This section shows how to set up NAT and port forwarding with firewalld on CentOS 7.
Lab topology:
Because the KVM virtual machines on my CentOS 7 host need to share the NICs to get online, I added the NICs to bridges. Bridges are not required here; the physical interfaces can be used directly.
Create the bridges with nmcli, add the interfaces to the bridges, then set an IP address on the bridge:
First create the two bridges "br-ex" and "br-in"
[root@localhost ~]# nmcli con add type bridge con-name br-ex ifname br-ex autoconnect yes
Connection 'br-ex' (2b823432-af25-497a-9b59-8b63709ef8ad) successfully added.
[root@localhost ~]# nmcli con add type bridge con-name br-in ifname br-in autoconnect yes
Connection 'br-in' (e9c07ace-4182-41db-8208-7b93c139842f) successfully added.
[root@localhost ~]# nmcli con show
NAME                UUID                                  TYPE            DEVICE
Wired connection 1  8c368bb5-8050-355f-a513-49b5c4bca3f8  802-3-ethernet  ens36
br-ex               2b823432-af25-497a-9b59-8b63709ef8ad  bridge          br-ex
br-in               e9c07ace-4182-41db-8208-7b93c139842f  bridge          br-in
eno16777736         01ef745d-f2ee-421a-8dd5-4da36d509e2a  802-3-ethernet  eno16777736
[root@localhost ~]#
Add NIC "ens36" to "br-in" and NIC "eno16777736" to "br-ex"
First delete the existing connections in nmcli
[root@localhost ~]# nmcli connection delete eno16777736
Connection 'eno16777736' (01ef745d-f2ee-421a-8dd5-4da36d509e2a) successfully deleted.
[root@localhost ~]# nmcli con delete "Wired connection 1"
Connection 'Wired connection 1' (8c368bb5-8050-355f-a513-49b5c4bca3f8) successfully deleted.
[root@localhost ~]#
Then add the NICs to the corresponding bridges
[root@localhost ~]# nmcli connection add type bridge-slave con-name eno16777736 ifname eno16777736 autoconnect yes master br-ex
Connection 'eno16777736' (cc6b32bf-4a23-42a1-af6e-85cf93f1686f) successfully added.
[root@localhost ~]# nmcli connection add type bridge-slave con-name ens36 ifname ens36 autoconnect yes master br-in
Connection 'ens36' (2b7cf193-22eb-4b61-8887-1aed25b33fd1) successfully added.
[root@localhost ~]# nmcli con show
NAME         UUID                                  TYPE            DEVICE
br-ex        2b823432-af25-497a-9b59-8b63709ef8ad  bridge          br-ex
br-in        e9c07ace-4182-41db-8208-7b93c139842f  bridge          br-in
eno16777736  cc6b32bf-4a23-42a1-af6e-85cf93f1686f  802-3-ethernet  eno16777736
ens36        2b7cf193-22eb-4b61-8887-1aed25b33fd1  802-3-ethernet  ens36
[root@localhost ~]#
In this environment the external IP address is obtained automatically; a static address works just as well.
Now set up NAT.
1. Enable IP forwarding
[root@localhost ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@localhost ~]# sysctl -p    # make the change take effect immediately
net.ipv4.ip_forward = 1
[root@localhost ~]#
2. Put the bridges into the corresponding firewalld zones
[root@localhost ~]# firewall-cmd --zone=external --change-interface=br-ex --permanent
The interface is under control of NetworkManager, setting zone to 'external'.
success
[root@localhost ~]# firewall-cmd --zone=internal --change-interface=br-in --permanent
The interface is under control of NetworkManager, setting zone to 'internal'.
success
[root@localhost ~]# firewall-cmd --list-all-zones
...omitted...
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: br-in
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

external (active)
  target: default
  icmp-block-inversion: no
  interfaces: br-ex
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

...omitted...
3. Set up IP masquerading (so that all traffic leaving the LAN for the external network has its source address rewritten to the address of br-ex). The external zone already ships with masquerade enabled, which is why firewalld reports ALREADY_ENABLED here.
[root@localhost ~]# firewall-cmd --zone=external --add-masquerade --permanent
Warning: ALREADY_ENABLED: masquerade
success
[root@localhost ~]# firewall-cmd --zone=external --list-all
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: br-ex
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

[root@localhost ~]# firewall-cmd --zone=internal --list-all
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: br-in
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:
4. Set up NAT
[root@localhost ~]# firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o br-ex -j MASQUERADE -s 10.1.1.0/24
success
[root@localhost ~]# firewall-cmd --reload    # reload firewalld so the configuration takes effect
success
5. Set an IP address on "br-in"
[root@localhost ~]# nmcli con modify br-in ipv4.addresses 10.1.1.254/24 autoconnect yes ipv4.method manual
[root@localhost ~]# nmcli con up br-in
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/50)
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br-ex state UP qlen 1000
    link/ether 00:0c:29:07:82:16 brd ff:ff:ff:ff:ff:ff
3: ens36: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br-in state UP qlen 1000
    link/ether 00:0c:29:07:82:20 brd ff:ff:ff:ff:ff:ff
4: br-ex: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 00:0c:29:07:82:16 brd ff:ff:ff:ff:ff:ff
    inet 192.168.127.129/24 brd 192.168.127.255 scope global dynamic br-ex
       valid_lft 1512sec preferred_lft 1512sec
    inet6 fe80::2ab1:e7db:9af:27f/64 scope link
       valid_lft forever preferred_lft forever
19: br-in: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN qlen 1000
    link/ether 00:0c:29:07:82:20 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.254/24 brd 10.1.1.255 scope global br-in
       valid_lft forever preferred_lft forever
[root@localhost ~]#
# At this point br-in is not fully UP yet; wait a few seconds and check again
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br-ex state UP qlen 1000
    link/ether 00:0c:29:07:82:16 brd ff:ff:ff:ff:ff:ff
3: ens36: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br-in state UP qlen 1000
    link/ether 00:0c:29:07:82:20 brd ff:ff:ff:ff:ff:ff
4: br-ex: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 00:0c:29:07:82:16 brd ff:ff:ff:ff:ff:ff
    inet 192.168.127.129/24 brd 192.168.127.255 scope global dynamic br-ex
       valid_lft 1435sec preferred_lft 1435sec
    inet6 fe80::2ab1:e7db:9af:27f/64 scope link
       valid_lft forever preferred_lft forever
19: br-in: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 00:0c:29:07:82:20 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.254/24 brd 10.1.1.255 scope global br-in
       valid_lft forever preferred_lft forever
    inet6 fe80::5bec:cd7f:9ae7:12a5/64 scope link
       valid_lft forever preferred_lft forever
# br-in is now UP
6. Test from Win7
Because no DHCP service is configured on the CentOS 7 host here, the IP address on Win7 has to be configured manually.
At this point the NAT setup is complete.
7. Port forwarding
As an example, Win7's Remote Desktop (TCP port 3389) is made reachable from the external network.
When a host on the external network connects to port 3389 on 192.168.127.129, firewalld forwards the traffic to Win7 (10.1.1.2).
[root@localhost ~]# firewall-cmd --zone=external --add-forward-port=port=3389:proto=tcp:toport=3389:toaddr=10.1.1.2 --permanent
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --zone=external --list-forward-ports
port=3389:proto=tcp:toport=3389:toaddr=10.1.1.2
[root@localhost ~]#
配置win7的遠程桌面后驗證
Reposted from: https://blog.51cto.com/anspace/1956403