项目架构图
项目描述
使用DNAT技术实现发布内网的服务(ssh、dns、nginx),使用SNAT技术实现内网的机器上网功能,构建一个基于SNAT和DNAT的发布内网服务和上网的集群项目。
项目环境
7台Linux服务器(centos 7.9)、dhcp、nginx 1.25.2、mysql-5.7.41、bind
ip地址规划
server | IP |
firewall | wan口:192.168.2.188 lan口:192.168.50.254 |
dhcp | 192.168.50.20 |
dns | 192.168.50.30 |
nginx | 192.168.50.40 |
mysql | 192.168.50.50 |
Springboard | 192.168.50.60 |
client-test | 192.168.50.70 |
关闭selinux和firewalld
# Stop firewalld now and keep it from starting at boot. Lab shortcut: done on
# every host here; on a production host keep it on and open only the ports
# that are needed.
systemctl stop firewalld && systemctl disable firewalld
# Switch SELinux to permissive for the running system (no reboot needed).
setenforce 0
# Make it permanent: the system boots with SELinux disabled from now on.
# Only the literal value "enforcing" is rewritten.
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
修改主机名
# One line per machine: run the matching command on each of the seven hosts
# (the names follow the IP plan above).
hostnamectl set-hostname firewall
hostnamectl set-hostname dhcp
hostnamectl set-hostname dns
hostnamectl set-hostname nginx
hostnamectl set-hostname mysql
hostnamectl set-hostname Springboard
hostnamectl set-hostname client-test
项目步骤
一、搭建防火墙服务器,开启SNAT和DNAT功能,实现内网服务器的服务发布和上网功能
1.给Linux网关服务器2块网卡配置ip地址
关闭虚拟机 --》添加一块网卡
2.得到网卡ens37的配置文件
[root@firewall ~]# cd /etc/sysconfig/network-scripts/
[root@firewall network-scripts]# cp ifcfg-ens33 ifcfg-ens37
# 因为前面新添加的网卡名字就是ens37,所以使用ens37
[root@firewall network-scripts]# ls
ifcfg-ens33 ifdown ifdown-ippp ifdown-post ifdown-sit ifdown-tunnel ifup-bnep ifup-ipv6 ifup-plusb ifup-routes ifup-TeamPort init.ipv6-global
ifcfg-ens37 ifdown-bnep ifdown-ipv6 ifdown-ppp ifdown-Team ifup ifup-eth ifup-isdn ifup-post ifup-sit ifup-tunnel network-functions
ifcfg-lo ifdown-eth ifdown-isdn ifdown-routes ifdown-TeamPort ifup-aliases ifup-ippp ifup-plip ifup-ppp ifup-Team ifup-wireless network-functions-ipv6
3.编辑网卡接口配置文件
配置WAN口的网卡ens37的ip,注意:WAN口配置网关和dns,网卡类型为桥接模式
[root@firewalld network-scripts]# cat ifcfg-ens37
BOOTPROTO=none
NAME=ens37
DEVICE=ens37
ONBOOT=yes
IPADDR=192.168.2.188
GATEWAY=192.168.2.1
NETMASK=255.255.255.0
DNS2=114.114.114.114
配置LAN口的网卡ens33的ip,注意:LAN口里不配置网关和dns,网卡类型为仅主机模式
[root@firewalld network-scripts]# cat ifcfg-ens33
BOOTPROTO=none
NAME=ens33
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.50.254
NETMASK=255.255.255.0
重启网络服务
[root@server network-scripts]# service network restart
Restarting network (via systemctl): [ 确定 ]
[root@server network-scripts]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:62:e8:d0 brd ff:ff:ff:ff:ff:ff
inet 192.168.50.254/24 brd 192.168.50.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe62:e8d0/64 scope link
valid_lft forever preferred_lft forever
3: ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:62:e8:da brd ff:ff:ff:ff:ff:ff
inet 192.168.2.188/24 brd 192.168.2.255 scope global noprefixroute ens37
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe62:e8da/64 scope link
valid_lft forever preferred_lft forever
4.开启SNAT和DNAT功能
编写脚本,实现SNAT和DNAT功能
[root@firewall nat]# cat snat_dnat.sh
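#!/bin/bash
# snat_dnat.sh - turn this host into the NAT gateway for 192.168.50.0/24.
# WAN = ens37 (192.168.2.188), LAN = ens33 (192.168.50.254). Run as root.
# Nothing here is persistent: ip_forward is set for the current boot only
# (add "net.ipv4.ip_forward = 1" to /etc/sysctl.conf to keep it) and the
# iptables rules are gone after a reboot (re-run the script or use
# iptables-save / a boot-time service).
WAN_IF=ens37
LAN_IF=ens33
WAN_IP=192.168.2.188
LAN_NET=192.168.50.0/24

# Enable IPv4 routing between the two interfaces (runtime only).
echo 1 >/proc/sys/net/ipv4/ip_forward

# Start from a clean slate in the filter and nat tables. -F does not reset
# chain policies, so FORWARD is set explicitly below.
iptables -F
iptables -t nat -F

# SNAT: rewrite the source of LAN traffic leaving the WAN port so the
# internal hosts reach the outside world as 192.168.2.188.
iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"

# DNAT: publish internal services on the WAN address.
# ssh -> jump host (Springboard). This puts root's ssh login on the internet;
# keep password authentication off once the keys from step 2 are in place.
iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp --dport 22 -j DNAT --to-destination 192.168.50.60
# dns -> bind. Ordinary lookups are UDP; the original rule only forwarded
# TCP 53, so normal queries from outside never reached the resolver.
iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p udp --dport 53 -j DNAT --to-destination 192.168.50.30
iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp --dport 53 -j DNAT --to-destination 192.168.50.30
# http -> nginx
iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp --dport 80 -j DNAT --to-destination 192.168.50.40

# FORWARD: with the default ACCEPT policy anything that reaches the gateway
# can be routed into the LAN, not just the three published services. Allow
# replies, connections the LAN initiates, and the DNAT'ed services; drop
# the rest.
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
iptables -A FORWARD -i "$WAN_IF" -d 192.168.50.60 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i "$WAN_IF" -d 192.168.50.30 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i "$WAN_IF" -d 192.168.50.30 -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i "$WAN_IF" -d 192.168.50.40 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT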
二、搭建跳板机,建立免密通道,通过跳板机去访问内网的其他服务器
1.跳板机服务器上生成密钥对
[root@Springboard .ssh]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:RwPsvRYZ/cRdqUv2JVlFKQovTUsDb+3B+27izeinC8c root@Springboard
The key's randomart image is:
+---[RSA 2048]----+
| ..... . oO|
| .oo++.ooo|
| . .O=+*oo |
| .o=*.+* .|
| S ooooo..|
| .o .... |
| . . E . |
| o.=o |
| o**+ |
+----[SHA256]-----+
[root@Springboard .ssh]# ls
id_rsa id_rsa.pub
2.上传公钥到其他服务器的root用户家目录下。注意:跳板机的 22 端口通过防火墙的 DNAT 直接暴露在 WAN 口,而第六步里登录仍然走的是 root 口令认证;公钥分发完成后应在各机(尤其是跳板机)的 /etc/ssh/sshd_config 里设置 `PasswordAuthentication no` 和 `PermitRootLogin prohibit-password` 并重启 sshd,否则外网可以直接对 root 口令做暴力破解。另外,如果上面生成密钥时 passphrase 留空,那么谁拿到跳板机的 /root/.ssh/id_rsa 就能免密登录全部内网机器,建议给私钥设置 passphrase 并配合 ssh-agent 使用。
ssh-copy-id -i id_rsa.pub root@192.168.50.20
ssh-copy-id -i id_rsa.pub root@192.168.50.30
ssh-copy-id -i id_rsa.pub root@192.168.50.40
ssh-copy-id -i id_rsa.pub root@192.168.50.50
3.内网服务器开启黑白名单,只能跳板机ssh到内网服务器。注意:tcp_wrappers 先查 /etc/hosts.allow,匹配即放行,之后才查 /etc/hosts.deny;下面两个文件的内容写反了——hosts.allow 里写 `sshd:all` 会放行所有来源,hosts.deny 根本不会起作用。正确写法是 hosts.allow 写 `sshd:192.168.50.60`,hosts.deny 写 `sshd:all`(第六步里 client-test 直接 ssh 被 reset 的效果,只有这样配置才会出现)。这种限制只对 sshd 生效,而且依赖 sshd 链接了 libwrap(CentOS 7 自带的 sshd 仍支持,更新的发行版已经移除),更稳妥的做法是同时在 sshd_config 里用 AllowUsers/Match 或在 iptables 里限制 22 端口的来源。
[root@nginx etc]# cat /etc/hosts.deny
sshd:192.168.50.60
[root@nginx etc]# cat /etc/hosts.allow
sshd:all
三、部署dns服务器,为整个集群提供域名解析功能,部署dhcp服务器,为整个集群分配IP地址
1.部署dns服务器
1.安装软件bind
yum install bind* -y
2.设置named服务开机启动,启动DNS服务
systemctl enable named && systemctl start named
3.查看进程和端口号
# Confirm the daemon is running and see which addresses/ports it listens on
# (before the config change below it only binds localhost).
ps aux|grep named
netstat -anplut|grep named
4.修改/etc/named.conf配置文件,重启服务允许其他电脑能过来查询dns域名。注意:这台 DNS 通过防火墙的 DNAT 暴露在 WAN 口的 53 端口上,`allow-query { any; };` 再加上默认配置里的 `recursion yes;`,会让它成为开放递归解析器,可被外网用来做 DNS 放大攻击。建议在 options 里加上 `allow-recursion { 192.168.50.0/24; localhost; };`:对内网保留递归查询,对外只提供 sc.com 的权威解析。
[root@dns ~]# vim /etc/named.conf
options {
listen-on port 53 { any; }; # 修改
listen-on-v6 port 53 { any; }; # 修改
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; }; # 修改
重启named服务
[root@dns ~]# service named restart
Redirecting to /bin/systemctl restart named.service
5.修改配置文件,告诉named为sc.com提供域名解析
[root@dns named]# vim /etc/named.rfc1912.zones
zone "sc.com" IN {
type master;
file "sc.com.zone";
allow-update { none; };
};
6.创建sc.com.zone的数据文件
[root@dns named]# pwd
/var/named
[root@dns named]# ls
chroot chroot_sdb data dynamic dyndb-ldap named.ca named.empty named.localhost named.loopback
[root@dns named]# cp -a named.localhost sc.com.zone
[root@dns named]# ls
chroot chroot_sdb data dynamic dyndb-ldap named.ca named.empty named.localhost named.loopback sc.com.zone
7.编写sc.com.zone
[root@dns named]# cat sc.com.zone
$TTL 1D
@ IN SOA @ rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 127.0.0.1
AAAA ::1
www A 192.168.50.40
[root@dns named]# named-checkzone sc.com /var/named/sc.com.zone
zone sc.com/IN: loaded serial 0
OK
[root@dns named]# service named restart
8.所有机器上将dns服务器指向我们搭建的dns服务器
cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.50.30
9.使用host查看是否能进行域名解析
[root@dns named]# host www.sc.com
www.sc.com has address 192.168.50.40
2.部署dhcp服务器
yum install dhcp -y
[root@dhcp ~]# cd /etc/dhcp
[root@dhcp dhcp]# ls
dhclient.d dhclient-exit-hooks.d dhcpd6.conf dhcpd.conf scripts
[root@dhcp dhcp]# cp /usr/share/doc/dhcp-4.2.5/dhcpd.conf.example /etc/dhcp/dhcpd.conf
cp:是否覆盖"/etc/dhcp/dhcpd.conf"? y
编辑配置文件
只保留以下这段配置,搭建一个最简单的dhcp服务器。注意两点:一是 range 192.168.50.2~100 覆盖了上面规划的固定地址(.20、.30、.40、.50、.60、.70),dhcpd 有可能把这些地址分给其他机器造成地址冲突,应把固定地址排除在 range 之外(例如 `range 192.168.50.101 192.168.50.200;`)或用 host 声明做保留;二是 `option domain-name-servers 114.114.114.114;` 与第 8 步“所有机器指向 192.168.50.30”不一致,要让客户端能解析 sc.com 应改成 192.168.50.30。
[root@dhcp dhcp]# cat dhcpd.conf
# dhcpd.conf
log-facility local7;
# A slightly different configuration for an internal subnet.
subnet 192.168.50.0 netmask 255.255.255.0 {
range 192.168.50.2 192.168.50.100;
option domain-name-servers 114.114.114.114;
option routers 192.168.50.254;
default-lease-time 600;
max-lease-time 7200;
}
# 启动dhcp服务
[root@dhcp dhcp]# service dhcpd start
Redirecting to /bin/systemctl start dhcpd.service
关闭VMware虚拟机的dhcp服务
DHCP服务器查看分配的ip地址
cat /var/lib/dhcpd/dhcpd.leases
四、部署mysql服务器,给整个集群提供数据支持
1.下载源码包
2.编写安装脚本
[root@mysql mysql]# cat install_mysql.sh
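#!/bin/bash
# install_mysql.sh - unpack the MySQL 5.7.41 binary tarball into
# /usr/local/mysql, initialise a data directory under /data/mysql, install
# the SysV service and set the root password.
# Run as root from the directory that holds the tarball. The root password
# can be supplied as MYSQL_ROOT_PASSWORD; it falls back to the tutorial
# default so the rest of the course still works. It must not contain a
# single quote or a backslash (it is placed inside an SQL string literal).
MYSQL_ROOT_PASSWORD="${MYSQL_ROOT_PASSWORD:-Sanchuang123#}"
TARBALL=mysql-5.7.41-linux-glibc2.12-x86_64.tar.gz
BASEDIR=/usr/local/mysql
DATADIR=/data/mysql

die() { printf 'install_mysql: %s\n' "$*" >&2; exit 1; }

case "$MYSQL_ROOT_PASSWORD" in
  *\'*|*\\*) die "MYSQL_ROOT_PASSWORD must not contain ' or \\" ;;
esac

# Build/runtime dependencies.
yum install cmake ncurses-devel gcc gcc-c++ vim lsof bzip2 openssl-devel ncurses-compat-libs -y

# Unpack the binary distribution and move it to its final location.
[[ -f "$TARBALL" ]] || die "$TARBALL not found in $(pwd)"
[[ -e "$BASEDIR" ]] && die "$BASEDIR already exists, refusing to overwrite"
tar xf "$TARBALL" || die "failed to unpack $TARBALL"
mv "${TARBALL%.tar.gz}" "$BASEDIR" || die "failed to move the tree to $BASEDIR"

# Service account: system user, no login shell. Skipped if already present so
# the script can be re-run.
getent group mysql >/dev/null || groupadd mysql
id mysql >/dev/null 2>&1 || useradd -r -g mysql -s /bin/false mysql

# Data directory owned by the service account and closed to everyone else.
mkdir -p "$DATADIR"
chown mysql:mysql "$DATADIR"
chmod 750 "$DATADIR"

cd "$BASEDIR/bin" || die "cannot cd to $BASEDIR/bin"

# Initialise the data directory. The log contains the generated temporary
# root password, so it goes to a root-only temp file and is deleted as soon
# as the password has been extracted (the original left it world-readable
# as passwd.txt next to the binaries).
init_log=$(mktemp) || die "mktemp failed"
chmod 600 "$init_log"
./mysqld --initialize --user=mysql --basedir="$BASEDIR/" --datadir="$DATADIR" &>"$init_log" \
  || die "mysqld --initialize failed, see $init_log"
tem_passwd=$(grep "temporary" "$init_log" | awk '{print $NF}')
rm -f "$init_log"
[[ -n "$tem_passwd" ]] || die "could not find the temporary root password in the init log"

# Make the client tools reachable for the rest of this script.
export PATH="$BASEDIR/bin/:$PATH"

# SysV init script. Its datadir placeholder is matched by content instead
# of by line number (the original's '70c' rewrites whatever line 70 is).
cp ../support-files/mysql.server /etc/init.d/mysqld
sed -i 's|^datadir=.*|datadir=/data/mysql|' /etc/init.d/mysqld

# Server/client configuration. basedir/datadir are stated here as well so
# the server finds its data even if the init script is replaced.
cat >/etc/my.cnf <<'EOF'
[mysqld_safe]
[client]
socket=/data/mysql/mysql.sock
[mysqld]
basedir=/usr/local/mysql
datadir=/data/mysql
socket=/data/mysql/mysql.sock
port = 3306
open_files_limit = 8192
innodb_buffer_pool_size = 512M
character-set-server=utf8
[mysql]
auto-rehash
prompt=\u@\d \R:\m mysql>
EOF

# Raise the open-file limit from rc.local, as the original did; guarded so a
# re-run does not append the line twice.
grep -qxF 'ulimit -n 1000000' /etc/rc.local || echo "ulimit -n 1000000" >>/etc/rc.local
chmod +x /etc/rc.d/rc.local

# Start the server and register it with the SysV service manager.
service mysqld start || die "mysqld failed to start"
/sbin/chkconfig --add mysqld
/sbin/chkconfig mysqld on

# Replace the expired temporary password with the real one. Passwords are
# handed to the client via MYSQL_PWD instead of -p<password>, which every
# local user could read from the process list.
MYSQL_PWD="$tem_passwd" mysql -uroot --connect-expired-password \
  -e "set password='${MYSQL_ROOT_PASSWORD}';" || die "failed to set the root password"

# Verify the new password works: a listing of the databases means success.
MYSQL_PWD="$MYSQL_ROOT_PASSWORD" mysql -uroot -e "show databases;"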
3.执行脚本
bash install_mysql.sh
五、搭建nginx服务器,提供web服务
1.编写一键安装nginx脚本
[root@nginx ~]# cat onekey_install_nginx.sh
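#!/bin/bash
# onekey_install_nginx.sh - build nginx 1.25.2 from source into
# /usr/local/scnginx99, start it and register it in rc.local. Run as root.
NGINX_VERSION=1.25.2
NGINX_PREFIX=/usr/local/scnginx99
NGINX_USER=hanwei

die() { printf 'install_nginx: %s\n' "$*" >&2; exit 1; }

# Working directory for the source download.
mkdir -p /nginx
cd /nginx || die "cannot cd to /nginx"

# Unprivileged account the worker processes will run as.
id "$NGINX_USER" >/dev/null 2>&1 || useradd "$NGINX_USER" -s /sbin/nologin

# Fetch the source over HTTPS so the tarball cannot be swapped in transit
# (the original used plain http). nginx.org also publishes a detached .asc
# signature next to each tarball; verify it with gpg before building on
# anything but a lab box.
yum install wget -y
wget "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" || die "download failed"
tar xf "nginx-${NGINX_VERSION}.tar.gz" || die "failed to unpack the source"

# Build dependencies.
yum -y install openssl openssl-devel pcre pcre-devel gcc autoconf automake make

# The original ran ./configure from /nginx, where there is no configure
# script; the build has to run inside the unpacked source tree.
cd "nginx-${NGINX_VERSION}" || die "source directory nginx-${NGINX_VERSION} missing"
./configure --prefix="$NGINX_PREFIX" --user="$NGINX_USER" --with-threads --with-http_ssl_module --with-http_v2_module --with-http_stub_status_module --with-stream \
  || die "configure failed"
# Two parallel jobs to speed up the build.
make -j 2 || die "build failed"
make install || die "install failed"

# Start nginx.
"$NGINX_PREFIX/sbin/nginx" || die "nginx failed to start"

# Make the nginx binaries reachable from root's shell. The .bashrc line keeps
# a literal $PATH so it extends whatever PATH is current at login; the
# original expanded $PATH at install time and froze that value into .bashrc.
PATH="$PATH:$NGINX_PREFIX/sbin/"
grep -qxF 'PATH=$PATH:/usr/local/scnginx99/sbin/' /root/.bashrc \
  || echo 'PATH=$PATH:/usr/local/scnginx99/sbin/' >>/root/.bashrc

# Start at boot via rc.local (no systemd unit in this tutorial); guarded so a
# re-run does not add the line twice.
grep -qxF "$NGINX_PREFIX/sbin/nginx" /etc/rc.local || echo "$NGINX_PREFIX/sbin/nginx" >>/etc/rc.local
chmod +x /etc/rc.d/rc.local

# Lab shortcut kept from the original: firewalld and SELinux are switched
# off on this host. On an internet-facing server prefer opening port 80 in
# firewalld and leaving SELinux enforcing.
systemctl stop firewalld
systemctl disable firewalld
setenforce 0
sed -i '/^SELINUX=/ s/enforcing/disabled/' /etc/selinux/config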
2.执行脚本
bash onekey_install_nginx.sh
六、测试访问,使用Linux机器和windows机器ssh到跳板机,然后从跳板机上ssh到内网的服务器
1.直接ssh内网的服务器被拒绝
[root@client-test ~]# ssh root@192.168.50.40
ssh_exchange_identification: read: Connection reset by peer
[root@client-test ~]# ssh root@192.168.50.60
The authenticity of host '192.168.50.60 (192.168.50.60)' can't be established.
ECDSA key fingerprint is SHA256:NBsWUhu420ovbAZK0X5wAZHZYqrr5H7ilrqNbGka5UU.
ECDSA key fingerprint is MD5:0b:21:ef:0f:43:8a:9e:ac:c5:48:46:36:40:e4:13:65.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.50.60' (ECDSA) to the list of known hosts.
root@192.168.50.60's password:
Last login: Sun Aug 27 12:42:58 2023 from 192.168.50.70
2.先ssh到跳板机,然后从跳板机上ssh到内网的服务器
[root@Springboard ~]# ssh root@192.168.50.40
The authenticity of host '192.168.50.40 (192.168.50.40)' can't be established.
ECDSA key fingerprint is SHA256:BoRg+sAchJqF/jNZkvAiRZX9rShMM6mGmgl+ZMuAQ8s.
ECDSA key fingerprint is MD5:cc:51:64:1d:dc:ee:b3:0a:86:90:82:94:76:f2:10:2d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.50.40' (ECDSA) to the list of known hosts.
root@192.168.50.40's password:
Last login: Sun Aug 27 12:13:52 2023 from 192.168.50.60
[root@nginx ~]# exit
登出
Connection to 192.168.50.60 closed.
windows上测试