1.已知node2的主机名称为node2.timinglee.org,其ip为192.168.0.200,这台主机中只允许sshd和nginx两个服务可以被访问
2.已知node1的主机名为node1.timinglee.org,此主机为双网卡主机,其IP为172.25.254.200和192.168.0.100(注意:下面的实际配置与测试中,node1的外网地址均为172.25.254.100),请在此主机中配置策略使node2主机可以访问外网
主机一:node1
[root@server1 ~]# hostnamectl hostname node1.timinglee.org
[root@node1 ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.25.254.100 netmask 255.255.255.0 broadcast 172.25.254.255
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.100 netmask 255.255.255.0 broadcast 192.168.0.255
[root@node1 ~]# vim /etc/NetworkManager/system-connections/eth0.nmconnection
[connection]
id=eth0
uuid=131e87fa-8bcb-431b-994c-fa1fefa05f9e
type=ethernet
interface-name=eth0
[ethernet]
mac-address=00:0C:29:6F:65:C5
[ipv4]
address1=172.25.254.100/24,172.25.254.2
dns=114.114.114.114;
method=manual
[ipv6]
addr-gen-mode=stable-privacy
method=auto
[proxy]
[root@node1 ~]# dnf install iptables-services -y
[root@node1 ~]# systemctl disable --now firewalld.service
Removed "/etc/systemd/system/multi-user.target.wants/firewalld.service".
Removed "/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service"
[root@node1 ~]# systemctl mask firewalld.service
Created symlink /etc/systemd/system/firewalld.service → /dev/null.
[root@node1 ~]# systemctl enable --now iptables.service
Created symlink /etc/systemd/system/multi-user.target.wants/iptables.service → /usr/lib/systemd/system/iptables.service.
[root@node1 ~]# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 0
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
[root@node1 ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward=1
[root@node1 ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@node1 ~]# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.25.254.100
[root@node1 ~]# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-dest 192.168.0.200
[root@node1 ~]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT all -- 0.0.0.0/0 0.0.0.0/0 to:192.168.0.200
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 0.0.0.0/0 0.0.0.0/0 to:172.25.254.100
主机二:node2
[root@server2 ~]# hostnamectl hostname node2.timinglee.org
[root@node2 ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.200 netmask 255.255.255.0 broadcast 192.168.0.255
[root@node2 ~]# vim /etc/NetworkManager/system-connections/eth0.nmconnection
[connection]
id=eth0
uuid=93b1a959-7482-4616-a966-676b4d5ef093
type=ethernet
interface-name=eth0
[ethernet]
mac-address=00:0C:29:6C:07:11
[ipv4]
address1=192.168.0.200/24,192.168.0.100
dns=114.114.114.114
method=manual
[ipv6]
addr-gen-mode=stable-privacy
method=auto
[proxy]
[root@node2 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search timinglee.org
nameserver 114.114.114.114
[root@node2 ~]# dnf install iptables-services -y
[root@node2 ~]# systemctl disable --now firewalld.service
Removed "/etc/systemd/system/multi-user.target.wants/firewalld.service".
Removed "/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service".
[root@node2 ~]# systemctl mask firewalld.service
Created symlink /etc/systemd/system/firewalld.service → /dev/null.
[root@node2 ~]# systemctl enable --now iptables.service
Created symlink /etc/systemd/system/multi-user.target.wants/iptables.service → /usr/lib/systemd/system/iptables.service.
[root@node2 ~]# iptables -F
[root@node2 ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@node2 ~]# iptables -A INPUT -m state --state NEW -i lo -j ACCEPT
[root@node2 ~]# iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
[root@node2 ~]# iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
[root@node2 ~]# iptables -A INPUT -j REJECT
[root@node2 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
测试:
node2:
[root@node2 ~]# ping www.baidu.com
PING www.a.shifen.com (183.2.172.185) 56(84) 比特的数据。
64 比特,来自 183.2.172.185 (183.2.172.185): icmp_seq=1 ttl=127 时间=40.5 毫秒
外网:
C:\Users\lenovo>ssh -l root 172.25.254.100 使用外网主机ssh远程登录(由于node1上PREROUTING链的DNAT规则未限定协议和端口,从eth0进入的所有连接都会被转发到192.168.0.200,因此这里登录到的是node2而不是node1;这也意味着node1本身在172.25.254.100上不再可以被直接访问)
[root@node2 ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.200 netmask 255.255.255.0 broadcast 192.168.0.255
[root@node2 ~]# exit
注销
Connection to 172.25.254.100 closed.
C:\Users\lenovo>