TSG-8393, NATGW iptables 转发策略设置不合理, 导致Layer2和VPN模式不能共用, 已修复.

2021-11-09 13:15:55 +08:00
parent 703389e834
commit 9a758df05a
4 changed files with 45 additions and 7 deletions
--- a/deploy_env/group_vars/all.yml
+++ b/deploy_env/group_vars/all.yml
@@ -22,7 +22,7 @@ wannat_global:
        location_compare_type: 0
        country_location:  "Set_your_geographic_location_here"
        province_location: "Set_your_geographic_location_here"
-        ctrl_device_ip_addr: "172.26.121.58"
+        ctrl_device_name: "eth0"

    toroad:
        http_server_listen_port: 8888
--- a/roles/natgw/files/script/natgw_set_iptables_rule.sh
+++ b/roles/natgw/files/script/natgw_set_iptables_rule.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+if [ ! $1 ]; then  
+	echo "must set device name!"
+	echo "Usage: $0 <devie_name>"
+	exit 1
+fi
+
+IP_ADDR_WITH_MASK=`ip addr show | grep $1 | grep inet | awk {'print $2'}`
+
+if [ ! $IP_ADDR_WITH_MASK ]; then  
+	echo "get IP_ADDR_WITH_MASK error!"
+	exit 1
+fi
+
+#echo "IP_ADDR_WITH_MASK = $IP_ADDR_WITH_MASK"
+
+IP_ADDR=`ip addr show | grep $1 | grep inet | awk {'print $2'} | awk -F '/' {'print $1'}`
+if [ ! $IP_ADDR ]; then  
+	echo "get IP_ADDR error!"
+	exit 1
+fi
+
+#echo "IP_ADDR = $IP_ADDR"
+
+#set iptables
+iptables -I OUTPUT -p icmp --icmp-type destination-unreachable -s $IP_ADDR -j DROP
+iptables -I OUTPUT -p icmp --icmp-type redirect -s $IP_ADDR -j DROP
+iptables -I FORWARD -s $IP_ADDR_WITH_MASK  -j DROP
+
+exit 0
+
+
--- a/roles/natgw/tasks/main.yml
+++ b/roles/natgw/tasks/main.yml
@@ -3,6 +3,7 @@
  copy:
    src: "{{ role_path }}/files/rpm/{{ wannat_global.rpm_files.natgw_rpm_file }}"
    dest: "/tmp/"
+
    
 - name: "install natgw"
  yum:
@@ -21,7 +22,13 @@
  file:
    path: /opt/tsg/wannat/natgw/conf
    state: directory
-    
+
+- name: "copy natgw_set_iptables_rule.sh to destination server"
+  copy:
+    src: "{{ role_path }}/files/script/natgw_set_iptables_rule.sh"
+    dest: "/opt/tsg/wannat/natgw/"
+    mode: a+x
+
 - name: "Template the natgw.conf"
  template:
    src: "{{ role_path }}/templates/natgw.conf.j2"
@@ -33,7 +40,7 @@
    src: "{{ role_path }}/templates/natgw_log.conf.j2"
    dest: /opt/tsg/wannat/natgw/conf/natgw_log.conf
  tags: template
- 
+
 - name: "Template the maat compile table info"
  template:
    src: "{{ role_path }}/templates/compile_tableinfo.conf.j2"
@@ -60,4 +67,4 @@
    state: started
  
    
-  
+  
--- a/roles/natgw/templates/natgw.service.j2
+++ b/roles/natgw/templates/natgw.service.j2
@@ -21,9 +21,7 @@ ExecStartPost=/bin/sh -c "ethtool -K {{wannat_global.natgw.device}} tso off"
 ExecStartPost=/bin/sh -c "ip rule add from {{wannat_global.common.vpn_client_ip_cidr}} table 1001"
 ExecStartPost=/bin/sh -c "ip route add default via 100.64.1.253 table 1001"

-ExecStartPost=/bin/sh -c "iptables -I OUTPUT -p icmp --icmp-type destination-unreachable -s {{wannat_global.natgw.ctrl_device_ip_addr}} -j DROP"
-ExecStartPost=/bin/sh -c "iptables -I OUTPUT -p icmp --icmp-type redirect -s {{wannat_global.natgw.ctrl_device_ip_addr}} -j DROP"
-ExecStartPost=/bin/sh -c "iptables -I FORWARD ! -d {{wannat_global.natgw.ctrl_device_ip_addr}}  -j DROP"
+ExecStartPost=/bin/sh -c "/opt/tsg/wannat/natgw/natgw_set_iptables_rule.sh {{wannat_global.natgw.ctrl_device_name}}"

 TimeoutSec=300s
 RestartSec=10s