Configure iptables and static routes for dual-network access

Source: Internet
Author: User
Iptables + static routing: configuring dual-network access
Author: Unknown
-----------------------------------------------------------------
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
ip route replace default via <telecom gateway>
ip route add <education network address> via <education network gateway>
-----------------------------------------------------------------
The installation process is very simple. After installation, we need to modify the following files:
/etc/sysconfig/network: the master network settings file.
/etc/sysconfig/network-scripts/ifcfg-eth0: settings file for NIC eth0.
/etc/sysconfig/network-scripts/ifcfg-eth1: settings file for NIC eth1.
/etc/hosts: host name configuration.
/etc/sysconfig/static-routes: the static route table file.
/etc/rc.d/rc.local: the startup script that loads the iptables rules.
/etc/sysctl.conf: kernel parameters; this is where IP forwarding is enabled.
First we modify three files: ifcfg-eth2 (later connected to the China Netcom line, IP 11.11.11.11), ifcfg-eth1 (China Telecom line, IP 22.22.22.22) and ifcfg-eth0 (intranet). These are the NIC address files.
ifcfg-eth0 holds your intranet IP address and gateway (set these according to your own situation; any addressing that works for the intranet is fine), while ifcfg-eth1 and ifcfg-eth2 hold the Internet IP addresses and gateways.
Here is the content of the intranet file:
DEVICE=eth0                 # hardware device name
BOOTPROTO=static            # configuration method
BROADCAST=192.168.0.255     # broadcast address
IPADDR=192.168.0.1          # your IP address
NETMASK=255.255.255.0       # subnet mask
NETWORK=192.168.0.0         # address of the whole network segment
GATEWAY=192.168.0.1         # gateway
ONBOOT=yes                  # bring the NIC up at boot (usually enabled by default)
The other network cards are set up the same way, so I will not go over them.
After the settings are complete, edit the hosts file, i.e. the host name / workgroup configuration.
Once that is done, modify sysctl.conf, the IP forwarding file. IP forwarding is mandatory here. It can be written as follows (run sysctl -p afterwards to apply it):
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
kernel.sysrq = 0
Note that rp_filter = 1 is strict reverse-path filtering: for every incoming packet the kernel checks that its own route back to the packet's source would leave through the interface the packet arrived on, and drops it otherwise. That is a useful anti-spoofing control on a single-homed box, but on a two-line router with policy routing it can discard legitimate replies arriving on the line the main table would not have chosen for that source. If connections over the second line stall, set rp_filter to 2 (loose mode) on the WAN interfaces instead.
Then there is the static-routes file, the static route table file. It must be present. The syntax is:
eth0 net 192.168.0.0 netmask 255.255.255.0 gw 192.168.0.1
(device name, then "net" and the network address, "netmask" and the subnet mask, "gw" and the gateway address.)
Next, modify the resolv file (/etc/resolv.conf), which lists your DNS servers. Syntax:
nameserver 10.0.0.1
These are general setup steps and are actually very simple. Now for the part that matters: the dual-line access policy.
First, packets leaving either WAN port are source-masqueraded:
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
(-A means append. -I can be used instead, but -I is insert, which by default puts the rule in first position.)
Then add a route table numbered 11 with a default gateway, namely the gateway provided by China Netcom:
ip route add 0/0 via 11.11.11.11 table 11
Configure the gateway of the system's main route table; this is the China Telecom gateway:
ip route add 0/0 via 22.22.22.22
Then add routing rules so that all traffic to China Netcom addresses is looked up in route table 11:
ip rule add to 60.0.0.0/13 table 11
ip rule add to 60.8.0.0/15 table 11
ip rule add to 60.10.0.0/16 table 11
..........
These prefix lists can be borrowed from RouterOS configurations; there are plenty online, so I will not list them here. If you cannot find one, ask me; mine should be fairly complete.
Once this is set, all traffic to China Netcom is looked up in table 11 and everything else goes out via China Telecom. (If there are further lines, add another route table and policy rule for each.)
Note that when configuring the network cards you should not set the gateway there, and you should not use the old ifconfig/route commands to set it either; set the gateway with iproute2. Otherwise the two may conflict. Alternatively, use ip route replace in place of ip route add, so that an existing default route is overwritten rather than rejected.
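The procedure above pulled together as an added shell script; this is my example, not code from the original article. Interface names, gateways and the three prefixes are the article's placeholders. Three things are my additions and assumptions rather than part of the original: NET_ADDR (eth2's own public address) with a `from` rule so that replies to connections that arrived on the Netcom address go back out that line instead of following the main table to Telecom; loose rp_filter (2) on the WAN ports; and the duplicate-rule checks that let the script be re-run safely.

```shell
#!/bin/sh
# Added example (not code from the original article): the first approach above
# as one re-runnable script. Interface names, gateways and the three prefixes are
# the article's placeholders; NET_ADDR (eth2's own address) must be supplied.
set -eu

LAN_IF=eth0;  LAN_NET=192.168.0.0/24
TEL_IF=eth1;  TEL_GW=22.22.22.22      # China Telecom line: default route in the main table
NET_IF=eth2;  NET_GW=11.11.11.11      # China Netcom line: default route in table 11
NET_TABLE=11
: "${NET_ADDR:=}"                     # eth2's public address; assumption, set by the caller
NETCOM_PREFIXES="60.0.0.0/13 60.8.0.0/15 60.10.0.0/16"   # the article's sample list

: "${DRY_RUN:=1}"   # DRY_RUN=1 prints the commands; DRY_RUN=0 (as root) executes them

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

nat_masq() {   # MASQUERADE behind one WAN port, added only if not already present
    if [ "$DRY_RUN" = 1 ] || ! iptables -t nat -C POSTROUTING -o "$1" -j MASQUERADE 2>/dev/null; then
        run iptables -t nat -A POSTROUTING -o "$1" -j MASQUERADE
    fi
}

dualwan_setup() {
    # Kernel: forward, and use loose reverse-path filtering on the WAN ports.
    # Strict mode (1) would drop replies that arrive on the line the main
    # table would not have picked for that source (my addition, see lead-in).
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w "net.ipv4.conf.$TEL_IF.rp_filter=2"
    run sysctl -w "net.ipv4.conf.$NET_IF.rp_filter=2"

    nat_masq "$TEL_IF"
    nat_masq "$NET_IF"

    # Routes: replace (not add) so a gateway left in an ifcfg file does not conflict.
    run ip route replace default via "$NET_GW" dev "$NET_IF" table "$NET_TABLE"
    run ip route replace default via "$TEL_GW" dev "$TEL_IF"

    # ip rule add is not idempotent: clear this table's rules before re-adding.
    if [ "$DRY_RUN" != 1 ]; then
        while ip rule del table "$NET_TABLE" 2>/dev/null; do :; done
    fi
    for p in $NETCOM_PREFIXES; do           # destinations on Netcom -> table 11
        run ip rule add to "$p" table "$NET_TABLE"
    done
    # Replies to connections that came in on the Netcom address must leave the
    # same way, or the main table sends them out the Telecom line (addition).
    if [ -n "$NET_ADDR" ]; then
        run ip rule add from "$NET_ADDR" table "$NET_TABLE"
    fi
    run ip route flush cache
}

verify() {   # only meaningful after a real run: ask the kernel which path it picks
    ip route get 60.0.0.1 | grep -q "table $NET_TABLE" \
        || echo "WARN: 60.0.0.1 is not using table $NET_TABLE" >&2
    # 203.0.113.9 is a documentation-range stand-in for "any non-Netcom address"
    ip route get 203.0.113.9 | grep -q "via $TEL_GW" \
        || echo "WARN: default path is not the Telecom gateway" >&2
}

dualwan_setup
[ "$DRY_RUN" = 1 ] || verify
```

Run it as-is to print the commands it would issue (DRY_RUN defaults to 1); run `DRY_RUN=0 NET_ADDR=<eth2 address> sh dualwan.sh` as root to apply them, after which `ip route get` confirms which table a Netcom destination and an ordinary destination actually hit.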
Another approach is:

                    Internet
                       |
           China Telecom   China Netcom
                 |               |
                 +----switch-----+
                       |
                  eth1   eth2
                   [Server]
                     eth0
                       |
            _______________________
            Clients 192.168.0.0/24, gateway 192.168.0.254

eth0: 192.168.0.0/24 (intranet)
eth1: 2220.1.3/255.255.255.252 (China Telecom line; address as printed in the source)
eth2: 218.62.3.3/255.255.255.252 (China Netcom line)
The default gateway is China Netcom's 218.62.3.2.
The China Telecom gateway 222.161.2 is reached through routes added with ip route add for the destination prefixes that should use the Telecom line.
Some of the script is:
iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -d $TELECOM_IP -j SNAT --to 222.161.3
***
***
***
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to 218.62.3.3
Here $TELECOM_IP is a China Telecom destination prefix; the rule is repeated (the *** lines) for each prefix, and the catch-all rule at the end rewrites everything else to the China Netcom address. In this way, traffic to a given CIDR block is automatically switched to the China Telecom line.
Preliminary test: with the addresses switched per line, the intranet runs with two gateways side by side, 192.168.0.254/24 and 192.168.2.254/24; the speed is stable and the expected effect is achieved.
A script version of the same idea, using packet marks:
# echo "200 DIANXIN" >> /etc/iproute2/rt_tables    (this appends to the file and only needs to be run once)
# ip route replace default via 222.161.2 table DIANXIN
# ip rule add fwmark 1 table DIANXIN                (mind the rule order; check it with ip rule)
# iptables -t nat -F
# iptables -t mangle -F
# iptables -t mangle -A PREROUTING -i eth0 -s 192.168.0.0/24 -d 222.222.5.0/15 -j MARK --set-mark 1
# iptables -t mangle -A PREROUTING -i eth0 -s 192.168.0.0/24 -d 222.240.0.0/13 -j MARK --set-mark 1
# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 222.222.5.0/15 -j SNAT --to $DIANXIN
# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 222.240.0.0/13 -j SNAT --to $DIANXIN
# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to <address of the NIC on the China Netcom line>
# ip route flush cache
Here $DIANXIN holds the egress address on the China Telecom line. The two destination-specific SNAT rules must come before the catch-all rule, since -A appends and the first matching rule wins. As a result, traffic to 222.222.5.0/15 and 222.240.0.0/13 leaves through the China Telecom NIC via the China Telecom route, with the China Telecom egress address as its source.
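The fwmark script above, together with the SNAT-by-destination ordering of the previous approach, as an added re-runnable shell script; this is my example, not the article's code. The table name and ID, the mark value and the prefixes are the article's. TEL_GW and DIANXIN are documentation-range stand-ins, because the text's addresses are truncated, and must be overridden when applying. The idempotent rt_tables registration, flushing only the chains the script owns instead of whole tables, and the mark-aware `ip route get` check are my additions.

```shell
#!/bin/sh
# Added example (not code from the original article): the fwmark variant above as
# a re-runnable script. Table name/ID, the mark and the prefixes are the article's.
# TEL_GW and DIANXIN (the Telecom egress address) are documentation-range
# stand-ins for the truncated addresses in the text; override them when applying.
set -eu

LAN_IF=eth0;  LAN_NET=192.168.0.0/24
: "${TEL_GW:=203.0.113.1}"      # assumption: China Telecom gateway
: "${DIANXIN:=203.0.113.2}"     # assumption: our address on the China Telecom line
NETCOM_ADDR=218.62.3.3          # our address on the China Netcom line (from the text)
TEL_TABLE=DIANXIN; TEL_TABLE_ID=200; TEL_MARK=1
TEL_PREFIXES="222.222.5.0/15 222.240.0.0/13"   # as in the text; iptables masks the host bits
: "${RT_TABLES:=/etc/iproute2/rt_tables}"
: "${DRY_RUN:=1}"               # DRY_RUN=1 prints the commands; DRY_RUN=0 (as root) executes them

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# rt_table_register FILE ID NAME: append "ID NAME" unless that line is present,
# so repeated runs do not keep growing rt_tables as a plain echo >> would.
rt_table_register() {
    if ! grep -qE "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|\$)" "$1" 2>/dev/null; then
        printf '%s\t%s\n' "$2" "$3" >> "$1"
    fi
}

fwmark_setup() {
    run rt_table_register "$RT_TABLES" "$TEL_TABLE_ID" "$TEL_TABLE"
    run ip route replace default via "$TEL_GW" table "$TEL_TABLE"
    # one fwmark rule only: drop a previous copy before adding (skipped in dry run)
    [ "$DRY_RUN" = 1 ] || ip rule del fwmark "$TEL_MARK" table "$TEL_TABLE" 2>/dev/null || true
    run ip rule add fwmark "$TEL_MARK" table "$TEL_TABLE"
    # Flush only the chains this script owns rather than the whole nat/mangle tables.
    run iptables -t mangle -F PREROUTING
    run iptables -t nat -F POSTROUTING
    for p in $TEL_PREFIXES; do
        # mark in PREROUTING so the routing decision sees it, then SNAT to the Telecom address
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$p" \
            -j MARK --set-mark "$TEL_MARK"
        run iptables -t nat -A POSTROUTING -s "$LAN_NET" -d "$p" -j SNAT --to "$DIANXIN"
    done
    # Catch-all last: -A appends, and the first matching rule wins.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -j SNAT --to "$NETCOM_ADDR"
    run ip route flush cache
}

check_mark_path() {   # after a real run: which route does a marked packet to $1 take?
    ip route get "$1" mark "$TEL_MARK"
}

fwmark_setup
```

With DRY_RUN at its default the script only prints; `DRY_RUN=0 TEL_GW=<gateway> DIANXIN=<Telecom address> sh fwmark.sh` as root applies it, and `check_mark_path 222.240.0.1` should then report the DIANXIN table while the same address without the mark follows the main table.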