
Reverse routing:

If enabled, the routing table is consulted when a packet is forwarded out.

If disabled, outbound packets are not looked up in the routing table; instead, the session information decides that a packet leaves through the same interface it arrived on.

The reverse-routing setting on an interface affects connectivity with the carrier's (China Unicom) link equipment!

Suppose the firewall's interface 1 has IP address 202.0.0.1/30, interface 2 has 61.0.0.1/30, and interface 3 has 219.1.1.1/30.

There is one route: 210.0.0.0/8 next-hop 61.0.0.2.

A packet with source IP 210.0.0.1 and destination IP 219.1.1.2 is received on interface 1.

If reverse routing is not enabled on interface 1, the reply packet with source IP 219.1.1.2 and destination IP 210.0.0.1 is forwarded out interface 1 (it returns the way it came, matching the session table).

If reverse routing is enabled on interface 1, the routing table is looked up, so the reply packet with SOURCE_IP 219.1.1.2 and D_IP 210.0.0.1 is forwarded out interface 2.
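As an added illustration that is not part of the original post, the following Python model reproduces the firewall example above and resolves the reply's egress interface both ways (session-table return path versus routing-table lookup). The interface names if1/if2/if3, the session-table layout and the class names are assumptions; the addresses and the static route are the ones given in the post.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

Interface = namedtuple("Interface", "name addr")  # addr: IPv4Interface, e.g. 202.0.0.1/30

@dataclass
class Firewall:
    interfaces: list
    static_routes: list                           # (prefix, next-hop) pairs
    sessions: dict = field(default_factory=dict)  # (src, dst) -> ingress interface name
    def connected_interface(self, ip):
        # Name of the interface whose directly connected subnet contains ip, or None.
        ip = ipaddress.IPv4Address(ip)
        return next((i.name for i in self.interfaces if ip in i.addr.network), None)

    def route_lookup(self, dst):
        # Longest-prefix match over connected and static routes; returns the egress name.
        dst = ipaddress.IPv4Address(dst)
        candidates = [(i.addr.network.prefixlen, i.name)
                      for i in self.interfaces if dst in i.addr.network]
        for prefix, next_hop in self.static_routes:
            net = ipaddress.IPv4Network(prefix)
            out = self.connected_interface(next_hop)  # next hop must sit on a connected subnet
            if dst in net and out:
                candidates.append((net.prefixlen, out))
        return max(candidates)[1] if candidates else None

    def reply_egress(self, src, dst, reverse_routing):
        # Egress for a reply src->dst that belongs to the session first seen as dst->src.
        if not reverse_routing:
            ingress = self.sessions.get((dst, src))
            if ingress:                # no route lookup: leave where the request came in
                return ingress
        return self.route_lookup(dst)  # reverse routing on (or no session): follow the FIB

def build_firewall():
    # The firewall from the post: three /30 uplinks and one static route (constructed).
    return Firewall(
        interfaces=[Interface("if1", ipaddress.IPv4Interface("202.0.0.1/30")),
                    Interface("if2", ipaddress.IPv4Interface("61.0.0.1/30")),
                    Interface("if3", ipaddress.IPv4Interface("219.1.1.1/30"))],
        static_routes=[("210.0.0.0/8", "61.0.0.2")])

def demo():
    fw = build_firewall()
    fw.sessions[("210.0.0.1", "219.1.1.2")] = "if1"  # request 210.0.0.1 -> 219.1.1.2 came in on if1
    return (fw.reply_egress("219.1.1.2", "210.0.0.1", reverse_routing=False),
            fw.reply_egress("219.1.1.2", "210.0.0.1", reverse_routing=True))  # ("if1", "if2")
```

With reverse routing off the reply follows the session back out if1; with it on, the 210.0.0.0/8 route sends it out if2, which is exactly the asymmetry that breaks the carrier link if the upstream on if1 expects symmetric return traffic.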

Reverse-interface policy-based routing: H3C AR6600 series router configuration example

1. Network requirements

The gateway device Router A connects to the public network through two interfaces (Serial2/2/0 and Serial2/2/1). A user PC accesses the HTTP Server on the internal network from the public network. Assume the PC's request enters Router A on interface Serial2/2/0, is forwarded by the gateway, and leaves through Router A's private-network interface GigabitEthernet2/1/1 into the internal network to reach the HTTP Server.

Requirement: the response returned from the private network enters Router A on interface GigabitEthernet2/1/1 and, when Router A forwards it, must go out to the public network through Serial2/2/0, the interface the original request came in on, so that it returns to the user PC.

http://s10.sinaimg.cn/mw690/0041vd9Rzy6P2SmLuEp69

Configuration steps

# Configure the IP addresses of Router A's interfaces and make sure Router A can reach the public network (omitted).

# On interface Serial2/2/0, configure the internal-server function, mapping the HTTP Server's IP address 192.168.1.2/24 to 2.1.1.100/16 (in the same network segment as the IP address of Router A's interface Serial2/2/0).

system-view

[RouterA] interface serial 2/2/0

[RouterA-Serial2/2/0] nat server protocol tcp global 2.1.1.100 www inside 192.168.1.2 www

[RouterA-Serial2/2/0] quit

# On interface Serial2/2/1, configure the internal-server function, mapping the HTTP Server's IP address 192.168.1.2/24 to 2.2.1.100/16 (in the same network segment as the IP address of Router A's interface Serial2/2/1).

[RouterA] interface serial 2/2/1

[RouterA-Serial2/2/1] nat server protocol tcp global 2.2.1.100 www inside 192.168.1.2 www

[RouterA-Serial2/2/1] quit

# Define node 10 so that packets matching the reverse input interface Serial2/2/0 get the next-hop address 2.1.1.2/16.

system-view

[RouterA] policy-based-route test permit node 10

[RouterA-pbr-test-10] if-match reverse-input-interface serial 2/2/0

[RouterA-pbr-test-10] apply ip-address next-hop 2.1.1.2

[RouterA-pbr-test-10] quit

# Apply policy test on the Ethernet interface GigabitEthernet2/1/1.

[RouterA] interface GigabitEthernet 2/1/1

[RouterA-GigabitEthernet2/1/1] ip policy-based-route test
