ubuntu16.04搭建軟路由


本文方法適用於 Ubuntu 16.04 及更早版本;18.04 起改用 netplan 管理網絡,配置方法不同。

開啟ubuntu核心轉發

在/etc/sysctl.conf寫入

net.ipv4.ip_forward=1

執行 sysctl -p 使其生效。開啟後,本機會在各網卡(包括各 vlan 與 eth1)之間轉發數據包,哪些流量允許轉發由下文 iptables 的 FORWARD 規則決定。

配置dns服務

apt-get update && apt-get install -y dnsmasq
vim /etc/dnsmasq.conf

dnsmasq配置參考:https://blog.51cto.com/longlei/2065967

配置dhcp服務

apt install isc-dhcp-server vlan
vim /etc/default/isc-dhcp-server
vim /etc/dhcp/dhcpd.conf
service isc-dhcp-server restart

/etc/default/isc-dhcp-server參考:

# Defaults for isc-dhcp-server initscript
# sourced by /etc/init.d/isc-dhcp-server
# installed at /etc/default/isc-dhcp-server by the maintainer scripts

#
# This is a POSIX shell fragment
#

# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
#DHCPD_CONF=/etc/dhcp/dhcpd.conf

# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
#DHCPD_PID=/var/run/dhcpd.pid

# Additional options to start dhcpd with.
#   Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS=""

# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
#   Separate multiple interfaces with spaces, e.g. "eth0 eth1".
#   Only the four LAN-side VLAN interfaces are listed; eth1 (the WAN uplink) is
#   left out, so dhcpd does not answer DHCP requests arriving on that side.
INTERFACES="vlan10 vlan11 vlan12 vlan13"

/etc/dhcp/dhcpd.conf參考

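# Lease lifetimes in seconds: 1 hour by default, 6 hours at most.
default-lease-time 3600;
max-lease-time 21600;
# Marks this server as the authority for the subnets declared below, so it
# will NAK clients holding addresses it considers wrong. Use this only where
# it is the sole DHCP server on those segments.
authoritative;

# vlan10 (LAN). The netmask is 255.255.255.0 so that it agrees with the
# network number 192.168.66.0, with the subnet-mask option handed to clients,
# and with the netmask configured on the vlan10 interface. The original
# 255.255.0.0 does not match network number 192.168.66.0.
subnet 192.168.66.0 netmask 255.255.255.0 {
  interface vlan10;
  option routers 192.168.66.1;
  option subnet-mask 255.255.255.0;
  range 192.168.66.128 192.168.66.254;
}

# Static reservation: this MAC address always receives 192.168.66.16, which
# lies outside the dynamic range of the vlan10 subnet.
host demo {
  hardware ethernet 00:1c:39:dd:1f:08;
  fixed-address 192.168.66.16;
}

# vlan11: the router address is the one configured on the vlan11 interface.
subnet 10.101.0.0 netmask 255.255.255.0 {
  interface vlan11;
  option routers 10.101.0.1;
  option subnet-mask 255.255.255.0;
  range 10.101.0.100 10.101.0.254;
}

# vlan12
subnet 10.201.0.0 netmask 255.255.255.0 {
  interface vlan12;
  option routers 10.201.0.1;
  option subnet-mask 255.255.255.0;
  range 10.201.0.100 10.201.0.254;
}

# vlan13
subnet 10.105.0.0 netmask 255.255.255.0 {
  interface vlan13;
  option routers 10.105.0.1;
  option subnet-mask 255.255.255.0;
  range 10.105.0.100 10.105.0.254;
}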

配置網卡vlan

eth0用於配置內部網絡即lan

eth1用於連接公網即wan

vim /etc/network/interfaces.d/eth0

配置參考:

# Four VLAN sub-interfaces on the LAN NIC eth0, each with a static /24 address.
# Each address is the gateway that dhcpd.conf advertises as "option routers"
# for the matching subnet.
# NOTE(review): the VLAN ID is presumably derived from the interface name
# (vlan10 -> ID 10) by the ifupdown hook of the "vlan" package — confirm.
auto vlan10
iface vlan10 inet static
address 192.168.66.1
netmask 255.255.255.0
mtu 1500
vlan_raw_device eth0

# Gateway for 10.101.0.0/24
auto vlan11
iface vlan11 inet static
address 10.101.0.1
netmask 255.255.255.0
mtu 1500
vlan_raw_device eth0

# Gateway for 10.201.0.0/24
auto vlan12
iface vlan12 inet static
address 10.201.0.1
netmask 255.255.255.0
mtu 1500
vlan_raw_device eth0

# Gateway for 10.105.0.0/24
auto vlan13
iface vlan13 inet static
address 10.105.0.1
netmask 255.255.255.0
mtu 1500
vlan_raw_device eth0

eth1:

vim /etc/network/interfaces.d/eth1
auto eth1
iface eth1 inet dhcp

配置iptables

開啟 SNAT(MASQUERADE),將內部網絡的數據經 eth1 轉發到公網。注意:用 iptables 命令添加的規則重啟後會丟失,需另行保存(例如 iptables-save)並在開機時恢復。

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

其他用途:

nat端口轉發

10.6.10.157 為 eth1 的 IP,192.168.66.11:443 為內部服務的地址與端口。此規則會把該內部服務暴露在 eth1 一側的 8001 端口,建議用 -s 限定允許訪問的來源地址。

iptables -t nat -A PREROUTING -d 10.6.10.157 -p tcp --dport 8001 -j DNAT --to 192.168.66.11:443

網絡轉發限制

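-s 是源地址(source)

-d 是目標地址(destination)

規則按添加順序匹配。如未另行設置,FORWARD 鏈的默認策略為 ACCEPT,未命中任何規則的流量仍會被轉發;若要默認拒絕,需將默認策略設為 DROP,並先放行 ESTABLISHED,RELATED 狀態的回程流量。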

iptables -A FORWARD -s 192.168.128.0/17 -d 192.168.66.16 -j ACCEPT
iptables -A FORWARD -s 10.11.0.0/24 -d 10.105.0.0/24 -j DROP

流量抓取

-s0 抓取完整數據包,-G 3600 每小時輪轉一個文件。pcap 文件可能包含憑據等敏感內容,需注意文件權限與磁盤空間。

tcpdump -i eth0 -s0 -G 3600 -w  '%Y-%m-%d_%H:%M.pcap'

esxi流量抓取

nohup pktcap-uw --switchport 33554434 -G 60 -o '%Y-%m-%d_%H:%M.pcap' &

配合esxi超好用

