[Network Management] FW: Proxy ARP with Linux

Forum badges: 0
Posted 2008-10-29 01:12
http://www.sjdjweis.com/linux/proxyarp/

Proxy ARP with Linux
www.internetsolver.com | Other Linux Documents
By David Weis with Internet Solver, LLC

AKA: firewalling a subnet with a single IP address
Why and How

Proxy ARP basically means that a particular machine (such as a firewall) will respond to ARP requests for hosts other than itself. This can be used to make a firewall mostly disappear from the machines on a network.

For an example, say you have a /28 subnet from your ISP that is routed through a Cisco router. Your router appears at the IP of x.x.x.97 with a network address of x.x.x.96 and a broadcast address of x.x.x.111. This leaves a usable chunk of 14 addresses for your hosts.

If you wanted to firewall these hosts from the internet without using proxy arp, you would need to subnet your addresses and lose two more addresses for the new network and broadcast, plus half of your remaining IP's would be in the non-firewalled half.

Another method would be to have the firewall do port forwarding between all of the addresses to non-routed IP's (192.168.x.x) for your servers. Done properly, this would be okay. It isn't as transparent and may break some protocols like active FTP unless the firewall will compensate.

By using Proxy ARP, you can set up your machines in a DMZ to separate them from your client machines. This is also the least invasive method to set up, since you can keep the same IP's on all of the servers as you had when things weren't firewalled.

To set up the network, you will need a machine with at least two NIC's, three if you want to also masquerade client machines for outgoing access. Some variations on how I configured this are surely possible, but this is how I know how to do it and know that it does work. You will need a 2.4 series kernel, the iproute2 utility, and a recent iptables userspace program.

Doing it
You will need to set up the machine with the software mentioned above. Be sure to compile netfilter into the kernel by selecting yes for "Network Packet Filtering" under the "Networking Options" section. All of the pieces associated with netfilter are listed under "Netfilter Configuration" further down the list. It is probably easier to build each of the options into the kernel than use modules, there should be +- 22 choices to turn on.

Build your kernel, install it, and boot to make sure it functions. You should see some lines like

ip_conntrack (2046 buckets, 16368 max)
ip_tables: (c)2000 Netfilter core team

in the kernel boot messages (use dmesg if they went by too fast).

After you have your kernel running, build and install iproute2 and iptables. Instructions for doing so are in the packages themselves. Your distribution may have included them, but they are probably older ones. Grab the newest ones to make sure you have the right versions. Test them by running ip and iptables and see if they print something. Don't continue until they do.

After you have the above steps done, you will need to configure your network cards. This step should be done off of the network since you may end up with some conflicting addresses. Give two NIC's identical IP addresses, subnet masks, and gateways. The IP you choose needs to be an unused address on your network. In my case, I used x.x.x.98, since my router is at x.x.x.97. You could actually use about any address on the wire that isn't in use.

There is an example configuration available for download below that uses three NIC's, one for an internal 192.168.x.x network for client machines. If you want to create the file yourself, here are the steps. First off, enable Proxy ARP in the kernel. We'll assume your cards are eth0 and eth1.

echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp

Next, you will tell the kernel how to get to each of the two networks. When you are done, there will be a crossover cable from one NIC on your firewall to your router and the other NIC will be connected to the port on your hub/switch that the router was previously plugged in to. The kernel now thinks that the same machines are on each wire, which definitely won't work. We'll set it straight with these commands:

ip route del x.x.x.96/28 dev eth0
ip route del x.x.x.96/28 dev eth1
ip route add x.x.x.97 dev eth0
ip route add x.x.x.96/28 dev eth1

What we've done is first say that no network is reachable via either NIC, then say that the router (x.x.x.97) is connected to eth0 and the rest of your servers are hooked to eth1. I would suggest using this setup (router on eth0, servers on eth1) since the downloadable example assumes that.

We'll now use the ip command to verify our work. Running ip addr should yield something like this:

1: lo: <LOOPBACK,UP> mtu 3904 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:90:27:3f:23:9c brd ff:ff:ff:ff:ff:ff
    inet x.x.x.98/28 brd x.x.x.111 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:90:27:3f:4d:6c brd ff:ff:ff:ff:ff:ff
    inet x.x.x.98/28 brd x.x.x.111 scope global eth1

and ip route should show this

x.x.x.98 dev eth0  scope link
x.x.x.98 dev eth1  scope link
x.x.x.97 dev eth0  scope link
x.x.x.96/28 dev eth1  scope link
127.0.0.0/8 dev lo  scope link
default via x.x.x.97 dev eth0

After the routing tables and IP addresses look okay, you can turn on IP forwarding in the kernel by doing this:

echo 1 > /proc/sys/net/ipv4/ip_forward

At this point, you could take your new firewall, hook up the ethernet cables correctly, and have identical functionality (hopefully) to what you have now with no firewalling. Of course, this machine doesn't really do any firewalling, grab the IP tables howto from the link below and set up your tables. You can also use the example script provided below.

Troubleshooting
First, verify that you can ping all of the machines from the firewall, including the router. The main problem you can run into is that the router will probably cache the ARP entries for the machines for quite a while. The easiest way to solve that is to kill the power to your router and plug it back in. Try to ping again.

Let me know if you have any problems, there is a link to my email address at the bottom of the page, along with a place that you can post questions directly on this page.

Downloads

    * Example incorporating firewall and proxy arp

Other Sources of Information

    * Linux 2.4 Advanced Routing & Traffic Control
    * Netfilter Home

Other Stuff
This is a reply to a question on comp.os.linux.networking where I first explained how to do some of this. Above is a cleaned up response. It's here as a source for my copy and paste.

What you want is called proxy-arp. You would set the two NICS to both
have the same real IP address,
such as .55 in your second diagram. Then
you do this
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp

You will need to use the 2.4 kernel and get iproute2, then try these
commands

ip route del x.x.x.32/27 dev eth0
ip route del x.x.x.32/27 dev eth1
ip route add x.x.x.33 dev eth0
ip route add x.x.x.32/27 dev eth1

This tells the kernel that the router is the only thing reachable via
eth0 and the rest of the network is on eth1 (change as needed). This
will make the linux machine respond for the machines on either side.
Finally, do this

echo 1 > /proc/sys/net/ipv4/ip_forward

to enable routing. Either wait a while for the arp caches to expire or
restart your router. At that point you should be able to get back and
forth between the router and the other servers on the network. If you
look at your arp cache on a server, it will show the mac address of the
router as the mac address of eth1 on your linux firewall.

After you have this layer working, you can add your rules.

Good luck!
dave

"Norman D. Megill" wrote:
>
> I want to set up an IP filter in the following setup.  Right now every
> machine is connected directly to the internet with static (real) IP's in
> subnet X.Y.Z.32/27.  X.Y.Z.35-X.Y.Z.54 are DHCP'd with an NT server and
> the others are hard-configured in various machines.  There is currently
> no firewalling.
>
> Current setup:
>                                                          internet
>    other X.Y.Z.32/27 ------------------------------------ISP feed
>      NT/W98 machines      |                            X.Y.Z.32/27
>                           |                            gw=X.Y.Z.33
>                           |
>                           |
>                     NT web server
>                       X.Y.Z.60
>
> The management of the Windows-only office is more paranoid about Linux
> than about security, and furthermore wants no work disruption or risk
> caused by changing IP setups on various machines.  To demo an initial
> firewall, it must be "transparent" so that if it has a problem the
> internal network cable can be instantly unplugged from Linux and hooked
> back to the ISP feed to restore the current configuration.  My idea is
> that once we get it working we can slowly start to tighten things up,
> move the machines to masq'd/forwarded 192.168.x.x's, etc.
>
> Without getting into the security problems that will be initially
> present with this "firewall", if I don't get a "transparent" mode to
> work there is not going to be any firewall at all, or at best it might
> be an NT machine for management comfort.  The current setup has been in
> place for a few years with no apparent security problems, and "if it
> ain't broke don't fix it".
>
> Because both sides of the firewall are on the same subnet, I have not
> been able to get it to work after experimenting with all kinds of
> routing and ip setups.  I am starting to look at bridging, which may be
> the only solution, but the fact that it (I think) sets the NICs to
> promiscuous mode seems against the spirit of the firewall.  But before I
> give up I'll ask about it here.
>
> I am using RedHat 7.0 with kernel 2.2.16 and RH security updates.
>
> Experiment 1:
>                                   eth1       eth0
>    other X.Y.Z.32/27 ----------------- Linux -----------ISP feed
>      NT/W98 machines      |     X.Y.Z.55   X.Y.Z.56    X.Y.Z.32/27
>                           |                            gw=X.Y.Z.33
>                           |
>                           |
>                     NT web server
>                       X.Y.Z.60
>
> Experiment #1 doesn't work because a packet from the internet to
> the X.Y.Z.60 server makes the ISP gateway think that X.Y.Z.60 is
> on its local cable, and it sits there doing "arp who-has" for X.Y.Z.60.
> Of course Linux never responds because it only looks for packets
> to X.Y.Z.56.
>
> Experiment 2:  Same as Experiment 1 but added X.Y.Z.33 to eth1:0 and
> added X.Y.Z.60 to eth0:0
>
> Experiment #2 allows Linux to see the gateway arp's, but it seems to
> think the packets are for itself and I have found no way to
> transparently forward them to the eth1 side.
>
> Now, it seems that what I want should be theoretically possible, but I
> can't figure out how to make Linux do it (without promiscuous
> bridging).  Adding to my puzzlement is that Figure 3-2 on
>
>    http://www.bb-zone.com/FWHowTo/chapter3.html
>
> shows the exact setup I want.  The author seems to say that the
> FW_ROUTER variable just bypasses the spoofing filter, but that would not
> solve the problem (since for now I have ipchains completely open).  He
> references "the SuSE firewall script," but there is no FW_ROUTER
> variable in SuSE's firewals-2.6-33.rpm if that's the script he means.
>
> Thanks for any advice.
>
> --Norm


djweis@internetsolver.com

[ This post was last edited by aha120 on 2008-10-29 13:59 ]
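The "verify our work" and "Troubleshooting" steps of the article above can be scripted. What follows is an added example, not David Weis's code and not part of the forum post. It assumes the interface roles the article uses (router on eth0, servers on eth1), reads the text of `ip route` and `ip neigh` plus the proxy_arp/ip_forward sysctls, and runs here on constructed sample data in the 203.0.113.0/24 documentation range; the eth1 MAC is the one from the article's own `ip addr` listing, and the helper names are this example's, not the article's.

```shell
#!/bin/sh
# proxyarp_check.sh -- verify the end state the article describes:
#   router /32 on the outside NIC, whole subnet on the DMZ NIC, default via
#   the router, proxy_arp + ip_forward on, and (seen from a DMZ host) the
#   router's ARP entry resolving to the firewall's DMZ-side MAC.
# Added example; all sample data below is constructed.

# has_route ROUTES DEST IFACE: 0 if `ip route` text contains "DEST dev IFACE ..."
has_route() {
    printf '%s\n' "$1" | awk -v d="$2" -v i="$3" \
        '$1 == d && $2 == "dev" && $3 == i { found = 1 } END { exit !found }'
}

# has_default_via ROUTES GW IFACE: 0 if the default route goes via GW on IFACE
has_default_via() {
    printf '%s\n' "$1" | awk -v g="$2" -v i="$3" \
        '$1 == "default" && $2 == "via" && $3 == g && $4 == "dev" && $5 == i { found = 1 }
         END { exit !found }'
}

# check_routes ROUTES OUT_IF DMZ_IF ROUTER SUBNET
# Also insists that the subnet route is gone from the outside NIC; if it is
# still there the kernel believes the servers sit on both wires.
check_routes() {
    has_route "$1" "$4" "$2" || return 1
    has_route "$1" "$5" "$3" || return 1
    has_default_via "$1" "$4" "$2" || return 1
    if has_route "$1" "$5" "$2"; then return 1; fi
    return 0
}

# router_mac NEIGH ROUTER: the lladdr an `ip neigh` listing holds for ROUTER
router_mac() {
    printf '%s\n' "$1" | awk -v r="$2" \
        '$1 == r { for (k = 1; k < NF; k++) if ($k == "lladdr") print tolower($(k + 1)) }'
}

# check_arp NEIGH ROUTER FW_DMZ_MAC: on a DMZ host the router must resolve to
# the firewall's DMZ-side MAC; anything else means a stale or missing entry.
check_arp() {
    [ "$(router_mac "$1" "$2")" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]
}

# check_sysctls ROOT OUT_IF DMZ_IF: proxy_arp on both NICs and ip_forward,
# read below ROOT ("" on a live box, a fixture directory when testing)
check_sysctls() {
    root=$1
    for f in "conf/$2/proxy_arp" "conf/$3/proxy_arp" "ip_forward"; do
        [ "$(cat "$root/proc/sys/net/ipv4/$f" 2>/dev/null)" = 1 ] || return 1
    done
    return 0
}

# --- constructed sample data (shape of the article's `ip route` output) ---
SAMPLE_ROUTES='203.0.113.98 dev eth0  scope link
203.0.113.98 dev eth1  scope link
203.0.113.97 dev eth0  scope link
203.0.113.96/28 dev eth1  scope link
127.0.0.0/8 dev lo  scope link
default via 203.0.113.97 dev eth0'

# constructed `ip neigh` from a DMZ server after the router's old entry expired
SAMPLE_NEIGH='203.0.113.97 dev eth0 lladdr 00:90:27:3f:4d:6c REACHABLE
203.0.113.100 dev eth0 lladdr 00:50:56:aa:bb:cc STALE'

if check_routes "$SAMPLE_ROUTES" eth0 eth1 203.0.113.97 203.0.113.96/28; then
    echo "routes: ok"
else
    echo "routes: unexpected"
fi
if check_arp "$SAMPLE_NEIGH" 203.0.113.97 00:90:27:3F:4D:6C; then
    echo "arp: router resolves to firewall DMZ MAC"
else
    echo "arp: router entry stale or missing"
fi
```

On a live box, feed `"$(ip route)"` and `"$(ip neigh)"` in place of the samples and pass `""` as the sysctl root; a failing `check_arp` after cabling is the symptom the article's troubleshooting section addresses with a router power cycle.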

Forum badges: 0
Posted 2008-10-29 09:00

Reply to post #1 by aha120

This is quite good stuff, worth learning from.

Forum badges: 0
Posted 2008-10-29 23:43


http://bbs.chinaunix.net/viewthread.php?tid=598801

#Ip forward
/sbin/sysctl -w net.ipv4.conf.all.forwarding=1

#Enable proxy-arp
/sbin/sysctl -w net.ipv4.conf.eth0.proxy_arp=1
/sbin/sysctl -w net.ipv4.conf.eth1.proxy_arp=1


http://www.unix.com/members/45658.html

[ This post was last edited by aha120 on 2008-11-8 23:06 ]

Proxy ARP.pdf

23.21 KB, downloads: 71

Forum badges: 0
Posted 2008-11-06 11:47
* Example incorporating firewall and proxy arp


#!/bin/sh

# make me executable (chmod a+x rc.firewall ) and run me on boot

#
# djweis@internetsolver.com
# iptables firewall script
# this script is meant to be run once per boot
# the rules will be double added if you try to run it twice
# if you need to add another rule during runtime, change the
# -A to a -I to add it to the top of the list of rules
# if you use -A it will go at the end after the reject rule
#


# interface definitions
BAD_IFACE=eth0

DMZ_IFACE=eth1
DMZ_ADDR=x.x.x.96/28

GOOD_IFACE=eth2
GOOD_ADDR=192.168.1.0/24

MASQ_SERVER=x.x.x.98
FTP_SERVER=x.x.x.100
MAIL_SERVER=x.x.x.99
MAIL_SERVER_INTERNAL=192.168.1.3

# testing
#set -x

ip route del x.x.x.96/28 dev $BAD_IFACE
ip route del x.x.x.96/28 dev $DMZ_IFACE
ip route add x.x.x.97 dev $BAD_IFACE
ip route add x.x.x.96/28 dev $DMZ_IFACE

# we need proxy arp for the dmz network
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp

# turn on ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# turn on antispoofing protection
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done

# flush all rules in the filter table
#iptables -F

# flush built in rules
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD

# deny everything for now
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j DROP

# make the chains to define packet directions
# bad is the internet, dmz is our dmz, good is our masqed network
iptables -N good-dmz
iptables -N bad-dmz
iptables -N good-bad
iptables -N dmz-good
iptables -N dmz-bad
iptables -N bad-good

iptables -N icmp-acc

# accept related packets
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# internal client masqing
iptables -t nat -A POSTROUTING -s $GOOD_ADDR -o $BAD_IFACE -j SNAT --to $MASQ_SERVER
# mail server masqing
iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport smtp -j DNAT --to $MAIL_SERVER_INTERNAL:25
iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport http -j DNAT --to $MAIL_SERVER_INTERNAL:80
iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport https -j DNAT --to $MAIL_SERVER_INTERNAL:443
# to allow the above to work you need something like
# iptables -A bad-good -p tcp --dport smtp -d $MAIL_SERVER_INTERNAL -j ACCEPT

# set which addresses jump to which chains
iptables -A FORWARD -s $GOOD_ADDR -o $DMZ_IFACE -j good-dmz
iptables -A FORWARD -s $GOOD_ADDR -o $BAD_IFACE -j good-bad

iptables -A FORWARD -s $DMZ_ADDR -i $DMZ_IFACE -o $BAD_IFACE -j dmz-bad
iptables -A FORWARD -s $DMZ_ADDR -i $DMZ_IFACE -o $GOOD_IFACE -j dmz-good

iptables -A FORWARD -o $DMZ_IFACE -j bad-dmz
iptables -A FORWARD -o $GOOD_IFACE -j bad-good

# drop anything that doesn't fit these
iptables -A FORWARD -j LOG --log-prefix "chain-jump "
iptables -A FORWARD -j DROP

# icmp acceptance
iptables -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type echo-request -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type echo-reply -j ACCEPT
# iptables -A icmp-acc -j LOG --log-prefix "icmp-acc "
iptables -A icmp-acc -j DROP

# from internal to dmz
iptables -A good-dmz -p tcp --dport smtp -j ACCEPT
iptables -A good-dmz -p tcp --dport pop3 -j ACCEPT
iptables -A good-dmz -p udp --dport domain -j ACCEPT
iptables -A good-dmz -p tcp --dport domain -j ACCEPT
iptables -A good-dmz -p tcp --dport www -j ACCEPT
iptables -A good-dmz -p tcp --dport https -j ACCEPT
iptables -A good-dmz -p tcp --dport ssh -j ACCEPT
iptables -A good-dmz -p tcp --dport telnet -j ACCEPT
iptables -A good-dmz -p tcp --dport auth -j ACCEPT
iptables -A good-dmz -p tcp --dport ftp -j ACCEPT
iptables -A good-dmz -p tcp --dport 1521 -j ACCEPT
iptables -A good-dmz -p icmp -j icmp-acc
iptables -A good-dmz -j LOG --log-prefix "good-dmz "
iptables -A good-dmz -j DROP

# from external to dmz
iptables -A bad-dmz -p tcp --dport smtp -j ACCEPT
iptables -A bad-dmz -p udp --dport domain -j ACCEPT
iptables -A bad-dmz -p tcp --dport domain -j ACCEPT
iptables -A bad-dmz -p tcp --dport www -j ACCEPT
iptables -A bad-dmz -p tcp --dport https -j ACCEPT
iptables -A bad-dmz -p tcp --dport ssh -j ACCEPT
iptables -A bad-dmz -p tcp -d $FTP_SERVER --dport ftp -j ACCEPT
iptables -A bad-dmz -p icmp -j icmp-acc
iptables -A bad-dmz -j LOG --log-prefix "bad-dmz "
iptables -A bad-dmz -j DROP

# from internal to external
iptables -A good-bad -j ACCEPT
# iptables -t nat -A POSTROUTING -o $BAD_IFACE -j SNAT --to $MASQ_SERVER
#iptables -A good-bad -p tcp -j MASQ
#iptables -A good-bad -p udp -j MASQ
#iptables -A good-bad -p icmp -j MASQ
#ipchains -A good-bad -p tcp --dport www -j MASQ
#ipchains -A good-bad -p tcp --dport ssh -j MASQ
#ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ
#ipchains -A good-bad -p tcp --dport ftp -j MASQ
#ipchains -A good-bad -p icmp --icmp-type ping -j MASQ
#ipchains -A good-bad -j REJECT -l

# from dmz to internal
# iptables -A dmz-good -p tcp ! --syn --sport smtp -j ACCEPT
iptables -A dmz-good -p tcp --dport smtp -j ACCEPT
iptables -A dmz-good -p tcp --sport smtp -j ACCEPT
iptables -A dmz-good -p udp --sport domain -j ACCEPT
iptables -A dmz-good -p tcp ! --syn --sport domain -j ACCEPT
iptables -A dmz-good -p tcp ! --syn --sport www -j ACCEPT
iptables -A dmz-good -p tcp ! --syn --sport ssh -j ACCEPT
iptables -A dmz-good -p tcp -d 192.168.1.34 --dport smtp -j ACCEPT
iptables -A dmz-good -p icmp -j icmp-acc
iptables -A dmz-good -j LOG --log-prefix "dmz-good "
iptables -A dmz-good -j DROP

# from dmz to external
iptables -A dmz-bad -p tcp --dport smtp -j ACCEPT
iptables -A dmz-bad -p tcp --sport smtp -j ACCEPT
iptables -A dmz-bad -p udp --dport domain -j ACCEPT
iptables -A dmz-bad -p tcp --dport domain -j ACCEPT
iptables -A dmz-bad -p tcp --dport www -j ACCEPT
iptables -A dmz-bad -p tcp --dport https -j ACCEPT
iptables -A dmz-bad -p tcp --dport ssh -j ACCEPT
iptables -A dmz-bad -p tcp --dport ftp -j ACCEPT
iptables -A dmz-bad -p tcp --dport whois -j ACCEPT
iptables -A dmz-bad -p tcp --dport telnet -j ACCEPT
iptables -A dmz-bad -p udp --dport ntp -j ACCEPT
# ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ
iptables -A dmz-bad -p icmp -j icmp-acc
iptables -A dmz-bad -j LOG --log-prefix "dmz-bad "
iptables -A dmz-bad -j DROP

# from external to internal
iptables -A bad-good -p tcp --dport smtp -d $MAIL_SERVER_INTERNAL -j ACCEPT
iptables -A bad-good -p tcp --dport http -d $MAIL_SERVER_INTERNAL -j ACCEPT
iptables -A bad-good -p tcp --dport https -d $MAIL_SERVER_INTERNAL -j ACCEPT
iptables -A bad-good -j LOG --log-prefix "bad-good "
iptables -A bad-good -j REJECT

# rules for this machine itself
iptables -N bad-if
iptables -N dmz-if
iptables -N good-if

# set up the jumps to each chain
iptables -A INPUT -i $BAD_IFACE -j bad-if
iptables -A INPUT -i $DMZ_IFACE -j dmz-if
iptables -A INPUT -i $GOOD_IFACE -j good-if

# external iface
iptables -A bad-if -p icmp -j icmp-acc
iptables -A bad-if -j ACCEPT
#ipchains -A bad-if -i ! ppp0 -j DENY -l
#ipchains -A bad-if -p TCP --dport 61000:65095 -j ACCEPT
#ipchains -A bad-if -p UDP --dport 61000:65095 -j ACCEPT
#ipchains -A bad-if -p ICMP --icmp-type pong -j ACCEPT
#ipchains -A bad-if -j icmp-acc
#ipchains -A bad-if -j DENY

# dmz iface
iptables -A dmz-if -p icmp -j icmp-acc
iptables -A dmz-if -j ACCEPT

# internal iface
iptables -A good-if -p tcp --dport ssh -j ACCEPT
iptables -A good-if -p ICMP --icmp-type ping -j ACCEPT
iptables -A good-if -p ICMP --icmp-type pong -j ACCEPT
iptables -A good-if -j icmp-acc
iptables -A good-if -j DROP


# remove the complete blocks
iptables -D INPUT 1
iptables -D FORWARD 1
iptables -D OUTPUT 1
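A hand-maintained script like the one above invites copy-paste slips (an identical rule appended twice, which its own header comment warns happens when it is run twice per boot; a chain created but never jumped to; a jump to a chain whose name was mistyped). The following is an added example, not part of the posted script, that runs those three checks over an `iptables-save` dump. The ruleset it ships with is constructed to mirror the INPUT side of the script above and deliberately contains one of each defect; the function names are this example's own.

```shell
#!/bin/sh
# ruleset_audit.sh -- sanity checks over an `iptables-save` dump.
# Added example; the ruleset below is constructed.

# user_chains RULESET: names of user-defined chains (":name - [pkts:bytes]")
user_chains() {
    printf '%s\n' "$1" | awk '/^:/ && $2 == "-" { sub(/^:/, "", $1); print $1 }'
}

# jump_targets RULESET: every target named after -j in an -A rule
jump_targets() {
    printf '%s\n' "$1" | awk '/^-A / { for (k = 1; k < NF; k++) if ($k == "-j") print $(k + 1) }'
}

# find_duplicate_rules RULESET: identical -A lines appended more than once
find_duplicate_rules() {
    printf '%s\n' "$1" | grep '^-A ' | sort | uniq -d
}

# find_unreferenced_chains RULESET: user chains nothing jumps to, so the
# rules they hold never see a packet
find_unreferenced_chains() {
    for c in $(user_chains "$1"); do
        jump_targets "$1" | grep -qx -e "$c" || echo "$c"
    done
}

# find_missing_chains RULESET: -j targets that are neither a standard target
# nor a defined user chain (iptables-restore refuses such a dump outright)
find_missing_chains() {
    known='ACCEPT DROP REJECT RETURN LOG SNAT DNAT MASQUERADE'
    for t in $(jump_targets "$1" | sort -u); do
        case " $known " in *" $t "*) continue ;; esac
        user_chains "$1" | grep -qx -e "$t" || echo "$t"
    done
}

# audit_ruleset RULESET: print every finding, return 1 if there were any
audit_ruleset() {
    findings=$( {
        find_duplicate_rules "$1"     | sed 's/^/duplicate rule: /'
        find_unreferenced_chains "$1" | sed 's/^/unreferenced chain: /'
        find_missing_chains "$1"      | sed 's/^/missing chain: /'
    } )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# --- constructed dump: one duplicate rule, one orphan chain, one typo target ---
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:bad-if - [0:0]
:dmz-if - [0:0]
:good-if - [0:0]
:icmp-acc - [0:0]
:orphan - [0:0]
-A INPUT -i eth0 -j bad-if
-A INPUT -i eth1 -j dmz-if
-A INPUT -i eth2 -j good-if
-A bad-if -p icmp -j icmp-acc
-A bad-if -j ACCEPT
-A bad-if -p icmp -j icmp-acc
-A dmz-if -j ACCEPT
-A good-if -p tcp --dport 22 -j ACCEPT
-A good-if -j icmp-acc
-A good-if -j typo-chain
-A icmp-acc -p icmp --icmp-type 8 -j ACCEPT
-A icmp-acc -j DROP
COMMIT'

audit_ruleset "$SAMPLE_RULES" || echo "ruleset needs attention"
```

Run it against a live box with `audit_ruleset "$(iptables-save)"`; a clean ruleset prints nothing and returns 0, which makes it usable as a post-boot check after the script above has run.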

Forum badges: 0
Posted 2008-11-08 23:25
http://spike.samoa.net.ws/horde/ ... hp?page=ArpProxying

Table of Contents

   1. ARP PRoxying
         1. Build a new BOX
                     1. iptables
                     2. ip route
         2. Setting up
         3. A Specific Example
               1. The Gateway Box or Router
               2. The Arp Proxy server
                     1. Creating the Arp Proxy server
                     2. This is how things should now look:
               3. Making it permanent.
                     1. /etc/sysctl.conf
                     2. /etc/init.d/network


ARP PRoxying
Build a new BOX

Install what you want but not a firewall
Setup /sbin/modprobe ip_conntrack
ip_tables should already be running
Check with lsmod
iproute2 and iptables should be installed. Check with:

rpm -qa|grep iptab
iptables-1.2.11-3.1.RHEL4
rpm -qa|grep iprou
iproute-2.6.9-3.EL4.3

iptables

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

ip route

192.168.20.0/24 dev eth0  proto kernel  scope link  src 192.168.20.9
192.168.20.0/24 dev eth1  proto kernel  scope link  src 192.168.20.201
169.254.0.0/16 dev eth1  scope link
default via 192.168.20.3 dev eth0

Setting up

Run and then include these items in

echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
echo 1 > /proc/sys/net/ipv4/ip_forward

ip route del
A Specific Example
The Gateway Box or Router

Set up a router or a box as your gateway.
In my case this was a linux box housed at the other end of a wireless network

                -------(-        202.174.161.32/28        -)-------
               |                                                  |
202.174.161.45 -                                                  - 202.174.161.44:eth1[server]eth0:202.174.161.44

The Arp Proxy server

We have a small real ip network of 202.174.161.32/28.
The gateway is 202.174.161.45.
This is connected to our Arp Proxy Server, 202.174.161.44.
We now have the ability to build a DMZ behind this Arp Proxy Server that is seamless and totally transparent to the outside world.
We can firewall this as we please and have the appearance of the machines on this side of the DMZ appearing to be connected to the Internet, when in fact we have a firewall.
Creating the Arp Proxy server

    * Set up BOTH network cards to have the same IP address:

Eth0 is connected to the gateway

ifcfg-eth1
DEVICE=eth1
IPADDR=202.174.161.44
NETMASK=255.255.255.240
NETWORK=202.174.161.32
BROADCAST=202.174.161.47
ONBOOT=yes
BOOTPROTO=none
USERCTL=no


AND
Eth1 is connected to the internal switch for the rest of the 202.174.161.32/28 network.

ifcfg-eth0
DEVICE=eth0
IPADDR=202.174.161.44
NETMASK=255.255.255.240
NETWORK=202.174.161.32
BROADCAST=202.174.161.47
ONBOOT=yes
BOOTPROTO=none
USERCTL=no

    * Restart the Network:

/etc/init.d/network restart

    * Set up Proxy ARP in the Kernel:

echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
echo 1 > /proc/sys/net/ipv4/ip_forward

    * Create the route:

This needs to be added to both /etc/rc.d/rc.local & /etc/rc.d/init.d/network

Under /etc/rc.d/init.d/network add it to the end of the start) section just before the ;;

echo "Deleting Default routes"
route del default
ip route del 202.174.161.32/28 dev eth0
ip route del 202.174.161.32/28 dev eth1

echo "Creating New routes"
ip route add 202.174.161.45 dev eth0
ip route add 202.174.161.32/28 dev eth1
echo "Creating default GW"
route add default gw 202.174.161.45

This is how things should now look:

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
202.174.161.45  0.0.0.0         255.255.255.255 UH    0      0        0 eth0
202.174.161.32  0.0.0.0         255.255.255.240 U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
0.0.0.0         202.174.161.45  0.0.0.0         UG    0      0        0 eth0

ip route
202.174.161.45 dev eth0  scope link
202.174.161.32/28 dev eth1  scope link
169.254.0.0/16 dev eth1  scope link
default via 202.174.161.45 dev eth0

ip addr
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0d:9d:55:22:b1 brd ff:ff:ff:ff:ff:ff
    inet 202.174.161.44/28 brd 202.174.161.47 scope global eth0
    inet6 fe80::20d:9dff:fe55:22b1/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0e:2e:ae:df:b5 brd ff:ff:ff:ff:ff:ff
    inet 202.174.161.44/28 brd 202.174.161.47 scope global eth1
    inet6 fe80::20e:2eff:feae:dfb5/64 scope link
       valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0


The big question now is does this all hold together after a reboot, or do we need a script added to the network service to keep it all together.
And the answer is yes, we need more work.
After a reboot, with just the above, we no longer have proxy arp working.
So:
Making it permanent.
/etc/sysctl.conf

Edit this file and add these lines at the end:

net.ipv4.conf.eth0.proxy_arp = 1
net.ipv4.conf.eth1.proxy_arp = 1

/etc/init.d/network

Edit this file and add the following at the end of the Start section and before the { ;; }.

# Extra needed for the Proxy ARP
        echo -n Proxy ARP.

        echo -n .Kill Default GW.
        route del default

        echo -n .Kill Routes.
        ip route del 202.174.161.32/28 dev eth0
        ip route del 202.174.161.32/28 dev eth1

        echo -n .Add Routes.
        ip route add 202.174.161.45 dev eth0
        ip route add 202.174.161.32/28 dev eth1

        echo .Add Default GW.
        route add default gw 202.174.161.45


Editing the /etc/init.d/network file is a little messy, but it is late at night and I want to get this wiki finished and go to bed.
Having done all this there is only the fine tuning of the firewall to whatever we need.
We will be adding Netstat for Traffic accounting
SQUID for a proxy cache
SARG as a SQUID reporting agent
and Cacti as a monitoring tool.

Forum badges: 0
Posted 2008-11-14 15:22

Reply to post #1 by aha120

All of this is implemented in kernel space; what is used in practice today only scratches the surface.
Still a lot more to learn.