linux 跳转路由,Linux路由选路

一、目的

使用iptables和iproute2做策略路由，实现数据包正确路由转发。不同线路的客户端访问CentOS时，能够从正确响应客户端；使用CentOS做转发路由器，能够正确转发数据包。

二、实验环境

四台cisco2691分别模拟三条线路的接入路由器和一台远端主机；CentOS5.3服务器分别与三台接入路由器相连。

三、拓扑

四、实现方法

R1方向的路由采用策略路由实现，R2方向的路由指定了默认路由，R3方向的路由通过静态明细路由实现。

１)PC端(2691模拟)配置：

en

conf t

host PC

inter f0/0

ip addr 22.22.22.13 255.255.255.0

no sh

exit

ip route 0.0.0.0 0.0.0.0 22.22.22.254

end

２)R１配置：

en

conf t

host R1

inter f0/0

ip addr 22.22.22.254 255.255.255.0

no sh

inter f0/1

ip addr 10.10.10.254 255.255.255.0

no sh

exit

ip route 192.168.13.0 255.255.255.0 10.10.10.13

ip route 33.33.33.0 255.255.255.0 10.10.10.13

ip route 172.16.13.0 255.255.255.0 10.10.10.13

ip route 202.96.134.0 255.255.255.0 10.10.10.13

end

３)R２配置：

en

conf t

host R2

inter f0/0

ip addr 192.168.13.254 255.255.255.0

no sh

inter loopback0

ip add 33.33.33.13 255.255.255.0

no sh

exit

ip route 10.10.10.0 255.255.255.0 192.168.13.114

ip route 22.22.22.0 255.255.255.0 192.168.13.114

ip route 172.16.13.0 255.255.255.0 192.168.13.114

ip route 202.96.134.0 255.255.255.0 192.168.13.114

end

４)R３配置：

en

conf t

host R3

inter f0/0

ip addr 172.16.13.13 255.255.255.0

no sh

inter loopback0

ip addr 202.96.134.134 255.255.255.0

exit

ip route 0.0.0.0 0.0.0.0 172.16.13.254

line vty 0 4

password cisco

login

end

５)CentOS配置：

echo 1 > /proc/sys/net/ipv4/ip_forward

ifconfig eth1 10.10.10.13 netmask 255.255.255.0 up

ifconfig eth0 192.168.13.114 netmask 255.255.255.0 up

ifconfig eth2 172.16.13.254 netmask 255.255.255.0 up

ifconfig eth2:1 172.16.13.253 netmask 255.255.255.0 up

route add default gw 192.168.13.254

route add -net 202.96.134.0/24 gw 172.16.13.13

iptables -t mangle -F

iptables -t nat -F

iptables -F

iptables -t mangle -A PREROUTING -i eth0 -d ! 192.168.13.114 -j MARK --set-mark 8126

iptables -t mangle -A PREROUTING -d 172.16.13.253 -j MARK --set-mark 8126

iptables -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 8125

iptables -t nat -A POSTROUTING -o eth2 -m mark --mark 8125 -j SNAT --to 172.16.13.253

echo "800 markroute" >> /etc/iproute2/rt_tables

ip rule add fwmark 8126 table markroute

ip rule add from 10.10.10.13 table markroute

ip route add default via 10.10.10.254 table markroute

ip route flush cache

五、现象

PC端：

PC#ping 10.10.10.254

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.10.254, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/34/120 ms

PC#ping 10.10.10.13

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.10.13, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/33/76 ms

PC#ping 192.168.13.114

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.13.114, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

PC#ping 192.168.13.254

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.13.254, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/49/160 ms

PC#ping 33.33.33.13

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 33.33.33.13, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/42/108 ms

PC#ping 172.16.13.254

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.13.254, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

PC#ping 172.16.13.13

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.13.13, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/32/92 ms

PC#ping 202.96.134.134

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 202.96.134.134, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/40/100 ms

PC#telnet 172.16.13.13

Trying 172.16.13.13 ... Open

User Access Verification

Password:

R3>exit

[Connection to 172.16.13.13 closed by foreign host]

PC#telnet 202.96.134.134

Trying 202.96.134.134 ... Open

User Access Verification

Password:

R3>exit

[Connection to 202.96.134.134 closed by foreign host]

R2端：

R2#ping 192.168.13.114

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.13.114, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/29/80 ms

R2#ping 10.10.10.13

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.10.13, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

R2#ping 10.10.10.254

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.10.254, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/43/100 ms

R2#ping 22.22.22.13

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 22.22.22.13, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/43/100 ms

R2#ping 172.16.13.254

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.13.254, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/33/72 ms

R2#ping 172.16.13.13

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.13.13, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/44/152 ms

R2#ping 202.96.134.134

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 202.96.134.134, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/44/92 ms

R2#telnet 172.16.13.13

Trying 172.16.13.13 ... Open

User Access Verification

Password:

R3>exit

[Connection to 172.16.13.13 closed by foreign host]

R2#telnet 202.96.134.134

Trying 202.96.134.134 ... Open

User Access Verification

Password:

R3>exit

[Connection to 202.96.134.134 closed by foreign host]

R3端：

R3>ping 10.10.10.13

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.10.13, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

R3>ping 10.10.10.254

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.10.254, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/30/72 ms

R3>ping 22.22.22.13

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 22.22.22.13, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/48/156 ms

R3>traceroute 22.22.22.13

Type escape sequence to abort.

Tracing the route to 22.22.22.13

1 172.16.13.254 12 msec 24 msec 32 msec

2 192.168.13.254 8 msec 20 msec 40 msec

3 172.16.13.254 20 msec 28 msec 12 msec

4 10.10.10.254 16 msec 12 msec 16 msec

5 22.22.22.13 8 msec 56 msec *

R3>ping 192.168.13.114

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.13.114, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/16/28 ms

R3>ping 192.168.13.254

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.13.254, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/31/56 ms

R3>ping 33.33.33.13

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 33.33.33.13, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/37/120 ms

六、结论

请注意测试结果中蓝色和红色部分内容。

１、测试目标基本实现。

２、红色部分是做了策略路由出现的异常现象。

３、R1到R3的数据包通过SNAT实现回包正确路由。

４、蓝色部分R3到PC方向是通过R2跳转的。如果R2没有到R1方向的路由，R3到PC是不通的。