• (OK) CORE nodes access Internet—虚拟节点访问互联网—commands



    [root@localhost core]# systemctl start core-daemon.service

    ---------------------------------------------------------------------------
    [root@localhost core]# core-gui

    ----------------------
    /root/.core/configs/m-MPE-manet.imn
    ----------------------
    Under the Session Menu, the Options... dialog has an option to set a control network prefix.
    This can be set to a network prefix such as 172.16.0.0/24. A bridge will be created on the host machine having the last address in the prefix range (e.g. 172.16.0.254), and each node will have an extra ctrl0 control interface configured with an address corresponding to its node number (e.g. 172.16.0.3 for n3.)

    ----------------------
    [root@localhost core]# ifconfig
    enp13s0: flags=4163  mtu 1500
            inet 192.168.0.100  netmask 255.255.255.0  broadcast 192.168.0.255
            inet6 fe80::3e97:eff:fef0:b5bb  prefixlen 64  scopeid 0x20
            ether 3c:97:0e:f0:b5:bb  txqueuelen 1000  (Ethernet)
            RX packets 424786  bytes 474479916 (452.4 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 402854  bytes 46953257 (44.7 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    b.ctrl0net.6a: flags=4163  mtu 1500
            inet 172.16.0.254  netmask 255.255.255.0  broadcast 0.0.0.0
            inet6 fe80::bc49:1ff:fe27:a95  prefixlen 64  scopeid 0x20
            ether 16:32:81:19:ca:43  txqueuelen 1000  (Ethernet)
            RX packets 149  bytes 12753 (12.4 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 84  bytes 8808 (8.6 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    ----------------------
    [root@localhost core]# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         192.168.0.1     0.0.0.0         UG    100    0        0 enp13s0
    172.16.0.0      0.0.0.0         255.255.255.0   U     0      0        0 b.ctrl0net.6a
    192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 enp13s0
    192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0

    ----------------------
    [root@localhost 桌面]# . iptables_core.sh
    [root@localhost 桌面]# cat iptables_core.sh

    点击(此处)折叠或打开

    1. #!/bin/bash
    2. echo 1 > /proc/sys/net/ipv4/ip_forward
    3. echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    4. echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    5. echo 1 > /proc/sys/net/ipv4/tcp_syncookies

    6. #网卡:上外、下内
    7. #上外 192.168.0.100
    8. #下内 172.16.0.254
    9. #INET_IF="ppp0"
    10. INET_IF="enp13s0"
    11. LAN_IF="b.ctrl0net.6a"
    12. INET_IP="192.168.0.100"
    13. LAN_IP="172.16.0.254"
    14. LAN_IP_RANGE="172.16.0.0/24"
    15. #LAN_WWW="172.16.0.6"
    16. IPT="/sbin/iptables"
    17. #TC="/sbin/tc"
    18. MODPROBE="/sbin/modprobe"

    19. $MODPROBE ip_tables
    20. $MODPROBE iptable_nat
    21. $MODPROBE ip_nat_ftp
    22. $MODPROBE ip_nat_irc
    23. $MODPROBE ipt_mark
    24. $MODPROBE ip_conntrack
    25. $MODPROBE ip_conntrack_ftp
    26. $MODPROBE ip_conntrack_irc
    27. $MODPROBE ipt_MASQUERADE

    28. for TABLE in filter nat mangle ; do
    29. $IPT -t $TABLE -F
    30. $IPT -t $TABLE -X
    31. $IPT -t $TABLE -Z
    32. done

    33. $IPT -P INPUT DROP
    34. $IPT -P OUTPUT ACCEPT
    35. $IPT -P FORWARD DROP
    36. $IPT -t nat -P PREROUTING ACCEPT
    37. $IPT -t nat -P OUTPUT ACCEPT
    38. $IPT -t nat -P POSTROUTING ACCEPT

    39. # 拒绝INTERNET客户访问
    40. #$IPT -A INPUT -i $INET_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
    41. $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    42. #$IPT -A INPUT -i $INET_IF -p tcp -s 123.5.0.0/16 --dport 22 -j ACCEPT
    43. $IPT -A INPUT -p tcp --dport 22 -j ACCEPT
    44. $IPT -A INPUT -i $INET_IF -m state --state NEW,INVALID -j DROP

    45. for DNS in $(grep ^n /etc/resolv.conf|awk '{print $2}'); do
    46. $IPT -A INPUT -p tcp -s $DNS --sport domain -j ACCEPT
    47. $IPT -A INPUT -p udp -s $DNS --sport domain -j ACCEPT
    48. done

    49. # anti bad scaning
    50. $IPT -A INPUT -i $INET_IF -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    51. $IPT -A INPUT -i $INET_IF -p tcp --tcp-flags ALL ALL -j DROP
    52. $IPT -A INPUT -i $INET_IF -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
    53. $IPT -A INPUT -i $INET_IF -p tcp --tcp-flags ALL NONE -j DROP
    54. $IPT -A INPUT -i $INET_IF -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    55. $IPT -A INPUT -i $INET_IF -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

    56. #$IPT -t nat -A PREROUTING -d $INET_IP -p tcp --dport 8008 -j DNAT --to-destination $LAN_WWW:8008
    57. #$IPT -t nat -A PREROUTING -d $INET_IP -p tcp --dport 22 -j DNAT --to-destination $LAN_WWW:22

    58. if [ $INET_IF = "ppp0" ] ; then
    59. $IPT -t nat -A POSTROUTING -o $INET_IF -s $LAN_IP_RANGE -j MASQUERADE
    60. else
    61. $IPT -t nat -A POSTROUTING -o $INET_IF -s $LAN_IP_RANGE -j SNAT --to-source $INET_IP
    62. fi

    63. #no limit
    64. #$IPT -A FORWARD -s 192.168.1.216 -m mac --mac-source 00:15:17:F7:AB:84 -j ACCEPT
    65. #$IPT -A FORWARD -d 192.168.1.216 -j ACCEPT

    66. #$IPT -A FORWARD -p tcp -d ! $LAN_IP_RANGE -m multiport --dports ! 20,21,22,25,53,80,110,443,8080 -j DROP
    67. #$IPT -A FORWARD -p udp -d ! $LAN_IP_RANGE -m multiport --dports ! 20,21,22,25,53,80,110,443,8080 -j DROP

    68. #MAC、IP地址绑定
    69. #$IPT -A FORWARD -s 192.168.1.11 -m mac --mac-source 44-87-FC-44-B9-6E -j ACCEPT

    70. $IPT -A FORWARD -s 172.16.0.1 -j ACCEPT
    71. $IPT -A FORWARD -s 172.16.0.2 -j ACCEPT
    72. $IPT -A FORWARD -s 172.16.0.3 -j ACCEPT
    73. $IPT -A FORWARD -s 172.16.0.4 -j ACCEPT
    74. $IPT -A FORWARD -s 172.16.0.5 -j ACCEPT
    75. $IPT -A FORWARD -s 172.16.0.6 -j ACCEPT
    76. $IPT -A FORWARD -s 172.16.0.7 -j ACCEPT
    77. $IPT -A FORWARD -s 172.16.0.8 -j ACCEPT
    78. $IPT -A FORWARD -s 172.16.0.9 -j ACCEPT
    79. $IPT -A FORWARD -s 172.16.0.10 -j ACCEPT
    80. $IPT -A FORWARD -s 172.16.0.11 -j ACCEPT
    81. $IPT -A FORWARD -s 172.16.0.12 -j ACCEPT

    82. $IPT -A FORWARD -d 172.16.0.1 -j ACCEPT
    83. $IPT -A FORWARD -d 172.16.0.2 -j ACCEPT
    84. $IPT -A FORWARD -d 172.16.0.3 -j ACCEPT
    85. $IPT -A FORWARD -d 172.16.0.4 -j ACCEPT
    86. $IPT -A FORWARD -d 172.16.0.5 -j ACCEPT
    87. $IPT -A FORWARD -d 172.16.0.6 -j ACCEPT
    88. $IPT -A FORWARD -d 172.16.0.7 -j ACCEPT
    89. $IPT -A FORWARD -d 172.16.0.8 -j ACCEPT
    90. $IPT -A FORWARD -d 172.16.0.9 -j ACCEPT
    91. $IPT -A FORWARD -d 172.16.0.10 -j ACCEPT
    92. $IPT -A FORWARD -d 172.16.0.11 -j ACCEPT
    93. $IPT -A FORWARD -d 172.16.0.12 -j ACCEPT

    ---------------------------------------------------------------------------
    下面在 CORE虚拟节点 中操作
    ---------------------------------------------------------------------------
    [root@n6 n6.conf]# ifconfig
    ctrl0: flags=4163  mtu 1500
            inet 172.16.0.6  netmask 255.255.255.0  broadcast 0.0.0.0
            inet6 fe80::216:3eff:fec0:b7a4  prefixlen 64  scopeid 0x20
            ether 00:16:3e:c0:b7:a4  txqueuelen 1000  (Ethernet)
            RX packets 143  bytes 15449 (15.0 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 60  bytes 5273 (5.1 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    eth0: flags=4163  mtu 1500
            inet 10.0.0.6  netmask 255.255.255.255  broadcast 0.0.0.0
            inet6 a::6  prefixlen 128  scopeid 0x0
            inet6 fe80::200:ff:feaa:5  prefixlen 64  scopeid 0x20
            ether 00:00:00:aa:00:05  txqueuelen 1000  (Ethernet)
            RX packets 8182  bytes 904248 (883.0 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 2735  bytes 301738 (294.6 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    ----------------------
    [root@n6 n6.conf]# route add default gw 172.16.0.254
    [root@n6 n6.conf]# route -n          
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         172.16.0.254    0.0.0.0         UG    0      0        0 ctrl0
    10.0.0.1        10.0.0.5        255.255.255.255 UGH   4      0        0 eth0
    10.0.0.2        10.0.0.5        255.255.255.255 UGH   4      0        0 eth0
    10.0.0.3        10.0.0.5        255.255.255.255 UGH   3      0        0 eth0
    10.0.0.4        10.0.0.5        255.255.255.255 UGH   3      0        0 eth0
    10.0.0.5        0.0.0.0         255.255.255.255 UH    1      0        0 eth0
    10.0.0.7        0.0.0.0         255.255.255.255 UH    1      0        0 eth0
    10.0.0.8        10.0.0.5        255.255.255.255 UGH   4      0        0 eth0
    10.0.0.9        0.0.0.0         255.255.255.255 UH    1      0        0 eth0
    10.0.0.10       10.0.0.5        255.255.255.255 UGH   2      0        0 eth0
    10.0.0.11       10.0.0.5        255.255.255.255 UGH   5      0        0 eth0
    172.16.0.0      0.0.0.0         255.255.255.0   U     0      0        0 ctrl0

    [root@n6 n6.conf]# cat /etc/resolv.conf
    # Generated by NetworkManager
    nameserver 10.3.9.4
    nameserver 10.3.9.5
    nameserver 10.3.9.6

    [root@n6 n6.conf]# ping www.bupt.edu.cn
    PING www.bupt.edu.cn (10.3.9.254) 56(84) bytes of data.
    64 bytes from 10.3.9.254: icmp_seq=1 ttl=58 time=0.751 ms
    64 bytes from 10.3.9.254: icmp_seq=2 ttl=58 time=0.727 ms
    64 bytes from 10.3.9.254: icmp_seq=3 ttl=58 time=0.936 ms
    ^C
    --- www.bupt.edu.cn ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2002ms
    rtt min/avg/max/mdev = 0.727/0.804/0.936/0.098 ms
    [root@n6 n6.conf]#

    ---------------------------------------------------------------------------
    至此,CORE虚拟节点访问互联网 成功


    <script>window._bd_share_config={"common":{"bdSnsKey":{},"bdText":"","bdMini":"2","bdMiniList":false,"bdPic":"","bdStyle":"0","bdSize":"16"},"share":{}};with(document)0[(getElementsByTagName('head')[0]||body).appendChild(createElement('script')).src='http://bdimg.share.baidu.com/static/api/js/share.js?v=89860593.js?cdnversion='+~(-new Date()/36e5)];</script>
    阅读(13) | 评论(0) | 转发(0) |
    给主人留下些什么吧!~~
    评论热议
  • 相关阅读:
    继承
    对象和封装
    类的无参、带参方法
    类和对象
    数组
    循环结构
    选择结构
    变量、数据类型和运算符
    快捷键
    MyEclipse与JDK的配置
  • 原文地址:https://www.cnblogs.com/ztguang/p/12649580.html
Copyright © 2020-2023  润新知