一、構建測試環境
三颱主機全部使用僅主機模式,並關閉對應的dhcp設定
# 臨時的配置
ip a a 192.168.30.100/24 dev ens33
ip rounte add default via 192.168.30.1 dev ens33
# 寫入檔案
nmcli conn add con-name default type ethernet autoconnect yes ip4 192.168.30.100/24 gw4 192.168.30.1 ifname ens33
ip a a 192.168.30.1/24 dev ens33
ip a a 10.0.0.1/8 dev ens37
# 寫入檔案
nmcli conn add con-name eth0 type ethernet autoconnect yes ip4 192.168.30.1/24 ifname ens33
nmcli conn add con-name eth1 type ethernet autoconnect yes ip4 10.0.0.1/8 ifname ens37
# 啟用路由**功能
echo 1 > /etc/sys/net/ipv4/ip_forward
# 或者
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p
ip a a 10.0.0.100/8 dev ens33
ip rounte add default via 10.0.0.1 dev ens33
# 寫入檔案
nmcli conn add con-name default type ethernet autoconnect yes ip4 10.0.0.100/8 gw4 10.0.0.1 ifname ens33
iptables -vnl --line-numbers
chain input (policy accept 209 packets, 18373 bytes)
pkts bytes target prot opt in out source destination
chain forward (policy accept 26 packets, 2184 bytes)
pkts bytes target prot opt in out source destination
chain output (policy accept 49 packets, 8409 bytes)
pkts bytes target prot opt in out source destination
iptables -a forward -j rejectiptables -i forward -p tcp --dport 53 -j accept
iptables -i forward -p udp --dport 53 -j accept
iptables -i forward -m state --state established,related -j accept
iptables -i forward 2 -p tcp -m multiport --dports 139,445 -j accept
iptables -i forward 2 -p udp -m multiport --dports 139,445 -j accept
iptables -i forward 2 -p tcp --dport 21 -j accept
# centos7上需要載入 nf_conntrack_ftp 的模組
modprobe nf_conntrack_ftp
# 這個模組是vsftpd包帶的,將伺服器上的這三個檔案複製防火牆主機對應的位置
locate nf_conntrack_ftp
/usr/include/linux/netfilter/nf_conntrack_ftp.h
/usr/lib/modules/3.10.0-957.el7.x86_64/kernel/net/netfilter/nf_conntrack_ftp.ko.xz
/usr/src/kernels/3.10.0-957.el7.x86_64/include/linux/netfilter/nf_conntrack_ftp.h
/usr/src/kernels/3.10.0-957.el7.x86_64/include/uapi/linux/netfilter/nf_conntrack_ftp.h
iptables -i forward 2 -p tcp -m multiport --dports 22,23,80 -j acceptiptables -vnl --line-numbers
chain input (policy accept 17 packets, 1544 bytes)
num pkts bytes target prot opt in out source destination
chain forward (policy accept 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 55 4198 accept all -- * * 0.0.0.0/0 0.0.0.0/0 state related,established
2 3 180 accept tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21:23,80,139,445
3 2 116 accept udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
4 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
chain output (policy accept 11 packets, 2920 bytes)
num pkts bytes target prot opt in out source destination
CentOS 7 改用iptables作為防火牆
從centos 7開始系統預設使用的是firewall作為防火牆。關閉防火牆的方式與以往的有所不同。systemctl stop firewalld.servicesystemctl disable firewalld.serviceyum install iptables services y修改...
centos7使用iptables作為防火牆方法
centos7使用iptables作為防火牆方法 檢視firewalld狀態 systemctl status firewalld 將centos7預設的firewalld停止,並將iptables作為預設防火牆 關閉並禁用firewalld systemctl stop firewalld sys...
Iptables實現公網IP DNAT SNAT
iptables實現nat是最基本的功能,大部分家用路由都是基於其snat方式上網,使用iptables實現外網dnat也很簡單,不過經常會出現不能正常nat的現象。以下命令將客戶端訪問1.1.1.1的http資料dnat到2.2.2.2,很多人往往只做這一步,然後測試不能正常連線。1 iptabl...