How to set up a gateway using iptables and route on Linux

Sharing a network connection is important, and setting up a gateway is a good solution. Building the gateway on a Linux box is easy, cost-efficient and reliable. With a Linux box, you can share the Internet connection, or the only cable connected to the network.

The Linux box network configuration

The Linux box that we use has this configuration:

NIC1: eth0 with IP 192.168.0.1, connected to our small local area network.

NIC2: eth1 with IP 198.51.100.1, connected to another network, such as a public network connected to the Internet.

Now we want to share this Linux box's connection with the other computers in the local area network, which have IPs in 192.168.0.0/16.

Setting up the gateway

All the operations in this part are done as root on the Linux gateway.

Manipulate the IP route table

# ip route add 192.168.0.0/16 dev eth0

or

# route add -net 192.168.0.0/16 dev eth0

Enable Linux IP forwarding

# sysctl -w net.ipv4.ip_forward=1

or

# echo 1 > /proc/sys/net/ipv4/ip_forward

You can also make the setting permanent by adding the line below to /etc/sysctl.conf:

net.ipv4.ip_forward = 1

Set up SNAT by iptables

Change the source IP of outgoing packets to the gateway's IP. Don't worry: iptables tracks the connection and will automatically change the reply packets' destination IP back to the original source IP.

# iptables -t nat -A POSTROUTING ! -d 192.168.0.0/16 -o eth1 -j SNAT --to-source 198.51.100.1

Instead of using SNAT, another way is to use MASQUERADE:


# iptables -t nat -A POSTROUTING ! -d 192.168.0.0/16 -o eth1 -j MASQUERADE

However, please note that for static IPs, SNAT is recommended, as the iptables man page says:

> This target is only valid in the nat table, in the POSTROUTING chain. It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out, but also has the effect that connections are forgotten when the interface goes down. This is the correct behavior when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway).

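To make concrete what the SNAT rule above does to packets, and the one behavioural difference the man page describes between SNAT and MASQUERADE, here is an added example (not code from the original article, and not how the kernel implements it): a toy model of source NAT with a connection-tracking table. The class name NatGateway, the Packet dataclass, the port-allocation rule (keep the original source port when free, otherwise hand out a fresh one) and the remote host 203.0.113.10 are all constructed for the example; the LAN range and the gateway's addresses are the article's.

```python
"""Toy model of Linux source NAT with connection tracking (added example).

Models 'iptables -t nat -A POSTROUTING ! -d 192.168.0.0/16 -o eth1 -j <target>':
outbound LAN packets get their source rewritten to the WAN address, the flow is
remembered, and replies are rewritten back to the LAN host. The only difference
modelled between SNAT and MASQUERADE is the one from the iptables man page:
MASQUERADE forgets its mappings when the outgoing interface goes down.
Real conntrack port selection is more elaborate than this; the rule here is
a simplification for illustration.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Addresses from the article's setup (eth0 on the LAN, eth1 towards the Internet).
LAN = ip_network("192.168.0.0/16")
WAN_IP = "198.51.100.1"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class NatGateway:
    def __init__(self, target: str) -> None:
        if target not in ("SNAT", "MASQUERADE"):
            raise ValueError("target must be SNAT or MASQUERADE")
        self.target = target
        # conntrack: (proto, remote_ip, remote_port, wan_port) -> (lan_ip, lan_port)
        self.table: Dict[Tuple[str, str, int, int], Tuple[str, int]] = {}
        self.next_port = 1024  # where the "pick a free port" fallback starts (assumed)

    def _wan_port_for(self, pkt: Packet) -> int:
        """Reuse the mapping of a known flow; else keep the source port if free."""
        for (proto, rip, rport, wport), (lip, lport) in self.table.items():
            if (proto, rip, rport, lip, lport) == (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport):
                return wport
        in_use = {wport for (proto, rip, rport, wport) in self.table
                  if (proto, rip, rport) == (pkt.proto, pkt.dst, pkt.dport)}
        if pkt.sport not in in_use:
            return pkt.sport
        # Two LAN hosts used the same source port towards the same remote:
        # the second one needs a distinct WAN port so replies can be told apart.
        while self.next_port in in_use:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """LAN -> WAN: rewrite the source to the gateway's address and record the flow."""
        if ip_address(pkt.src) not in LAN:
            return None  # not one of our LAN hosts; this toy forwards nothing else
        if ip_address(pkt.dst) in LAN:
            return pkt  # the "! -d 192.168.0.0/16" match: LAN-to-LAN traffic is untouched
        wan_port = self._wan_port_for(pkt)
        self.table[(pkt.proto, pkt.dst, pkt.dport, wan_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=WAN_IP, sport=wan_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: only packets of a tracked flow get their destination restored."""
        entry = self.table.get((pkt.proto, pkt.src, pkt.sport, pkt.dport))
        if entry is None:
            return None  # unsolicited packet: no conntrack entry, so no host to deliver to
        lan_ip, lan_port = entry
        return replace(pkt, dst=lan_ip, dport=lan_port)

    def interface_down(self) -> None:
        """eth1 goes down: MASQUERADE drops its mappings, SNAT keeps them."""
        if self.target == "MASQUERADE":
            self.table.clear()


if __name__ == "__main__":
    gw = NatGateway("SNAT")
    out = gw.outbound(Packet("192.168.0.4", 40000, "203.0.113.10", 80))
    print("outbound after SNAT:", out)
    print("reply delivered to:", gw.inbound(Packet("203.0.113.10", 80, WAN_IP, 40000)))
    print("unsolicited inbound:", gw.inbound(Packet("203.0.113.10", 80, WAN_IP, 5555)))
```

Running the module walks one flow through the gateway; the interesting cases are a second LAN host colliding on the same source port (it gets a different WAN port), an unsolicited inbound packet (dropped, since nothing in the table points at a LAN host), and a MASQUERADE gateway losing its mappings when eth1 goes down while a SNAT gateway keeps them.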

Some other discussion on the Web: http://lists.debian.org/debian-firewall/2002/02/msg00020.html


Then make sure that the other iptables tables do not deny these connections. If you have problems in this step, you can try

# iptables -F
# iptables -t nat -F
# iptables -t nat -A POSTROUTING ! -d 192.168.0.0/16 -o eth1 -j SNAT --to-source 198.51.100.1

to allow all connections through. But there may be security problems after opening all ports to the public; the firewall should be carefully configured.
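The steps above (route, IP forwarding, SNAT or MASQUERADE, and a filter table that does not block the forwarded traffic) can be rendered as one iptables-restore ruleset and checked for consistency before it is loaded. The following is an added example, not the article's own script; the function names gateway_plan and audit_dump and the iptables-save sample are constructed here. It also goes beyond the article's own commands: instead of "iptables -F", which empties every chain, it gives FORWARD a DROP policy and passes only LAN-to-WAN traffic plus the replies to it, and it chooses SNAT or MASQUERADE according to whether the WAN address is static, as the man page quoted above advises.

```python
"""Render the gateway's routing and iptables steps with sanity checks, and
audit an 'iptables-save' dump against them (added example, not the article's).
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List


def gateway_plan(lan_cidr: str, lan_if: str, wan_if: str, wan_ip: str,
                 static_wan_ip: bool = True) -> Dict[str, str]:
    """Return the route command, the sysctl line and the iptables-restore text."""
    lan = ip_network(lan_cidr, strict=False)
    wan = ip_address(wan_ip)
    if wan in lan:
        raise ValueError(f"WAN address {wan} lies inside the LAN {lan}")
    if lan_if == wan_if:
        raise ValueError("LAN and WAN must be different interfaces")
    # iptables man page: static address -> SNAT, dynamically assigned -> MASQUERADE
    target = f"SNAT --to-source {wan}" if static_wan_ip else "MASQUERADE"
    nat_rule = f"-A POSTROUTING ! -d {lan} -o {wan_if} -j {target}"
    rules = "\n".join([
        "*nat",
        ":PREROUTING ACCEPT [0:0]",
        ":INPUT ACCEPT [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        ":POSTROUTING ACCEPT [0:0]",
        nat_rule,
        "COMMIT",
        "*filter",
        ":INPUT ACCEPT [0:0]",   # the gateway's own services are out of scope here
        ":FORWARD DROP [0:0]",   # nothing is routed through unless a rule below allows it
        ":OUTPUT ACCEPT [0:0]",
        # replies to LAN-initiated connections, matched by connection tracking
        f"-A FORWARD -i {wan_if} -o {lan_if} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        # new connections only from LAN addresses and only towards the WAN side
        f"-A FORWARD -i {lan_if} -o {wan_if} -s {lan} -j ACCEPT",
        "COMMIT",
        "",
    ])
    return {
        "route": f"ip route add {lan} dev {lan_if}",
        "sysctl": "net.ipv4.ip_forward = 1",
        "nat_rule": nat_rule,
        "rules": rules,
    }


def audit_dump(dump: str, plan: Dict[str, str]) -> List[str]:
    """Check an 'iptables-save' dump for the NAT rule and for an open FORWARD policy."""
    findings = []
    lines = [ln.strip() for ln in dump.splitlines()]
    if plan["nat_rule"] not in lines:
        findings.append("NAT rule missing: " + plan["nat_rule"])
    if any(ln.startswith(":FORWARD ACCEPT") for ln in lines):
        findings.append("FORWARD policy is ACCEPT: every forwarded packet is allowed")
    return findings


# Constructed sample of what 'iptables-save' shows after the article's
# 'iptables -F; iptables -t nat -F' followed by the SNAT rule: NAT works,
# but the filter table no longer restricts what is forwarded.
FLUSHED_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING ! -d 192.168.0.0/16 -o eth1 -j SNAT --to-source 198.51.100.1
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

if __name__ == "__main__":
    plan = gateway_plan("192.168.0.0/16", "eth0", "eth1", "198.51.100.1")
    print(plan["route"])
    print(plan["sysctl"])
    print(plan["rules"])
    print("findings on flushed dump:", audit_dump(FLUSHED_DUMP, plan))
    print("findings on planned rules:", audit_dump(plan["rules"], plan))
```

The rendered text is meant to be fed to iptables-restore; audit_dump can be pointed at the output of iptables-save afterwards to confirm the NAT rule is in place and that the FORWARD chain is not left wide open, which is exactly the state the "iptables -F" shortcut leaves behind.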

By now, we have set up the Linux gateway.

Client side configuration

On a client, such as a Linux or Windows machine with IP 192.168.0.4, set the network connection to use this profile:

The configuration profile:

Gateway: 192.168.0.1

DNS Server: your ISP's DNS server IP addresses.

The method to configure the network may differ between NetworkManager, the network service, and Windows.

You can try this command on Linux:


# ip route add default via 192.168.0.1 dev eth0

or


# route add default gw 192.168.0.1 eth0

You can use this GUI/TUI tool on Fedora / RedHat / CentOS systems:


# system-config-network

or


# system-config-network-tui

Translated from: https://www.systutorials.com/setting-up-gateway-using-iptables-and-route-on-linux/
