• (OK) CORE nodes access Internet—虚拟节点访问互联网—commands



    [root@localhost core]# systemctl start core-daemon.service

    ---------------------------------------------------------------------------
    [root@localhost core]# core-gui

    ----------------------
    /root/.core/configs/m-MPE-manet.imn
    ----------------------
    Under the Session Menu, the Options... dialog has an option to set a control network prefix.
    This can be set to a network prefix such as 172.16.0.0/24. A bridge will be created on the host machine having the last address in the prefix range (e.g. 172.16.0.254), and each node will have an extra ctrl0 control interface configured with an address corresponding to its node number (e.g. 172.16.0.3 for n3.)

    ----------------------
    [root@localhost core]# ifconfig
    enp13s0: flags=4163  mtu 1500
            inet 192.168.0.100  netmask 255.255.255.0  broadcast 192.168.0.255
            inet6 fe80::3e97:eff:fef0:b5bb  prefixlen 64  scopeid 0x20
            ether 3c:97:0e:f0:b5:bb  txqueuelen 1000  (Ethernet)
            RX packets 424786  bytes 474479916 (452.4 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 402854  bytes 46953257 (44.7 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    b.ctrl0net.6a: flags=4163  mtu 1500
            inet 172.16.0.254  netmask 255.255.255.0  broadcast 0.0.0.0
            inet6 fe80::bc49:1ff:fe27:a95  prefixlen 64  scopeid 0x20
            ether 16:32:81:19:ca:43  txqueuelen 1000  (Ethernet)
            RX packets 149  bytes 12753 (12.4 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 84  bytes 8808 (8.6 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    ----------------------
    [root@localhost core]# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         192.168.0.1     0.0.0.0         UG    100    0        0 enp13s0
    172.16.0.0      0.0.0.0         255.255.255.0   U     0      0        0 b.ctrl0net.6a
    192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 enp13s0
    192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0

    ----------------------
    [root@localhost 桌面]# . iptables_core.sh
    [root@localhost 桌面]# cat iptables_core.sh


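    #!/bin/bash
    # iptables_core.sh -- NAT/firewall setup that lets CORE virtual nodes on the
    # ctrl0 control network (LAN_IP_RANGE) reach the Internet through this host.
    #
    # Usage: run, or source as shown on the page (`. iptables_core.sh`), as root.
    #   Because the script may be sourced, it deliberately does NOT use `set -e`:
    #   a failing modprobe/iptables call would otherwise terminate the
    #   interactive shell. Failures are printed to stderr and the script keeps
    #   going, exactly like the original.
    #
    # Host layout this expects (see the ifconfig/route -n output above):
    #   INET_IF  upstream/external NIC carrying the default route
    #   LAN_IF   the CORE control-network bridge (b.ctrl0net.*)
    #
    # NOTE(review): the `--dport 22 -j ACCEPT` rule in input_rules accepts SSH on
    # every interface, including INET_IF; the commented-out line next to it is
    # the source-restricted form if that is not intended.

    # Kernel knobs: enable forwarding, ignore broadcast and all ICMP echo
    # requests, enable SYN cookies. icmp_echo_ignore_all=1 means this host will
    # not answer ping itself; CORE nodes behind it still can (their traffic is
    # forwarded, not delivered locally).
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies

    # NICs: upstream/external and downstream/internal
    #   external 192.168.0.100
    #   internal 172.16.0.254
    #INET_IF="ppp0"
    INET_IF="enp13s0"
    LAN_IF="b.ctrl0net.6a"
    INET_IP="192.168.0.100"
    LAN_IP="172.16.0.254"
    LAN_IP_RANGE="172.16.0.0/24"
    # Node addresses are ${LAN_NET_PREFIX}.1 .. ${LAN_NET_PREFIX}.${LAN_NODE_COUNT}
    # (CORE assigns ctrl0 = prefix + node number). The prefix is derived from
    # LAN_IP_RANGE by dropping the last octet, which is only meaningful for a /24.
    # The original listed 12 nodes by hand; raise LAN_NODE_COUNT for larger topologies.
    LAN_NET_PREFIX="${LAN_IP_RANGE%.*}"
    LAN_NODE_COUNT=12
    #LAN_WWW="172.16.0.6"
    IPT="/sbin/iptables"
    #TC="/sbin/tc"
    MODPROBE="/sbin/modprobe"

    #######################################
    # Load the netfilter modules the rules rely on. Names are the legacy ip_*
    # ones from the original listing; a modprobe failure is reported on stderr
    # but is not fatal, as before (newer kernels ship nf_* equivalents and
    # iptables normally pulls them in on first use).
    # Globals:  MODPROBE (read)
    #######################################
    load_modules() {
      local mod
      for mod in ip_tables iptable_nat ip_nat_ftp ip_nat_irc ipt_mark \
                 ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_MASQUERADE; do
        "$MODPROBE" "$mod"
      done
    }

    #######################################
    # Flush rules, delete user chains and zero counters in every table touched.
    # Globals:  IPT (read)
    #######################################
    reset_tables() {
      local table
      for table in filter nat mangle; do
        "$IPT" -t "$table" -F
        "$IPT" -t "$table" -X
        "$IPT" -t "$table" -Z
      done
    }

    #######################################
    # Default policies: nothing in, nothing forwarded, unless a rule allows it.
    # Globals:  IPT (read)
    #######################################
    set_policies() {
      "$IPT" -P INPUT DROP
      "$IPT" -P OUTPUT ACCEPT
      "$IPT" -P FORWARD DROP
      "$IPT" -t nat -P PREROUTING ACCEPT
      "$IPT" -t nat -P OUTPUT ACCEPT
      "$IPT" -t nat -P POSTROUTING ACCEPT
    }

    #######################################
    # Host-bound (INPUT) traffic: replies to our own connections, SSH, answers
    # from the configured resolvers, and a drop list of bogus TCP-flag
    # combinations on INET_IF. Rule order is preserved from the original.
    # Globals:  IPT, INET_IF (read)
    #######################################
    input_rules() {
      local dns

      # Deny Internet clients: only traffic belonging to existing connections.
      #"$IPT" -A INPUT -i "$INET_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
      "$IPT" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      # SSH from anywhere (see NOTE at top); the commented line limits the source.
      #"$IPT" -A INPUT -i "$INET_IF" -p tcp -s 123.5.0.0/16 --dport 22 -j ACCEPT
      "$IPT" -A INPUT -p tcp --dport 22 -j ACCEPT
      "$IPT" -A INPUT -i "$INET_IF" -m state --state NEW,INVALID -j DROP

      # One ACCEPT pair per resolver in /etc/resolv.conf. Lines are read one at a
      # time instead of word-splitting a command substitution, and only
      # 'nameserver' entries count (the original's `grep ^n` matched any line
      # beginning with 'n'). A missing resolv.conf simply adds no rules.
      if [[ -r /etc/resolv.conf ]]; then
        while IFS= read -r dns; do
          [[ -n "$dns" ]] || continue
          "$IPT" -A INPUT -p tcp -s "$dns" --sport domain -j ACCEPT
          "$IPT" -A INPUT -p udp -s "$dns" --sport domain -j ACCEPT
        done < <(awk '/^nameserver/ {print $2}' /etc/resolv.conf)
      fi

      # anti bad scanning: illegal TCP flag combinations arriving on INET_IF
      "$IPT" -A INPUT -i "$INET_IF" -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
      "$IPT" -A INPUT -i "$INET_IF" -p tcp --tcp-flags ALL ALL -j DROP
      "$IPT" -A INPUT -i "$INET_IF" -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
      "$IPT" -A INPUT -i "$INET_IF" -p tcp --tcp-flags ALL NONE -j DROP
      "$IPT" -A INPUT -i "$INET_IF" -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
      "$IPT" -A INPUT -i "$INET_IF" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    }

    #######################################
    # Source NAT for the control network leaving through INET_IF. A PPP link has
    # a dynamic address, so MASQUERADE; a fixed address uses SNAT to INET_IP.
    # Globals:  IPT, INET_IF, INET_IP, LAN_IP_RANGE (read)
    #######################################
    nat_rules() {
      # Port-forwarding examples kept from the original (LAN_WWW is unset by default).
      #"$IPT" -t nat -A PREROUTING -d "$INET_IP" -p tcp --dport 8008 -j DNAT --to-destination "$LAN_WWW:8008"
      #"$IPT" -t nat -A PREROUTING -d "$INET_IP" -p tcp --dport 22 -j DNAT --to-destination "$LAN_WWW:22"

      if [[ "$INET_IF" == "ppp0" ]]; then
        "$IPT" -t nat -A POSTROUTING -o "$INET_IF" -s "$LAN_IP_RANGE" -j MASQUERADE
      else
        "$IPT" -t nat -A POSTROUTING -o "$INET_IF" -s "$LAN_IP_RANGE" -j SNAT --to-source "$INET_IP"
      fi
    }

    #######################################
    # FORWARD: accept traffic from, then to, each CORE node's ctrl0 address.
    # As in the original these rules are stateless and interface-agnostic: any
    # host that can route packets for LAN_IP_RANGE through this machine reaches
    # the nodes, and a source in that range is accepted from any interface.
    # Tightening (e.g. `-i "$LAN_IF"` on the -s rules, a RELATED,ESTABLISHED
    # match on the -d rules) is left to the operator, since it changes what the
    # topology can do.
    # Globals:  IPT, LAN_NET_PREFIX, LAN_NODE_COUNT (read)
    #######################################
    forward_rules() {
      local n

      #no limit
      #"$IPT" -A FORWARD -s 192.168.1.216 -m mac --mac-source 00:15:17:F7:AB:84 -j ACCEPT
      #"$IPT" -A FORWARD -d 192.168.1.216 -j ACCEPT

      # MAC/IP address binding example
      #"$IPT" -A FORWARD -s 192.168.1.11 -m mac --mac-source 44-87-FC-44-B9-6E -j ACCEPT

      # Same rules, same order, as the 24 hand-written lines in the original:
      # all -s rules first, then all -d rules.
      for ((n = 1; n <= LAN_NODE_COUNT; n++)); do
        "$IPT" -A FORWARD -s "${LAN_NET_PREFIX}.${n}" -j ACCEPT
      done
      for ((n = 1; n <= LAN_NODE_COUNT; n++)); do
        "$IPT" -A FORWARD -d "${LAN_NET_PREFIX}.${n}" -j ACCEPT
      done
    }

    load_modules
    reset_tables
    set_policies
    input_rules
    nat_rules
    forward_rules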

    ---------------------------------------------------------------------------
    下面在 CORE虚拟节点 中操作
    ---------------------------------------------------------------------------
    [root@n6 n6.conf]# ifconfig
    ctrl0: flags=4163  mtu 1500
            inet 172.16.0.6  netmask 255.255.255.0  broadcast 0.0.0.0
            inet6 fe80::216:3eff:fec0:b7a4  prefixlen 64  scopeid 0x20
            ether 00:16:3e:c0:b7:a4  txqueuelen 1000  (Ethernet)
            RX packets 143  bytes 15449 (15.0 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 60  bytes 5273 (5.1 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    eth0: flags=4163  mtu 1500
            inet 10.0.0.6  netmask 255.255.255.255  broadcast 0.0.0.0
            inet6 a::6  prefixlen 128  scopeid 0x0
            inet6 fe80::200:ff:feaa:5  prefixlen 64  scopeid 0x20
            ether 00:00:00:aa:00:05  txqueuelen 1000  (Ethernet)
            RX packets 8182  bytes 904248 (883.0 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 2735  bytes 301738 (294.6 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    ----------------------
    [root@n6 n6.conf]# route add default gw 172.16.0.254
    [root@n6 n6.conf]# route -n          
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         172.16.0.254    0.0.0.0         UG    0      0        0 ctrl0
    10.0.0.1        10.0.0.5        255.255.255.255 UGH   4      0        0 eth0
    10.0.0.2        10.0.0.5        255.255.255.255 UGH   4      0        0 eth0
    10.0.0.3        10.0.0.5        255.255.255.255 UGH   3      0        0 eth0
    10.0.0.4        10.0.0.5        255.255.255.255 UGH   3      0        0 eth0
    10.0.0.5        0.0.0.0         255.255.255.255 UH    1      0        0 eth0
    10.0.0.7        0.0.0.0         255.255.255.255 UH    1      0        0 eth0
    10.0.0.8        10.0.0.5        255.255.255.255 UGH   4      0        0 eth0
    10.0.0.9        0.0.0.0         255.255.255.255 UH    1      0        0 eth0
    10.0.0.10       10.0.0.5        255.255.255.255 UGH   2      0        0 eth0
    10.0.0.11       10.0.0.5        255.255.255.255 UGH   5      0        0 eth0
    172.16.0.0      0.0.0.0         255.255.255.0   U     0      0        0 ctrl0

    [root@n6 n6.conf]# cat /etc/resolv.conf
    # Generated by NetworkManager
    nameserver 10.3.9.4
    nameserver 10.3.9.5
    nameserver 10.3.9.6

    [root@n6 n6.conf]# ping www.bupt.edu.cn
    PING www.bupt.edu.cn (10.3.9.254) 56(84) bytes of data.
    64 bytes from 10.3.9.254: icmp_seq=1 ttl=58 time=0.751 ms
    64 bytes from 10.3.9.254: icmp_seq=2 ttl=58 time=0.727 ms
    64 bytes from 10.3.9.254: icmp_seq=3 ttl=58 time=0.936 ms
    ^C
    --- www.bupt.edu.cn ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2002ms
    rtt min/avg/max/mdev = 0.727/0.804/0.936/0.098 ms
    [root@n6 n6.conf]#

    ---------------------------------------------------------------------------
    至此,CORE虚拟节点访问互联网 成功


  • 原文地址:https://www.cnblogs.com/ztguang/p/12649580.html