Environment: dual-uplink IDC, server located in Tianjin
Netcom (网通): ip 11.22.33.44 gw 11.22.33.1 eth1
Telecom (电信): ip 55.66.77.88 gw 55.66.77.1 eth1:1
Private: ip 10.10.10.10 gw 10.10.10.1 eth0
1. Set the server's default gateway. The server is in the north, which is Netcom's territory, so we use Netcom as the default gateway:
[root@xxx ~]# ip route replace table main default via 11.22.33.1 dev eth1
2. Set how traffic from outside accessing the server is routed, i.e. replies must leave through the uplink whose address the request arrived on.
Add three routing tables (private, telecom, netcom) to /etc/iproute2/rt_tables:
[root@xxx ~]# cat /etc/iproute2/rt_tables
50 private
100 tel
200 cnc
Add route entries for eth0, eth1 and eth1:1 respectively. Note that the table names follow the addresses given at the top: 11.22.33.44 is the Netcom (cnc) address and 55.66.77.88 the Telecom (tel) address. "eth1:1" is only an ifconfig alias label; ip(8) needs the real device name, so the secondary address is added with dev eth1 and the matching src.
##############
# add routing for the private route table
ip route add table private 10.10.10.0/24 dev eth0 proto kernel scope link src 10.10.10.10
ip route add table private default via 10.10.10.1 dev eth0 src 10.10.10.10
# use the private table if the packet's source ip is 10.10.10.10
ip rule add from 10.10.10.10 table private prio 500
##############
# add routing for the netcom (cnc) route table: 11.22.33.44 on eth1
ip route add table cnc 11.22.33.0/24 dev eth1 proto kernel scope link src 11.22.33.44
ip route add table cnc default via 11.22.33.1 dev eth1 src 11.22.33.44
# use the cnc table if the packet's source ip is 11.22.33.44
ip rule add from 11.22.33.44 table cnc prio 1000
##############
# add routing for the telecom (tel) route table: 55.66.77.88 is a secondary
# address on eth1 (the "eth1:1" label is not a device name for ip(8))
ip route add table tel 55.66.77.0/24 dev eth1 proto kernel scope link src 55.66.77.88
ip route add table tel default via 55.66.77.1 dev eth1 src 55.66.77.88
# use the tel table if the packet's source ip is 55.66.77.88
ip rule add from 55.66.77.88 table tel prio 500
Test: run tcpdump on the server while connecting to each public address from outside and confirm that the replies leave with the source address and gateway that match the address the request came in on.
3. Set how traffic that the server itself initiates toward the outside is routed (connections to Telecom addresses should leave through the Telecom uplink).
First you need a complete list of Telecom IP ranges; you can collect it yourself or buy one.
For example, I put all the Telecom ranges in /opt/scripts/telecom_ip_list (one CIDR per line) and wrote a simple script to add these routing rules in bulk. The rules are "to" rules, so the existence check has to look for "to ... lookup tel" as well, otherwise the script adds a duplicate rule on every run:
while read -r subnet; do
    [ -z "$subnet" ] && continue
    # skip subnets that already have a rule; -F because CIDRs contain dots
    if ip rule | grep -F "to $subnet lookup tel" >/dev/null; then
        :
    else
        ip rule add to "$subnet" table tel prio 5000
    fi
done < /opt/scripts/telecom_ip_list
Test:
ip route get xxx.xxx.xxx.xxx    (a Telecom address)
ip route get xxx.xxx.xxx.xxx    (a Netcom address)
Check that the returned information is correct: the Telecom address should be reached via 55.66.77.1 with src 55.66.77.88, the Netcom address via 11.22.33.1 with src 11.22.33.44.
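The following script is an added example, not code from the original post: it bundles steps 2 and 3 into an idempotent setup that can be re-run safely, with a dry-run mode that only prints the ip(8) commands, plus a small checker for `ip route get` output. The addresses, gateways, devices and table names are the ones from the post; the helper names, the DRY_RUN and TEL_LIST variables, and the sample rule and route text are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not the original post's code): idempotent policy routing for
# the dual-uplink layout described above. Run as root with "apply" to
# configure, or "dry-run" to only print the commands that would be executed.

# Private network on eth0, Netcom (cnc) on eth1, Telecom (tel) as a secondary
# address on eth1 (the "eth1:1" label is not a device name for ip(8)).
PRIV_IP=10.10.10.10; PRIV_GW=10.10.10.1; PRIV_DEV=eth0
CNC_IP=11.22.33.44;  CNC_GW=11.22.33.1;  CNC_DEV=eth1
TEL_IP=55.66.77.88;  TEL_GW=55.66.77.1;  TEL_DEV=eth1
TEL_LIST=${TEL_LIST:-/opt/scripts/telecom_ip_list}   # one CIDR per line (assumed path from the post)

# run_ip: execute an ip(8) command, or just print it when DRY_RUN=1
run_ip() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "ip $*"; else ip "$@"; fi
}

# rule_present RULES SELECTOR TABLE: succeeds if the text RULES (output of
# `ip rule`) already lists "<selector> lookup <table>". Fixed-string match,
# since CIDRs contain dots.
rule_present() {
    printf '%s\n' "$1" | grep -F -- "$2 lookup $3" >/dev/null
}

# ensure_rule RULES SELECTOR TABLE PRIO: add the rule only when it is missing,
# so re-running the script never stacks duplicate rules.
ensure_rule() {
    if rule_present "$1" "$2" "$3"; then
        :
    else
        # $2 is deliberately unquoted: it is two words, "from X" or "to X"
        run_ip rule add $2 table "$3" prio "$4"
    fi
}

# add_table TABLE NET DEV GW IP: per-uplink table with link route + default;
# "replace" instead of "add" keeps this idempotent as well
add_table() {
    run_ip route replace table "$1" "$2" dev "$3" proto kernel scope link src "$5"
    run_ip route replace table "$1" default via "$4" dev "$3" src "$5"
}

# setup_source_rules RULES: step 2 of the post, reply traffic leaves through
# the uplink whose address it was received on
setup_source_rules() {
    add_table private 10.10.10.0/24 "$PRIV_DEV" "$PRIV_GW" "$PRIV_IP"
    add_table cnc     11.22.33.0/24 "$CNC_DEV"  "$CNC_GW"  "$CNC_IP"
    add_table tel     55.66.77.0/24 "$TEL_DEV"  "$TEL_GW"  "$TEL_IP"
    ensure_rule "$1" "from $PRIV_IP" private 500
    ensure_rule "$1" "from $CNC_IP"  cnc     1000
    ensure_rule "$1" "from $TEL_IP"  tel     500
}

# setup_dest_rules RULES (list on stdin): step 3 of the post, connections the
# server itself opens toward Telecom ranges go out the Telecom uplink
setup_dest_rules() {
    while read -r subnet; do
        case $subnet in ''|'#'*) continue ;; esac   # skip blank and comment lines
        ensure_rule "$1" "to $subnet" tel 5000
    done
}

# route_matches GETOUTPUT DEV SRC: succeeds if `ip route get` output names the
# expected outgoing device and source address
route_matches() {
    set -- "$(printf '%s\n' "$1" | awk '
        { for (i = 1; i <= NF; i++) { if ($i == "dev") d = $(i+1); if ($i == "src") s = $(i+1) } }
        END { print d, s }')" "$2" "$3"
    [ "$1" = "$2 $3" ]
}

case "${1:-}" in
    apply|dry-run)
        [ "$1" = dry-run ] && DRY_RUN=1
        run_ip route replace table main default via "$CNC_GW" dev "$CNC_DEV"   # step 1
        rules=$(ip rule)
        setup_source_rules "$rules"
        setup_dest_rules "$rules" < "$TEL_LIST"
        ;;
esac
```

Review the output of `sh setup.sh dry-run` before running `apply`, then verify with `ip route get` for one Telecom and one Netcom address as described above; `route_matches` can be fed that output to check the expected device and source address. Getting the source-based rules right matters beyond correctness: replies that leave through the wrong uplink carry a source address that does not belong to that carrier, and upstream reverse-path filtering may silently drop them.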