Introduction
System environment: CentOS 7
Objective: provide Internet access for the corporate office network and network permission control for each department
Technologies used: ipset, iptables, ip rule, and ip route
Background
This article describes the design and implementation of a self-built gateway that can be adopted by thousands of companies.
First, plan the intranet segments. They can be divided by department or location, for example: operations department (192.168.1.0/24), development department (192.168.2.0/24), after-sales department (192.168.3.0/24), product department (192.168.4.0/24), network management department (192.168.5.0/24), and so on.
Then, each department must be able to reach the Internet normally, and permissions must also be controlled: for example, no access across network segments, download bandwidth limits, VPN permission control, and so on.
Technical implementation
1. Network Card Design
Besides its management IP, the gateway machine has two other network cards: the internal network card and the public network card. Each card can carry sub-interfaces: create one sub-interface per network segment and assign it that segment's gateway IP.
    # Intranet network card: eth1
    vconfig add eth1 1                      # add the sub-interface eth1.1
    ip addr add 192.168.1.254 dev eth1.1    # add the segment's gateway IP to the sub-interface
                                            # (with no prefix length, ip addr assigns a /32)
    ifconfig eth1.1 up                      # bring the sub-interface up

    # Public network card: eth2
    vconfig add eth2 1                      # add a sub-interface for operator xx
    ip addr add <operator_egress_ip1> dev eth2.1   # add the operator's egress IPs to the sub-interface
    ip addr add <operator_egress_ip2> dev eth2.1
    ip addr add <operator_egress_ip3> dev eth2.1
    # ...
    # When adding multiple IPs to one sub-interface, ip addr and ifconfig add behave
    # differently; this is a pitfall, so test it.
2. ipset
We use iptables for permission control. Writing a separate rule for every IP would waste system performance, and ipset solves this problem well. An ipset is a set: an address belongs to an ipset group, and permissions are then set for the group as a whole (a group can be of ip, net, or port type, depending on the requirement).
Create an ipset group for all office segments
    # The group name can follow the segment or the egress IP
    ipset create <operator_egress_ip1> hash:net family inet
    ipset create <operator_egress_ip2> hash:net family inet
    ipset create <operator_egress_ip3> hash:net family inet
    ipset create <operator_egress_ip4> hash:net family inet
    # ...
Add all office IPs to the corresponding ipset group
    # The groups are of type net, so a whole segment can be added at once
    ipset add <operator_egress_ip1> 192.168.1.0/24
    ipset add <operator_egress_ip2> 192.168.2.0/24
    ipset add <operator_egress_ip3> 192.168.3.0/24
    ipset add <operator_egress_ip4> 192.168.4.0/24
3. iptables-mangle table
The order and roles of the four tables and five chains of iptables are not repeated here. In the mangle table, packets from each ipset group created above are given a mark, one mark per group. Later steps match the groups by these marks.
    iptables -t mangle -A PREROUTING -m set --match-set <operator_egress_ip1> src -j MARK --set-xmark 0x01
    iptables -t mangle -A PREROUTING -m set --match-set <operator_egress_ip2> src -j MARK --set-xmark 0x02
    iptables -t mangle -A PREROUTING -m set --match-set <operator_egress_ip3> src -j MARK --set-xmark 0x03
    iptables -t mangle -A PREROUTING -m set --match-set <operator_egress_ip4> src -j MARK --set-xmark 0x04
4. iptables-nat table
The nat table matches each ipset group by its mark and applies SNAT to the outbound traffic of all IPs in the group, translating the source address to the corresponding operator egress IP.
    iptables -t nat -A POSTROUTING -m mark --mark 0x01 -j SNAT --to-source <operator_egress_ip1>
    iptables -t nat -A POSTROUTING -m mark --mark 0x02 -j SNAT --to-source <operator_egress_ip2>
    iptables -t nat -A POSTROUTING -m mark --mark 0x03 -j SNAT --to-source <operator_egress_ip3>
    iptables -t nat -A POSTROUTING -m mark --mark 0x04 -j SNAT --to-source <operator_egress_ip4>
5. ip rule
Policy-based routing is much more extensible than plain ip route entries. Here we point all ipset groups that use the same operator at that operator's routing table.
    ip rule add from all fwmark 0x01 lookup <xx_operator_routing_table>
    ip rule add from all fwmark 0x02 lookup <xx_operator_routing_table>
    ip rule add from all fwmark 0x03 lookup <xx_operator_routing_table>
    ip rule add from all fwmark 0x04 lookup <xx_operator_routing_table>
    # ...
6. ip route
Packets are directed to the corresponding routing table by the routing policy, and the next hop is then found from the routes in that table.
    # Routes for packets destined to the intranet segments
    /sbin/ip route add 192.168.1.0/24 via 192.168.1.254 table <xx_operator_routing_table>
    /sbin/ip route add 192.168.2.0/24 via 192.168.2.254 table <xx_operator_routing_table>
    /sbin/ip route add 192.168.3.0/24 via 192.168.3.254 table <xx_operator_routing_table>
    /sbin/ip route add 192.168.4.0/24 via 192.168.4.254 table <xx_operator_routing_table>
    # The routing table also has a default route, the operator's gateway IP,
    # so by default traffic leaves through this public gateway
    /sbin/ip route add default via xxx.xxx.xxx.xxx table <xx_operator_routing_table>
7.iptables-filter table
The steps above cover basic office needs, but there is still no permission control. Here the filter table is used so that office segments cannot reach each other by default. If a segment needs the broadest permissions, for example the network management department needing to reach all segments, that is also controlled in this table.
#01 Prohibit cross-office communication
    iptables -A FORWARD -s 192.168.0.0/16 -d 192.168.0.0/16 -m comment --comment "Office network prohibits intranet interchange" -j DROP
#02 Set up the rules for this segment's own communication (in doubt here: it may not be necessary to set up intra-segment communication for each segment, because in testing, access that does not cross segments does not seem to reach the gateway; there is an aggregation layer, and a lot of access stays below the gateway)
    # Add an extension chain for each segment; the segment's specific rules go in that chain
    iptables -N 1_FORWARD    # the chain must exist before FORWARD can jump to it
    iptables -A FORWARD -m comment --comment "1 Segment Interchange Chain" -j 1_FORWARD
    # In the extension chain, allow the segment to access whatever the ipset group matches
    iptables -A 1_FORWARD -s 192.168.1.0/24 -m set --match-set 192.168.1.0/24_all dst,dst -j ACCEPT

    # View the contents of the matching ipset group
    # ipset list 192.168.1.0/24_all
    Name: 192.168.1.0/24_all
    Type: list:set
    Revision: 3
    Header: size 8
    Size in memory: 208
    References: 1
    Number of entries: 2
    Members:
    192.168.1.0/24_ip
    192.168.1.0/24_port

    # ipset list 192.168.1.0/24_ip
    Name: 192.168.1.0/24_ip
    Type: hash:net
    Revision: 6
    Header: family inet hashsize 1024 maxelem 65536
    Size in memory: 568
    References: 1
    Number of entries: 3
    Members:
    192.168.1.0/24
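Steps 2 to 7 repeat the same handful of commands for every department, so the whole rule set can be generated from one table. The script below is an added example, not the author's code: it only prints commands, it refuses a table that reuses a mark, and it emits every per-department jump before the catch-all DROP because iptables evaluates FORWARD rules in order. The department names, the 203.0.113.x egress IPs, the table name isp_a and the `<name>_all` allow-list sets (assumed to be created separately, as in step 7) are constructed placeholders.

```shell
#!/bin/sh
# Added example: prints (never executes) the commands of steps 2-7 for each
# department row. All names and addresses below are constructed placeholders.

# Columns: set-name  subnet  fwmark  egress-ip   (constructed sample data)
DEPARTMENTS='ops 192.168.1.0/24 0x01 203.0.113.1
dev 192.168.2.0/24 0x02 203.0.113.2
support 192.168.3.0/24 0x03 203.0.113.3'
RT_TABLE=isp_a   # hypothetical routing table name

gen_rules() {
    seen=" "
    rules=""
    while read -r name subnet mark egress; do
        [ -n "$name" ] || continue
        # A reused mark would send two departments through the same SNAT
        # rule, so reject the whole table instead of printing partial rules.
        case "$seen" in
            *" $mark "*) echo "duplicate fwmark: $mark" >&2; return 1 ;;
        esac
        seen="$seen$mark "
        # ${name}_all is the step-7 allow list; it is assumed to exist already.
        rules="$rules
ipset -exist create $name hash:net family inet
ipset -exist add $name $subnet
iptables -t mangle -A PREROUTING -m set --match-set $name src -j MARK --set-xmark $mark
iptables -t nat -A POSTROUTING -m mark --mark $mark -j SNAT --to-source $egress
ip rule add from all fwmark $mark lookup $RT_TABLE
iptables -N ${name}_FORWARD
iptables -A FORWARD -j ${name}_FORWARD
iptables -A ${name}_FORWARD -s $subnet -m set --match-set ${name}_all dst,dst -j ACCEPT"
    done <<EOF
$1
EOF
    # Strip the leading newline, then print the collected rules.
    printf '%s\n' "${rules#?}"
    # The first matching terminating rule wins, so the catch-all DROP goes
    # after every per-department jump.
    echo "iptables -A FORWARD -s 192.168.0.0/16 -d 192.168.0.0/16 -j DROP"
}

gen_rules "$DEPARTMENTS"
```

Review the printed commands before piping them to a root shell; a non-zero exit status means the table was rejected and nothing should be applied.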
Configure Access to Cloud Environment, Test Cluster Environment
Cloud environments and test cluster environments are both connected to the intranet through cloud networking or VPN technology, so if someone in a department needs access to machines in the cloud environment or the test cluster environment, it is enough to add the target IPs to that department's ipset group.
8. Speed Limit
Speed limits can be implemented with the tc tool by writing a script. I looked into the tc command before; I'll look at it again and record it here.
End
In fact, this structure is relatively simple. A production environment will certainly have all kinds of special requirements that call for further extensions, so this article still needs to be supplemented.