Test environment: three virtual machines are set up:
Machine A uses bridged mode: hostname demo, IP address 192.168.0.106
Machine B has two NICs: hostname rhel64-64bit; bridged NIC address 192.168.0.101,
host-only NIC address 192.168.220.131
Machine C uses host-only mode: hostname yaya, IP address 192.168.220.130
On machine A, the gateway for reaching the 192.168.220.0/24 network is B's bridged NIC address:
[root@demo instance]# route add -net 192.168.220.0/24 gw 192.168.0.101
[root@demo instance]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.220.0 192.168.0.101 255.255.255.0 UG 0 0 0 eth0
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth0
Enable IP forwarding on machine B:
[root@rhel64-64bit rules.d]# cat /etc/sysctl.conf|grep forward
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
On machine C, change the default gateway to B's host-only NIC address:
[root@yaya init.d]# route add default gw 192.168.220.131
[root@yaya init.d]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.220.0 0.0.0.0 255.255.255.0 U 1 0 0 eth1
0.0.0.0 192.168.220.131 0.0.0.0 UG 0 0 0 eth1
Now A and C can communicate:
[root@demo instance]# ping 192.168.220.130
PING 192.168.220.130 (192.168.220.130) 56(84) bytes of data.
64 bytes from 192.168.220.130: icmp_seq=1 ttl=63 time=2.42 ms
64 bytes from 192.168.220.130: icmp_seq=2 ttl=63 time=0.634 ms
[root@yaya init.d]# ping 192.168.0.106
PING 192.168.0.106 (192.168.0.106) 56(84) bytes of data.
64 bytes from 192.168.0.106: icmp_seq=1 ttl=63 time=0.585 ms
64 bytes from 192.168.0.106: icmp_seq=2 ttl=63 time=0.648 ms
1. Modify the FORWARD chain rules in B's filter table to test B as a firewall between the two networks that A and C sit on:
iptables -A FORWARD -j REJECT
Now A and C can no longer communicate:
[root@demo instance]# ping 192.168.220.130
PING 192.168.220.130 (192.168.220.130) 56(84) bytes of data.
From 192.168.0.101 icmp_seq=1 Destination Port Unreachable
From 192.168.0.101 icmp_seq=2 Destination Port Unreachable
[root@yaya init.d]# ping 192.168.0.106
PING 192.168.0.106 (192.168.0.106) 56(84) bytes of data.
From 192.168.220.131 icmp_seq=1 Destination Port Unreachable
From 192.168.220.131 icmp_seq=2 Destination Port Unreachable
2. Add the following rules on machine B:
iptables -I FORWARD -s 192.168.0.0/24 -p icmp -j ACCEPT
iptables -I FORWARD -m state --state ESTABLISHED -j ACCEPT
B's FORWARD chain rules are now:
[root@rhel64-64bit rules.d]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
0 0 ACCEPT icmp -- * * 192.168.0.0/24 0.0.0.0/0
4 336 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Now A can communicate with C,
[root@demo instance]# ping 192.168.220.130
PING 192.168.220.130 (192.168.220.130) 56(84) bytes of data.
64 bytes from 192.168.220.130: icmp_seq=1 ttl=63 time=0.843 ms
64 bytes from 192.168.220.130: icmp_seq=2 ttl=63 time=0.655 ms
but C cannot ping A (C's echo request is a new flow that matches neither ACCEPT rule and falls through to REJECT):
[root@yaya init.d]# ping 192.168.0.106
PING 192.168.0.106 (192.168.0.106) 56(84) bytes of data.
From 192.168.220.131 icmp_seq=1 Destination Port Unreachable
From 192.168.220.131 icmp_seq=2 Destination Port Unreachable
3. Add one more rule on B:
iptables -I FORWARD 3 -s 192.168.220.0/24 -p icmp -j ACCEPT
B's rules are now:
[root@rhel64-64bit rules.d]# iptables -nvL
Chain INPUT (policy ACCEPT 2 packets, 458 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
13 1092 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
2 168 ACCEPT icmp -- * * 192.168.0.0/24 0.0.0.0/0
1 84 ACCEPT icmp -- * * 192.168.220.0/24 0.0.0.0/0
6 504 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Now A and C can communicate in both directions.
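To make the first-match semantics and the role of the ESTABLISHED rule explicit, here is an added Python model of B's FORWARD chain (example code, not from the original post) that replays the three steps above with A and C's addresses; the conntrack table and rule matching are simplified assumptions, and the last line also shows the caveat that appending the step-3 rule with -A instead of -I FORWARD 3 would place it after REJECT and never match.

```python
import ipaddress
from itertools import count

def rule(target, src=None, proto=None, state=None):
    """One FORWARD rule: -j target, optional -s CIDR, -p proto, --state (ESTABLISHED only)."""
    return {"target": target, "src": src, "proto": proto, "state": state}

def matches(r, flow, st):
    src, _, proto, _ = flow
    return ((r["src"] is None or ipaddress.ip_address(src) in ipaddress.ip_network(r["src"]))
            and (r["proto"] is None or r["proto"] == proto)
            and (r["state"] is None or r["state"] == st))

def forward(rules, seen, flow, policy="ACCEPT"):
    """Walk the chain in order; the first match wins, otherwise the chain policy applies.
    `seen` is a toy conntrack table (assumption): a flow is ESTABLISHED once its reverse was forwarded."""
    src, dst, proto, cid = flow
    st = "ESTABLISHED" if (dst, src, proto, cid) in seen else "NEW"
    verdict = next((r["target"] for r in rules if matches(r, flow, st)), policy)
    if verdict == "ACCEPT":          # only forwarded packets confirm a conntrack entry
        seen.add(flow)
    return verdict

_echo_id = count(1)

def ping(rules, seen, src, dst):
    """Echo request plus reply through B; True only if both directions are forwarded."""
    cid = next(_echo_id)             # fresh ICMP id: each ping is a NEW flow to conntrack
    if forward(rules, seen, (src, dst, "icmp", cid)) != "ACCEPT":
        return False
    return forward(rules, seen, (dst, src, "icmp", cid)) == "ACCEPT"

A, C = "192.168.0.106", "192.168.220.130"

def run_steps():
    """Replay the three rule changes; each value is (A can ping C, C can ping A)."""
    rules, seen, res = [], set(), {}
    rules.append(rule("REJECT"))                                        # 1: -A FORWARD -j REJECT
    res["step1"] = (ping(rules, seen, A, C), ping(rules, seen, C, A))
    rules.insert(0, rule("ACCEPT", src="192.168.0.0/24", proto="icmp"))  # 2: -I twice, so the
    rules.insert(0, rule("ACCEPT", state="ESTABLISHED"))                #    last -I ends up first
    res["step2"] = (ping(rules, seen, A, C), ping(rules, seen, C, A))
    rules.insert(2, rule("ACCEPT", src="192.168.220.0/24", proto="icmp"))  # 3: -I FORWARD 3
    res["step3"] = (ping(rules, seen, A, C), ping(rules, seen, C, A))
    # Caveat: with -A the step-3 rule would sit after REJECT, so C's NEW flow still hits REJECT first.
    appended = rules[:2] + [rules[3], rules[2]]
    res["step3_appended"] = ping(appended, set(), C, A)
    return res
```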