Debian secure network

I have an industrial PC with 3 Ethernet ports (RJ45, 100 MB/s). I want to designate one of them for the incoming internet connection (from the company) and the other two for private networks. The private network consists of PLCs and VPN connections. For security reasons the VPN connections must not be able to reach the company's network. My OS is Debian 7.7. I have followed this guide so far. My current network assigns the PC an IP address automatically using DNS, so everything is fine up to this point. But now I need guidance on how to achieve my goal. I could previously ping the PLC, but RSLinx could not connect to it.

[Network diagram]

name    address        netmask          network        broadcast
eth1    10.1.1.69      255.255.255.0    10.1.1.1
eth2    192.168.0.1    255.255.255.0    192.168.0.0    192.168.0.255
eth3    192.168.0.2    255.255.255.0    192.168.0.1    192.168.0.256

root@pc223:/home/adam# ifconfig
eth1      Link encap:Ethernet  HWaddr 00:1b:eb:45:0d:74  
          inet addr:10.1.1.69  Bcast:10.1.1.255  Mask:255.255.255.0
          inet6 addr: fe80::21b:ebff:fe45:d74/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4643 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2287 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1806325 (1.7 MiB)  TX bytes:222806 (217.5 KiB)
          Interrupt:6 

eth2      Link encap:Ethernet  HWaddr 00:1b:eb:46:9f:26  
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::21b:ebff:fe46:9f26/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10 errors:0 dropped:0 overruns:0 frame:0
          TX packets:90 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:640 (640.0 B)  TX bytes:14136 (13.8 KiB)
          Interrupt:11 Base address:0xdd00 

eth3      Link encap:Ethernet  HWaddr 00:1b:eb:46:9f:25  
          inet addr:192.168.1.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:11 Base address:0xdc00 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:622 errors:0 dropped:0 overruns:0 frame:0
          TX packets:622 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:108090 (105.5 KiB)  TX bytes:108090 (105.5 KiB)

root@pc223:/home/adam# ip ro show
default via 10.1.1.1 dev eth1 
10.1.1.0/24 dev eth1  proto kernel  scope link  src 10.1.1.69 
192.168.0.0/24 dev eth2  proto kernel  scope link  src 192.168.0.1 
192.168.1.0/24 dev eth3  proto kernel  scope link  src 192.168.1.1 

root@pc223:/home/adam# iptables-save
# Generated by iptables-save v1.4.14 on Fri Aug  8 04:03:12 2008
*filter
:INPUT ACCEPT [4384:1816840]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2926:303271]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Fri Aug  8 04:03:12 2008

#iptables.rules  (iptables-restore format: table headers, rules and COMMIT only;
# "-t nat" flags and shell commands are not valid inside this file)
*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 50000 -j DNAT --to-destination 192.168.0.3:50000
-A POSTROUTING -o eth1 -j MASQUERADE
# Masquerade (was written as "-t nat -A POSTROUTING ..." among the filter rules; it belongs in the nat table).
-A POSTROUTING -o eth2 -j MASQUERADE
COMMIT

*filter
# Always accept loopback traffic
-A INPUT -i lo -j ACCEPT

# Allow established connections, and those not coming from the outside
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW ! -i eth2 -j ACCEPT
-A FORWARD -i eth2 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
-A FORWARD -i eth1 -o eth2 -j ACCEPT

# Don't forward from the outside to the inside.
-A FORWARD -i eth2 -o eth2 -j REJECT
COMMIT

# Enable routing (a shell command: run it from the shell or /etc/rc.local, not from this file).
# echo 1 > /proc/sys/net/ipv4/ip_forward


# debian router/gateway in 15 minutes (online guide)
#*filter
#-A INPUT -i lo -j ACCEPT
#-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#-A INPUT -i eth1 -p tcp -m tcp --dport 222 -j ACCEPT
#-A INPUT -i eth1 -j DROP

#update rules
# iptables-restore </etc/iptables.rules

Any help would be greatly appreciated, thanks.

Answer 1

  1. The IP subnet range of each interface must be unique. eth2 and eth3 should be on different subnets, e.g. 192.168.0.1/24 as the address on eth2 and 192.168.1.1/24 as the address on eth3.
  2. For a /24 subnet, the broadcast address on eth3 should end in 255.
  3. Verify that the ip_forward sysctl is enabled. This may help.
  4. Verify that there are appropriate iptables -L FORWARD rules to allow interconnection between the interfaces.
  5. Verify that the PLC on the eth3 network uses the eth3 address as its default route.
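
The five checks above as one script, an added example that is not code from the question or from the answer. It computes the network and broadcast address of each private interface with shell arithmetic (so the overlapping subnets and the 192.168.0.256 broadcast from the question's table cannot recur), writes /etc/network/interfaces stanzas, an iptables-restore file whose FORWARD chain lets the PLC side out through eth1, keeps the question's DNAT of TCP 50000 to 192.168.0.3, and rejects anything from the VPN side towards eth1, plus a sysctl fragment for ip_forward. Interface names and addresses come from the question; that the VPN side (eth3) may reach the PLC side (eth2), the output directory and the "apply" step are assumptions.

```shell
#!/bin/sh
# Added example (not from the question or the answer): generate, and on request
# apply, the Debian 7 configuration the answer's checklist describes.
# Assumed: the VPN side (eth3) may reach the PLC side (eth2); OUT is where the
# generated files go; "apply" is run as root on the router itself.
set -eu

WAN=eth1                  # corporate uplink, DHCP as in the question
PLC_IF=eth2;  PLC_GW=192.168.0.1
VPN_IF=eth3;  VPN_GW=192.168.1.1   # a different /24 from the PLC side (item 1)
MASK=255.255.255.0
PLC_HOST=192.168.0.3      # target of the question's DNAT for TCP 50000
OUT=${OUT:-${TMPDIR:-/tmp}/netcfg}

# net_of ADDR MASK -> network address; bcast_of ADDR MASK -> broadcast address.
# Pure POSIX shell arithmetic on the four octets (items 1 and 2).
net_of() {
    set -- $(printf '%s %s' "$1" "$2" | tr . ' ')
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
}
bcast_of() {
    set -- $(printf '%s %s' "$1" "$2" | tr . ' ')
    echo "$(($1 | (255 - $5))).$(($2 | (255 - $6))).$(($3 | (255 - $7))).$(($4 | (255 - $8)))"
}

# Item 1 as a check: the two private interfaces must not share a subnet.
check_subnets() {
    [ "$(net_of "$PLC_GW" "$MASK")" != "$(net_of "$VPN_GW" "$MASK")" ]
}

# /etc/network/interfaces stanzas with computed network/broadcast (item 2).
# Hosts on each side must use the matching gateway address as default route (item 5).
gen_interfaces() {
    cat <<EOF
auto $WAN
iface $WAN inet dhcp

auto $PLC_IF
iface $PLC_IF inet static
    address $PLC_GW
    netmask $MASK
    network $(net_of "$PLC_GW" "$MASK")
    broadcast $(bcast_of "$PLC_GW" "$MASK")

auto $VPN_IF
iface $VPN_IF inet static
    address $VPN_GW
    netmask $MASK
    network $(net_of "$VPN_GW" "$MASK")
    broadcast $(bcast_of "$VPN_GW" "$MASK")
EOF
}

# iptables-restore file (item 4). FORWARD policy is DROP: the PLC side may go
# out via the uplink, the uplink reaches the PLC only through the DNAT, the VPN
# side may reach the PLCs and is explicitly rejected towards the corporate net.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN -p tcp --dport 50000 -j DNAT --to-destination $PLC_HOST:50000
-A POSTROUTING -s $(net_of "$PLC_GW" "$MASK")/24 -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT ! -i $WAN -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $PLC_IF -o $WAN -j ACCEPT
-A FORWARD -i $WAN -o $PLC_IF -p tcp -d $PLC_HOST --dport 50000 -j ACCEPT
-A FORWARD -i $VPN_IF -o $PLC_IF -j ACCEPT
-A FORWARD -i $VPN_IF -o $WAN -j REJECT --reject-with icmp-admin-prohibited
COMMIT
EOF
}

# Item 3: make forwarding persistent across reboots.
gen_sysctl() { echo 'net.ipv4.ip_forward = 1'; }

main() {
    check_subnets || { echo "$PLC_IF and $VPN_IF share a subnet" >&2; exit 1; }
    mkdir -p "$OUT"
    gen_interfaces > "$OUT/interfaces"
    gen_rules      > "$OUT/iptables.rules"
    gen_sysctl     > "$OUT/ip_forward.conf"
    if [ "${1:-gen}" = apply ]; then
        cp "$OUT/ip_forward.conf" /etc/sysctl.d/ip_forward.conf
        sysctl -w net.ipv4.ip_forward=1
        iptables-restore < "$OUT/iptables.rules"
        echo "merge $OUT/interfaces into /etc/network/interfaces, then ifdown/ifup $PLC_IF $VPN_IF" >&2
    fi
}
main "$@"
```

Run without arguments to only generate the files and inspect them; `sh script.sh apply` loads the rules and enables forwarding on the router. The VPN-to-uplink REJECT is kept even though the FORWARD policy is already DROP, so a later rule that accidentally widens forwarding still cannot open that path by accident, and so that VPN clients get an immediate ICMP error instead of a timeout. After `ifdown`/`ifup`, `ip route show` should list 192.168.0.0/24 on eth2 and 192.168.1.0/24 on eth3, and the PLC's default gateway must be 192.168.0.1.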
