【9.26】日常运维——iptables 的应用
10.16/10.17/10.18 iptables nat表应用
-
需求:
A:两块网卡,一块可以上外网,一块用内网
B:只有一块内网网卡
让B机器可以连外网 -
给A机器增加一块网卡
虚拟机设置——>添加——>添加网络适配器——>默认——>在LAN区段中,新建一个自定义区段名称——>选择该区段
-
B 机器添加网卡,断开原先的网卡连接
-
同A机器添加一块网卡,选择LAN区段,选择内网交换机
A 和 B,两台机器选择同一个区段,同一个交换机
A 机器可以继续使用远程连接,而 B 机器因为已经禁掉了原先的网卡,只能直接在虚拟机控制台上操作
- A 机器:
[root@arslinux-01 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.194.130 netmask 255.255.255.0 broadcast 192.168.194.255
inet6 fe80::c905:5e78:b916:41da prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:24:ea:f2 txqueuelen 1000 (Ethernet)
RX packets 102 bytes 11545 (11.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 115 bytes 15471 (15.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.194.150 netmask 255.255.255.0 broadcast 192.168.194.255
ether 00:0c:29:24:ea:f2 txqueuelen 1000 (Ethernet)
ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether 00:0c:29:24:ea:fc txqueuelen 1000 (Ethernet)
RX packets 23 bytes 7866 (7.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 64 bytes 10952 (10.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens37 为新增的网卡
ifconfig ens37 192.168.100.1/24 可以在命令行手动设置 IP,但重启后会失效
直接添加配置文件可以永久生效
- 为 ens37 添加 IP
[root@arslinux-01 ~]# cd /etc/sysconfig/network-scripts/
[root@arslinux-01 network-scripts]# cp ifcfg-ens33 ifcfg-ens37
[root@arslinux-01 network-scripts]# vim ifcfg-ens37
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens37
DEVICE=ens37
ONBOOT=yes
IPADDR=192.168.100.1
NETMASK=255.255.255.0
:wq
只需要设置 IP 和子网掩码,并删掉从 ifcfg-ens33 复制过来的 UUID 和 MAC 地址(HWADDR)行
- 重启网络,可以看到 ens37 已经设置成功
[root@arslinux-01 network-scripts]# systemctl restart network
[root@arslinux-01 network-scripts]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.194.130 netmask 255.255.255.0 broadcast 192.168.194.255
inet6 fe80::c905:5e78:b916:41da prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:24:ea:f2 txqueuelen 1000 (Ethernet)
RX packets 678 bytes 62503 (61.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 506 bytes 86900 (84.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.194.150 netmask 255.255.255.0 broadcast 192.168.194.255
ether 00:0c:29:24:ea:f2 txqueuelen 1000 (Ethernet)
ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.100.1 netmask 255.255.255.0 broadcast 192.168.100.255
inet6 fe80::f41:9da7:d8e3:10ba prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:24:ea:fc txqueuelen 1000 (Ethernet)
RX packets 42 bytes 14364 (14.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 156 bytes 25698 (25.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
- 登录B机器,同样方法设置 ens37 网卡,ip 为 192.168.100.100/24
[root@arslinux-02 ~]# cd /etc/sysconfig/network-scripts/
[root@arslinux-02 network-scripts]# cp ifcfg-ens33 ifcfg-ens37
[root@arslinux-02 network-scripts]# vim ifcfg-ens37
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens37
DEVICE=ens37
ONBOOT=yes
IPADDR=192.168.100.100
NETMASK=255.255.255.0
:wq
[root@arslinux-02 network-scripts]# ifdown ens33
Device 'ens33' successfully disconnected.
[root@arslinux-02 network-scripts]# systemctl restart network
[root@arslinux-02 network-scripts]# ifconfig
ens33: flags=4099<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether 00:0c:29:14:4f:d9 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.100.100 netmask 255.255.255.0 broadcast 192.168.100.255
inet6 fe80::3771:e1f:d792:b669 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:14:4f:e3 txqueuelen 1000 (Ethernet)
RX packets 47 bytes 15228 (14.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 233 bytes 35912 (35.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@arslinux-02 network-scripts]# ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=1.31 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.337 ms
64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.296 ms
64 bytes from 192.168.100.1: icmp_seq=4 ttl=64 time=0.304 ms
^C
--- 192.168.100.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 0.296/0.562/1.312/0.433 ms
[root@arslinux-01 network-scripts]#
A 和 B 已经成功连接
准备工作完成
☆需求1:可以让B机器连接外网
在windows中,主机无法ping通两台虚拟机的网卡
B 机器也无法联通 A 的第一块网卡,同时也无法联网
1、在A机器上打开端口转发
echo "1" > /proc/sys/net/ipv4/ip_forward(0为关闭,1为打开,默认为0);这种写法重启后会失效,要永久生效需要在 /etc/sysctl.conf 中设置 net.ipv4.ip_forward = 1
[root@arslinux-01 network-scripts]# cat /proc/sys/net/ipv4/ip_forward
0
[root@arslinux-01 network-scripts]# echo "1" > !$
echo "1" > /proc/sys/net/ipv4/ip_forward
[root@arslinux-01 network-scripts]# !cat
cat /proc/sys/net/ipv4/ip_forward
1
2、A机器增加一条规则
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
[root@arslinux-01 network-scripts]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
[root@arslinux-01 network-scripts]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * ens33 192.168.100.0/24 0.0.0.0/0
3、B机器设置网关192.168.100.1,让数据包从B到A
B 机器已经能够 ping 通 A 机器的第一张网卡了
编辑公共 DNS 配置文件 /etc/resolv.conf
刚开始 ping 不通 119.29.29.29,也 ping 不通 www.qq.com
重新到A机器,先用 iptables -F 清空 filter 表,再把 nat 规则重新添加一次,返回 B 机器就可以连通了。真正起作用的很可能不是重新添加 nat 规则,而是 iptables -F 删掉了默认 filter 表中 FORWARD 链的 REJECT 规则(见后面 iptables-save 输出里的 -A FORWARD -j REJECT),这条规则会拦截 A 转发的包;更稳妥的做法是只在 FORWARD 链中放行 ens37 与 ens33 之间的转发,而不是清空整个 filter 表,因为清空会同时丢掉 INPUT 链上对本机的访问限制。
A 机器
[root@arslinux-01 network-scripts]# iptables -F
[root@arslinux-01 network-scripts]# iptables -t nat -F
[root@arslinux-01 network-scripts]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[root@arslinux-01 network-scripts]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
[root@arslinux-01 network-scripts]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * ens33 192.168.100.0/24 0.0.0.0/0
B机器
可以连外网,但是依然连不了内网
A 机器就是路由器,B 机器就是连接路由器的终端
☆需求2:C机器只能和A通信,让C机器可以直接连通B机器的22端口(端口映射)
虽然无法连接192.168.100.100,但是可以连接A机器192.168.194.130,可以做一个跳转到B机器192.168.100.100,这就叫端口映射
把A机器192.168.194.130的某端口(我们设置为1122),映射为B机器上192.168.100.100的22端口
访问A机器的192.168.194.130的1122端口,实际上访问的就是B机器的192.168.100.100的22端口
1、打开端口转发
[root@arslinux-01 network-scripts]# echo "1" > /proc/sys/net/ipv4/ip_forward
2、删除原先 iptables 规则
[root@arslinux-01 network-scripts]# iptables -t nat -D POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
[root@arslinux-01 network-scripts]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3、增加新 iptables 规则
进出A机器的包都要分别指定规则:
出(C 发往 A:1122 的包,在 PREROUTING 把目的地址改成 B 的 22 端口):iptables -t nat -A PREROUTING -d 192.168.194.130 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22
进(B 返回的包,在 POSTROUTING 把源地址改成 A 的外网地址):iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.194.130
注意这条 SNAT 规则没有像前面的 MASQUERADE 规则那样用 -o ens33 限定出口网卡,B 发出的所有经 A 转发的包都会被改写源地址;实际使用时建议加上 -o ens33 缩小匹配范围。
[root@arslinux-01 network-scripts]# iptables -t nat -A PREROUTING -d 192.168.194.130 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22
[root@arslinux-01 network-scripts]# iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.194.130
[root@arslinux-01 network-scripts]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.194.130 tcp dpt:1122 to:192.168.100.100:22
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * * 192.168.100.100 0.0.0.0/0 to:192.168.194.130
4、给B机器加网关
之前需求1时已经做过了
新建一个会话,连A机器的1122端口
已经成功进入到了 B 机器
可以成功连接互联网
参考资料:
http://man.linuxde.net/iptables
http://blog.chinaunix.net/uid-26495963-id-3279216.html
10.19 iptables规则备份和恢复
- service iptables save 把规则保存到 /etc/sysconfig/iptables
iptables-save > 目标文件 保存规则到另一个文件中
[root@arslinux-01 ~]# iptables-save > /tmp/ipt.txt
[root@arslinux-01 ~]# cat !$
cat /tmp/ipt.txt
# Generated by iptables-save v1.4.21 on Wed Apr 17 19:56:24 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [192:17603]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Sep 25 19:56:24 2019
- iptables-restore < 存档文件 恢复 iptables 规则
[root@arslinux-01 ~]# iptables -F
[root@arslinux-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 24 packets, 1584 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 13 packets, 1228 bytes)
pkts bytes target prot opt in out source destination
[root@arslinux-01 ~]# iptables-restore < /tmp/ipt.txt
[root@arslinux-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
40 2640 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 21 packets, 1964 bytes)
pkts bytes target prot opt in out source destination