Can a switch be used this way? - Linux


Fig.1
                   +---+--- in1
  out --- C --- in |   |--- in2
                   | S |--- in3
                   +---+--- in4

  out: 10.xxx.yyy.zzz    in: 192.xxx.yyy.200
  in1: 192.xxx.yyy.1     in2: 192.xxx.yyy.2
  in3: 192.xxx.yyy.3     in4: 192.xxx.yyy.4

Fig.2
                +---+--- ina1
  out --------- |   |--- ina2
                | S |--- inb1
                |   |--- inb2
                +---+--- C

  out: 10.xxx.yyy.zzz
  ina1: 10.xxx.yyy.1     inb1: 20.xxx.yyy.1
  ina2: 10.xxx.yyy.2     inb2: 20.xxx.yyy.2

Earlier I asked on this board whether a switch could be used in the Fig.2 layout instead of the usual NAT layout in Fig.1, where C is the NAT server and S is the switch.

I later set it up successfully and have been using it for several months. Here I share my iptables rules for iptables newcomers; the OS is Fedora 16:
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Source-NAT everything leaving any eth* interface to that interface's address
-A POSTROUTING -o eth+ -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Packets addressed to the NAT box itself
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Accepts everything arriving on any eth* interface, so the --dport rule and the
# final REJECT below only ever see packets from non-eth interfaces
-A INPUT -i eth+ -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport (open port) -j ACCEPT
# Packets routed through the NAT box (not addressed to it)
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth+ -j ACCEPT
-A FORWARD -o eth+ -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

--
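As an added example (not the original poster's code), a small first-match evaluator for the INPUT chain posted above: it assumes the interface names eth0, eth1 and ppp0 as constructed samples and puts 22 in place of "(open port)". Running it shows that for any eth* interface the "-i eth+ -j ACCEPT" rule fires before the --dport rule and the final REJECT, so those two only apply to packets from non-eth interfaces.

```python
"""First-match evaluator for one iptables-save chain (added example; understands only -i/-o with the '+' wildcard, -p, --dport, --state, -j)."""
import shlex

# The post's INPUT chain; its "(open port)" placeholder replaced by a constructed 22.
RULES_TEXT = """
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""
PKT_KEY = {"-i": "in", "-o": "out", "-p": "proto", "--dport": "dport", "--state": "state"}

def parse_rules(text):
    """Turn '-A CHAIN opt arg ...' lines into (chain, matches, target) tuples."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 2 or tok[0] != "-A":
            continue
        chain, match, target = tok[1], {}, None
        for opt, arg in zip(tok[2::2], tok[3::2]):  # every option used here takes one argument
            if opt in PKT_KEY:
                match[opt] = set(arg.split(",")) if opt == "--state" else arg
            elif opt == "-j":
                target = arg
        rules.append((chain, match, target))
    return rules

def iface_match(pattern, iface):
    """A trailing '+' is iptables' prefix wildcard: eth+ matches eth0, eth1, ..."""
    return iface.startswith(pattern[:-1]) if pattern.endswith("+") else iface == pattern

def rule_matches(match, pkt):
    """pkt: dict with any of in, out, proto, dport, state; an absent key matches nothing."""
    for opt, want in match.items():
        have = pkt.get(PKT_KEY[opt])
        ok = (iface_match(want, have or "") if opt in ("-i", "-o")
              else have in want if opt == "--state" else str(have) == want)
        if not ok:
            return False
    return True

def first_match(rules, chain, pkt, policy="ACCEPT"):
    """(index, target) of the first rule in `chain` that fires, else (None, policy)."""
    for n, (c, match, target) in enumerate(rules):
        if c == chain and rule_matches(match, pkt):
            return n, target
    return None, policy
```

Rule indices are zero-based positions in the parsed list, so index 3 is the "-i eth+" rule and index 5 the REJECT.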
