Dual-line policy routing on Linux with iproute2 + iptables + tc


I. Environment and requirements:

Lines:  internal 100 Mbit LAN:          eth0    192.168.1.1                          100 Mbit

        China Telecom 100 Mbit fibre:   eth1    222.88.1.1     gateway 222.88.1.2    100 Mbit

        China Netcom 100 Mbit fibre:    eth2    218.28.1.1     gateway 218.28.1.2    100 Mbit

(The internal network is 192.168.0.0/22; the SNAT rules and the /etc/ethers entries below use that range.)

Operating system: Red Hat Enterprise AS 5


II. Network requirements:

Business needs: 1. Dual-line policy routing: traffic to China Netcom addresses leaves through the Netcom gateway, traffic to China Telecom addresses through the Telecom gateway.

                2. Static ARP binding for every host on the internal network.

                3. Traffic control with tc, with a separate policy for each class of service provided.
     
III. Detailed steps:

1. Installing Linux is not covered here; there are plenty of guides online. After installation, assign the IP addresses listed above. (Note: avoid configuring a default gateway during installation. A gateway set by the installer conflicts with the default route that iproute2 adds in step 5: `ip route add` then fails with "RTNETLINK answers: File exists".)

2. Enable IP forwarding in the kernel (this does not survive a reboot on its own; rc.local in step 11 sets it again):   echo "1" > /proc/sys/net/ipv4/ip_forward

3. Source NAT for the internal network. MASQUERADE uses the address of whichever line the packet leaves on, so one rule per WAN interface is enough:
iptables -t nat -A POSTROUTING -s 192.168.0.0/22 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/22 -o eth2 -j MASQUERADE


4. Edit /etc/iproute2/rt_tables to give the new routing table a name. The file then looks as follows (the stock file plus the line `100 shangdu`; the name is optional, the commands below refer to the table by number):

# reserved values
#
255 local
254 main
253 default
0 unspec
100 shangdu
#
# local
#
#1   inr.ruhep

5. Add the China Telecom default route to the main table (this is the route for everything the rules in step 7 do not match):

ip route add 0/0 via 222.88.1.2   dev eth1 table main

6. Add the China Netcom default route to the new table 100. Table 100 holds nothing else, so every destination the rules in step 7 send to it, including hosts on eth2's own subnet (218.28.0.0/15 is in the list), is forwarded to 218.28.1.2; add the eth2 connected route to table 100 as well if those hosts must be reached directly.

ip route add 0/0 via 218.28.1.2 dev eth2 table 100
   
7. Add the rules that send China Netcom destinations to table 100. (Note: the list must contain every Netcom IP range. The one below is the author's snapshot of the allocations at the time; regenerate it from current allocation data before reusing it. Each `ip rule add` without an explicit priority is given the next free priority below the existing rules, so all of these are consulted before the main table lookup at priority 32766. They match on destination only, which is all a NAT gateway needs; for services hosted on the router itself, add `from`-based rules for each WAN address too, otherwise replies to a connection that arrived on 222.88.1.1 from a Netcom address leave via eth2 carrying a Telecom source address. On 2.6.18 kernels run `ip route flush cache` after changing rules.)
ip rule add to 58.16.0.0/16 table 100
ip rule add to 58.17.0.0/17 table 100
ip rule add to 58.17.128.0/17 table 100
ip rule add to 58.18.0.0/16 table 100
ip rule add to 58.19.0.0/16 table 100
ip rule add to 58.20.0.0/16 table 100
ip rule add to 58.21.0.0/16 table 100
ip rule add to 58.22.0.0/15 table 100
ip rule add to 58.240.0.0/15 table 100
ip rule add to 58.242.0.0/15 table 100
ip rule add to 58.244.0.0/15 table 100
ip rule add to 58.246.0.0/15 table 100
ip rule add to 58.248.0.0/13 table 100
ip rule add to 60.0.0.0/13 table 100
ip rule add to 60.8.0.0/15 table 100
ip rule add to 60.10.0.0/16 table 100
ip rule add to 60.11.0.0/16 table 100
ip rule add to 60.12.0.0/16 table 100
ip rule add to 60.13.0.0/18 table 100
ip rule add to 60.13.64.0/18 table 100
ip rule add to 60.13.128.0/17 table 100
ip rule add to 60.14.0.0/15 table 100
ip rule add to 60.16.0.0/13 table 100
ip rule add to 60.24.0.0/14 table 100
ip rule add to 60.28.0.0/15 table 100
ip rule add to 60.30.0.0/16 table 100
ip rule add to 60.31.0.0/16 table 100
ip rule add to 60.55.0.0/16 table 100
ip rule add to 60.208.0.0/13 table 100
ip rule add to 60.216.0.0/15 table 100
ip rule add to 60.218.0.0/15 table 100
ip rule add to 60.220.0.0/14 table 100
ip rule add to 61.48.0.0/14 table 100
ip rule add to 61.52.0.0/15 table 100
ip rule add to 61.54.0.0/16 table 100
ip rule add to 61.55.0.0/16 table 100
ip rule add to 61.133.0.0/17 table 100
ip rule add to 61.134.96.0/19 table 100
ip rule add to 61.134.128.0/18 table 100
ip rule add to 61.134.192.0/18 table 100
ip rule add to 61.135.0.0/16 table 100
ip rule add to 61.136.0.0/18 table 100
ip rule add to 61.136.64.0/18 table 100
ip rule add to 61.137.128.0/17 table 100
ip rule add to 61.138.0.0/18 table 100
ip rule add to 61.138.64.0/18 table 100
ip rule add to 61.138.128.0/18 table 100
ip rule add to 61.139.128.0/18 table 100
ip rule add to 61.148.0.0/15 table 100
ip rule add to 61.156.0.0/16 table 100
ip rule add to 61.158.0.0/17 table 100
ip rule add to 61.158.128.0/17 table 100
ip rule add to 61.159.0.0/18 table 100
ip rule add to 61.161.0.0/18 table 100
ip rule add to 61.161.128.0/17 table 100
ip rule add to 61.162.0.0/16 table 100
ip rule add to 61.163.0.0/16 table 100
ip rule add to 61.167.0.0/16 table 100
ip rule add to 61.168.0.0/16 table 100
ip rule add to 61.176.0.0/16 table 100
ip rule add to 61.179.0.0/16 table 100
ip rule add to 61.180.128.0/17 table 100
ip rule add to 61.181.0.0/16 table 100
ip rule add to 61.182.0.0/16 table 100
ip rule add to 61.189.0.0/17 table 100
ip rule add to 116.2.0.0/15 table 100
ip rule add to 121.16.0.0/13 table 100
ip rule add to 121.24.0.0/14 table 100
ip rule add to 121.28.0.0/15 table 100
ip rule add to 121.30.0.0/16 table 100
ip rule add to 121.31.0.0/16 table 100
ip rule add to 122.96.0.0/15 table 100
ip rule add to 122.136.0.0/13 table 100
ip rule add to 122.156.0.0/14 table 100
ip rule add to 122.192.0.0/14 table 100
ip rule add to 122.198.0.0/16 table 100
ip rule add to 123.4.0.0/14 table 100
ip rule add to 123.8.0.0/13 table 100
ip rule add to 123.112.0.0/12 table 100
ip rule add to 123.128.0.0/13 table 100
ip rule add to 123.137.0.0/16 table 100
ip rule add to 123.138.0.0/15 table 100
ip rule add to 123.144.0.0/14 table 100
ip rule add to 123.148.0.0/16 table 100
ip rule add to 123.152.0.0/13 table 100
ip rule add to 123.188.0.0/14 table 100
ip rule add to 123.232.0.0/14 table 100
ip rule add to 124.64.0.0/15 table 100
ip rule add to 124.66.0.0/17 table 100
ip rule add to 124.67.0.0/16 table 100
ip rule add to 124.88.0.0/16 table 100
ip rule add to 124.89.0.0/17 table 100
ip rule add to 124.89.128.0/17 table 100
ip rule add to 124.90.0.0/15 table 100
ip rule add to 124.92.0.0/14 table 100
ip rule add to 124.128.0.0/13 table 100
ip rule add to 124.160.0.0/16 table 100
ip rule add to 124.161.0.0/16 table 100
ip rule add to 124.162.0.0/16 table 100
ip rule add to 124.163.0.0/16 table 100
ip rule add to 124.164.0.0/14 table 100
ip rule add to 125.32.0.0/16 table 100
ip rule add to 125.33.0.0/16 table 100
ip rule add to 125.34.0.0/16 table 100
ip rule add to 125.35.0.0/17 table 100
ip rule add to 125.35.128.0/17 table 100
ip rule add to 125.36.0.0/14 table 100
ip rule add to 125.40.0.0/13 table 100
ip rule add to 125.211.0.0/16 table 100
ip rule add to 202.96.0.0/18 table 100
ip rule add to 202.96.64.0/21 table 100
ip rule add to 202.96.72.0/21 table 100
ip rule add to 202.96.80.0/20 table 100
ip rule add to 202.97.128.0/18 table 100
ip rule add to 202.97.192.0/19 table 100
ip rule add to 202.97.224.0/21 table 100
ip rule add to 202.97.232.0/21 table 100
ip rule add to 202.97.240.0/20 table 100
ip rule add to 202.98.0.0/21 table 100
ip rule add to 202.98.8.0/21 table 100
ip rule add to 202.98.16.0/20 table 100
ip rule add to 202.99.0.0/18 table 100
ip rule add to 202.99.64.0/19 table 100
ip rule add to 202.99.96.0/21 table 100
ip rule add to 202.99.104.0/21 table 100
ip rule add to 202.99.112.0/20 table 100
ip rule add to 202.99.128.0/19 table 100
ip rule add to 202.99.160.0/21 table 100
ip rule add to 202.99.168.0/21 table 100
ip rule add to 202.99.176.0/20 table 100
ip rule add to 202.99.192.0/21 table 100
ip rule add to 202.99.200.0/21 table 100
ip rule add to 202.99.208.0/20 table 100
ip rule add to 202.99.224.0/21 table 100
ip rule add to 202.99.232.0/21 table 100
ip rule add to 202.99.240.0/20 table 100
ip rule add to 202.102.128.0/21 table 100
ip rule add to 202.102.136.0/21 table 100
ip rule add to 202.102.144.0/20 table 100
ip rule add to 202.102.160.0/19 table 100
ip rule add to 202.102.224.0/21 table 100
ip rule add to 202.102.232.0/21 table 100
ip rule add to 202.102.240.0/20 table 100
ip rule add to 202.106.0.0/16 table 100
ip rule add to 202.107.0.0/17 table 100
ip rule add to 202.108.0.0/16 table 100
ip rule add to 202.110.0.0/18 table 100
ip rule add to 202.110.64.0/18 table 100
ip rule add to 202.110.192.0/18 table 100
ip rule add to 202.111.128.0/19 table 100
ip rule add to 202.111.160.0/19 table 100
ip rule add to 203.93.8.0/24 table 100
ip rule add to 203.93.9.0/24 table 100
ip rule add to 203.93.10.0/23 table 100
ip rule add to 203.93.12.0/22 table 100
ip rule add to 203.93.16.0/20 table 100
ip rule add to 203.93.32.0/19 table 100
ip rule add to 203.93.64.0/18 table 100
ip rule add to 203.93.128.0/21 table 100
ip rule add to 203.93.136.0/22 table 100
ip rule add to 203.93.140.0/24 table 100
ip rule add to 203.93.141.0/24 table 100
ip rule add to 203.93.142.0/23 table 100
ip rule add to 203.93.144.0/20 table 100
ip rule add to 203.93.160.0/19 table 100
ip rule add to 203.93.192.0/18 table 100
ip rule add to 203.175.192.0/18 table 100
ip rule add to 210.13.128.0/17 table 100
ip rule add to 210.14.160.0/19 table 100
ip rule add to 210.14.192.0/19 table 100
ip rule add to 210.14.224.0/19 table 100
ip rule add to 210.15.32.0/19 table 100
ip rule add to 210.15.64.0/19 table 100
ip rule add to 210.15.96.0/19 table 100
ip rule add to 210.15.128.0/18 table 100
ip rule add to 210.21.0.0/17 table 100
ip rule add to 210.21.128.0/17 table 100
ip rule add to 210.22.0.0/16 table 100
ip rule add to 210.51.0.0/16 table 100
ip rule add to 210.52.0.0/18 table 100
ip rule add to 210.52.64.0/18 table 100
ip rule add to 210.52.128.0/17 table 100
ip rule add to 210.53.0.0/17 table 100
ip rule add to 210.53.128.0/17 table 100
ip rule add to 210.74.96.0/19 table 100
ip rule add to 210.74.128.0/19 table 100
ip rule add to 210.78.0.0/19 table 100
ip rule add to 210.82.0.0/15 table 100
ip rule add to 211.144.0.0/15 table 100
ip rule add to 218.7.0.0/16 table 100
ip rule add to 218.8.0.0/15 table 100
ip rule add to 218.10.0.0/16 table 100
ip rule add to 218.11.0.0/16 table 100
ip rule add to 218.12.0.0/16 table 100
ip rule add to 218.21.128.0/17 table 100
ip rule add to 218.24.0.0/15 table 100
ip rule add to 218.26.0.0/16 table 100
ip rule add to 218.27.0.0/16 table 100
ip rule add to 218.28.0.0/15 table 100
ip rule add to 218.56.0.0/14 table 100
ip rule add to 218.60.0.0/15 table 100
ip rule add to 218.62.0.0/17 table 100
ip rule add to 218.67.128.0/17 table 100
ip rule add to 218.68.0.0/15 table 100
ip rule add to 218.104.0.0/17 table 100
ip rule add to 218.104.128.0/19 table 100
ip rule add to 218.104.160.0/19 table 100
ip rule add to 218.104.192.0/21 table 100
ip rule add to 218.104.200.0/21 table 100
ip rule add to 218.104.208.0/20 table 100
ip rule add to 218.104.224.0/19 table 100
ip rule add to 218.105.0.0/16 table 100
ip rule add to 218.106.0.0/15 table 100
ip rule add to 219.154.0.0/15 table 100
ip rule add to 219.156.0.0/15 table 100
ip rule add to 219.158.0.0/17 table 100
ip rule add to 219.158.128.0/17 table 100
ip rule add to 219.159.0.0/18 table 100
ip rule add to 219.232.0.0/14 table 100
ip rule add to 220.248.0.0/14 table 100
ip rule add to 220.252.0.0/16 table 100
ip rule add to 221.0.0.0/15 table 100
ip rule add to 221.2.0.0/16 table 100
ip rule add to 221.3.0.0/17 table 100
ip rule add to 221.3.128.0/17 table 100
ip rule add to 221.4.0.0/16 table 100
ip rule add to 221.5.0.0/17 table 100
ip rule add to 221.5.128.0/17 table 100
ip rule add to 221.6.0.0/16 table 100
ip rule add to 221.7.0.0/19 table 100
ip rule add to 221.7.32.0/19 table 100
ip rule add to 221.7.64.0/19 table 100
ip rule add to 221.7.96.0/19 table 100
ip rule add to 221.7.128.0/17 table 100
ip rule add to 221.8.0.0/15 table 100
ip rule add to 221.10.0.0/16 table 100
ip rule add to 221.11.0.0/17 table 100
ip rule add to 221.11.128.0/18 table 100
ip rule add to 221.11.192.0/19 table 100
ip rule add to 221.11.224.0/19 table 100
ip rule add to 221.12.0.0/17 table 100
ip rule add to 221.12.128.0/18 table 100
ip rule add to 221.13.0.0/18 table 100
ip rule add to 221.13.64.0/19 table 100
ip rule add to 221.13.96.0/19 table 100
ip rule add to 221.13.128.0/17 table 100
ip rule add to 221.14.0.0/15 table 100
ip rule add to 221.136.0.0/16 table 100
ip rule add to 221.192.0.0/15 table 100
ip rule add to 221.194.0.0/16 table 100
ip rule add to 221.195.0.0/16 table 100
ip rule add to 221.196.0.0/15 table 100
ip rule add to 221.198.0.0/16 table 100
ip rule add to 221.199.0.0/19 table 100
ip rule add to 221.199.32.0/20 table 100
ip rule add to 221.199.48.0/20 table 100
ip rule add to 221.199.64.0/18 table 100
ip rule add to 221.199.128.0/18 table 100
ip rule add to 221.199.192.0/20 table 100
ip rule add to 221.199.224.0/19 table 100
ip rule add to 221.200.0.0/14 table 100
ip rule add to 221.204.0.0/15 table 100
ip rule add to 221.206.0.0/16 table 100
ip rule add to 221.207.0.0/18 table 100
ip rule add to 221.207.64.0/18 table 100
ip rule add to 221.207.128.0/17 table 100
ip rule add to 221.208.0.0/14 table 100
ip rule add to 221.212.0.0/16 table 100
ip rule add to 221.213.0.0/16 table 100
ip rule add to 221.214.0.0/15 table 100
ip rule add to 221.216.0.0/13 table 100
ip rule add to 222.128.0.0/14 table 100
ip rule add to 222.132.0.0/14 table 100
ip rule add to 222.136.0.0/13 table 100
ip rule add to 222.160.0.0/15 table 100
ip rule add to 222.162.0.0/16 table 100
ip rule add to 222.163.0.0/19 table 100
ip rule add to 222.163.32.0/19 table 100
ip rule add to 222.163.64.0/18 table 100
ip rule add to 222.163.128.0/17 table 100
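The /etc/cncroute script that step 11 runs is not shown on the page. The script below is an added example of how steps 5 to 7 can be combined into one file; it is not the author's script. It assumes, beyond what the page states, that the Netcom prefix list is kept in /etc/cnc-prefixes (one CIDR per line) and that eth2's subnet is 218.28.1.0/24. It adds source-based rules for the two WAN addresses and the eth2 connected route, and its `check` mode answers, without root, which table a given destination would be looked up in under the prefix list.

```bash
#!/bin/bash
# Added example: a consolidated /etc/cncroute for steps 5-7. This is not the
# page's own script. Assumptions not stated on the page: the Netcom prefixes
# live in /etc/cnc-prefixes (one CIDR per line, # comments allowed) and eth2's
# subnet is 218.28.1.0/24.
CT_IF=eth1;  CT_IP=222.88.1.1;  CT_GW=222.88.1.2
CNC_IF=eth2; CNC_IP=218.28.1.1; CNC_GW=218.28.1.2; CNC_NET=218.28.1.0/24
CNC_TABLE=100
PREFIX_FILE=${PREFIX_FILE:-/etc/cnc-prefixes}
IP=${IP:-ip}            # IP="echo ip" prints the commands instead of running them

# Dotted quad -> 32-bit integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Exit status 0 when address $1 lies inside CIDR prefix $2.
in_prefix() {
    net=${2%/*}; bits=${2#*/}
    if [ "$bits" -eq 0 ]; then mask=0
    else mask=$(( (4294967295 << (32 - bits)) & 4294967295 )); fi
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Offline check of the rule list: prints the table destination $1 would be
# looked up in (100 or main). Prefixes are read from stdin.
select_table() {
    while read -r pfx; do
        case $pfx in ''|'#'*) continue ;; esac
        if in_prefix "$1" "$pfx"; then echo "$CNC_TABLE"; return 0; fi
    done
    echo main
}

# Delete the rules at the priorities this script owns, so it can be re-run.
flush_rules() {
    for pr in 100 101 1000; do
        n=$($IP rule show | grep -c "^$pr:" || true)
        while [ "$n" -gt 0 ]; do $IP rule del priority "$pr"; n=$((n - 1)); done
    done
}

apply_routes() {
    flush_rules
    # `replace` tolerates a default route the installer may have left behind.
    $IP route replace default via "$CT_GW" dev "$CT_IF" table main
    # Table 100 also needs the connected route: 218.28.0.0/15 is in the prefix
    # list, and without it on-link hosts would be sent via the gateway.
    $IP route replace "$CNC_NET" dev "$CNC_IF" src "$CNC_IP" table "$CNC_TABLE"
    $IP route replace default via "$CNC_GW" dev "$CNC_IF" table "$CNC_TABLE"
    # Source-based rules (an addition to the page's step 7): replies sent from
    # each WAN address leave on the line that address belongs to.
    $IP rule add from "$CNC_IP" table "$CNC_TABLE" priority 100
    $IP rule add from "$CT_IP"  table main         priority 101
    # Destination-based rules, one per Netcom prefix, all at one priority.
    while read -r pfx; do
        case $pfx in ''|'#'*) continue ;; esac
        $IP rule add to "$pfx" table "$CNC_TABLE" priority 1000
    done < "$PREFIX_FILE"
    # 2.6.18 kernels keep a route cache; flush it so the new rules apply at once.
    $IP route flush cache
}

case "${1:-}" in
    apply) apply_routes ;;
    check) select_table "$2" < "$PREFIX_FILE" ;;
esac
```

Run `/etc/cncroute apply` from rc.local and `/etc/cncroute check 202.106.0.20` to confirm a destination is classified as expected before trusting `ip route get`. Keeping all destination rules at one priority makes them easy to flush as a group; the `from` rules sit ahead of them because a packet's source decides which line must carry the reply.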

8. ARP binding. Create /etc/ethers with one line per host: the IP address followed by its MAC address (six colon-separated hexadecimal octets). `arp -f` in step 11 loads the file as static ARP entries. Note that this only protects the gateway's own ARP cache; a host that is to be protected from a spoofed gateway must pin the gateway's MAC on its own side as well. Sample format:

192.168.2.102    00:11:5B:1D9:77
192.168.2.111    00:11:5B:1A2:6C
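Building the file by hand for a whole /22 is error-prone, and the two sample MACs above as printed on the page are each missing a digit, which is exactly the kind of line a validator should catch. The script below is an added example, not from the page: it converts the gateway's current `arp -an` output into ethers format and checks every line before `arp -f` is run. The `arp -an` lines in SAMPLE_ARP are constructed and the MAC addresses are made up.

```bash
#!/bin/bash
# Added example, not from the page: build /etc/ethers from the gateway's
# current ARP table and validate it before `arp -f` loads it. The arp -an
# lines in SAMPLE_ARP are constructed and the MAC addresses are made up.

# Exit 0 when $1 is "IP<whitespace>MAC" with a six-octet, colon-separated MAC.
valid_ether_line() {
    printf '%s\n' "$1" | grep -Eq \
      '^[0-9]{1,3}(\.[0-9]{1,3}){3}[[:space:]]+([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}[[:space:]]*$'
}

# Turn `arp -an` output on stdin into ethers lines for interface $1. Entries
# marked <incomplete> have no MAC and are skipped, as are other interfaces.
arp_to_ethers() {
    awk -v dev="$1" '
        /\[ether\]/ && $NF == dev {
            ip = $2; gsub(/[()]/, "", ip)
            print ip "\t" toupper($4)
        }'
}

# Validate an ethers file on stdin: prints each bad line, exit 1 if any.
check_ethers() {
    bad=0
    while read -r line; do
        case $line in ''|'#'*) continue ;; esac
        if ! valid_ether_line "$line"; then echo "bad: $line"; bad=1; fi
    done
    return "$bad"
}

SAMPLE_ARP='? (192.168.2.102) at 00:11:5B:AA:BB:01 [ether] on eth0
? (192.168.2.111) at 00:11:5b:aa:bb:02 [ether] on eth0
? (192.168.2.250) at <incomplete> on eth0
? (222.88.1.2) at 00:1A:2B:3C:4D:5E [ether] on eth1'

# Real use, once every LAN host has been seen on the wire:
#   arp -an | arp_to_ethers eth0 > /etc/ethers && check_ethers < /etc/ethers && arp -f
```

Snapshot the table only when you are sure every host currently in it is the genuine one; an entry poisoned before the snapshot is pinned along with the rest.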

9. Traffic control with tc. HTB with three leaf classes per interface; the script below is stored as /etc/tc. Marks are set in the mangle PREROUTING chain and matched by fw filters: mark 1 is interactive and control traffic (class :11), mark 2 is web traffic (class :12) and mark 5 is everything else (class :15, also the HTB default). Every class has ceil equal to rate, so no class can borrow idle bandwidth from its siblings; raise ceil towards the parent's rate if borrowing is wanted. Packets the router itself originates never pass PREROUTING, so they carry no mark and fall into the default class.
#!/bin/bash
# /etc/tc - HTB shaping on eth0/eth1/eth2, classified by fwmarks set in mangle.
# Remove any existing qdiscs (errors when none exist are ignored).
tc qdisc del dev eth1 root 2>/dev/null
tc qdisc del dev eth1 ingress 2>/dev/null
tc qdisc del dev eth0 root 2>/dev/null
tc qdisc del dev eth0 ingress 2>/dev/null
tc qdisc del dev eth2 root 2>/dev/null
tc qdisc del dev eth2 ingress 2>/dev/null
# Root HTB qdisc per interface; packets that match no filter go to class :15.
tc qdisc add dev eth1 root handle 1: htb default 15
tc qdisc add dev eth2 root handle 2: htb default 15
tc qdisc add dev eth0 root handle 3: htb default 15
# Parent class: the total rate allowed on each interface.
tc class add dev eth1 parent 1:   classid 1:1   htb rate 75Mbit ceil 75Mbit
tc class add dev eth2 parent 2:   classid 2:1   htb rate 75Mbit ceil 75Mbit
tc class add dev eth0 parent 3:   classid 3:1   htb rate 85Mbit ceil 85Mbit
# Leaf classes: :11 interactive/control (mark 1), :12 web (mark 2), :15 bulk/default (mark 5).
# ceil == rate on every leaf, so an idle sibling's bandwidth is never borrowed.
tc class add dev eth1 parent 1:1 classid 1:11 htb rate 30Mbit ceil 30Mbit prio 0
tc class add dev eth2 parent 2:1 classid 2:11 htb rate 30Mbit ceil 30Mbit prio 0
tc class add dev eth0 parent 3:1 classid 3:11 htb rate 40Mbit ceil 40Mbit prio 0
tc class add dev eth1 parent 1:1 classid 1:12 htb rate 25Mbit ceil 25Mbit prio 1
tc class add dev eth2 parent 2:1 classid 2:12 htb rate 25Mbit ceil 25Mbit prio 1
tc class add dev eth0 parent 3:1 classid 3:12 htb rate 25Mbit ceil 25Mbit prio 1
tc class add dev eth1 parent 1:1 classid 1:15 htb rate 20Mbit ceil 20Mbit prio 2
tc class add dev eth2 parent 2:1 classid 2:15 htb rate 20Mbit ceil 20Mbit prio 2
tc class add dev eth0 parent 3:1 classid 3:15 htb rate 20Mbit ceil 20Mbit prio 2
# Fair queuing (sfq) inside the web and bulk leaves so one flow cannot monopolise them;
# :11 keeps HTB's default pfifo.
tc qdisc add dev eth1 parent 1:12 handle 12: sfq
tc qdisc add dev eth1 parent 1:15 handle 15: sfq
tc qdisc add dev eth2 parent 2:12 handle 12: sfq
tc qdisc add dev eth2 parent 2:15 handle 15: sfq
tc qdisc add dev eth0 parent 3:12 handle 12: sfq
tc qdisc add dev eth0 parent 3:15 handle 15: sfq
# fw filters: the iptables mark selects the class.
tc filter add dev eth1 parent 1:0 protocol ip prio 1 handle 1 fw classid 1:11
tc filter add dev eth2 parent 2:0 protocol ip prio 1 handle 1 fw classid 2:11
tc filter add dev eth0 parent 3:0 protocol ip prio 1 handle 1 fw classid 3:11
tc filter add dev eth1 parent 1:0 protocol ip prio 2 handle 2 fw classid 1:12
tc filter add dev eth2 parent 2:0 protocol ip prio 2 handle 2 fw classid 2:12
tc filter add dev eth0 parent 3:0 protocol ip prio 2 handle 2 fw classid 3:12
tc filter add dev eth1 parent 1:0 protocol ip prio 5 handle 5 fw classid 1:15
tc filter add dev eth2 parent 2:0 protocol ip prio 5 handle 5 fw classid 2:15
tc filter add dev eth0 parent 3:0 protocol ip prio 5 handle 5 fw classid 3:15
# Ingress policing on the two WAN lines: inbound traffic above 85Mbit is dropped.
tc qdisc add dev eth1 handle ffff: ingress
tc qdisc add dev eth2 handle ffff: ingress
tc filter add dev eth1 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 85Mbit burst 15k drop flowid :1
tc filter add dev eth2 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 85Mbit burst 15k drop flowid :1
# Marking. Each match sets the mark and then RETURNs so a later rule cannot overwrite it.
iptables -F -t mangle
# Bare SYNs first, so every new connection is marked 1. (The original script inserted these
# two rules with -I, which put the RETURN in front of the MARK and left SYNs unmarked.)
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
iptables -t mangle -A PREROUTING -m tos --tos Minimize-Delay -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -m tos --tos Minimize-Delay -j RETURN
iptables -t mangle -A PREROUTING -p icmp -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p icmp -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 22 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 22 -j RETURN
iptables -t mangle -A PREROUTING -p udp -m udp --dport 53 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p udp -m udp --dport 53 -j RETURN
# Ports of the hosted services (site-specific; 6299 was listed twice in the original).
iptables -t mangle -A PREROUTING -p tcp -m multiport --ports 6299,39311,10001,13000,29000,28088,7000,7100,30810,6020,40041,54321,5858 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp -m multiport --ports 6299,39311,10001,13000,29000,28088,7000,7100,30810,6020,40041,54321,5858 -j RETURN
# Small TCP segments (mostly ACKs) stay in the fast class.
iptables -t mangle -A PREROUTING -p tcp -m length --length :500 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp -m length --length :500 -j RETURN
# Web traffic in either direction.
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j MARK --set-mark 0x2
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j MARK --set-mark 0x2
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 443 -j MARK --set-mark 0x2
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 443 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 443 -j MARK --set-mark 0x2
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 443 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 8080 -j MARK --set-mark 0x2
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 8080 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 8080 -j MARK --set-mark 0x2
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 8080 -j RETURN
# Everything else: bulk class.
iptables -t mangle -A PREROUTING -j MARK --set-mark 0x5
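With ceil pinned to rate, the only way to tell whether a service class is too small is to watch its drop counter. The functions below are an added example, not from the page: they summarise `tc -s class show dev eth1` output so the saturated class and each leaf's share of the parent's traffic can be read off directly. SAMPLE_TC is constructed in the layout tc prints; the counters are made up.

```bash
#!/bin/bash
# Added example, not from the page: summarise `tc -s class show dev eth1` so
# you can see which HTB class is dropping, i.e. which service class is saturated
# (with ceil == rate it cannot borrow). SAMPLE_TC is constructed in the layout
# tc prints; the counters are made up.

# stdin: tc -s class show output. stdout: "classid sent_bytes dropped overlimits".
htb_class_stats() {
    awk '
        /^class htb/ { cls = $3 }
        /^ *Sent / {
            dropped = $7; sub(/,$/, "", dropped)
            print cls, $2, dropped, $9
        }'
}

# Classes whose drop counter exceeds $1 (default 0).
saturated_classes() {
    htb_class_stats | awk -v thr="${1:-0}" '$3 > thr { print $1 }'
}

# Share of the parent class 1:1 bytes that each leaf has sent, in whole percent.
leaf_share_percent() {
    htb_class_stats | awk '
        $1 == "1:1" { total = $2 }
        $1 != "1:1" && total > 0 { printf "%s %d\n", $1, $2 * 100 / total }'
}

SAMPLE_TC='class htb 1:1 root rate 75000Kbit ceil 75000Kbit burst 95000b cburst 95000b
 Sent 49200000 bytes 40000 pkt (dropped 0, overlimits 120 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 1 ctokens: 1
class htb 1:11 parent 1:1 prio 0 rate 30000Kbit ceil 30000Kbit burst 38750b cburst 38750b
 Sent 1200000 bytes 9000 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 9000 borrowed: 0 giants: 0
 tokens: 1 ctokens: 1
class htb 1:15 parent 1:1 leaf 15: prio 2 rate 20000Kbit ceil 20000Kbit burst 26250b cburst 26250b
 Sent 48000000 bytes 31000 pkt (dropped 412, overlimits 2210 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 31000 borrowed: 0 giants: 0
 tokens: 1 ctokens: 1'

# Live use:  tc -s class show dev eth1 | saturated_classes
#            tc -s class show dev eth1 | leaf_share_percent
```

A class that drops while its siblings sit idle is the signature of ceil == rate; the fix is either more rate for that class or a ceil that lets it borrow.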

10. The firewall script (stored as /etc/fire). INPUT is default-deny, FORWARD and OUTPUT are open. Both SYN-limiting chains apply one global rate to all clients combined rather than a per-source one, so under load legitimate clients get resets too; the comments in the script point out which rules are effective and which are not.

#!/bin/sh
/sbin/modprobe ip_tables
# FTP helpers so active and passive FTP through the NAT work.
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp

iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X

iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

#Allow SSH connection
iptables -A INPUT -i lo -j ACCEPT
# RELATED admits ICMP errors and FTP data connections addressed to the router itself.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# This accepts SSH on both public lines as well; add -i eth0 or a -s restriction
# if the box is only to be managed from the LAN.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

#ICMP (the original heading said IGMP; these rules match ICMP), rate-limited per destination network
iptables -A INPUT -p ICMP -d 218.28.1.0/24 -m limit --limit 1/s --limit-burst 10 -j ACCEPT
iptables -A INPUT -p ICMP -d 222.88.1.0/24 -m limit --limit 1/s --limit-burst 10 -j ACCEPT
iptables -A INPUT -p ICMP -d 192.168.0.0/22 -m limit --limit 1/s --limit-burst 10 -j ACCEPT
# Fragments: conntrack reassembles packets before the filter table sees them, so this rarely matches.
iptables -A INPUT -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

#SYN flood
# Global limit: one new TCP connection per second to the router from all sources combined;
# anything beyond that is answered with a RST. Port 22 is already accepted above, so this
# chain mostly decides how the router refuses other connections. A per-source hashlimit
# is the usual alternative.
iptables -N synflood
iptables -A synflood -p tcp --syn -m limit --limit 1/s -j RETURN
iptables -A synflood -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -m state --state NEW -j synflood

# The FORWARD policy is ACCEPT, so these three rate-limited ACCEPTs change nothing:
# packets over the limit simply fall through to the policy. Enforcing 1/s with a trailing
# DROP would throttle the whole LAN to one new connection per second; per-source
# limiting is needed instead.
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# Second, overlapping SYN chain (3/s, burst 6): SYNs that pass synflood land here and are
# REJECTed beyond this limit. Either chain alone would do.
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
iptables -A syn-flood -j REJECT

#NAT
iptables -t nat -A POSTROUTING -s 192.168.0.0/22 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/22 -o eth2 -j MASQUERADE
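The script below is an added example, not the page's firewall: it replaces the global `-m limit` chains with one per-source hashlimit chain used from both INPUT and FORWARD, so a single abusive source is throttled without resetting everyone else, and the FORWARD check actually enforces something. The rates, the LAN-only SSH rule and the LOG prefix are assumptions; `--hashlimit` is the option name of the RHEL 5 era, which newer iptables still accept alongside `--hashlimit-upto`.

```bash
#!/bin/sh
# Added example, not the page's script: per-source SYN limiting with hashlimit.
# The page's chains apply one global `-m limit 1/s` to every client combined,
# which resets legitimate clients under load (INPUT) or, with FORWARD's ACCEPT
# policy, enforces nothing. Rates and the LAN-only SSH rule are assumptions.
IPT=${IPT:-iptables}            # IPT="echo iptables" prints instead of applying
LAN_IF=${LAN_IF:-eth0}
SYN_RATE=${SYN_RATE:-20/s}      # new connections per source per second (assumed)
SYN_BURST=${SYN_BURST:-40}

# One chain shared by INPUT and FORWARD: RETURN while the source is within its
# quota, otherwise log (throttled) and drop. srcip mode keys the bucket on the
# client address, so one abuser cannot use up everyone else's allowance.
# Spoofed sources still get a bucket each; the ingress police rate in the tc
# script is the backstop for that.
synflood_chain() {
    $IPT -N synflood
    $IPT -A synflood -m hashlimit --hashlimit "$SYN_RATE" --hashlimit-burst "$SYN_BURST" \
         --hashlimit-mode srcip --hashlimit-name synflood -j RETURN
    $IPT -A synflood -m limit --limit 5/min -j LOG --log-prefix "SYNFLOOD: "
    $IPT -A synflood -j DROP
}

input_rules() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    # RELATED admits ICMP errors and FTP data connections for the router itself.
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Every new TCP connection to the router passes the per-source check first.
    $IPT -A INPUT -p tcp --syn -m state --state NEW -j synflood
    # SSH only from the LAN side (assumption: the box is managed from inside).
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
}

forward_rules() {
    $IPT -P FORWARD ACCEPT
    # Same per-source quota for connections through the NAT.
    $IPT -A FORWARD -p tcp --syn -m state --state NEW -j synflood
}

build_firewall() {
    $IPT -F
    $IPT -X
    synflood_chain
    input_rules
    forward_rules
}

case "${1:-}" in apply) build_firewall ;; esac
```

Run it with `IPT="echo iptables" ./fire apply` first to review the generated rules; the LOG line with its own 5/min limit keeps a flood from filling the log while still recording that throttling happened.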

11. Finally, /etc/rc.local runs everything at boot, in this order: routes, firewall, ARP binding, shaping (the three scripts need execute permission):
#!/bin/sh
touch /var/lock/subsys/local
echo "1" > /proc/sys/net/ipv4/ip_forward
# conntrack table size; this is the ip_conntrack path on RHEL 5 (nf_conntrack kernels use /proc/sys/net/netfilter/nf_conntrack_max)
echo "65535" > /proc/sys/net/ipv4/ip_conntrack_max
/etc/cncroute      # steps 5, 6 and 7
/etc/fire          # step 10
arp -f             # loads the static entries from /etc/ethers (step 8)
/etc/tc            # step 9
# Note: steps 5, 6 and 7 are merged into the /etc/cncroute script.

Source: http://hi.baidu.com/barcating/blog/item/647825746159a402b151b939.html