分类: 虚拟化

2016-02-29 09:37:15


[root@localhost core]# systemctl start core-daemon.service

---------------------------------------------------------------------------
[root@localhost core]# core-gui

----------------------
/root/.core/configs/m-MPE-manet.imn
----------------------
Under the Session Menu, the Options... dialog has an option to set a control network prefix.
This can be set to a network prefix such as 172.16.0.0/24. A bridge will be created on the host machine having the last address in the prefix range (e.g. 172.16.0.254), and each node will have an extra ctrl0 control interface configured with an address corresponding to its node number (e.g. 172.16.0.3 for n3.)

----------------------
[root@localhost core]# ifconfig
enp13s0: flags=4163  mtu 1500
        inet 192.168.0.100  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::3e97:eff:fef0:b5bb  prefixlen 64  scopeid 0x20
        ether 3c:97:0e:f0:b5:bb  txqueuelen 1000  (Ethernet)
        RX packets 424786  bytes 474479916 (452.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 402854  bytes 46953257 (44.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

b.ctrl0net.6a: flags=4163  mtu 1500
        inet 172.16.0.254  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 fe80::bc49:1ff:fe27:a95  prefixlen 64  scopeid 0x20
        ether 16:32:81:19:ca:43  txqueuelen 1000  (Ethernet)
        RX packets 149  bytes 12753 (12.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 84  bytes 8808 (8.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

----------------------
[root@localhost core]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    100    0        0 enp13s0
172.16.0.0      0.0.0.0         255.255.255.0   U     0      0        0 b.ctrl0net.6a
192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 enp13s0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0

----------------------
[root@localhost 桌面]# . iptables_core.sh
[root@localhost 桌面]# cat iptables_core.sh


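#!/bin/bash
# Host-side firewall/NAT for a CORE control network.
#
# The host has two sides: the upstream (Internet) interface enp13s0 with
# 192.168.0.100, and the CORE control-network bridge b.ctrl0net.6a with
# 172.16.0.254. Virtual nodes on 172.16.0.0/24 use the host as their
# default gateway and are SNATed to the upstream address on the way out.
#
# Must run as root. In the transcript it is sourced (`. iptables_core.sh`),
# so it deliberately sets no shell options that would leak into the calling
# shell; a failing command is reported by the tool itself and execution
# continues.

# Kernel knobs: enable IPv4 forwarding, ignore broadcast echo requests and
# all echo requests (the host itself stops answering ping), enable SYN cookies.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Interfaces: upstream/external and downstream/internal.
# upstream   192.168.0.100
# downstream 172.16.0.254
#INET_IF="ppp0"
INET_IF="enp13s0"
LAN_IF="b.ctrl0net.6a"       # CORE control bridge; kept for reference, no rule below uses it
INET_IP="192.168.0.100"
LAN_IP="172.16.0.254"
LAN_IP_RANGE="172.16.0.0/24"
# Node nN gets 172.16.0.N on its ctrl0 interface; forwarding is allowed for
# nodes FIRST..LAST. The network prefix is derived from LAN_IP_RANGE by
# dropping the last octet and the mask (assumes a /24 range).
LAN_NET_PREFIX="${LAN_IP_RANGE%.*}"
LAN_NODE_FIRST=1
LAN_NODE_LAST=12
#LAN_WWW="172.16.0.6"
IPT="/sbin/iptables"
#TC="/sbin/tc"
MODPROBE="/sbin/modprobe"

# Connection-tracking and NAT helper modules.
# NOTE(review): these are legacy module names - confirm they still resolve
# on the running kernel; modprobe prints an error for an unknown module and
# the script keeps going.
"$MODPROBE" ip_tables
"$MODPROBE" iptable_nat
"$MODPROBE" ip_nat_ftp
"$MODPROBE" ip_nat_irc
"$MODPROBE" ipt_mark
"$MODPROBE" ip_conntrack
"$MODPROBE" ip_conntrack_ftp
"$MODPROBE" ip_conntrack_irc
"$MODPROBE" ipt_MASQUERADE

# Start from empty tables: flush rules, delete user chains, zero counters.
for TABLE in filter nat mangle; do
  "$IPT" -t "$TABLE" -F
  "$IPT" -t "$TABLE" -X
  "$IPT" -t "$TABLE" -Z
done

# Accept replies to connections the host already has. This is the first
# rule appended to INPUT; it is added before the INPUT policy flips to DROP
# so an SSH session that runs this script is not cut off in between.
"$IPT" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Default policies: deny inbound and forwarded traffic unless a rule below
# accepts it; host-originated output and all NAT chains default to ACCEPT.
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT ACCEPT
"$IPT" -P FORWARD DROP
"$IPT" -t nat -P PREROUTING ACCEPT
"$IPT" -t nat -P OUTPUT ACCEPT
"$IPT" -t nat -P POSTROUTING ACCEPT

# Host INPUT: refuse new connections arriving from the Internet side,
# except SSH.
#$IPT -A INPUT -i $INET_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
#$IPT -A INPUT -i $INET_IF -p tcp -s 123.5.0.0/16 --dport 22 -j ACCEPT
# SSH is accepted from any source on any interface; the commented line
# above is the source-restricted variant.
"$IPT" -A INPUT -p tcp --dport 22 -j ACCEPT
"$IPT" -A INPUT -i "$INET_IF" -m state --state NEW,INVALID -j DROP

# Accept DNS answers from the resolvers listed in /etc/resolv.conf.
# Match the full keyword rather than any line starting with 'n'.
for DNS in $(awk '/^nameserver/ { print $2 }' /etc/resolv.conf); do
  "$IPT" -A INPUT -p tcp -s "$DNS" --sport domain -j ACCEPT
  "$IPT" -A INPUT -p udp -s "$DNS" --sport domain -j ACCEPT
done

# Anti-scan: drop TCP flag combinations that do not occur in legitimate traffic.
"$IPT" -A INPUT -i "$INET_IF" -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
"$IPT" -A INPUT -i "$INET_IF" -p tcp --tcp-flags ALL ALL -j DROP
"$IPT" -A INPUT -i "$INET_IF" -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
"$IPT" -A INPUT -i "$INET_IF" -p tcp --tcp-flags ALL NONE -j DROP
"$IPT" -A INPUT -i "$INET_IF" -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
"$IPT" -A INPUT -i "$INET_IF" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Port forwarding to an internal web host (disabled).
#$IPT -t nat -A PREROUTING -d $INET_IP -p tcp --dport 8008 -j DNAT --to-destination $LAN_WWW:8008
#$IPT -t nat -A PREROUTING -d $INET_IP -p tcp --dport 22 -j DNAT --to-destination $LAN_WWW:22

# Outbound NAT for the LAN range: MASQUERADE on a dynamic ppp link,
# SNAT to the fixed upstream address otherwise.
if [[ "$INET_IF" == "ppp0" ]]; then
  "$IPT" -t nat -A POSTROUTING -o "$INET_IF" -s "$LAN_IP_RANGE" -j MASQUERADE
else
  "$IPT" -t nat -A POSTROUTING -o "$INET_IF" -s "$LAN_IP_RANGE" -j SNAT --to-source "$INET_IP"
fi

#no limit
#$IPT -A FORWARD -s 192.168.1.216 -m mac --mac-source 00:15:17:F7:AB:84 -j ACCEPT
#$IPT -A FORWARD -d 192.168.1.216 -j ACCEPT

#$IPT -A FORWARD -p tcp -d ! $LAN_IP_RANGE -m multiport --dports ! 20,21,22,25,53,80,110,443,8080 -j DROP
#$IPT -A FORWARD -p udp -d ! $LAN_IP_RANGE -m multiport --dports ! 20,21,22,25,53,80,110,443,8080 -j DROP

# MAC/IP address binding (disabled)
#$IPT -A FORWARD -s 192.168.1.11 -m mac --mac-source 44-87-FC-44-B9-6E -j ACCEPT

# Forwarding for nodes n1..n12: one accept per source address first, then
# one per destination address.
# NOTE(review): these accepts are bound to neither an interface nor a
# connection state, so forwarding towards a node is permitted from either
# side of the host.
for (( n = LAN_NODE_FIRST; n <= LAN_NODE_LAST; n++ )); do
  "$IPT" -A FORWARD -s "${LAN_NET_PREFIX}.${n}" -j ACCEPT
done

for (( n = LAN_NODE_FIRST; n <= LAN_NODE_LAST; n++ )); do
  "$IPT" -A FORWARD -d "${LAN_NET_PREFIX}.${n}" -j ACCEPT
done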

---------------------------------------------------------------------------
下面在 CORE 虚拟节点中操作
---------------------------------------------------------------------------
[root@n6 n6.conf]# ifconfig
ctrl0: flags=4163  mtu 1500
        inet 172.16.0.6  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 fe80::216:3eff:fec0:b7a4  prefixlen 64  scopeid 0x20
        ether 00:16:3e:c0:b7:a4  txqueuelen 1000  (Ethernet)
        RX packets 143  bytes 15449 (15.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 60  bytes 5273 (5.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4163  mtu 1500
        inet 10.0.0.6  netmask 255.255.255.255  broadcast 0.0.0.0
        inet6 a::6  prefixlen 128  scopeid 0x0
        inet6 fe80::200:ff:feaa:5  prefixlen 64  scopeid 0x20
        ether 00:00:00:aa:00:05  txqueuelen 1000  (Ethernet)
        RX packets 8182  bytes 904248 (883.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2735  bytes 301738 (294.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

----------------------
[root@n6 n6.conf]# route add default gw 172.16.0.254
[root@n6 n6.conf]# route -n          
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.16.0.254    0.0.0.0         UG    0      0        0 ctrl0
10.0.0.1        10.0.0.5        255.255.255.255 UGH   4      0        0 eth0
10.0.0.2        10.0.0.5        255.255.255.255 UGH   4      0        0 eth0
10.0.0.3        10.0.0.5        255.255.255.255 UGH   3      0        0 eth0
10.0.0.4        10.0.0.5        255.255.255.255 UGH   3      0        0 eth0
10.0.0.5        0.0.0.0         255.255.255.255 UH    1      0        0 eth0
10.0.0.7        0.0.0.0         255.255.255.255 UH    1      0        0 eth0
10.0.0.8        10.0.0.5        255.255.255.255 UGH   4      0        0 eth0
10.0.0.9        0.0.0.0         255.255.255.255 UH    1      0        0 eth0
10.0.0.10       10.0.0.5        255.255.255.255 UGH   2      0        0 eth0
10.0.0.11       10.0.0.5        255.255.255.255 UGH   5      0        0 eth0
172.16.0.0      0.0.0.0         255.255.255.0   U     0      0        0 ctrl0

[root@n6 n6.conf]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 10.3.9.4
nameserver 10.3.9.5
nameserver 10.3.9.6

[root@n6 n6.conf]# ping
PING (10.3.9.254) 56(84) bytes of data.
64 bytes from 10.3.9.254: icmp_seq=1 ttl=58 time=0.751 ms
64 bytes from 10.3.9.254: icmp_seq=2 ttl=58 time=0.727 ms
64 bytes from 10.3.9.254: icmp_seq=3 ttl=58 time=0.936 ms
^C
--- ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.727/0.804/0.936/0.098 ms
[root@n6 n6.conf]#

---------------------------------------------------------------------------
至此，CORE 虚拟节点访问互联网成功。

