Linux:iptables防火墙部署优化之连接转移(目的地地址转化)
文章目录
node1操作
检测ip情况
bash
#查看网卡的ip信息
[root@node1 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:33:49:40 brd ff:ff:ff:ff:ff:ff
altname enp3s0
altname ens160
inet 172.25.254.200/24 brd 172.25.254.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fe80::fa94:b632:5bd6:a146/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:33:49:4a brd ff:ff:ff:ff:ff:ff
altname enp19s0
altname ens224
inet 192.168.0.100/24 brd 192.168.0.255 scope global noprefixroute eth1
valid_lft forever preferred_lft forever
inet6 fe80::518f:2870:1a4c:178f/64 scope link noprefixroute
valid_lft forever preferred_lft forever关闭firewalld防火墙服务,并锁定该服务
bash
[root@node1 ~]# systemctl disable --now firewalld.service
Removed "/etc/systemd/system/multi-user.target.wants/firewalld.service".
Removed "/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service".
# 锁定firewalld服务
[root@node1 ~]# systemctl mask firewalld.service
Created symlink /etc/systemd/system/firewalld.service → /dev/null.开启iptables服务
bash
[root@node1 ~]# systemctl enable --now iptables.service
Created symlink /etc/systemd/system/multi-user.target.wants/iptables.service → /usr/lib/systemd/system/iptables.service.清空iptables的默认策略
bash
[root@node1 ~]# iptables -F
[root@node1 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination开启内核路由转发功能
bash
# 发现内核路由转发功能未开启
[root@node1 ~]# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 0
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
# 修改配置文件,开启内核路由转发功能
[root@node1 ~]# vim /etc/sysctl.conf
[root@node1 ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@node1 ~]# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0配置iptables的策略,实现连接转移(目的地地址转换)
bash
[root@server100 ~]# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-dest 192.168.0.200
[root@server100 ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT all -- anywhere anywhere to:192.168.0.200
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destinationnode2测试,是否可以登录转移
bash
ssh [email protected]
Warning: Permanently added '172.25.254.100' (ED25519) to the list of known hosts.
[email protected]'s password:
Activate the web console with: systemctl enable --now cockpit.socket
Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Last login: Thu May 16 20:09:18 2024 from 192.168.0.1
[root@node2 ~]#
[root@node2 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:8c:36:ce brd ff:ff:ff:ff:ff:ff
altname enp3s0
altname ens160
inet 192.168.0.200/24 brd 192.168.0.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fe80::261:1a18:738d:cacb/64 scope link noprefixroute
valid_lft forever preferred_lft forever这里原来是登录到node1主机,但是却登录到了node2主机