I. Environment and requirements:
Links: internal 100 Mbit LAN: eth0 192.168.1.1 100Mbit (the LAN range NATed below is 192.168.0.0/22)
China Telecom 100 Mbit fibre: eth1 222.88.1.1 gateway 222.88.1.2 100Mbit
China Netcom 100 Mbit fibre: eth2 218.28.1.1 gateway 218.28.1.2 100Mbit
Operating system: Red Hat Enterprise AS 5
II. Network requirements:
Business requirements: 1. Dual-line policy routing: traffic to Netcom addresses leaves through the Netcom gateway, traffic to Telecom addresses through the Telecom gateway (in practice everything that is not Netcom, because the Telecom gateway is the default route).
2. ARP binding for every host on the internal network.
3. Traffic control with tc: different policies depending on the service being carried.
III. Steps:
1. Installing Linux is not covered here; there are plenty of tutorials. After installation configure the IP addresses to match the link layout above. (Note: do not set a default gateway in the installer or in the ifcfg-* files. The network scripts would then put a default route into the main table, and the `ip route add 0/0 ... table main` in step 5 would fail with "RTNETLINK answers: File exists".)
2. Enable IP forwarding in the kernel: echo "1" > /proc/sys/net/ipv4/ip_forward (the rc.local in step 11 does this on every boot; net.ipv4.ip_forward = 1 in /etc/sysctl.conf is the equivalent).
3. SNAT (source address translation). MASQUERADE uses the address of whichever uplink the routing decision chose, so the same LAN range is translated to 222.88.1.1 or 218.28.1.1 as appropriate:
iptables -t nat -A POSTROUTING -s 192.168.0.0/22 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/22 -o eth2 -j MASQUERADE
4. Edit /etc/iproute2/rt_tables and give the extra routing table a name (the number is what the later commands use). The file then looks like this:
# reserved values
#
255 local
254 main
253 default
0 unspec
100 shangdu
#
# local
#
#1 inr.ruhep
5. Add the Telecom default route to the main table (use `ip route replace` instead of `add` if the script has to be safe to re-run):
ip route add 0/0 via 222.88.1.2 dev eth1 table main
6. Add the Netcom default route to the new table 100 (the table comes into existence with its first route):
ip route add 0/0 via 218.28.1.2 dev eth2 table 100
7. Add one rule per Netcom prefix that sends traffic for that destination to table 100. (Note: the list must cover every Netcom address range. The list below is the author's snapshot and allocations change, so refresh it from current registry data before relying on it.)
ip rule add to 58.16.0.0/16 table 100
ip rule add to 58.17.0.0/17 table 100
ip rule add to 58.17.128.0/17 table 100
ip rule add to 58.18.0.0/16 table 100
ip rule add to 58.19.0.0/16 table 100
ip rule add to 58.20.0.0/16 table 100
ip rule add to 58.21.0.0/16 table 100
ip rule add to 58.22.0.0/15 table 100
ip rule add to 58.240.0.0/15 table 100
ip rule add to 58.242.0.0/15 table 100
ip rule add to 58.244.0.0/15 table 100
ip rule add to 58.246.0.0/15 table 100
ip rule add to 58.248.0.0/13 table 100
ip rule add to 60.0.0.0/13 table 100
ip rule add to 60.8.0.0/15 table 100
ip rule add to 60.10.0.0/16 table 100
ip rule add to 60.11.0.0/16 table 100
ip rule add to 60.12.0.0/16 table 100
ip rule add to 60.13.0.0/18 table 100
ip rule add to 60.13.64.0/18 table 100
ip rule add to 60.13.128.0/17 table 100
ip rule add to 60.14.0.0/15 table 100
ip rule add to 60.16.0.0/13 table 100
ip rule add to 60.24.0.0/14 table 100
ip rule add to 60.28.0.0/15 table 100
ip rule add to 60.30.0.0/16 table 100
ip rule add to 60.31.0.0/16 table 100
ip rule add to 60.55.0.0/16 table 100
ip rule add to 60.208.0.0/13 table 100
ip rule add to 60.216.0.0/15 table 100
ip rule add to 60.218.0.0/15 table 100
ip rule add to 60.220.0.0/14 table 100
ip rule add to 61.48.0.0/14 table 100
ip rule add to 61.52.0.0/15 table 100
ip rule add to 61.54.0.0/16 table 100
ip rule add to 61.55.0.0/16 table 100
ip rule add to 61.133.0.0/17 table 100
ip rule add to 61.134.96.0/19 table 100
ip rule add to 61.134.128.0/18 table 100
ip rule add to 61.134.192.0/18 table 100
ip rule add to 61.135.0.0/16 table 100
ip rule add to 61.136.0.0/18 table 100
ip rule add to 61.136.64.0/18 table 100
ip rule add to 61.137.128.0/17 table 100
ip rule add to 61.138.0.0/18 table 100
ip rule add to 61.138.64.0/18 table 100
ip rule add to 61.138.128.0/18 table 100
ip rule add to 61.139.128.0/18 table 100
ip rule add to 61.148.0.0/15 table 100
ip rule add to 61.156.0.0/16 table 100
ip rule add to 61.158.0.0/17 table 100
ip rule add to 61.158.128.0/17 table 100
ip rule add to 61.159.0.0/18 table 100
ip rule add to 61.161.0.0/18 table 100
ip rule add to 61.161.128.0/17 table 100
ip rule add to 61.162.0.0/16 table 100
ip rule add to 61.163.0.0/16 table 100
ip rule add to 61.167.0.0/16 table 100
ip rule add to 61.168.0.0/16 table 100
ip rule add to 61.176.0.0/16 table 100
ip rule add to 61.179.0.0/16 table 100
ip rule add to 61.180.128.0/17 table 100
ip rule add to 61.181.0.0/16 table 100
ip rule add to 61.182.0.0/16 table 100
ip rule add to 61.189.0.0/17 table 100
ip rule add to 116.2.0.0/15 table 100
ip rule add to 121.16.0.0/13 table 100
ip rule add to 121.24.0.0/14 table 100
ip rule add to 121.28.0.0/15 table 100
ip rule add to 121.30.0.0/16 table 100
ip rule add to 121.31.0.0/16 table 100
ip rule add to 122.96.0.0/15 table 100
ip rule add to 122.136.0.0/13 table 100
ip rule add to 122.156.0.0/14 table 100
ip rule add to 122.192.0.0/14 table 100
ip rule add to 122.198.0.0/16 table 100
ip rule add to 123.4.0.0/14 table 100
ip rule add to 123.8.0.0/13 table 100
ip rule add to 123.112.0.0/12 table 100
ip rule add to 123.128.0.0/13 table 100
ip rule add to 123.137.0.0/16 table 100
ip rule add to 123.138.0.0/15 table 100
ip rule add to 123.144.0.0/14 table 100
ip rule add to 123.148.0.0/16 table 100
ip rule add to 123.152.0.0/13 table 100
ip rule add to 123.188.0.0/14 table 100
ip rule add to 123.232.0.0/14 table 100
ip rule add to 124.64.0.0/15 table 100
ip rule add to 124.66.0.0/17 table 100
ip rule add to 124.67.0.0/16 table 100
ip rule add to 124.88.0.0/16 table 100
ip rule add to 124.89.0.0/17 table 100
ip rule add to 124.89.128.0/17 table 100
ip rule add to 124.90.0.0/15 table 100
ip rule add to 124.92.0.0/14 table 100
ip rule add to 124.128.0.0/13 table 100
ip rule add to 124.160.0.0/16 table 100
ip rule add to 124.161.0.0/16 table 100
ip rule add to 124.162.0.0/16 table 100
ip rule add to 124.163.0.0/16 table 100
ip rule add to 124.164.0.0/14 table 100
ip rule add to 125.32.0.0/16 table 100
ip rule add to 125.33.0.0/16 table 100
ip rule add to 125.34.0.0/16 table 100
ip rule add to 125.35.0.0/17 table 100
ip rule add to 125.35.128.0/17 table 100
ip rule add to 125.36.0.0/14 table 100
ip rule add to 125.40.0.0/13 table 100
ip rule add to 125.211.0.0/16 table 100
ip rule add to 202.96.0.0/18 table 100
ip rule add to 202.96.64.0/21 table 100
ip rule add to 202.96.72.0/21 table 100
ip rule add to 202.96.80.0/20 table 100
ip rule add to 202.97.128.0/18 table 100
ip rule add to 202.97.192.0/19 table 100
ip rule add to 202.97.224.0/21 table 100
ip rule add to 202.97.232.0/21 table 100
ip rule add to 202.97.240.0/20 table 100
ip rule add to 202.98.0.0/21 table 100
ip rule add to 202.98.8.0/21 table 100
ip rule add to 202.98.16.0/20 table 100
ip rule add to 202.99.0.0/18 table 100
ip rule add to 202.99.64.0/19 table 100
ip rule add to 202.99.96.0/21 table 100
ip rule add to 202.99.104.0/21 table 100
ip rule add to 202.99.112.0/20 table 100
ip rule add to 202.99.128.0/19 table 100
ip rule add to 202.99.160.0/21 table 100
ip rule add to 202.99.168.0/21 table 100
ip rule add to 202.99.176.0/20 table 100
ip rule add to 202.99.192.0/21 table 100
ip rule add to 202.99.200.0/21 table 100
ip rule add to 202.99.208.0/20 table 100
ip rule add to 202.99.224.0/21 table 100
ip rule add to 202.99.232.0/21 table 100
ip rule add to 202.99.240.0/20 table 100
ip rule add to 202.102.128.0/21 table 100
ip rule add to 202.102.136.0/21 table 100
ip rule add to 202.102.144.0/20 table 100
ip rule add to 202.102.160.0/19 table 100
ip rule add to 202.102.224.0/21 table 100
ip rule add to 202.102.232.0/21 table 100
ip rule add to 202.102.240.0/20 table 100
ip rule add to 202.106.0.0/16 table 100
ip rule add to 202.107.0.0/17 table 100
ip rule add to 202.108.0.0/16 table 100
ip rule add to 202.110.0.0/18 table 100
ip rule add to 202.110.64.0/18 table 100
ip rule add to 202.110.192.0/18 table 100
ip rule add to 202.111.128.0/19 table 100
ip rule add to 202.111.160.0/19 table 100
ip rule add to 203.93.8.0/24 table 100
ip rule add to 203.93.9.0/24 table 100
ip rule add to 203.93.10.0/23 table 100
ip rule add to 203.93.12.0/22 table 100
ip rule add to 203.93.16.0/20 table 100
ip rule add to 203.93.32.0/19 table 100
ip rule add to 203.93.64.0/18 table 100
ip rule add to 203.93.128.0/21 table 100
ip rule add to 203.93.136.0/22 table 100
ip rule add to 203.93.140.0/24 table 100
ip rule add to 203.93.141.0/24 table 100
ip rule add to 203.93.142.0/23 table 100
ip rule add to 203.93.144.0/20 table 100
ip rule add to 203.93.160.0/19 table 100
ip rule add to 203.93.192.0/18 table 100
ip rule add to 203.175.192.0/18 table 100
ip rule add to 210.13.128.0/17 table 100
ip rule add to 210.14.160.0/19 table 100
ip rule add to 210.14.192.0/19 table 100
ip rule add to 210.14.224.0/19 table 100
ip rule add to 210.15.32.0/19 table 100
ip rule add to 210.15.64.0/19 table 100
ip rule add to 210.15.96.0/19 table 100
ip rule add to 210.15.128.0/18 table 100
ip rule add to 210.21.0.0/17 table 100
ip rule add to 210.21.128.0/17 table 100
ip rule add to 210.22.0.0/16 table 100
ip rule add to 210.51.0.0/16 table 100
ip rule add to 210.52.0.0/18 table 100
ip rule add to 210.52.64.0/18 table 100
ip rule add to 210.52.128.0/17 table 100
ip rule add to 210.53.0.0/17 table 100
ip rule add to 210.53.128.0/17 table 100
ip rule add to 210.74.96.0/19 table 100
ip rule add to 210.74.128.0/19 table 100
ip rule add to 210.78.0.0/19 table 100
ip rule add to 210.82.0.0/15 table 100
ip rule add to 211.144.0.0/15 table 100
ip rule add to 218.7.0.0/16 table 100
ip rule add to 218.8.0.0/15 table 100
ip rule add to 218.10.0.0/16 table 100
ip rule add to 218.11.0.0/16 table 100
ip rule add to 218.12.0.0/16 table 100
ip rule add to 218.21.128.0/17 table 100
ip rule add to 218.24.0.0/15 table 100
ip rule add to 218.26.0.0/16 table 100
ip rule add to 218.27.0.0/16 table 100
ip rule add to 218.28.0.0/15 table 100
ip rule add to 218.56.0.0/14 table 100
ip rule add to 218.60.0.0/15 table 100
ip rule add to 218.62.0.0/17 table 100
ip rule add to 218.67.128.0/17 table 100
ip rule add to 218.68.0.0/15 table 100
ip rule add to 218.104.0.0/17 table 100
ip rule add to 218.104.128.0/19 table 100
ip rule add to 218.104.160.0/19 table 100
ip rule add to 218.104.192.0/21 table 100
ip rule add to 218.104.200.0/21 table 100
ip rule add to 218.104.208.0/20 table 100
ip rule add to 218.104.224.0/19 table 100
ip rule add to 218.105.0.0/16 table 100
ip rule add to 218.106.0.0/15 table 100
ip rule add to 219.154.0.0/15 table 100
ip rule add to 219.156.0.0/15 table 100
ip rule add to 219.158.0.0/17 table 100
ip rule add to 219.158.128.0/17 table 100
ip rule add to 219.159.0.0/18 table 100
ip rule add to 219.232.0.0/14 table 100
ip rule add to 220.248.0.0/14 table 100
ip rule add to 220.252.0.0/16 table 100
ip rule add to 221.0.0.0/15 table 100
ip rule add to 221.2.0.0/16 table 100
ip rule add to 221.3.0.0/17 table 100
ip rule add to 221.3.128.0/17 table 100
ip rule add to 221.4.0.0/16 table 100
ip rule add to 221.5.0.0/17 table 100
ip rule add to 221.5.128.0/17 table 100
ip rule add to 221.6.0.0/16 table 100
ip rule add to 221.7.0.0/19 table 100
ip rule add to 221.7.32.0/19 table 100
ip rule add to 221.7.64.0/19 table 100
ip rule add to 221.7.96.0/19 table 100
ip rule add to 221.7.128.0/17 table 100
ip rule add to 221.8.0.0/15 table 100
ip rule add to 221.10.0.0/16 table 100
ip rule add to 221.11.0.0/17 table 100
ip rule add to 221.11.128.0/18 table 100
ip rule add to 221.11.192.0/19 table 100
ip rule add to 221.11.224.0/19 table 100
ip rule add to 221.12.0.0/17 table 100
ip rule add to 221.12.128.0/18 table 100
ip rule add to 221.13.0.0/18 table 100
ip rule add to 221.13.64.0/19 table 100
ip rule add to 221.13.96.0/19 table 100
ip rule add to 221.13.128.0/17 table 100
ip rule add to 221.14.0.0/15 table 100
ip rule add to 221.136.0.0/16 table 100
ip rule add to 221.192.0.0/15 table 100
ip rule add to 221.194.0.0/16 table 100
ip rule add to 221.195.0.0/16 table 100
ip rule add to 221.196.0.0/15 table 100
ip rule add to 221.198.0.0/16 table 100
ip rule add to 221.199.0.0/19 table 100
ip rule add to 221.199.32.0/20 table 100
ip rule add to 221.199.48.0/20 table 100
ip rule add to 221.199.64.0/18 table 100
ip rule add to 221.199.128.0/18 table 100
ip rule add to 221.199.192.0/20 table 100
ip rule add to 221.199.224.0/19 table 100
ip rule add to 221.200.0.0/14 table 100
ip rule add to 221.204.0.0/15 table 100
ip rule add to 221.206.0.0/16 table 100
ip rule add to 221.207.0.0/18 table 100
ip rule add to 221.207.64.0/18 table 100
ip rule add to 221.207.128.0/17 table 100
ip rule add to 221.208.0.0/14 table 100
ip rule add to 221.212.0.0/16 table 100
ip rule add to 221.213.0.0/16 table 100
ip rule add to 221.214.0.0/15 table 100
ip rule add to 221.216.0.0/13 table 100
ip rule add to 222.128.0.0/14 table 100
ip rule add to 222.132.0.0/14 table 100
ip rule add to 222.136.0.0/13 table 100
ip rule add to 222.160.0.0/15 table 100
ip rule add to 222.162.0.0/16 table 100
ip rule add to 222.163.0.0/19 table 100
ip rule add to 222.163.32.0/19 table 100
ip rule add to 222.163.64.0/18 table 100
ip rule add to 222.163.128.0/17 table 100
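The post says steps 5 to 7 are merged into a /etc/cncroute script but does not show it. Below is an added example of such a script; it is my own, not the author's. It makes the three steps idempotent (`replace`, flush before re-adding), and it adds one assumption the post does not make: a `from 218.28.1.1` rule, so that packets the router itself sends from its Netcom address also leave through the Netcom gateway. The post's rules are destination-only, so without this an answer to a connection that arrived on eth2 from a Telecom source would go out eth1 carrying a Netcom source address, which an ISP that filters source addresses may discard. The script also carries a pure-shell prefix-containment lookup (`table_for`) so you can predict which table a destination will hit before touching the live box; `ip route get ADDR` gives the same answer once the rules are loaded. The prefix list here is a constructed subset of the post's; point `CNC_PREFIXES` at the full list in production, and only the `apply` argument executes anything.

```shell
#!/bin/sh
# Added example: an idempotent /etc/cncroute for steps 5-7 plus a lookup to test it offline.
# Addresses are the post's made-up ones; the prefix list is a constructed subset.
TEL_GW=222.88.1.2; TEL_DEV=eth1
CNC_GW=218.28.1.2; CNC_DEV=eth2; CNC_IP=218.28.1.1   # CNC_IP rule is this example's addition
CNC_TABLE=100

# Constructed subset of the post's Netcom list; the real script uses the full list
CNC_PREFIXES="58.16.0.0/16 58.17.0.0/17 60.0.0.0/13 218.28.0.0/15 221.0.0.0/15"

# Dotted quad -> 32-bit integer (shell arithmetic is 64-bit in bash and dash)
ip2int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length -> netmask as an integer
masklen2int() {
    if [ "$1" -eq 0 ]; then echo 0
    else echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )); fi
}

# in_prefix ADDR NET/LEN -> exit status 0 if ADDR lies inside NET/LEN
in_prefix() {
    net=${2%/*}; len=${2#*/}
    m=$(masklen2int "$len")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$net") & m )) ]
}

# table_for ADDR -> "100" if any Netcom prefix contains ADDR, otherwise "main"
# (all rules point at the same table, so first match and longest match agree)
table_for() {
    for p in $CNC_PREFIXES; do
        if in_prefix "$1" "$p"; then echo "$CNC_TABLE"; return 0; fi
    done
    echo main
}

# route_cmds -> the iproute2 commands for steps 5-7, safe to run repeatedly
route_cmds() {
    echo "ip route replace default via $TEL_GW dev $TEL_DEV table main"
    echo "ip route flush table $CNC_TABLE"
    echo "ip route add default via $CNC_GW dev $CNC_DEV table $CNC_TABLE"
    # drop every existing rule that points at table 100 before re-adding them
    echo "while ip rule del table $CNC_TABLE 2>/dev/null; do :; done"
    # Assumption added here: traffic sourced from the router's own Netcom address
    # must also leave via the Netcom gateway (the post only has destination rules)
    echo "ip rule add from $CNC_IP table $CNC_TABLE"
    for p in $CNC_PREFIXES; do
        echo "ip rule add to $p table $CNC_TABLE"
    done
    echo "ip route flush cache"
}

# "apply" executes the commands (needs root); anything else only prints them
if [ "${1:-}" = apply ]; then route_cmds | sh -e; else route_cmds; fi
```

Run it with no argument first and read the commands; `table_for 218.28.5.5` prints 100 and `table_for 222.88.3.3` prints main, which is the split the post is after. After `apply`, confirm on the live system with `ip rule show` and `ip route get 218.28.5.5` (expect `via 218.28.1.2 dev eth2`).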
8. ARP binding. Create /etc/ethers with one "IP-address MAC-address" entry per host (the MAC is six colon-separated hex octets; `arp -f` in step 11 loads the file). Note that this only pins the entries in the router's own ARP cache; it does not stop hosts on the LAN from poisoning each other. Format:
192.168.2.102 00:11:5B:1D9:77
192.168.2.111 00:11:5B:1A2:6C
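`arp -f` stops at a malformed line and, with a duplicate IP, quietly installs the last MAC listed. The following is an added check to run before loading the file, not something from the original post: it validates every entry of an ethers file and reports each problem with its line number. The sample file is constructed for the demonstration (two good lines, a five-group MAC, an octet above 255 and a duplicate IP).

```shell
#!/bin/sh
# Added example (not from the original post): validate /etc/ethers before `arp -f` loads it.
# check_ethers FILE -> prints "line N: reason" per bad entry, returns the number of bad entries
check_ethers() {
    awk '
    function bad(msg) { print "line " NR ": " msg; n++ }
    /^[ \t]*#/ { next }                           # comment line
    NF == 0 { next }                              # blank line
    {
        if (NF != 2) { bad("expected \"IP MAC\", got " NF " fields"); next }
        ip = $1; mac = toupper($2)
        # IPv4: exactly four dotted decimal octets in 0..255
        if (split(ip, o, ".") != 4) { bad("bad IP " ip); next }
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) { bad("bad IP " ip); next }
        # MAC: exactly six colon-separated hex octets (five groups is the usual typo)
        if (split(mac, h, ":") != 6) { bad("bad MAC " $2); next }
        for (i = 1; i <= 6; i++)
            if (h[i] !~ /^[0-9A-F][0-9A-F]$/) { bad("bad MAC " $2); next }
        if (mac == "FF:FF:FF:FF:FF:FF" || mac == "00:00:00:00:00:00") { bad("reserved MAC " $2); next }
        # Same IP twice: arp -f installs both in turn and the last one silently wins
        if (ip in seen) { bad("duplicate IP " ip " (first seen on line " seen[ip] ")"); next }
        seen[ip] = NR
    }
    END { exit n + 0 }' "$1"
}

# Constructed sample: two valid lines, then a five-group MAC, an octet above 255 and a duplicate IP
write_sample() {
    cat > "$1" <<'EOF'
# IP            MAC
192.168.2.102   00:11:5B:1D:D9:77
192.168.2.111   00:11:5B:1A:2E:6C
192.168.2.120   00:11:5B:1D9:77
192.168.2.300   00:11:5B:1A:2E:6D
192.168.2.102   00:11:5B:1A:2E:6F
EOF
}

# Usage: check_ethers /etc/ethers && arp -f
if [ -n "${1:-}" ]; then check_ethers "$1"; fi
```

On the sample the check reports three problems (lines 4, 5 and 6) and exits 3, so the `&&` in the usage line keeps `arp -f` from running on a broken file.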
9. Traffic control with tc. Each interface gets an HTB tree with three classes (interactive, web, everything else); packets are sorted into them by the fwmark set in the mangle table. The script is stored at /etc/tc:
#!/bin/bash
# Remove any existing root and ingress qdiscs so the script can be re-run cleanly
tc qdisc del dev eth1 root 2>/dev/null
tc qdisc del dev eth1 ingress 2>/dev/null
tc qdisc del dev eth0 root 2>/dev/null
tc qdisc del dev eth0 ingress 2>/dev/null
tc qdisc del dev eth2 root 2>/dev/null
tc qdisc del dev eth2 ingress 2>/dev/null
# One HTB root qdisc per interface; unmarked packets fall into class x:15
tc qdisc add dev eth1 root handle 1: htb default 15
tc qdisc add dev eth2 root handle 2: htb default 15
tc qdisc add dev eth0 root handle 3: htb default 15
# Top class: kept below the physical 100Mbit so queuing happens in HTB, not in the NIC or at the ISP
tc class add dev eth1 parent 1: classid 1:1 htb rate 75Mbit ceil 75Mbit
tc class add dev eth2 parent 2: classid 2:1 htb rate 75Mbit ceil 75Mbit
tc class add dev eth0 parent 3: classid 3:1 htb rate 85Mbit ceil 85Mbit
# x:11 interactive (fwmark 1), highest priority. The three children's rates add up to the parent's rate;
# with ceil equal to rate no class can borrow idle bandwidth from its siblings (raise ceil to allow that)
tc class add dev eth1 parent 1:1 classid 1:11 htb rate 30Mbit ceil 30Mbit prio 0
tc class add dev eth2 parent 2:1 classid 2:11 htb rate 30Mbit ceil 30Mbit prio 0
tc class add dev eth0 parent 3:1 classid 3:11 htb rate 40Mbit ceil 40Mbit prio 0
# x:12 web (fwmark 2)
tc class add dev eth1 parent 1:1 classid 1:12 htb rate 25Mbit ceil 25Mbit prio 1
tc class add dev eth2 parent 2:1 classid 2:12 htb rate 25Mbit ceil 25Mbit prio 1
tc class add dev eth0 parent 3:1 classid 3:12 htb rate 25Mbit ceil 25Mbit prio 1
# x:15 bulk and unclassified (fwmark 5 or no mark), lowest priority
tc class add dev eth1 parent 1:1 classid 1:15 htb rate 20Mbit ceil 20Mbit prio 2
tc class add dev eth2 parent 2:1 classid 2:15 htb rate 20Mbit ceil 20Mbit prio 2
tc class add dev eth0 parent 3:1 classid 3:15 htb rate 20Mbit ceil 20Mbit prio 2
# SFQ inside the web and bulk classes so one flow cannot monopolise its class
# (qdisc handles are per device, so 12: and 15: can be reused on each interface)
tc qdisc add dev eth1 parent 1:12 handle 12: sfq
tc qdisc add dev eth1 parent 1:15 handle 15: sfq
tc qdisc add dev eth2 parent 2:12 handle 12: sfq
tc qdisc add dev eth2 parent 2:15 handle 15: sfq
tc qdisc add dev eth0 parent 3:12 handle 12: sfq
tc qdisc add dev eth0 parent 3:15 handle 15: sfq
# Classify by fwmark: "handle N fw" matches packets whose mark is N
tc filter add dev eth1 parent 1:0 protocol ip prio 1 handle 1 fw classid 1:11
tc filter add dev eth2 parent 2:0 protocol ip prio 1 handle 1 fw classid 2:11
tc filter add dev eth0 parent 3:0 protocol ip prio 1 handle 1 fw classid 3:11
tc filter add dev eth1 parent 1:0 protocol ip prio 2 handle 2 fw classid 1:12
tc filter add dev eth2 parent 2:0 protocol ip prio 2 handle 2 fw classid 2:12
tc filter add dev eth0 parent 3:0 protocol ip prio 2 handle 2 fw classid 3:12
tc filter add dev eth1 parent 1:0 protocol ip prio 5 handle 5 fw classid 1:15
tc filter add dev eth2 parent 2:0 protocol ip prio 5 handle 5 fw classid 2:15
tc filter add dev eth0 parent 3:0 protocol ip prio 5 handle 5 fw classid 3:15
# Ingress policing on both uplinks: inbound traffic above 85Mbit is dropped
tc qdisc add dev eth1 handle ffff: ingress
tc qdisc add dev eth2 handle ffff: ingress
tc filter add dev eth1 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 85Mbit burst 15k drop flowid :1
tc filter add dev eth2 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 85Mbit burst 15k drop flowid :1
# Marking in mangle PREROUTING. Every rule is a MARK/RETURN pair: once a packet is marked, RETURN ends the chain
# (its policy is ACCEPT), so a later rule cannot overwrite the mark and the first match wins. PREROUTING only
# sees packets arriving on an interface, so the router's own outbound traffic stays unmarked and lands in x:15.
iptables -F -t mangle
# TOS Minimize-Delay -> interactive
iptables -t mangle -A PREROUTING -m tos --tos Minimize-Delay -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -m tos --tos Minimize-Delay -j RETURN
# TCP SYNs -> interactive, so new connections still open quickly under load. Append these with -A:
# inserting both lines with -I would leave the RETURN in front of the MARK and SYNs would leave the chain unmarked
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
# ICMP, SSH and DNS -> interactive
iptables -t mangle -A PREROUTING -p icmp -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p icmp -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 22 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 22 -j RETURN
iptables -t mangle -A PREROUTING -p udp -m udp --dport 53 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p udp -m udp --dport 53 -j RETURN
# Application ports -> interactive (--ports matches either source or destination; at most 15 ports per rule)
iptables -t mangle -A PREROUTING -p tcp -m multiport --ports 6299,39311,10001,13000,29000,28088,7000,7100,30810,6020,40041,54321,5858 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp -m multiport --ports 6299,39311,10001,13000,29000,28088,7000,7100,30810,6020,40041,54321,5858 -j RETURN
# Small TCP packets (up to 500 bytes, mostly ACKs) -> interactive, which keeps downloads moving when the uplink is full
iptables -t mangle -A PREROUTING -p tcp -m length --length :500 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp -m length --length :500 -j RETURN
# HTTP, HTTPS and 8080 in either direction -> web class
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j MARK --set-mark 0x2
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j MARK --set-mark 0x2
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 443 -j MARK --set-mark 0x2
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 443 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 443 -j MARK --set-mark 0x2
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 443 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 8080 -j MARK --set-mark 0x2
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 8080 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 8080 -j MARK --set-mark 0x2
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 8080 -j RETURN
# Everything else -> bulk
iptables -t mangle -A PREROUTING -j MARK --set-mark 0x5
Check that packets really land where intended with `iptables -t mangle -L PREROUTING -v -n` (per-rule counters) and `tc -s class show dev eth1` (per-class bytes); if all traffic shows up in x:15 the marks are not being set.
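An HTB tree silently misbehaves when the children's guaranteed rates add up to more than the parent's rate (the guarantees can no longer all be met) or when a child's ceil exceeds its parent's ceil (the child can never reach it). The script above is consistent on all three interfaces, but that is easy to break while tuning the numbers. The following is an added check, not part of the original /etc/tc: it parses the `tc class add` lines of a script and flags both mistakes. The sample script is constructed: the post's eth1 tree, plus an eth0 tree with the two errors introduced on purpose. Only the bit-based units the post uses (bit, kbit, Mbit, Gbit) are understood; that is an assumption of this example.

```shell
#!/bin/sh
# Added example (not part of the original /etc/tc): check an HTB class tree before loading it.
# htb_check SCRIPT -> prints OK/ERROR per parent class plus one line per ceil problem,
# returns the number of problems found
htb_check() {
    awk '
    # Convert a tc rate to kbit/s; only bit-based units are handled (assumption of this example)
    function kbit(v,   n) {
        n = v + 0                            # awk takes the leading number of "30Mbit"
        if (v ~ /[Gg]bit$/) return n * 1000000
        if (v ~ /[Mm]bit$/) return n * 1000
        if (v ~ /[Kk]bit$/) return n
        return n / 1000                      # plain bit/s
    }
    $1 == "tc" && $2 == "class" && $3 == "add" {
        dev = parent = id = ""; rate = 0; ceil = -1
        for (i = 4; i < NF; i++) {
            if ($i == "dev")     dev = $(i + 1)
            if ($i == "parent")  parent = $(i + 1)
            if ($i == "classid") id = $(i + 1)
            if ($i == "rate")    rate = kbit($(i + 1))
            if ($i == "ceil")    ceil = kbit($(i + 1))
        }
        if (ceil < 0) ceil = rate            # HTB default: ceil equals rate
        key = dev " " id; r[key] = rate; c[key] = ceil
        p = dev " " parent
        if (p in r) {                        # parent is a class we have seen: account for this child
            sum[p] += rate
            if (ceil > c[p]) { print "ERROR " key " ceil " ceil " kbit > parent ceil " c[p] " kbit"; bad++ }
        }
    }
    END {
        for (p in sum)
            if (sum[p] > r[p]) { print "ERROR " p " children rate " sum[p] " kbit > rate " r[p] " kbit"; bad++ }
            else print "OK " p " children rate " sum[p] " kbit <= rate " r[p] " kbit"
        exit bad + 0
    }' "$1"
}

# Constructed sample: the post's eth1 tree (consistent) and an eth0 tree with two deliberate mistakes
sample_tc_script() {
    cat <<'EOF'
tc class add dev eth1 parent 1: classid 1:1 htb rate 75Mbit ceil 75Mbit
tc class add dev eth1 parent 1:1 classid 1:11 htb rate 30Mbit ceil 30Mbit prio 0
tc class add dev eth1 parent 1:1 classid 1:12 htb rate 25Mbit ceil 25Mbit prio 1
tc class add dev eth1 parent 1:1 classid 1:15 htb rate 20Mbit ceil 20Mbit prio 2
tc class add dev eth0 parent 3: classid 3:1 htb rate 85Mbit ceil 85Mbit
tc class add dev eth0 parent 3:1 classid 3:11 htb rate 40Mbit ceil 90Mbit prio 0
tc class add dev eth0 parent 3:1 classid 3:12 htb rate 25Mbit ceil 25Mbit prio 1
tc class add dev eth0 parent 3:1 classid 3:15 htb rate 25Mbit ceil 25Mbit prio 2
EOF
}

# Usage: htb_check /etc/tc && /etc/tc
if [ -n "${1:-}" ]; then htb_check "$1"; fi
```

On the sample the check reports `OK eth1 1:1`, an ERROR for 3:11's ceil of 90Mbit against its parent's 85Mbit, and an ERROR for eth0's children summing to 90Mbit against an 85Mbit parent, and exits 2.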
10. Firewall script (stored at /etc/fire):
#!/bin/sh
/sbin/modprobe ip_tables
# FTP helpers so active and passive FTP survive NAT (RHEL 5 module names)
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
# Start from clean filter and nat tables (the mangle table belongs to /etc/tc)
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X
# The router itself accepts nothing it is not explicitly told to; forwarding is open
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
#Allow loopback, replies to the router's own connections, and SSH
iptables -A INPUT -i lo -j ACCEPT
# RELATED lets ICMP errors for our own connections (e.g. fragmentation-needed) and helper-tracked FTP data through
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# This opens SSH on every interface, both uplinks included. Restrict it to the LAN (-i eth0) or to a management
# address (-s x.x.x.x) unless administration from the Internet is really required
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#ICMP to the router's own networks, rate-limited
iptables -A INPUT -p ICMP -d 218.28.1.0/24 -m limit --limit 1/s --limit-burst 10 -j ACCEPT
iptables -A INPUT -p ICMP -d 222.88.1.0/24 -m limit --limit 1/s --limit-burst 10 -j ACCEPT
iptables -A INPUT -p ICMP -d 192.168.0.0/22 -m limit --limit 1/s --limit-burst 10 -j ACCEPT
# Fragments, rate-limited
iptables -A INPUT -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
#synflood: new TCP connections to the router above 1 SYN/s are answered with a reset. Only TCP not already
# accepted above reaches this chain, so here it decides whether unsolicited SYNs are reset or silently dropped;
# the limit is global rather than per source, which matters if more INPUT services are added after it
iptables -N synflood
iptables -A synflood -p tcp --syn -m limit --limit 1/s -j RETURN
iptables -A synflood -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -m state --state NEW -j synflood
# With FORWARD policy ACCEPT the next three rules have no effect: packets over the limit fall through to the policy
# and are accepted anyway. Do not "fix" this by appending a DROP, as that would cap all forwarded TCP at 1 SYN/s
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# Second SYN limiter on INPUT (3/s, burst 6); SYNs that pass both limiters and match no ACCEPT rule hit the DROP policy
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
iptables -A syn-flood -j REJECT
#NAT (same as step 3; re-added here because the nat table was flushed above)
iptables -t nat -A POSTROUTING -s 192.168.0.0/22 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/22 -o eth2 -j MASQUERADE
11. Finally, rc.local. The order matters: routes first, then the firewall (which recreates the NAT rules), then the static ARP entries, then tc (which writes the mangle marks):
#!/bin/sh
touch /var/lock/subsys/local
echo "1" > /proc/sys/net/ipv4/ip_forward
# Raise the connection-tracking table limit; every NATed flow occupies an entry
echo "65535" > /proc/sys/net/ipv4/ip_conntrack_max
/etc/cncroute
/etc/fire
# Load the static ARP entries from /etc/ethers (step 8)
arp -f
/etc/tc
# Note: steps 5, 6 and 7 are combined into the /etc/cncroute script.
For ease of writing, all IP addresses in this article are made up. With that, dual-line automatic switching plus tc traffic control is complete and the server is running normally. It is actually simple to do, but writing it out step by step is not easy, and mistakes are inevitable; please point out anything that should be improved. Thank you! Contact QQ: 273725415