A worked iptables example on a CentOS system

Overview

This article records a networking setup in which the iptables service is enabled on an Alibaba Cloud server and specific ports are forwarded, over an xl2tp (layer-2 tunneling) link, to the company's ARM server.
This gives the company's ARM server and the Alibaba Cloud server a dedicated network path between them.

On CentOS 7, RHEL 7 and Fedora the firewall is managed by firewalld, and the firewalld service is enabled by default.
The iptables tool is normally installed by default, but the iptables.service unit is not enabled. To use iptables directly,
stop the firewalld service and enable iptables.service instead.

The example is as follows:

Disable firewalld

systemctl stop firewalld   
systemctl mask firewalld

Enable the iptables service

yum install iptables-services   # install the iptables-services package
systemctl enable iptables       # start iptables at boot

e.g.:
# start the iptables service
[root@iZ8vbdsaostzzry9mmk5lrZ xl2tpd]# systemctl start iptables
[root@iZ8vbdsaostzzry9mmk5lrZ xl2tpd]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
   Active: active (exited) since Fri 2021-12-24 10:51:06 CST; 1s ago
  Process: 17134 ExecStop=/usr/libexec/iptables/iptables.init stop (code=exited, status=0/SUCCESS)
  Process: 17176 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 17176 (code=exited, status=0/SUCCESS)

Dec 24 10:51:06 iZ8vbdsaostzzry9mmk5lrZ systemd[1]: Starting IPv4 firewall with iptables...
Dec 24 10:51:06 iZ8vbdsaostzzry9mmk5lrZ iptables.init[17176]: iptables: Applying firewall rules: [  OK  ]
Dec 24 10:51:06 iZ8vbdsaostzzry9mmk5lrZ systemd[1]: Started IPv4 firewall with iptables.

# stop the iptables service
[root@iZ8vbdsaostzzry9mmk5lrZ xl2tpd]# systemctl stop iptables
[root@iZ8vbdsaostzzry9mmk5lrZ xl2tpd]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
   Active: inactive (dead) since Fri 2021-12-24 10:50:49 CST; 7s ago
  Process: 17134 ExecStop=/usr/libexec/iptables/iptables.init stop (code=exited, status=0/SUCCESS)
  Process: 17098 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 17098 (code=exited, status=0/SUCCESS)

Dec 24 10:34:41 iZ8vbdsaostzzry9mmk5lrZ systemd[1]: Starting IPv4 firewall with iptables...
Dec 24 10:34:41 iZ8vbdsaostzzry9mmk5lrZ iptables.init[17098]: iptables: Applying firewall rules: [  OK  ]
Dec 24 10:34:41 iZ8vbdsaostzzry9mmk5lrZ systemd[1]: Started IPv4 firewall with iptables.
Dec 24 10:50:49 iZ8vbdsaostzzry9mmk5lrZ systemd[1]: Stopping IPv4 firewall with iptables...
Dec 24 10:50:49 iZ8vbdsaostzzry9mmk5lrZ iptables.init[17134]: iptables: Setting chains to policy ACCEPT: nat raw mangle filter [  OK  ]
Dec 24 10:50:49 iZ8vbdsaostzzry9mmk5lrZ iptables.init[17134]: iptables: Flushing firewall rules: [  OK  ]
Dec 24 10:50:49 iZ8vbdsaostzzry9mmk5lrZ systemd[1]: Stopped IPv4 firewall with iptables.

# reload the configuration
[root@iZ8vbdsaostzzry9mmk5lrZ xl2tpd]# systemctl reload iptables
[root@iZ8vbdsaostzzry9mmk5lrZ xl2tpd]# 

# Save the settings. On CentOS, rules saved with iptables-save are lost after a reboot; using the command below works fine.
[root@iZ8vbdsaostzzry9mmk5lrZ xl2tpd]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

Using the firewalld service and the iptables service together

To open a range of ports as an exception, such as 1000-2000, you need to enable a zone port/protocol combination.
The syntax is:

firewall-cmd [--zone=<zone>] --add-port=<port>[-<port>]/<protocol> [--timeout=<seconds>]
eg:
firewall-cmd --zone=public --add-port=80/tcp --permanent   # --permanent makes the rule persistent; without it the rule is lost after a restart
firewall-cmd --zone=public --add-port=1000-2000/tcp --permanent 

This write-up chooses to disable the firewalld service and build the network application with iptables.

The iptables rules are configured as follows

Step 1: add DNAT rules to the PREROUTING chain of the nat table

# External access to ports 9990 and 9991 on the Alibaba Cloud fixed IP is forwarded into the xl2tp internal network
iptables -t nat -A PREROUTING -p tcp -d 39.99.xx.xxx/255.255.255.255 -m tcp --dport 9990 -m comment --comment "@redirect[0]" -j DNAT --to-destination 172.168.1.128:9990
iptables -t nat -A PREROUTING -p tcp -d 39.99.xx.xxx/255.255.255.255 -m tcp --dport 9991 -m comment --comment "@redirect[0]" -j DNAT --to-destination 172.168.1.128:9991
iptables -t nat -A OUTPUT -j ACCEPT
# Outbound access: traffic from the xl2tp internal network (172.168.1.0/24) is source-NATed to the Alibaba Cloud VM's egress IP
iptables -t nat -A POSTROUTING -s 172.168.1.0/24 -j SNAT --to-source 172.26.43.146

Step 2: add forwarding rules to the FORWARD chain of the filter table

iptables -A FORWARD -j ACCEPT
iptables -A OUTPUT -j ACCEPT
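The two rules above forward every packet routed through the VM, not only the two published ports. The script below is an added example (written for this page, not the article's own script) that builds the same DNAT and SNAT rules from variables, rejects malformed port numbers, limits the FORWARD chain to the forwarded ports, tunnel-originated traffic and replies, and checks that ip_forward is on (Step 4) before applying anything. The function names, the placeholder public address 203.0.113.10 (standing in for the article's 39.99.xx.xxx) and the comment text are assumptions; the internal addresses are the article's. With DRY_RUN=1 (the default) it prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not the article's script: generate/apply the NAT rule set with
# a restricted FORWARD chain. DRY_RUN=1 (default) prints instead of applying.
set -eu

PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"    # placeholder for the Alibaba Cloud fixed IP (article: 39.99.xx.xxx)
L2TP_HOST="${L2TP_HOST:-172.168.1.128}"   # ARM server inside the xl2tp network (from the article)
L2TP_NET="${L2TP_NET:-172.168.1.0/24}"    # xl2tp internal network (from the article)
EGRESS_IP="${EGRESS_IP:-172.26.43.146}"   # VM egress address used for SNAT (from the article)
PORTS="${PORTS:-9990 9991}"               # TCP ports published to the outside
DRY_RUN="${DRY_RUN:-1}"                   # set DRY_RUN=0 (as root) to really apply the rules

# Run iptables, or print the command line when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Return 0 if $1 is an integer in 1..65535, 1 otherwise.
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Return 0 if the kernel knob in file $1 (default /proc/sys/net/ipv4/ip_forward)
# reads "1", i.e. Step 4 of the article has taken effect.
check_ip_forward() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Emit (or apply) the rule set; fails without emitting anything on a bad port.
emit_rules() {
    portlist=""
    for p in $PORTS; do
        validate_port "$p" || { echo "invalid port: $p" >&2; return 1; }
        portlist="${portlist:+$portlist,}$p"
    done

    # nat table: DNAT the published ports to the ARM server, SNAT the tunnel network on the way out.
    for p in $PORTS; do
        ipt -t nat -A PREROUTING -p tcp -d "$PUBLIC_IP" --dport "$p" \
            -m comment --comment "redirect-$p" -j DNAT --to-destination "$L2TP_HOST:$p"
    done
    ipt -t nat -A POSTROUTING -s "$L2TP_NET" -j SNAT --to-source "$EGRESS_IP"

    # filter table: only DNATed connections, tunnel-originated traffic and replies are forwarded;
    # everything else hits the DROP policy (the article's "-A FORWARD -j ACCEPT" forwarded all traffic).
    ipt -A FORWARD -d "$L2TP_HOST" -p tcp -m multiport --dports "$portlist" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -s "$L2TP_NET" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -P FORWARD DROP
}

# Warn if forwarding is off, then print (or apply) the rules.
check_ip_forward || echo "warning: net.ipv4.ip_forward is not 1; forwarded packets will be dropped" >&2
emit_rules
```

After applying with DRY_RUN=0, persist the rules with `service iptables save` exactly as in Step 3. One caveat on the addresses themselves: 172.168.1.0/24 lies outside the RFC 1918 range 172.16.0.0/12, so it is a public prefix being reused internally; the routes and SNAT here still work, but hosts on that tunnel cannot reach whoever legitimately holds those addresses on the Internet.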

Step 3: save the configuration and start the iptables service

[root@iZ8vbdsaostzzry9mmk5lrZ xl2tpd]# service iptables save               # save the rules
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@iZ8vbdsaostzzry9mmk5lrZ xl2tpd]# systemctl start iptables            # start the iptables service

[root@iZ8vbdsaostzzry9mmk5lrZ xl2tpd]# iptables -L -v                      # chains of the filter table
Chain INPUT (policy ACCEPT 43 packets, 2913 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 4079  213K ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ftp
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ftp-data
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
 3926  845K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1256 91699 ACCEPT     all  --  any    any     anywhere             anywhere            
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 7594 1941K ACCEPT     all  --  any    any     anywhere             anywhere    

[root@iZ8vbdsaostzzry9mmk5lrZ xl2tpd]# iptables -L -v -t nat             # chains of the nat table
Chain PREROUTING (policy ACCEPT 111 packets, 7453 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    7   388 DNAT       tcp  --  any    any     anywhere             anywhere             tcp dpt:osm-oev /* @redirect[1] */ to:172.168.1.128:9991
    0     0 DNAT       udp  --  any    any     anywhere             anywhere             udp dpt:osm-oev /* @redirect[1] */ to:172.168.1.128:9991

Chain INPUT (policy ACCEPT 6 packets, 348 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  732 49635 ACCEPT     all  --  any    any     anywhere             anywhere            

Chain POSTROUTING (policy ACCEPT 95 packets, 6734 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  253 17012 SNAT       all  --  any    any     172.168.1.0/24       anywhere             to:172.26.43.146
[root@iZ8vbdsaostzzry9mmk5lrZ ~]#          

Step 4: enable ip_forward on the CentOS system

[root@iZ8vbdsaostzzry9mmk5lrZ xl2tpd]# cat /etc/sysctl.conf 
vm.swappiness = 0
net.ipv4.neigh.default.gc_stale_time = 120
net.ipv4.ip_forward = 1                          # add the ip_forward setting

# see details in https://help.aliyun.com/knowledge_detail/39428.html
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2

# see details in https://help.aliyun.com/knowledge_detail/41334.html
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

kernel.sysrq = 1

[root@iZ8vbdsaostzzry9mmk5lrZ xl2tpd]# systemctl restart network  # restart the CentOS network service

Step 5: configure the routing table on the ARM server

# 39.99.xx.xx = Alibaba Cloud IP, 192.168.1.1 = ARM server LAN gateway
sudo route add -host 39.99.xx.xx  gw 192.168.1.1     # the ARM server builds the xl2tp link across the LAN
# 172.168.1.99 = XL2TP server address
sudo route add default gw 172.168.1.99               # ARM server default route, next-hop IP address

sudo route del default gw 192.168.1.1                # delete the original default route entry

sudo route add -host 114.114.114.114 gw 172.168.1.99 # test route entry

Network test and verification log

During use, the system automatically adds a default route again whenever the network service or the network changes. Letting the metric value pick the preferred default route is also workable; the routing information is as follows:


# ARM server routing table
robot@ubuntu:~$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.168.1.99    0.0.0.0         UG    10     0        0 ppp0
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 enp0s3
39.99.232.232   192.168.1.1     255.255.255.255 UGH   0      0        0 enp0s3
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 enp0s3
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.168.1.99    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 enp0s3
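With two default routes present, the kernel picks the one with the lowest metric (10 via ppp0 beats 100 via enp0s3). The functions below are an added example, not part of the article, that read `route -n` output and report how many default routes exist and which one wins, so the check can be scripted after a network change instead of eyeballed. The sample table is the ARM server's table printed above; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): pick the default route the kernel will
# actually use from "route -n" output on stdin. Columns of route -n:
# Destination Gateway Genmask Flags Metric Ref Use Iface  ($1 .. $8)
set -eu

# The ARM server's routing table as printed in the article (used as sample input).
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.168.1.99    0.0.0.0         UG    10     0        0 ppp0
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 enp0s3
39.99.232.232   192.168.1.1     255.255.255.255 UGH   0      0        0 enp0s3
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 enp0s3
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.168.1.99    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 enp0s3'

# Number of default routes (destination 0.0.0.0 with mask 0.0.0.0) in the table on stdin.
count_default_routes() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { n++ } END { print n + 0 }'
}

# Gateway and interface of the default route with the lowest metric, e.g.
# "172.168.1.99 ppp0"; exits 1 when the table has no default route at all.
preferred_default_route() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" {
             if (!seen || $5 + 0 < best) { best = $5 + 0; gw = $2; dev = $8; seen = 1 }
         }
         END { if (seen) print gw, dev; else exit 1 }'
}

# Succeed only if the preferred default route leaves through interface $1
# (the article expects ppp0, the xl2tp tunnel).
default_route_uses() {
    [ "$(preferred_default_route | awk '{ print $2 }')" = "$1" ]
}

printf '%s\n' "$SAMPLE_ROUTES" | count_default_routes       # 2
printf '%s\n' "$SAMPLE_ROUTES" | preferred_default_route    # 172.168.1.99 ppp0
```

On the live host run `route -n | default_route_uses ppp0 || echo "default route left the tunnel"` after a reconnect; the same check expressed with `ip route show default` would look at the `metric` field of each `default via` line.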

# Network access
robot@ubuntu:~$ ping www.qq.com
PING ins-r23tsuuf.ias.tencent-cloud.net (101.91.22.57) 56(84) bytes of data.
64 bytes from 101.91.22.57 (101.91.22.57): icmp_seq=1 ttl=51 time=47.8 ms
64 bytes from 101.91.22.57 (101.91.22.57): icmp_seq=2 ttl=51 time=48.4 ms
^C
--- ins-r23tsuuf.ias.tencent-cloud.net ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 47.754/48.059/48.365/0.305 ms

# traceroute shows the route is selected through the xl2tp IP address
robot@ubuntu:~$ traceroute www.qq.com
traceroute to www.qq.com (101.91.22.57), 30 hops max, 60 byte packets
 1  172.168.1.99 (172.168.1.99)  15.899 ms  15.885 ms  15.920 ms
 2  10.130.125.26 (10.130.125.26)  15.936 ms 10.130.123.26 (10.130.123.26)  15.967 ms  15.920 ms
 3  11.73.0.97 (11.73.0.97)  15.908 ms 11.73.0.189 (11.73.0.189)  15.899 ms 11.73.0.37 (11.73.0.37)  15.846 ms

With this, building and testing the network environment is complete.
One reminder: remember to add ports 9990 and 9991 under port forwarding in the Alibaba Cloud VM management console; otherwise external access is blocked by the Alibaba Cloud firewall.

Reference links:
https://blog.csdn.net/c233728461/article/details/52679558
https://blog.csdn.net/u011537073/article/details/82685586
https://www.jianshu.com/p/807fcc9197f3
