Linux:iptables防火墙部署优化之路由转发(地址伪装)

Linux:iptables防火墙部署优化之路由转发(地址伪装)

文章目录

准备工作:

​ 1.已知node2的主机名称为node2.timinglee.org其ip为192.168.0.200

2.已知node1的主机名为node1.timinglee.org,此主机为双网卡主机其IP为172.25.254.200和192.168.0.100,请在此主机中配置策略可以使node2主机访问外网

node1主机操作

检测ip情况

bash 复制代码
#查看网卡的ip信息
[root@node1 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:33:49:40 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    altname ens160
    inet 172.25.254.200/24 brd 172.25.254.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::fa94:b632:5bd6:a146/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:33:49:4a brd ff:ff:ff:ff:ff:ff
    altname enp19s0
    altname ens224
    inet 192.168.0.100/24 brd 192.168.0.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::518f:2870:1a4c:178f/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

关闭firewalld防火墙服务,并锁定该服务

bash 复制代码
[root@node1 ~]# systemctl disable --now firewalld.service
Removed "/etc/systemd/system/multi-user.target.wants/firewalld.service".
Removed "/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service".

# 锁定firewalld服务
[root@node1 ~]# systemctl mask firewalld.service
Created symlink /etc/systemd/system/firewalld.service → /dev/null.

开启iptables服务

bash 复制代码
[root@node1 ~]# systemctl enable --now iptables.service
Created symlink /etc/systemd/system/multi-user.target.wants/iptables.service → /usr/lib/systemd/system/iptables.service.

清空iptables的默认策略

bash 复制代码
[root@node1 ~]# iptables -F
[root@node1 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

开启内核路由转发功能

bash 复制代码
# 发现内核路由转发功能未开启
[root@node1 ~]# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 0
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0

# 修改配置文件,开启内核路由转发功能
[root@node1 ~]# vim /etc/sysctl.conf
[root@node1 ~]# sysctl -p
net.ipv4.ip_forward = 1

[root@node1 ~]# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0

配置iptables的策略,实现地址伪装(路由转化),从而使得node2主机可以访问外网

bash 复制代码
[root@node1 ~]# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.25.254.200

[root@node1 ~]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  0.0.0.0/0            0.0.0.0/0            to:172.25.254.200

永久保存策略

bash 复制代码
[root@node1 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]

node2主机操作

检测ip情况

bash 复制代码
#查看网卡的ip信息
[root@node2 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:8c:36:ce brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    altname ens160
    inet 192.168.0.200/24 brd 192.168.0.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::fecd:4c84:736e:eae/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

修改node2的网关以及dns

bash 复制代码
[root@node2 ~]# vim /etc/NetworkManager/system-connections/eth0.nmconnection
[ipv4]
address1=192.168.0.200/24,192.168.0.100
dns=114.114.114.114;
method=manual

重启网卡配置文件

bash 复制代码
[root@node2 ~]# nmcli connection reload
[root@node2 ~]# nmcli connection up eth0
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)

查看是否修改成功

bash 复制代码
[root@node2 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search timinglee.org
nameserver 114.114.114.114
[root@node2 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.100   0.0.0.0         UG    100    0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 eth0

测试看是否可以访问外网,测试成功

bash 复制代码
[root@node2 ~]# ping www.baidu.com
PING www.a.shifen.com (110.242.68.3) 56(84) bytes of data.
64 bytes from 110.242.68.3 (110.242.68.3): icmp_seq=1 ttl=127 time=54.3 ms
64 bytes from 110.242.68.3 (110.242.68.3): icmp_seq=2 ttl=127 time=65.6 ms
64 bytes from 110.242.68.3 (110.242.68.3): icmp_seq=3 ttl=127 time=49.2 ms
^C64 bytes from 110.242.68.3: icmp_seq=4 ttl=127 time=99.9 ms

--- www.a.shifen.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 30198ms
rtt min/avg/max/mdev = 49.160/67.248/99.925/19.780 ms
相关推荐
JunLan~2 小时前
Rocky Linux 系统安装/部署 Docker
linux·docker·容器
麻瓜也要学魔法2 小时前
链路状态路由协议-OSPF
网络
方竞3 小时前
Linux空口抓包方法
linux·空口抓包
Estar.Lee3 小时前
查手机号归属地免费API接口教程
android·网络·后端·网络协议·tcp/ip·oneapi
傻啦嘿哟3 小时前
代理IP在后端开发中的应用与后端工程师的角色
网络·网络协议·tcp/ip
sun0077003 小时前
ubuntu dpkg 删除安装包
运维·服务器·ubuntu
Red Red4 小时前
网安基础知识|IDS入侵检测系统|IPS入侵防御系统|堡垒机|VPN|EDR|CC防御|云安全-VDC/VPC|安全服务
网络·笔记·学习·安全·web安全
海岛日记4 小时前
centos一键卸载docker脚本
linux·docker·centos
oi774 小时前
使用itextpdf进行pdf模版填充中文文本时部分字不显示问题
java·服务器