OpenSUSE 11 server as a router

So, I have been trying to set up my server as the front-end router for my local network. The reason is that my server downloads a LOT of multimedia, and the current router is not up to it. I don't want to buy a new router, because the ones that might be good enough are quite expensive. Fortunately, I have seen a few setups where the server acts as the router itself.

My new setup will look like this:

    WAN - ISP -|-> My server -> Home router -> Local computer 1
                                     ^-> Local computer 2
                                     '-> possibly a switch ...

I did a search and luckily found this tutorial, which describes the same setup – an OpenSUSE server as a router. However, I noticed that the tutorial is a bit off, mainly because my server has a different version of YaST.

Nevertheless, I followed it as best I could, using lower-level commands (in the terminal) to accomplish the same thing. It took a while, but I think the result is the same.

Unfortunately, it did not work.

Here is what I have managed so far:

  • Two network cards: one is the PCI device running as /dev/eth0 (on-board, internal), the other is /dev/eth1 (PCI, external card).
  • eth1 is set to a DHCP address, easily gets an IP address from the ISP (I have a static one, so it is always the same) and connects. This one definitely works, because I can use the Internet on the server.
  • eth0 is set to the static IP 192.168.0.1.
  • The DHCP server running on eth0 works; connected computers can get an IP address even when the DHCP server on the router is turned off.

Apparently now not even the DHCP server works. I am using the ISC DHCP server for this; I don't know whether that is the best choice.

The last part I need is to somehow bridge or connect the two cards, so that the computers connected (via the router) to eth0 can access the Internet through eth1. In the tutorial this is done simply with "masquerading", i.e. allowing the internal zone (eth0) to access the Internet via the external zone (eth1). Apparently this part is the same in YaST and in my tutorial. However, I think it is not working. I tried setting it up with YaST, then I used the terminal, but it made no difference.

I guess the masquerading itself might be working, but the computers are not connecting properly? Or it is masquerading's fault. In any case, using ping, I can ping 192.168.0.1 with a very fast and successful response.

What am I doing wrong? Feel free to ask any questions (most likely I forgot something) and I will gladly respond.

iptables -L:

    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere            state ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere            state RELATED
    input_int  all  --  anywhere             anywhere
    input_ext  all  --  anywhere             anywhere
    input_int  all  --  anywhere             anywhere
    LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
    DROP       all  --  anywhere             anywhere

    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
    forward_int  all  --  anywhere           anywhere
    forward_ext  all  --  anywhere           anywhere
    LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '
    DROP       all  --  anywhere             anywhere

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
    LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '

    Chain forward_ext (1 references)
    target     prot opt source               destination
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp destination-unreachable
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp time-exceeded
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp parameter-problem
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp timestamp-reply
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp address-mask-reply
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp protocol-unreachable
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp redirect
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    DROP       all  --  anywhere             anywhere            PKTTYPE = multicast
    DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
    LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
    LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
    LOG        udp  --  anywhere             anywhere            limit: avg 3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
    DROP       all  --  anywhere             anywhere

    Chain forward_int (1 references)
    target     prot opt source               destination
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp destination-unreachable
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp time-exceeded
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp parameter-problem
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp timestamp-reply
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp address-mask-reply
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp protocol-unreachable
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp redirect
    ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
    DROP       all  --  anywhere             anywhere            PKTTYPE = multicast
    DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
    LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
    LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
    LOG        udp  --  anywhere             anywhere            limit: avg 3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
    reject_func  all  --  anywhere           anywhere

    Chain input_ext (1 references)
    target     prot opt source               destination
    DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
    ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
    LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:ftp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
    LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
    LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:lm-x flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:lm-x
    LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:http flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:lm-x
    LOG        tcp  --  192.168.0.1          anywhere            tcp spt:lm-x dpt:lm-x state NEW limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC '
    ACCEPT     tcp  --  192.168.0.1          anywhere            tcp spt:lm-x dpt:lm-x
    DROP       all  --  anywhere             anywhere            PKTTYPE = multicast
    DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
    LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
    LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
    LOG        udp  --  anywhere             anywhere            limit: avg 3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
    DROP       all  --  anywhere             anywhere

    Chain input_int (2 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere

    Chain reject_func (1 references)
    target     prot opt source               destination
    REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
    REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
    REJECT     all  --  anywhere             anywhere            reject-with icmp-proto-unreachable

iptables -t nat -L:

    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    MASQUERADE all  --  anywhere             anywhere

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

DHCP server configuration:

    authoritative;

    subnet 192.168.0.0 netmask 255.255.255.0 {
        range 192.168.0.100 192.168.0.200;
        option ip-forwarding on;
        default-lease-time 7200;
        max-lease-time 86400;
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.0.255;
        option routers 192.168.0.1;
        option domain-name "domain-local.sk";   # I really don't know what I should put here.
        option domain-name-servers 192.168.0.1;
    }

Maybe you just need to enable IPv4 forwarding (routing), like this:

    echo 1 > /proc/sys/net/ipv4/ip_forward

(The default is 0. I set up Debian as a firewall two days ago and this helped ;))

Edit

This script saves and then deletes all entries in iptables and sets up a basic configuration with masquerading from the internal network.

    #!/bin/bash

    # saving old iptables-configuration
    iptables-save > /home/xxusernamexx/iptables-saved.out

    # delete all existing rules and chains
    iptables -F
    iptables -t nat -F
    iptables -X
    iptables -Z
    iptables -t nat -Z

    # setting up masquerade
    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

    # forwarding for answer-packets from the internet
    iptables -A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -o eth1 -j ACCEPT
    iptables -A FORWARD -j LOG --log-ip-options --log-prefix fwd-drop
    iptables -A FORWARD -j DROP

    # allowing loopback and internal connections
    iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 80 -j ACCEPT      # for your webserver
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT  # edited
    # comment out the following line if you do not want to allow ping from external
    iptables -A INPUT -p icmp --icmp-type 8 -i eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i eth0 -j ACCEPT                               # for connections from lan-nic
    iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -j LOG --log-ip-options --log-prefix io-drop
    iptables -A INPUT -j DROP

    iptables -A OUTPUT -j ACCEPT                                      # edited
    iptables -A OUTPUT -p icmp --icmp-type 0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A OUTPUT -j LOG --log-ip-options --log-prefix io-drop
    iptables -A OUTPUT -j DROP

    # just to make sure that routing is enabled
    echo 1 > /proc/sys/net/ipv4/ip_forward

Try this script. I can't really test it, because my eth1/eth0 interfaces are the other way round, but I wrote it based on my own configuration. To be safe, the script exports your current iptables configuration to your home folder. It can be restored with iptables-restore < filename

Edit: added iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT and removed -m state --state RELATED,ESTABLISHED from the first rule in OUTPUT, so that the server can reach every network (e.g. to query DNS servers)

Edit 2: Problem solved. There were several misconfigured things:

iptables: we had to change the script slightly to make it work fully (also edited in my answer).

DHCP: dhcpd was configured to use "192.168.0.1" as the DNS server. But the server is not running a DNS server. We configured it to the ISP's DNS servers.

Router: the server was plugged into the router's WAN port. This made the router drop several packets from the clients to the server (and back). Aurel plugged it into a LAN port and it worked.
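Pulling the findings of Edit 2 together with the dhcpd.conf from the question, here is an added example of my own (not the answerer's script and not the asker's configuration): a small POSIX shell library that renders a stateful NAT ruleset in iptables-restore format, so the whole set is loaded atomically instead of rule by rule, plus two checks for the things that actually turned out to be wrong in this thread: the ip_forward sysctl, and a dhcpd.conf that hands out the router's own address as DNS server although nothing listens on port 53 there. The interface names eth0/eth1 and the 192.168.0.0/24 subnet come from the question; the dhcpd.conf fragment the script writes is a constructed sample, and 203.0.113.53 is a placeholder for the ISP's resolver.

```shell
#!/bin/sh
# Added example (not the poster's or answerer's code): render a stateful NAT
# ruleset for iptables-restore and check the two settings that Edit 2 found
# broken. eth0/eth1 and 192.168.0.0/24 are the values from the question.

WAN_IF="${WAN_IF:-eth1}"               # card facing the ISP (DHCP)
LAN_IF="${LAN_IF:-eth0}"               # card facing the home router / LAN
LAN_NET="${LAN_NET:-192.168.0.0/24}"

# render_ruleset WAN LAN LAN_NET
# Prints a complete iptables-restore file: INPUT and FORWARD default to DROP,
# return traffic is matched by conntrack, only the LAN may go out via WAN, and
# only LAN sources are masqueraded. Loading one file atomically avoids the
# half-applied state left behind when a rule-by-rule script aborts midway.
render_ruleset() {
    wan=$1; lan=$2; net=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $lan -s $net -j ACCEPT
# DHCPDISCOVER arrives from source 0.0.0.0, so the -s rule above never sees it
-A INPUT -i $lan -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i $wan -p icmp -m icmp --icmp-type echo-request -m limit --limit 5/sec -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "rtr-in-drop: "
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $lan -o $wan -s $net -j ACCEPT
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "rtr-fwd-drop: "
COMMIT
EOF
}

# forwarding_enabled [FILE]
# Returns 0 when the kernel forwards IPv4. FILE defaults to the live /proc
# entry; passing a path lets the check run against a captured copy.
forwarding_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] || return 2
    [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}

# dhcp_dns_servers CONF
# Prints every address given in "option domain-name-servers a, b;" lines.
dhcp_dns_servers() {
    awk '$1 == "option" && $2 == "domain-name-servers" {
             gsub(/[;,]/, " ")              # re-split so "a, b;" becomes fields a b
             for (i = 3; i <= NF; i++) { if ($i == "#") break; print $i }
         }' "$1"
}

# dhcp_dns_is_self CONF LOCAL_IP
# Returns 0 (a finding) when dhcpd hands out LOCAL_IP as DNS server; that is
# only right if a resolver really listens on LOCAL_IP:53.
dhcp_dns_is_self() {
    dhcp_dns_servers "$1" | grep -qxF -- "$2"
}

# write_demo_dhcpd_conf FILE DNS
# Constructed sample modelled on the dhcpd.conf in the question.
write_demo_dhcpd_conf() {
    cat > "$1" <<EOF
authoritative;
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.100 192.168.0.200;
    option routers 192.168.0.1;
    option domain-name-servers $2;    # placeholder resolver address
}
EOF
}

# Stand-alone run: show the ruleset and the state of the forwarding knob.
render_ruleset "$WAN_IF" "$LAN_IF" "$LAN_NET"
if forwarding_enabled; then
    echo "# ip_forward is on"
else
    echo "# ip_forward is off or unreadable: echo 1 > /proc/sys/net/ipv4/ip_forward"
fi
```

Load it as root with `render_ruleset eth1 eth0 192.168.0.0/24 | iptables-restore`, and make forwarding survive a reboot with `net.ipv4.ip_forward = 1` in /etc/sysctl.conf rather than relying on the echo in a script. Two details the answer's script leaves out: the `-s` on the MASQUERADE rule stops the box from NATing anything that did not come from the LAN, and the explicit udp/67 rule matters because a DHCPDISCOVER has source 0.0.0.0 and therefore never matches a rule that filters on the LAN subnet. Once the home router sits on one of its own LAN ports with its DHCP off, as in Edit 2, it is just a switch, and the server's dhcpd and the rules above see the clients directly instead of through a second NAT.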