Turning a Debian server into a router that lets an internal network reach the Internet

1 Goal

Let hosts on the internal network reach the Internet through the gateway host.

2 Prerequisites

2.1 Gateway host (Router)

Two network interfaces:

2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:c8:27:4f brd ff:ff:ff:ff:ff:ff
inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic enp0s3
valid_lft 86025sec preferred_lft 86025sec
inet6 fe80::a00:27ff:fec8:274f/64 scope link
valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:4a:27:99 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.111/24 brd 192.168.56.255 scope global dynamic enp0s8
valid_lft 508sec preferred_lft 508sec
inet6 fe80::a00:27ff:fe4a:2799/64 scope link
valid_lft forever preferred_lft forever

10.0.2.15 has Internet access

192.168.56.111 is the internal-network interface

2.2 Client

2: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:79:02:15 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.113/24 brd 192.168.56.255 scope global enp0s8
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe79:215/64 scope link
valid_lft forever preferred_lft forever

3 Getting started

3.1 Gateway host

Create the service script:

root@gateway:~# cat /usr/local/src/become-a-router.sh
#!/bin/bash
# Enable IPv4 forwarding. Use > rather than >>: /proc/sys entries are written, not appended to.
/usr/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
# Masquerade (source-NAT) everything that comes from the internal network.
# The -C check keeps the rule from being added a second time if the script runs again.
/usr/sbin/iptables -t nat -C POSTROUTING -s 192.168.56.0/24 -j MASQUERADE 2>/dev/null || \
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.56.0/24 -j MASQUERADE

Create the systemd service file:

root@gateway:~# cat /usr/lib/systemd/system/become-a-router.service
[Unit]
Description=Become a router
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/local/src/become-a-router.sh
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Register the service and enable it at boot:

systemctl daemon-reload
systemctl start become-a-router.service
systemctl enable become-a-router.service
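A tighter version of the gateway setup, as an added example that is not the post's own script. It takes the interface names (enp0s3 outward, enp0s8 inward) and the 192.168.56.0/24 prefix from the post; the rest is this example's assumption. Compared with the single MASQUERADE rule above it only masquerades packets leaving through the external interface, and it sets a FORWARD policy so that the gateway relays internal-to-external traffic and the replies to it, but nothing arriving on the external side can be forwarded into the internal network. The rules are still not persistent across reboots on their own; the post's systemd unit could call this script with the `apply` argument instead of become-a-router.sh.

```sh
#!/bin/sh
# Added example (not from the original post): generate, apply and verify a
# restrictive forwarding/NAT rule set for the gateway host described above.

LAN_IF="${LAN_IF:-enp0s8}"           # internal NIC (192.168.56.111 in the post)
WAN_IF="${WAN_IF:-enp0s3}"           # NIC with Internet access (10.0.2.15 in the post)
LAN_NET="${LAN_NET:-192.168.56.0/24}"

# Print the rule set, one command per line. Printing first (dry run) lets the
# rules be reviewed before anything touches the kernel.
router_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# Apply the rules (needs root). Every "-A" is tried as a "-C" check first so
# that running the script twice does not duplicate rules.
apply_rules() {
  router_rules | while IFS= read -r line; do
    case "$line" in
      iptables*" -A "*)
        check=$(printf '%s\n' "$line" | sed 's/ -A / -C /')
        $check 2>/dev/null || $line ;;
      *) $line ;;
    esac
  done
}

# Confirm the live state after applying: forwarding is on and the masquerade
# rule is present. Returns non-zero otherwise.
verify_router() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ] || return 1
  iptables -t nat -C POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Usage: ./router-rules.sh         prints the rules (dry run)
#        ./router-rules.sh apply   applies and verifies them (as root)
case "${1:-}" in
  apply) apply_rules && verify_router ;;
  *) router_rules ;;
esac
```

The FORWARD policy is set to DROP last, after the two ACCEPT rules, so there is no window in which legitimate forwarding is blocked. With this rule set, `iptables -t nat --list` on the gateway shows the MASQUERADE line with enp0s3 as its out interface, and `iptables --list FORWARD` shows the policy DROP with the two ACCEPT rules.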

3.2 Configure the client's IP address and default gateway

root@client1:~# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# 1
auto enp0s3
allow-hotplug enp0s3
iface enp0s3 inet dhcp

# 2
auto enp0s8
allow-hotplug enp0s8
iface enp0s8 inet static
address 192.168.56.113
netmask 255.255.255.0
gateway 192.168.56.111

# dns-nameservers 8.8.8.8

4 Testing

4.1 Check iptables on the gateway

root@gateway:~# iptables -t nat --list
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.56.0/24 anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

4.2 Client reaches the Internet

root@client1:~# ping www.126.com
PING www.126.com (220.181.12.218) 56(84) bytes of data.
64 bytes from www.126.com (220.181.12.218): icmp_seq=1 ttl=61 time=69.9 ms
64 bytes from www.126.com (220.181.12.218): icmp_seq=2 ttl=61 time=71.2 ms
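A single ping either works or it does not; when it does not, the failure can sit in the client's route, at the gateway, in the gateway's forwarding/NAT, or in DNS. The following client-side check, an added example rather than anything from the post, tests those stages in order and names the first one that fails. The gateway address is the post's 192.168.56.111 and the probe address is the 220.181.12.218 from the ping output above; the route parser is exercised on a constructed copy of `ip route` output so it can be tried without the lab network.

```sh
#!/bin/sh
# Added example (not from the original post): locate which stage of the
# client -> gateway -> Internet path is broken.

GATEWAY="${GATEWAY:-192.168.56.111}"       # gateway address from the post
PROBE_IP="${PROBE_IP:-220.181.12.218}"     # external address from the post's ping output
PROBE_HOST="${PROBE_HOST:-www.126.com}"    # name from the post's ping output

# Read `ip route` output on stdin and print the default gateway, if any.
# Kept separate from the live command so it can be tested on saved output.
default_gw_from_routes() {
  awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Constructed sample of `ip route` output for the client configured in the post.
SAMPLE_ROUTES='default via 192.168.56.111 dev enp0s8 onlink
192.168.56.0/24 dev enp0s8 proto kernel scope link src 192.168.56.113'

sample_gateway() {
  printf '%s\n' "$SAMPLE_ROUTES" | default_gw_from_routes
}

# Run the stages against the live system. The return code says which stage
# failed: 1 route, 2 gateway, 3 forwarding/NAT, 4 DNS; 0 means all passed.
check_client() {
  gw=$(ip route | default_gw_from_routes)
  [ "$gw" = "$GATEWAY" ] || {
    echo "stage 1: default route via '$gw', expected $GATEWAY (check 'gateway' in /etc/network/interfaces)"; return 1; }
  ping -c1 -W2 "$GATEWAY" >/dev/null 2>&1 || {
    echo "stage 2: gateway $GATEWAY does not answer (check the client's address/netmask and the gateway's internal NIC)"; return 2; }
  ping -c1 -W2 "$PROBE_IP" >/dev/null 2>&1 || {
    echo "stage 3: $PROBE_IP unreachable via gateway (check ip_forward and the MASQUERADE rule on the gateway)"; return 3; }
  ping -c1 -W2 "$PROBE_HOST" >/dev/null 2>&1 || {
    echo "stage 4: $PROBE_HOST does not resolve (set dns-nameservers on the client)"; return 4; }
  echo "all stages passed"
}

# Usage: ./check-client.sh run      (on the client, after configuring enp0s8)
case "${1:-}" in
  run) check_client ;;
  *) ;;
esac
```

Stage 3 failing while stage 2 passes is the signature of a gateway that is reachable but not forwarding; stage 4 failing alone matches the post's client config, where the dns-nameservers line is commented out and name resolution depends on the other interface.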

5 Done

6 Notes

When calling programs from the script, mind how their paths are referenced: the paths may differ from one distribution to another.

posted on 2020-11-07 09:16 by 刘应杰