Internet sharing (简体中文)

From ArchWiki
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
翻译状态:本文是 Internet sharing翻译。上次翻译日期:2017-06-28。如果英文版本有所更改,则您可以帮助同步翻译。

Tango-preferences-desktop-locale.png本文或本节需要翻译。要贡献翻译,请访问简体中文翻译团队Tango-preferences-desktop-locale.png

附注: 初创页面,尚未翻译(在 Talk:Internet sharing (简体中文)# 中讨论)

这篇文章解释了如何从一台机器向其他机器分享网络连接。

依赖

作为服务器的机器应该有一个额外的网络设备。这个网络设备需要一个数据链路层来连接到将要获得网络访问的机器:

  • 如果想给若干台机器分享网络连接,switch可以提供数据连接。
  • 一个无线设备同样可以给若干台机器分享网络访问,参见Software access point
  • 如果只需分享网络给一台机器,一根交叉网线就可以了。 如果两台电脑的网卡支持MDI-X,交叉网线也不是必须的,一根普通直连网线也可以。 运行 ethtool interface | grep MDI 确认网卡是否支持MDI-X。

配置

这个章节假定,连接到客户机的网络设备被命名为 net0而连接到互联网的网络设备被命名为internet0

提示: 为了此事,你可以使用Udev#Setting static device names所述的方法重命名你的设备。

所有的配置都是在服务器计算机上完成的,除了最后一步#给客户机分配IP地址.

静态IP地址

在服务器计算机上,给要连接到其他机器的网卡分配一个静态的IP地址。IP地址的前3个字节不能和其他网卡的一模一样,除非两个网卡都有一个严格大于/24的子网掩码。

# ip link set up dev net0
# ip addr add 192.168.123.100/24 dev net0 # arbitrary address

为了使你的静态IP在启动时被分配,你可以使用network manager

启用包转发

检查当前的包转发设置:

# sysctl -a | grep forward

你将会注意到控制每个默认值,每个网卡的包转发的选项都是存在的,同时每个网卡的IPv4和IPv6选项都是分开的。

输入这条命令以在运行时临时启用包转发:

# sysctl net.ipv4.ip_forward=1
提示: 要想选择性地为某一个具体的网卡提供包转发,使用sysctl net.ipv4.conf.interface_name.forwarding=1来代替。
警告: 如果系统使用了systemd-networkd来控制网卡,就不可能为单个网卡配置IPv4的设置,换言之,systemd的操作规则会将所有配置过的转发发送到一个全局(针对所有网卡)的IPv4的设置。建议的变通方法是使用防火墙在选中的网卡上禁止转发。参考systemd.network(5)手册页以获取更多信息。在之前的systemd发行版本220/221中引入的执行内核设置的IPForward=kernel已不再适用。[1] [2]

编辑/etc/sysctl.d/30-ipforward.conf来使得之前的改变可以永久地应用于所有接口上:

/etc/sysctl.d/30-ipforward.conf
net.ipv4.ip_forward=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1

这之后,仍然建议在重启之后再次检查,以确认转发已经按需求启用。

Enable NAT

With iptables

Install the iptables package. Use iptables to enable NAT:

# iptables -t nat -A POSTROUTING -o internet0 -j MASQUERADE
# iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i net0 -o internet0 -j ACCEPT
注意: Of course, this also works with a mobile broadband connection (usually called ppp0 on routing PC).

Read the iptables article for more information (especially saving the rule and applying it automatically on boot). There is also an excellent guide on iptables Simple stateful firewall.

With nftables

Install the nftables package. To enable NAT with nftables, you will have to create the prerouting and postrouting chains in a new/exisiting table (you need both chains even if they are empty):

# nft add table ip nat
# nft add chain ip nat prerouting { type nat hook prerouting priority 0 \; }
# nft add chain ip nat postrouting { type nat hook postrouting priority 100 \; }
注意: If you want to use IPv6, you have to replace all occurences of ip with ip6.

After that, you have to masquerade the net0 adresses for internet0:

# nft add rule nat postrouting oifname internet0 masquerade

You may want to add some more firewall restrictions on the forwarding (assuming the filter table already exists, like configured in Nftables#Server):

# nft add chain inet filter forward { type filter hook forward priority 0 \; policy drop}
# nft add rule filter forward ct state related,established accept
# nft add rule filter forward iifname net0 oifname internet0 accept

You can find more information on NAT in nftables in the nftables Wiki. If you want to make these changes permanent, follow the instructions on nftables

给客户机分配IP地址

If you are planning to regularly have several machines using the internet shared by this machine, then is a good idea to install a DHCP server, such as dhcpd or dnsmasq. Then configure a DHCP client (e.g. dhcpcd) on every client PC.

Tango-edit-clear.pngThis article or section needs language, wiki syntax or style improvements. See Help:Style for reference.Tango-edit-clear.png

Reason: This is not an iptables guide. Expanding the chain with iptables -I might skip other important rules; if you need to script an ON/OFF switch for this, use custom chain with a jump placed carefully in the INPUT chain. (Discuss in Talk:Internet sharing (简体中文))

Incoming connections to UDP port 67 has to be allowed for DHCP server. It also necessary to allow incoming connections to UDP/TCP port 53 for DNS requests.

# iptables -I INPUT -p udp --dport 67 -i net0 -j ACCEPT
# iptables -I INPUT -p udp --dport 53 -s 192.168.123.0/24 -j ACCEPT
# iptables -I INPUT -p tcp --dport 53 -s 192.168.123.0/24 -j ACCEPT

If you are not planing to use this setup regularly, you can manually add an IP to each client instead.

Manually adding an IP

Tango-edit-clear.pngThis article or section needs language, wiki syntax or style improvements. See Help:Style for reference.Tango-edit-clear.png

Instead of using DHCP, on each client PC, add an IP address and the default route:

# ip addr add 192.168.123.201/24 dev eth0  # arbitrary address, first three blocks must match the address from above
# ip link set up dev eth0
# ip route add default via 192.168.123.100 dev eth0   # same address as in the beginning

Configure a DNS server for each client, see resolv.conf for details.

That's it. The client PC should now have Internet.

Troubleshooting

If you are able to connect the two PCs but cannot send data (for example, if the client PC makes a DHCP request to the server PC, the server PC receives the request and offers an IP to the client, but the client does not accept it, timing out instead), check that you do not have other Iptables rules interfering.

See also