I am setting up a firewall on Arch Linux for a school. It will stream each class's video to students at home, so I need a strong and secure connection, which is why I am considering bonding several connections to increase the stability and bandwidth of the stream. I have a TP-Link TL-SG1016PE and it does not support IEEE 802.3ad dynamic link aggregation, so I chose to set the bonding mode to balance-tlb.
All of this is new to me, so if there is something wrong with my plan, please let me know.
My physical configuration is as follows:
ETH           => |             |                             | => *COMPUTER 1
WIFI          => | MY FIREWALL | => BONDING => MY SWITCH => | => *COMPUTER 2
*n TETHERED      |             |                             | => *COMPUTER 3, etc
PHONES TO USB => |             |
Following these instructions, https://wiki.archlinux.org/index.php/Simple_stateful_firewall, plus a few others, I have set up a stateful firewall that lets me share the connection with the local network, and it works perfectly with iptables, port forwarding and dnsmasq.
Here is the output of ip a when connection forwarding is working correctly:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s20u1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 36:cd:92:83:53:c0 brd ff:ff:ff:ff:ff:ff
3: enp0s20u4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 42:4b:12:8f:33:9d brd ff:ff:ff:ff:ff:ff
4: home0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:e8:a6:68:6b:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.0/24 scope global home0
       valid_lft forever preferred_lft forever
    inet6 fe80::2e8:a6ff:fe68:6b00/64 scope link
       valid_lft forever preferred_lft forever
5: net0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:e8:a6:68:6b:01 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.35/24 brd 192.168.0.255 scope global dynamic noprefixroute net0
       valid_lft 42678sec preferred_lft 37278sec
    inet6 2a01:e0a:258:c2d0:c55f:7102:5bea:a7a1/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 86391sec preferred_lft 86391sec
    inet6 fe80::a304:76bf:a944:3a76/64 scope link
       valid_lft forever preferred_lft forever
6: wifi0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 70:77:81:69:5f:1d brd ff:ff:ff:ff:ff:ff
    inet6 fe80::7277:81ff:fe69:5f1d/64 scope link
       valid_lft forever preferred_lft forever
My iptables.conf (ip6tables.conf is the same, except that the IP addresses are in IPv6 format). I need the multiport lines so that the WebRTC protocol runs seamlessly:
# Generated by iptables-save v1.8.4 on Fri Jul 31 01:49:07 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o net0 -j MASQUERADE
COMMIT
# Completed on Fri Jul 31 01:49:07 2020
# Generated by iptables-save v1.8.4 on Fri Jul 31 01:49:07 2020
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
:fw-interfaces - [0:0]
:fw-open - [0:0]
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m multiport --dports 3478,5349,8443,8888,19305,19307 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m multiport --dports 3478,5349,8443,8888,19305,19307 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 49152:65535 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 49152:65535 -j ACCEPT
-A INPUT -i net0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j fw-interfaces
-A FORWARD -j fw-open
-A FORWARD -j REJECT --reject-with icmp-host-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -p tcp -m tcp --dport 53 -j ACCEPT
-A TCP -p tcp -m multiport --dports 3478,5349,8443,8888,19305,19307 -j ACCEPT
-A TCP -p tcp -m tcp --dport 49152:65535 -j ACCEPT
-A UDP -p udp -m multiport --dports 3478,5349,8443,8888,19305,19307 -j ACCEPT
-A UDP -p udp -m udp --dport 49152:65535 -j ACCEPT
-A UDP -p udp -m udp --dport 53 -j ACCEPT
-A fw-interfaces -i home0 -j ACCEPT
COMMIT
# Completed on Fri Jul 31 01:49:07 2020
And the contents of the dnsmasq configuration file:
interface=home0
dhcp-range=192.168.1.10,192.168.1.250,12h
dhcp-option=6,10.202.0.1,1.1.1.1
So, as I said before, I am using the netctl method from https://wiki.archlinux.org/index.php/Netctl#Bonding and it seems to work fine; with 2 phones, Ethernet and wifi I get the following output:
$ cat /proc/net/bonding/bond0
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)
Bonding Mode: transmit load balancing
Primary Slave: None
Currently Active Slave: enp0s20u1
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0
Peer Notification Delay (ms): 0
Slave Interface: net0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:e8:a6:68:6b:01
Slave queue ID: 0
Slave Interface: wifi0
MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 0
Permanent HW addr: 70:77:81:69:5f:1d
Slave queue ID: 0
Slave Interface: enp0s20u1
MII Status: up
Speed: Unknown
Duplex: Unknown
Link Failure Count: 0
Permanent HW addr: 36:cd:92:83:53:c0
Slave queue ID: 0
Slave Interface: enp0s20u4
MII Status: up
Speed: Unknown
Duplex: Unknown
Link Failure Count: 0
Permanent HW addr: 42:4b:12:8f:33:9d
Slave queue ID: 0
So I want to forward this bond0 connection to my home network, and I tried three simple things to make it work:
- First, I tried replacing every mention of net0 in iptables with bond0, without success,
- I also tried adding
-A INPUT -i net0 -p udp -m udp --dport 67 -j ACCEPT
to my iptables.conf file; that did not work either,
- Finally I tried... simply changing the name of the output interface that works in my connection forwarding setup: I renamed it "internet0" and gave my bond connection the previously working output name "net0". Yes, that sounds stupid... well, surprisingly it did not work either...
My questions are:
- Is bonding mode 5 useful for my classroom streaming project? The description in the documentation seems to match my concern: outgoing traffic is distributed according to the current load (computed relative to the speed) on each slave. Looks great.
- If the answer to the first question is "yes", how do I properly forward the connection to the bonding interface?
Well, I hope everything is clear; if not, please let me know what is missing to help you help me :-)
Have a nice day,
Peace,
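As an added example, not part of the post above and not the Arch wiki's code: a small Python audit that parses an iptables-save dump and reports whether the MASQUERADE and FORWARD rules name the uplink interface you intend to use (net0 versus bond0), and which INPUT rules accept every NEW tcp/udp connection regardless of source, interface or port. SAMPLE is a constructed, trimmed copy of the post's ruleset; the function names are my own.

```python
# Added example (not from the post): audit an iptables-save dump for the
# pieces a LAN->WAN gateway needs and for INPUT rules that accept all NEW
# tcp/udp traffic. SAMPLE is a constructed, trimmed copy of the post's ruleset.
import re

SAMPLE = """\
*nat
-A POSTROUTING -s 192.168.1.0/24 -o net0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j fw-interfaces
-A FORWARD -j REJECT --reject-with icmp-host-unreachable
-A fw-interfaces -i home0 -j ACCEPT
COMMIT
"""

def parse_rules(dump):
    # Collect (table, rule) pairs for every -A line, tracking the *table headers
    table, rules = None, []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A ") and table:
            rules.append((table, line))
    return rules

def audit(dump, lan_if, wan_if, lan_net):
    """Check the dump against the uplink you intend to use (e.g. net0 vs bond0)."""
    rules = parse_rules(dump)
    masq = any(t == "nat" and r.startswith("-A POSTROUTING") and f"-s {lan_net}" in r
               and f"-o {wan_if}" in r and r.endswith("-j MASQUERADE") for t, r in rules)
    # New LAN traffic must be accepted in FORWARD itself or in a chain it jumps to
    fwd = any(t == "filter" and r.startswith(("-A FORWARD", "-A fw-interfaces"))
              and f"-i {lan_if}" in r and r.endswith("-j ACCEPT") for t, r in rules)
    # INPUT rules accepting NEW tcp/udp with no source, interface or port limit
    # make the DROP policy moot: the host accepts every inbound connection.
    open_input = [r for t, r in rules
                  if t == "filter" and r.startswith("-A INPUT") and "--ctstate NEW" in r
                  and r.endswith("-j ACCEPT") and re.search(r"-p (tcp|udp)\b", r)
                  and not re.search(r"(--dports? |-s |-i )", r)]
    return {"masquerade_ok": masq, "forward_ok": fwd, "open_input": open_input}
```

Running audit(SAMPLE, "home0", "bond0", "192.168.1.0/24") shows that swapping the uplink to bond0 leaves the nat table still masquerading out of net0, while the two unrestricted INPUT rules are reported for either uplink.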