Iptables

How to route traffic between 2 VLANs on different subnets

  • July 16, 2015

I have the following problem: I have an interface eth0 with IP 172.20.51.61/24

I have configured 2 VLANs on the same machine:

eth0.120 : 172.20.52.61/24 
eth0.200 : 172.20.54.61/24

I also have a DELL switch with

trunk port 2 and 
access ports 6 VLAN 120 and 
access port 10 VLAN 200.

There is a DHCP server on this machine, so when I connect two laptops on the two VLANs they each get their own IP address:

PC1 172.20.54.234
PC2 172.20.52.114

The problem is that I cannot ping from PC1 to PC2.

So how do I enable ping from PC1 to PC2 across the different subnets?

My iptables rules are as follows:

Chain INPUT (policy ACCEPT 81 packets, 5386 bytes)
pkts bytes target     prot opt in     out     source               destination         
 178 19945 delegate_input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
   0     0 delegate_forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
 626  211K delegate_output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain delegate_forward (1 references)
pkts bytes target     prot opt in     out     source               destination         
   0     0 forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
   0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   0     0 zone_lan_forward  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
   0     0 zone_wan_forward  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
   0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain delegate_input (1 references)
pkts bytes target     prot opt in     out     source               destination         
  23  2206 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 155 17739 input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
  74 12353 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   3   180 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
   0     0 zone_lan_input  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
   0     0 zone_wan_input  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           

Chain delegate_output (1 references)
pkts bytes target     prot opt in     out     source               destination         
  23  2206 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
 603  209K output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
 601  208K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   2   264 zone_lan_output  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
   0     0 zone_wan_output  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           

Chain syn_flood (1 references)
pkts bytes target     prot opt in     out     source               destination         
   3   180 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50
   0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_dest_ACCEPT (2 references)
pkts bytes target     prot opt in     out     source               destination         
   2   264 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_forward (1 references)
pkts bytes target     prot opt in     out     source               destination         
   0     0 forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
   0     0 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* forwarding lan -> wan */
   0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
   0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_input (1 references)
pkts bytes target     prot opt in     out     source               destination         
   0     0 input_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
   0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
   0     0 zone_lan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_output (1 references)
pkts bytes target     prot opt in     out     source               destination         
   2   264 output_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
   2   264 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_src_ACCEPT (1 references)
pkts bytes target     prot opt in     out     source               destination         
   0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_dest_ACCEPT (2 references)
pkts bytes target     prot opt in     out     source               destination         
   0     0 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_dest_REJECT (1 references)
pkts bytes target     prot opt in     out     source               destination         
   0     0 reject     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_forward (1 references)
pkts bytes target     prot opt in     out     source               destination         
   0     0 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
   0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
   0     0 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_input (1 references)
pkts bytes target     prot opt in     out     source               destination         
   0     0 input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
   0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68 /* Allow-DHCP-Renew */
   0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Allow-Ping */
   0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
   0     0 zone_wan_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_output (1 references)
pkts bytes target     prot opt in     out     source               destination         
   0     0 output_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
   0     0 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_src_REJECT (1 references)
pkts bytes target     prot opt in     out     source               destination         
   0     0 reject     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           

You need to add IP routes for the other network on the laptops.

This is easiest if the 172.20.51.61 machine is also the default router in your network.

In that case you need the following:

  1. Make sure IP routing (forwarding) is enabled on the router machine.
  2. Add firewall rules so that traffic between the two VLAN networks is allowed.
  3. Make sure both client machines use this router as their default gateway (the IP of the router's interface in the client machine's network).

The router appears to have some kind of firewall management software installed; you should check that configuration instead of manipulating iptables directly.
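The three steps above, worked through as an added example that is not part of the original question or answer. The interface names, subnets and router addresses are the ones from the question; the chain layout being a zone-based firewall manager whose `delegate_forward` chain ends in `reject` is read directly from the listing above (its `zone_lan_forward` rule only matches in-interface `eth0`, so packets arriving on `eth0.120` or `eth0.200` fall through to that final reject). The `APPLY` variable and the helper names are assumptions of this script. By default it only prints the commands so they can be reviewed before anything is changed on the router.

```shell
#!/bin/sh
# Added example (not from the original question or answer). Interface names and
# subnets come from the question; everything else is an assumption of this script.
# Default behaviour is to print the commands for review; run with APPLY=1 to
# execute them on the router.

VLAN_A_IF="eth0.120"; VLAN_A_NET="172.20.52.0/24"   # PC2's VLAN
VLAN_B_IF="eth0.200"; VLAN_B_NET="172.20.54.0/24"   # PC1's VLAN

# Step 1: is the kernel forwarding IPv4 packets between interfaces at all?
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Commands that turn forwarding on now and keep it on after a reboot.
enable_ip_forward_cmds() {
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf\n'
}

# Step 2: FORWARD rules for traffic between the two VLAN subnets, in both
# directions. They are inserted at position 1 of FORWARD so they are matched
# before the jump to delegate_forward, whose last rule rejects everything the
# zone chains did not accept (and those zone chains only match plain eth0, not
# the eth0.120 / eth0.200 sub-interfaces). Matching on both the interface and
# the subnet keeps the rule from accepting packets with a source address that
# does not belong on the VLAN they arrived from.
vlan_forward_rules() {
    # $1 = interface A, $2 = subnet A, $3 = interface B, $4 = subnet B
    printf 'iptables -I FORWARD 1 -i %s -s %s -o %s -d %s -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$1" "$2" "$3" "$4"
    printf 'iptables -I FORWARD 1 -i %s -s %s -o %s -d %s -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$3" "$4" "$1" "$2"
}

# Step 3 is done in the DHCP server, not with iptables: each VLAN's scope must
# hand out this router's address on that VLAN as the default gateway
# (172.20.52.61 on eth0.120, 172.20.54.61 on eth0.200). This only prints the
# command to verify it on each laptop.
client_gateway_check_cmds() {
    printf 'ip route show default   # run on each laptop; expect "via 172.20.52.61" or "via 172.20.54.61"\n'
}

# Print the commands read from stdin, or execute them when APPLY=1.
apply_or_print() {
    if [ "${APPLY:-0}" = "1" ]; then sh -e; else cat; fi
}

if ip_forward_enabled; then
    echo "# ip_forward already enabled"
else
    enable_ip_forward_cmds | apply_or_print
fi
vlan_forward_rules "$VLAN_A_IF" "$VLAN_A_NET" "$VLAN_B_IF" "$VLAN_B_NET" | apply_or_print
client_gateway_check_cmds
```

Rules added this way with `iptables -I` are lost when the firewall manager reloads its rule set, which is why the answer points at that manager's own configuration; the printed commands still show exactly which forwarding rules the configuration has to produce, and `iptables -L FORWARD -v -n` afterwards should show their packet counters increasing while PC1 pings PC2.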

Quoted from: https://serverfault.com/questions/706199