讀者此時應該不難理解所謂『IP 分享』了吧︰
《鳥哥的 Linux 私房菜》
在 Linux 的 NAT 伺服器服務當中,最常見的就是類似圖 9.1-2的 IP 分享器功能了。 而由剛剛的介紹你也該知道,這個 IP 分享器的功能其實就是 SNAT 啦!作用就只是在 iptables 內的 NAT 表格當中,那個路由後的 POSTROUTING 鏈進行 IP 的偽裝就是了。另外, 你也必須要瞭解,你的 NAT 伺服器必須要有一個 public IP 介面,以及一個內部 LAN 連接的 private IP 介面才行。底下的範例中,鳥哥的假設是這樣的:
- 外部介面使用 eth0 ,這個介面具有 public IP 喔;
- 內部介面使用 eth1 ,假設這個 IP 為 192.168.100.254 ;
記住!當你利用前面幾章談到的資料來設定你的網路參數後,務必要進行路由的檢測, 因為在 NAT 伺服器的設定方面,最容易出錯的地方就是路由了!尤其是在撥接產生 ppp0 這個對外介面的環境下, 這個問題最嚴重。反正你要記得:『如果你的 public IP 取得的方式是撥接或 cable modem 時,你的設定檔 /etc/sysconfig/network, ifcfg-eth0, ifcfg-eth1 等檔案,千萬不要設定 GATEWAY 啦!』否則就會出現兩個 default gateway ,反而會造成問題。
如果你剛剛已經下載了 iptables.rule ,那麼該檔案內已經含有 NAT 的腳本了! 你可以看到該檔案的第二部份關於 NAT 伺服器的部分,應該有看到底下這幾行:
iptables -A INPUT -iINIF 在本例中為 eth1 介面 echo "1" > /proc/sys/net/ipv4/ip_forward # 上頭這一行則是在讓你的 Linux 具有 router 的能力 iptables -t nat -A POSTROUTING -s
EXTIF -j MASQUERADE # 這一行最關鍵!就是加入 nat table 封包偽裝!本例中
EXTIF 則是對外介面,本例中為 eth0
重點在那個『 MASQUERADE 』!這個設定值就是『 IP 偽裝成為封包出去 (-o) 的那塊裝置上的 IP』!以上面的例子來說,就是 $EXTIF ,也就是 eth0 啦! 所以封包來源只要來自 $innet (也就是內部 LAN 的其他主機) ,只要該封包可透過 eth0 傳送出去, 那就會自動的修改 IP 的來源表頭成為 eth0 的 public IP 啦!就這麼簡單! 你只要將 iptables.rule 下載後,並設定好你的內、外網路介面, 執行 iptables.rule 後,你的 Linux 就擁有主機防火牆以及 NAT 伺服器的功能了!
容易明白『Pi-Point AP』︰
世事經常變動不居!實務工作者總是煩惱不斷?本想著用樹莓派作 AP 不過小菜一碟,早已知知的哩︰
Pi-Point – turn your Raspberry Pi into a wireless access point
I was shown Pi Point before the holidays, but thought it was best to wait until now to spring it on you, because so many of you have got Pis for Christmas and are looking for projects to use them in.
Guy Eastwood has documentation and an SD card image which will allow you to turn your Pi into a wireless access point. With a bit of imagination applied, you can find a million uses for a tiny, waterproofable (think Tupperware and epoxy), cheap access point; of course, you can just use it to extend your home network, but the possibilities get really interesting if you think outside the box. You can build a guest network, firewalled off from your local network. You can learn about network hardening. With the addition of a home-made cantenna, you could set up a line of Pis as relays to get WiFi down to the shed in your allotment, or point a signal at your treehouse. If you’re an altruist, you can provide your local bus stop with free WiFi.
Let us know what you end up doing with Pi-Point. We’d love to hear what you come up with!
……
Turn your Raspberry Pi into a Wireless Access Point
Welcome and thank you for dropping by. If you’re a Raspberry Pi owner and are curious about some of the things you can do with it then this is where you can learn how to turn it into a WiFi Access Point.
There’s all sorts of reasons why you may want to do this…
- Extend your existing WiFi network
- Learn more about wireless networking
- Create a free Access Point
- Build a honeytrap to learn about network-hardening
- Learn about sniffing packets
- Provide guest wireless access firewalled off/through your main network
- Closed wifi monitoring station, e.g. temperature sensor, weather recording
- Create a Raspberry Pi WiFi HotSpot
Given that you have a Pi, though one of the main reasons is likely to be ‘because you can’ !
To get started, follow the Documentation link above to be guided through setting up a Pi-Point from operating system install to fully working, I hope you find this useful!
– Guy Eastwood
………
『路由』route 及『轉址』 nat 的功能,藉著 pipoint 手稿實現也!
pi@raspberrypi:~sudo nano /etc/init.d/pipoint pi@raspberrypi:~
remote_fs
time # Required-Stop:
syslog
network
network
sudo chmod +x /etc/init.d/pipoint pi@raspberrypi:~
問題是
# enable NAT
iptables -t nat -A POSTROUTING -j MASQUERADE
指令到底做了什麼呢?
※ 手冊︰
man iptables
PARAMETERS
The following parameters make up a rule specification (as used in the
add, delete, insert, replace and append commands).
[!] -s, --source address[/mask][,...]
Source specification. Address can be either a network name, a
hostname, a network IP address (with /mask), or a plain IP
address. Hostnames will be resolved once only, before the rule
is submitted to the kernel. Please note that specifying any
name to be resolved with a remote query such as DNS is a really
bad idea. The mask can be either an ipv4 network mask (for ipt‐
ables) or a plain number, specifying the number of 1's at the
left side of the network mask. Thus, an iptables mask of 24 is
equivalent to 255.255.255.0. A "!" argument before the address
specification inverts the sense of the address. The flag --src
is an alias for this option. Multiple addresses can be speci‐
fied, but this will expand to multiple rules (when adding with
-A), or will cause multiple rules to be deleted (with -D).
[!] -i, --in-interface name
Name of an interface via which a packet was received (only for
packets entering the INPUT, FORWARD and PREROUTING chains).
When the "!" argument is used before the interface name, the
sense is inverted. If the interface name ends in a "+", then
any interface which begins with this name will match. If this
option is omitted, any interface name will match.
[!] -o, --out-interface name
Name of an interface via which a packet is going to be sent (for
packets entering the FORWARD, OUTPUT and POSTROUTING chains).
When the "!" argument is used before the interface name, the
sense is inverted. If the interface name ends in a "+", then
any interface which begins with this name will match. If this
option is omitted, any interface name will match.
※ 執行參考︰
pi@raspberrypi:~route Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface default LEDE.lan 0.0.0.0 UG 202 0 0 eth0 default 192.168.8.1 0.0.0.0 UG 303 0 0 wlan0 5.168.166.0 0.0.0.0 255.255.255.0 U 202 0 0 eth0 192.168.8.0 0.0.0.0 255.255.255.0 U 303 0 0 wlan0 pi@raspberrypi:~
sudo -s root@raspberrypi:/home/pi# iptables -t nat -n -L Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0