Category: LINUX
2009-11-15 13:46:46
1. Purpose
Use iptables and iproute2 for policy routing so that packets are routed and forwarded correctly. When clients on different lines access the CentOS host, it should reply to each client over the correct line; when CentOS acts as a forwarding router, it should forward packets correctly.
2. Lab environment
Four Cisco 2691 routers simulate the access routers of three lines plus one remote host; the CentOS 5.3 server is connected to each of the three access routers.
3. Topology
4. Implementation
Routing towards R1 is done with policy routing, routing towards R2 uses the default route, and routing towards R3 uses a specific static route.
1) PC (simulated by a 2691) configuration:
en
conf t
host PC
inter f0/0
ip addr
no sh
exit
ip route
end
2) R1 configuration:
en
conf t
host R1
inter f0/0
ip addr
no sh
inter f0/1
ip addr
no sh
exit
ip route 192.168.13.0 255.255.255.0
ip route 33.33.33.0 255.255.255.0
ip route 172.16.13.0 255.255.255.0
ip route 202.96.134.0 255.255.255.0
end
3) R2 configuration:
en
conf t
host R2
inter f0/0
ip addr 192.168.13.254 255.255.255.0
no sh
inter loopback0
ip add 33.33.33.13 255.255.255.0
no sh
exit
ip route
ip route
ip route 172.16.13.0 255.255.255.0 192.168.13.114
ip route 202.96.134.0 255.255.255.0 192.168.13.114
end
4) R3 configuration:
en
conf t
host R3
inter f0/0
ip addr 172.16.13.13 255.255.255.0
no sh
inter loopback0
ip addr 202.96.134.134 255.255.255.0
exit
ip route
line vty 0 4
password cisco
login
end
5) CentOS configuration:
echo 1 > /proc/sys/net/ipv4/ip_forward
ifconfig eth1
ifconfig eth0 192.168.13.114 netmask 255.255.255.0 up
ifconfig eth2 172.16.13.254 netmask 255.255.255.0 up
ifconfig eth2:1 172.16.13.253 netmask 255.255.255.0 up
route add default gw 192.168.13.254
route add -net 202.96.134.0/24 gw 172.16.13.13
iptables -t mangle -F
iptables -t nat -F
iptables -F
iptables -t mangle -A PREROUTING -i eth0 -d ! 192.168.13.114 -j MARK --set-mark 8126
iptables -t mangle -A PREROUTING -d 172.16.13.253 -j MARK --set-mark 8126
iptables -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 8125
iptables -t nat -A POSTROUTING -o eth2 -m mark --mark 8125 -j SNAT --to 172.16.13.253
echo "800 markroute" >> /etc/iproute2/rt_tables
ip rule add fwmark 8126 table markroute
ip rule add from
ip route add default vi
ip route flush cache
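As an added illustration (not from the original post), this Python model replays the forwarding decision the CentOS configuration above sets up: the mangle PREROUTING marks, ip rule table selection, longest-prefix lookup in the chosen table, and the eth2 SNAT rule. The eth1 gateway towards R1, the content of the markroute default route and the PC's address are elided in the post, so they are placeholders here; conntrack de-NAT of replies is not modelled.

```python
from ipaddress import ip_address, ip_network
# Placeholders: the post elides the eth1 address/gateway towards R1 and the PC's IP.
R1_GW = "10.0.0.1"

# mangle PREROUTING, in order: (in iface or None, dst prefix or None, negated?, mark)
MANGLE = [("eth0", "192.168.13.114/32", True, 8126),   # -i eth0 -d ! 192.168.13.114
          (None, "172.16.13.253/32", False, 8126),    # -d 172.16.13.253
          ("eth1", None, False, 8125)]                 # -i eth1

# ip rule order: fwmark 8126 -> markroute, then the main table for everything else
RULES = [(8126, "markroute"), (None, "main")]

# routing tables: (prefix, gateway or None when directly connected, out iface)
TABLES = {
    "main": [("192.168.13.0/24", None, "eth0"), ("172.16.13.0/24", None, "eth2"),
             ("202.96.134.0/24", "172.16.13.13", "eth2"),
             ("0.0.0.0/0", "192.168.13.254", "eth0")],
    "markroute": [("0.0.0.0/0", R1_GW, "eth1")],   # assumed content of the elided default route
}

def mark_packet(in_if, dst):
    """fwmark left by the mangle table (0 = unmarked); MARK is non-terminating, last match wins."""
    mark = 0
    for iface, net, negate, m in MANGLE:
        if iface and iface != in_if:
            continue
        if net is not None and (ip_address(dst) in ip_network(net)) == negate:
            continue
        mark = m
    return mark

def lookup(table, dst):
    """Longest-prefix match in one table; returns (gateway, out iface) or None."""
    best = None
    for prefix, gw, oif in TABLES[table]:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gw, oif)
    return best[1:] if best else None

def route(in_if, src, dst):
    """Forward one packet: mark, walk ip rules, route, then the nat POSTROUTING SNAT rule."""
    mark = mark_packet(in_if, dst)
    for fwmark, table in RULES:
        if fwmark in (None, mark) and (hop := lookup(table, dst)):
            gw, oif = hop
            # -o eth2 -m mark --mark 8125 -j SNAT --to 172.16.13.253 (R1 -> R3 traffic)
            src = "172.16.13.253" if oif == "eth2" and mark == 8125 else src
            return {"mark": mark, "table": table, "via": gw or dst, "dev": oif, "src": src}
```

A reply from R3 addressed to 172.16.13.253 picks up mark 8126 before NAT is undone, so it is steered into the markroute table and leaves on eth1 towards R1, which is what lets the SNAT trick return traffic to the PC.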
5. Observed results
On the PC:
PC#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/34/120 ms
PC#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/33/76 ms
PC#ping 192.168.13.114
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.114, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
PC#ping 192.168.13.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/49/160 ms
PC#ping 33.33.33.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.33.33.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/42/108 ms
PC#ping 172.16.13.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
PC#ping 172.16.13.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/32/92 ms
PC#ping 202.96.134.134
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.96.134.134, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/40/100 ms
PC#telnet 172.16.13.13
Trying 172.16.13.13 ... Open
User Access Verification
Password:
R3>exit
[Connection to 172.16.13.13 closed by foreign host]
PC#telnet 202.96.134.134
Trying 202.96.134.134 ... Open
User Access Verification
Password:
R3>exit
[Connection to 202.96.134.134 closed by foreign host]
On R2:
R2#ping 192.168.13.114
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.114, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max =
R2#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to
.....
Success rate is 0 percent (0/5)
R2#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/43/100 ms
R2#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/43/100 ms
R2#ping 172.16.13.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/33/72 ms
R2#ping 172.16.13.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.13.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/44/152 ms
R2#ping 202.96.134.134
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.96.134.134, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/44/92 ms
R2#telnet 172.16.13.13
Trying 172.16.13.13 ... Open
User Access Verification
Password:
R3>exit
[Connection to 172.16.13.13 closed by foreign host]
R2#telnet 202.96.134.134
Trying 202.96.134.134 ... Open
User Access Verification
Password:
R3>exit
[Connection to 202.96.134.134 closed by foreign host]
On R3:
R3>ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to
.....
Success rate is 0 percent (0/5)
R3>ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max =
R3>ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/48/156 ms
R3>traceroute
Type escape sequence to abort.
Tracing the route to
1 172.16.13.254 12 msec 24 msec 32 msec
2 192.168.13.254 8 msec 20 msec 40 msec
3 172.16.13.254 20 msec 28 msec 12 msec
4
5
R3>ping 192.168.13.114
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.114, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max =
R3>ping 192.168.13.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max =
R3>ping 33.33.33.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.33.33.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/37/120 ms
6. Conclusions
Note the parts of the test results highlighted in blue and red.
1. The test goal is basically achieved.
2. The red parts are the anomalies that appear once policy routing is in place.
3. Packets from R1 to R3 get their replies routed correctly by means of SNAT.
4. The blue part shows that traffic from R3 towards the PC hops through R2. If R2 had no route towards R1, R3 would not be able to reach the PC.