There is only one open*** client certificate, but two machines on the LAN both need to reach a server behind the *** server. What is the best way to handle this? The idea here is to do it by adding a static route, so the second machine sends its *** traffic through the machine that holds the certificate.

Environment: public IP and port provided by the *** server side: 101.11.1.2  1234

LAN:  192.168.0.1 (the *** client certificate is on this server)
      192.168.0.2
      gw: 192.168.0.3

Network interfaces on 192.168.0.1

eth0      Link encap:Ethernet  HWaddr 94:DE:80:84:5B:B5 
          inet addr:192.168.0.1  Bcast:192.168.3.255  Mask:255.255.255.0
          inet6 addr: fe80::96de:80ff:fe84:5bb5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1107185 errors:0 dropped:0 overruns:0 frame:0
          TX packets:168532 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:109457526 (104.3 MiB)  TX bytes:71446453 (68.1 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet addr:12.16.13.101  P-t-P:12.16.13.102  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:33 errors:0 dropped:0 overruns:0 frame:0
          TX packets:142 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:2072 (2.0 KiB)  TX bytes:8296 (8.1 KiB)

Routing table on 192.168.0.1

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
101.11.1.0    0.0.0.0         255.255.255.255 UH    0      0        0 tun0
101.11.1.0    12.16.13.101  255.255.255.255 UGH   0      0        0 tun0
12.16.13.12  0.0.0.0         255.255.255.255 UH    0      0        0 tun0
12.16.14.1    12.16.13.102  255.255.255.255 UGH   0      0        0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
101.11.0.0     12.16.13.102  255.255.0.0     UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
0.0.0.0         192.168.0.3  0.0.0.0         UG    0      0        0 eth0

Enable IP forwarding on 192.168.0.1 so it can pass the other host's packets into the tunnel:

vi /etc/sysctl.conf

net.ipv4.ip_forward = 1

sysctl -p

Network interface on 192.168.0.2

eth0      Link encap:Ethernet  HWaddr 94:DE:80:E8:76:61 
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::96de:80ff:fee8:7661/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:207826530 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34449534802 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:16607632731 (15.4 GiB)  TX bytes:34263871184786 (31.1 TiB)
          Interrupt:30 Base address:0xa000

Routing table on 192.168.0.2 (after the route below has been added)

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
101.11.1.0    192.168.0.1   255.255.255.0   UG    0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
0.0.0.0         192.168.0.3   0.0.0.0         UG    0      0        0 eth0

The key step: on 192.168.0.2, add a route to the *** server network whose next hop is the *** client's eth0 address, 192.168.0.1:

route add -net 101.11.1.0 netmask 255.255.255.0 gw 192.168.0.1

The second step is to add iptables rules like the following on the *** client, 192.168.0.1:

#!/bin/bash
# Enable forwarding (same setting as in /etc/sysctl.conf above)
echo '1' >/proc/sys/net/ipv4/ip_forward
# Clear the filter table and reset the default policies
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT  ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -j ACCEPT
#/sbin/iptables -A INPUT -i tun0 -j ACCEPT
/sbin/iptables -A INPUT -i bond0 -j ACCEPT
/sbin/iptables -A INPUT -m state --state RELATED -j ACCEPT
# Clear the nat table and reset its default policies
/sbin/iptables -F -t nat
/sbin/iptables -X -t nat
/sbin/iptables -Z -t nat
/sbin/iptables -t nat -P PREROUTING  ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT      ACCEPT
/sbin/iptables -A INPUT -p TCP -i eth0 --dport  22  -j ACCEPT
#/sbin/iptables -A INPUT -p TCP -i tun0 --dport  22  -j ACCEPT
# The rule that matters: masquerade LAN traffic leaving through the tunnel,
# so the *** server only ever sees this client's tunnel address
/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o tun0 -j MASQUERADE
sleep 10
# Persist the rule set across reboots
/sbin/iptables-save >/etc/sysconfig/iptables
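The script above sets the FORWARD policy to ACCEPT and masquerades the whole 192.168.0.0/24 into tun0, which makes the *** client host an open gateway for every machine on the LAN. As an added example (not part of the original post), the following script builds a least-privilege version in which only 192.168.0.2 may reach the *** network through tun0 and nothing from the tunnel side may open new connections into the LAN. It assumes the *** network is 101.11.0.0/16 (taken from the route table above) and the conntrack match module is available; the plan is printed as plain commands so it can be reviewed without root before `apply` runs it.

```shell
#!/bin/bash
# Added example, not from the original post: least-privilege forwarding/NAT
# for the *** client host 192.168.0.1. Only LAN_HOST may use the tunnel.
set -eu

LAN_IF=eth0
VPN_IF=tun0
LAN_HOST=192.168.0.2        # the second server that needs *** access
VPN_NET=101.11.0.0/16       # network behind tun0 (assumed from the route table)
IPT=/sbin/iptables

# Print the rule set as a plan, one command per line, so it can be reviewed
# or checked without root before it is applied.
forward_plan() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
$IPT -F FORWARD
$IPT -P FORWARD DROP
$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $LAN_IF -o $VPN_IF -s $LAN_HOST -d $VPN_NET -j ACCEPT
$IPT -t nat -A POSTROUTING -s $LAN_HOST -d $VPN_NET -o $VPN_IF -j MASQUERADE
EOF
}

# Number of commands in the plan (used by the self-check below).
plan_length() {
    forward_plan | wc -l | tr -d ' '
}

# Returns 0 only if every MASQUERADE rule in the plan is limited to LAN_HOST,
# i.e. the NAT does not cover the whole LAN as the original script did.
nat_is_restricted() {
    ! forward_plan | grep MASQUERADE | grep -qv -- "-s $LAN_HOST "
}

# Apply the plan for real (requires root); any failing command aborts.
apply_plan() {
    forward_plan | sh -e
}

if [ "${1:-}" = apply ]; then
    apply_plan
    /sbin/iptables-save >/etc/sysconfig/iptables
fi
```

Run `./forward.sh` with no argument to print the plan and `./forward.sh apply` as root to install it; return traffic from the *** network is still allowed by the ESTABLISHED,RELATED rule, but the FORWARD policy of DROP stops any other LAN host, and anything on the tunnel side, from being forwarded.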