Fla*_*lav 18 linux routing iptables nat iproute
Linux 作为路由器:我有 3 个 Internet 提供商,每个提供商都有自己的调制解调器。
Provider1,网关地址 192.168.1.1
连接linux路由器eth1 /192.168.1.2
Provider2,网关地址192.168.2.1
连接linux路由器eth2 /192.168.2.2
Provider3,网关地址192.168.3.1
连接linux路由器eth3 /192.168.3.2
________
+------------+ /
| | |
+----------------------+ Provider 1 +--------|
__ |192.168.1.2 |192.168.1.1 | /
___/ \_ +------+-------+ +------------+ |
_/ \__ | eth1 | +------------+ /
/ \ eth0| |192.168.2.2 | | |
|Client network -----+ ROUTER eth2|--------------+ Provider 2 +------| Internet
\10.0.0.0/24 __/ | | |192.168.2.1 | |
\__ __/ | eth3 | +------------+ \
\___/ +------+-------+ +------------+ |
|192.168.3.2 | | \
+----------------------+ Provider 3 +-------|
|192.168.3.1 | |
+------------+ \________
我想通过源 IP 将网络 10.0.0.0/24 中的客户端路由到不同的网关。
客户端网络的接口是eth0 /10.0.0.1,这是所有客户端的默认网关。
例如:
10.0.0.11 应该路由到 Provider1 @ eth1
10.0.0.12 应该路由到 Provider2 @ eth2
...等等...
我想我需要使用ip route和iptables用于 SNAT,但我还没有弄清楚究竟如何。
这是我到目前为止的脚本。
启用 ipv4 转发。
#!/bin/bash
# flush tables
ip route flush table connection1
ip route flush table connection2
ip route flush table connection3
# add the default gateways for each table
ip route add table connection1 default via 192.168.1.1
ip route add table connection2 default via 192.168.2.1
ip route add table connection3 default via 192.168.3.1
# add some IP addresses for marking
iptables -t mangle -A PREROUTING -s 10.0.0.11 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -s 10.0.0.12 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -s 10.0.0.13 -j MARK --set-mark 3
# add the source nat rules for each outgoing interface
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.1.2
iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source 192.168.2.2
iptables -t nat -A POSTROUTING -o eth3 -j SNAT --to-source 192.168.3.2
# link routing tables to connections (?)
ip rule add fwmark 1 table connection1
ip rule add fwmark 2 table connection2
ip rule add fwmark 3 table connection3
#default route for anything not configured above should be eth2
der*_*ert 15
这是我们的一个路由器的类似设置(剪掉了一些不相关的东西)。请注意,这也处理传入连接。
请注意使用变量而不是硬编码的标记号。更容易维护!它们存储在一个单独的脚本中,并来源于 . 表名在/etc/iproute2/rt_tables. 接口名称在/etc/udev/rules.d/70-persistent-net.rules.
##### fwmark ######
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j RETURN # if already set, we're done
iptables -t mangle -A PREROUTING -i wan -j MARK --set-mark $MARK_CAVTEL
iptables -t mangle -A PREROUTING -i comcast -j MARK --set-mark $MARK_COMCAST
iptables -t mangle -A PREROUTING -i vz-dsl -j MARK --set-mark $MARK_VZDSL
iptables -t mangle -A POSTROUTING -o wan -j MARK --set-mark $MARK_CAVTEL
iptables -t mangle -A POSTROUTING -o comcast -j MARK --set-mark $MARK_COMCAST
iptables -t mangle -A POSTROUTING -o vz-dsl -j MARK --set-mark $MARK_VZDSL
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
##### NAT ######
iptables -t nat -F
iptables -t nat -X
for local in «list of internal IP/netmask combos»; do
iptables -t nat -A POSTROUTING -s $local -o wan -j SNAT --to-source «IP»
iptables -t nat -A POSTROUTING -s $local -o comcast -j SNAT --to-source «IP»
iptables -t nat -A POSTROUTING -s $local -o vz-dsl -j SNAT --to-source «IP»
done
# this is an example of what the incoming traffic rules look like
for extip in «list of external IPs»; do
iptables -t nat -A PREROUTING -p tcp -d $extip --dport «port» -j DNAT --to-destination «internal-IP»:443
done
和规则:
ip rule flush
ip rule add from all pref 1000 lookup main
ip rule add from A.B.C.D/29 pref 1500 lookup comcast # these IPs are the external ranges (we have multiple IPs on each connection)
ip rule add from E.F.G.H/29 pref 1501 lookup cavtel
ip rule add from I.J.K.L/31 pref 1502 lookup vzdsl
ip rule add from M.N.O.P/31 pref 1502 lookup vzdsl # yes, you can have multiple ranges
ip rule add fwmark $MARK_COMCAST pref 2000 lookup comcast
ip rule add fwmark $MARK_CAVTEL pref 2001 lookup cavtel
ip rule add fwmark $MARK_VZDSL pref 2002 lookup vzdsl
ip rule add pref 2500 lookup comcast # the pref order here determines the default—we default to Comcast.
ip rule add pref 2501 lookup cavtel
ip rule add pref 2502 lookup vzdsl
ip rule add pref 32767 lookup default
路由表在 中设置/etc/network/interfaces,以便关闭接口使其切换到使用不同的接口:
iface comcast inet static
address A.B.C.Q
netmask 255.255.255.248
up ip route add table comcast default via A.B.C.R dev comcast
down ip route flush table comcast
注意:如果你正在做筛选,以及(你可能是)你还需要相应的规则添加到FORWARD到ACCEPT交通。特别是对于任何传入流量。