iptables——文本配置

1.已知node2的主机名称为node2.timinglee.org,其ip为192.168.0.200,这台主机中只允许sshd和nginx两个服务可以被访问
2.已知node1的主机名为node1.timinglee.org,此主机为双网卡主机其IP为172.25.254.200,和192.168.0.100,请在此主机中配置策略可以使node2主机访问外网

主机一:node1
[root@server1 ~]# hostnamectl hostname node1.timinglee.org
[root@node1 ~]# ifconfig 
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.25.254.100  netmask 255.255.255.0  broadcast 172.25.254.255
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.100  netmask 255.255.255.0  broadcast 192.168.0.255

[root@node1 ~]# vim /etc/NetworkManager/system-connections/eth0.nmconnection
[connection]
id=eth0
uuid=131e87fa-8bcb-431b-994c-fa1fefa05f9e
type=ethernet
interface-name=eth0

[ethernet]
mac-address=00:0C:29:6F:65:C5

[ipv4]
address1=172.25.254.100/24,172.25.254.2
dns=114.114.114.114;
method=manual

[ipv6]
addr-gen-mode=stable-privacy
method=auto

[proxy]

[root@node1 ~]# dnf install iptables-services -y
[root@node1 ~]# systemctl disable --now firewalld.service 
Removed "/etc/systemd/system/multi-user.target.wants/firewalld.service".
Removed "/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service"
[root@node1 ~]# systemctl mask firewalld.service 
Created symlink /etc/systemd/system/firewalld.service → /dev/null.
[root@node1 ~]# systemctl enable --now iptables.service 
Created symlink /etc/systemd/system/multi-user.target.wants/iptables.service → /usr/lib/systemd/system/iptables.service.


[root@node1 ~]# sysctl  -a | grep ip_forward
net.ipv4.ip_forward = 0
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
[root@node1 ~]# vim /etc/sysctl.conf 
net.ipv4.ip_forward=1
[root@node1 ~]# sysctl -p
net.ipv4.ip_forward = 1

[root@node1 ~]# iptables -t nat -A POSTROUTING -o eth0 -j SNAT  --to-source 172.25.254.100
[root@node1 ~]# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-dest 192.168.0.200
[root@node1 ~]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       all  --  0.0.0.0/0            0.0.0.0/0            to:192.168.0.200

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  0.0.0.0/0            0.0.0.0/0            to:172.25.254.100


主机二:node2
[root@server2 ~]# hostnamectl hostname node2.timinglee.org
[root@node2 ~]# ifconfig 
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.200  netmask 255.255.255.0  broadcast 192.168.0.255

[root@node2 ~]# vim /etc/NetworkManager/system-connections/eth0.nmconnection
[connection]
id=eth0
uuid=93b1a959-7482-4616-a966-676b4d5ef093
type=ethernet
interface-name=eth0

[ethernet]
mac-address=00:0C:29:6C:07:11

[ipv4]
address1=192.168.0.200/24,192.168.0.100
dns=114.114.114.114
method=manual

[ipv6]
addr-gen-mode=stable-privacy
method=auto

[proxy]

[root@node2 ~]# cat /etc/resolv.conf 
# Generated by NetworkManager
search timinglee.org
nameserver 114.114.114.114

[root@node2 ~]# dnf install iptables-services -y
[root@node2 ~]# systemctl disable --now firewalld.service 
Removed "/etc/systemd/system/multi-user.target.wants/firewalld.service".
Removed "/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service".
[root@node2 ~]# systemctl mask firewalld.service 
Created symlink /etc/systemd/system/firewalld.service → /dev/null.
[root@node2 ~]# systemctl enable --now iptables.service 
Created symlink /etc/systemd/system/multi-user.target.wants/iptables.service → /usr/lib/systemd/system/iptables.service.

[root@node2 ~]# iptables -F
[root@node2 ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@node2 ~]# iptables -A INPUT -m state --state NEW -i lo -j ACCEPT 
[root@node2 ~]# iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT 
[root@node2 ~]# iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
[root@node2 ~]# iptables -A INPUT -j REJECT
[root@node2 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

测试:
node2:
[root@node2 ~]# ping www.baidu.com
PING www.a.shifen.com (183.2.172.185) 56(84) 比特的数据。
64 比特,来自 183.2.172.185 (183.2.172.185): icmp_seq=1 ttl=127 时间=40.5 毫秒
 
外网:
C:\Users\lenovo>ssh -l root 172.25.254.100             使用外网主机ssh远程登录(node1上的DNAT规则未限制协议和端口,进入eth0的所有连接都被转到192.168.0.200,因此这里登录到的是node2而不是node1)
[root@node2 ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.200  netmask 255.255.255.0  broadcast 192.168.0.255

[root@node2 ~]# exit
注销
Connection to 172.25.254.100 closed.

C:\Users\lenovo>
