Iptables/arptables implement Single-IP level-1 second-level Routing

Iptables/arptables implement Single-IP level-1 second-level routing. Sometimes, you only have one IP address, but there are multiple devices, such as the computer assigned by the company, your own laptop, mobile phone, iPad, etc, obviously, the computer assigned by the company will be the top priority of your IP address, and other devices will not be able to access it. If you have a Linux BOX with a Wi-Fi module, you may want to establish a secondary route. However, at this time, the machines distributed by your company will be hidden behind this BOX, if your BOX is converted to a status-based MASQURADE address on the WAN port, it is impossible for all active accesses to your hidden work machine, unless you configure complex DNAT rules or routing rules. Now, things are different. You can configure this unique IP address on your work machine and use it on all other devices. Step: assume that your BOX has three Network Ports: eth0, eth1, and wlan0. The following are a series of operations: your unique IP address and Its Configuration: Address: 192.168.10.79/24 Gateway: 192.168.10.11. bridge all these ports brctl addbf br0brctl addif br0 eth0brctl addif br0 eth1brctl addif br0 wlan02. configure an IP address for br0 for WIFI (the dhcp pool and DNS configuration process are omitted) to limit the number of connected devices: ifconfig br0 172.20.1.1/283. option 1: Add a Secondary IP address to br0 to successfully Add the default route ifconfig br0: 0 192.168.10.255/23. Note that the above prefix 23 is worth noting that the original subnet mask is 255.255.255.0, decrease prefix by 1 In this case, you can use the broadcast address in the original network as an IP address, which does not conflict with any address. Route add default gw 192.168.10.1 4. optional 2: Use the force-onlink route to add the route ip route add 0.0.0.0/0 via 192.168.10.1 dev br0 onlink5. add the address conversion rule, the source address of any WIFI package is converted into your unique IP address iptables-t mangle-a prerouting-m physdev -- physdev-in wlan0-j MARK -- set-mark 100 iptables-t nat -a postrouting-m mark -- mark 100-j SNAT -- to-source 192.168.10.796. in the case of option 2, add arp because the force-onlink route is used, it means that there is no IP address in the same CIDR block as 192.168.10.0/24 on your BOX.. 168.10.1 when the default gateway sends packets, ARP requests may not be responded. This involves the arp_filter of the default gateway or the configuration of the equivalent configuration, because the arp request source is the unique address 172.20.1.1, the requested address is not in the same CIDR block! Therefore, an arptables rule is required: arptables-t mangle-a output-d 192.168.10.1-j mangle -- mangle-ip-s 192.168.10.79. In fact, when option 1 is selected, you have configured a 192.168.10.255 address. For the original network segment, it is a broadcast, but for the BOX, it is a conventional IP address, so ARP requests can be sent, the encapsulated source is 192.168.10.255. It can also be returned normally because the source in the request is 192.168.10.255. After it reaches the default gateway 192.168.10.1, it clearly belongs to the same network segment with the mask 255.255.255.0 and obtains 192.168.10.0/24, check passed. REPLY returns! Effect: The entire BOX is a HUB for your work machine, and its work is not affected! In addition, WIFI on the BOX leads to a subnet, which allows multiple devices to access. When the packets sent by these devices go out, the BOX will convert their source IP address to your unique IP address, the ip_conntrack mechanism ensures that the quintuple of all these device-related streams will not be repeated.