闲置台式机(Linux Debian)制作家用网关出口设备

2022-12-04 10:34:12 浏览数 (1)

Debian Linux路由器配置

查看网卡信息

  • 首先查看网络设备地址列表lspci -vvv | grep Ethernet

01:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 15)

代码语言:txt复制
    Subsystem: Dell RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller

02:00.0 Ethernet controller: Intel Corporation 82576 Gigabit Network Connection (rev 01)

02:00.1 Ethernet controller: Intel Corporation 82576 Gigabit Network Connection (rev 01)

共有三个网口:01:00.0 02:00.0 02:00.1

Gigabit是数据存储的单位,通常用符号Gbit或Gb表示,它的换算公式:1 Gb = 10的9次方 bits = 1,000,000,000 bits

另一个常见的单位是Gibibit,gibibit是用来表示二进制换算的,1 gibibit = 2的30次方 bits = 1,073,741,824 bits

  • 查看物理网卡名ip link show

2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP mode DEFAULT group default qlen 1000

代码语言:txt复制
link/ether e4:54:e8:cf:c2:11 brd ff:ff:ff:ff:ff:ff

3: enp2s0f0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq master br0 state DOWN mode DEFAULT group default qlen 1000

代码语言:txt复制
link/ether 6c:b3:11:1c:ee:f6 brd ff:ff:ff:ff:ff:ff

4: enp2s0f1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq master br0 state DOWN mode DEFAULT group default qlen 1000

代码语言:txt复制
link/ether 6c:b3:11:1c:ee:f7 brd ff:ff:ff:ff:ff:ff

5: wlp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DORMANT group default qlen 1000

代码语言:txt复制
link/ether 2e:5e:a1:2e:fa:93 brd ff:ff:ff:ff:ff:ff

共有4个物理网卡,其中三个有线网卡(enp1s0, enp2s0f0, enp2s0f1),一个无线网卡(wlp3s0)

  • 查看每个网卡支持的带宽# 安装ethtool sudo apt install ethtool

查看网卡详情

ethtool enp1s0

Supported link modes: 10baseT/Half 10baseT/Full

代码语言:txt复制
                  100baseT/Half 100baseT/Full 
代码语言:txt复制
                  1000baseT/Full

enp1s0, enp2s0f0, enp2s0f1三个网卡均支持1000baseT/Full,即全部是千兆网卡

设置网桥

代码语言:txt复制
sudo vim /etc/network/interfaces

source /etc/network/interfaces.d/*
auto lo
iface lo inet loopback

# 上外网的网卡
# The primary network interface
auto enp1s0
allow-hotplug enp1s0
iface enp1s0 inet dhcp

# 内网进行dhcp分配的网卡,桥接为br0
auto br0 
iface br0 inet static
address 192.168.152.254
netmask 255.255.255.0
network 192.168.152.0
broadcast 192.168.152.255
gateway 192.168.152.254
dns-nameservers 211.148.192.141,211.148.192.151,202.96.128.166,202.96.134.133
bridge_ports enp2s0f0 enp2s0f1
bridge_stp off 
bridge_maxwait 0

# 重启网络
sudo /etc/init.d/networking restart

配置Debian系统,允许内核进行路由转发

代码语言:txt复制
sudo vim /etc/sysctl.conf

net.ipv4.ip_forward = 1 #0为关闭,1为开启

# 是配置生效
sudo sysctl -p

配置DHCP服务

代码语言:txt复制
# 安装DHCP服务
sudo apt-get install isc-dhcp-server

# 设置监听网口
sudo vim /etc/default/isc-dhcp-server
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
#   Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="br0"
INTERFACESv6="br0"

# 设置分配子网ip的信息
sudo vim /etc/dhcp/dhcpd.conf

option domain-name "dfxd_debian10.org";
option domain-name-servers 211.148.192.141,211.148.192.151,202.96.128.166,202.96.134.133;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.152.0 netmask 255.255.255.224 {
  range 192.168.152.100 192.168.152.200;
  option routers 192.168.152.254;
  option broadcast-address 192.168.152.255;
  default-lease-time 600;
  max-lease-time 7200;
}

# 设置mac与ip进行绑定,可以不设置
host debian-node{
    hardware ethernet 6c:b3:11:1c:ee:f6;
    fixed-address 192.168.152.254;
}

# 手动启动DHCP
/usr/sbin/dhcpd -t $VERSION -cf /etc/dhcp/dhcpd.conf

# 开机自动启动
sudo rm -rf /var/run/dhcpd.pid
sudo systemctl enable isc-dhcp-server

# 查看进程是否已经启动
sudo netstat -uap | grep 'dhcp*'

配置SNAT IPTABLES规则

代码语言:txt复制
vim router_setup.sh

# 允许内核进行路由转发
echo 1 >> /proc/sys/net/ipv4/ip_forward

# 清空nat表和filter表
iptables -t nat -F
iptables -t filter -F

# INPUT链进行规则设置,只允许内网的IP进来,外网主动访问的IP一律丢弃
# 丢弃外网主动访问的包
iptables -I INPUT -p tcp -s 0.0.0.0/0 -j DROP
iptables -I INPUT -p udp -s 0.0.0.0/0 -j DROP

# 允许内网IP访问
iptables -I INPUT -p tcp -s 192.168.0.0/16 -j ACCEPT 
iptables -I INPUT -p tcp -s 172.16.0.0/16 -j ACCEPT 
iptables -I INPUT -p tcp -s 10.0.0.0/16 -j ACCEPT 
iptables -I INPUT -p tcp -s 127.0.0.0/16 -j ACCEPT 

ptables -I INPUT -p udp -s 192.168.0.0/16 -j ACCEPT 
iptables -I INPUT -p udp -s 172.16.0.0/16 -j ACCEPT 
iptables -I INPUT -p udp -s 10.0.0.0/16 -j ACCEPT 
iptables -I INPUT -p udp -s 127.0.0.0/16 -j ACCEPT 

# 设置DNS的端口放通
iptables -I INPUT -p tcp --sport 53 -s 0.0.0.0/0 -m state --state ESTABLISHED -j ACCEPT 
iptables -I INPUT -p udp --sport 53 -s 0.0.0.0/0 -m state --state ESTABLISHED -j ACCEPT 

# apt-get端口放通
iptables -I INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -I INPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -I INPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

# 允许ICMP协议
iptables -A INPUT -p icmp --icmp 8 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp 0 -j ACCEPT

# SNAT转换规则,基于网口来转换
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 ! -d 192.168.0.0/16 -o enp1s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 ! -d 172.16.0.0/16 -o enp1s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 ! -d 10.0.0.0/16 -o enp1s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 ! -d 127.0.0.0/16 -o enp1s0 -j MASQUERADE

iptables -t nat -A POSTROUTING -s 172.16.0.0/16 ! -d 192.168.0.0/16 -o enp1s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.0.0/16 ! -d 172.16.0.0/16 -o enp1s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.0.0/16 ! -d 10.0.0.0/16 -o enp1s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.0.0/16 ! -d 127.0.0.0/16 -o enp1s0 -j MASQUERADE

iptables -t nat -A POSTROUTING -s 10.0.0.0/16 ! -d 192.168.0.0/16 -o enp1s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.0.0.0/16 ! -d 172.16.0.0/16 -o enp1s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.0.0.0/16 ! -d 10.0.0.0/16 -o enp1s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.0.0.0/16 ! -d 127.0.0.0/16 -o enp1s0 -j MASQUERADE

iptables -t nat -A POSTROUTING -s 127.0.0.0/16 ! -d 192.168.0.0/16 -o enp1s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 127.0.0.0/16 ! -d 172.16.0.0/16 -o enp1s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 127.0.0.0/16 ! -d 10.0.0.0/16 -o enp1s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 127.0.0.0/16 ! -d 127.0.0.0/16 -o enp1s0 -j MASQUERADE


# 查看规则
sudo iptables -t filter -L -n -v
sudo iptables -t nat -L -n -v

配置开机启动脚本任务

代码语言:txt复制
sudo vim /usr/lib/systemd/system/router_setup.service

[Unit]
Description=Become a router
After=network.target

[Service]
Type=oneshot
ExecStart=/home/bowenerchen/Tools/router_setup.sh
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

# 设置开机自启动
sudo systemctl daemon-reload
sudo systemctl enable router_setup.service

大致的网络拓扑:

简易网络拓扑简易网络拓扑

0 人点赞