我有一台带有 3 个以太网端口(RJ45,100 MB/s)的工业 PC。我想将其中一个指定为传入互联网连接(来自公司),将另外两个指定为专用网络。专用网络由 PLC 和 VPN 连接组成。出于安全原因,VPN 连接不应能够访问公司的网络。我的操作系统是 Debian 7.7。我已遵循此指导到目前为止。我当前的网络将使用 DNS 自动为 PC 分配一个 IP 地址,所以到目前为止一切都很好。但现在我需要指导如何实现我的目标。我之前可以 ping PLC,但 RSLinx 无法连接到它。 网络图
name address netmask network broadcast
eth1 10.1.1.69 255.255.255.0 10.1.1.1
eth2 192.168.0.1 255.255.255.0 192.168.0.0 192.168.0.255
eth3 192.168.0.2 255.255.255.0 192.168.0.1 192.168.0.256
root@pc223:/home/adam# ifconfig
eth1 Link encap:Ethernet HWaddr 00:1b:eb:45:0d:74
inet addr:10.1.1.69 Bcast:10.1.1.255 Mask:255.255.255.0
inet6 addr: fe80::21b:ebff:fe45:d74/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4643 errors:0 dropped:0 overruns:0 frame:0
TX packets:2287 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1806325 (1.7 MiB) TX bytes:222806 (217.5 KiB)
Interrupt:6
eth2 Link encap:Ethernet HWaddr 00:1b:eb:46:9f:26
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::21b:ebff:fe46:9f26/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10 errors:0 dropped:0 overruns:0 frame:0
TX packets:90 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:640 (640.0 B) TX bytes:14136 (13.8 KiB)
Interrupt:11 Base address:0xdd00
eth3 Link encap:Ethernet HWaddr 00:1b:eb:46:9f:25
inet addr:192.168.1.1 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:11 Base address:0xdc00
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:622 errors:0 dropped:0 overruns:0 frame:0
TX packets:622 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:108090 (105.5 KiB) TX bytes:108090 (105.5 KiB)
root@pc223:/home/adam# ip ro show
default via 10.1.1.1 dev eth1
10.1.1.0/24 dev eth1 proto kernel scope link src 10.1.1.69
192.168.0.0/24 dev eth2 proto kernel scope link src 192.168.0.1
192.168.1.0/24 dev eth3 proto kernel scope link src 192.168.1.1
root@pc223:/home/adam# iptables-save
# Generated by iptables-save v1.4.14 on Fri Aug 8 04:03:12 2008
*filter
:INPUT ACCEPT [4384:1816840]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2926:303271]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Fri Aug 8 04:03:12 2008
#iptables.rules
# NOTE(review): this file mixes iptables-restore syntax (*table / COMMIT / -A ...)
# with plain shell (the `echo` line near the end). iptables-restore only reads
# the former; the shell line and the `-t nat` rule further down belong in the
# script that loads this file, not in the file itself.
*nat
# Port-forward from the company-facing interface (eth1) into the PLC network.
# This exposes TCP/50000 on 192.168.0.3 to anything that can reach eth1; the
# current FORWARD policy is ACCEPT (see iptables-save output), so nothing else
# gates it -- confirm that is intended.
-A PREROUTING -i eth1 -p tcp -m tcp --dport 50000 -j DNAT --to-destination 192.168.0.3:50000
# Source-NAT traffic leaving towards the company network (eth1 carries the default route).
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# NOTE(review): the rules below have no `*filter` header (it is commented out
# near the end of the file) and no closing COMMIT; iptables-restore needs both
# or the whole load fails.
# Always accept loopback traffic
-A INPUT -i lo -j ACCEPT
# Allow established connections, and those not coming from the outside
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# NOTE(review): `-i ! eth2` is the legacy inversion syntax (modern form: `! -i eth2`).
# As written it accepts NEW connections arriving on every interface except eth2,
# i.e. from the company side (eth1) and the VPN side (eth3) -- the opposite of
# the comment above. With the INPUT policy currently at ACCEPT this rule changes
# nothing; it only becomes meaningful once the policy is DROP.
-A INPUT -m state --state NEW -i ! eth2 -j ACCEPT
# Replies for connections initiated from the eth2 (PLC) side towards eth1.
-A FORWARD -i eth2 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections from the LAN side.
# NOTE(review): this matches eth1 -> eth2, i.e. new connections from the company
# network INTO the PLC network, while the rule above only passes eth2 -> eth1
# replies. If eth2 is the "LAN side", the interface pairs in these two rules
# appear to be swapped.
-A FORWARD -i eth1 -o eth2 -j ACCEPT
# Masquerade.
# NOTE(review): `-t` cannot be used inside an iptables-restore file; and this
# rule masquerades out of eth2 (PLC side), which contradicts the `-o eth1`
# POSTROUTING rule already declared in the *nat section.
-t nat -A POSTROUTING -o eth2 -j MASQUERADE
# Don't forward from the outside to the inside.
# NOTE(review): this rule matches traffic that both enters and leaves on eth2,
# which is not "outside to inside". eth3 (the VPN network) is never mentioned in
# this file, so the stated requirement that VPN clients must not reach the
# company network is not enforced: with FORWARD policy ACCEPT and ip_forward on,
# eth3 -> eth1 would be forwarded. A defensive rule such as
# `-A FORWARD -i eth3 -o eth1 -j DROP` (better: `:FORWARD DROP [0:0]` with
# explicit ACCEPTs for eth2/eth3 -> eth1 reply traffic) would close that gap.
-A FORWARD -i eth2 -o eth2 -j REJECT
# Enable routing.
# NOTE(review): a shell command cannot live in an iptables-restore file; set
# net.ipv4.ip_forward=1 in /etc/sysctl.conf (persistent) or run this line from
# the script that calls iptables-restore.
echo 1 > /proc/sys/net/ipv4/ip_forward
# debian router/gateway in 15 minutes (online guide)
# NOTE(review): the commented-out block below is the guide's filter section;
# `*filter` is the table header the live rules above are missing.
#*filter
#-A INPUT -i lo -j ACCEPT
#-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#-A INPUT -i eth1 -p tcp -m tcp --dport 222 -j ACCEPT
#-A INPUT -i eth1 -j DROP
#update rules
# iptables-restore </etc/iptables.rules
任何帮助都将不胜感激,谢谢。
答案1
- 每个接口的 IP 子网范围必须是唯一的。eth2 和 eth3 应该位于不同的子网上,例如 192.168.0.1/24 作为 eth2 上的地址,192.168.1.1/24 作为 eth3 上的地址。
- 对于 /24 子网,eth3 上的广播地址应以 255 结尾。
- 验证 `ip_forward` sysctl 是否已启用。
- 这可能会有帮助:验证是否有适当的 `iptables -L FORWARD` 规则来允许接口之间的互连。
- 验证 eth3 网络上的 PLC 是否使用 eth3 的地址作为默认路由。