自由屋推书网—热门的小说推荐平台!

你的位置: 首页 > linux

CentOS7配置iptables端口映射实现将客户端与另一台主机内的虚拟机服务连接

2022-05-07 15:31:44

各位看官朋友有没有遇到过这种访问情况: 自己有一台笔记本电脑A,还有一台主机B。自己把主机B刷成了linux服务器系统,并且在服务器内安装创建了一台KVM虚拟服务器C。 而这时需要用A连接访问C的部分服务功能,但是A只能访问B,而B却可以访问C,因为C桥接的是B的网卡可以访问互联网和A的地址,但是A却无法访问C。 这时候需要通过B的防火墙端口将A的访问转发给C。

使用的服务器版本:CentOS7

1、查看CentOS内核转发:

net.ipv4.ip_forward = 1还是0 (1为开启)

[root@localhost ~]# sysctl -a | grep "ip_forward"
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.eth0.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
sysctl: reading key "net.ipv6.conf.virbr0.stable_secret"
sysctl: reading key "net.ipv6.conf.virbr0-nic.stable_secret"
sysctl: reading key "net.ipv6.conf.vnet0.stable_secret"

手动写死开启状态,编辑sysctl.conf文件,将net.ipv4.ip_forward = 1 添加:

[root@localhost ~]# cat /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).

net.ipv4.ip_forward = 1
[root@localhost ~]# sysctl -p
net.ipv4.ip_forward = 1

2、查看iptables防火墙状态:

[root@localhost ~]# systemctl status iptables.service
Unit iptables.service could not be found.
[root@localhost ~]# systemctl status iptables
Unit iptables.service could not be found.
#没有该服务,需要使用yum安装iptables服务

[root@localhost ~]# yum makecache
已加载插件:fastestmirror, langpacks
base | 3.6 kB00:00:00
extras | 2.9 kB00:00:00
updates| 2.9 kB00:00:00
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
元数据缓存已建立
[root@localhost ~]# yum install iptables-services -y
已加载插件:fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
正在解决依赖关系
--> 正在检查事务
---> 软件包 iptables-services.x86_64.0.1.4.21-35.el7 将被 安装
--> 正在处理依赖关系 iptables = 1.4.21-35.el7,它被软件包 iptables-services-1.4.21-35.el7.x86_64 需要
--> 正在检查事务
---> 软件包 iptables.x86_64.0.1.4.21-18.0.1.el7.centos 将被 升级
---> 软件包 iptables.x86_64.0.1.4.21-35.el7 将被 更新
--> 解决依赖关系完成

依赖关系解决

======================================================================================================================== Package架构版本源 大小
========================================================================================================================正在安装:
 iptables-servicesx86_641.4.21-35.el7 base 52 k
为依赖而更新:
 iptables x86_641.4.21-35.el7 base432 k

事务概要
========================================================================================================================安装1 软件包
升级 ( 1 依赖软件包)

总下载量:485 k
Downloading packages:
No Presto metadata available for base
(1/2): iptables-services-1.4.21-35.el7.x86_64.rpm|52 kB00:00:00
(2/2): iptables-1.4.21-35.el7.x86_64.rpm | 432 kB00:00:06
------------------------------------------------------------------------------------------------------------------------总计 76 kB/s | 485 kB00:00:06
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
正在更新: iptables-1.4.21-35.el7.x86_64 1/3
正在安装: iptables-services-1.4.21-35.el7.x86_642/3
清理: iptables-1.4.21-18.0.1.el7.centos.x86_643/3
验证中: iptables-services-1.4.21-35.el7.x86_641/3
验证中: iptables-1.4.21-35.el7.x86_64 2/3
验证中: iptables-1.4.21-18.0.1.el7.centos.x86_643/3

已安装:
iptables-services.x86_64 0:1.4.21-35.el7

作为依赖被升级:
iptables.x86_64 0:1.4.21-35.el7

完毕!
[root@localhost ~]# systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
 Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
 Active: inactive (dead)

查看 防火墙状态:

[root@localhost ~]# systemctl start iptables.service
[root@localhost ~]# systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
 Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
 Active: active (exited) since 五 2022-05-06 13:04:24 CST; 1s ago
Process: 6198 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 6198 (code=exited, status=0/SUCCESS)

5月 06 13:04:24 localhost.localdomain systemd[1]: Starting IPv4 firewall with iptables...
5月 06 13:04:24 localhost.localdomain iptables.init[6198]: iptables: Applying firewall rules: [确定]
5月 06 13:04:24 localhost.localdomain systemd[1]: Started IPv4 firewall with iptables.

3、查看iptables访问策略列表:(可以看到目前是没有策略的,下面需要增加策略配置)

[root@localhost ~]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

增加一条DNAT策略:

[root@localhost ~]# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 31447 -j DNAT --to 192.168.122.10:1521
[root@localhost ~]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp--0.0.0.0/00.0.0.0/0tcp dpt:31447 to:192.168.122.10:1521

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

再增加一条SNAT最终转发链策略:

[root@localhost ~]# iptables -t nat -A POSTROUTING -s 192.168.122.0/24 -j SNAT --to-source 192.168.0.200
[root@localhost ~]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp--0.0.0.0/00.0.0.0/0tcp dpt:31447 to:192.168.122.10:1521

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all--192.168.122.0/24 0.0.0.0/0to:192.168.0.200

现在B主机的端口转发策略已经配置完成,可以进入C虚拟主机内开启相对应的服务和端口,我在B上配置的端口是B的31447到C的1521,很明显我是映射的数据库访问端口。那么现在开启C的1521端口来提供数据库访问:

[root@localhost ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

[root@localhost ~]# firewall-cmd --add-port=1521/tcp
success
[root@localhost ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports: 1521/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

现在C开启了1521端口。

4、使用相关访问工具连接C的数据库服务:

这里我就不给大家配图的 就是在A的工具上配置目标地址为B的IP地址,目标端口配置为B的映射端口:31447,注意不是1521,1521是通过B的31447端口转发过去的。配置完成后我们可以在C上查看一下本地网络端口情况:

[oracle@localhost ~]$ netstat -anptu | grep 1521
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp00 127.0.0.1:38026 127.0.0.1:1521ESTABLISHED 8033/ora_lreg_orcl
tcp6 00 :::1521 :::*LISTEN8345/tnslsnr
tcp6 00 127.0.0.1:1521127.0.0.1:38026 ESTABLISHED 8345/tnslsnr
tcp6 00 192.168.122.10:1521 192.168.0.198:55992 ESTABLISHED 8655/oracleorcl
#可以看到,这里最后有个192.168.0.198到的地址,是我的笔记本地址,已经正常访问到了C的服务

大家可以根据自己的需要来配置各种端口映射来保证只用端口访问服务的安全性。

CentOS7iptables

最新文章

最新推荐

编辑推荐

热门小说

热门文章

三国:蜀汉军师,长坂坡七进七出最新章完整版在线阅读【知乎】《和周贺也结婚十年》贺蓉周贺也完结版免费阅读我一个修仙宗,咋老被人扶贫?全文试读 李修闲王教授小说全本无弹窗《亲妈是千金,舅舅哥哥排队宠》全章节小说_黎嘉沅黎维全文阅读免费试读主角墨九林倾城小说主角名叫许泽明牧晴雪的小说顾今歌沈亦君小说 第4章小说命只剩两年,迟来的亲情林风txt全文在线阅读小说阮幼微宋淮笙在线阅读最新小说《蓄意交换》大结局阅读