Application scenario:
Internal/external network routing on the s32g274ardb2
The s32g274ardb2 has 4 usable network ports: eth0, pfe0, pfe1 and pfe2; pfe0 is wired to the on-board sja1110 switch.
- One s32g274ardb2 (A) acts as the gateway
- pfe2: connected to the external network, address obtained automatically (DHCP): 10.6.10.91, external gateway: 10.6.10.1
- eth0: acts as the internal gateway, static IP 192.168.1.100
- A second s32g274ardb2 (B) acts as the internal client (a PC works just as well)
- pfe1: connected to gateway A's eth0, static IP 192.168.1.31
Goal of this article:
Set up NAT forwarding between the internal and external networks on the gateway, so that the internal client can reach the external network through it
Implementation:
Gateway A: IP and routing setup
- Give eth0 a static IP; this is the internal gateway address that device B will point at (the original post typed pfe1 in this command, but the text, the ifconfig output and the later ping -I eth0 all refer to eth0)
    root@s32g2:~# ifconfig eth0 192.168.1.100/24 up
    root@s32g2:~# ifconfig
    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.1.100  netmask 255.255.255.0  broadcast 192.168.1.255
    ...
    pfe2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 10.6.10.91  netmask 255.255.254.0  broadcast 10.6.11.255
    ...
The netmask on pfe2 is 255.255.254.0, so the external segment is 10.6.10.0/23, not a /24.
- Set the external default gateway
    root@s32g2:~# route add default gw 10.6.10.1
    root@s32g2:~# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         10.6.10.1       0.0.0.0         UG    0      0        0 pfe2
    10.6.10.0       0.0.0.0         255.255.254.0   U     100    0        0 pfe2
    172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 pfe0
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 pfe1
    root@s32g2:~#
Note that pfe0 and pfe1 on this board already carry addresses in 192.168.1.0/24 as well, so the table holds three routes for that subnet. Traffic to 192.168.1.x can therefore leave through any of them unless the interface is pinned explicitly.
If the external network reaches the Internet, baidu.com is pingable from the gateway:
    root@s32g2:~# ping baidu.com
    PING baidu.com (39.156.66.10) 56(84) bytes of data.
    64 bytes from 39.156.66.10 (39.156.66.10): icmp_seq=1 ttl=50 time=40.7 ms
    64 bytes from 39.156.66.10 (39.156.66.10): icmp_seq=2 ttl=50 time=41.2 ms
    ...
- Check that gateway A and device B can reach each other. -I eth0 pins the source interface, because pfe0 and pfe1 have routes for the same subnet and the kernel would otherwise pick one of the three on its own
    root@s32g2:~# ping 192.168.1.31 -I eth0
    PING 192.168.1.31 (192.168.1.31) 56(84) bytes of data.
    64 bytes from 192.168.1.31: icmp_seq=1 ttl=64 time=0.377 ms
    64 bytes from 192.168.1.31: icmp_seq=2 ttl=64 time=0.272 ms
Device B: IP and routing setup
- Give pfe1 a static IP (pfe1 is the port cabled to gateway A's eth0; the original heading said pfe2)
    root@s32g274ardb2:~# ifconfig pfe1 192.168.1.31/24 up
    root@s32g274ardb2:~# ifconfig
    ...
    pfe1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.1.31  netmask 255.255.255.0  broadcast 192.168.1.255
    ...
- Set the internal default gateway (gateway A's eth0)
    root@s32g274ardb2:~# route add default gw 192.168.1.100
    root@s32g274ardb2:~# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         192.168.1.100   0.0.0.0         UG    0      0        0 pfe1
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 pfe1
    root@s32g274ardb2:~#
- Check the connection to gateway A
    root@s32g274ardb2:~# ping 192.168.1.100
    PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
    64 bytes from 192.168.1.100: icmp_seq=1 ttl=64 time=0.358 ms
- Now try the external network (by IP). As expected, it does not answer: gateway A receives the packet on eth0 but drops it because IP forwarding is still off, and even if it forwarded it, the upstream network has no route back to 192.168.1.0/24, so replies would never return
    root@s32g274ardb2:~# ping 39.156.66.10
    PING 39.156.66.10 (39.156.66.10) 56(84) bytes of data.
    ^C
    --- 39.156.66.10 ping statistics ---
    2 packets transmitted, 0 received, 100% packet loss, time 1020ms
Gateway A: enable kernel IP forwarding
- Turn on ip_forward (takes effect immediately, but only until the next reboot; persistence is covered below)
    echo "1" > /proc/sys/net/ipv4/ip_forward
Gateway A: iptables rules
- For the demo, first flush the existing iptables rules and open the INPUT and FORWARD policies. Be aware of what this does on a board whose pfe2 faces an untrusted network: every service listening on the board becomes reachable from outside, and once forwarding is on, packets are relayed in both directions, not just from the internal side out. Fine on a lab bench, not as a deployed configuration
    sudo iptables -F
    sudo iptables -P INPUT ACCEPT
    sudo iptables -P FORWARD ACCEPT
- Add the NAT rule
    iptables -t nat -F
    iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o pfe2 -j SNAT --to-source 10.6.10.91
This rule rewrites the source address of every packet from 192.168.1.0/24 that leaves through pfe2 to 10.6.10.91. The upstream network then sees only the gateway's own address, replies are addressed to the gateway, and connection tracking maps each reply back to the internal host that opened the flow. Because pfe2 gets its address from DHCP, a hard-coded --to-source goes stale as soon as the lease changes; for a dynamically addressed uplink the MASQUERADE target, which always uses the interface's current address, is the appropriate choice. Note also that -t nat -F removes any rules Docker installed in the nat table.
- Show the current rules (add -n -v to skip reverse DNS lookups and see packet counters)
    root@s32g2:~# iptables -t nat -L
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    SNAT       all  --  192.168.1.0/24       anywhere             to:10.6.10.91

    Chain DOCKER (0 references)
    target     prot opt source               destination
    root@s32g2:~#
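The rules above are the minimum that makes the demo work. As an added example (not code from the original post), the script below emits a hardened version of the same ruleset in iptables-save format, so it can be loaded atomically with iptables-restore and kept as the file the persistence section reloads at boot. The interface names and subnet are the post's; the LAN_IF/WAN_IF/LAN_NET/RULES_FILE variables, the function names and the output path are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post: a hardened replacement for the
# "policy ACCEPT + bare SNAT" ruleset, in iptables-save format.
# Interface names and subnet follow the post; LAN_IF/WAN_IF/LAN_NET/RULES_FILE,
# the function names and the file path are this example's own choices.

LAN_IF="${LAN_IF:-eth0}"             # internal side, 192.168.1.100 in the post
WAN_IF="${WAN_IF:-pfe2}"             # external side, DHCP address (10.6.10.91 in the post)
LAN_NET="${LAN_NET:-192.168.1.0/24}"
RULES_FILE="${RULES_FILE:-/etc/iptables.up.rules}"

# Print the ruleset. Differences from the demo rules:
#  - FORWARD policy is DROP: only LAN-originated flows and their replies cross
#    the board, so a host on the 10.6.10.0/23 side that adds a route to
#    192.168.1.0/24 via the gateway is no longer forwarded into the LAN.
#  - MASQUERADE instead of SNAT --to-source: the uplink address comes from
#    DHCP, and a hard-coded 10.6.10.91 silently breaks NAT when the lease moves.
#  - the LAN rule also matches the source subnet, so a LAN host cannot push
#    packets with a forged external source through the gateway.
#  - INPUT stays ACCEPT, as in the post; tighten it separately for deployment.
gen_nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fwd-drop: "
COMMIT
EOF
}

# Number of rules in the generated set that jump to TARGET; a cheap sanity
# check that the template expanded as intended before it touches the kernel.
count_target() {
    gen_nat_rules | grep -c -- "-j $1"
}

# Apply on gateway A (root only): enable forwarding, write the file that the
# boot-time restore reloads, then load it. iptables-restore replaces the nat
# and filter tables wholesale; load it before Docker starts, or Docker's own
# chains are removed along with the old rules.
apply_nat_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_nat_rules: must run as root" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
    gen_nat_rules > "$RULES_FILE" || return 1
    iptables-restore < "$RULES_FILE"
}
```

Run `gen_nat_rules` first to inspect the output, then `apply_nat_rules` on the gateway. After applying, repeat the ping from device B: new flows from 192.168.1.0/24 still work, while a connection attempted from the 10.6.10.0/23 side towards an internal host is dropped and logged with the fwd-drop: prefix.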
Device B: reaching the external network
- Access by IP now works. The TTL is 49, one less than the 50 seen from gateway A itself, which confirms the packets took the extra hop through the gateway
    root@s32g274ardb2:~# ping 39.156.66.10
    PING 39.156.66.10 (39.156.66.10) 56(84) bytes of data.
    64 bytes from 39.156.66.10: icmp_seq=1 ttl=49 time=42.9 ms
    64 bytes from 39.156.66.10: icmp_seq=2 ttl=49 time=41.5 ms
    64 bytes from 39.156.66.10: icmp_seq=3 ttl=49 time=40.9 ms
    ..
- Access by name, however, fails with a resolution error
    root@s32g274ardb2:~# ping baidu.com
    ping: baidu.com: Temporary failure in name resolution
Device B: DNS setup
- Edit /etc/resolv.conf
    vi /etc/resolv.conf
Add the following line:
    nameserver 8.8.8.8
The gateway runs no DNS forwarder, so B has to talk to a resolver it can reach through the NAT; 8.8.8.8 does for the demo, though its queries leave the site in plaintext, and the resolver the upstream DHCP server hands to gateway A, if there is one, would be the more usual choice. On an image that runs a DHCP client or resolvconf, /etc/resolv.conf may be regenerated and this edit lost.
- Access by name again
    root@s32g274ardb2:~# ping baidu.com
    PING baidu.com (39.156.66.10) 56(84) bytes of data.
    64 bytes from 39.156.66.10 (39.156.66.10): icmp_seq=1 ttl=49 time=42.4 ms
    64 bytes from 39.156.66.10 (39.156.66.10): icmp_seq=2 ttl=49 time=41.7 ms
Making the settings persistent
Everything above is temporary and is gone after the board reboots. The following shows, using gateway A as the example, how to persist the IP configuration, the forwarding flag and the iptables rules.
- Static IP configuration
Open /etc/network/interfaces for editing
    sudo vi /etc/network/interfaces
Modify/add the following. The stanzas below are a template; for gateway A as configured above, eth0 gets the static 192.168.1.100/24 and pfe2 uses dhcp, and the unused pfe0/pfe1 stanzas should be dropped so that only one interface carries 192.168.1.0/24 (the route table earlier showed three). Comments are kept on their own lines: ifupdown treats only lines beginning with # as comments, so trailing "# ..." text on an auto or iface line is read as additional interface names or options
    # bring the port up at boot; dynamic IP address
    auto eth0
    iface eth0 inet dhcp
    # bring the port up at boot; static IP address
    auto pfe0
    iface pfe0 inet static
        address 192.168.1.20
        netmask 255.255.255.0
        # gateway 192.168.1.1
        # network and broadcast can normally be left at their defaults
        # network 192.168.1.0
        # broadcast 192.168.1.255
    auto pfe1
    iface pfe1 inet static
        address 192.168.1.21
        netmask 255.255.255.0
    auto pfe2
    iface pfe2 inet static
        address 192.168.1.22
        netmask 255.255.255.0
Apply the interface configuration
    sudo /etc/init.d/networking restart
- Enable forwarding at boot
Edit /etc/sysctl.conf. The key is net.ipv4.ip_forward; the original post had it misspelled as ip_forword, which sysctl -p rejects, leaving forwarding off after every reboot while the command appears to have been run
    echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
    sudo sysctl -p
- iptables rules
Use iptables-save to write the current rules to /etc/iptables.up.rules
    root@s32g2:~# iptables-save > /etc/iptables.up.rules
    root@s32g2:~# cat /etc/iptables.up.rules
    # Generated by iptables-save v1.8.4 on Fri Mar 31 03:37:18 2023
    *nat
    :PREROUTING ACCEPT [1189:102049]
    :INPUT ACCEPT [1140:98397]
    :OUTPUT ACCEPT [37:2960]
    :POSTROUTING ACCEPT [37:2960]
    :DOCKER - [0:0]
    -A POSTROUTING -s 192.168.1.0/24 -o pfe2 -j SNAT --to-source 10.6.10.91
    COMMIT
    # Completed on Fri Mar 31 03:37:18 2023
    # Generated by iptables-save v1.8.4 on Fri Mar 31 03:37:18 2023
    *filter
    :INPUT ACCEPT [2050:174209]
    :FORWARD ACCEPT [151:12188]
    :OUTPUT ACCEPT [78:5988]
    :DOCKER - [0:0]
    :DOCKER-ISOLATION-STAGE-1 - [0:0]
    :DOCKER-ISOLATION-STAGE-2 - [0:0]
    :DOCKER-USER - [0:0]
    COMMIT
    # Completed on Fri Mar 31 03:37:18 2023
The numbers in brackets are packet and byte counters and are ignored on restore. The saved filter table shows the fully open FORWARD ACCEPT policy set during the demo; whatever is in this file is exactly what comes back after a reboot, so tighten the rules before saving rather than after.
Saving alone does not restore anything: some step at boot has to run iptables-restore on the file, for example a pre-up line in the pfe2 stanza of /etc/network/interfaces, so that the rules are in place before the external interface comes up. The rules can of course be saved to any other file and loaded with iptables-restore by hand:
    root@s32g2:~# iptables-save > /etc/iptables.rules.bak
    root@s32g2:~# iptables-restore < /etc/iptables.rules.bak
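The persistence steps above are spread over three files and the interfaces template does not match gateway A's actual layout. As an added example (not code from the original post), the script below generates the three pieces for gateway A exactly as it was configured in this article: eth0 static on 192.168.1.100, pfe2 on DHCP, forwarding enabled with the correctly spelled sysctl key, and the saved ruleset reloaded by a pre-up hook before pfe2 comes up. File paths follow the ifupdown/sysctl convention the post uses; the function names and the RULES_FILE/SYSCTL_CONF variables are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: persistent configuration for
# gateway A as set up in the article. Paths follow the post's conventions;
# the function names and the two variables below are this example's own.

RULES_FILE="${RULES_FILE:-/etc/iptables.up.rules}"
SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.conf}"

# /etc/network/interfaces for gateway A. Comments sit on their own lines
# because ifupdown does not strip trailing "# ..." text. The pre-up line loads
# the saved ruleset before pfe2 is brought up, so the board never forwards
# with empty tables between boot and rule load.
gen_interfaces() {
    cat <<EOF
auto lo
iface lo inet loopback

# internal side: the address device B uses as its default gateway
auto eth0
iface eth0 inet static
    address 192.168.1.100
    netmask 255.255.255.0

# external side: address and default route come from the upstream DHCP server
auto pfe2
iface pfe2 inet dhcp
    pre-up iptables-restore < $RULES_FILE
EOF
}

# The single sysctl line; the key must be spelled net.ipv4.ip_forward.
gen_sysctl() {
    printf '%s\n' 'net.ipv4.ip_forward=1'
}

# Succeed only if the sysctl text on stdin really enables forwarding.
# The misspelled key from the original post (ip_forword) does not pass.
check_forwarding_enabled() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$'
}

# Install on gateway A (root only). Requires the ruleset file to exist already
# (iptables-save > $RULES_FILE), backs up the old interfaces file, and appends
# the sysctl line only when it is not already present.
install_persistent_config() {
    [ "$(id -u)" -eq 0 ] || { echo "install_persistent_config: must run as root" >&2; return 1; }
    [ -f "$RULES_FILE" ] || { echo "save the rules first: iptables-save > $RULES_FILE" >&2; return 1; }
    [ -f /etc/network/interfaces ] && cp /etc/network/interfaces /etc/network/interfaces.bak
    gen_interfaces > /etc/network/interfaces || return 1
    if ! { [ -f "$SYSCTL_CONF" ] && check_forwarding_enabled < "$SYSCTL_CONF"; }; then
        gen_sysctl >> "$SYSCTL_CONF" || return 1
    fi
    sysctl -p "$SYSCTL_CONF" >/dev/null || return 1
    /etc/init.d/networking restart
}
```

`gen_interfaces` and `gen_sysctl` can be run on any machine to review the output before `install_persistent_config` is executed on the gateway. `check_forwarding_enabled` is also a useful post-reboot check: pipe `sysctl net.ipv4.ip_forward` into it after changing its `=` handling, or simply read /proc/sys/net/ipv4/ip_forward and expect 1.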