本节介绍用CentOS7的Firewalld来做NAT以及端口映射
实验拓扑：
因为我的环境里CentOS7上有KVM虚拟机需要共享网卡上网，所以我把网卡都添加到了桥里面，当然这里也可以不用桥，直接用物理网口；
用nmcli创建桥，并添加网口到桥，然后给桥设置IP地址
先创建两个桥br-ex和br-in
[root@localhost ~]# nmcli con add type bridge con-name br-ex ifname br-ex autoconnect yes
Connection 'br-ex' (2b823432-af25-497a-9b59-8b63709ef8ad) successfully added.
[root@localhost ~]# nmcli con add type bridge con-name br-in ifname br-in autoconnect yes
Connection 'br-in' (e9c07ace-4182-41db-8208-7b93c139842f) successfully added.
[root@localhost ~]# nmcli con show
NAME UUID TYPE DEVICE
Wired connection 1 8c368bb5-8050-355f-a513-49b5c4bca3f8 802-3-ethernet ens36
br-ex 2b823432-af25-497a-9b59-8b63709ef8ad bridge br-ex
br-in e9c07ace-4182-41db-8208-7b93c139842f bridge br-in
eno16777736 01ef745d-f2ee-421a-8dd5-4da36d509e2a 802-3-ethernet eno16777736
[root@localhost ~]#
将网卡ens36加入到br-in，将网卡eno16777736加入到br-ex。这里首先删除nmcli里原有的connection
[root@localhost ~]# nmcli connection delete eno16777736
Connection 'eno16777736' (01ef745d-f2ee-421a-8dd5-4da36d509e2a) successfully deleted.
[root@localhost ~]# nmcli con delete "Wired connection 1"
Connection 'Wired connection 1' (8c368bb5-8050-355f-a513-49b5c4bca3f8) successfully deleted.
[root@localhost ~]#
然后将网卡添加到相应的桥中
[root@localhost ~]# nmcli connection add type bridge-slave con-name eno16777736 ifname eno16777736 autoconnect yes master br-ex
Connection 'eno16777736' (cc6b32bf-4a23-42a1-af6e-85cf93f1686f) successfully added.
[root@localhost ~]# nmcli connection add type bridge-slave con-name ens36 ifname ens36 autoconnect yes master br-in
Connection 'ens36' (2b7cf193-22eb-4b61-8887-1aed25b33fd1) successfully added.
[root@localhost ~]# nmcli con show
NAME UUID TYPE DEVICE
br-ex 2b823432-af25-497a-9b59-8b63709ef8ad bridge br-ex
br-in e9c07ace-4182-41db-8208-7b93c139842f bridge br-in
eno16777736 cc6b32bf-4a23-42a1-af6e-85cf93f1686f 802-3-ethernet eno16777736
ens36 2b7cf193-22eb-4b61-8887-1aed25b33fd1 802-3-ethernet ens36
[root@localhost ~]#
此环境中外网的IP是自动获取的，当然用固定的也是可以的。下面要设置NAT了
1、启用IP转发
[root@localhost ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@localhost ~]# sysctl -p    #使更改立即生效
net.ipv4.ip_forward = 1
[root@localhost ~]#
2、在Firewall中将桥放到相应的zone
[root@localhost ~]# firewall-cmd --zone=external --change-interface=br-ex --permanent
The interface is under control of NetworkManager, setting zone to external.
success
[root@localhost ~]# firewall-cmd --zone=internal --change-interface=br-in --permanent
The interface is under control of NetworkManager, setting zone to internal.
success
[root@localhost ~]# firewall-cmd --list-all-zones
...省略...
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: br-in
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

external (active)
  target: default
  icmp-block-inversion: no
  interfaces: br-ex
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

...省略...
3、设置IP地址伪装，让所有内网的流量出去到外网时，源地址都伪装成br-ex的地址。上面的列表里external zone已经是masquerade: yes，所以下面的命令会提示ALREADY_ENABLED
[root@localhost ~]# firewall-cmd --zone=external --add-masquerade --permanent
Warning: ALREADY_ENABLED: masquerade
success
[root@localhost ~]# firewall-cmd --zone=external --list-all
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: br-ex
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

[root@localhost ~]# firewall-cmd --zone=internal --list-all
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: br-in
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

4、设置NAT
这条direct规则在nat表的POSTROUTING链开头插入一条规则：源地址为10.1.1.0/24、从br-ex出去的流量做MASQUERADE
[root@localhost ~]# firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o br-ex -j MASQUERADE -s 10.1.1.0/24
success
[root@localhost ~]# firewall-cmd --reload    #reload Firewall，让配置生效
success
5、给br-in设置IP地址
[root@localhost ~]# nmcli con modify br-in ipv4.addresses 10.1.1.254/24 autoconnect yes ipv4.method manual
[root@localhost ~]# nmcli con up br-in
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/50)
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br-ex state UP qlen 1000
    link/ether 00:0c:29:07:82:16 brd ff:ff:ff:ff:ff:ff
3: ens36: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br-in state UP qlen 1000
    link/ether 00:0c:29:07:82:20 brd ff:ff:ff:ff:ff:ff
4: br-ex: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 00:0c:29:07:82:16 brd ff:ff:ff:ff:ff:ff
    inet 192.168.127.129/24 brd 192.168.127.255 scope global dynamic br-ex
       valid_lft 1512sec preferred_lft 1512sec
    inet6 fe80::2ab1:e7db:9af:27f/64 scope link
       valid_lft forever preferred_lft forever
19: br-in: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN qlen 1000
    link/ether 00:0c:29:07:82:20 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.254/24 brd 10.1.1.255 scope global br-in
       valid_lft forever preferred_lft forever
[root@localhost ~]#
#这个时候br-in还没有完全UP起来，稍等几秒钟再看
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br-ex state UP qlen 1000
    link/ether 00:0c:29:07:82:16 brd ff:ff:ff:ff:ff:ff
3: ens36: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br-in state UP qlen 1000
    link/ether 00:0c:29:07:82:20 brd ff:ff:ff:ff:ff:ff
4: br-ex: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 00:0c:29:07:82:16 brd ff:ff:ff:ff:ff:ff
    inet 192.168.127.129/24 brd 192.168.127.255 scope global dynamic br-ex
       valid_lft 1435sec preferred_lft 1435sec
    inet6 fe80::2ab1:e7db:9af:27f/64 scope link
       valid_lft forever preferred_lft forever
19: br-in: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 00:0c:29:07:82:20 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.254/24 brd 10.1.1.255 scope global br-in
       valid_lft forever preferred_lft forever
    inet6 fe80::5bec:cd7f:9ae7:12a5/64 scope link
       valid_lft forever preferred_lft forever
#可以看到br-in已经UP起来了
6、到win7中测试
这里因为没有在CentOS7里配置DHCP服务，所以win7需要手动配置IP。至此NAT设置完成。
7、端口映射
这里以从外网访问win7的远程桌面（TCP 3389号端口）为例：在外网访问192.168.127.129的3389号端口，Firewall会将流量转给win7（10.1.1.2）。这条转发规则加在external zone上，命令里没有限制来源，所以对所有经br-ex进来的地址都生效。
[root@localhost ~]# firewall-cmd --zone=external --add-forward-port=port=3389:proto=tcp:toport=3389:toaddr=10.1.1.2 --permanent
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --zone=external --list-forward-ports
port=3389:proto=tcp:toport=3389:toaddr=10.1.1.2
[root@localhost ~]#
配置win7的远程桌面后验证
转载于:https://blog.51cto.com/anspace/1956403