# A record of configuring port forwarding so a client host can reach a KVM virtual machine running inside a Linux server.
Have you ever run into this access problem?
You have a laptop A and a second machine B. You installed a Linux server OS on B and created a KVM virtual machine C inside it.
Now A needs to use some services on C, but A can only reach B. B can reach C, and C can reach the Internet and A's address, because C sits on libvirt's default network (virbr0, 192.168.122.0/24), which B NATs out through its own NIC. Nothing on A's side has a route into that private subnet, so A cannot reach C directly.
The solution is to have B's firewall forward connections that arrive on a port of B to C (DNAT).
Server version used: CentOS 7
1. Check kernel IP forwarding on CentOS:
net.ipv4.ip_forward must be 1 (1 = enabled, 0 = disabled); without it B will not route packets between eth0 and virbr0.
[root@localhost ~]# sysctl -a | grep "ip_forward"
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.eth0.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
sysctl: reading key "net.ipv6.conf.virbr0.stable_secret"
sysctl: reading key "net.ipv6.conf.virbr0-nic.stable_secret"
sysctl: reading key "net.ipv6.conf.vnet0.stable_secret"
The "sysctl: reading key ... stable_secret" lines are harmless stderr noise from sysctl -a (sysctl -n net.ipv4.ip_forward prints just the value). Here the setting is already 1, but to make it survive a reboot add net.ipv4.ip_forward = 1 to /etc/sysctl.conf (or, as the file's own header suggests, to a file under /etc/sysctl.d/) and reload with sysctl -p:
[root@localhost ~]# cat /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.ip_forward = 1
[root@localhost ~]# sysctl -p
net.ipv4.ip_forward = 1
2. Check the iptables firewall status:
[root@localhost ~]# systemctl status iptables.service
Unit iptables.service could not be found.
[root@localhost ~]# systemctl status iptables
Unit iptables.service could not be found.
#The unit does not exist: CentOS 7 ships firewalld as its default firewall, so the iptables-services package has to be installed with yum. Note that firewalld and iptables.service must not both be active on B, since they overwrite each other's rules; stop and disable firewalld on B before starting iptables.service.
[root@localhost ~]# yum makecache
Loaded plugins: fastestmirror, langpacks
base | 3.6 kB 00:00:00
extras | 2.9 kB 00:00:00
updates | 2.9 kB 00:00:00
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
Metadata Cache Created
[root@localhost ~]# yum install iptables-services -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
Resolving Dependencies
--> Running transaction check
---> Package iptables-services.x86_64 0:1.4.21-35.el7 will be installed
--> Processing Dependency: iptables = 1.4.21-35.el7 for package: iptables-services-1.4.21-35.el7.x86_64
--> Running transaction check
---> Package iptables.x86_64 0:1.4.21-18.0.1.el7.centos will be updated
---> Package iptables.x86_64 0:1.4.21-35.el7 will be an update
--> Finished Dependency Resolution
Dependencies Resolved
========================================================================================================================
 Package                    Arch         Version               Repository     Size
========================================================================================================================
Installing:
 iptables-services          x86_64       1.4.21-35.el7         base           52 k
Updating for dependencies:
 iptables                   x86_64       1.4.21-35.el7         base           432 k
Transaction Summary
========================================================================================================================
Install  1 Package
Upgrade             ( 1 Dependent package)
Total download size: 485 k
Downloading packages:
No Presto metadata available for base
(1/2): iptables-services-1.4.21-35.el7.x86_64.rpm | 52 kB 00:00:00
(2/2): iptables-1.4.21-35.el7.x86_64.rpm | 432 kB 00:00:06
------------------------------------------------------------------------------------------------------------------------
Total 76 kB/s | 485 kB 00:00:06
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Updating : iptables-1.4.21-35.el7.x86_64 1/3
Installing : iptables-services-1.4.21-35.el7.x86_64 2/3
Cleanup : iptables-1.4.21-18.0.1.el7.centos.x86_64 3/3
Verifying : iptables-services-1.4.21-35.el7.x86_64 1/3
Verifying : iptables-1.4.21-35.el7.x86_64 2/3
Verifying : iptables-1.4.21-18.0.1.el7.centos.x86_64 3/3
Installed:
iptables-services.x86_64 0:1.4.21-35.el7
Dependency Updated:
iptables.x86_64 0:1.4.21-35.el7
Complete!
[root@localhost ~]# systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Start the service and check its status (it is still "disabled", i.e. not started at boot; run systemctl enable iptables.service if the rules should come back after a reboot):
[root@localhost ~]# systemctl start iptables.service
[root@localhost ~]# systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
Active: active (exited) since Fri 2022-05-06 13:04:24 CST; 1s ago
Process: 6198 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
Main PID: 6198 (code=exited, status=0/SUCCESS)
May 06 13:04:24 localhost.localdomain systemd[1]: Starting IPv4 firewall with iptables...
May 06 13:04:24 localhost.localdomain iptables.init[6198]: iptables: Applying firewall rules: [ OK ]
May 06 13:04:24 localhost.localdomain systemd[1]: Started IPv4 firewall with iptables.
3. List the rules in the iptables nat table (nothing there yet; the rules are added below):
[root@localhost ~]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Add a DNAT rule to nat/PREROUTING. Connections arriving on B's eth0 for TCP port 31447 get their destination rewritten to C's 192.168.122.10:1521. As written, the rule matches any source address (0.0.0.0/0 in the listing below), so every host that can reach B's eth0 can reach C's database port; add -s with A's address to limit it to the one client that needs it:
[root@localhost ~]# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 31447 -j DNAT --to 192.168.122.10:1521
[root@localhost ~]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:31447 to:192.168.122.10:1521
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Also add an SNAT rule to nat/POSTROUTING. It rewrites the source address of traffic leaving the guest subnet 192.168.122.0/24 to B's own address 192.168.0.200 (libvirt's default network already masquerades that traffic, so this is essentially a static replacement for it). It is not what returns C's replies to A: conntrack reverses the DNAT on the reply packets, and C sees A's real address, as the netstat output in step 4 shows:
[root@localhost ~]# iptables -t nat -A POSTROUTING -s 192.168.122.0/24 -j SNAT --to-source 192.168.0.200
[root@localhost ~]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:31447 to:192.168.122.10:1521
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 192.168.122.0/24 0.0.0.0/0 to:192.168.0.200
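The whole B-side procedure (steps 1 to 3) as one re-runnable script, added here as an example; it is not code from the original post. It makes two changes the post does not: the DNAT rule accepts connections only from the client A (its address 192.168.0.198 is taken from the netstat output in step 4), and explicit FORWARD accepts are inserted at the head of the chain so the forward keeps working when the FORWARD chain ends in a catch-all REJECT, as the stock /etc/sysconfig/iptables installed by iptables-services does. It assumes B's outside interface is eth0 with address 192.168.0.200 and that the guest network is libvirt's default 192.168.122.0/24; the sysctl.d file name is the script's own choice. With APPLY=1 (as root) it changes the system, otherwise it only prints the commands it would run:

```shell
#!/bin/sh
# Added example, not code from the original post: the B-side procedure from
# steps 1-3 as one re-runnable script, with two changes the post does not make.
# (1) The DNAT rule accepts connections only from the client A (192.168.0.198,
#     taken from the netstat output in step 4) instead of from any source.
# (2) Explicit FORWARD accepts are inserted at the head of the chain, so the
#     forward still works when FORWARD ends in a catch-all REJECT (as the stock
#     /etc/sysconfig/iptables from iptables-services does).
# Assumptions: B's outside interface is eth0 with address 192.168.0.200, the
# guest network is libvirt's default 192.168.122.0/24, and the sysctl.d file
# name is this script's own choice.
# Run with APPLY=1 as root to change the system; any other value (the default)
# only prints the commands it would run.

WAN_IF="${WAN_IF:-eth0}"                    # B's interface facing A
HOST_IP="${HOST_IP:-192.168.0.200}"         # B's address on that interface
GUEST_NET="${GUEST_NET:-192.168.122.0/24}"  # libvirt default network (virbr0)
SYSCTL_FILE="${SYSCTL_FILE:-/etc/sysctl.d/99-kvm-forward.conf}"
APPLY="${APPLY:-0}"

# Execute a command, or print it when not applying.
run() {
    if [ "$APPLY" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Insert a rule at the head of a chain unless an identical rule already exists
# (iptables -C), so re-running the script never duplicates rules. Inserting
# rather than appending keeps the rule ahead of any catch-all REJECT.
add_rule() {
    table="$1"; chain="$2"; shift 2
    if [ "$APPLY" = "1" ] && iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    run iptables -t "$table" -I "$chain" "$@"
}

# Step 1: routing between eth0 and virbr0 needs ip_forward, now and after reboot.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
    if [ "$APPLY" = "1" ]; then
        printf 'net.ipv4.ip_forward = 1\n' > "$SYSCTL_FILE"
    else
        printf 'write "net.ipv4.ip_forward = 1" to %s\n' "$SYSCTL_FILE"
    fi
}

# Step 3a: forward_port CLIENT HOST_PORT GUEST_IP GUEST_PORT
forward_port() {
    client="$1"; hport="$2"; gip="$3"; gport="$4"
    # nat/PREROUTING: rewrite the destination, but only for the allowed client.
    add_rule nat PREROUTING -i "$WAN_IF" -s "$client" -p tcp --dport "$hport" \
        -j DNAT --to-destination "$gip:$gport"
    # filter/FORWARD: the DNATed packets are routed through B, so they must pass
    # FORWARD in both directions; conntrack ties the replies to the connection.
    add_rule filter FORWARD -i "$WAN_IF" -s "$client" -d "$gip" -p tcp --dport "$gport" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    add_rule filter FORWARD -o "$WAN_IF" -s "$gip" -d "$client" -p tcp --sport "$gport" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Step 3b: the post's SNAT, narrowed to traffic that actually leaves through
# eth0. It does not carry replies back to A (conntrack un-DNATs those); it only
# gives guest-initiated connections B's address as their source.
guest_snat() {
    add_rule nat POSTROUTING -s "$GUEST_NET" ! -d "$GUEST_NET" -o "$WAN_IF" \
        -j SNAT --to-source "$HOST_IP"
}

# Persist: write the running rules to /etc/sysconfig/iptables and start the
# service at boot (the post leaves it "disabled", so its rules would be lost).
persist() {
    run service iptables save
    run systemctl enable iptables
}

main() {
    enable_forwarding
    forward_port 192.168.0.198 31447 192.168.122.10 1521
    guest_snat
    persist
}

main
```

Saved as, say, forward.sh, run it once with sh forward.sh to see the plan, then APPLY=1 sh forward.sh as root. Because every rule goes through iptables -C before -I, running it twice leaves exactly one copy of each rule.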
With that, B's forwarding rules are in place, but only in the running kernel: run service iptables save to write them to /etc/sysconfig/iptables so that iptables.service restores them on its next start. Also check iptables -L FORWARD -n -v: the forwarded packets are routed through B, so if the FORWARD chain ends in a catch-all REJECT (the stock /etc/sysconfig/iptables from iptables-services does) they need an explicit ACCEPT inserted ahead of it. Now move into the VM C and open the matching service and port. The mapping I configured on B is B:31447 to C:1521, which is obviously the database listener port, so open C's port 1521 in firewalld to allow database access:
[root@localhost ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@localhost ~]# firewall-cmd --add-port=1521/tcp
success
[root@localhost ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports: 1521/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
C's port 1521 is now open. Note that firewall-cmd --add-port without --permanent only changes the runtime configuration; repeat it with --permanent (followed by firewall-cmd --reload) to keep the port open after firewalld restarts.
4. Connect to the database on C with a client tool:
I won't include screenshots here. In the client on A, set the target address to B's IP address and the target port to B's mapped port, 31447. Note that this is not 1521: port 1521 on C is reached through B's port 31447. After connecting, check the local network ports on C:
[oracle@localhost ~]$ netstat -anptu | grep 1521
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:38026 127.0.0.1:1521 ESTABLISHED 8033/ora_lreg_orcl
tcp6 0 0 :::1521 :::* LISTEN 8345/tnslsnr
tcp6 0 0 127.0.0.1:1521 127.0.0.1:38026 ESTABLISHED 8345/tnslsnr
tcp6 0 0 192.168.122.10:1521 192.168.0.198:55992 ESTABLISHED 8655/oracleorcl
#The last line shows a connection from 192.168.0.198, which is my laptop's address: A has reached the service on C. C sees A's real source address rather than B's, because the SNAT rule only applies to traffic originating on the 192.168.122.0/24 side.
You can set up whatever port mappings you need in the same way. Forwarding single ports keeps everything else on C unreachable from A's network, but the forwarded port itself is only as safe as the service behind it and the source restriction on the DNAT rule, so keep the listener patched and restrict the rule to the hosts that actually need it.
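A check for that last point, added here as an example (not from the original post): it lists the DNAT rules in the nat table that carry no -s source match, which is exactly the exposure the rule in step 3 has. It reads rules in the one-per-line form that iptables -t nat -S prints. The SAMPLE_RULES listing is constructed, with the post's own rule and a source-restricted variant side by side, so the script runs without root; pass the argument live to audit the running system instead:

```shell
#!/bin/sh
# Added example, not from the original post: list the port forwards in the nat
# table that any host can use, i.e. DNAT rules without an -s (source) match.
# Input is one rule per line as `iptables -t nat -S` prints it. SAMPLE_RULES is
# constructed: the first DNAT is the post's rule, the second is a
# source-restricted variant (iptables -S prints a single address as /32).

SAMPLE_RULES='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 31447 -j DNAT --to-destination 192.168.122.10:1521
-A PREROUTING -i eth0 -s 192.168.0.198/32 -p tcp -m tcp --dport 31422 -j DNAT --to-destination 192.168.122.10:22
-A POSTROUTING -s 192.168.122.0/24 -j SNAT --to-source 192.168.0.200'

# Read rules on stdin; print every DNAT rule that lacks a source match.
open_dnat_rules() {
    while IFS= read -r rule; do
        case "$rule" in
            *" -j DNAT "*)
                case "$rule" in
                    *" -s "*) ;;                    # restricted to a source: fine
                    *) printf '%s\n' "$rule" ;;     # reachable from anywhere
                esac ;;
        esac
    done
}

# Number of unrestricted forwards in a rule listing given on stdin.
count_open() { open_dnat_rules | wc -l | tr -d ' '; }

# With no argument, audit the constructed sample; with "live", the running system.
if [ "${1:-}" = "live" ]; then
    iptables -t nat -S | open_dnat_rules
else
    printf '%s\n' "$SAMPLE_RULES" | open_dnat_rules
fi
```

On the sample it prints only the post's 31447 rule; anything it prints on a live system is a forward worth re-checking against the list of clients that are supposed to use it.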