vlan资料(zt)
原文
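呵呵,你的意思是 internet | squid代理(没有做路由转发) | 客服 这个样子的把,其实你打开echo 1 > /proc/sys/net/ipv4/ip_forward 并且开放出去的53端口就可以。 你怎么不在linux上也做nat,而在csico上做呢?一般网络都讲层次。越是核心层的设备就应该尽量让他跑的规则少,这样不但可以保证包转发速度也可以不会因为核心层的设备出问题。 这个是我们学校的nat上的规则。
#!/bin/bash
#
# Campus NAT gateway + transparent HTTP proxy (2005-era script: vconfig,
# ip_conntrack-style module names, "-m state").
#
#   eth0  = inside, 802.1Q trunk; one sub-interface per user VLAN (eth0.<id>)
#   eth1  = outside / uplink; the internal ranges are masqueraded behind it
#   squid = expected on this host, port 3128 (transparent redirect target)
#
# Review notes against the original listing:
#   * ip_forward is switched on LAST, after the rule set is loaded. The
#     original enabled it first, so for the duration of the flush the box
#     forwarded with empty tables and ACCEPT policies. (On a re-run it is
#     already on from the previous run; set it to 0 at the top if that
#     window matters more than a sub-second outage.)
#   * The INPUT "no NEW/INVALID from outside" rule, commented out in the
#     original, is enabled. With policy ACCEPT and no INPUT rule the gateway
#     itself was reachable from the Internet on every listening port
#     (squid 3128, sshd, ...). If this box is administered from the outside,
#     add an explicit ACCEPT for that port before the INPUT state rule.
#   * The transparent-proxy REDIRECT rules matched "-i eth1". eth1 is the
#     outside interface everywhere else in this script (MASQUERADE -o eth1,
#     FORWARD -i eth1 state rule), so client HTTP arriving on the VLAN
#     sub-interfaces was never redirected; the only packets that would have
#     matched are ones arriving from the uplink with a forged internal source.
#     They now match "-i eth0+" (eth0 and every eth0.N). The VOD bypass rule
#     got the same change: "-i eth0" alone does not match tagged
#     sub-interfaces. Confirm against the real interface layout.
#   * Anti-spoofing added: the masqueraded ranges must never arrive on eth1.
#     If eth1's own subnet falls inside one of them, ACCEPT that subnet first.
#   * Policies stay ACCEPT as in the original, so the explicit DROP rules
#     below are the entire defence; a default-DROP FORWARD/INPUT with
#     explicit ACCEPTs would be the stronger design.

set -u

IPT=/sbin/iptables
INSIDE='eth0+'   # wildcard: eth0 and all eth0.<vlan> sub-interfaces
OUTSIDE=eth1

# Conntrack / neighbour-table sizing, left disabled as in the original. On a
# campus NAT the conntrack table is a DoS surface: once it is full, new
# connections are dropped. Note the original appended to a RELATIVE
# "sysctl.conf" (i.e. ./sysctl.conf); the real file is /etc/sysctl.conf.
#echo 100000 > /proc/sys/net/ipv4/ip_conntrack_max
#  net.ipv4.neigh.default.gc_thresh1 = 512    -> /etc/sysctl.conf, then sysctl -p
#  net.ipv4.neigh.default.gc_thresh2 = 2048
#  net.ipv4.neigh.default.gc_thresh3 = 4096

# --- VLAN sub-interfaces ---------------------------------------------------
# <vlan id> <this host's address on that VLAN>
# NOTE(review): 219.221.180.128/26 is the network address of that /26, not a
# host address; probably meant .129. Kept as in the original - confirm.
while read -r vid addr; do
  [ -n "$vid" ] || continue
  vconfig add eth0 "$vid"
  ip address add "$addr" dev "eth0.$vid"
  ip link set dev "eth0.$vid" up
done <<'EOF'
12 210.41.126.65/26
15 219.221.176.1/24
17 219.221.177.1/24
18 219.221.178.1/24
19 219.221.179.1/24
20 219.221.180.1/25
21 219.221.180.128/26
22 219.221.180.193/26
51 219.221.181.1/24
52 219.221.182.1/24
53 219.221.183.1/24
54 219.221.184.1/24
55 219.221.185.1/24
56 219.221.186.1/24
57 219.221.187.1/24
EOF

# --- Static routes towards the internal core router (on VLAN 51) -----------
# The 219.221.176.0/20 supernet route only covers the parts of the /20 not
# directly connected above; connected /24s are more specific and win.
for net in 192.168.0.0/16 210.41.120.0/21 219.221.176.0/20 \
           61.139.105.128/27 61.139.105.96/27; do
  ip route add "$net" via 219.221.181.254
done

# --- Netfilter modules -----------------------------------------------------
# 2.4 / early-2.6 names. Built-in or already-loaded modules make modprobe
# complain; that is harmless, hence the silenced stderr (the original listed
# every module twice, once with and once without the redirect).
for m in ip_tables iptable_filter ip_conntrack ip_conntrack_ftp \
         ip_conntrack_irc ip_nat_ftp ip_nat_irc; do
  modprobe "$m" 2>/dev/null
done

# --- Reset to a clean, fully-open state ------------------------------------
$IPT -F;        $IPT -X;        $IPT -Z
$IPT -t nat -F; $IPT -t nat -X; $IPT -t nat -Z
$IPT -P INPUT   ACCEPT
$IPT -P OUTPUT  ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -t nat -P PREROUTING  ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT      ACCEPT

# --- Filter: inbound from the uplink ---------------------------------------
# Anti-spoofing: packets claiming an internal source must not come from eth1.
for net in 219.221.176.0/20 210.41.120.0/21; do
  $IPT -A INPUT   -i "$OUTSIDE" -s "$net" -j DROP
  $IPT -A FORWARD -i "$OUTSIDE" -s "$net" -j DROP
done
# No new or invalid connections from the outside - neither to this host
# (INPUT) nor through it (FORWARD). Replies to connections opened from the
# inside are ESTABLISHED/RELATED and fall through to the ACCEPT policy.
$IPT -A INPUT   -i "$OUTSIDE" -m state --state NEW,INVALID -j DROP
$IPT -A FORWARD -i "$OUTSIDE" -m state --state NEW,INVALID -j DROP

# --- Filter: per-port blocklist, both directions through the box -----------
# tftp, NetBIOS/SMB, MS-RPC, VNC, IRC, BitTorrent and what look like the
# worm/backdoor ports of the period. Lists are exactly the original's;
# 4899/tcp (Radmin) was commented out there and stays off, and 1433 appears
# only in the udp list - review whether that is intended.
for p in 69 135 136 137 139 138 445 593 1025 1068 1042 1234 2754 3333 3127 \
         4444 5554 5800 5900 6667 6881 9995 9996; do
  $IPT -A FORWARD -p tcp --dport "$p" -j DROP
done
for p in 69 135 136 137 138 139 593 1042 1234 1433 1434 3333 3127 4444 \
         5800 5900 6667 9000; do
  $IPT -A FORWARD -p udp --dport "$p" -j DROP
done

# --- NAT -------------------------------------------------------------------
# Masquerade the internal ranges behind eth1's address.
for net in 219.221.176.0/20 210.41.120.0/21; do
  $IPT -t nat -A POSTROUTING -o "$OUTSIDE" -s "$net" -j MASQUERADE
done

# vod.zgcnc.net: an ACCEPT in nat/PREROUTING ends traversal of that chain,
# so HTTP to this destination bypasses the transparent proxy below.
$IPT -t nat -A PREROUTING -i "$INSIDE" -p tcp -d 221.10.166.0/24 --dport 80 -j ACCEPT

# Transparent proxy: internal HTTP goes to the local squid on 3128.
# (Original matched "-i eth1"; see review notes at the top.)
for net in 219.221.176.0/20 210.41.120.0/21; do
  $IPT -t nat -A PREROUTING -i "$INSIDE" -p tcp -s "$net" --dport 80 \
       -j REDIRECT --to-port 3128
done

# --- Forwarding on, now that the rule set is in place ----------------------
echo 1 > /proc/sys/net/ipv4/ip_forward
这个应该以前LEOD都发过吧,呵呵,我们是一起的。 hofman 2005-03-20 10:43:27 评论:0 阅读:1321 引用:0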