Suppose that in your company's network, besides the ordinary employees' PCs that connect directly to the outward-facing router for Internet access, there is one internal department that needs a more secure, isolated environment. That part of the network might then be laid out as follows (extended from the contents of Figure 3.2-1):
Figure 8.2-1: Schematic of a router architecture using static routes
In the architecture shown in the figure, the company has two main class C network segments:
- General network (192.168.1.0/24): made up of the three hosts Router A, workstation and Linux Router;
- Protected internal network (192.168.100.0/24): made up of Linux Router, clientlinux, winxp, win7 and so on.
Of these, 192.168.1.0/24 is used by ordinary employees to reach the Internet, while 192.168.100.0/24 is reserved for the special department. workstation stands for an ordinary employee's PC; clientlinux, winxp and win7 are the special department's work PCs; and Linux Router is the router the special department uses to connect to the rest of the company network. With this layout, the special department's packets are physically separated from those of the other departments.
You can also see from the figure that every device acting as a router (Router A, Linux Router) has two or more interfaces, each talking to a different network, and that each router also has a default route! ^_^ In addition, you can install firewall software on Linux Router to protect clientlinux, winxp and win7!
Let's first look at how connections work, starting with clientlinux. If clientlinux wants to reach the Internet, what does its connection look like?
- Outgoing request: clientlinux --> Linux Router --> Router A --> Internet
- Reply: Internet --> Router A --> Linux Router --> clientlinux
Look at the settings of the two routers. To provide the functions above, Router A needs two interfaces, one with a public IP facing outward and one with a private IP facing inward. Because the two IP classes differ, Router A additionally needs NAT, a mechanism we will come back to in a later chapter. Apart from that, Router A needs no extra configuration. Linux Router is even simpler: there is nothing to do beyond assigning an IP to each of its two network interfaces and enabling the kernel's packet forwarding, and it is ready! Very simple! Let's go through the settings of each of these machines.
- Linux Router
This host needs two network cards, which VBird defines here as follows (assuming you have already removed the eth0:0 alias created in the earlier exercise):
- eth0: 192.168.1.100/24
- eth1: 192.168.100.254/24
```
# 1. Look at the eth0 settings again, even though we already sorted them out in Chapter 4:
[root@www ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
HWADDR="08:00:27:71:85:BD"
NM_CONTROLLED="no"
ONBOOT="yes"
BOOTPROTO=none
IPADDR=192.168.1.100
NETMASK=255.255.255.0
GATEWAY=192.168.1.254     <== the most important setting: traffic leaves through this host!

# 2. Now handle eth1, the card that has never been brought up so far:
[root@www ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE="eth1"
HWADDR="08:00:27:2A:30:14"
NM_CONTROLLED="no"
ONBOOT="yes"
BOOTPROTO="none"
IPADDR=192.168.100.254
NETMASK=255.255.255.0

# 3. Enable IP forwarding; without this the setup cannot work!
[root@www ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward=1
# Find the line above and change the default 0 to 1, then save and exit.
[root@www ~]# sysctl -p
[root@www ~]# cat /proc/sys/net/ipv4/ip_forward
1      <== this is the key point: it must be 1!

# 4. Restart the network, then check the routing table and ping Router A
[root@www ~]# /etc/init.d/network restart
[root@www ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
# The important thing above is whether the last line, the default gateway, is correct!
[root@www ~]# ping -c 2 192.168.1.254
PING 192.168.1.254 (192.168.1.254) 56(84) bytes of data.
64 bytes from 192.168.1.254: icmp_seq=1 ttl=64 time=0.294 ms
64 bytes from 192.168.1.254: icmp_seq=2 ttl=64 time=0.119 ms   <== a reply is all we need

# 5. Temporarily stop the firewall; this step matters too!
[root@www ~]# /etc/init.d/iptables stop
```
Simple enough, right? And the final ping tells us that Linux Router can reach Router A, so your Linux Router is done! Note that the default CentOS 6.x firewall rules drop packets passing between different network cards, which is why the firewall has to be stopped for now. Next we set up the network on clientlinux, the protected internal host.
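The settings above are worth checking mechanically before relying on them. The following Python script is an added example, not part of the book: it parses copies of the two ifcfg files and the ip_forward value (constructed here from the listing above, HWADDR lines omitted) and reports the mistakes that most often break a two-interface router: a missing or duplicated GATEWAY, a gateway outside its interface's subnet, both interfaces on the same subnet, and forwarding left at 0. The file contents and function names are this example's own.

```python
import ipaddress

# Constructed copies of the Linux Router's two ifcfg files (from the listing above,
# without the HWADDR lines) and the contents of /proc/sys/net/ipv4/ip_forward.
IFCFG = {
    "eth0": """\
DEVICE="eth0"
NM_CONTROLLED="no"
ONBOOT="yes"
BOOTPROTO=none
IPADDR=192.168.1.100
NETMASK=255.255.255.0
GATEWAY=192.168.1.254
""",
    "eth1": """\
DEVICE="eth1"
NM_CONTROLLED="no"
ONBOOT="yes"
BOOTPROTO="none"
IPADDR=192.168.100.254
NETMASK=255.255.255.0
""",
}
IP_FORWARD = "1\n"


def parse_ifcfg(text):
    """KEY=value lines (quotes optional, '#' comments ignored) into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def check_router(ifcfgs, ip_forward):
    """Return a list of problems; an empty list means the router config is consistent."""
    problems, gateways, nets = [], [], []
    for name, text in ifcfgs.items():
        cfg = parse_ifcfg(text)
        if cfg.get("ONBOOT", "").lower() != "yes":
            problems.append(f"{name}: ONBOOT is not yes, the card will stay down")
        try:
            iface = ipaddress.IPv4Interface(f"{cfg['IPADDR']}/{cfg['NETMASK']}")
        except (KeyError, ValueError) as exc:
            problems.append(f"{name}: bad IPADDR/NETMASK ({exc})")
            continue
        nets.append((name, iface.network))
        gw = cfg.get("GATEWAY")
        if gw:
            # A default gateway must be directly reachable on that interface's subnet.
            if ipaddress.IPv4Address(gw) not in iface.network:
                problems.append(f"{name}: GATEWAY {gw} is not inside {iface.network}")
            gateways.append(gw)
    # A router with two default gateways (or none) cannot forward predictably.
    if len(gateways) != 1:
        problems.append(f"expected one GATEWAY, found {len(gateways)}")
    # Both interfaces on one subnet leaves nothing for the kernel to route between.
    seen = {}
    for name, net in nets:
        if net in seen:
            problems.append(f"{name} and {seen[net]} share subnet {net}")
        seen[net] = name
    if ip_forward.strip() != "1":
        problems.append("net.ipv4.ip_forward is not 1; the kernel will not forward packets")
    return problems


if __name__ == "__main__":
    for problem in check_router(IFCFG, IP_FORWARD) or ["router config looks consistent"]:
        print(problem)
```

On a real CentOS 6 host the same function can be fed `open("/etc/sysconfig/network-scripts/ifcfg-eth0").read()` and the contents of `/proc/sys/net/ipv4/ip_forward` instead of the constructed strings.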
- The protected network, using clientlinux as the example
Whatever operating system clientlinux runs, its environment should look like this (Figure 8.2-1):
- IP: 192.168.100.10
- netmask: 255.255.255.0
- gateway: 192.168.100.254
- hostname: clientlinux.centos.vbird
- DNS: 168.95.1.1
Taking Linux as the example, with clientlinux having only the single network card eth0, its settings are as follows:
```
[root@clientlinux ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
NM_CONTROLLED="no"
ONBOOT="yes"
BOOTPROTO=none
IPADDR=192.168.100.10
NETMASK=255.255.255.0
GATEWAY=192.168.100.254   <== this setting is the most important one!
DNS1=168.95.1.1           <== with this you don't have to edit /etc/resolv.conf yourself
[root@clientlinux ~]# /etc/init.d/network restart
[root@clientlinux ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   0.0.0.0         255.255.255.0   U     1      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
0.0.0.0         192.168.100.254 0.0.0.0         UG    0      0        0 eth0
[root@clientlinux ~]# ping -c 2 192.168.100.254   <== ping its own gateway (succeeds)
[root@clientlinux ~]# ping -c 2 192.168.1.254     <== ping the outer gateway (fails)
```
There is a problem with that last step! How can we not even ping Router A's IP? If even ping gets no reply, our connection has a problem. Let's look at the reply path from the earlier connection flow again:
- Outgoing: clientlinux --> Linux Router (OK) --> Router A (OK)
- Reply: Router A (its reply is destined for 192.168.100.10, but Router A only has routes for its public network and 192.168.1.0/24, so the packet is sent out the public interface again and never comes back...)
See it? Networking is two-way: the packet gets out, but, sadly, it cannot get back. What to do? We simply have to tell Router A that when a route lookup hits 192.168.100.0/24, the packet should be passed to 192.168.1.100. So here is what you do.
- A special routing rule: the route Router A needs
Suppose Router A's outward-facing card is eth1 and the internal address 192.168.1.254 is configured on eth0. How do we add a routing rule on Router A? Easy: just use route add, as shown below:
```
[root@routera ~]# route add -net 192.168.100.0 netmask 255.255.255.0 \
> gw 192.168.1.100
```
This rule is not written to any configuration file, though, so it disappears on the next reboot! You should therefore create a route configuration file. Because this route belongs to the eth0 card, the file must be named route-eth0. In it we state that the gateway for the 192.168.100.0/24 network is 192.168.1.100, reached through eth0, which is written as:
```
[root@routera ~]# vim /etc/sysconfig/network-scripts/route-eth0
192.168.100.0/24 via 192.168.1.100 dev eth0
  target network       gateway used     device
[root@routera ~]# route -n
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
120.114.142.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.100.0   192.168.1.100   255.255.255.0   UG    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
0.0.0.0         120.114.142.254 0.0.0.0         UG    0      0        0 eth1
```
The thing to check above is whether the 192.168.100.0 line shows up in the routing table. If it does, ping 192.168.100.10 and see whether you get a reply; then go to clientlinux and ping 192.168.1.254. If that replies too, the setup has succeeded. Now that the protected internal network can reach the Internet, does that mean clientlinux can connect directly to the ordinary employees' network, for example to workstation? Let's work through the routing rules again. When clientlinux connects directly to workstation, the path is as follows (refer to Figure 8.2-1):
- Outgoing: clientlinux --> Linux Router (OK) --> workstation (OK)
- Reply: workstation (the target is 192.168.100.10; having no route for it, workstation hands the packet to its default gateway, which is Router A) --> Router A (OK) --> Linux Router (OK) --> clientlinux
Notice the cute little detour? The outgoing connection is fine, but the reply quietly goes through Router A for help! That is because workstation, just like Router A originally, has no idea that 192.168.100.0/24 sits behind 192.168.1.100. Since Router A already knows that network is behind Linux Router, the packet still finds its way back to clientlinux.
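To make the "packet gets out but cannot get back" problem and the detour through Router A concrete, here is an added Python example that is not from the book. It parses `route -n` style tables (constructed from the listings in the text; workstation's address 192.168.1.10 and Router A's public address 120.114.142.100 are assumed values the page does not give) and traces a packet and its reply hop by hop using kernel-style longest-prefix matching: once with no extra route anywhere, once with the route on Router A, and once with it on both Router A and workstation.

```python
import ipaddress

# Constructed `route -n` output for each host in Figure 8.2-1, before any
# static route for 192.168.100.0/24 exists.  The clientlinux and Linux Router
# tables copy the listings in the text; Router A's public side follows the
# 120.114.142.0/24 network shown in its route listing.
ROUTE_N = {
    "clientlinux": """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   0.0.0.0         255.255.255.0   U     1      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
0.0.0.0         192.168.100.254 0.0.0.0         UG    0      0        0 eth0
""",
    "linuxrouter": """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
""",
    "routera": """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
120.114.142.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
0.0.0.0         120.114.142.254 0.0.0.0         UG    0      0        0 eth1
""",
    "workstation": """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
""",
}

# Interface addresses from the figure; workstation's 192.168.1.10 and Router A's
# public 120.114.142.100 are assumed values (the text does not state them).
HOSTS = {
    "clientlinux": {"eth0": "192.168.100.10"},
    "linuxrouter": {"eth0": "192.168.1.100", "eth1": "192.168.100.254"},
    "routera": {"eth0": "192.168.1.254", "eth1": "120.114.142.100"},
    "workstation": {"eth0": "192.168.1.10"},
}

# The line that route-eth0 ("192.168.100.0/24 via 192.168.1.100 dev eth0") installs.
STATIC_ROUTE = "192.168.100.0   192.168.1.100   255.255.255.0   UG    0      0        0 eth0"


def parse_route_n(text):
    """Turn `route -n` output into (network, gateway, iface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        if not line[:1].isdigit():          # skip 'Kernel IP routing table' / header
            continue
        dest, gw, mask, _flags, metric, _ref, _use, iface = line.split()
        routes.append((ipaddress.IPv4Network(f"{dest}/{mask}"), gw, iface, int(metric)))
    return routes


def lookup(routes, dst):
    """Kernel-style selection: longest prefix wins, lowest metric breaks ties."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    _net, gw, iface, _metric = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return gw, iface


def owner_of(ip):
    """Which host in the figure holds this address (None for the outside world)."""
    for host, ifaces in HOSTS.items():
        if ip in ifaces.values():
            return host
    return None


def build_tables(static_route_on=()):
    """Parsed tables for every host, with STATIC_ROUTE added on the named hosts."""
    tables = {h: parse_route_n(t) for h, t in ROUTE_N.items()}
    for host in static_route_on:
        tables[host] = tables[host] + parse_route_n(STATIC_ROUTE)
    return tables


def trace(tables, src_host, dst_ip, max_hops=8):
    """Follow one packet hop by hop.  The path ends at the destination host, at
    'internet' when a router forwards it out toward the public side, or at
    'unreachable' when a host has no matching route."""
    path, host = [src_host], src_host
    for _ in range(max_hops):
        if dst_ip in HOSTS[host].values():
            return path
        hop = lookup(tables[host], dst_ip)
        if hop is None:
            return path + ["unreachable"]
        gw, _iface = hop
        # Directly connected route: deliver to the owner of the destination itself.
        nxt = owner_of(dst_ip) if gw == "0.0.0.0" else owner_of(gw)
        if nxt is None:
            return path + ["internet"]
        path.append(nxt)
        host = nxt
    return path + ["loop"]


def round_trip(tables, src_host, dst_host):
    """Forward path from src to dst, and the reply path back, as two lists."""
    src_ip = next(iter(HOSTS[src_host].values()))
    dst_ip = next(iter(HOSTS[dst_host].values()))
    return trace(tables, src_host, dst_ip), trace(tables, dst_host, src_ip)


if __name__ == "__main__":
    scenarios = (("no static route", build_tables()),
                 ("route on Router A", build_tables(["routera"])),
                 ("route on Router A and workstation", build_tables(["routera", "workstation"])))
    for label, tables in scenarios:
        print(f"== {label}")
        for peer in ("routera", "workstation"):
            fwd, back = round_trip(tables, "clientlinux", peer)
            print(f"  clientlinux -> {peer}: {' -> '.join(fwd)} | reply: {' -> '.join(back)}")
```

The first scenario reproduces the failed ping: the reply from Router A leaves via eth1 toward 120.114.142.254 and is lost. The second shows the reply to workstation taking the detour workstation -> Router A -> Linux Router -> clientlinux, and the third shows it going straight back through Linux Router once workstation has its own route-eth0 entry.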
- Letting workstation and clientlinux communicate without going through Router A
If you do not want workstation to have to go through Router A to reach clientlinux, then, just as on Router A, add the same routing rule. On a Linux system the setting is identical to the one on Router A:
```
[root@workstation ~]# vim /etc/sysconfig/network-scripts/route-eth0
192.168.100.0/24 via 192.168.1.100 dev eth0
[root@workstation ~]# /etc/init.d/network restart
[root@www ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.100.0   192.168.1.100   255.255.255.0   UG    0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
```
Finally, if clientlinux can ping workstation and, likewise, workstation can ping clientlinux, your setup is OK! Done! This exercise also shows you one thing: "routing is two-way; you must understand both the outgoing route and the rules for the way back." For example, by default (with no extra routes on Router A or workstation), packets can in fact travel from clientlinux to workstation, but workstation has no matching route to reply to clientlinux, which is why you were asked above to add the extra routing rule on Router A or on workstation. Got it now? ^_^
Building a static-routing router with Linux is easy! In the case above you did almost no extra work on Linux Router: bring up each network interface with the right IP, then turn on IP forwarding so the Linux kernel can forward packets, and the kernel takes care of the rest for you. Really simple!
One reminder, though: if your Linux Router runs a firewall, and in particular if it uses NAT-style IP masquerading, take special care, because that can cause routing to go wrong. The Linux Router above "does not use any NAT feature at all". Keep that in mind!