
vlan资料(zt)

 农夫子oice 2008-09-08
 
vlan资料(zt)
原文
呵呵,你的意思是
internet
|
squid代理(没有做路由转发)
|
客服
这个样子的吧,其实你打开 echo 1 > /proc/sys/net/ipv4/ip_forward
并且开放出去的 53 端口就可以。
你怎么不在 Linux 上也做 NAT,而在 Cisco 上做呢?一般网络都讲层次:越是核心层的设备,就应该尽量让它跑的规则少,这样不但可以保证包转发速度,也不会让核心层的设备出问题。
这个是我们学校的nat上的规则。
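#!/bin/bash
# Campus NAT gateway bring-up, as posted ("the rules on our school's NAT box").
#
# What it does, in order:
#   1. enables IPv4 forwarding
#   2. creates one 802.1Q sub-interface per campus VLAN on eth0 and assigns
#      its gateway address
#   3. adds the static routes toward the core router (219.221.181.254)
#   4. loads the netfilter/conntrack helper modules, flushes the filter and
#      nat tables and sets every built-in policy to ACCEPT
#   5. appends a FORWARD blacklist (state check on the uplink plus a list of
#      destination ports dropped in both directions)
#   6. masquerades the campus prefixes out of eth1 and redirects port-80
#      traffic to the local proxy on 3128
#
# Interfaces: eth0 = campus side (VLAN trunk), eth1 = uplink.
# Because the tables are flushed with ACCEPT policies *before* any DROP rule
# is appended, the box forwards everything while this script runs and if it
# stops half-way.  Failed steps are reported on stderr and counted; the
# script keeps going (as the original did) and exits non-zero at the end if
# anything failed.  Must run as root.

readonly IPTABLES=/sbin/iptables
readonly INSIDE_IF=eth0          # campus-facing trunk carrying the VLANs below
readonly OUTSIDE_IF=eth1         # uplink; NAT happens on the way out of it
readonly CORE_GW=219.221.181.254
readonly PROXY_PORT=3128         # local transparent HTTP proxy

# "<vlan id> <gateway address/prefix>" for each sub-interface of $INSIDE_IF.
readonly -a VLANS=(
  "12 210.41.126.65/26"
  "15 219.221.176.1/24"
  "17 219.221.177.1/24"
  "18 219.221.178.1/24"
  "19 219.221.179.1/24"
  "20 219.221.180.1/25"
  "21 219.221.180.128/26"
  "22 219.221.180.193/26"
  "51 219.221.181.1/24"
  "52 219.221.182.1/24"
  "53 219.221.183.1/24"
  "54 219.221.184.1/24"
  "55 219.221.185.1/24"
  "56 219.221.186.1/24"
  "57 219.221.187.1/24"
)

# Prefixes reached via $CORE_GW.  Same routes as the original
# `route add -net ... netmask ...` lines, written in CIDR
# (255.255.0.0=/16, 255.255.248.0=/21, 255.255.240.0=/20, 255.255.255.224=/27).
readonly -a CORE_ROUTES=(
  192.168.0.0/16
  210.41.120.0/21
  219.221.176.0/20
  61.139.105.128/27
  61.139.105.96/27
)

# Campus source prefixes that are masqueraded and sent to the proxy.
readonly -a CAMPUS_NETS=(
  219.221.176.0/20
  210.41.120.0/21
)

# Destination ports dropped in FORWARD.  The rules carry no -i/-o, so they
# apply to traffic in both directions.  Mostly Windows RPC/NetBIOS/SMB,
# TFTP, MS-SQL and ports associated with the worms and P2P clients of the
# time.  4899 was commented out in the original and is left out here too.
readonly -a DROP_TCP_PORTS=(69 135 136 137 139 138 445 593 1025 1068 1042 1234
  2754 3333 3127 4444 5554 5800 5900 6667 6881 9995 9996)
readonly -a DROP_UDP_PORTS=(69 135 136 137 138 139 593 1042 1234 1433 1434
  3333 3127 4444 5800 5900 6667 9000)

FAILURES=0

#######################################
# Print a fatal message to stderr and exit 1.
#######################################
die() {
  printf '%s: %s\n' "${0##*/}" "$*" >&2
  exit 1
}

#######################################
# Print a warning to stderr and count it; the script goes on.
# Globals: FAILURES (written)
#######################################
warn() {
  printf '%s: warning: %s\n' "${0##*/}" "$*" >&2
  FAILURES=$((FAILURES + 1))
}

#######################################
# Turn the box into a router.
# The commented-out tuning from the original (conntrack table size, ARP
# neighbour-table thresholds) is kept for reference.  Note that its
# `>> sysctl.conf` is a relative path and would append to a file in the
# current directory, not /etc/sysctl.conf.
#######################################
enable_forwarding() {
  echo 1 > /proc/sys/net/ipv4/ip_forward || die "cannot enable ip_forward"
  #echo 100000 > /proc/sys/net/ipv4/ip_conntrack_max
  #Neighbour table overflow
  #echo "net.ipv4.neigh.default.gc_thresh1 = 512" >> sysctl.conf
  #echo "net.ipv4.neigh.default.gc_thresh2 = 2048" >> sysctl.conf
  #echo "net.ipv4.neigh.default.gc_thresh3 = 4096" >> sysctl.conf
  #sysctl -p
}

#######################################
# Create $INSIDE_IF.<id> for every entry in VLANS, address it and bring it up.
# vconfig is kept because the original depends on it; iproute2 alone can do
# the same with `ip link add link eth0 name eth0.<id> type vlan id <id>`.
# Globals: VLANS, INSIDE_IF (read)
#######################################
setup_vlans() {
  local entry vid addr dev
  for entry in "${VLANS[@]}"; do
    read -r vid addr <<<"$entry"
    dev="${INSIDE_IF}.${vid}"
    vconfig add "$INSIDE_IF" "$vid" || warn "vconfig add $dev failed"
    ip address add "$addr" dev "$dev" || warn "cannot add $addr to $dev"
    ip link set dev "$dev" up || warn "cannot bring up $dev"
  done
}

#######################################
# Static routes toward the core router.
# Globals: CORE_ROUTES, CORE_GW (read)
#######################################
setup_routes() {
  local net
  for net in "${CORE_ROUTES[@]}"; do
    ip route add "$net" via "$CORE_GW" || warn "route $net via $CORE_GW failed"
  done
}

#######################################
# Load the netfilter and conntrack helper modules once (the original loaded
# most of them twice).  These are the 2.4/early-2.6 module names; on newer
# kernels the equivalents are nf_conntrack* and nf_nat_*, and modprobe fails
# harmlessly when the functionality is built into the kernel -- hence warn,
# not die, and stderr suppressed as in the original.
#######################################
load_modules() {
  local mod
  for mod in ip_tables ip_nat_ftp ip_nat_irc iptable_filter \
             ip_conntrack ip_conntrack_ftp ip_conntrack_irc; do
    modprobe "$mod" 2>/dev/null || warn "modprobe $mod failed (built in?)"
  done
}

#######################################
# Flush both tables, delete user chains, zero counters, and set every
# built-in policy to ACCEPT.  With default-ACCEPT the blacklist installed
# afterwards is the only filtering between the uplink and the campus.
# Globals: IPTABLES (read)
#######################################
reset_tables() {
  local table chain
  for table in filter nat; do
    "$IPTABLES" -t "$table" -F || warn "flush of $table table failed"
    "$IPTABLES" -t "$table" -X || warn "cannot delete user chains in $table"
    "$IPTABLES" -t "$table" -Z || warn "cannot zero counters in $table"
  done
  for chain in INPUT OUTPUT FORWARD; do
    "$IPTABLES" -t filter -P "$chain" ACCEPT || warn "policy on filter/$chain failed"
  done
  for chain in PREROUTING POSTROUTING OUTPUT; do
    "$IPTABLES" -t nat -P "$chain" ACCEPT || warn "policy on nat/$chain failed"
  done
}

#######################################
# FORWARD blacklist.  Order is preserved from the original: the state rule
# on the uplink first, then the TCP ports, then the UDP ports.
# The matching INPUT rule was commented out in the original, so with the
# INPUT policy at ACCEPT the gateway itself still accepts any new connection
# arriving on the uplink; it is left commented here for the same reason.
# Globals: IPTABLES, OUTSIDE_IF, DROP_TCP_PORTS, DROP_UDP_PORTS (read)
#######################################
add_filter_rules() {
  local port
  #"$IPTABLES" -t filter -A INPUT -i "$OUTSIDE_IF" -m state --state NEW,INVALID -j DROP
  "$IPTABLES" -t filter -A FORWARD -i "$OUTSIDE_IF" -m state --state NEW,INVALID -j DROP \
    || warn "FORWARD state rule on $OUTSIDE_IF failed"
  for port in "${DROP_TCP_PORTS[@]}"; do
    "$IPTABLES" -t filter -A FORWARD -p tcp --dport "$port" -j DROP \
      || warn "drop rule for tcp/$port failed"
  done
  for port in "${DROP_UDP_PORTS[@]}"; do
    "$IPTABLES" -t filter -A FORWARD -p udp --dport "$port" -j DROP \
      || warn "drop rule for udp/$port failed"
  done
}

#######################################
# NAT: masquerade the campus prefixes on the way out of the uplink, let
# port-80 traffic to vod.zgcnc.net bypass the proxy, then redirect the rest
# of campus HTTP to the local proxy.
# NOTE(review): the REDIRECT rules match -i $OUTSIDE_IF (eth1) with campus
# *source* prefixes, while the vod bypass matches -i $INSIDE_IF (eth0) and
# the masquerade uses -o eth1; campus-originated packets would normally enter
# on eth0, so as written the redirect may never match.  Kept exactly as in
# the original -- confirm which interface is intended (the earlier,
# commented-out variant below had no -i at all).
# Globals: IPTABLES, INSIDE_IF, OUTSIDE_IF, CAMPUS_NETS, PROXY_PORT (read)
#######################################
add_nat_rules() {
  local net
  for net in "${CAMPUS_NETS[@]}"; do
    "$IPTABLES" -t nat -A POSTROUTING -o "$OUTSIDE_IF" -s "$net" -j MASQUERADE \
      || warn "masquerade for $net failed"
  done
  #vod.zgcnc.net -- must precede the REDIRECT rules to take effect
  "$IPTABLES" -t nat -A PREROUTING -i "$INSIDE_IF" -p tcp -d 221.10.166.0/24 --dport 80 -j ACCEPT \
    || warn "vod bypass rule failed"
  #"$IPTABLES" -t nat -A PREROUTING -p tcp -s 219.221.176.0/20 --dport 80 -j REDIRECT --to-port "$PROXY_PORT"
  for net in "${CAMPUS_NETS[@]}"; do
    "$IPTABLES" -t nat -A PREROUTING -i "$OUTSIDE_IF" -p tcp -s "$net" --dport 80 \
      -j REDIRECT --to-port "$PROXY_PORT" || warn "redirect for $net failed"
  done
}

#######################################
# Entry point.  Runs every step in the original order and exits 1 if any
# step was reported by warn().
#######################################
main() {
  [[ $EUID -eq 0 ]] || die "must run as root"
  enable_forwarding
  setup_vlans
  setup_routes
  load_modules
  reset_tables
  add_filter_rules
  add_nat_rules
  if (( FAILURES > 0 )); then
    printf '%s: %d step(s) failed; the configuration may be incomplete\n' \
      "${0##*/}" "$FAILURES" >&2
    exit 1
  fi
}

main "$@"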

这个应该以前LEOD都发过吧,呵呵,我们是一起的。
hofman   2005-03-20 10:43:27 评论:0   阅读:1321   引用:0
 
 
