Last active: November 7, 2015 11:13
Gist: lo48576/c1aecda717958973e071
Somehow it doesn't work
```ini
# systemd-networkd .network unit for the container side of the veth pair (host0)
[Match]
Name=host0

[Network]
#IPForward=yes
DNS=8.8.8.8
Address=172.16.0.2/24
Gateway=172.16.0.1

# The same address is repeated in an [Address] section (redundant with Address= above)
[Address]
Address=172.16.0.2/24
```
```text
[root@bridge ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: host0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether be:80:0f:5c:1e:b3 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.16.0.2/24 brd 172.16.0.255 scope global host0
       valid_lft forever preferred_lft forever
    inet6 fe80::bc80:fff:fe5c:1eb3/64 scope link
       valid_lft forever preferred_lft forever
```
```text
[root@bridge ~]# ip route show
default via 172.16.0.1 dev host0 proto static
172.16.0.0/24 dev host0 proto kernel scope link src 172.16.0.2
```
```ini
# systemd-networkd .network unit for the host-side bridge (br0) that the
# container's veth peer is attached to; br0 is the container's default gateway
[Match]
Name=br0

[Address]
Address=172.16.0.1/24

[Network]
#IPForward=yes
# `IPMasquerade=yes` implies `IPForward=yes`.
#IPMasquerade=yes
```
```text
% brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.7aae25cc4555       no              vb-bridge
```
(excerpt)

```text
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 7a:ae:25:cc:45:55 brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.1/24 brd 172.16.0.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::78ae:25ff:fecc:4555/64 scope link
       valid_lft forever preferred_lft forever
5: vb-bridge@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP group default qlen 1000
    link/ether ce:76:d8:f6:74:df brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::cc76:d8ff:fef6:74df/64 scope link
       valid_lft forever preferred_lft forever
```
```sh
#!/bin/sh
# Host-side firewall/NAT script: traffic from the container bridge (br0) is
# masqueraded out of eth0.
echo 1 >/proc/sys/net/ipv4/ip_forward

###
# Flush & Reset
###
iptables -F
iptables -t nat -F
iptables -X

###
# Default Rule
###
# Deny all inbound connections by default.
iptables -P INPUT DROP
# Allow ESTABLISHED and RELATED connections.
# Allow replies from outside to connections initiated from inside.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow NEW connections to 22(ssh), 80(http), 443(https).
iptables -A INPUT -m state --state NEW -m multiport -p tcp --dports 22,80,443 -j ACCEPT
# Allow all outbound connections by default.
iptables -P OUTPUT ACCEPT
# Deny all forward connections by default.
# Deny by default all traffic that passes through this host.
iptables -P FORWARD DROP
# Allow all ESTABLISHED and RELATED connections.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

###
# loopback
###
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow packets from br0 (localhost) to eth0
# Note: "localhost" resolves to 127.0.0.1, and a packet with that source is
# never forwarded from br0, so this rule matches nothing; forwarding from br0
# is actually permitted by the last rule of this script.
iptables -A FORWARD -i br0 -o eth0 -s localhost -j ACCEPT

##
# ICMP
##
# Allow incoming ping.
# 0: echo-reply
# 8: echo-request
iptables -A INPUT -p icmp --icmp-type echo-request -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# (is this necessary?)
# Not strictly: replies to pings sent from this host are tracked by conntrack
# as ESTABLISHED and are already accepted by the first INPUT rule above.
iptables -A INPUT -p icmp --icmp-type echo-reply -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

##
# SNAT (masquerade)
##
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i br0 -o eth0 -j ACCEPT
```
```sh
#!/bin/sh
# Minimal variant: masquerade everything from the container subnet, whichever
# interface it leaves by, and allow forwarding from br0 to eth0.
iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
iptables -A FORWARD -i br0 -o eth0 -j ACCEPT
```
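As an added example (not part of the gist), a small Python lint over iptables-save style rules that flags the two weak points in the scripts above: the FORWARD rule with `-s localhost` that can never match, and MASQUERADE rules that each pin only the source subnet or only the egress interface instead of both. The sample rule set is constructed; the LAN subnet and WAN interface defaults (172.16.0.0/24, eth0) are the values the gist uses.

```python
"""Lint iptables-save style rules for the NAT gateway policy shown above."""
import shlex

# Constructed sample in iptables-save syntax, equivalent to what the two scripts
# above append (iptables stores "-s localhost" as 127.0.0.1/32); not a real dump.
SAMPLE_RULES = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i br0 -o eth0 -s 127.0.0.1/32 -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
COMMIT
"""

def parse_rule(line):
    """Split '-A CHAIN opt val ...' into (chain, {opt: val}); bare flags map to True."""
    toks = shlex.split(line)
    chain, opts, i = toks[1], {}, 2
    while i < len(toks):
        if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            opts[toks[i]] = toks[i + 1]
            i += 2
        else:
            opts[toks[i]] = True
            i += 1
    return chain, opts

def lint(rules_text, lan="172.16.0.0/24", wan="eth0"):
    """Return findings: FORWARD rules that can never match (loopback source) and
    MASQUERADE rules not pinned to both the LAN source and the WAN egress interface."""
    findings, table = [], None
    for line in rules_text.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            chain, o = parse_rule(line)
            if chain == "FORWARD" and str(o.get("-s", "")).startswith("127."):
                findings.append("dead rule, loopback source is never forwarded: " + line)
            if table == "nat" and o.get("-j") == "MASQUERADE" and (
                o.get("-s") != lan or o.get("-o") != wan
            ):
                findings.append(f"MASQUERADE not limited to -s {lan} -o {wan}: " + line)
    return findings
```

A rule of the form `-A POSTROUTING -s 172.16.0.0/24 -o eth0 -j MASQUERADE` passes the check, since only container traffic leaving via the uplink is then rewritten.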