• ubuntu16.04搭建软路由


    适用于 Ubuntu 16.04 及更早版本;18.04 起改用 netplan 管理网络,配置方法不同

    开启 Ubuntu 内核的 IP 转发(ip_forward)

    在/etc/sysctl.conf写入

    net.ipv4.ip_forward=1
    

    执行 sysctl -p 使其生效。开启后本机会在各接口之间转发数据包,应配合 iptables 的 FORWARD 链规则限制可转发的流量

    配置dns服务

    apt-get update && apt-get install -y dnsmasq
    vim /etc/dnsmasq.conf
    

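    dnsmasq配置参考:https://blog.51cto.com/longlei/2065967

    注意:dnsmasq 默认在所有接口上监听。建议在 /etc/dnsmasq.conf 中用 interface= 只指定内网接口(或用 except-interface=eth1 排除公网口),避免在 WAN 侧暴露 DNS 解析服务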

    配置dhcp服务

    apt install isc-dhcp-server vlan
    vim /etc/default/isc-dhcp-server
    vim /etc/dhcp/dhcpd.conf
    service isc-dhcp-server restart
    

    /etc/default/isc-dhcp-server参考:

    # Defaults for isc-dhcp-server initscript
    # sourced by /etc/init.d/isc-dhcp-server
    # installed at /etc/default/isc-dhcp-server by the maintainer scripts
    
    #
    # This is a POSIX shell fragment
    #
    
    # Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
    #DHCPD_CONF=/etc/dhcp/dhcpd.conf
    
    # Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
    #DHCPD_PID=/var/run/dhcpd.pid
    
    # Additional options to start dhcpd with.
    #   Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
    #OPTIONS=""
    
    # On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
    #   Separate multiple interfaces with spaces, e.g. "eth0 eth1".
    # Only the four internal VLAN interfaces are listed. eth1 (the WAN uplink in
    # this guide) is deliberately left out so dhcpd does not hand out leases on
    # the public side. Each interface named here should have a matching subnet
    # declaration in /etc/dhcp/dhcpd.conf.
    INTERFACES="vlan10 vlan11 vlan12 vlan13"
    

    /etc/dhcp/dhcpd.conf参考

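    # Lease lifetimes in seconds: 1 hour by default, 6 hours at most.
    default-lease-time 3600;
    max-lease-time 21600;
    # Answer authoritatively (DHCPNAK for addresses that do not belong here).
    # Only appropriate when this is the sole DHCP server on these segments.
    authoritative;
    
    # NOTE(review): no "option domain-name-servers" is set anywhere in this file,
    # so clients are handed no resolver. If the dnsmasq instance on this router is
    # meant to serve them, add that option (e.g. the gateway address) per subnet.
    
    # vlan10. The netmask has to be 255.255.255.0: 192.168.66.0 is not a network
    # address under 255.255.0.0, so dhcpd rejects that pair, and /24 is what the
    # subnet-mask option below and the range already assume.
    subnet 192.168.66.0 netmask 255.255.255.0 {
      interface vlan10;
      option routers 192.168.66.1;
      option subnet-mask 255.255.255.0;
      range 192.168.66.128 192.168.66.254;
    }
    
    # Static reservation: this MAC always receives 192.168.66.16, which lies
    # outside the dynamic range of the vlan10 subnet above.
    host demo {
      hardware ethernet 00:1c:39:dd:1f:08;
      fixed-address 192.168.66.16;
    }
    
    # vlan11
    subnet 10.101.0.0 netmask 255.255.255.0 {
      interface vlan11;
      option routers 10.101.0.1;
      option subnet-mask 255.255.255.0;
      range 10.101.0.100 10.101.0.254;
    }
    
    # vlan12
    subnet 10.201.0.0 netmask 255.255.255.0 {
      interface vlan12;
      option routers 10.201.0.1;
      option subnet-mask 255.255.255.0;
      range 10.201.0.100 10.201.0.254;
    }
    
    # vlan13
    subnet 10.105.0.0 netmask 255.255.255.0 {
      interface vlan13;
      option routers 10.105.0.1;
      option subnet-mask 255.255.255.0;
      range 10.105.0.100 10.105.0.254;
    }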
    

    配置网卡vlan

    eth0用于配置内部网络即lan

    eth1用于连接公网即wan

    vim /etc/network/interfaces.d/eth0
    

    配置参考:

    # Internal gateways: one tagged VLAN sub-interface per subnet, all carried on
    # eth0 (the LAN side). With the vlan package installed, an interface named
    # vlanNN is created with VLAN ID NN on the device given by vlan_raw_device.
    # Each address below is the "option routers" value of the matching subnet in
    # dhcpd.conf.
    auto vlan10
    iface vlan10 inet static
    address 192.168.66.1
    netmask 255.255.255.0
    mtu 1500
    vlan_raw_device eth0
    
    auto vlan11
    iface vlan11 inet static
    address 10.101.0.1
    netmask 255.255.255.0
    mtu 1500
    vlan_raw_device eth0
    
    auto vlan12
    iface vlan12 inet static
    address 10.201.0.1
    netmask 255.255.255.0
    mtu 1500
    vlan_raw_device eth0
    
    auto vlan13
    iface vlan13 inet static
    address 10.105.0.1
    netmask 255.255.255.0
    mtu 1500
    vlan_raw_device eth0
    

    eth1:

    vim /etc/network/interfaces.d/eth1
    
    auto eth1
    iface eth1 inet dhcp
    

    配置iptables

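    开启 SNAT(MASQUERADE),将内网流量经 eth1 转发到公网。注意:iptables 规则重启后会丢失,需自行持久化(如 iptables-save / iptables-restore 或 iptables-persistent);FORWARD 链默认策略为 ACCEPT 时,本机会转发所有接口之间的流量,建议把默认策略设为 DROP,只放行内网发起的连接及其回包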

    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
    

    其他用途:

    nat端口转发

    10.6.10.157 为 eth1 的 IP,192.168.66.11:443 为内网服务的地址和端口;下面的规则把 eth1 上的 TCP 8001 端口映射到该内网服务。该端口会对 eth1 一侧所有可达的主机开放,如只需特定来源访问,应在规则中用 -s 限定源地址

    iptables -t nat -A PREROUTING -d 10.6.10.157 -p tcp --dport 8001 -j DNAT --to 192.168.66.11:443
    

    网络转发限制(规则按顺序匹配,-A 追加到链尾;若 FORWARD 默认策略为 ACCEPT,单独的 ACCEPT 规则不起限制作用,需配合 DROP 规则或默认 DROP 策略)

    -s是源地址(source)

    -d是目标地址(destination)

    iptables -A FORWARD -s 192.168.128.0/17 -d 192.168.66.16 -j ACCEPT
    iptables -A FORWARD -s 10.11.0.0/24 -d 10.105.0.0/24 -j DROP
    

    流量抓取(-s0 抓取完整数据包,pcap 中可能包含明文口令等敏感内容,应保存到权限受限的目录并定期清理;-G 3600 每小时轮转一个文件,但不限制文件数量,需留意磁盘占用)

    tcpdump -i eth0 -s0 -G 3600 -w  '%Y-%m-%d_%H:%M.pcap'
    

    esxi流量抓取

    nohup pktcap-uw --switchport 33554434 -G 60 -o '%Y-%m-%d_%H:%M.pcap' &
    

    配合esxi超好用

  • 原文地址:https://www.cnblogs.com/kagari/p/14403159.html