
路由转换

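#!/bin/sh
# Print this host's non-loopback IPv4 addresses, one per line.
# -------------------------------------------------------------------------
# Copyright (c) 2005 nixCraft project <http://cyberciti.biz/fb/>
# This script is licensed under GNU GPL version 2.0 or above
# -------------------------------------------------------------------------
# This script is part of nixCraft shell script collection (NSSC)
# Visit http://bash.cyberciti.biz/ for more information.
# -------------------------------------------------------------------------
# Review notes:
#  - Fixed the "IO" typo: the initialised variable was never the one read.
#  - The Linux branch only understood the legacy net-tools line
#    "inet addr:A.B.C.D"; newer net-tools print "inet A.B.C.D", for which
#    the old grep/cut pipeline produced nothing. Both forms are accepted.
#    Where iproute2 exists, `ip -4 -o addr show` is the stable thing to parse.
#  - Kept strictly POSIX sh (no arrays, no [[ ]]) to honour the shebang.
#  - An unrecognised OS prints the literal string "Unknown".

# Get OS name
OS=$(uname)
IP="" # store IP

case "$OS" in
   Linux)
      # Address lines are "inet addr:10.0.0.1 ..." (old) or "inet 10.0.0.1 ..."
      # (new); the "inet " pattern does not match "inet6" lines. Loopback skipped.
      IP=$(ifconfig | awk '/inet / && !/127\.0\.0\.1/ { sub(/^addr:/, "", $2); print $2 }')
      ;;
   FreeBSD|OpenBSD)
      # "inet 10.0.0.1 netmask 0xffffff00 ..."
      IP=$(ifconfig | awk '/inet.[0-9]/ && !/127\.0\.0\.1/ { print $2 }')
      ;;
   SunOS)
      # "inet 10.0.0.1 netmask ffffff00 ..." (inet6 lines also match, as before)
      IP=$(ifconfig -a | awk '/inet/ && !/127\.0\.0\.1/ { print $2 }')
      ;;
   *)
      IP="Unknown"
      ;;
esac
printf '%s\n' "$IP"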

IP路由转换:下面的脚本把到达本机 eth5:N 别名地址的数据包 DNAT 给 DUT(被测设备)并经 eth(N-1) 转发出去,可选地再把 DUT 访问 TFTP 服务器的流量重定向到 PC(借助 arpspoof 冒充服务器 IP)。它需要 root,会清空本机 nat/mangle 表、关闭 rp_filter、打开 ip_forward,只应在隔离的测试网段上运行。

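#!/bin/bash
# Lab harness: NAT + policy routing between four host interfaces and a DUT
# (device under test), optionally redirecting the DUT's TFTP traffic to a PC.
#
# Usage:  $0 DUT_IP [PC_IP [TFTP_SERVER_IP [TFTP_DUT_IP]]]
#   $1  DUT IP in normal operation (required)
#   $2  PC IP: where the DUT's traffic for the TFTP server is redirected;
#       required whenever $3 is given
#   $3  TFTP server IP as the DUT sees it
#   $4  DUT IP while it is in TFTP mode; empty means it equals $1
#
# What it does -- all of it as root, all of it host-wide:
#   * loads the ip_nat_tftp NAT helper, disables reverse-path filtering for
#     all interfaces and enables IPv4 forwarding;
#   * registers routing tables eth0..eth3 (ids 100..400) in rt_tables once;
#   * FLUSHES the nat and mangle tables, dropping whatever rules were there;
#   * addresses eth0..eth3 on DUT_IP's /24 with host numbers +1..+4 (the
#     numbering restarts at 2 when DUT_IP's last octet is >= 250), gives each
#     its own routing table selected by fwmark 100..400, marks and DNATs to
#     the DUT anything arriving for alias eth5:N's address, and masquerades
#     what leaves through eth(N-1);
#   * with $3 set: marks DUT->server traffic 500..503, DNATs it to PC_IP,
#     SNATs the reverse path to eth5:N's address, optionally adds an eth(N-1):1
#     alias on the TFTP-mode subnet, and starts `arpspoof` per interface so
#     the DUT resolves the server's IP to this host.
#
# Caveats a user should know:
#   * rp_filter=0 removes the kernel's spoofed-source check on every
#     interface and arpspoof deliberately poisons the DUT's ARP cache --
#     run this only on an isolated test segment, never on a shared LAN.
#   * The arpspoof processes are detached and not tracked; stop them yourself
#     when done (e.g. `pkill arpspoof`). Nothing is rolled back on failure.
#   * Aliases eth5:1..eth5:4 must already hold IPv4 addresses; they are read
#     here, not created. Arguments and aliases are verified before any host
#     state is changed.

set -u

die() { printf 'err: %s\n' "$*" >&2; exit 1; }

# split_ip VALUE ARRAYNAME
# Validates VALUE as a dotted-quad IPv4 address (four decimal octets, each
# 0-255) and stores the octets, leading zeros stripped, in the global array
# ARRAYNAME. Anything else aborts: these values become ifconfig/iptables
# arguments and must not be free-form text.
split_ip() {
    local value=$1 target=$2 octet joined=""
    [[ "$value" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || die "not an IPv4 address: '$value'"
    local IFS=.
    for octet in $value; do
        (( 10#$octet <= 255 )) || die "octet out of range in '$value'"
        joined="${joined:+$joined.}$(( 10#$octet ))"
    done
    read -r -a "$target" <<< "$joined"
}

# ---- argument validation (no host state changed yet) ----------------------
dutip=${1:-}
pcip=${2:-}
server=${3:-}
client=${4:-}
tftpip=""
tmp=""

[[ -n "$dutip" ]] || die "please input dut ip!!!"
split_ip "$dutip" dut
[[ -z "$pcip" ]] || split_ip "$pcip" pc    # pc[] is only used for validation

if [[ -n "$server" ]]; then
    [[ -n "$pcip" ]] || die "pc ip (argument 2) is required when a tftp server ip is given"
    split_ip "$server" srv
    if [[ -n "$client" ]]; then
        split_ip "$client" tftp
        # Only when the DUT moves to another /24 in TFTP mode does this host
        # need an address on that subnet. Pick a host number clear of both the
        # server's and the TFTP-mode DUT's last octet; the threshold values are
        # inherited from the original script and are not otherwise documented.
        if [[ "${dut[0]}.${dut[1]}.${dut[2]}" != "${tftp[0]}.${tftp[1]}.${tftp[2]}" ]]; then
            if (( srv[3] >= 200 || srv[3] <= 100 )); then
                if (( tftp[3] >= 200 || tftp[3] <= 100 )); then
                    tmp=150
                elif (( tftp[3] >= 150 )); then
                    tmp=128
                else
                    tmp=160
                fi
            elif (( tftp[3] <= 100 )); then
                tmp=220
            else
                tmp=64
            fi
            tftpip="${tftp[0]}.${tftp[1]}.${tftp[2]}.$tmp"
        fi
    fi
    # With $4 empty the DUT keeps $1 in TFTP mode, so no extra alias is needed.
fi

# ---- pre-flight: eth5:1..4 must already carry addresses -------------------
# Read them before anything is flushed, so a missing alias cannot leave the
# host half-configured with rules carrying an empty '-d' / '--to-source'.
declare -a localip
for (( i = 1; i <= 4; i++ )); do
    localip[i]=$(ifconfig "eth5:$i" 2>/dev/null \
        | awk '/inet / { sub(/^addr:/, "", $2); print $2; exit }')
    [[ -n "${localip[i]}" ]] \
        || die "eth5:$i has no IPv4 address (its traffic is what gets forwarded to the DUT via eth$(( i - 1 )))"
done

# ---- kernel state ---------------------------------------------------------
modprobe ip_nat_tftp    # 2.6.18-era module name; newer kernels name it nf_nat_tftp -- confirm
# Presumably needed because the DNAT/SNAT below creates asymmetric paths that
# the reverse-path check would drop -- confirm. Note the effective value is
# the larger of conf/all and conf/<iface>, so a per-interface rp_filter=1
# still drops such packets -- check each ethN if replies go missing.
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward

# Register the per-interface routing tables once (ids 100..400).
if ! grep -q '100 eth0' /etc/iproute2/rt_tables; then
    printf '%s\n' '100 eth0' '200 eth1' '300 eth2' '400 eth3' >> /etc/iproute2/rt_tables
fi

# Start from empty nat/mangle tables (pre-existing rules are lost).
iptables -t nat -F
iptables -t mangle -F

# Host number for eth0..eth3 on the DUT's subnet: DUT+1 .. DUT+4, restarting
# at 2 when the DUT's last octet leaves no room below 255.
host=${dut[3]}
(( host >= 250 )) && host=1

for (( i = 1; i <= 4; i++ )); do
    j=$(( i - 1 ))
    dev="eth$j"
    host=$(( host + 1 ))
    ifconfig "$dev" "${dut[0]}.${dut[1]}.${dut[2]}.$host"

    # One routing table per interface, selected by fwmark i00 (100..400).
    # Drop stale copies of the rule first so re-running does not pile up
    # duplicate ip rules (bounded loop in case 'del' never fails).
    ip route flush table "$dev"
    ip route add default dev "$dev" table "$dev"
    for (( n = 0; n < 16; n++ )); do
        ip rule del fwmark "${i}00" table "$dev" 2>/dev/null || break
    done
    ip rule add fwmark "${i}00" table "$dev"

    # Traffic for eth5:i's address is marked for table eth$j and DNATed to
    # the DUT; whatever leaves through eth$j is masqueraded.
    iptables -t mangle -A PREROUTING -d "${localip[i]}" -j MARK --set-mark "${i}00"
    iptables -t nat -A PREROUTING -d "${localip[i]}" -j DNAT --to "$dutip"
    iptables -t nat -A POSTROUTING -o "$dev" -j MASQUERADE

    if [[ -n "$server" ]]; then
        if [[ -n "$tftpip" ]]; then
            # Alias on the TFTP-mode subnet: tmp+1 .. tmp+4 across eth0..eth3.
            tmp=$(( tmp + 1 ))
            ifconfig "$dev:1" "${tftp[0]}.${tftp[1]}.${tftp[2]}.$tmp"
        fi

        # DUT -> tftp server is marked 50j, redirected to the PC, and SNATed
        # back to eth5:i's address so the reply returns to the DUT.
        iptables -t mangle -A PREROUTING -i "$dev" -d "$server" -j MARK --set-mark "50$j"
        iptables -t nat -A PREROUTING -i "$dev" -d "$server" -j DNAT --to "$pcip"
        iptables -t nat -A POSTROUTING -m mark --mark "50$j" -j SNAT --to-source "${localip[i]}"

        # Claim the tftp server's IP on this segment so the DUT sends to us.
        # Detached and untracked -- see the header.
        arpspoof -i "$dev" "$server" >/dev/null 2>&1 &
    fi
done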

# rpm -qf $(which ip)
iproute-2.6.18-9.el5

帮助:ip help

<1>链路层:
# ip link
# ip link help
Usage: ip link set DEVICE { up | down |            #启用停用网卡
arp { on | off } |            #打开关闭arp广播
dynamic { on | off } |      
multicast { on | off } |       
allmulticast { on | off } |   
promisc { on | off } |       
trailers { on | off } |        
txqueuelen PACKETS |        #发送缓冲队列长度(默认1000)
name NEWNAME |            #网卡命名(lan,wan)
address LLADDR | broadcast LLADDR |#修改MAC地址
mtu MTU }                #最大传输单元(默认1500)
ip link show [ DEVICE ]
网卡命名举例(改名前网卡通常必须先 down,改完再 up;注意改名前 lan/wlan 这两个名字还不存在,要对原来的 eth0/eth1 操作):
# ip link set eth0 down
# ip link set eth1 down
# ip link set eth0 name wlan
# ip link set eth1 name lan
# ip link set lan up
# ip link set wlan up

<2>ip addr
# ip addr add 192.168.2.77/24 dev lan    #添加ip
# ip addr show dev lan
# ip addr flush dev lan        #清空网卡的所有ip地址

<3>ip neigh 
# ip neigh show    #显示ip与mac对应关系
# ip neigh flush dev lan

<4>ip route(查看/修改本机路由表本身不需要 ip_forward;只有本机作为路由器替其他主机转发数据包时才需要 echo 1 > /proc/sys/net/ipv4/ip_forward)
# ip route    #相当于route -n
# ip route add 192.168.2.0/24 via 192.168.1.1 dev lan    #添加一条路由:去往2.0网段,通过lan网卡,下一跳IP为192.168.1.1

# ip route add 0.0.0.0/0 via 10.10.10.30 dev wan    #添加默认路由
# ip route add default via 10.10.10.30 dev wan        #添加默认路由
# ip route del 192.168.2.0/24
# traceroute www.google.com    #路由追踪
# tracepath www.google.com    #..
# mtr www.google.com        #动态刷新追踪

------------------------------------------------------------------------------------------------------------

二、ECMP(Equal Cost Multipath等值多路径路由)

当路由上有多个链路接入时,并且同时使用,可以考虑ECMP技术
添加两个默认路由,使用rr调度算法根据会话轮询
# ip route help        #查看帮助
# ip route add default mpath rr nexthop via 192.168.96.254 dev vmnet1 nexthop via 192.168.203.254 dev vmnet8

# ip route         #这样就会有两条默认路由了

设置权重
# ip route add default mpath rr nexthop via 192.168.96.254 dev vmnet1 weight 100 nexthop via 192.168.203.254 dev vmnet8 weight 10    #权重最大256

默认RHEL5U3内核会cache路由,对于已经建立好的连接,不会轮询,而直接读取cache路由,从而破坏rr轮询,所以需要将“在cache情况下仍然支持ECMP的模块“编译出来安装

Networking  ---> 
--- Networking support
Networking options  ---> 
IP: equal cost multipath with caching support (EXPERIMENTAL)

ip rule
# ip route list table local    #最先查的表
# ip route list table main    #平时操作的表
# ip route list table default

------------------------------------------------------------------------------------------------------------

三、策略路由

1、基于源地址策略路由

根据源客户端的子网网段走向相应的路由路径
例如:销售部门和办公部门,让销售部门享受10M带宽线路,让办公部门享受1M带宽线路;

配置举例:
需求:让公司192.168.1.0/24网段的客户走网通(CNC)路由,192.168.0.0/24网段的走电信(TEL)路由(与下面 tab1→CNC、tab2→TEL 的 rule/route 配置一致)

IP及拓扑说明:
C1--\       /-----CNC\
     (GW)<            >---->Client3
C2--/       \-----TEL/

Client1:192.168.0.1     
Client2:192.168.1.2
Client3:20.0.0.1

公司网关GW
对内:
I1:192.168.0.254    eth0
I2:192.168.1.254    eth0
对外:
E1:202.106.0.21        eth1
E2:202.106.46.152    eth1
网通CNC网关
C1:202.106.0.20        eth0
C2:20.0.0.2                eth1
电信TEL网关
T1:202.106.46.151     eth0
T2:20.0.0.3                 eth1

GW配置:
<1>增加自定义的路由表
# vi /etc/iproute2/rt_tables 
100     tab1
101     tab2
# ip rule
<2>添加路由规则
# ip route add default via 202.106.0.20 dev eth1 table tab1    #添加默认路由到表tab1
# ip route add default via 202.106.46.151 dev eth1 table tab2    #添加默认路由到表tab2
# ip rule add from 192.168.1.0/24 table tab1            #来自192.168.1.0/24网段的请求走tab1表

# ip rule add from 192.168.0.0/24 table tab2
# ip rule
# ip route add 192.168.1.0/24 dev eth0 table tab1    #添加直连路由,若不添加则Client1 ping GW后,数据包不能返回,因为tab1表中只有一个default路由

# ip route add 192.168.0.0/24 dev eth0 table tab2

TEL配置:
添加去往Client1/2的路由
# ip route add 192.168.0.0/24  via 202.106.46.152 dev eth0
# ip route add 192.168.1.0/24  via 202.106.46.152 dev eth0

CNC配置:
添加去往Client1/2的路由
# ip route add 192.168.0.0/24  via 202.106.0.21 dev eth0
# ip route add 192.168.1.0/24  via 202.106.0.21 dev eth0

Client配置:
Client1\2:
# ip route add default via 192.168.0.254 dev eth0
# ip route add default via 192.168.1.254 dev eth0

Client3:
# ip route add default via 20.0.0.3 dev eth0    #方式一:回程只走TEL路径;与下一行的ECMP双路写法二选一(已有default时再添加会报 RTNETLINK answers: File exists)
# ip route add default mpath rr nexthop via 20.0.0.2 dev eth0 nexthop via 20.0.0.3 dev eth0

Client1\2测试:
# traceroute 20.0.0.1

------------------------------------------------------------
2、基于防火墙标记的路由(fwmark)

将来自不同ip段的数据包打上不同的防火墙标记,根据防火墙的标记路由到相应的地址
GW配置:
1-100的IP标记为1,101-253的IP标记为10
# iptables -t mangle -A PREROUTING -m iprange --src-range 192.168.1.1-192.168.1.100 -j MARK --set-mark 1

# iptables -t mangle -A PREROUTING -m iprange --src-range 192.168.1.101-192.168.1.253 -j MARK --set-mark 10

先清空之前的rule
# ip rule del from 192.168.1.0/24
# ip rule del from 192.168.0.0/24

# ip rule add fwmark 1 pref 1000 table tab1     #将标记为1的包送至tab1,pref为优先级
# ip rule add fwmark 10 pref 2000 table tab2
# ip rule
0:      from all lookup 255 
1000:        ....    tab1
2000:        ....    tab2
32766:  from all lookup main 
32767:  from all lookup default 
剩余基本同上
# ip route add default via 202.106.0.20 dev eth1 table tab1    #添加默认路由到表tab1
# ip route add default via 202.106.46.151 dev eth1 table tab2
# ip route add 192.168.1.0/24 dev eth0 table tab1        #添加直连路由
# ip route add 192.168.0.0/24 dev eth0 table tab2
........

------------------------------------------------------------
3、基于目的地址策略路由
根据访问的目标地址返回,访问网通的IP段走CNC,访问电信的走TEL

GW配置:
删除规则
# iptables -F -t mangle
# ip rule del fwmark 1 pref 1000 table tab1      
# ip rule del fwmark 10 pref 2000 table tab2 

# ip rule add to 20.0.0.1 table tab2
# ip rule add to 20.0.0.4 table tab1
# ip rule

其余配置同上

Client1\2测试:
# traceroute 20.0.0.1
# traceroute 20.0.0.4

假如访问教育网或国外网络,可以在main表中添加一条默认的路由
