01:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 15)
Subsystem: Dell RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller
02:00.0 Ethernet controller: Intel Corporation 82576 Gigabit Network Connection (rev 01)
02:00.1 Ethernet controller: Intel Corporation 82576 Gigabit Network Connection (rev 01)
共有三个网口:01:00.0 02:00.0 02:00.1
Gigabit是数据存储的单位,通常用符号Gbit或Gb表示,它的换算公式:1 Gb = 10的9次方 bits = 1,000,000,000 bits
另一个常见的单位是Gibibit,gibibit是用来表示二进制换算的,1 gibibit = 2的30次方 bits = 1,073,741,824 bits
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP mode DEFAULT group default qlen 1000
link/ether e4:54:e8:cf:c2:11 brd ff:ff:ff:ff:ff:ff
3: enp2s0f0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq master br0 state DOWN mode DEFAULT group default qlen 1000
link/ether 6c:b3:11:1c:ee:f6 brd ff:ff:ff:ff:ff:ff
4: enp2s0f1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq master br0 state DOWN mode DEFAULT group default qlen 1000
link/ether 6c:b3:11:1c:ee:f7 brd ff:ff:ff:ff:ff:ff
5: wlp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DORMANT group default qlen 1000
link/ether 2e:5e:a1:2e:fa:93 brd ff:ff:ff:ff:ff:ff
共有4个物理网卡,其中三个有线网卡(enp1s0, enp2s0f0, enp2s0f1),一个无线网卡(wlp3s0)
ethtool enp1s0
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
enp1s0, enp2s0f0, enp2s0f1三个网卡均支持1000baseT/Full,即全部是千兆网卡
sudo vim /etc/network/interfaces
source /etc/network/interfaces.d/*
auto lo
iface lo inet loopback
# 上外网的网卡
# The primary network interface
auto enp1s0
allow-hotplug enp1s0
iface enp1s0 inet dhcp
# 内网进行dhcp分配的网卡,桥接为br0
auto br0
iface br0 inet static
address 192.168.152.254
netmask 255.255.255.0
network 192.168.152.0
broadcast 192.168.152.255
gateway 192.168.152.254
dns-nameservers 211.148.192.141,211.148.192.151,202.96.128.166,202.96.134.133
bridge_ports enp2s0f0 enp2s0f1
bridge_stp off
bridge_maxwait 0
# 重启网络
sudo /etc/init.d/networking restart
sudo vim /etc/sysctl.conf
net.ipv4.ip_forward = 1 #0为关闭,1为开启
# 是配置生效
sudo sysctl -p
# 安装DHCP服务
sudo apt-get install isc-dhcp-server
# 设置监听网口
sudo vim /etc/default/isc-dhcp-server
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="br0"
INTERFACESv6="br0"
# 设置分配子网ip的信息
sudo vim /etc/dhcp/dhcpd.conf
option domain-name "dfxd_debian10.org";
option domain-name-servers 211.148.192.141,211.148.192.151,202.96.128.166,202.96.134.133;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.152.0 netmask 255.255.255.224 {
range 192.168.152.100 192.168.152.200;
option routers 192.168.152.254;
option broadcast-address 192.168.152.255;
default-lease-time 600;
max-lease-time 7200;
}
# 设置mac与ip进行绑定,可以不设置
host debian-node{
hardware ethernet 6c:b3:11:1c:ee:f6;
fixed-address 192.168.152.254;
}
# 手动启动DHCP
/usr/sbin/dhcpd -t $VERSION -cf /etc/dhcp/dhcpd.conf
# 开机自动启动
sudo rm -rf /var/run/dhcpd.pid
sudo systemctl enable isc-dhcp-server
# 查看进程是否已经启动
sudo netstat -uap | grep 'dhcp*'
vim router_setup.sh
# 允许内核进行路由转发
echo 1 >> /proc/sys/net/ipv4/ip_forward
# 清空nat表和filter表
iptables -t nat -F
iptables -t filter -F
# INPUT链进行规则设置,只允许内网的IP进来,外网主动访问的IP一律丢弃
# 丢弃外网主动访问的包
iptables -I INPUT -p tcp -s 0.0.0.0/0 -j DROP
iptables -I INPUT -p udp -s 0.0.0.0/0 -j DROP
# 允许内网IP访问
iptables -I INPUT -p tcp -s 192.168.0.0/16 -j ACCEPT
iptables -I INPUT -p tcp -s 172.16.0.0/16 -j ACCEPT
iptables -I INPUT -p tcp -s 10.0.0.0/16 -j ACCEPT
iptables -I INPUT -p tcp -s 127.0.0.0/16 -j ACCEPT
ptables -I INPUT -p udp -s 192.168.0.0/16 -j ACCEPT
iptables -I INPUT -p udp -s 172.16.0.0/16 -j ACCEPT
iptables -I INPUT -p udp -s 10.0.0.0/16 -j ACCEPT
iptables -I INPUT -p udp -s 127.0.0.0/16 -j ACCEPT
# 设置DNS的端口放通
iptables -I INPUT -p tcp --sport 53 -s 0.0.0.0/0 -m state --state ESTABLISHED -j ACCEPT
iptables -I INPUT -p udp --sport 53 -s 0.0.0.0/0 -m state --state ESTABLISHED -j ACCEPT
# apt-get端口放通
iptables -I INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -I INPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -I INPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
# 允许ICMP协议
iptables -A INPUT -p icmp --icmp 8 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp 0 -j ACCEPT
# SNAT转换规则,基于网口来转换
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 ! -d 192.168.0.0/16 -o enp1s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 ! -d 172.16.0.0/16 -o enp1s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 ! -d 10.0.0.0/16 -o enp1s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 ! -d 127.0.0.0/16 -o enp1s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.0.0/16 ! -d 192.168.0.0/16 -o enp1s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.0.0/16 ! -d 172.16.0.0/16 -o enp1s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.0.0/16 ! -d 10.0.0.0/16 -o enp1s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.0.0/16 ! -d 127.0.0.0/16 -o enp1s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.0.0.0/16 ! -d 192.168.0.0/16 -o enp1s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.0.0.0/16 ! -d 172.16.0.0/16 -o enp1s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.0.0.0/16 ! -d 10.0.0.0/16 -o enp1s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.0.0.0/16 ! -d 127.0.0.0/16 -o enp1s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 127.0.0.0/16 ! -d 192.168.0.0/16 -o enp1s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 127.0.0.0/16 ! -d 172.16.0.0/16 -o enp1s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 127.0.0.0/16 ! -d 10.0.0.0/16 -o enp1s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 127.0.0.0/16 ! -d 127.0.0.0/16 -o enp1s0 -j MASQUERADE
# 查看规则
sudo iptables -t filter -L -n -v
sudo iptables -t nat -L -n -v
sudo vim /usr/lib/systemd/system/router_setup.service
[Unit]
Description=Become a router
After=network.target
[Service]
Type=oneshot
ExecStart=/home/bowenerchen/Tools/router_setup.sh
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
# 设置开机自启动
sudo systemctl daemon-reload
sudo systemctl enable router_setup.service
原创声明:本文系作者授权腾讯云开发者社区发表,未经许可,不得转载。
如有侵权,请联系 cloudcommunity@tencent.com 删除。
原创声明:本文系作者授权腾讯云开发者社区发表,未经许可,不得转载。
如有侵权,请联系 cloudcommunity@tencent.com 删除。