2. 程式人生 > >CentOS7 Firewall NAT 及端口映射

CentOS7 Firewall NAT 及端口映射

阿新 發佈:2017-08-15
centos7 firewall nat 端口映射

本節介紹用CentOS7的Firewalll來做NAT以及端口映射


實驗拓撲:

技術分享

因為我的環境裏CentOS7上有KVM虛擬機需要共享網卡上網,所以我把網卡都添加到了橋裏面,當然這裏也可以不用橋,直接用物理網口;


用nmcli創建橋,並添加網口到橋;然後給橋設置IP地址:


先創建兩個橋"br-ex"和"br-in"

[[email protected] ~]# nmcli con add type bridge con-name br-ex ifname br-ex autoconnect yes
Connection ‘br-ex‘ (2b823432-af25-497a-9b59-8b63709ef8ad) successfully added.
[[email protected] ~]# nmcli con add type bridge con-name br-in ifname br-in autoconnect yes
Connection ‘br-in‘ (e9c07ace-4182-41db-8208-7b93c139842f) successfully added.
[[email protected]
/* */ ~]# nmcli con show NAME UUID TYPE DEVICE Wired connection 1 8c368bb5-8050-355f-a513-49b5c4bca3f8 802-3-ethernet ens36 br-ex 2b823432-af25-497a-9b59-8b63709ef8ad bridge br-ex br-in e9c07ace-4182-41db-8208-7b93c139842f bridge br-in eno16777736 01ef745d-f2ee-421a-8dd5-4da36d509e2a 802-3-ethernet eno16777736 [[email protected]
/* */ ~]#

將網卡"ens36"加入到"br-in",將網卡"eno16777736"加入到"br-ex"

這裏首先刪除nmcli裏的connection

[[email protected] ~]# nmcli connection delete eno16777736 
Connection ‘eno16777736‘ (01ef745d-f2ee-421a-8dd5-4da36d509e2a) successfully deleted.
[[email protected] ~]# nmcli con delete "Wired connection 1" 
Connection ‘Wired connection 1‘ (8c368bb5-8050-355f-a513-49b5c4bca3f8) successfully deleted.
[[email protected] ~]#

然後將網卡添加到相應的橋中

[[email protected] ~]# nmcli connection add type bridge-slave con-name eno16777736 ifname eno16777736 autoconnect yes master br-ex
Connection ‘eno16777736‘ (cc6b32bf-4a23-42a1-af6e-85cf93f1686f) successfully added.
[[email protected] ~]# nmcli connection add type bridge-slave con-name ens36 ifname ens36 autoconnect yes master br-in
Connection ‘ens36‘ (2b7cf193-22eb-4b61-8887-1aed25b33fd1) successfully added.

[[email protected] ~]# nmcli con show
NAME         UUID                                  TYPE            DEVICE      
br-ex        2b823432-af25-497a-9b59-8b63709ef8ad  bridge          br-ex       
br-in        e9c07ace-4182-41db-8208-7b93c139842f  bridge          br-in       
eno16777736  cc6b32bf-4a23-42a1-af6e-85cf93f1686f  802-3-ethernet  eno16777736 
ens36        2b7cf193-22eb-4b61-8887-1aed25b33fd1  802-3-ethernet  ens36       
[[email protected] ~]#


次環境中外網的IP是自動獲取的,當然用固定的也是可以的


下面要設置NAT了

1、啟用IP轉發

[[email protected] ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[[email protected] ~]# sysctl -p    #使更改立即生效
net.ipv4.ip_forward = 1
[[email protected] ~]#


2、在Firewall中將橋放到相應的zone

[[email protected] ~]# firewall-cmd --zone=external --change-interface=br-ex --permanent 
The interface is under control of NetworkManager, setting zone to ‘external‘.
success
[[email protected] ~]# firewall-cmd --zone=internal --change-interface=br-in --permanent 
The interface is under control of NetworkManager, setting zone to ‘internal‘.
success
[[email protected] ~]#firewall-cmd --list-all-zones
...省略...
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: br-in
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 
	

external (active)
  target: default
  icmp-block-inversion: no
  interfaces: br-ex
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 
  ...省略...

3、設置IP地址偽裝(讓所有內網的流量出去到外網源地址都偽裝成br-ex的地址)

[[email protected] ~]# firewall-cmd --zone=external --add-masquerade --permanent 
Warning: ALREADY_ENABLED: masquerade
success
[[email protected] ~]# firewall-cmd --zone=external --list-all
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: br-ex
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 
  
  [[email protected] ~]# firewall-cmd --zone=internal --list-all
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: br-in
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules:


4、設置NAT

[[email protected] ~]# firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o br-ex -j MASQUERADE -s 10.1.1.0/24
success
[[email protected] ~]# firewall-cmd --reload    #reload Firewall讓配置生效
success

5、給"br-in"設置IP地址

[[email protected] ~]# nmcli con modify br-in ipv4.addresses 10.1.1.254/24 autoconnect yes ipv4.method manual
[[email protected] ~]# nmcli con up br-in
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/50)
[[email protected] ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br-ex state UP qlen 1000
    link/ether 00:0c:29:07:82:16 brd ff:ff:ff:ff:ff:ff
3: ens36: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br-in state UP qlen 1000
    link/ether 00:0c:29:07:82:20 brd ff:ff:ff:ff:ff:ff
4: br-ex: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 00:0c:29:07:82:16 brd ff:ff:ff:ff:ff:ff
    inet 192.168.127.129/24 brd 192.168.127.255 scope global dynamic br-ex
       valid_lft 1512sec preferred_lft 1512sec
    inet6 fe80::2ab1:e7db:9af:27f/64 scope link 
       valid_lft forever preferred_lft forever
19: br-in: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN qlen 1000
    link/ether 00:0c:29:07:82:20 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.254/24 brd 10.1.1.255 scope global br-in
       valid_lft forever preferred_lft forever
[[email protected] ~]# 
#這個時候br-in還沒有完全UP起來,稍等幾秒鐘再看
[[email protected] ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br-ex state UP qlen 1000
    link/ether 00:0c:29:07:82:16 brd ff:ff:ff:ff:ff:ff
3: ens36: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br-in state UP qlen 1000
    link/ether 00:0c:29:07:82:20 brd ff:ff:ff:ff:ff:ff
4: br-ex: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 00:0c:29:07:82:16 brd ff:ff:ff:ff:ff:ff
    inet 192.168.127.129/24 brd 192.168.127.255 scope global dynamic br-ex
       valid_lft 1435sec preferred_lft 1435sec
    inet6 fe80::2ab1:e7db:9af:27f/64 scope link 
       valid_lft forever preferred_lft forever
19: br-in: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 00:0c:29:07:82:20 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.254/24 brd 10.1.1.255 scope global br-in
       valid_lft forever preferred_lft forever
    inet6 fe80::5bec:cd7f:9ae7:12a5/64 scope link 
       valid_lft forever preferred_lft forever
       
#可以看到br-in已經UP起來了


6、到win7中測試

技術分享

技術分享

這裏因為沒有在CentOS7裏配置DHCP服務,所以win7需要手動配置IP

支持NAT設置完成


7、端口映射


這裏從外網訪問win7的遠程桌面(TCP3389號端口)為例

再外網訪問192.168.127.129的3389號端口,Firewall會將流量轉給win7(10.1.1.2)

[[email protected] ~]# firewall-cmd --zone=external --add-forward-port=port=3389:proto=tcp:toport=3389:toaddr=10.1.1.2 --permanent 
success
[[email protected] ~]# firewall-cmd --reload 
success
[[email protected] ~]# firewall-cmd --zone=external --list-forward-ports 
port=3389:proto=tcp:toport=3389:toaddr=10.1.1.2
[[email protected] ~]#

配置win7的遠程桌面後驗證

技術分享

本文出自 “浪人” 博客,謝絕轉載!

CentOS7 Firewall NAT 及端口映射

相關推薦

CentOS7 Firewall NAT

centos7 firewall nat 端口映射本節介紹用CentOS7的Firewalll來做NAT以及端口映射實驗拓撲:因為我的環境裏CentOS7上有KVM虛擬機需要共享網卡上網,所以我把網卡都添加到了橋裏面,當然這裏也可以不用橋,直接用物理網口;用nmcli創建橋,並添加網口到橋;然後給橋設置IP地

iptables nat

兩種 設置問題 系統參數 ip訪問 原來 門戶網站 是什麽 最後一行 公網ip iptables nat及端口映射 發布: 2010-6-11 15:05 | 作者: admin | 來源: SF NetWork 門戶網站 iptables 應用初探(nat+三層訪問控制)

NAT靜態

NAT 端口映射端口映射是將一臺主機的內網IP地址映射成一個公網IP或者內網全局IP,當外網用戶訪問某一內網主機時,服務器將請求轉到本地局域網內部提供這種特定服務的主機;利用端口映射還可以將一臺外網IP地址機器的多個端口映射到內網的不同機器上的不同端口。端口映射分為動態和靜態,此處以靜態端口映射為例,針對如下

思科項目1實戰(vlan、靜態,單臂,浮動路由、vrrp/standby、nat,遠程等)

vlan vrrp 單臂路由 nat pc配地址:C1192.168.10.10192.168.10.1C2192.168.20.10192.168.20.1C3192.168.10.20192.168.10.1C4192.168.20.20192.168.20.1需求1:SW1(config

[VirtualBox] 1、NAT模式下

外網 question ... () 基礎知識 style network www 默認 1、VirtualBox中有4中網絡連接方式 VirtualBox中有4中網絡連接方式:NAT、Bridged Adapter、Internal、Host-only Adapt

達內NAT

達內 nat 端口映射 ipv4地址因為不夠用了,所以人們想出了好多緩解方案,其中就把ip地址分為公網ip和內網ip,其中內網ip是可以重復利用的,你家路由器網關是192.168.1.1,我家的路由器ip也可以是192.168.1.1。但是公網ip是外網唯一的,但我們內網跟外網通訊的時候,外網路由裏是沒

80被屏蔽解決方法,80穿透之NAT技術

sdn 映射 font statistic -c alt sso avi text 介紹一種NAT端口映射技術應用,達到80端口穿透目的,解決80端口被屏蔽的問題,也是80端口被屏蔽解決方法中經常用到的。 80端口穿透類似80端口轉發,因為80端口被屏蔽,在數據層面來說是

思科動態nat的應用,以及,外網的遠程管理,dhcp的架設

由器 routing 必須 註意 select 打開 add 遠程登錄 查找 動態nat的應用,以及端口映射,外網的遠程管理,dhcp的架設實驗拓撲圖:3.配置思路: 首先把內網配通,然後在網關設備R1上做nat的應用, #

iptables的nat表應用(默認路由指向、

查詢 localhost hat state icm cat ttl tab rop iptables nat表應用 nat表應用 A機器:雙網卡,ens33(ip:192.168.188.2)、ens37(ip:192.168.100.1),網卡ens33可以使用外網,

NAT

Linux win7 NAT端口映射 1、設置VMnet1,VMnet2 的IP;2、設置虛擬機win7的網絡;3、設置虛擬機Linux的網絡;4、建立拓補圖,模擬外網win7訪問內網Linux;5、配置路由器的兩端IP 6、配置NTA的端口模式,並啟用內外部端口的NTA;7訪問成功,ip和端口也

iptables filter表 案例、iptables nat表的路由功能 、

iptables linux filter linux iptables 具體詳解:http://www.cnblogs.com/nfyx/p/9017597.html 具體詳解:http://www.cnblogs.com/nfyx/p/9017597.htmliptable

ROS dst-nat限制訪問IP

ext sts 分享圖片 訪問限制 ros nat端口映射 ddr 進行 技術 需求:對外映射的端口希望能進行源IP訪問限制,這樣就能避免有些惡意的訪問或者掃描。一、映射...這個不多說了,網上一搜一大把!二、針對映射進行訪問限制:1、先做一些地址列表:firewall--

VMware NAT外網訪問虛擬機linux

src body centos etc 希望 有關 單擊 可能 什麽 本文目的: 一. SSH連接 二. 訪問HTTP    VMware Workstation提供了兩種虛擬機上網方式,一種bridge,一種NAT,bridge可以獲得公網地址,而NAT只能是內

PAT NAT

http div basic class 8.0 sharp 映射 pat nat group [Gw]acl 2000 #創建簡單ACL 編號2000 [Gw-acl-basic-2000]rule permit source 192.168.0.0 0.0.2

微信公眾號開發80解決方案

解決方案 微信開發 80端口映射 說明最近公司要搞微信公眾號開發,需要解決80端口映射的問題,看了網上好多老司機的方法,最終選擇ngrok比較符合公司的情況。微信公眾平臺開發,可參考:https://mp.weixin.qq.com/wiki 。微信公眾號接口只支持80接口。測試環境: wind

docker或啟動容器時報錯Error response from daemon: driver failed programming external connectivity on endpoint quirky_allen

prot 服務 sina des ram pla sys from localhost 現象: [[email protected] ~]# docker run -d -p 9000:80 centos:httpd /bin/sh -c /usr/local/

Docker(八):Docker

oot gre 指定 con 指定端口 docker ner 查看 names 1、隨機映射   docker run -P -d --name mynginx1 nginx   [[email protected] ~]# docker ps -l     CO

CPU的I/O和內存I/O

修改 繼續 進行 代碼 帶寬 中斷控制 讀寫操作 組成 地址 CPU在訪問內存時,通過數據總線和地址總線和內存交換信息,進行讀寫操作,這是內存映射I/O。 而當CPU訪問外接設備時,可通過內存映射和端口映射兩種方式進行I/O操作,通過內存映射訪問設備

淺談內存I/O(MMIO)與I/O(PMIO)的區別

processor order 不同 隔離 memory ref lang ng- same 最近在看NVMeDirect和SPDK的源碼,覺得有必要梳理一下MMIO和PMIO的區別。關於MMIO和PMIO,維基百科上是這麽講滴, Memory-mapped I/O (M

windows下開啟配置辦法

show 配置 nbsp nec window netsh show all 防火墻 映射 #1.添加一個端口映射 netsh interface portproxy add v4tov4 listenaddress=大網IP listenport=端口 connecta