Linux:iptables防火墙部署优化之连接转移(目的地地址转化)

Linux:iptables防火墙部署优化之连接转移(目的地地址转化)

文章目录

node1操作

检测ip情况

bash 复制代码
#查看网卡的ip信息
[root@node1 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:33:49:40 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    altname ens160
    inet 172.25.254.200/24 brd 172.25.254.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::fa94:b632:5bd6:a146/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:33:49:4a brd ff:ff:ff:ff:ff:ff
    altname enp19s0
    altname ens224
    inet 192.168.0.100/24 brd 192.168.0.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::518f:2870:1a4c:178f/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

关闭firewalld防火墙服务,并锁定该服务

bash 复制代码
[root@node1 ~]# systemctl disable --now firewalld.service
Removed "/etc/systemd/system/multi-user.target.wants/firewalld.service".
Removed "/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service".

# 锁定firewalld服务
[root@node1 ~]# systemctl mask firewalld.service
Created symlink /etc/systemd/system/firewalld.service → /dev/null.

开启iptables服务

bash 复制代码
[root@node1 ~]# systemctl enable --now iptables.service
Created symlink /etc/systemd/system/multi-user.target.wants/iptables.service → /usr/lib/systemd/system/iptables.service.

清空iptables的默认策略

bash 复制代码
[root@node1 ~]# iptables -F
[root@node1 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

开启内核路由转发功能

bash 复制代码
# 发现内核路由转发功能未开启
[root@node1 ~]# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 0
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0

# 修改配置文件,开启内核路由转发功能
[root@node1 ~]# vim /etc/sysctl.conf
[root@node1 ~]# sysctl -p
net.ipv4.ip_forward = 1

[root@node1 ~]# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0

配置iptables的策略,实现连接转移(目的地地址转换)

bash 复制代码
[root@server100 ~]# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-dest 192.168.0.200

[root@server100 ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       all  --  anywhere             anywhere             to:192.168.0.200

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

node2测试,是否可以登录转移

bash 复制代码
ssh root@172.25.254.100
Warning: Permanently added '172.25.254.100' (ED25519) to the list of known hosts.
root@172.25.254.100's password:
Activate the web console with: systemctl enable --now cockpit.socket

Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Last login: Thu May 16 20:09:18 2024 from 192.168.0.1
[root@node2 ~]#
[root@node2 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:8c:36:ce brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    altname ens160
    inet 192.168.0.200/24 brd 192.168.0.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::261:1a18:738d:cacb/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

这里原来是登录到node1主机,但是却登录到了node2主机

相关推荐
YCY^v^42 分钟前
centos 7 开启80,443端口,怎么弄?
linux·运维·centos
北南京海44 分钟前
[Linux]进程地址空间
linux·运维·服务器
yzx9910132 小时前
服务器生成图片
运维·服务器
db_murphy3 小时前
Oracle数据块8KB、OS默认认块管理4KB,是否需调整大小为一致?
linux
liulilittle4 小时前
C++ TAP(基于任务的异步编程模式)
服务器·开发语言·网络·c++·分布式·任务·tap
小阳睡不醒6 小时前
小白成长之路-部署Zabbix7(二)
android·运维
mCell6 小时前
从删库到跑路?这50个Linux命令能保你职业生涯
linux·windows·macos
杰克逊的日记6 小时前
GPU运维常见问题处理
linux·运维·gpu
caolib6 小时前
无需云服务器的内网穿透方案 -- cloudflare tunnel
运维·服务器·内网穿透·tunnel·cloudflared
奇舞精选6 小时前
k8s基本概念初探
运维