Chinaunix

标题: 路由策略请教！ [打印本页]

作者: goon86 时间: 2010-03-16 22:07
标题: 路由策略请教！
你好，
有台linux设备做路由器有三张网卡
wan eth0,
lan eth1 192.168.1.1,
lan eth2 192.168.2.1
eth1内有台设备a 192.168.1.10
eth2内有台设备b 192.168.2.20
当设备a的网关设定成192.168.1.1时，设备b能ping通设备a，但设备a的网关为其他时，设备bping不通a。
试过在a上设置路由表route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1 dev eth0，却没有效果。
请教有什么方法能使a的默认网关非192.168.1.1时，b也能ping通a。
谢谢！

作者: ssffzz1 时间: 2010-03-17 09:04
route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1 dev eth0

修改为：
route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.1.1 dev eth0

作者: goon86 时间: 2010-03-17 14:11
非常感谢，ssffzz1
route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.1.1 dev eth0
似乎没有生效，执行后可以在a设备上看到，但却ping不通，在路由器需要做什么吗？
root:~> route
Kernel IP routing table
Destination    Gateway       Genmask       Flags Metric Ref Use Iface
192.168.2.0    192.168.1.1    255.255.255.0 UG 0    0       0 eth0
192.168.1.0    *             255.255.255.0 U    0    0       0 eth0

作者: ssffzz1 时间: 2010-03-17 14:14
奇怪。
你把A设置成能通的情况。然后帖：ifconfig route print arp -a的输出。然后按照我说的设置，再帖这3个命令的输出。

作者: goon86 时间: 2010-03-17 15:28
谢谢。
route print ，arp -a这两个命令都没有，

添加route add default gw 192.168.1.1，就可以了

root:~> ifconfig
eth0    Link encap:Ethernet  HWaddr 44:22:31:11:55:31
      inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:3 errors:0 dropped:0 overruns:0 frame:0
      TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:192 (192.0 B)  TX bytes:126 (126.0 B)
      Interrupt:48

eth0:1 Link encap:Ethernet  HWaddr 44:22:31:11:55:31
      inet addr:10.10.189.2  Bcast:10.10.10.255  Mask:255.255.255.0
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      Interrupt:48

lo       Link encap:Local Loopback
      inet addr:127.0.0.1  Mask:255.0.0.0
      UP LOOPBACK RUNNING  MTU:16436  Metric:1
      RX packets:1 errors:0 dropped:0 overruns:0 frame:0
      TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0
      RX bytes:112 (112.0 B)  TX bytes:112 (112.0 B)

root:~> route print
BusyBox v1.13.4 (2010-03-03 14:31:53 CST) multi-call binary

Usage: route [{add|del|delete}]

Edit kernel routing tables

Options:
      -n    Don't resolve names
      -e    Display other/more information
      -A inet Select address family

root:~>

root:~> route
Kernel IP routing table
Destination    Gateway       Genmask       Flags Metric Ref Use Iface
192.168.1.0    *             255.255.255.0 U    0    0       0 eth0
10.10.189.0    *             255.255.255.0 U    0    0       0 eth0
default       192.168.1.1    0.0.0.0       UG 0    0       0 eth0

作者: ssffzz1 时间: 2010-03-17 15:34
哦。

route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.1.1

添加这个后。然后修改你的缺省网关。再试试。帖route
arp ? 看看能不能打印Arp表。

作者: goon86 时间: 2010-03-17 15:38
因为在嵌入式下的，arp给去掉了，有其他方法能打印arp吗？稍等，马上试

作者: goon86 时间: 2010-03-17 15:59
root:~> route
Kernel IP routing table
Destination    Gateway       Genmask       Flags Metric Ref Use Iface
192.200.1.21  *
192.168.1.0    *             255.255.255.0 U    0    0       0 eth0
10.10.189.0    *             255.255.255.0 U    0    0       0 eth0
default       192.168.1.1    0.0.0.0       UG 0    0       0 eth0

作者: goon86 时间: 2010-03-17 16:03
root:~> route
Kernel IP routing table
Destination    Gateway       Genmask       Flags Metric Ref Use Iface
192.200.1.21  *                255.255.255.255 uh  0 0       0  ppp0
192.168.2.0 192.168.1.1 255.255.255.0 ug 0    0       0 eth0
192.168.1.0    *             255.255.255.0 U    0    0       0 eth0
10.10.189.0    *             255.255.255.0 U    0    0       0 eth0
default       192.200.1.21    0.0.0.0       UG 0    0       0 ppp0

root:~> ifconfig
eth0    Link encap:Ethernet  HWaddr 44:22:31:11:55:31
      inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:3 errors:0 dropped:0 overruns:0 frame:0
      TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:192 (192.0 B)  TX bytes:126 (126.0 B)
      Interrupt:48

eth0:1 Link encap:Ethernet  HWaddr 44:22:31:11:55:31
      inet addr:10.10.189.2  Bcast:10.10.10.255  Mask:255.255.255.0
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      Interrupt:48

lo       Link encap:Local Loopback
      inet addr:127.0.0.1  Mask:255.0.0.0
      UP LOOPBACK RUNNING  MTU:16436  Metric:1
      RX packets:1 errors:0 dropped:0 overruns:0 frame:0
      TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0
      RX bytes:112 (112.0 B)  TX bytes:112 (112.0 B)

作者: goon86 时间: 2010-03-17 16:07
root:~> ifconfig
eth0    Link encap:Ethernet  HWaddr 44:22:31:11:55:31
      inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:0 errors:0 dropped:0 overruns:0 frame:0
      TX packets:38 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:0 (0.0 B)  TX bytes:1680 (1.6 KiB)
      Interrupt:48

eth0:1 Link encap:Ethernet  HWaddr 44:22:31:11:55:31
      inet addr:10.10.189.2  Bcast:10.10.10.255  Mask:255.255.255.0
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      Interrupt:48

lo       Link encap:Local Loopback
      inet addr:127.0.0.1  Mask:255.0.0.0
      UP LOOPBACK RUNNING  MTU:16436  Metric:1
      RX packets:28 errors:0 dropped:0 overruns:0 frame:0
      TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0
      RX bytes:2488 (2.4 KiB)  TX bytes:2488 (2.4 KiB)

ppp0    Link encap

oint-to-Point Protocol
      inet addr:10.71.55.125  P-t-P:192.200.1.21  Mask:255.255.255.255
      UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
      RX packets:5 errors:1 dropped:0 overruns:0 frame:0
      TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:3
      RX bytes:194 (194.0 B)  TX bytes:1107 (1.0 KiB)

root:~>

作者: ssffzz1 时间: 2010-03-17 16:13
你现在这个状态ping 192.168.2.1 和192.168.2.20 的结果是？？？？？

作者: goon86 时间: 2010-03-17 16:50
加了arp进去了，运行arp 或arp -a马上就退出来了，什么信息也没有显示，有个arping，
root:~>
root:~> arp -a
root:~>
root:~>
root:~> arp
root:~>

root:~> arping
BusyBox v1.13.4 (2010-03-03 14:31:53 CST) multi-call binary

Usage: arping [-fqbDUA] [-c count] [-w timeout] [-I dev] [-s sender] target

Send ARP requests/replies

Options:
      -f             Quit on first ARP reply
      -q             Quiet
      -b             Keep broadcasting, don't go unicast
      -D             Duplicated address detection mode
      -U             Unsolicited ARP mode, update your neighbors
      -A             ARP answer mode, update your neighbors
      -c N          Stop after sending N ARP requests
      -w timeout    Time to wait for ARP reply, in seconds
      -I dev       Interface to use (default eth0)
      -s sender    Sender IP address
      target       Target IP address

root:~>

作者: goon86 时间: 2010-03-17 17:03
ping 192.168.2.1 没有反应，一直停在那里，也没有time out

作者: ssffzz1 时间: 2010-03-17 17:04
奇怪啊。不可理解的现象。
192.168.1.21 这个路由器的配置你能动吗？

作者: goon86 时间: 2010-03-17 17:06
路由器的配置是192.168.1.1 能动

作者: goon86 时间: 2010-03-17 17:07
ping 192.168.1.1能ping通，ping 192.168.2.1就不了，gw default 为192.168.1.1就可以了

作者: ssffzz1 时间: 2010-03-17 17:17
我问的是192.168.1.21 能动不能？？？

作者: goon86 时间: 2010-03-17 17:21
192.200.1.21 是这个吗，这个不行，它是pppd拨号gprs时分配的

作者: goon86 时间: 2010-03-17 17:26
能不能把default gw设置成192.168.1.1,然后上网的数据都从192.200.1.21出去呢

作者: ssffzz1 时间: 2010-03-17 17:32
郁闷的不行了。

帖192.168.1.1的
ifconfig
route
arp -a
看看

作者: ssffzz1 时间: 2010-03-17 17:33
哦对了，没做策略路由之类的吧。

另外帖iptables-save 看看。

作者: goon86 时间: 2010-03-17 17:40
路由器的
/ # ifconfig
eth1    Link encap:Ethernet  HWaddr 00:11:C3:00:4A:A8
      inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:0 errors:0 dropped:0 overruns:0 frame:0
      TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
      Interrupt:16 Base address:0x8000

eth1:1 Link encap:Ethernet  HWaddr 00:11:C3:00:4A:A8
      inet addr:10.10.189.1  Bcast:10.10.10.255  Mask:255.255.255.0
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      Interrupt:16 Base address:0x8000

eth2    Link encap:Ethernet  HWaddr 00:12:7B:40:28:1F
      inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:4 errors:0 dropped:0 overruns:0 frame:0
      TX packets:42 errors:2 dropped:2 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:1312 (1.2 KiB)  TX bytes:2135 (2.0 KiB)

lo       Link encap:Local Loopback
      inet addr:127.0.0.1  Mask:255.0.0.0
      UP LOOPBACK RUNNING  MTU:16436  Metric:1
      RX packets:0 errors:0 dropped:0 overruns:0 frame:0
      TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0
      RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ppp0    Link encap

oint-Point Protocol
      inet addr:10.71.6.106  P-t-P:192.200.1.21  Mask:255.255.255.255
      UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
      RX packets:3 errors:0 dropped:0 overruns:0 frame:0
      TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:3
      RX bytes:54 (54.0 B)  TX bytes:98 (98.0 B)

/ # route
Kernel IP routing table
Destination    Gateway       Genmask       Flags Metric Ref Use Iface
192.200.1.21 *             255.255.255.255 UH 0    0       0 ppp0
192.168.2.0    *             255.255.255.0 U    0    0       0 eth2
192.168.1.0    *             255.255.255.0 U    0    0       0 eth1
10.10.189.0    *             255.255.255.0 U    0    0       0 eth1
127.0.0.0    *             255.0.0.0    U    0    0       0 lo
default       192.200.1.21 0.0.0.0       UG 0    0       0 ppp0
/ #

作者: goon86 时间: 2010-03-17 17:42
arp 也没有

作者: goon86 时间: 2010-03-17 17:47
#!/bin/ash
# Soho Router Firewall Script for Kendin Project
# by Hui Jia (hjia@kendin.com)
#
#
# Assumptions:
#    the internal network is 192.168.1.0/24 on eth1
#    the internet IP is DHCP assigned
#
# Additonally:
#    you have another internal network, a DMZ: 192.168.2.0/24 on eth2
#    you have mail server on 192.168.1.10
#    you have web access on 192.168.0.100
#

LANIPC=$(/bin/sysconfig -p -L | cut -d. -f3)
LANIPC=192.168."$LANIPC"
SYS26=26
WLANIP=192.168.2.1

SERHARIP=$(/bin/sysconfig -p -t)
if [ "$SERHARIP" = "YES" ]; then
SERIP="$LANIPC".2
else
SERIP=$(/bin/sysconfig -p -q)
fi

BLOCK=$(/bin/sysconfig -p -X)
if [ "$BLOCK" = "YES" ]; then
/bin/cp /web/disnat_mlTree.html /web/mlTree.html
/bin/cp /web/disnat_index.html /web/index.html
/usr/bin/killall -9 udhcpd > /dev/null 2>&1
echo nat is disable
/sbin/ifconfig eth1 192.168.10.1
exit
fi
if [ "$BLOCK" = "NO" ]; then
/bin/cp /web/en_mlTree.html /web/mlTree.html
/bin/cp /web/ennat_index.html /web/index.html

fi

WLAN=$(/bin/sysconfig -p -VWLANBRSTARTED)
if [ "$WLAN" = "1" ]; then
FACE=br0
else
FACE=eth1
fi

LANIP=$(/sbin/ifconfig "$FACE" | grep addr: | cut -d. -f1-3 | cut -d: -f2)
LAN=$LANIP.0/$(/sbin/ifconfig "$FACE" | grep Mask | cut -d: -f4)
PPPOE=$(/bin/sysconfig -p -Es)
G3=$(/bin/sysconfig -p -Cc)

if [ "$PPPOE" = "YES" ]; then
ETH0=ppp0
MTU=$(/bin/sysconfig -p -J)
else
if [ "$G3" = "3g" ]; then
ETH0=ppp0
PPPOE=YES
   MTU=$(/bin/sysconfig -p -J)
  else
ETH0=eth0
MTU=$(/bin/sysconfig -p -u)
  fi
fi

if [ "$PPPOE" = "YES" ]; then
  WANIP=$(/sbin/ifconfig $ETH0 | grep addr: | cut -d: -f2 | cut -dP -f1) > /dev/null 2>&1
else
  WANIP=$(/sbin/ifconfig $ETH0 | grep addr: | cut -d: -f2 | cut -dB -f1) > /dev/null 2>&1
fi

if [ -z "$WANIP" ]; then
echo "WAN Port is not assigned an IP address, firewall is not set, exit"
sysconfig -w -VFIREON=NO
exit 1
fi

#check DHCP server  //move by goon86 here from godhcp
#needed with dhcp-2.0pl5, source come with RedHat 7.1
#Socket filtering need to be turned on for kernel build

DHCPS=$(/bin/sysconfig -p -Cs)
if [ "$DHCPS" = "YES" ] ; then
  /bin/sysconfig -c
  touch /var/lib/misc/udhcpd.leases
  if [ -f /var/run/udhcpd.pid ]
  then
  /usr/bin/killall udhcpd
  fi
  udhcpd
fi

IPTABLES=/sbin/iptables

#clean up everything first each time any of the rule has been changed

$IPTABLES -t nat -F PREROUTING
$IPTABLES -t nat -F POSTROUTING
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD

# Set default policies for packets going through this firewall box

$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -P FORWARD ACCEPT

# Set default policies for packet entering this box
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT ACCEPT

# Kill spoofed packets

for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
   echo 1 > $f
done

BLOCK=$(/bin/sysconfig -p -X)
if [ "$BLOCK" = "YES" ]; then
/bin/cp /web/disnat_mlTree.html /web/mlTree.html
echo nat is disable
exit
fi

PPPOE=$(/bin/sysconfig -p -Es)
if [ "$PPPOE" = "YES" ]; then
MTU=$(/bin/sysconfig -p -J)
else
MTU=$(/bin/sysconfig -p -u)
fi

MAX=1492
if [ "$MTU" -ge "$MAX" ]; then
if [ "$PPPOE" = "YES" ]; then
   MTU=1492
fi
fi
MSS=$(expr $MTU - 40)
#echo GOON86$MSS
#MSS=$(($MTU - 40))

/sbin/ifconfig $ETH0 mtu $MTU

$IPTABLES -t mangle -A PREROUTING -j TCPMSS -p tcp --syn --set-mss $MSS
$IPTABLES -t mangle -A PREROUTING -j TCPMSS -p tcp --tcp-flags SYN,ACK SYN,ACK --set-mss $MSS
#echo $IPTABLES -t mangle -A PREROUTING -j TCPMSS -p tcp --syn --set-mss $MSS
#echo $IPTABLES -t mangle -A PREROUTING -j TCPMSS -p tcp --tcp-flags SYN,ACK SYN,ACK --set-mss $MSS

$IPTABLES -I FORWARD -p tcp -s 192.168.1.0/24 --dport 1723 -j ACCEPT
$IPTABLES -I FORWARD -p 47 -s 192.168.1.0/24 -j ACCEPT
$IPTABLES -I FORWARD -p 47 -d 192.168.1.0/24 -j ACCEPT

FIRE=$(/bin/sysconfig -p -VFIREON)
if [ "$FIRE" = "NO" ]; then
$IPTABLES -t nat -A PREROUTING -p 47 -i $ETH0  -j DNAT --to $SERIP
$IPTABLES -t nat -A PREROUTING -p tcp -i $ETH0 --dport 5039 -j DNAT --to $SERIP
$IPTABLES -t nat -A PREROUTING -p tcp -i $ETH0 --dport 1723 -j DNAT --to $SERIP
$IPTABLES -t nat -A PREROUTING -p udp -i $ETH0 --dport 3176 -j DNAT --to $SERIP
$IPTABLES -t nat -A PREROUTING -p udp -i $ETH0 --dport 5060 -j DNAT --to $SERIP
$IPTABLES -t nat -A PREROUTING -p udp -i $ETH0 --dport 4569 -j DNAT --to $SERIP
$IPTABLES -t nat -A PREROUTING -p udp -i $ETH0 --dport 10000:20000 -j DNAT --to $SERIP
  $IPTABLES -t nat -A POSTROUTING -o $ETH0 -j MASQUERADE
  echo "1" >/proc/sys/net/ipv4/ip_forward
  echo "1" >/proc/sys/net/ipv4/ip_dynaddr
  echo "firewall is not enabled but NAT is on."
  exit
fi

$IPTABLES -A FORWARD -i eth1 -s ! $LAN -j DROP

# Anything coming from the Internet should have a real Internet address
#$IPTABLES -A FORWARD -i $ETH0 -s 192.168.1.0/16 -j DROP #del by goon86 for lan
#$IPTABLES -A FORWARD -i $ETH0 -s 172.16.0.0/12 -j DROP
#$IPTABLES -A FORWARD -i $ETH0 -s 10.0.0.0/8 -j DROP

# Note:There are more "reserved" networks, but these are the classical ones.

# Block outgoing network filesharing protocols that aren't designed
# to leave the LAN

# SMB / Windows filesharing
$IPTABLES -A FORWARD -p tcp --sport 137:139 -j DROP
$IPTABLES -A FORWARD -p udp --sport 137:139 -j DROP

#  NFS Mount Service (TCP/UDP 635)
$IPTABLES -A FORWARD -p tcp --sport 635 -j DROP
$IPTABLES -A FORWARD -p udp --sport 635 -j DROP

#  NFS (TCP/UDP 2049)
$IPTABLES -A FORWARD -p tcp --sport 2049 -j DROP
$IPTABLES -A FORWARD -p udp --sport 2049 -j DROP

#  Portmapper (TCP/UDP 111)
$IPTABLES -A FORWARD -p tcp --sport 111 -j DROP
$IPTABLES -A FORWARD -p udp --sport 111 -j DROP

PING=$(/bin/sysconfig -p -B)
if [ "$PING" = "YES" ]; then
#  $IPTABLES -A FORWARD -i $ETH0 -p icmp --icmp-type echo-request -j DROP
  $IPTABLES -A INPUT -i $ETH0 -p icmp --icmp-type echo-request -j DROP
  echo "Disable pinging from outside. Interface=$ETH0"
fi

# Block incoming syslog, lpr, rsh, rexec...
BLOCK=$(/bin/sysconfig -p -X)
if [ "$BLOCK" = "YES" ]; then
  $IPTABLES -A FORWARD -i $ETH0 -p tcp --dport 515 -j DROP
  $IPTABLES -A FORWARD -i $ETH0 -p tcp --dport 514 -j DROP
  $IPTABLES -A FORWARD -i $ETH0 -p tcp --dport 512 -j DROP
fi

# Transparently forward all outgoing mail to a relay host

#SMTP=192.168.1.10
#$IPTABLES -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to $SMTP

RADM=$(/bin/sysconfig -p -A)
SIP=$(/sbin/ifconfig "$FACE" | grep addr: | cut -d: -f2 | cut -d" " -f1)
if [ "$RADM" = "YES" ]; then
$IPTABLES -t nat -A PREROUTING -i $ETH0 -d $WANIP \
            -p tcp --dport 80 -j DNAT --to $SIP
#echo "Enable remote access to Webserver. Interface=$ETH0 WANIP=$WANIP SIP=$SIP"
else
$IPTABLES -A INPUT -i $ETH0 -p tcp --dport 80 -j DROP
echo "Disable remote access to Webserver. Interface=$ETH0"
fi

# Transparently redirect web connections from outside to the DMZ web
# server

for INDX in 1 2 3 4 5
do
  DPORT=$(/bin/sysconfig -p -Z "n$INDX" | cut -d: -f2)
  DIP=$(/bin/sysconfig -p -Z "n$INDX" | cut -d: -f1)
  if [ "$DPORT" != "END" ]; then
$IPTABLES -t nat -A PREROUTING -i $ETH0 -d $WANIP \
            -p tcp --dport $DPORT -j DNAT --to $DIP
  fi
done

# Source NAT to get Internet traffic through
# $IPTABLES -t nat -A POSTROUTING -o $ETH0 -j SNAT --to $WANIP

$IPTABLES -t nat -A POSTROUTING -o $ETH0 -j MASQUERADE

# Finally let all estalished and related connections go through to the
# internal network.
# Let new connection request, related and estalished connections from
# internal network go through to the outside

# this the mac filter
FIP="1"
for IP in 1 2 3 4 5
do
FIP=$(/bin/sysconfig -p -M s="n$IP")
if [ "$FIP" != "END" ]; then
   FIP=$(/bin/sysconfig -p -M s="n$IP" | cut -d" " -f1)
   if [ "$FIP" != "0.0.0.0.0.0" ]; then
#    $IPTABLES -A FORWARD -m mac --mac-source $FIP -j DROP
#    $IPTABLES -A INPUT -m mac --mac-source $FIP -j DROP
$IPTABLES -t nat -I PREROUTING -m mac --mac-source $FIP -j DROP
   else
   echo "Invalid MAC address"
   fi
   FIP=$(/bin/sysconfig -p -M s="n$IP" | cut -d" " -f2)
   if [ "$FIP" != " " ] && [ "$FIP" != "0.0.0.0.0.0" ] ; then
      $IPTABLES -t nat -I PREROUTING -m mac --mac-source $FIP -j DROP
   fi
fi
done

# IP filter
# source ip filter

echo cir port vvv

FIP="1"
for IP in 1 2 3 4 5 6 7 8 9 10
do
FIP=$(/bin/sysconfig -p -R "n$IP" | cut -d. -f4)

PORT=$(/bin/sysconfig -p -R "n$IP" | cut -d- -f1 )
JUST=$(/bin/echo $PORT | cut -c1,2)
if [ "$FIP" != "END" ]; then
   PROT=$(/bin/sysconfig -p -R "n$IP" | cut -d" " -f3)
   if [ "$PROT" = "all" ]; then

   if [ "$JUST" = "47" ]; then
          $IPTABLES -t nat -A PREROUTING -p 47 -i ppp0  -j DNAT --to $LANIPC.$FIP
        else
   $IPTABLES -t nat -A PREROUTING -p tcp -i $ETH0 --dport $PORT -j DNAT --to $LANIPC.$FIP
   $IPTABLES -t nat -A PREROUTING -p udp -i $ETH0 --dport $PORT -j DNAT --to $LANIPC.$FIP

   fi
   else
        if [ "$JUST" = "47" ]; then
          $IPTABLES -t nat -A PREROUTING -p 47 -i ppp0  -j DNAT --to $LANIPC.$FIP
        else
   $IPTABLES -t nat -A PREROUTING -p $PROT -i $ETH0 --dport $PORT -j DNAT --to $LANIPC.$FIP
   fi
   fi
fi
done

#$IPTABLES -t nat -A PREROUTING -p tcp -i $ETH0 --dport 21 -j DNAT --to $SERIP
#echo goon86666666666666 $IPTABLES -t nat -A PREROUTING -p tcp -i $ETH0 --dport 21 -j DNAT --to $SERIP
$IPTABLES -t nat -A PREROUTING -p 47 -i $ETH0  -j DNAT --to $SERIP
$IPTABLES -t nat -A PREROUTING -p tcp -i $ETH0 --dport 5039 -j DNAT --to $SERIP
$IPTABLES -t nat -A PREROUTING -p tcp -i $ETH0 --dport 1723 -j DNAT --to $SERIP
$IPTABLES -t nat -A PREROUTING -p udp -i $ETH0 --dport 3176 -j DNAT --to $SERIP
$IPTABLES -t nat -A PREROUTING -p udp -i $ETH0 --dport 5060 -j DNAT --to $SERIP
$IPTABLES -t nat -A PREROUTING -p udp -i $ETH0 --dport 4569 -j DNAT --to $SERIP
$IPTABLES -t nat -A PREROUTING -p udp -i $ETH0 --dport 10000:20000 -j DNAT --to $SERIP

# destination ip filter

GIP="1"
for IP in 1 2 3 4 5
do
GIP=$(/bin/sysconfig -p -F s="n$IP")
if [ "$GIP" != "END" ]; then
   FIP=$(/bin/sysconfig -p -F s="n$IP" | cut -d" " -f3)
#    GIP=$(echo $GIP | sed s/\\/255.255.255/-$LANIPC/)
   if [ "$FIP" = "all" ]; then
   FIP=$(/bin/sysconfig -p -F s="n$IP" | sed s/\\/255.255.255/-$LANIPC/ | sed s/all/tcp/)
   $IPTABLES -A FORWARD -m iprange --src-range $FIP -j DROP
   FIP=$(/bin/sysconfig -p -F s="n$IP" | sed s/\\/255.255.255/-$LANIPC/ | sed s/all/udp/)
   $IPTABLES -A FORWARD -m iprange --src-range $FIP -j DROP
   else
        FIP=$(/bin/sysconfig -p -F s="n$IP" | sed s/\\/255.255.255/-$LANIPC/)
   $IPTABLES -A FORWARD -m iprange --src-range $FIP -j DROP
   fi
fi
done

# port forwarding

FIP="1"
for IP in 1 2 3 4 5
do
FIP=$(/bin/sysconfig -p -F d="n$IP")
if [ "$FIP" != "END" ]; then
   $IPTABLES -A FORWARD -d $FIP -j DROP
fi
done

#RLQ, port filtering
for ENTRY in 1 2 3 4 5
do
VAL=$(sysconfig -p -Ts="n$ENTRY")
if [ "$VAL" != "END" ]; then
   PORT=$(sysconfig -p -Ts="n$ENTRY" | grep p | cut -d- -f1)
   PRO=$(sysconfig -p -Ts="n$ENTRY" | grep p | cut -d- -f2)
   $IPTABLES -A FORWARD -$PRO --dport $PORT -j DROP
fi
done

$IPTABLES -A FORWARD -m state --state NEW,RELATED,ESTABLISHED -s $LAN -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -s ! $LAN -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -d $LAN -j ACCEPT

$IPTABLES -A FORWARD -m state --state NEW,RELATED,ESTABLISHED -s $WLANIP -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -s ! $WLANIP -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -d $WLANIP -j ACCEPT

# Activate ip forwarding!
echo "1" >/proc/sys/net/ipv4/ip_forward
echo "1" >/proc/sys/net/ipv4/ip_dynaddr
$IPTABLES -t mangle -A PREROUTING -j TCPMSS -p tcp --syn --set-mss 1400
$IPTABLES -t mangle -A PREROUTING -j TCPMSS -p tcp --tcp-flags SYN,ACK SYN,ACK --set-mss 1400

作者: ssffzz1 时间: 2010-03-17 17:52
哥哥，这是个什么脚本啊。晕死了。iptables-save 直接这样看看。

作者: goon86 时间: 2010-03-17 18:01
只有这个了，在嵌入式下都给改过了。。iptables的所有的都在这里了

作者: goon86 时间: 2010-03-17 18:03
只有这个了，在嵌入式下都给改过了。。iptables的所有的都在这里了。。，没有iptables-save
/ # iptables-save
/bin/sh: iptables-save: not found

作者: goon86 时间: 2010-03-17 18:04
/ # iptables -L
Chain INPUT (policy ACCEPT)
target    prot opt source             destination
DROP    tcp  --  anywhere          anywhere          tcp dpt:http

Chain FORWARD (policy ACCEPT)
target    prot opt source             destination
ACCEPT    47 --  anywhere          192.168.1.0/24
ACCEPT    47 --  192.168.1.0/24    anywhere
ACCEPT    tcp  --  192.168.1.0/24    anywhere          tcp dpt:1723
DROP    all  -- !192.168.1.0/24    anywhere
DROP    tcp  --  anywhere          anywhere          tcp spts:137:139
DROP    udp  --  anywhere          anywhere          udp spts:137:139
DROP    tcp  --  anywhere          anywhere          tcp spt:635
DROP    udp  --  anywhere          anywhere          udp spt:635
DROP    tcp  --  anywhere          anywhere          tcp spt:2049
DROP    udp  --  anywhere          anywhere          udp spt:2049
DROP    tcp  --  anywhere          anywhere          tcp spt:111
DROP    udp  --  anywhere          anywhere          udp spt:111
ACCEPT    all  --  192.168.1.0/24    anywhere          state NEW,RELATED,ESTABLISHED
ACCEPT    all  -- !192.168.1.0/24    anywhere          state RELATED,ESTABLISHED
ACCEPT    all  --  anywhere          192.168.1.0/24    state RELATED,ESTABLISHED
ACCEPT    all  --  192.168.2.1       anywhere          state NEW,RELATED,ESTABLISHED
ACCEPT    all  -- !192.168.2.1       anywhere          state RELATED,ESTABLISHED
ACCEPT    all  --  anywhere          192.168.2.1       state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target    prot opt source             destination
/ #

作者: ssffzz1 时间: 2010-03-17 18:23
你把ICMP完全放开，再此时一次试试。太奇怪了。

作者: goon86 时间: 2010-03-17 18:32
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

还是不行

作者: goon86 时间: 2010-03-17 18:33
/ # iptables -L
Chain INPUT (policy ACCEPT)
target    prot opt source             destination
ndsRTR    all  --  anywhere          anywhere
ACCEPT    icmp --  anywhere          anywhere          icmp echo-request
DROP    tcp  --  anywhere          anywhere          tcp dpt:http

Chain FORWARD (policy ACCEPT)
target    prot opt source             destination

作者: ssffzz1 时间: 2010-03-18 17:05
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

哦。网络拓扑有吗？我看。

作者: luren04 时间: 2010-03-18 17:29
关注中。。。。。。

作者: shenbo7 时间: 2010-03-22 09:38
持续关注中。。。。

作者: xthaha 时间: 2010-03-24 14:28
提示: 作者被禁止或删除内容自动屏蔽

作者: hyagami 时间: 2010-03-24 14:48

你好，
有台linux设备做路由器有三张网卡
wan eth0,
lan eth1 192.168.1.1,
lan eth2 192.168.2.1
eth1内有台设备a 192.168.1.10
eth2内有台设备b 192.168.2.20
当设备a的网关设定成192.168.1.1时，设备b能ping通设备a，但设备a的网关为其他时，设备bping不通a。
试过在a上设置路由表route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1 dev eth0，却没有效果。
请教有什么方法能使a的默认网关非 192.168.1.1时，b也能ping通a。
谢谢！
goon86 发表于 2010-03-16 22:07

画个拓扑上来吧，照你这么说a网关不设定192.168.1.1，改成192.168.2.1也不会这么复杂啊，难道网关还设成别的？

作者: xthaha 时间: 2010-03-24 15:11
提示: 作者被禁止或删除内容自动屏蔽

作者: hyagami 时间: 2010-03-24 17:07
回复 37# xthaha

搞糊涂了，只是觉得即使a机器网关不是192.168.1.1或是不设也有办法让b ping
通的

欢迎光临 Chinaunix (http://bbs.chinaunix.net/)