone (eth1). Apparently this part is the same in both versions of YaST (mine and the one in the tutorial). But I think it doesn't work. I tried setting it up with YaST, then I used the terminal, but it made no difference.
I guess the masquerading itself might work, but the computers can't connect properly? Or the masquerading is what's wrong. Anyway, using ping, I can ping 192.168.0.1 and the response is very fast and successful.
What am I doing wrong? Feel free to ask questions (most likely I forgot something), I'll be happy to answer...
iptables -L:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state ESTABLISHED
ACCEPT icmp -- anywhere anywhere state RELATED
input_int all -- anywhere anywhere
input_ext all -- anywhere anywhere
input_int all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
forward_int all -- anywhere anywhere
forward_ext all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '
Chain forward_ext (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp redirect
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere PKTTYPE = multicast
DROP all -- anywhere anywhere PKTTYPE = broadcast
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
DROP all -- anywhere anywhere
Chain forward_int (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp redirect
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
DROP all -- anywhere anywhere PKTTYPE = multicast
DROP all -- anywhere anywhere PKTTYPE = broadcast
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
reject_func all -- anywhere anywhere
Chain input_ext (1 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp echo-request
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ftp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:lm-x flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:lm-x
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:http flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT udp -- anywhere anywhere udp dpt:lm-x
LOG tcp -- 192.168.0.1 anywhere tcp spt:lm-x dpt:lm-x state NEW limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC '
ACCEPT tcp -- 192.168.0.1 anywhere tcp spt:lm-x dpt:lm-x
DROP all -- anywhere anywhere PKTTYPE = multicast
DROP all -- anywhere anywhere PKTTYPE = broadcast
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
DROP all -- anywhere anywhere
Chain input_int (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain reject_func (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
iptables -t nat -L:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DHCP server configuration:
authoritative;
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.100 192.168.0.200;
option ip-forwarding on;
default-lease-time 7200;
max-lease-time 86400;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.0.255;
option routers 192.168.0.1;
option domain-name "domain-local.sk"; # I really don't know what I should put here.
option domain-name-servers 192.168.0.1;
}
Answer 1
Maybe you just need to enable IPv4 forwarding (routing) like this:
echo 1 > /proc/sys/net/ipv4/ip_forward
(The default is 0. I set up Debian as a firewall 2 days ago and this helped ;))
Edit
This script saves and then removes all entries in iptables and sets up a basic configuration for masquerading from the internal network.
#!/bin/bash
# saving old iptables-configuration
iptables-save > /home/xxusernamexx/iptables-saved.out
# delete all existing rules and chains
iptables -F
iptables -t nat -F
iptables -X
iptables -Z
iptables -t nat -Z
# setting up masquerade on the external (ISP) interface
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# forwarding for answer-packets from the internet
iptables -A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# forwarding for everything going out to the internet
iptables -A FORWARD -o eth1 -j ACCEPT
iptables -A FORWARD -j LOG --log-ip-options --log-prefix fwd-drop
iptables -A FORWARD -j DROP
# incoming connections to the server itself
iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 80 -j ACCEPT # for your webserver
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # edited
# remove the following line if you do not want to allow ping from external
iptables -A INPUT -p icmp --icmp-type 8 -i eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# allowing loopback and internal connections
iptables -A INPUT -i eth0 -j ACCEPT # for connections from lan-nic
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -j LOG --log-ip-options --log-prefix io-drop
iptables -A INPUT -j DROP
iptables -A OUTPUT -j ACCEPT # edited
iptables -A OUTPUT -p icmp --icmp-type 0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -j LOG --log-ip-options --log-prefix io-drop
iptables -A OUTPUT -j DROP
# just to make sure that routing is enabled
echo 1 > /proc/sys/net/ipv4/ip_forward
Try this script. I can't really test it, since my eth1-eth0 interfaces are used in a different way, but I wrote it based on my own configuration. For safety, the script exports your current iptables configuration to your home folder. It can be restored with iptables-restore < filename
Edit: added iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT and removed -m state --state RELATED,ESTABLISHED from the first rule of OUTPUT, to allow the server to establish its own connections in each network (i.e. to query DNS servers)
Edit 2: The problem is solved. There were several configuration errors:
iptables: we had to modify the script a little to make it fully work (also edited in my answer).
DHCP: dhcpd was configured to use "192.168.0.1" as the DNS server. But that server was not running a DNS server. We configured it to use the ISP's DNS servers.
Router: the server was plugged into the router's WAN port. That way the router sent the clients' packets to the server multiple times (and back to the server again). Aurel plugged it into a LAN port and then it worked.
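A consistency check for the three causes listed in Edit 2 (forwarding off, no MASQUERADE bound to the WAN interface, dhcpd handing out the router as DNS while nothing listens on port 53). This is an added example, not code from the question or the answer; eth1, 192.168.0.1 and the 192.168.0.0/24 subnet come from the question, while the /etc/dhcpd.conf path and the placeholder ISP resolver addresses are assumptions.

```shell
#!/bin/bash
# Added example (not from the question or answer): checks for the three causes in
# Edit 2. eth1 (WAN) and 192.168.0.1 (LAN) are from the question; the dhcpd.conf
# path is an assumption. Run with --live as root; otherwise only functions load.
WAN_IF="${WAN_IF:-eth1}"
LAN_IP="${LAN_IP:-192.168.0.1}"
DHCPD_CONF="${DHCPD_CONF:-/etc/dhcpd.conf}"
# Constructed samples: the question's dhcpd.conf (DNS = the router itself) and
# the Edit 2 fix with placeholder ISP resolver addresses
SAMPLE_DHCPD_CONF='subnet 192.168.0.0 netmask 255.255.255.0 {
  option routers 192.168.0.1;
  option domain-name-servers 192.168.0.1;
}'
SAMPLE_FIXED_CONF='  option domain-name-servers 203.0.113.53, 203.0.113.54;'
# VALUE is the content of /proc/sys/net/ipv4/ip_forward
forwarding_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# RULES is iptables-save output; requires MASQUERADE bound to IFACE (-o), as in
# the answer's script, not the interface-less rule in the question's nat table
masquerade_on_wan() {
    printf '%s\n' "$1" | grep -Eq -e "^-A POSTROUTING .*-o $2 .*-j MASQUERADE"
}

# prints the comma-separated "option domain-name-servers" list from CONF
dhcp_dns_servers() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*option domain-name-servers[[:space:]]*\([^;]*\);.*/\1/p' \
      | tr -d ' '
}

# succeeds if dhcpd hands out IP ($2) as a DNS server
dns_points_to_router() {
    dhcp_dns_servers "$1" | tr ',' '\n' | grep -qxF -e "$2"
}

run_live_checks() {
    rc=0
    forwarding_enabled "$(cat /proc/sys/net/ipv4/ip_forward)" \
      || { echo "FAIL: ip_forward is 0 (echo 1 > /proc/sys/net/ipv4/ip_forward)"; rc=1; }
    masquerade_on_wan "$(iptables-save -t nat)" "$WAN_IF" \
      || { echo "FAIL: no 'POSTROUTING -o $WAN_IF -j MASQUERADE' rule in nat table"; rc=1; }
    if dns_points_to_router "$(cat "$DHCPD_CONF")" "$LAN_IP" && ! ss -lnu | grep -q ':53 '; then
        echo "FAIL: dhcpd hands out $LAN_IP as DNS but nothing listens on UDP/53"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: forwarding, masquerade and DHCP DNS are consistent"
    return "$rc"
}
if [ "${1:-}" = "--live" ]; then run_live_checks; fi
```

Note that the option ip-forwarding on line in the question's dhcpd.conf is a DHCP option delivered to clients; it does not enable forwarding on the router, which is what the ip_forward check above covers.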