I. Objective
Use iptables and iproute2 to implement policy routing so that packets are routed and forwarded correctly: when clients on different links access the CentOS host, the reply goes back to the client over the correct link, and when the CentOS host acts as a forwarding router, it forwards packets correctly.
II. Lab Environment
Four Cisco 2691 routers emulate the access routers of three links plus one remote host; the CentOS 5.3 server is connected to each of the three access routers.
III. Topology
IV. Implementation
Routing toward R1 is done with policy routing, routing toward R2 relies on the default route, and routing toward R3 uses a specific static route.
1) PC (emulated by a 2691) configuration:
en
conf t
host PC
inter f0/0
ip addr 22.22.22.13 255.255.255.0
no sh
exit
ip route 0.0.0.0 0.0.0.0 22.22.22.254
end
2) R1 configuration:
en
conf t
host R1
inter f0/0
ip addr 22.22.22.254 255.255.255.0
no sh
inter f0/1
ip addr 10.10.10.254 255.255.255.0
no sh
exit
ip route 192.168.13.0 255.255.255.0 10.10.10.13
ip route 33.33.33.0 255.255.255.0 10.10.10.13
ip route 172.16.13.0 255.255.255.0 10.10.10.13
ip route 202.96.134.0 255.255.255.0 10.10.10.13
end
3) R2 configuration:
en
conf t
host R2
inter f0/0
ip addr 192.168.13.254 255.255.255.0
no sh
inter loopback0
ip add 33.33.33.13 255.255.255.0
no sh
exit
ip route 10.10.10.0 255.255.255.0 192.168.13.114
ip route 22.22.22.0 255.255.255.0 192.168.13.114
ip route 172.16.13.0 255.255.255.0 192.168.13.114
ip route 202.96.134.0 255.255.255.0 192.168.13.114
end
4) R3 configuration:
en
conf t
host R3
inter f0/0
ip addr 172.16.13.13 255.255.255.0
no sh
inter loopback0
ip addr 202.96.134.134 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 172.16.13.254
line vty 0 4
password cisco
login
end
5) CentOS configuration:
echo 1 > /proc/sys/net/ipv4/ip_forward
ifconfig eth1 10.10.10.13 netmask 255.255.255.0 up
ifconfig eth0 192.168.13.114 netmask 255.255.255.0 up
ifconfig eth2 172.16.13.254 netmask 255.255.255.0 up
ifconfig eth2:1 172.16.13.253 netmask 255.255.255.0 up
route add default gw 192.168.13.254
route add -net 202.96.134.0/24 gw 172.16.13.13
iptables -t mangle -F
iptables -t nat -F
iptables -F
iptables -t mangle -A PREROUTING -i eth0 -d ! 192.168.13.114 -j MARK --set-mark 8126
iptables -t mangle -A PREROUTING -d 172.16.13.253 -j MARK --set-mark 8126
iptables -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 8125
iptables -t nat -A POSTROUTING -o eth2 -m mark --mark 8125 -j SNAT --to 172.16.13.253
echo "800 markroute" >> /etc/iproute2/rt_tables
ip rule add fwmark 8126 table markroute
ip rule add from 10.10.10.13 table markroute
ip route add default via 10.10.10.254 table markroute
ip route flush cache
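As an added illustration (not part of the original lab), the Python model below replays the CentOS rules from step 5 (the mangle MARK rules, the two ip rules, the main and markroute tables, and the SNAT on eth2) against constructed packets. It shows the mark-and-SNAT round trip for R1-side traffic toward R3, the two passes an R3-to-PC packet makes through the host (out toward R2, then back in on eth0 and out via R1, matching the five-hop traceroute in section V), and that a reply sourced from 192.168.13.114 takes the main table toward R2 rather than the link the request arrived on. Conntrack, the local table and rp_filter are deliberately left out, so it is a simplification of the kernel, not a substitute for it.

```python
import ipaddress

# Constructed model of the CentOS host's policy routing as configured in step 5
# (mangle MARK -> ip rule -> route table -> SNAT). Illustration only: conntrack,
# the local table and rp_filter are omitted.

MAIN = [  # (prefix, next hop or None if directly connected, out interface)
    ("202.96.134.0/24", "172.16.13.13", "eth2"),
    ("10.10.10.0/24", None, "eth1"),
    ("192.168.13.0/24", None, "eth0"),
    ("172.16.13.0/24", None, "eth2"),
    ("0.0.0.0/0", "192.168.13.254", "eth0"),
]
MARKROUTE = [("0.0.0.0/0", "10.10.10.254", "eth1")]  # table 800 "markroute"

def mangle_mark(in_if, dst):
    """PREROUTING mangle rules; MARK does not terminate, so the last match wins.
    in_if is None for locally generated packets, which never hit PREROUTING."""
    mark = 0
    if in_if == "eth0" and dst != "192.168.13.114":
        mark = 8126
    if dst == "172.16.13.253":
        mark = 8126
    if in_if == "eth1":
        mark = 8125
    return mark

def select_table(mark, src):
    """ip rule: fwmark 8126 or source 10.10.10.13 -> markroute, otherwise main."""
    return "markroute" if mark == 8126 or src == "10.10.10.13" else "main"

def lookup(table, dst):
    """Longest-prefix match inside one table; returns (next hop, out interface)."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in (MARKROUTE if table == "markroute" else MAIN)
            if addr in ipaddress.ip_network(r[0])]
    _, via, out_if = max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    return (via or dst), out_if

def decide(in_if, src, dst):
    """Mark, select a table, route, then apply the nat POSTROUTING SNAT on eth2."""
    mark = mangle_mark(in_if, dst)
    table = select_table(mark, src)
    via, out_if = lookup(table, dst)
    if out_if == "eth2" and mark == 8125:  # -o eth2 -m mark --mark 8125 -j SNAT
        src = "172.16.13.253"
    return {"mark": mark, "table": table, "via": via, "out": out_if, "src": src}
```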
V. Observations
On the PC:
PC#ping 10.10.10.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/34/120 ms
PC#ping 10.10.10.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/33/76 ms
PC#ping 192.168.13.114
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.114, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
PC#ping 192.168.13.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/49/160 ms
PC#ping 33.33.33.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.33.33.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/42/108 ms
PC#ping 172.16.13.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
PC#ping 172.16.13.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/32/92 ms
PC#ping 202.96.134.134
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.96.134.134, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/40/100 ms
PC#telnet 172.16.13.13
Trying 172.16.13.13 ... Open
User Access Verification
Password:
R3>exit
[Connection to 172.16.13.13 closed by foreign host]
PC#telnet 202.96.134.134
Trying 202.96.134.134 ... Open
User Access Verification
Password:
R3>exit
[Connection to 202.96.134.134 closed by foreign host]
On R2:
R2#ping 192.168.13.114
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.114, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/29/80 ms
R2#ping 10.10.10.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.13, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#ping 10.10.10.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/43/100 ms
R2#ping 22.22.22.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.22.22.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/43/100 ms
R2#ping 172.16.13.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/33/72 ms
R2#ping 172.16.13.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/44/152 ms
R2#ping 202.96.134.134
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.96.134.134, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/44/92 ms
R2#telnet 172.16.13.13
Trying 172.16.13.13 ... Open
User Access Verification
Password:
R3>exit
[Connection to 172.16.13.13 closed by foreign host]
R2#telnet 202.96.134.134
Trying 202.96.134.134 ... Open
User Access Verification
Password:
R3>exit
[Connection to 202.96.134.134 closed by foreign host]
On R3:
R3>ping 10.10.10.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.13, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3>ping 10.10.10.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/30/72 ms
R3>ping 22.22.22.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.22.22.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/48/156 ms
R3>traceroute 22.22.22.13
Type escape sequence to abort.
Tracing the route to 22.22.22.13
1 172.16.13.254 12 msec 24 msec 32 msec
2 192.168.13.254 8 msec 20 msec 40 msec
3 172.16.13.254 20 msec 28 msec 12 msec
4 10.10.10.254 16 msec 12 msec 16 msec
5 22.22.22.13 8 msec 56 msec *
R3>ping 192.168.13.114
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.114, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/16/28 ms
R3>ping 192.168.13.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/31/56 ms
R3>ping 33.33.33.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.33.33.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/37/120 ms
VI. Conclusions
Note the parts of the test results marked in blue and red.
1. The test objectives are essentially achieved.
2. The red parts are anomalies that appear once policy routing is in place.
3. Packets from R1 toward R3 rely on SNAT so that the return packets are routed correctly.
4. The blue parts show that traffic from R3 toward the PC is relayed through R2. If R2 had no route toward R1, R3 could not reach the PC.