
Linux as a router with multiple Internet providers

  • February 1, 2016

Linux as a router: I have 3 Internet providers, each with its own modem.

Provider1, gateway address 192.168.1.1

connected to the Linux router's eth1 / 192.168.1.2

Provider2, gateway address 192.168.2.1

connected to the Linux router's eth2 / 192.168.2.2

Provider3, gateway address 192.168.3.1

connected to the Linux router's eth3 / 192.168.3.2

                                                                          ________
                                                  +------------+         /
                                                  |            |        |
                           +----------------------+ Provider 1 +--------|
       __                  |192.168.1.2           |192.168.1.1 |       /
   ___/  \_         +------+-------+              +------------+      |
 _/        \__      |    eth1      |              +------------+      /
/             \ eth0|              |192.168.2.2   |            |      |
|Client network -----+  ROUTER  eth2|--------------+ Provider 2 +------|     Internet
\10.0.0.0/24 __/    |              |              |192.168.2.1 |      |
  \__     __/       |    eth3      |              +------------+      \
     \___/          +------+-------+              +------------+       |
                           |192.168.3.2           |            |       \
                           +----------------------+ Provider 3 +-------|
                                                  |192.168.3.1 |       |
                                                  +------------+       \________

I want to route the clients in the 10.0.0.0/24 network to different gateways based on their source IP.

The interface for the client network is eth0 / 10.0.0.1, which is the default gateway for all clients.

For example:

10.0.0.11 should be routed to Provider1 @ eth1

10.0.0.12 should be routed to Provider2 @ eth2

...and so on...

I think I need to use ip route and iptables for SNAT, but I haven't figured out exactly how yet.

Here is the script I have so far.

IPv4 forwarding is enabled.

#!/bin/bash
# The table names must be registered in /etc/iproute2/rt_tables, e.g.
#   101 connection1
#   102 connection2
#   103 connection3
# otherwise every "table connectionN" command below fails.

# flush tables
ip route flush table connection1
ip route flush table connection2
ip route flush table connection3

# add the default gateways for each table
# (each table holds only a default route, so a marked client reaches
# everything, including the other providers' subnets, via its own provider)
ip route add table connection1 default via 192.168.1.1 dev eth1
ip route add table connection2 default via 192.168.2.1 dev eth2
ip route add table connection3 default via 192.168.3.1 dev eth3

# mark packets by client source address before the routing decision
iptables -t mangle -A PREROUTING -s 10.0.0.11 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -s 10.0.0.12 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -s 10.0.0.13 -j MARK --set-mark 3

# source NAT for each outgoing interface; conntrack reverses it for replies
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.1.2
iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source 192.168.2.2
iptables -t nat -A POSTROUTING -o eth3 -j SNAT --to-source 192.168.3.2

# select a routing table by mark; "ip rule add" without a pref puts these
# rules ahead of the main table (pref 32766), so they win over its default
ip rule add fwmark 1 table connection1
ip rule add fwmark 2 table connection2
ip rule add fwmark 3 table connection3

# default route for anything not marked above: eth2 (in the main table)
ip route replace default via 192.168.2.1 dev eth2
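The same topology written out as a re-runnable script, added here as an example (it is not the asker's script and not taken from the answer). It assumes the interface names, addresses and mark values from the question, the table names connection1..3, and an iproute2/kernel new enough for `suppress_prefixlength` on `ip rule` (3.12 or later). Two things it adds that the script above lacks: CONNMARK so that the reply half of every flow is routed by the same table as the client's packets, and a main-table lookup with the default route suppressed, so marked clients still reach the LAN and the modem subnets directly instead of via their provider. `DRY_RUN=1` prints every command instead of executing it.

```shell
#!/bin/sh
# Added example, not the asker's script: the setup the question describes,
# made re-runnable and inspectable.  DRY_RUN=1 prints every command instead
# of executing it.  Assumed: the interface names, addresses and mark values
# from the question, the table names connection1..3, and an iproute2/kernel
# that supports "suppress_prefixlength" (3.12 or later).
set -eu

LAN_IF=eth0
LAN_NET=10.0.0.0/24
DEFAULT_GW=192.168.2.1      # unmarked traffic leaves via eth2, as the question wants
DEFAULT_IF=eth2

# table      mark  wan-if  wan-ip        gateway
PROVIDERS='connection1 1 eth1 192.168.1.2 192.168.1.1
connection2 2 eth2 192.168.2.2 192.168.2.1
connection3 3 eth3 192.168.3.2 192.168.3.1'

# client-ip  mark   (clients not listed use the main table's default route)
CLIENT_MARKS='10.0.0.11 1
10.0.0.12 2
10.0.0.13 3'

run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# "ip route ... table NAME" only works for names registered in rt_tables
add_rt_table() { printf '%s %s\n' "$1" "$2" >> /etc/iproute2/rt_tables; }
ensure_rt_tables() {
    printf '%s\n' "$PROVIDERS" | {
        n=100
        while read -r table _rest; do
            grep -q "[[:space:]]$table\$" /etc/iproute2/rt_tables 2>/dev/null ||
                run add_rt_table "$n" "$table"
            n=$((n + 1))
        done
    }
}

setup_routing() {
    # consult main first but ignore its default route (prefix length 0), so
    # marked clients still reach the LAN and the modem subnets directly
    run ip rule del pref 500 2>/dev/null || true
    run ip rule add pref 500 lookup main suppress_prefixlength 0
    printf '%s\n' "$PROVIDERS" | while read -r table mark wanif wanip gw; do
        pref=$((1000 + mark))
        run ip rule del pref "$pref" 2>/dev/null || true     # idempotent re-run
        run ip route flush table "$table"
        run ip route add table "$table" default via "$gw" dev "$wanif" src "$wanip"
        run ip rule add fwmark "$mark" pref "$pref" lookup "$table"
    done
    # anything still unrouted falls through to main (pref 32766) and its default
    run ip route replace default via "$DEFAULT_GW" dev "$DEFAULT_IF"
}

setup_marking() {
    run iptables -t mangle -F PREROUTING
    # replies from the Internet do not carry the client's source address:
    # restore the connection's mark so both directions of a flow use one table
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j RETURN
    printf '%s\n' "$CLIENT_MARKS" | while read -r client mark; do
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$client" -j MARK --set-mark "$mark"
    done
    run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
}

setup_nat() {
    run iptables -t nat -F POSTROUTING
    # only rewrite LAN sources, and only on the provider link the packet leaves on
    printf '%s\n' "$PROVIDERS" | while read -r table mark wanif wanip gw; do
        run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$wanif" -j SNAT --to-source "$wanip"
    done
}

apply_all() {
    run sysctl -q -w net.ipv4.ip_forward=1
    ensure_rt_tables
    setup_routing
    setup_marking
    setup_nat
}

# "sh multiwan.sh apply" configures the router; "DRY_RUN=1 sh multiwan.sh apply" only prints.
if [ "${1:-}" = apply ]; then apply_all; fi
```

Check the result with `ip rule show` (the fwmark rules must sit between the pref-500 main lookup and the normal main rule at 32766) and `ip route show table connection1`. If `suppress_prefixlength` is not available, the equivalent is to add the LAN and modem subnets to each connectionN table by hand.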

Here is a similar setup from one of our routers (with some irrelevant stuff cut out). Note that this also handles incoming connections.

Note the use of variables rather than hard-coded mark numbers. Much easier to maintain! They are kept in a separate script which is sourced. The table names are in /etc/iproute2/rt_tables. The interface names are set in /etc/udev/rules.d/70-persistent-net.rules.

##### fwmark ######
iptables -t mangle -F
iptables -t mangle -X

iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j RETURN # if already set, we're done
iptables -t mangle -A PREROUTING -i wan      -j MARK --set-mark $MARK_CAVTEL
iptables -t mangle -A PREROUTING -i comcast  -j MARK --set-mark $MARK_COMCAST
iptables -t mangle -A PREROUTING -i vz-dsl   -j MARK --set-mark $MARK_VZDSL

iptables -t mangle -A POSTROUTING -o wan     -j MARK --set-mark $MARK_CAVTEL
iptables -t mangle -A POSTROUTING -o comcast -j MARK --set-mark $MARK_COMCAST
iptables -t mangle -A POSTROUTING -o vz-dsl  -j MARK --set-mark $MARK_VZDSL
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

##### NAT ######
iptables -t nat -F
iptables -t nat -X
for local in «list of internal IP/netmask combos»; do
   iptables -t nat -A POSTROUTING -s $local -o wan     -j SNAT --to-source «IP»
   iptables -t nat -A POSTROUTING -s $local -o comcast -j SNAT --to-source «IP»
   iptables -t nat -A POSTROUTING -s $local -o vz-dsl  -j SNAT --to-source «IP»
done

# this is an example of what the incoming traffic rules look like
for extip in «list of external IPs»; do
   iptables -t nat -A PREROUTING   -p tcp -d $extip --dport «port» -j DNAT --to-destination «internal-IP»:443
done

And the rules:

ip rule flush
ip rule add from all               pref 1000  lookup main 
ip rule add from A.B.C.D/29        pref 1500  lookup comcast # these IPs are the external ranges (we have multiple IPs on each connection)
ip rule add from E.F.G.H/29        pref 1501  lookup cavtel
ip rule add from I.J.K.L/31        pref 1502  lookup vzdsl
ip rule add from M.N.O.P/31        pref 1502  lookup vzdsl # yes, you can have multiple ranges
ip rule add fwmark $MARK_COMCAST   pref 2000  lookup comcast
ip rule add fwmark $MARK_CAVTEL    pref 2001  lookup cavtel
ip rule add fwmark $MARK_VZDSL     pref 2002  lookup vzdsl
ip rule add                        pref 2500  lookup comcast # the pref order here determines the default—we default to Comcast.
ip rule add                        pref 2501  lookup cavtel
ip rule add                        pref 2502  lookup vzdsl
ip rule add                        pref 32767 lookup default

The routing tables are set up in /etc/network/interfaces, so taking an interface down makes it switch to using a different one:

iface comcast inet static
       address A.B.C.Q
       netmask 255.255.255.248
       up ip route add table comcast default via A.B.C.R dev comcast
       down ip route flush table comcast

**Note:** If you are also doing filtering (you probably are), you will also need to add the appropriate rules to FORWARD to ACCEPT the traffic. Especially for any incoming traffic.
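The FORWARD rules that note refers to, as an added example (not part of the answer above, and not the answerer's configuration): a default-drop forward chain that lets the LAN open connections through any provider, admits inbound traffic only when a nat PREROUTING DNAT rule like the answer's rewrote it (the conntrack DNAT state), and drops LAN addresses arriving on a provider link. It also includes a check that the policy routing sends a given client out the provider you expect, using `ip route get` with the same source, ingress interface and mark the rule lookup sees. Interface names are assumed to be the question's (eth0 LAN, eth1..eth3 providers); `DRY_RUN=1` prints the rules instead of installing them.

```shell
#!/bin/sh
# Added example, not from the answer above: the FORWARD filtering the note
# calls for, with a default-drop policy, plus a check that the policy
# routing actually sends a client out the provider you expect.  Assumed:
# the interface names from the question (eth0 LAN, eth1..eth3 providers)
# and that inbound connections only arrive through nat PREROUTING DNAT
# rules like the answer's.  DRY_RUN=1 prints commands instead of running them.
set -eu

LAN_IF=eth0
LAN_NET=10.0.0.0/24
WAN_IFS='eth1 eth2 eth3'

run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

setup_forward() {
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    # packets of flows conntrack already knows about, in either direction
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # anti-spoofing: LAN addresses may only enter on the LAN interface
    run iptables -A FORWARD ! -i "$LAN_IF" -s "$LAN_NET" -j DROP
    for wan in $WAN_IFS; do
        # clients may open new connections through any provider
        run iptables -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$wan" -m conntrack --ctstate NEW -j ACCEPT
        # inbound: only flows a DNAT rule rewrote (an explicit port forward);
        # an unsolicited NEW flow aimed at a LAN address is still dropped
        run iptables -A FORWARD -i "$wan" -o "$LAN_IF" -m conntrack --ctstate DNAT -j ACCEPT
    done
    # everything else, including provider-to-provider hairpins, hits the DROP policy; log a sample
    run iptables -A FORWARD -m limit --limit 10/min -j LOG --log-prefix "FWD-DROP: "
}

# Which interface would the kernel pick for a forwarded packet?  "ip route get"
# takes the same inputs the rule lookup sees: source, ingress interface and mark.
parse_dev() { sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1; }
egress_dev() {                   # $1 client ip, $2 fwmark, $3 destination (optional)
    ip route get "${3:-1.1.1.1}" from "$1" iif "$LAN_IF" mark "$2" | parse_dev
}
check_client() {                 # $1 client ip, $2 fwmark, $3 expected provider interface
    dev=$(egress_dev "$1" "$2" 2>/dev/null || true)
    if [ "$dev" = "$3" ]; then
        echo "ok   $1 (mark $2) -> $dev"
    else
        echo "FAIL $1 (mark $2) -> ${dev:-no route}, expected $3"
        return 1
    fi
}

# "sh forward.sh apply" installs the filter and then verifies the question's
# three clients; "DRY_RUN=1 sh forward.sh apply" prints the filter rules only.
if [ "${1:-}" = apply ]; then
    setup_forward
    [ -n "${DRY_RUN:-}" ] || {
        check_client 10.0.0.11 1 eth1
        check_client 10.0.0.12 2 eth2
        check_client 10.0.0.13 3 eth3
    }
fi
```

The mark passed to `check_client` is the one the mangle PREROUTING rule assigns to that client; `ip route get` does not run the mangle table, so you supply the mark yourself. Run the check again after taking a provider interface down to confirm the fallback table is the one you intended.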

Quoted from: https://unix.stackexchange.com/questions/87990