侧边栏壁纸
博主头像
laoliyun

生活总是这样,不能叫人处处都满意,但我们还要热情地活下去,人活一生值得爱的东西很多,不要因为一个不满意就灰心。

  • 累计撰写 133 篇文章
  • 累计创建 44 个标签
  • 累计收到 0 条评论

目 录CONTENT

文章目录

CentOS 通过snat进行上网

laoliyun
2024-02-22 / 0 评论 / 0 点赞 / 330 阅读 / 709 字
温馨提示:
本文最后更新于 2024-02-22,若内容或图片失效,请留言反馈。部分素材来自网络,若不小心影响到您的利益,请联系我们删除。

需求:#
有两台服务器,一台绑定了弹性公网IP,另外一台没有,需要内网服务器通过有弹性ip的机器代理进行上网。

CentOS7 通过snat进行上网
1开启专有网络VPC路由表静态路由
2启动带有EIP主机的服务器内核转发
3启动firewalld端口转发 masquerade: yes

启动防火墙
systemctl start firewalld      
systemctl status firewalld      
systemctl enable firewalld

firewall-cmd  --list-all

firewall-cmd --zone=public --add-port=22/tcp --permanent
firewall-cmd --reload

firewall-cmd  --list-all

开启IP伪装(也就是端口转发)
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload

开启系统内核转发
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p
[root@git ~]# firewall-cmd --list-all
You're performing an operation over default zone ('public'),
but your connections/interfaces are in zone 'docker' (see --get-active-zones)
You most likely need to use --zone=docker option.

public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  ports: 10445/udp 10445/tcp 10444/tcp 10443/tcp 22/tcp 80/tcp 443/tcp 6379/tcp 11211/tcp 18080/tcp 8081/tcp 32000/tcp 41598/tcp 4434/tcp 3343/tcp
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

CentOS6 通过snat进行上网
1开启专有网络VPC路由表静态路由
2启动带有EIP主机的服务器内核转发
3启动Iiptables SNAT端口转发

开启系统内核转发
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p

[root@iZuf6coskvbx8g5u1kqdq5Z ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@iZuf6coskvbx8g5u1kqdq5Z ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

保存规则到系统规则文件内
service iptables save

添加SNAT规则
专有网络:172.29.112.0/20
EIP服务器内网ip:172.29.114.240

先查看规则有没有
[root@iZuf6coskvbx8g5u1kqdq5Z ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Thu Feb 22 14:40:20 2024
*filter
:INPUT ACCEPT [94:23428]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [93:18194]
COMMIT
# Completed on Thu Feb 22 14:40:20 2024

添加snat规则
iptables -t nat -I POSTROUTING -s 172.29.112.0/20 -j SNAT --to-source 172.29.114.240
[root@iZuf6coskvbx8g5u1kqdq5Z ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@iZuf6coskvbx8g5u1kqdq5Z ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Thu Feb 22 14:43:51 2024
*nat
:PREROUTING ACCEPT [4:276]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [6:1936]
-A POSTROUTING -s 172.29.112.0/20 -j SNAT --to-source 172.29.114.240 
COMMIT
# Completed on Thu Feb 22 14:43:51 2024
# Generated by iptables-save v1.4.7 on Thu Feb 22 14:43:51 2024
*filter
:INPUT ACCEPT [836:167899]
:FORWARD ACCEPT [257:20300]
:OUTPUT ACCEPT [981:275726]
COMMIT
# Completed on Thu Feb 22 14:43:51 2024
[root@iZuf6coskvbx8g5u1kqdq5Z ~]# cat /etc/sysconfig/iptables |grep SNAT
-A POSTROUTING -s 172.29.112.0/20 -j SNAT --to-source 172.29.114.240 
内网主机验证效果
[root@iZuf6coskvbx8g5u1kqdq4Z ~]# curl www.qq.com
<html>
<head><title>302 Found</title></head>
<body>
<center><h1>302 Found</h1></center>
<hr><center>stgw</center>
</body>
</html>

https://www.cnblogs.com/wiseo/p/13997948.html

0

评论区