The test environment is CentOS 8 x86_64.
I am not sure when it happened, but IPv4 IP forwarding is now enabled (1) by default.
[root@localhost ~]# cat /proc/sys/net/ipv4/ip_forward
1
Or check IP forwarding for each individual network device.
[root@localhost ~]# ll /proc/sys/net/ipv[46]/conf/*/forwarding
-rw-r--r--. 1 root root 0 Dec 7 17:32 /proc/sys/net/ipv4/conf/all/forwarding
-rw-r--r--. 1 root root 0 Dec 7 17:32 /proc/sys/net/ipv4/conf/default/forwarding
-rw-r--r--. 1 root root 0 Dec 7 17:32 /proc/sys/net/ipv4/conf/ens33/forwarding
-rw-r--r--. 1 root root 0 Dec 7 17:32 /proc/sys/net/ipv4/conf/lo/forwarding
-rw-r--r--. 1 root root 0 Dec 7 17:32 /proc/sys/net/ipv4/conf/virbr0/forwarding
-rw-r--r--. 1 root root 0 Dec 7 17:32 /proc/sys/net/ipv4/conf/virbr0-nic/forwarding
-rw-r--r--. 1 root root 0 Dec 7 17:32 /proc/sys/net/ipv6/conf/all/forwarding
-rw-r--r--. 1 root root 0 Dec 7 17:32 /proc/sys/net/ipv6/conf/default/forwarding
-rw-r--r--. 1 root root 0 Dec 7 17:32 /proc/sys/net/ipv6/conf/ens33/forwarding
-rw-r--r--. 1 root root 0 Dec 7 17:32 /proc/sys/net/ipv6/conf/lo/forwarding
-rw-r--r--. 1 root root 0 Dec 7 17:32 /proc/sys/net/ipv6/conf/virbr0/forwarding
-rw-r--r--. 1 root root 0 Dec 7 17:32 /proc/sys/net/ipv6/conf/virbr0-nic/forwarding
[root@localhost ~]# cat /proc/sys/net/ipv4/conf/ens33/forwarding
1
[root@localhost ~]# cat /proc/sys/net/ipv6/conf/ens33/forwarding
0
Or check with the sysctl command.
[root@localhost ~]# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 0
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
[root@localhost ~]# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
Manual change
The value can be changed manually with the sysctl command.
[root@localhost ~]# sysctl -w net.ipv4.ip_forward=0
net.ipv4.ip_forward = 0
[root@localhost ~]# cat /proc/sys/net/ipv4/ip_forward
0
[root@localhost ~]# cat /proc/sys/net/ipv4/conf/ens33/forwarding
0
Note: the IPv6 equivalent is named net.ipv6.conf.all.forwarding
Or:
[root@localhost ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
Configuration file
The systemd-sysctl service applies the settings from the sysctl.conf configuration file.
[root@localhost ~]# systemctl is-enabled systemd-sysctl.service
static
Forwarding was just turned off; now enable it again through the configuration file plus the sysctl command.
[root@localhost ~]# vi /etc/sysctl.conf
net.ipv4.ip_forward=1
[root@localhost ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@localhost ~]# cat /proc/sys/net/ipv4/ip_forward
1
This time, disable IP forwarding and reboot CentOS.
[root@localhost ~]# vi /etc/sysctl.conf
net.ipv4.ip_forward=0
[root@localhost ~]# reboot
Strange. Wasn't IP forwarding just set to Disable (0)?
[root@localhost ~]# cat /proc/sys/net/ipv4/ip_forward
1
So far I have found the explanation at https://wiki.archlinux.org/title/Internet_sharing : if forwarding has to be turned off, it can be handled with a firewall.
Warning: If the system uses systemd-networkd to control the network interfaces, a per-interface setting for IPv4 is not possible, i.e. systemd logic propagates any configured forwarding into a global (for all interfaces) setting for IPv4. The advised work-around is to use a firewall to forbid forwarding again on selective interfaces.
From CentOS 8 onward, nftables can be used to configure the firewall; it is more flexible than the traditional iptables.
[root@localhost ~]# nft list table ip nat
table ip nat {
    chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
    }
    chain INPUT {
        type nat hook input priority 100; policy accept;
    }
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        counter packets 67 bytes 5434 jump LIBVIRT_PRT
    }
    chain OUTPUT {
        type nat hook output priority -100; policy accept;
    }
    chain LIBVIRT_PRT {
        @nh,96,24 12626042 @nh,128,24 14680064 counter packets 2 bytes 159 return
        @nh,96,24 12626042 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
        meta l4proto tcp @nh,96,24 12626042 @nh,128,24 != 12626042 counter packets 0 bytes 0 masquerade to :1024-65535
        meta l4proto udp @nh,96,24 12626042 @nh,128,24 != 12626042 counter packets 0 bytes 0 masquerade to :1024-65535
        @nh,96,24 12626042 @nh,128,24 != 12626042 counter packets 0 bytes 0 masquerade
    }
}
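To catch the mismatch seen after the reboot (sysctl.conf says 0, the kernel says 1), the following added example, which is not from the original post, compares the configured net.ipv4.ip_forward with the runtime value and lists the interfaces that are forwarding. The function names and the constructed sample tree are assumptions; pass the configuration files in the order they are applied on your host.

```shell
#!/bin/sh
# Added example: compare the configured net.ipv4.ip_forward with the runtime value.
# Function names and the sample tree are illustrative, not from the original post.

# Print the last net.ipv4.ip_forward value assigned in the given files (later wins).
configured_ip_forward() {
    awk -F= '
        /^[ \t]*[#;]/ { next }    # skip comment lines
        { key = $1; gsub(/[ \t]/, "", key); gsub(/\//, ".", key) }
        key == "net.ipv4.ip_forward" { val = $2; gsub(/[ \t]/, "", val); last = val }
        END { if (last != "") print last }
    ' "$@" 2>/dev/null
}

# List IPv4 interfaces under PROC_ROOT (default /proc/sys) whose forwarding flag is 1.
forwarding_ifaces() {
    for f in "${1:-/proc/sys}"/net/ipv4/conf/*/forwarding; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" = "1" ]; then basename "$(dirname "$f")"; fi
    done
}

# check_drift PROC_ROOT FILE...  -> 0 = match, 1 = drift, 2 = key not configured
check_drift() {
    root=$1; shift
    want=$(configured_ip_forward "$@") || true
    have=$(cat "$root/net/ipv4/ip_forward")
    if [ -z "$want" ]; then echo "net.ipv4.ip_forward is not set in: $*"; return 2; fi
    if [ "$want" = "$have" ]; then echo "OK: net.ipv4.ip_forward = $have"; return 0; fi
    echo "DRIFT: configured=$want runtime=$have forwarding on: $(forwarding_ifaces "$root" | tr '\n' ' ')"
    return 1
}

# Constructed sample tree mirroring the post: sysctl.conf says 0, runtime says 1.
make_sample_tree() {
    d=$(mktemp -d)
    for i in ens33 virbr0 lo; do mkdir -p "$d/proc/net/ipv4/conf/$i"; done
    echo 1 > "$d/proc/net/ipv4/ip_forward"
    echo 1 > "$d/proc/net/ipv4/conf/ens33/forwarding"
    echo 1 > "$d/proc/net/ipv4/conf/virbr0/forwarding"
    echo 0 > "$d/proc/net/ipv4/conf/lo/forwarding"
    printf '# constructed sample\nnet.ipv4.ip_forward=0\n' > "$d/sysctl.conf"
    echo "$d"
}

# Live host: check_drift /proc/sys /etc/sysctl.conf /etc/sysctl.d/*.conf
```

A DRIFT result means something other than the listed files changed the value after they were applied; the interface list shows where to start looking.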