Iptables
How to route traffic between 2 VLANs on different subnets
I have the following problem: I have an interface
eth0 with IP 172.20.51.61/24
I have configured 2 VLANs on the same machine:
eth0.120 : 172.20.52.61/24
eth0.200 : 172.20.54.61/24
I also have a DELL switch with
trunk port 2, access port 6 on VLAN 120 and access port 10 on VLAN 200.
There is a DHCP server on this machine, so when I connect two laptops to the two VLANs they get their respective IP addresses:
PC1 172.20.54.234
PC2 172.20.52.114
The problem is that I cannot ping PC2 from PC1.
So how do I enable ping from PC1 to PC2 across the different subnets?
My iptables rules are as follows:
```
Chain INPUT (policy ACCEPT 81 packets, 5386 bytes)
 pkts bytes target     prot opt in     out     source               destination
  178 19945 delegate_input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 delegate_forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  626  211K delegate_output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain delegate_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 zone_lan_forward  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_wan_forward  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain delegate_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
   23  2206 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  155 17739 input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
   74 12353 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    3   180 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
    0     0 zone_lan_input  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_wan_input  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain delegate_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
   23  2206 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
  603  209K output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
  601  208K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    2   264 zone_lan_output  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 zone_wan_output  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   180 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    2   264 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
    0     0 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* forwarding lan -> wan */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 input_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
    0     0 zone_lan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2   264 output_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
    2   264 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain zone_wan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
    0     0 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68 /* Allow-DHCP-Renew */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Allow-Ping */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
    0     0 zone_wan_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 output_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
    0     0 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
```
You need to add IP routes for the other network on the laptops.
This is easiest if the
172.20.51.61
machine is also the default router in your network. In that case you need the following:
- Make sure IP routing is enabled on the router machine.
- Add firewall rules so that traffic between the two VLAN networks is allowed.
- Make sure both client machines use this router as their default gateway (the IP of the router's interface in the client machine's network).
The router appears to have some kind of firewall management software installed; you should check that configuration rather than manipulating iptables directly.
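One way to confirm the second point of the answer against the pasted ruleset, as an added example that is not code from the question or the answer: walk the FORWARD path for a packet entering `eth0.120` and leaving `eth0.200`. It assumes the chains are laid out the way OpenWrt's fw3 lays them out (the `delegate_*`/`zone_*` names suggest that), and `LISTING` is a constructed excerpt of the question's listing.

```python
"""Walk the FORWARD path of an `iptables -L -v -n` listing for one in/out interface
pair, treating the packet as the first of a new flow. Added example, not code from
the question or answer; LISTING is a constructed excerpt of the fw3-style ruleset
quoted above, with header rows and the unlisted user chains omitted."""
LISTING = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    0     0 delegate_forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain delegate_forward (1 references)
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 zone_lan_forward  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain zone_lan_forward (1 references)
    0     0 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* forwarding lan -> wan */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain zone_lan_dest_ACCEPT (2 references)
    2   264 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
Chain zone_wan_dest_ACCEPT (2 references)
    0     0 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
"""
# fw3's user chain "reject" (not in the pasted listing) ends in REJECT: treat as terminal.
VERDICTS = {"ACCEPT", "DROP", "REJECT", "reject"}

def parse(listing):
    """Map chain name -> (policy or None, [(target, in, out, extra_matches), ...])."""
    chains, cur = {}, None
    for line in listing.splitlines():
        f = line.split(None, 9)  # pkts bytes target prot opt in out src dst [matches]
        if f and f[0] == "Chain":
            cur = chains[f[1]] = (f[3] if f[2] == "(policy" else None, [])
        elif cur is not None and len(f) >= 9 and f[0] != "pkts":
            cur[1].append((f[2], f[5], f[6], f[9] if len(f) > 9 else ""))
    return chains

def walk(chains, name, pkt_in, pkt_out, path):
    """Verdict reached in chain `name`, or None on fall-through; ctstate rules can't match a new flow."""
    for target, i, o, extra in chains.get(name, (None, []))[1]:
        if i not in ("*", pkt_in) or o not in ("*", pkt_out) or "ctstate" in extra:
            continue
        path.append(f"{name} -> {target}")
        if target in VERDICTS:
            return target.upper()
        verdict = walk(chains, target, pkt_in, pkt_out, path)  # user chain (RETURN: empty)
        if verdict is not None:
            return verdict
    return None

def forward_verdict(listing, pkt_in, pkt_out):
    chains, path = parse(listing), []
    verdict = walk(chains, "FORWARD", pkt_in, pkt_out, path)
    return verdict or chains["FORWARD"][0], path  # fall-through means the chain policy
```

For `eth0.120` to `eth0.200` the walk ends at `delegate_forward -> reject`, because the only zone dispatch in `delegate_forward` matches `-i eth0` and `-i eth1`, so the VLAN subinterfaces belong to no zone; the same walk for `eth0` to `eth0` reaches `ACCEPT` through `zone_lan_dest_ACCEPT`, which is why the fix belongs in the zone configuration rather than in hand-added iptables rules.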