CentOS iptables NAT: clients cannot connect from the LAN to the WAN
I have the following configuration:
```
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:e0:4c:68:31:a8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.1/24 brd 192.168.3.255 scope global enp2s0
       valid_lft forever preferred_lft forever
    inet6 fe80::2e0:4cff:fe68:31a8/64 scope link
       valid_lft forever preferred_lft forever
3: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:e0:4c:68:31:a9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.130/24 brd 192.168.1.255 scope global noprefixroute dynamic enp3s0
       valid_lft 85920sec preferred_lft 85920sec
    inet6 fe80::b8df:4b68:a402:677c/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
```
- enp3s0 is the WAN
- enp2s0 is the local network connected to the client PCs.
I want to set it up so that the clients can reach the Internet. Currently the clients connected to enp2s0 can ping the server, and vice versa.
I have run the command
```
echo 1 > /proc/sys/net/ipv4/ip_forward
```
and made sure it is set, and I followed the instructions here: https://www.revsys.com/writings/quicktips/nat.html
```
sudo iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE
sudo iptables -A FORWARD -i enp3s0 -o enp2s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i enp2s0 -o enp3s0 -j ACCEPT
```
I have reconnected the client (not sure whether that is necessary) and tried to connect beyond the server:
```
$ ping google.com
ping: google.com: Temporary failure in name resolution
$ ping 8.8.8.8
connect: Network is unreachable
```
Other tutorials suggest running only the first line,
```
sudo iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE
```
I tried connecting before running the last two steps, but it made no difference. Is there anything else I need to do to create the NAT so that the clients can reach the Internet?
Edit: the default route is also correct:
```
$ ip route
default via 192.168.1.1 dev enp3s0 proto dhcp metric 100
169.254.0.0/16 dev enp2s0 scope link metric 1002
192.168.1.0/24 dev enp3s0 proto kernel scope link src 192.168.1.130 metric 100
192.168.3.0/24 dev enp2s0 proto kernel scope link src 192.168.3.1
```
The output of iptables -L is:
```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
INPUT_direct  all  --  anywhere             anywhere
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere
INPUT_ZONES  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
FORWARD_direct  all  --  anywhere             anywhere
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_IN_ZONES  all  --  anywhere             anywhere
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_OUT_ZONES  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
OUTPUT_direct  all  --  anywhere             anywhere

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination
FWDI_public  all  --  anywhere             anywhere            [goto]
FWDI_public  all  --  anywhere             anywhere            [goto]
FWDI_public  all  --  anywhere             anywhere            [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination
FWDO_public  all  --  anywhere             anywhere            [goto]
FWDO_public  all  --  anywhere             anywhere            [goto]
FWDO_public  all  --  anywhere             anywhere            [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_direct (1 references)
target     prot opt source               destination

Chain FWDI_public (3 references)
target     prot opt source               destination
FWDI_public_log  all  --  anywhere             anywhere
FWDI_public_deny  all  --  anywhere             anywhere
FWDI_public_allow  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere

Chain FWDI_public_allow (1 references)
target     prot opt source               destination

Chain FWDI_public_deny (1 references)
target     prot opt source               destination

Chain FWDI_public_log (1 references)
target     prot opt source               destination

Chain FWDO_public (3 references)
target     prot opt source               destination
FWDO_public_log  all  --  anywhere             anywhere
FWDO_public_deny  all  --  anywhere             anywhere
FWDO_public_allow  all  --  anywhere             anywhere

Chain FWDO_public_allow (1 references)
target     prot opt source               destination

Chain FWDO_public_deny (1 references)
target     prot opt source               destination

Chain FWDO_public_log (1 references)
target     prot opt source               destination

Chain INPUT_ZONES (1 references)
target     prot opt source               destination
IN_public  all  --  anywhere             anywhere            [goto]
IN_public  all  --  anywhere             anywhere            [goto]
IN_public  all  --  anywhere             anywhere            [goto]

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain INPUT_direct (1 references)
target     prot opt source               destination

Chain IN_public (3 references)
target     prot opt source               destination
IN_public_log  all  --  anywhere             anywhere
IN_public_deny  all  --  anywhere             anywhere
IN_public_allow  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere

Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW

Chain IN_public_deny (1 references)
target     prot opt source               destination

Chain IN_public_log (1 references)
target     prot opt source               destination

Chain OUTPUT_direct (1 references)
target     prot opt source               destination
```
You need to ignore, and undo, the changes you made based on that outdated tutorial.
You are on CentOS 7 with firewalld, so all you need to do is tell firewalld to enable masquerading on the zone that corresponds to your external interface:
```
firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 masquerade' [--permanent]
```
You also need to assign the internal interface to a zone other than public. Edit /etc/sysconfig/network-scripts/ifcfg-enp2s0 and set ZONE=internal, or some other zone.
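As an added example (not code from the question or from the answer above), the script below carries out the answer's steps on a CentOS 7 firewalld host in one go: it removes the hand-added iptables rules, persists IP forwarding across reboots, moves the LAN interface into the internal zone and enables masquerading on the public zone, then checks the resulting zone assignment. It uses `firewall-cmd --change-interface` in place of hand-editing ifcfg-enp2s0 and `--add-masquerade` in place of the rich rule; both are standard firewall-cmd options with the same effect as the answer's instructions. The interface names, the choice of the internal zone, the sysctl.d file name and the DRY_RUN switch are assumptions; by default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example: firewalld NAT set-up for a two-NIC CentOS 7 box.
# Assumptions: WAN NIC enp3s0 (zone public), LAN NIC enp2s0 (to go into zone
# internal), run as root. DRY_RUN=1 (the default) prints commands instead of
# executing them; DRY_RUN=0 applies them.
WAN="${WAN:-enp3s0}"
LAN="${LAN:-enp2s0}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The rules from the old tutorial sit beside firewalld's own chains and must
# go. -D deletes one exact copy each; a missing rule is not an error here.
undo_manual_rules() {
    run iptables -t nat -D POSTROUTING -o "$WAN" -j MASQUERADE || :
    run iptables -D FORWARD -i "$WAN" -o "$LAN" -m state --state RELATED,ESTABLISHED -j ACCEPT || :
    run iptables -D FORWARD -i "$LAN" -o "$WAN" -j ACCEPT || :
}

# echo 1 > /proc/sys/net/ipv4/ip_forward is lost on reboot; persist it.
# The drop-in file name is an assumption.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
    run sh -c "printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-nat.conf"
}

# Put each NIC in its zone (the permanent form records ZONE= for
# NetworkManager-managed interfaces), enable masquerade on the WAN zone
# and load the permanent configuration into the running one.
configure_firewalld() {
    run firewall-cmd --permanent --zone=internal --change-interface="$LAN"
    run firewall-cmd --permanent --zone=public --change-interface="$WAN"
    run firewall-cmd --permanent --zone=public --add-masquerade
    run firewall-cmd --reload
}

# Read `firewall-cmd --get-active-zones` output on stdin and print the zone
# that holds interface $1. The output format is one zone name per line
# followed by an indented "interfaces: a b c" line. Exit 1 if not found.
zone_of() {
    awk -v nic="$1" '
        /^[^ ]/ { zone = $1; next }
        /^ +interfaces:/ { for (i = 2; i <= NF; i++) if ($i == nic) { print zone; found = 1; exit } }
        END { exit !found }
    '
}

# Only meaningful on a real host: confirm the LAN NIC left the public zone.
verify_zones() {
    [ "$DRY_RUN" = 1 ] && return 0
    lan_zone=$(firewall-cmd --get-active-zones | zone_of "$LAN") || lan_zone=none
    if [ "$lan_zone" = public ] || [ "$lan_zone" = none ]; then
        echo "ERROR: $LAN is in zone '$lan_zone', expected internal" >&2
        return 1
    fi
    echo "$LAN is in zone $lan_zone; masquerade on public: $(firewall-cmd --zone=public --query-masquerade)"
}

configure_nat() {
    undo_manual_rules
    enable_forwarding
    configure_firewalld
    verify_zones
}

configure_nat
```

Run it once with the default DRY_RUN=1 to review the plan, then `DRY_RUN=0 sh nat.sh` as root to apply it. One caveat from the question's own output: `connect: Network is unreachable` when pinging 8.8.8.8 is produced on the client and means the client has no route for that destination, so the client also needs 192.168.3.1 as its default gateway, and the name-resolution failure means it has no DNS server configured; no server-side NAT rule changes either of those.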