System environment: centos7
Objectives: Achieve corporate office network access and network permission control for various departments
Adopt technology: ipset, iptables, iprule, and iproute
The purpose of this article is to implement the design and implementation of self-built gateways that can be adopted by thousands of Companies
First, plan the use of Intranet segments, which can be divided by department or location, such as: operation Department (192.168.1.0/24), Development Department (192.168.2.0/24), after-sales department (192.168.3.0/24), product department (192.168.4.0/24), network management department (192.168.5.0/24)....
Then, for each department of the company, not only can they get out of the network normally, but also design control of rights, such as not accessible across network segments, restricting download bandwidth, vpn rights control, etc.
1. Network Card Design
In addition to having a management ip for the gateway machine, there are two other network cards: the internal network card and the public network card. Then for the network card, it can be designed as a subnet card, which can be divided into network segments, create corresponding subnet cards, and then set up as gateway ip for each network segment.
# Intranet network card: eth1 vconfig add eth1 1 # Add Subnet Card ip addr add 192.168.1.254 dev eth1.1 # Add a segment of gateway ip for the subnet card ifconfig eth0.1 up # up network card # Public network card: eth2 vconfig add eth2 1 # Add subnet card: xx operator ip addr add Operator Out of the Network ip1 dev eth2.1 # Add the operator's outbound ip to the subnet card ip addr add Operator Out of the Network ip2 dev eth2.1 ip addr add Operator Out of the Network ip3 dev eth2.1.... # When adding multiple IPS to a subnet card, using ip addr and ifconfig add will be different, pitted and testable
We use iptables as a tool for rights control, so if an IP needs to set a rule, it would be a waste of system performance. ipset can solve this problem very well. ipset is a concept of a collection, it can belong to one ipset group, and then set rights for this group (the ipset group can be ip, net, port type, depending on specific requirements)
Create an ipset group for all office segments
ipset create Operator Out of the Network ip1 hash:net family inet # Create an ipset group whose name can be written by segment or by outgoing ip ipset create Operator Out of the Network ip2 hash:net family inet ipset create Operator Out of the Network ip3 hash:net family inet ipset create Operator Out of the Network ip4 hash:net family inet.....
Add all office IPS to the corresponding ip set group
ipset add Operator Out of the Network ip1 192.168.1.0/24 # Because the ipset group built is of type net, the entire segment can be added ipset add Operator Out of the Network ip2 192.168.2.0/24 ipset add Operator Out of the Network ip3 192.168.3.0/24 ipset add Operator Out of the Network ip4 192.168.4.0/24
3. iptables-mangle table
The order and functions of the four tables and five chains of iptables are no longer described. The design will set the ipset groups we just created into labels one by one through the mangle table. We will match the corresponding ipset groups by labels
iptables -t mangle -A PREROUTING -m set --match-set Operator Out of the Network ip1 src -j MARK --set-xmark 0x01 iptables -t mangle -A PREROUTING -m set --match-set Operator Out of the Network ip2 src -j MARK --set-xmark 0x02 iptables -t mangle -A PREROUTING -m set --match-set Operator Out of the Network ip3 src -j MARK --set-xmark 0x03 iptables -t mangle -A PREROUTING -m set --match-set Operator Out of the Network ip4 src -j MARK --set-xmark 0x04
4. iptables-net table
The net table matches the corresponding ipset groups by tags, and then makes snet s of all ip outbound ipsets in the groups, converting them into corresponding operator outbound IPS
iptables -t nat -A POSTROUTING -m mark --mark 0x01 -j SNAT --to-source Operator Out of the Network ip1 iptables -t nat -A POSTROUTING -m mark --mark 0x02 -j SNAT --to-source Operator Out of the Network ip2 iptables -t nat -A POSTROUTING -m mark --mark 0x03 -j SNAT --to-source Operator Out of the Network ip3 iptables -t nat -A POSTROUTING -m mark --mark 0x04 -j SNAT --to-source Operator Out of the Network ip4
Policy-based routing has many extensibilities over iproute s, where we point all ipset groups of the same operator to the operator's routing table
ip rule add from all fwmark 0x01 lookup xx Operator Routing Table ip rule add from all fwmark 0x02 lookup xx Operator Routing Table ip rule add from all fwmark 0x03 lookup xx Operator Routing Table ip rule add from all fwmark 0x04 lookup xx Operator Routing Table......
The data points to the corresponding routing table according to the routing policy, and then finds the next hop based on the specific rules in the routing table
# Packet Trend Rules for Intranet Sections /sbin/ip route add 192.168.1.0/24 via 192.168.1.254 table xx Operator Routing Table /sbin/ip route add 192.168.2.0/24 via 192.168.2.254 table xx Operator Routing Table /sbin/ip route add 192.168.3.0/24 via 192.168.3.254 table xx Operator Routing Table /sbin/ip route add 192.168.4.0/24 via 192.168.3.254 table xx Operator Routing Table # The routing table also has a default rule, that is, the operator's gateway ip, which means the default data is going through this public network gateway /sbin/ip route add default via xxx.xxx.xxx.xxx table xx Operator Routing Table
The above steps basically meet the office requirements, but there is no control over permissions. Here, set up the default not to interoperate each office section through the filter table. Of course, if you need a section with the most permissions, such as the network management department needs to pass all sections, you can control it through this table.
#01 Prohibit cross-office communication
iptables -A FORWARD -s 192.168.0.0/16 -d 192.168.0.0/16 -m comment --comment "Office network prohibits intranet interchange" -j DROP
#02 Set up the rules for this segment to communicate with each other (suspected here, you don't need to set up this segment to communicate with each segment, because no cross-segment access seems to be tested and can't get to the gateway, there is a convergence, a lot of access under the gateway)
# Here is to add an extension chain for each segment, with specific rules taking the extension chain iptables -A FORWARD -m comment --comment "1 Segment Interchange Chain" -j 1_FORWARD # Here is set in the extension chain, and a section allows access to the content of the later matching ipset group iptables -A 1_FORWARD -s 192.168.1.0/24 -m set --match-set 192.168.1.0/24_all dst,dst -j ACCEPT # View matching ipset group content # ipset list 192.168.1.0/24_all Name: 192.168.1.0/24_all Type: list:set Revision: 3 Header: size 8 Size in memory: 208 References: 1 Number of entries: 2 Members: 192.168.1.0/24_ip 192.168.1.0/24_port # ipset list 192.168.1.0/24_ip Name: 192.168.1.0/24_ip Type: hash:net Revision: 6 Header: family inet hashsize 1024 maxelem 65536 Size in memory: 568 References: 1 Number of entries: 3 Members: 192.168.1.0/24
Configure Access to Cloud Environment, Test Cluster Environment
Cloud environments and test cluster environments both use cloud networking or vpn technology to achieve intranet connectivity, so if someone in a department needs access to cloud environments or machines to test cluster environments, adding target IPS directly under the ip set group at that time is sufficient
8. Speed Limit
Speed limits are available through the tc tool, write a script, tc command before you know, I'll look at it again and record it here
In fact, this structure is relatively simple, there will certainly be a variety of special needs in the production environment, and need to be combined with more expansion, so this article needs to be supplemented.