Building a network with Ubuntu as the gateway
1. Environment
The site's uplink is a 100 Mbit China Unicom leased line. The cable from the optical modem goes to a router, which runs DHCP and is connected by cable to a D-Link gigabit copper switch. One of the servers runs Ubuntu 18.04 and is fitted with a gigabit fibre NIC, over which it is networked with the other servers; its onboard gigabit copper NIC is connected to the D-Link switch and so to the public internet.
2. Topology
Several servers are networked over the gigabit fibre network, and their gateway is pointed at the one server that also has internet connectivity, which gives them all internet access.
3. Implementation
3.1 Gateway server configuration
First make the fibre network and the copper network reachable from each other, i.e. turn the gateway server into a router.
# ifconfig eno2 192.168.1.13/24 # assign the copper NIC eno2 its IP address
# ifconfig enp4s0 10.1.192.13/24 # assign the fibre NIC enp4s0 its IP address
# route add -net 192.168.1.0/24 dev eno2 # route for the copper segment
# route add -net 10.1.192.0/24 dev enp4s0 # route for the fibre segment
# route add default gw 192.168.1.1 dev eno2 # default gateway is the router
# sysctl -w net.ipv4.ip_forward=1 # enable IP forwarding in the gateway kernel (runtime setting)
# sysctl -p # reload the settings in /etc/sysctl.conf
# ifconfig
eno2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.13 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::64a0:35bd:e8ba:7ec0 prefixlen 64 scopeid 0x20<link>
ether 0c:c4:7a:97:fd:72 txqueuelen 1000 (以太网)
RX packets 2943475 bytes 546789885 (546.7 MB)
RX errors 0 dropped 23652 overruns 0 frame 0
TX packets 2807831 bytes 1225829865 (1.2 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
enp4s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.1.192.13 netmask 255.255.255.0 broadcast 10.1.192.255
inet6 fe80::7686:9a0d:7fd9:20d4 prefixlen 64 scopeid 0x20<link>
ether 90:e2:ba:8c:48:ac txqueuelen 1000 (以太网)
RX packets 770077 bytes 157633498 (157.6 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 859154 bytes 306838278 (306.8 MB)
# route -n
内核 IP 路由表
目标 网关 子网掩码 标志 跃点 引用 使用 接口
0.0.0.0 192.168.1.1 0.0.0.0 UG 101 0 0 eno1
10.1.192.0 0.0.0.0 255.255.255.0 U 100 0 0 enp4s0
192.168.1.0 0.0.0.0 255.255.255.0 U 101 0 0 eno1
# ping 10.1.192.23 # reach another server on the fibre network
PING 10.1.192.23 (10.1.192.23) 56(84) bytes of data.
64 bytes from 10.1.192.23: icmp_seq=1 ttl=64 time=0.174 ms
64 bytes from 10.1.192.23: icmp_seq=2 ttl=64 time=0.170 ms
# ping 192.168.1.1 # reach the router
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.796 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.780 ms
For the other servers to reach the public internet through the gateway, enable SNAT on the gateway server: packets coming from the other servers are rewritten to carry the gateway's own address and then leave through the office network's router.
# iptables -t nat -A POSTROUTING -s 10.1.192.0/24 ! -d 192.168.1.0/24 -j SNAT --to 192.168.1.13
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 10.1.192.0/24 !192.168.1.0/24 to:192.168.1.13
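As an added example (not from the original post), this shell code models what the SNAT rule above does to a packet, so the effect of `-s 10.1.192.0/24` and the negated `! -d 192.168.1.0/24` can be checked offline; the function names are chosen here, the addresses are the ones the post uses.

```shell
# Added example: models the rule
#   iptables -t nat -A POSTROUTING -s 10.1.192.0/24 ! -d 192.168.1.0/24 -j SNAT --to 192.168.1.13
# Function names (ip2int, in_cidr, snat_source, snat_demo) are chosen here.

# ip2int A.B.C.D -> prints the address as a 32-bit integer
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PREFIX -> succeeds when ADDR lies inside NET/PREFIX
in_cidr() {
    local addr net prefix mask
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    prefix=${2#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# snat_source SRC DST -> prints the source address the packet carries after POSTROUTING
snat_source() {
    if in_cidr "$1" 10.1.192.0/24 && ! in_cidr "$2" 192.168.1.0/24; then
        echo 192.168.1.13    # matched -s and the negated -d: rewritten to the gateway
    else
        echo "$1"            # office-LAN destinations and non-fibre sources pass unchanged
    fi
}

# Walk a few constructed flows through the rule.
snat_demo() {
    for flow in 10.1.192.22:8.8.8.8 10.1.192.22:192.168.1.1 192.168.1.20:8.8.8.8; do
        echo "${flow%:*} -> ${flow#*:} leaves as $(snat_source "${flow%:*}" "${flow#*:}")"
    done
}
```

Note that traffic from the fibre network to the office LAN itself is deliberately left unrewritten, so an office host only answers it if it has its own route back to 10.1.192.0/24 via the gateway.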
Test internet access from a server on the fibre network.
# ifconfig
enp4s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.1.192.22 netmask 255.255.255.0 broadcast 10.1.192.255
inet6 fe80::92e2:baff:fe8c:7f34 prefixlen 64 scopeid 0x20<link>
ether 90:e2:ba:8c:7f:34 txqueuelen 1000 (以太网)
RX packets 162832 bytes 32813663 (32.8 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 154589 bytes 36840120 (36.8 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
# ping 10.1.192.13
PING 10.1.192.13 (10.1.192.13) 56(84) bytes of data.
64 bytes from 10.1.192.13: icmp_seq=1 ttl=64 time=0.152 ms
64 bytes from 10.1.192.13: icmp_seq=2 ttl=64 time=0.176 ms
# curl www.baidu.com
<!DOCTYPE html>
The servers on the fibre network can now reach the public internet. Finally, write the configuration to the configuration files so that it persists.
# Gateway server network configuration file
# vim /etc/netplan/01-network-manager-all.yaml
network:
  version: 2
  renderer: NetworkManager
  ethernets:
    eno2:                              # copper port: static IP
      addresses: [192.168.1.13/24]
      gateway4: 192.168.1.1            # default gateway is the router
      nameservers:
        addresses: [192.168.1.1]       # DNS points at the router
    enp4s0:                            # fibre port: static IP
      addresses: [10.1.192.13/24]
      nameservers:
        addresses: [223.6.6.6]         # public DNS
      routes:
        - to: 10.1.192.0/24
          via: 10.1.192.13             # fibre-segment route
        - to: 192.168.1.0/24
          via: 192.168.1.13            # copper-segment route
# vim /etc/resolv.conf # DNS server
nameserver 192.168.1.1
# Save the iptables rules
# mkdir -p /etc/iptables-bk
# iptables-save > /etc/iptables-bk/iptables
# Reload the iptables rules at boot
# ln -fs /lib/systemd/system/rc-local.service /etc/systemd/system/rc-local.service
# vim /etc/systemd/system/rc-local.service # append an [Install] section to the unit
[Install]
WantedBy=multi-user.target
Alias=rc-local.service
# vim /etc/rc.local # the script needs a shebang line, or systemd cannot execute it
#!/bin/sh -e
iptables-restore < /etc/iptables-bk/iptables
exit 0
# chmod +x /etc/rc.local
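An added example, not from the original post, that audits what the steps above persist: it checks the saved iptables file for the SNAT rule and a sysctl configuration file for `net.ipv4.ip_forward`, which the post only sets at runtime with `sysctl -w`; the function names and the /etc/sysctl.conf path it expects are assumptions.

```shell
# Added example: checks whether the gateway state persisted above survives a reboot.
# gateway_persist_check RULES_FILE SYSCTL_FILE -> prints each missing item,
# returns 1 if anything is missing, 0 otherwise. Names and paths are assumptions.
gateway_persist_check() {
    local rules="$1" sysctl_conf="$2" missing=0
    # The SNAT rule as iptables-save renders it (--to is written out as --to-source).
    if ! grep -qF -- '-A POSTROUTING -s 10.1.192.0/24 ! -d 192.168.1.0/24 -j SNAT --to-source 192.168.1.13' "$rules" 2>/dev/null; then
        echo "missing: SNAT rule in $rules"; missing=1
    fi
    # sysctl -w only changes the running kernel; without this line in a config file
    # the gateway stops forwarding after the next reboot.
    if ! grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1' "$sysctl_conf" 2>/dev/null; then
        echo "missing: net.ipv4.ip_forward = 1 in $sysctl_conf"; missing=1
    fi
    # Forwarding on plus an ACCEPT policy means the FORWARD chain relays any traffic
    # between the fibre and office segments; flag it so explicit rules get added.
    if grep -q '^:FORWARD ACCEPT' "$rules" 2>/dev/null; then
        echo "warning: filter FORWARD policy is ACCEPT in $rules"
    fi
    return $missing
}

# Runs the check on constructed sample files (not captured from the post's gateway).
demo_persist_check() {
    local dir ok bad
    dir=$(mktemp -d)
    printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' \
        '-A POSTROUTING -s 10.1.192.0/24 ! -d 192.168.1.0/24 -j SNAT --to-source 192.168.1.13' \
        'COMMIT' '*filter' ':FORWARD ACCEPT [0:0]' 'COMMIT' > "$dir/iptables"
    printf 'net.ipv4.ip_forward = 1\n' > "$dir/sysctl.conf"
    : > "$dir/sysctl-empty.conf"
    gateway_persist_check "$dir/iptables" "$dir/sysctl.conf" && ok=0 || ok=1
    gateway_persist_check "$dir/iptables" "$dir/sysctl-empty.conf" && bad=0 || bad=1
    rm -rf "$dir"
    echo "with-sysctl=$ok without-sysctl=$bad"
}
```

On the gateway itself, run `gateway_persist_check /etc/iptables-bk/iptables /etc/sysctl.conf`; a non-zero exit means the box would not come back as a working gateway after a reboot.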
3.2 Client server configuration
# vim /etc/netplan/01-network-manager-all.yaml
# Let NetworkManager manage all devices on this system
network:
  version: 2
  renderer: NetworkManager
  ethernets:
    enp4s0:                            # fibre port: static IP address
      addresses: [10.1.192.22/24]
      gateway4: 10.1.192.13            # gateway is the gateway server's fibre address
      nameservers:
        addresses: [223.6.6.6]         # DNS
# vim /etc/resolv.conf
nameserver 223.6.6.6