The test environment is CentOS 8 x86_64.
My work environment has two network segments. Hosts on 192.168.31.0/255.255.255.0 reach the outside through NAT (192.168.31.133), but a web server sits at 192.168.31.131 inside that segment, and people on the 192.168.88.x segment cannot connect to it. There are two ways to solve this:
- Apache ProxyPass & ProxyPassReverse – https://benjr.tw/103983
- NAT Port Forwarding, also called DNAT (Destination Network Address Translation) – described here
The goal is to port-forward the web server's IP:Port, 192.168.31.131:80, to 192.168.88.128:80 via NAT, as shown in the figure below.
192.168.31.131
Install the Apache web server.
[root@localhost ~]# yum install -y httpd
[root@localhost ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@localhost ~]# systemctl start httpd
[root@localhost ~]# systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2017-07-21 12:03:23 CST; 5s ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 6418 (httpd)
   Status: "Processing requests..."
   CGroup: /system.slice/httpd.service
           ├─6418 /usr/sbin/httpd -DFOREGROUND
           ├─6419 /usr/sbin/httpd -DFOREGROUND
           ├─6420 /usr/sbin/httpd -DFOREGROUND
           ├─6421 /usr/sbin/httpd -DFOREGROUND
           ├─6422 /usr/sbin/httpd -DFOREGROUND
           └─6423 /usr/sbin/httpd -DFOREGROUND
The Apache shipped with CentOS 8 has no default page, so create an index.html yourself to test with.
[root@localhost ~]# echo Apache on CentOS 8 > /var/www/html/index.html
[root@localhost ~]# curl http://192.168.31.131
Apache on CentOS 8
If you cannot connect, check the state of the firewall first.
[root@localhost ~]# systemctl stop firewalld
192.168.31.133 / 192.168.88.128
Check whether IPv4 forwarding is enabled.
[root@localhost ~]# cat /proc/sys/net/ipv4/ip_forward
1
If it shows 0, forwarding is not enabled; turn it on as follows.
[root@localhost ~]# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
[root@localhost ~]# cat /proc/sys/net/ipv4/ip_forward
1
To have it enabled on the next boot as well, write it to the config file.
[root@localhost ~]# vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@localhost ~]# sysctl -p
Current network state.
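The "check, enable, persist" steps above are done by hand in the post. The script below is an added example, not code from the original post: it wraps the same two checks in functions that are idempotent (a second run rewrites an existing net.ipv4.ip_forward = 0 line instead of appending a duplicate that a later sysctl -p would apply last). The file paths default to the real ones but can be overridden, which is how the functions can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the original post): checkable, idempotent version
# of the "enable IPv4 forwarding" step. Paths are parameters with the real
# defaults so the functions can be tested against temporary files.

# Succeed only when forwarding is on. $1 (optional) = path of the kernel knob.
ip_forward_enabled() {
    knob=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$knob" ] && [ "$(cat "$knob")" = "1" ]
}

# Make net.ipv4.ip_forward = 1 persistent in a sysctl config file ($1).
# An existing ip_forward line (e.g. "= 0") is rewritten in place; sysctl -p
# applies the file top to bottom, so a stray duplicate would otherwise win.
persist_ip_forward() {
    conf=${1:-/etc/sysctl.conf}
    [ -f "$conf" ] || : > "$conf"
    pattern='^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*='
    if grep -q "$pattern" "$conf"; then
        tmp=$(mktemp)
        sed "s/${pattern}.*/net.ipv4.ip_forward = 1/" "$conf" > "$tmp" && mv "$tmp" "$conf"
    else
        echo 'net.ipv4.ip_forward = 1' >> "$conf"
    fi
}

# Number of "net.ipv4.ip_forward = 1" lines in $1 (exactly 1 after persisting).
count_ip_forward_lines() {
    grep -c '^net\.ipv4\.ip_forward = 1$' "$1"
}

# Stand-alone use: report the live state and say what to do if it is off.
if ip_forward_enabled; then
    echo "IPv4 forwarding is enabled"
else
    echo "IPv4 forwarding is off: run 'sysctl -w net.ipv4.ip_forward=1' and persist_ip_forward"
fi
```

On the router run persist_ip_forward as root (no argument) and then sysctl -p, exactly as in the post; the only difference from editing the file with vi is that the result does not depend on what was already there.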
[root@localhost ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.31.133  netmask 255.255.255.0  broadcast 192.168.31.255
        inet6 fe80::20c:29ff:fe62:edf8  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:62:ed:f8  txqueuelen 1000  (Ethernet)
        RX packets 118  bytes 18731 (18.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 131  bytes 17346 (16.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.88.128  netmask 255.255.255.0  broadcast 192.168.88.255
        inet6 fe80::c559:71a5:5f2d:d1fc  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:62:ed:02  txqueuelen 1000  (Ethernet)
        RX packets 5  bytes 709 (709.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 41  bytes 5135 (5.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:53:10:19  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
First flush all rules in the iptables NAT table.
[root@localhost ~]# iptables -F -t nat
-F, --flush [chain]
To delete a single rule instead, first list the current rules with their line numbers.
[root@localhost ~]# iptables -t nat -v -L -n --line-number
If you know whether the rule is in PREROUTING or POSTROUTING, you can specify the chain.
[root@localhost ~]# iptables -t nat -v -L PREROUTING -n --line-number
[root@localhost ~]# iptables -t nat -v -L POSTROUTING -n --line-number
Delete by line number. Note that the remaining rules are renumbered after each deletion, so when removing several rules delete from the highest number down.
[root@localhost ~]# iptables -t nat -D PREROUTING {rule number}
[root@localhost ~]# iptables -t nat -D POSTROUTING {rule number}
After deleting, check that the result is what you expect.
[root@localhost ~]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain LIBVIRT_PRT (0 references)
target     prot opt source               destination
Using web port 80 as the example, the NAT port-forwarding rules are simple: every packet received for 192.168.88.128:80 is forwarded to 192.168.31.131:80. The work is done in the NAT table's PREROUTING chain (rules for packets entering a network interface: DNAT, Destination NAT, and REDIRECT) and POSTROUTING chain (rules for packets leaving a network interface: SNAT, Source NAT, and MASQUERADE).
- The PREROUTING rule applies to packets arriving on the network interface (ens37): when another machine connects to port 80 (--dport 80), forward it to 192.168.31.131:80.
[root@localhost ~]# iptables -t nat -A PREROUTING -i ens37 -p tcp --dport 80 -j DNAT --to-destination 192.168.31.131
- The POSTROUTING rule applies to packets leaving the network interface (ens33): when the destination (-d) is 192.168.31.131 on port 80 (--dport 80), rewrite the source address to 192.168.31.133.
[root@localhost ~]# iptables -t nat -A POSTROUTING -o ens33 -p tcp --dport 80 -d 192.168.31.131 -j SNAT --to-source 192.168.31.133
Other commonly used ports.
- Remote Desktop – 3389
- Windows file sharing (Network Neighborhood) – 139 (NetBIOS Session Service) and 445 (Microsoft-DS)
Check the NAT state.
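The two iptables commands above are typed by hand and appended with -A, so running them twice leaves duplicate rules, and they only work because the firewall was stopped earlier (which makes the filter table's FORWARD policy a blanket ACCEPT). The script below is an added example, not code from the original post: it parameterises the post's DNAT and SNAT rules (interface names, addresses and port are the post's values passed as arguments, so the same script serves ports 3389 or 445 from the list above), appends each rule only if iptables -C says it is not already present, and adds two FORWARD-chain rules that admit only this one flow and its conntrack-tracked replies. The explicit :port on --to-destination is an addition; it is equivalent to the post's rule for a single port.

```shell
#!/bin/sh
# Added example, not code from the original post. It turns the post's two
# rules into a parameterised, idempotent script and adds the FORWARD-chain
# rules that are needed once the filter table no longer has a blanket ACCEPT
# policy (the post sidesteps that by stopping firewalld). Interface names
# and addresses are the post's values, passed in as arguments.

# Emit one rule per line as "<table> <chain> <rule-spec>".
#   $1 inbound interface (ens37)     $2 outbound interface (ens33)
#   $3 SNAT source, this host's inside address (192.168.31.133)
#   $4 forward target, the web server (192.168.31.131)   $5 TCP port (80)
nat_forward_rules() {
    in_if=$1; out_if=$2; snat_ip=$3; target=$4; port=$5
    # DNAT: rewrite the destination of packets arriving on $in_if for $port.
    echo "nat PREROUTING -i $in_if -p tcp --dport $port -j DNAT --to-destination $target:$port"
    # SNAT: replies must come back through this host; without it the server
    # would answer the 192.168.88.x client directly, which it cannot route.
    echo "nat POSTROUTING -o $out_if -p tcp -d $target --dport $port -j SNAT --to-source $snat_ip"
    # FORWARD: allow exactly this flow and its conntrack-tracked replies,
    # rather than every packet that happens to cross the two interfaces.
    echo "filter FORWARD -i $in_if -o $out_if -p tcp -d $target --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "filter FORWARD -i $out_if -o $in_if -p tcp -s $target --sport $port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Render one rule line as a command that appends the rule only when
# "iptables -C" reports it absent, so re-running the script never duplicates it.
render_idempotent() {
    table=$1; chain=$2; shift 2
    echo "iptables -t $table -C $chain $* 2>/dev/null || iptables -t $table -A $chain $*"
}

# Default: print the commands for review. NAT_APPLY=1 (as root) executes them.
nat_forward_rules ens37 ens33 192.168.31.133 192.168.31.131 80 |
while read -r table chain spec; do
    cmd=$(render_idempotent "$table" "$chain" $spec)
    if [ "${NAT_APPLY:-0}" = 1 ]; then
        sh -c "$cmd"
    else
        echo "$cmd"
    fi
done
```

Run it as-is to see the four commands; NAT_APPLY=1 applies them. Because the rules are appended with -A they land after anything already in the chain (the LIBVIRT_* rules on this host, for instance), so confirm the final order with iptables -t nat -v -L -n --line-number as shown earlier.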
[root@localhost ~]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.31.131

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       tcp  --  0.0.0.0/0            192.168.31.131       tcp dpt:80 to:192.168.31.133

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain LIBVIRT_PRT (0 references)
target     prot opt source               destination
192.168.88.129
From 192.168.88.129 you can now reach the web page served by 192.168.31.131.
[root@localhost ~]# curl http://192.168.88.128:80
Apache on CentOS 8