Centos

CentOS iptables NAT,客戶端無法從區域網路連接到廣域網

  • December 4, 2018

我有以下配置:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
   inet 127.0.0.1/8 scope host lo
      valid_lft forever preferred_lft forever
   inet6 ::1/128 scope host 
      valid_lft forever preferred_lft forever
2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
   link/ether 00:e0:4c:68:31:a8 brd ff:ff:ff:ff:ff:ff
   inet 192.168.3.1/24 brd 192.168.3.255 scope global enp2s0
      valid_lft forever preferred_lft forever
   inet6 fe80::2e0:4cff:fe68:31a8/64 scope link 
      valid_lft forever preferred_lft forever
3: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
   link/ether 00:e0:4c:68:31:a9 brd ff:ff:ff:ff:ff:ff
   inet 192.168.1.130/24 brd 192.168.1.255 scope global noprefixroute dynamic enp3s0
      valid_lft 85920sec preferred_lft 85920sec
   inet6 fe80::b8df:4b68:a402:677c/64 scope link noprefixroute 
      valid_lft forever preferred_lft forever
  • enp3s0 是廣域網
  • enp2s0 是連接到客戶端 PC 的本地網路。

我想做它,以便客戶端可以訪問網際網路。目前連接到 enp2s0 的客戶端可以 ping 伺服器,反之亦然。

我已經執行了命令

echo 1 > /proc/sys/net/ipv4/ip_forward

並確保已設置並遵循此處的說明:https ://www.revsys.com/writings/quicktips/nat.html

sudo iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE
sudo iptables -A FORWARD -i enp3s0 -o enp2s0 -m state  --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i enp2s0 -o enp3s0 -j ACCEPT

我已經重新連接了客戶端(不確定是否有必要)並嘗試連接到伺服器之外:

$ ping google.com
ping: google.com: Temporary failure in name resolution

$ ping 8.8.8.8
connect: Network is unreachable

其他教程建議只執行第一行sudo iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE。我在執行後兩個步驟之前嘗試連接,但沒有什麼不同。

我還需要做些什麼來創建 NAT 以便客戶端可以訪問網際網路嗎?

編輯:預設路線也是正確的:

$ ip route
default via 192.168.1.1 dev enp3s0 proto dhcp metric 100 
169.254.0.0/16 dev enp2s0 scope link metric 1002 
192.168.1.0/24 dev enp3s0 proto kernel scope link src 192.168.1.130 metric 100 
192.168.3.0/24 dev enp2s0 proto kernel scope link src 192.168.3.1 

iptables -L 的輸出是:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
INPUT_direct  all  --  anywhere             anywhere            
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere            
INPUT_ZONES  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
FORWARD_direct  all  --  anywhere             anywhere            
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere            
FORWARD_IN_ZONES  all  --  anywhere             anywhere            
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere            
FORWARD_OUT_ZONES  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
OUTPUT_direct  all  --  anywhere             anywhere            

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination         
FWDI_public  all  --  anywhere             anywhere            [goto] 
FWDI_public  all  --  anywhere             anywhere            [goto] 
FWDI_public  all  --  anywhere             anywhere            [goto] 

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination         
FWDO_public  all  --  anywhere             anywhere            [goto] 
FWDO_public  all  --  anywhere             anywhere            [goto] 
FWDO_public  all  --  anywhere             anywhere            [goto] 

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_direct (1 references)
target     prot opt source               destination         

Chain FWDI_public (3 references)
target     prot opt source               destination         
FWDI_public_log  all  --  anywhere             anywhere            
FWDI_public_deny  all  --  anywhere             anywhere            
FWDI_public_allow  all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            

Chain FWDI_public_allow (1 references)
target     prot opt source               destination         

Chain FWDI_public_deny (1 references)
target     prot opt source               destination         

Chain FWDI_public_log (1 references)
target     prot opt source               destination         

Chain FWDO_public (3 references)
target     prot opt source               destination         
FWDO_public_log  all  --  anywhere             anywhere            
FWDO_public_deny  all  --  anywhere             anywhere            
FWDO_public_allow  all  --  anywhere             anywhere            

Chain FWDO_public_allow (1 references)
target     prot opt source               destination         

Chain FWDO_public_deny (1 references)
target     prot opt source               destination         

Chain FWDO_public_log (1 references)
target     prot opt source               destination         

Chain INPUT_ZONES (1 references)
target     prot opt source               destination         
IN_public  all  --  anywhere             anywhere            [goto] 
IN_public  all  --  anywhere             anywhere            [goto] 
IN_public  all  --  anywhere             anywhere            [goto] 

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain INPUT_direct (1 references)
target     prot opt source               destination         

Chain IN_public (3 references)
target     prot opt source               destination         
IN_public_log  all  --  anywhere             anywhere            
IN_public_deny  all  --  anywhere             anywhere            
IN_public_allow  all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            

Chain IN_public_allow (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW

Chain IN_public_deny (1 references)
target     prot opt source               destination         

Chain IN_public_log (1 references)
target     prot opt source               destination         

Chain OUTPUT_direct (1 references)
target     prot opt source               destination 

您需要忽略並撤消基於過時教程所做的更改。

您正在使用帶有 firewalld 的 CentOS 7,所以您需要做的就是告訴 firewalld 在與您的外部介面對應的區域上啟用偽裝。

firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 masquerade' [--permanent]

(看看為什麼我不推薦使用--add-masquerade

您還需要將內部介面分配給除public. 編輯/etc/sysconfig/network-scripts/ifcfg-enp2s0和設置ZONE=internal或其他一些區域。

引用自:https://serverfault.com/questions/939477