Contents
I. Preparation
II. Connectivity tests before configuring the firewall
III. Results
1. pc1 on the internal network reaches the Internet through SNAT but cannot ping the internal gateway.
2. Server s1 on the internal network is published to the Internet through DNAT.
3. Internet host pc2 can reach the server in the s1 zone but cannot ping it or connect to it over SSH.
I. Preparation
1. Prepare four Rocky 8 virtual machines
2. Network plan
Internal host PC1 sits in the internal zone, network 192.168.1.0/24; pc1 address 192.168.1.1/24, gateway 192.168.1.254/24.
Server S1 sits in the server zone, network 192.168.2.0/24; s1 address 192.168.2.1/24, gateway 192.168.2.254/24.
PC2 sits in the Internet zone and stands in for the external Internet, network 10.0.0.0/8; pc2 address 10.0.0.1/8. pc2 is deliberately given no gateway: like a real Internet host it knows nothing about the private 192.168.x.0/24 networks, which is exactly why SNAT and DNAT are needed.
The Linux firewall has three NICs, one per zone: ens33 192.168.1.254/24 (internal zone), ens34 192.168.2.254/24 (server zone) and ens37 10.0.0.100/8 (Internet zone). These are the interface names the firewall VM actually shows in ip a below, and the rules in part III use ens37 as the Internet-facing interface.
Firewall requirements
1. pc1 on the internal network reaches the Internet through SNAT but cannot ping the internal gateway.
2. Server s1 on the internal network is published to the Internet through DNAT.
3. Internet host pc2 can reach the server in the s1 zone but cannot ping it or connect to it over SSH.
Virtual machine configuration
Internal network PC1
[root@pc1 ~]# cd /etc/sysconfig/network-scripts/
[root@pc1 network-scripts]# ls
ifcfg-ens33
[root@pc1 network-scripts]# vim ifcfg-ens33
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.1.1
PREFIX=24
GATEWAY=192.168.1.254
# Stop NetworkManager and firewalld and put SELinux in permissive mode; repeat this step on every VM below #
[root@pc1 network-scripts]# systemctl stop NetworkManager
[root@pc1 network-scripts]# systemctl stop firewalld
[root@pc1 network-scripts]# setenforce 0
# Two caveats. None of these three commands survives a reboot (systemctl disable --now would); that is fine for a lab. Stopping firewalld matters on the firewall itself, where firewalld would otherwise own the rule set and fight with the hand-written iptables rules; on the end hosts it only removes a second packet filter that could mask what sf1 is doing during the tests. setenforce 0 is not needed for any of the iptables work in this page and is done only to take SELinux out of the picture while troubleshooting; do not carry it over to a real firewall. #
[root@pc1 network-scripts]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:5b:74:6c brd ff:ff:ff:ff:ff:ff
    altname enp2s1
    inet 192.168.1.1/24 brd 192.168.1.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe5b:746c/64 scope link
       valid_lft forever preferred_lft forever
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:3f:34:5d brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
# virbr0 is libvirt's default bridge on the VM template; it plays no part in this lab #
Server s1
[root@s1 ~]# cd /etc/sysconfig/network-scripts/
[root@s1 network-scripts]# ls
ifcfg-ens33
[root@s1 network-scripts]# vim ifcfg-ens33
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.2.1
PREFIX=24
GATEWAY=192.168.2.254
# Stop NetworkManager and firewalld and set SELinux to permissive, as on pc1 #
[root@s1 network-scripts]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:65:02:34 brd ff:ff:ff:ff:ff:ff
    altname enp2s1
    inet 192.168.2.1/24 brd 192.168.2.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe65:234/64 scope link
       valid_lft forever preferred_lft forever
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:3f:34:5d brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
External network pc2
[root@pc2 ~]# cd /etc/sysconfig/network-scripts/
[root@pc2 network-scripts]# ls
ifcfg-ens33
[root@pc2 network-scripts]# vim ifcfg-ens33
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
DEVICE=ens33
ONBOOT=yes
IPADDR=10.0.0.1
PREFIX=8
# No GATEWAY line on purpose: pc2 models an Internet host that has no route to the private networks behind the firewall #
# Stop NetworkManager and firewalld and set SELinux to permissive, as on pc1 #
[root@pc2 network-scripts]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:97:34:23 brd ff:ff:ff:ff:ff:ff
    altname enp2s1
    inet 10.0.0.1/8 brd 10.255.255.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe97:3423/64 scope link
       valid_lft forever preferred_lft forever
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:3f:34:5d brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
Linux firewall sf1
## Add two more NICs to the firewall VM ##
[root@sf1 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:97:34:23 brd ff:ff:ff:ff:ff:ff
    altname enp2s1
    inet 192.168.58.133/24 brd 10.255.255.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe97:3423/64 scope link
       valid_lft forever preferred_lft forever
3: ens34: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 00:0c:29:97:34:2d brd ff:ff:ff:ff:ff:ff
    altname enp2s2
4: ens37: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 00:0c:29:97:34:37 brd ff:ff:ff:ff:ff:ff
    altname enp2s5
5: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:3f:34:5d brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
# The two new NICs show up as ens34 and ens37 (not ens35); the ifcfg file names and the iptables rules must use these names #
[root@sf1 ~]# cd /etc/sysconfig/network-scripts/
[root@sf1 network-scripts]# ls
ifcfg-有线连接_1  ifcfg-ens33
[root@sf1 network-scripts]# cp ifcfg-ens33 ifcfg-ens34
[root@sf1 network-scripts]# cp ifcfg-ens33 ifcfg-ens37
[root@sf1 network-scripts]# ls
ifcfg-有线连接_1  ifcfg-ens33  ifcfg-ens34  ifcfg-ens37
[root@sf1 network-scripts]# vim ifcfg-ens33
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.1.254
PREFIX=24
[root@sf1 network-scripts]# vim ifcfg-ens34
TYPE=Ethernet
BOOTPROTO=static
NAME=ens34
DEVICE=ens34
ONBOOT=yes
IPADDR=192.168.2.254
PREFIX=24
[root@sf1 network-scripts]# vim ifcfg-ens37
TYPE=Ethernet
BOOTPROTO=static
NAME=ens37
DEVICE=ens37
ONBOOT=yes
IPADDR=10.0.0.100
PREFIX=8
# Enable IPv4 forwarding on the firewall. Without it sf1 still answers on its own three addresses but never routes a packet from one zone to another, and none of the NAT rules below can work #
[root@sf1 ~]# vim /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.ip_forward = 1
# The file is only read at boot; load it into the running kernel with sysctl -p and check the result with sysctl net.ipv4.ip_forward (it must print 1) #
# Stop NetworkManager and firewalld and set SELinux to permissive, as on the other VMs #
[root@sf1 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:53:17:48 brd ff:ff:ff:ff:ff:ff
    altname enp2s1
    inet 192.168.1.254/24 brd 192.168.1.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe53:1748/64 scope link
       valid_lft forever preferred_lft forever
3: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:53:17:52 brd ff:ff:ff:ff:ff:ff
    altname enp2s2
    inet 192.168.2.254/24 brd 192.168.2.255 scope global noprefixroute ens34
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe53:1752/64 scope link
       valid_lft forever preferred_lft forever
4: ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:53:17:5c brd ff:ff:ff:ff:ff:ff
    altname enp2s5
    inet 10.0.0.100/8 brd 10.255.255.255 scope global noprefixroute ens37
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe53:175c/64 scope link
       valid_lft forever preferred_lft forever
5: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:3f:34:5d brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
Change the VMware network mode so that each zone is its own isolated virtual switch:
pc1: VMnet2
s1: VMnet3
pc2: VMnet4
sf1: ens33 on VMnet2, ens34 on VMnet3, ens37 on VMnet4
With this wiring the only path between any two zones runs through sf1, so every result in the tests below is the firewall's doing and not a side effect of a shared virtual network.
II. Connectivity tests before configuring the firewall
# pc1 connectivity test #
[root@pc1 ~]# ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=63 time=0.531 ms
64 bytes from 192.168.2.1: icmp_seq=2 ttl=63 time=0.683 ms
64 bytes from 192.168.2.1: icmp_seq=3 ttl=63 time=0.722 ms
64 bytes from 192.168.2.1: icmp_seq=4 ttl=63 time=1.20 ms
^C
--- 192.168.2.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3070ms
rtt min/avg/max/mdev = 0.531/0.784/1.202/0.252 ms
[root@pc1 ~]# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
^C
--- 10.0.0.1 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7190ms
[root@pc1 ~]# ping 10.0.0.100
PING 10.0.0.100 (10.0.0.100) 56(84) bytes of data.
64 bytes from 10.0.0.100: icmp_seq=1 ttl=64 time=0.254 ms
64 bytes from 10.0.0.100: icmp_seq=2 ttl=64 time=0.602 ms
64 bytes from 10.0.0.100: icmp_seq=3 ttl=64 time=0.374 ms
^C
--- 10.0.0.100 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2080ms
rtt min/avg/max/mdev = 0.254/0.410/0.602/0.144 ms
# ping 192.168.2.1 and ping 10.0.0.100 succeed, but ping 10.0.0.1 fails #
# Why: 192.168.2.1 answers with ttl=63, one hop down from 64, so the request really was forwarded through sf1 (ip_forward is on and both hosts use sf1 as their gateway). 10.0.0.100 is sf1's own address on a directly connected network (ttl=64). 10.0.0.1 fails even though sf1 forwards the request to pc2: pc2 has no route back to 192.168.1.0/24, so its reply is never sent. That missing return path is what SNAT fixes in part III. #
# s1 connectivity test #
[root@s1 ~]# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=63 time=0.537 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=63 time=1.78 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=63 time=0.746 ms
^C
--- 192.168.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2017ms
rtt min/avg/max/mdev = 0.537/1.020/1.777/0.542 ms
[root@s1 ~]# ping 10.0.0.100
PING 10.0.0.100 (10.0.0.100) 56(84) bytes of data.
64 bytes from 10.0.0.100: icmp_seq=1 ttl=64 time=0.311 ms
64 bytes from 10.0.0.100: icmp_seq=2 ttl=64 time=1.32 ms
64 bytes from 10.0.0.100: icmp_seq=3 ttl=64 time=0.426 ms
^C
--- 10.0.0.100 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2037ms
rtt min/avg/max/mdev = 0.311/0.687/1.324/0.452 ms
[root@s1 ~]# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
^C
--- 10.0.0.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2050ms
# ping 192.168.1.1 and ping 10.0.0.100 succeed, but ping 10.0.0.1 fails, for the same reason as on pc1 #
# pc2 connectivity test #
[root@pc2 ~]# ping 192.168.1.1
connect: Network is unreachable
[root@pc2 ~]# ping 192.168.2.1
connect: Network is unreachable
[root@pc2 ~]# ping 192.168.1.254
connect: Network is unreachable
[root@pc2 ~]# ping 192.168.2.254
connect: Network is unreachable
[root@pc2 ~]# ping 10.0.0.100
PING 10.0.0.100 (10.0.0.100) 56(84) bytes of data.
64 bytes from 10.0.0.100: icmp_seq=1 ttl=64 time=0.278 ms
64 bytes from 10.0.0.100: icmp_seq=2 ttl=64 time=0.280 ms
64 bytes from 10.0.0.100: icmp_seq=3 ttl=64 time=0.412 ms
64 bytes from 10.0.0.100: icmp_seq=4 ttl=64 time=0.565 ms
^C
--- 10.0.0.100 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3108ms
rtt min/avg/max/mdev = 0.278/0.383/0.565/0.120 ms
# ping 192.168.1.1, 192.168.2.1, 192.168.1.254 and 192.168.2.254 all fail, but ping 10.0.0.100 works #
# Why: "Network is unreachable" comes from pc2's own routing table, not from the firewall. pc2 has only the directly connected 10.0.0.0/8 route and no default gateway, so the kernel refuses to send anything to 192.168.x.x at all. 10.0.0.100 is on the same link and works. From the Internet side the private networks do not exist, which is the starting point the DNAT rule in part III has to work from. #
III. Results
1. pc1 on the internal network reaches the Internet through SNAT but cannot ping the internal gateway.
[root@sf1 ~]# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ens37 -j SNAT --to 10.0.0.100
[root@sf1 ~]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.1.0/24       0.0.0.0/0            to:10.0.0.100

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain LIBVIRT_PRT (0 references)
target     prot opt source               destination
# The rule rewrites the source address of every packet from 192.168.1.0/24 that leaves through ens37 to 10.0.0.100. pc2 now sees a neighbour on its own /8 and can reply; conntrack on sf1 maps the reply back to 192.168.1.1. The -o ens37 match is present but -nL does not display it; use iptables -t nat -nvL to see the interface columns. #
[root@pc1 ~]# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=63 time=2.23 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=63 time=0.915 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=63 time=1.53 ms
^C
--- 10.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2010ms
rtt min/avg/max/mdev = 0.915/1.559/2.229/0.537 ms
[root@pc1 ~]# curl 10.0.0.1
2025/02/04
# pc2 is running a web server (set up outside this page) whose index page contains the date above; the curl shows that TCP, not just ICMP, works through the SNAT #
[root@pc1 ~]# ping 192.168.1.254
PING 192.168.1.254 (192.168.1.254) 56(84) bytes of data.
64 bytes from 192.168.1.254: icmp_seq=1 ttl=64 time=0.265 ms
64 bytes from 192.168.1.254: icmp_seq=2 ttl=64 time=0.530 ms
64 bytes from 192.168.1.254: icmp_seq=3 ttl=64 time=0.390 ms
64 bytes from 192.168.1.254: icmp_seq=4 ttl=64 time=0.598 ms
^C
--- 192.168.1.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3111ms
rtt min/avg/max/mdev = 0.265/0.445/0.598/0.131 ms
[root@sf1 ~]# iptables -t filter -A INPUT -p icmp --icmp-type 8 -j DROP
[root@sf1 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain LIBVIRT_INP (0 references)
target     prot opt source               destination
[root@pc1 ~]# ping 192.168.1.254
PING 192.168.1.254 (192.168.1.254) 56(84) bytes of data.
^C
--- 192.168.1.254 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2048ms
[root@pc1 ~]# curl 10.0.0.1
2025/02/04
# ICMP type 8 is echo-request. The rule sits in the INPUT chain, so it only affects packets addressed to sf1 itself; traffic that sf1 forwards goes through FORWARD and is untouched, which is why curl 10.0.0.1 still works after the rule is in place. #
# Caveat: as written the rule matches echo-requests from every source to every address sf1 owns, so s1 and pc2 also lose the ability to ping the firewall, which is broader than requirement 1 and removes a useful troubleshooting tool. To implement the requirement literally, restrict it to the internal side: -i ens33 -s 192.168.1.0/24 -d 192.168.1.254. Also remember that iptables rules live only in kernel memory; save them with iptables-save (on Rocky 8 the iptables-services package provides service iptables save, which writes /etc/sysconfig/iptables) or they are gone after a reboot. #
2. Server s1 on the internal network is published to the Internet through DNAT.
[root@pc2 yum.repos.d]# curl 10.0.0.100
curl: (7) Failed to connect to 10.0.0.100 port 80: Connection refused
# Refused, not timed out: the packet reaches sf1, but sf1 itself has nothing listening on port 80 #
[root@sf1 ~]# iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.2.1:80
## or ##
[root@sf1 ~]# iptables -t nat -A PREROUTING -i ens37 -d 10.0.0.100 -p tcp --dport 80 -j DNAT --to-destination 192.168.2.1
[root@pc2 yum.repos.d]# curl 10.0.0.100
2025/6/3
# The page content differs from the 2025/02/04 that pc2 serves, so the answer really came from s1's web server #
# The two rules are not equivalent, and only the second one should be used. The first has no -i or -d match, so it rewrites every TCP packet to port 80 that enters sf1 on any interface, including pc1's outbound HTTP to 10.0.0.1: with that rule in place pc1's Internet browsing is silently redirected to s1. The second rule fires only for packets arriving on ens37 addressed to 10.0.0.100, which is what "publish s1 on the firewall's public address" means. If both were added in this order the first would match first and the second would never be reached, so pick one; and because DNAT happens in PREROUTING before the routing decision, a FORWARD rule (if the FORWARD policy is ever changed from ACCEPT) has to permit the packet with its already translated destination 192.168.2.1:80. #
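The rules above are typed one at a time and hold only in kernel memory. The script below is an added example (not part of the original post) that expresses all three requirements as one iptables-restore rule set, using the page's addresses and the firewall's real interface names (ens33 internal, ens34 server zone, ens37 Internet). It also includes a small lint that rejects the unscoped form of the DNAT rule discussed above. Several things in it are this example's own choices rather than the post's: the FORWARD chain defaults to DROP with explicit allows, conntrack is used for return traffic, requirement 3 is implemented with explicit drops for echo-request and TCP/22 from the Internet side, and the server zone is assumed not to initiate connections back into the internal network.

```shell
#!/bin/sh
# Added example, not code from the original post. Renders the lab's three
# requirements as an iptables-restore rule set and lints it before loading.
# Interface names and addresses follow the lab plan; the FORWARD policy,
# conntrack rules and explicit ICMP/SSH drops are this example's assumptions.
set -u

LAN_IF=ens33; LAN_NET=192.168.1.0/24; LAN_GW=192.168.1.254
DMZ_IF=ens34; DMZ_NET=192.168.2.0/24; S1=192.168.2.1
WAN_IF=ens37; WAN_IP=10.0.0.100

# Print the complete rule set in iptables-save/iptables-restore format.
gen_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Req 2: publish s1:80 on the public address. The -i/-d matches keep pc1's
# own outbound HTTP (also --dport 80) from being redirected to s1.
-A PREROUTING -i ${WAN_IF} -d ${WAN_IP} -p tcp --dport 80 -j DNAT --to-destination ${S1}:80
# Req 1: hide the internal network behind the public address.
-A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j SNAT --to-source ${WAN_IP}
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Req 1: pc1 may not ping its gateway. Scoped to the internal side, so s1
# and the Internet side keep ICMP to the firewall for troubleshooting.
-A INPUT -i ${LAN_IF} -s ${LAN_NET} -d ${LAN_GW} -p icmp --icmp-type echo-request -j DROP
# Return traffic for anything already allowed.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Internal hosts may initiate to the Internet and to the server zone.
-A FORWARD -i ${LAN_IF} -s ${LAN_NET} -o ${WAN_IF} -j ACCEPT
-A FORWARD -i ${LAN_IF} -s ${LAN_NET} -o ${DMZ_IF} -d ${DMZ_NET} -j ACCEPT
# Assumption: the server zone may initiate to the Internet, not into the LAN.
-A FORWARD -i ${DMZ_IF} -s ${DMZ_NET} -o ${WAN_IF} -j ACCEPT
# Req 3: from the Internet only the DNAT'ed web port reaches s1. Ping and SSH
# are dropped explicitly so the intent survives a later change of policy.
-A FORWARD -i ${WAN_IF} -o ${DMZ_IF} -d ${S1} -p icmp --icmp-type echo-request -j DROP
-A FORWARD -i ${WAN_IF} -o ${DMZ_IF} -d ${S1} -p tcp --dport 22 -j DROP
-A FORWARD -i ${WAN_IF} -o ${DMZ_IF} -d ${S1} -p tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# Reject a rule set (read from stdin) containing a DNAT rule that is not tied
# to an ingress interface and destination address, or a SNAT rule not tied to
# a source and egress interface. The first DNAT form in the post fails this.
lint_nat() {
    awk 'BEGIN { bad = 0 }
         /^-A/ && /-j DNAT/ && !(/ -i / && / -d /) { print "unscoped DNAT: " $0 > "/dev/stderr"; bad = 1 }
         /^-A/ && /-j SNAT/ && !(/ -s / && / -o /) { print "unscoped SNAT: " $0 > "/dev/stderr"; bad = 1 }
         END { exit bad }'
}

# Usage: sh firewall.sh print   -> review the rule set
#        sh firewall.sh load    -> lint, enable forwarding, load atomically (root on sf1)
case "${1:-}" in
    print) gen_rules ;;
    load)
        gen_rules | lint_nat || exit 1
        sysctl -w net.ipv4.ip_forward=1 >/dev/null
        gen_rules | iptables-restore
        ;;
esac
```

Loading with iptables-restore replaces the whole table in one step, so there is no window where half the rules are in place, and the same text can be written to /etc/sysconfig/iptables for the iptables-services unit to restore at boot. Running the load step with firewalld stopped is required, as the page does, because firewalld would otherwise overwrite these tables.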