Linux: iptables firewall deployment and tuning, connection redirection (destination address translation)

Steps on node1

Check the IP configuration

# show the addresses of each network interface
[root@node1 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:33:49:40 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    altname ens160
    inet 172.25.254.200/24 brd 172.25.254.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::fa94:b632:5bd6:a146/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:33:49:4a brd ff:ff:ff:ff:ff:ff
    altname enp19s0
    altname ens224
    inet 192.168.0.100/24 brd 192.168.0.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::518f:2870:1a4c:178f/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

Stop and disable the firewalld service, then mask it so it cannot be started again

[root@node1 ~]# systemctl disable --now firewalld.service
Removed "/etc/systemd/system/multi-user.target.wants/firewalld.service".
Removed "/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service".

# mask firewalld: nothing (not even a package post-install script) can start it and take the netfilter tables back
[root@node1 ~]# systemctl mask firewalld.service
Created symlink /etc/systemd/system/firewalld.service → /dev/null.

Enable and start the iptables service

[root@node1 ~]# systemctl enable --now iptables.service
Created symlink /etc/systemd/system/multi-user.target.wants/iptables.service → /usr/lib/systemd/system/iptables.service.

Flush the default iptables rules (iptables -F only touches the filter table; the nat table used later is flushed separately with -t nat -F)

[root@node1 ~]# iptables -F
[root@node1 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Enable IP forwarding in the kernel

# forwarding is currently off, so packets destined for other hosts would be dropped instead of routed
[root@node1 ~]# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 0
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0

# add "net.ipv4.ip_forward = 1" to the config file, then reload it so the setting survives a reboot
[root@node1 ~]# vim /etc/sysctl.conf
[root@node1 ~]# sysctl -p
net.ipv4.ip_forward = 1

[root@node1 ~]# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0

Configure the iptables rule that redirects connections (destination NAT)

Read the rule carefully before copying it: it has no -p, --dport or -d match, so every packet that arrives on eth0 is rewritten to 192.168.0.200, including SSH to node1 itself (the test below shows exactly that). Outside a lab, scope the rule to the service you mean to forward, for example -p tcp --dport 22, so the firewall host itself stays reachable. Forwarded traffic still has to pass the filter table's FORWARD chain; it does here only because that chain's policy is ACCEPT. List the nat table with -t nat -nL so addresses are printed numerically instead of being resolved, and remember that rules added on the command line are not persisted by the iptables service until they are written to /etc/sysconfig/iptables (iptables-save).

[root@server100 ~]# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-dest 192.168.0.200

[root@server100 ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       all  --  anywhere             anywhere             to:192.168.0.200

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Test: does a login to node1 get redirected to node2?

ssh root@172.25.254.100
Warning: Permanently added '172.25.254.100' (ED25519) to the list of known hosts.
root@172.25.254.100's password:
Activate the web console with: systemctl enable --now cockpit.socket

Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Last login: Thu May 16 20:09:18 2024 from 192.168.0.1
[root@node2 ~]#
[root@node2 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:8c:36:ce brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    altname ens160
    inet 192.168.0.200/24 brd 192.168.0.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::261:1a18:738d:cacb/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

The SSH session was addressed to node1, but it landed on node2: the PREROUTING rule rewrote the destination before the routing decision, the kernel forwarded the packets out eth1 (ip_forward is on and the FORWARD policy is ACCEPT), and conntrack rewrote the source of the replies on the way back. That return path only works because node2 reaches the client's network through node1; a backend with a different default gateway would send its replies around the NAT, the handshake would never complete, and a POSTROUTING SNAT to node1's internal address would be needed instead. Note also that once this rule is in place, node1 can no longer be reached over eth0 at all, since SSH to its own address is redirected as well.
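The catch-all rule above is what hijacked the admin's own SSH session. The script below is an added example, not part of the original post: it prints a DNAT rule set scoped to a single TCP port together with the matching FORWARD rules and an optional SNAT for backends that do not route replies through node1, and it audits iptables-save output for DNAT rules that lack a --dport match. The interface names and addresses are assumptions taken from the ip a output above, and the iptables-save excerpt is constructed to mirror the post's rule.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. The lab values below are
# assumptions taken from the post's "ip a" output; change them for your hosts.
set -eu

EXT_IF=eth0               # node1 interface facing the clients
EXT_IP=172.25.254.200     # node1 address on that interface
INT_IF=eth1               # node1 interface facing the backend
INT_IP=192.168.0.100      # node1 address on the internal network
BACKEND=192.168.0.200     # node2, the host that should receive the traffic

# Print the rules that forward one TCP port to the backend. The DNAT rule is
# scoped with -d, -p and --dport, so other traffic to node1 (the admin's own
# SSH session, for example) is left alone. Printing instead of executing makes
# the function a dry run; pipe the output into "sh" as root to apply it.
# Usage: dnat_rules PORT [BACKEND_PORT] [snat]
dnat_rules() {
    local port=$1 backend_port=${2:-$1} snat=${3:-no}
    cat <<EOF
iptables -t nat -A PREROUTING -i $EXT_IF -d $EXT_IP -p tcp --dport $port -j DNAT --to-destination $BACKEND:$backend_port
iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $BACKEND -p tcp --dport $backend_port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $BACKEND -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # Only needed when the backend does not route replies back through node1.
    # It hides the real client address from the backend, so prefer fixing the
    # backend's route and leave this out when you can.
    if [ "$snat" = snat ]; then
        echo "iptables -t nat -A POSTROUTING -o $INT_IF -d $BACKEND -p tcp --dport $backend_port -j SNAT --to-source $INT_IP"
    fi
}

# Audit: read iptables-save output on stdin and print every DNAT rule that has
# no --dport, i.e. a rule that redirects all traffic arriving on an interface.
# Returns 1 when such a rule exists so it can gate a deployment script.
unscoped_dnat() {
    local line found=0
    while IFS= read -r line; do
        case "$line" in
            *"-j DNAT"*)
                case "$line" in
                    *"--dport "*) ;;
                    *) printf '%s\n' "$line"; found=1 ;;
                esac
                ;;
        esac
    done
    [ "$found" -eq 0 ]
}

# Constructed iptables-save excerpt: the post's catch-all rule next to a scoped one.
SAMPLE_NAT_TABLE='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -j DNAT --to-destination 192.168.0.200
-A PREROUTING -i eth0 -d 172.25.254.200/32 -p tcp -m tcp --dport 8022 -j DNAT --to-destination 192.168.0.200:22
COMMIT'

# Show the rules for 8022 -> node2:22, then audit the sample table.
# On a live system: iptables-save | unscoped_dnat
dnat_rules 8022 22
if ! printf '%s\n' "$SAMPLE_NAT_TABLE" | unscoped_dnat; then
    echo "warning: the DNAT rule(s) above redirect every packet on the interface" >&2
fi
```

Forwarding to port 8022 rather than 22 keeps node1's own SSH reachable on its external address while still exposing node2; the audit function is meant to run before rules are saved, so a catch-all rule like the one in the post never reaches /etc/sysconfig/iptables.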
