Linux配置软路由

阅读量: searchstar 2024-09-03 09:41:41

假设出口网口是end0,入口网口是end1

# Egress (uplink / WAN-facing) interface.
outdev='end0'
# Ingress (LAN-facing) interface that the clients plug into.
indev='end1'
# First three octets of the LAN /24. It must not overlap the address range of
# any other interface on this host, otherwise routing and NAT become ambiguous.
prefix='10.233.233'

配置入口网口IP

# Optionally stop NetworkManager from managing the LAN interface (left
# disabled by the author).
#nmcli dev set $indev managed no
# Bring the LAN interface up and give it the gateway address the DHCP clients
# will be told to use. This address is not persistent: it disappears when the
# link goes down, hence the boot-time configuration later on the page.
ip link set dev "$indev" up
ip address add "${prefix}.1/24" dev "$indev"

但网线拔下来之后这个IP就会消失。可以参考下面的开机自启设置永久静态IP。

配置DHCP

# Install the ISC DHCP server (Debian/Ubuntu package name) and keep a
# timestamped copy of the shipped dhcpd.conf before it is overwritten below.
apt install isc-dhcp-server
cp -- /etc/dhcp/dhcpd.conf "/etc/dhcp/dhcpd.conf.$(date +%s%N)"

# Minimal dhcpd.conf for the LAN: lease addresses from the /24, advertise this
# host as the router and hand out the chosen resolver. The heredoc delimiter is
# unquoted on purpose so that $prefix is expanded into the file.
# NOTE(review): nothing here limits which interface dhcpd answers on; on Debian
# that is INTERFACESv4 in /etc/default/isc-dhcp-server — confirm it names only
# the LAN interface so the server does not also listen on the uplink.
cat <<EOF >/etc/dhcp/dhcpd.conf
option domain-name-servers 223.6.6.6;
option subnet-mask 255.255.255.0;
option routers $prefix.1;
subnet $prefix.0 netmask 255.255.255.0 {
  range $prefix.2 $prefix.254;
}

default-lease-time 600;
max-lease-time 7200;
EOF

# Reload the DHCP server so it picks up the configuration written above.
systemctl restart isc-dhcp-server.service

223.6.6.6是阿里的DNS server。其他DNS server: https://www.zhihu.com/question/32229915/answer/3572478879

参考:https://wiki.archlinux.org/title/Dhcpd

开启转发

# Show whether IPv4 forwarding is currently enabled.
sysctl net.ipv4.ip_forward
# Enable it for the running kernel only; the persistent setting is added to
# /etc/sysctl.conf later on the page.
sysctl --write net.ipv4.ip_forward=1

配置NAT

# Source-NAT (masquerade) packets from the LAN /24 as they leave via the
# uplink, so replies come back to this host's uplink address.
iptables --table nat --append POSTROUTING \
  --source "${prefix}.0/24" --out-interface "$outdev" --jump MASQUERADE

让防火墙不要拦截从indev到outdev的流量:

# Explicitly allow forwarding from the LAN interface to the uplink. Nothing
# here allows the reverse direction: forwarded replies only pass if the FORWARD
# chain's policy is ACCEPT (as the persistent rules later on the page set it)
# or a separate ESTABLISHED,RELATED rule exists.
iptables --table filter --append FORWARD \
  --in-interface "$indev" --out-interface "$outdev" --jump ACCEPT

IPv6 NAT

一般认为IPv6是不需要NAT的。但是在类似校园网的环境,每个接入的IPv6地址都需要进行认证,这时候就可以用IPv6 NAT,只需要一个通过认证的IP就可以代理整个子网的流量。

# ULA prefix used for the LAN side.
prefix6='fd00:1'
# addr_gen_mode 0 derives the link-local address from the MAC (EUI-64); the
# author notes the link does not work without a link-local address.
sysctl --write "net.ipv6.conf.${indev}.addr_gen_mode=0"

# Static gateway address on the LAN interface.
ip -6 address add "${prefix6}::1/64" dev "$indev"

# Forward IPv6 between interfaces.
sysctl --write net.ipv6.conf.all.forwarding=1
# accept_ra=2 keeps accepting router advertisements even though forwarding is
# on. NOTE(review): this is applied to the LAN-facing interface, so any LAN
# host that sends an RA can alter this router's IPv6 routes; if the intent is
# to keep learning the upstream default route, the uplink ($outdev) is probably
# the interface meant here — confirm.
sysctl --write "net.ipv6.conf.${indev}.accept_ra=2"

# Masquerade everything leaving via the uplink — unlike the IPv4 rule there is
# no --source filter, so any IPv6 packet routed out of $outdev is translated —
# and allow LAN -> uplink forwarding.
ip6tables --table nat --append POSTROUTING \
  --out-interface "$outdev" --jump MASQUERADE
ip6tables --table filter --append FORWARD \
  --in-interface "$indev" --out-interface "$outdev" --jump ACCEPT

开机自启

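# Persist the LAN addresses in ifupdown so they survive link flaps and
# reboots. Both the inet and inet6 stanzas use $indev (the inet6 stanza is no
# longer hard-coded to end1, so changing $indev at the top keeps them in sync).
# The file is appended to (>>): running this twice leaves duplicate stanzas,
# so check /etc/network/interfaces before re-running.
cat <<EOF >>/etc/network/interfaces
allow-hotplug $indev
iface $indev inet static
	address $prefix.1
	netmask 255.255.255.0
iface $indev inet6 static
	address $prefix6::1
	netmask 64
EOF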

# Apply the new interface stanzas, then make the DHCP server start at boot.
# NOTE(review): only the first command is prefixed with sudo while the rest of
# the page assumes a root shell — run both the same way.
sudo systemctl restart networking.service

systemctl enable isc-dhcp-server.service

# Persist the sysctls that were set at runtime earlier on the page, then load
# /etc/sysctl.conf immediately. Appended (>>), so re-running duplicates lines.
# The accept_ra line carries the same interface-side caveat as the runtime
# setting: RAs are accepted on the LAN-facing interface.
cat <<EOF >>/etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv6.conf.$indev.addr_gen_mode=0
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.$indev.accept_ra=2
EOF
sysctl --load

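# Persist the IPv4 rules across reboots. The saved rules use the same
# $prefix/$outdev/$indev variables as the runtime rules above (the heredoc
# delimiter is unquoted, so they are expanded into the file), so the saved and
# runtime rule sets cannot drift apart when the interface names change.
sudo apt install -y iptables-persistent
# File format: https://serverfault.com/a/714348
# :<NAME> <DEFAULT_POLICY> [<PACKET_COUNT>:<BYTE_COUNT>]
# The packet/byte counters do not matter here and are all set to 0.
# NOTE(review): FORWARD's default policy is ACCEPT, so the explicit ACCEPT
# rule adds nothing and traffic is forwarded in every direction between all
# interfaces; a stricter set-up would use a DROP policy plus an
# ESTABLISHED,RELATED rule for return traffic.
cat <<EOF >/etc/iptables/rules.v4
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $prefix.0/24 -o $outdev -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $indev -o $outdev -j ACCEPT
COMMIT
EOF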

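# Persist the IPv6 rules. As for rules.v4, the interface names come from
# $outdev/$indev (expanded by the unquoted heredoc) instead of being
# hard-coded, so they stay consistent with the runtime ip6tables rules above.
# NOTE(review): the FORWARD policy is ACCEPT here too, so the explicit rule is
# redundant and all inter-interface forwarding is permitted; the MASQUERADE
# rule has no source restriction, matching the runtime rule.
cat <<EOF >/etc/iptables/rules.v6
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $indev -o $outdev -j ACCEPT
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $outdev -j MASQUERADE
COMMIT
EOF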