1. objective: to solve the problem of poor intercommunication quality between networks and carriers, connect two linux hosts of different carriers with a dual Nic and perform nat jump through iptablse to solve this problem. 2. main reference document: Iptables Guide. chm. the following documents refer to it. For a clear flowchart, See section 1 of the firewall for the private kitchen server of laruence. objective: to solve the problem of poor mutual access quality between different network operators, use a dual Nic to connect the linux hosts of two different carriers, use iptablse to perform nat jump to solve this network problem.
2. main reference document: Iptables Guide. chm. the following documents refer to it.
For a clear flowchart, see the firewall section of the private kitchen server edition of laruence.
3. main tables:
Filter: filter table. This table is used by default when no table is added. it is used for firewall rule filtering.
Nat: forwarding table for IP jump
Mangle: modifies some package attributes for traffic control and QOS. This table is rarely used and can be ignored.
4. Installation: Some systems are self-built, and some are not self-built or old ones need to be downloaded and then compiled and installed. See Article 2.
5. open the service: service
IptablesStart
Add boot start: chkconfig iptables on
6. check the service status (sometimes it is not displayed, for example, there is no rule in it)
Service iptables status -- can also be used to view all table chain rules
7. commands required to enable route forwarding
Echo "1">/proc/sys/net/ipv4/ip_forward -- this is a necessary command to enable forwarding. However, this operation is temporary and restored after the host is restarted, for permanent settings, see the following.
Echo "1">/proc/sys/net/ipv4/tcp_syncookies
Echo "1">/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
Modprobe ip_conntrack_ftp
Modprobe ip_nat_ftp
8. set the forwarding function permanently to prevent restart failures.
# Vi/etc/sysctl. conf
Net. ipv4.ip _ forward = 1
Net. ipv4.tcp _ syncookies = 1
# Sysctl-p (make the settings take effect immediately)
9. syntax format
Iptables [-t table] command [match] [target/jump]
-- Table
If not written, the filter table is used by default.
-- Command
See document 6.3
-- Match
See document 6.4
-- Target/jum
See document 6.5
10. single Nic instance: x ------> Guangzhou Data Center (transit host) 120.132.152.142: 9101 ------> carrier 219.140.165.20.: 80. -JMASQUERADE smart matching consumes a certain amount of cpu
Iptables-t nat-a prerouting-p tcp -- dport 9101-j DNAT -- to219.140.165.133: 80
Iptables-t nat-a postrouting-p tcp -- dport 80-j MASQUERADE
11. Dual-network instance: X ------> 183.62.178.85: 7001 ------> 158.250.56.154: 7001 ------> 112.90.176.35: 7001
Iptables-t nat-a prerouting-d 183.62.178.85-p tcp-m tcp -- dport 7001-j DNAT -- to-destination 112.90.176.35: 7001
Iptables-t nat-a postrouting-d 112.90.176.35-p tcp-m tcp -- dport 7001-j SNAT -- to-source 158.250.56.154
12. common commands:
-- Clear the PREROUTING chain of the nat table and proceed with caution.
Iptables-t nat-F PREROUTING
-- Clear the nat table POSTROUTING chain and proceed with caution.
Iptables-t nat-F POSTROUTING
-- Display details
Iptables-t nat-nvL -- line
-- Delete ID 88
Iptables-t nat-d prerouting 88
-- Save
Service iptables save or/etc/sysconfig/iptables save
-- Restart iptables
Service iptables restart
13. configure the generated file
/Etc/sysconfig/iptables # Current configuration
/Etc/sysconfig/iptables. save # Last configuration backup
14. telnet test
-- Add a static route ---------------
15. in the case of dual-network interfaces, not all two NICs in the environment can be pinged. this mainly depends on the settings of the upper-layer network provider. generally, user control cannot be changed. Only the NIC with the Gateway configured can be pinged, but this does not affect the use.
If only one machine can be pinged, you must add a route to solve the redirection problem.
If both of them can be pinged, although the jump can be successful, the egress is only the default gateway egress set by default, which is equivalent to solving only half of the network problem.
16. environment description:
Eth0: IPADDR = 183.62.178.85 GATEWAY = 183.62.178.94 -- telecom network
Eth1: IPADDR = 58.250.56.154 GATEWAY = 58.250.56.1 -- China Unicom network
Objective access: 112.90.176.35: 7001
Test path: telnet 183.62.178.85 7001
Path description: X ------> 183.62.178.85: 7001 ------> 158.250.56.154: 7001 ------> 112.90.176.35: 7001
Set the jump command as above
17. route adding:
Route adding: # route add-net 112.90.176.0 netmask route 255.255.0 gw58.250.56.1 eth1
Or # route add-net 112.90.176.0/24 gw58.250.56.1 eth1
Delete a route: # route delete-net 112.90.176.0 netmask route 255.255.0gw 58.250.56.1 eth1
Or # route delete-net 112.90.176.0/24 gw58.250.56.1 eth1
18. if the default gateway is China Telecom and the source address or destination address can be regarded as China Unicom, you must perform the above static routing on the source address or destination address of China Unicom.
19. after the host is restarted, the route will fail. Therefore, add it to/etc/rc. d/rc. local, if you accidentally restart the network card, it will also make the route invalid, then get/etc/rc. d/rc. find the script and run it again.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
