Requirement:
There are two servers. One has an Elastic IP (EIP) bound to it, the other does not; the host on the private network needs to reach the internet by going out through the EIP host.
CentOS 7: internet access via SNAT
1. Add a static route in the VPC route table
2. Enable kernel IP forwarding on the host that has the EIP
3. Enable firewalld masquerading (masquerade: yes)
Start the firewall
systemctl start firewalld
systemctl status firewalld
systemctl enable firewalld
firewall-cmd --list-all
firewall-cmd --zone=public --add-port=22/tcp --permanent
firewall-cmd --reload
firewall-cmd --list-all
Enable IP masquerading (i.e. port forwarding)
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload
Enable kernel IP forwarding
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p
[root@git ~]# firewall-cmd --list-all
You're performing an operation over default zone ('public'),
but your connections/interfaces are in zone 'docker' (see --get-active-zones)
You most likely need to use --zone=docker option.
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports: 10445/udp 10445/tcp 10444/tcp 10443/tcp 22/tcp 80/tcp 443/tcp 6379/tcp 11211/tcp 18080/tcp 8081/tcp 32000/tcp 41598/tcp 4434/tcp 3343/tcp
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
CentOS 6: internet access via SNAT
1. Add a static route in the VPC route table
2. Enable kernel IP forwarding on the host that has the EIP
3. Add an iptables SNAT rule for the forwarded traffic
Enable kernel IP forwarding
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p
[root@iZuf6coskvbx8g5u1kqdq5Z ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@iZuf6coskvbx8g5u1kqdq5Z ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
Save the rules to the system rules file
service iptables save
Add the SNAT rule
VPC CIDR: 172.29.112.0/20
Private IP of the EIP host: 172.29.114.240
First check whether the rule already exists
[root@iZuf6coskvbx8g5u1kqdq5Z ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Thu Feb 22 14:40:20 2024
*filter
:INPUT ACCEPT [94:23428]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [93:18194]
COMMIT
# Completed on Thu Feb 22 14:40:20 2024
Add the SNAT rule
iptables -t nat -I POSTROUTING -s 172.29.112.0/20 -j SNAT --to-source 172.29.114.240
[root@iZuf6coskvbx8g5u1kqdq5Z ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@iZuf6coskvbx8g5u1kqdq5Z ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Thu Feb 22 14:43:51 2024
*nat
:PREROUTING ACCEPT [4:276]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [6:1936]
-A POSTROUTING -s 172.29.112.0/20 -j SNAT --to-source 172.29.114.240
COMMIT
# Completed on Thu Feb 22 14:43:51 2024
# Generated by iptables-save v1.4.7 on Thu Feb 22 14:43:51 2024
*filter
:INPUT ACCEPT [836:167899]
:FORWARD ACCEPT [257:20300]
:OUTPUT ACCEPT [981:275726]
COMMIT
# Completed on Thu Feb 22 14:43:51 2024
[root@iZuf6coskvbx8g5u1kqdq5Z ~]# cat /etc/sysconfig/iptables |grep SNAT
-A POSTROUTING -s 172.29.112.0/20 -j SNAT --to-source 172.29.114.240
Verify from the private-network host
[root@iZuf6coskvbx8g5u1kqdq4Z ~]# curl www.qq.com
<html>
<head><title>302 Found</title></head>
<body>
<center><h1>302 Found</h1></center>
<hr><center>stgw</center>
</body>
</html>
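The steps above (check for the existing rule, enable ip_forward, insert the SNAT rule, save) are easy to get wrong when repeated by hand, so here is an added example script, not part of the original notes, that applies them idempotently and verifies each piece. The VPC CIDR and EIP-host private IP default to the values in the notes; the sample iptables-save, sysctl.conf and firewall-cmd output embedded below are constructed to mirror the dumps shown on this page, and with DRY_RUN=1 (the default) the script only prints the commands it would run, so it can be reviewed on a machine without iptables.

```shell
#!/bin/sh
# Added example (not from the original notes): idempotent SNAT setup helper.
# Assumptions: VPC_CIDR / EIP_HOST_IP default to the post's values; DRY_RUN=1
# never touches the system and works from the constructed samples below.

VPC_CIDR="${VPC_CIDR:-172.29.112.0/20}"
EIP_HOST_IP="${EIP_HOST_IP:-172.29.114.240}"
DRY_RUN="${DRY_RUN:-1}"

# Constructed sample: nat table before the rule exists (only the counters).
SAMPLE_NAT_BEFORE='*nat
:PREROUTING ACCEPT [4:276]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [6:1936]
COMMIT'

# Constructed sample: nat table after the rule from the notes was added.
SAMPLE_NAT_AFTER='*nat
:PREROUTING ACCEPT [4:276]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [6:1936]
-A POSTROUTING -s 172.29.112.0/20 -j SNAT --to-source 172.29.114.240
COMMIT'

# Constructed sample /etc/sysctl.conf that does NOT yet enable forwarding.
SAMPLE_SYSCTL='# Kernel sysctl configuration file
net.ipv4.tcp_syncookies = 1'

# Constructed sample of "firewall-cmd --list-all" (CentOS 7 path).
SAMPLE_FIREWALLD='public
  target: default
  interfaces:
  masquerade: yes
  forward-ports:'

# Accept only dotted-quad/prefix notation with a 0-32 prefix, so a typo is
# rejected before it reaches iptables.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# 0 if the iptables-save text ($1) already holds the exact SNAT rule for
# source CIDR $2 and --to-source IP $3 (the same check as "grep SNAT" above).
snat_rule_present() {
    printf '%s\n' "$1" | grep -Fxq -- "-A POSTROUTING -s $2 -j SNAT --to-source $3"
}

# 0 if the sysctl.conf text ($1) sets net.ipv4.ip_forward = 1 on an
# uncommented line.
ip_forward_enabled_in_conf() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$'
}

# 0 if a "firewall-cmd --list-all" dump ($1) reports masquerade: yes.
masquerade_enabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*masquerade:[[:space:]]*yes[[:space:]]*$'
}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "[dry-run] $*"; else "$@"; fi
}

# CentOS 6 path: kernel forwarding, then the SNAT rule, each only if missing.
apply_snat() {
    valid_cidr "$VPC_CIDR" || { echo "bad CIDR: $VPC_CIDR" >&2; return 1; }
    if [ "$DRY_RUN" = "1" ]; then
        conf="$SAMPLE_SYSCTL"; dump="$SAMPLE_NAT_BEFORE"
    else
        conf="$(cat /etc/sysctl.conf)"; dump="$(iptables-save -t nat)"
    fi
    if ip_forward_enabled_in_conf "$conf"; then
        echo "ip_forward already enabled in /etc/sysctl.conf"
    else
        run sh -c 'echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf'
        run sysctl -p
    fi
    if snat_rule_present "$dump" "$VPC_CIDR" "$EIP_HOST_IP"; then
        echo "SNAT rule already present, nothing to do"
    else
        run iptables -t nat -I POSTROUTING -s "$VPC_CIDR" -j SNAT --to-source "$EIP_HOST_IP"
        run service iptables save
    fi
}

# Usage: review with "sh snat_setup.sh apply", then "DRY_RUN=0 sh snat_setup.sh apply".
if [ "${1:-}" = "apply" ]; then apply_snat; fi
```

Two things worth checking with these helpers that the page's own output hints at: the `firewall-cmd --list-all` dump above warns that the interfaces are in zone 'docker' while masquerade was enabled on 'public', so run `masquerade_enabled` against the output for the active zone (`--get-active-zones`) rather than the default one; and the `iptables -L` output shows `Chain FORWARD (policy ACCEPT)`, which means every forwarded packet is allowed, not only traffic from the VPC CIDR, so the SNAT rule is the only thing scoping this gateway.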