背景:
伺服器A:103.110.114.8/192.168.1.8,有外網ip,是IDC的一臺伺服器
伺服器B:192.168.1.150,沒有外網ip,A伺服器是它的宿主機,能相互ping通
伺服器C:192.168.9.120,是公司的一臺伺服器,能上網。
伺服器C可以直接ssh登陸A伺服器,但是不能直接登陸伺服器B,因為它們處在兩個不同的區域網內。
現在要求能從伺服器C上ssh登陸伺服器B,並且做ssh無密碼信任跳轉關係。
這就需要用到iptables的NAT埠轉發功能了~~~~~
思路:
讓伺服器C先訪問伺服器A上的20022埠,然後NAT轉發到伺服器B的ssh埠(22埠)
----------------------------------------------------------------------------------------------
下面是在宿主機A上(192.168.1.8)的操作:
1)先開啟ip路由轉發功能
[root@linux-node1 ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
或者
[root@linux-node1 ~]# cat /etc/sysctl.conf
..........
net.ipv4.ip_forward = 1
[root@linux-node1 ~]# sysctl -p
2)設定iptables的NAT轉發功能
[root@linux-node1 ~]# iptables -t nat -A PREROUTING -p tcp -m tcp --dport 20022 -j DNAT --to-destination 192.168.1.150:22
[root@linux-node1 ~]# iptables -t nat -A POSTROUTING -d 192.168.1.150/32 -p tcp -m tcp --sport 22 -j SNAT --to-source 192.168.1.8
[root@linux-node1 ~]# iptables -t filter -A INPUT -p tcp -m state --state NEW -m tcp --dport 20022 -j ACCEPT
[root@linux-node1 ~]# service iptables save
[root@linux-node1 ~]# service iptables restart
nat埠轉發設定成功後,/etc/sysconfig/iptables檔案裡要註釋掉下面兩行!不然nat轉發會有問題!一般如上面在nat轉發規則設定好並save和restart防火牆之後就會自動在/etc/sysconfig/iptables檔案裡刪除掉下面兩行內容了。
[root@linux-node1 ~]# vim /etc/sysconfig/iptables
..........
#-A INPUT -j REJECT --reject-with icmp-host-prohibited //這兩行最好是註釋掉。在一般的白名單設定中,如果這兩行不註釋,也會造成iptables對埠的設定無效
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
[root@linux-node1 ~]# service iptables restart
----------------------------------------------------------------------------------------------
下面是在伺服器B上(192.168.1.150)的操作:
1)首先關閉防火牆
[root@dev-new-test1 ~]# service iptables stop
2)設定閘道器為宿主機的內網ip(內網閘道器地址一定要保持和宿主機內網閘道器地址一致!如果沒有內網閘道器地址,那麼就把它的閘道器設定成宿主機的內網ip地址!)
[root@dev-new-test1 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
......
GATEWAY=192.168.1.8
......
[root@dev-new-test1 ~]# /etc/init.d/network restart
[root@dev-new-test1 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
0.0.0.0 192.168.1.8 0.0.0.0 UG 0 0 0 eth0
----------------------------------------------------------------------------------------------
最後在公司伺服器C上測試:看看能否登陸到虛擬機器上
[root@redmine ~]# ssh -p20022 103.110.114.8
The authenticity of host '[103.10.86.8]:20022 ([103.10.86.8]:20022)' can't be established.
RSA key fingerprint is f8:a9:d1:cb:52:e8:8b:ed:8b:d2:1a:86:06:1a:fd:0f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[103.10.86.8]:20022' (RSA) to the list of known hosts.
root@103.110.114.8's password:
[root@dev-new-test1 ~]# ifconfig #檢視,已經成功登陸進來了!
eth0 Link encap:Ethernet HWaddr FA:16:3E:9D:F3:17
inet addr:192.168.1.150 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::f816:3eff:fe9d:f317/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:27047404 errors:0 dropped:0 overruns:0 frame:0
TX packets:6401069 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:67605283704 (62.9 GiB) TX bytes:566935277 (540.6 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:87025 errors:0 dropped:0 overruns:0 frame:0
TX packets:87025 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:65978795 (62.9 MiB) TX bytes:65978795 (62.9 MiB)
可以把伺服器C的公鑰id_rsa.pub內容拷貝到虛擬機器上的authorized_keys檔案內,這樣從C機器就能ssh無密碼登陸到虛擬機器B上了。
--------------------------------------------------------------------
下面貼出幾個其他轉口的轉發規則(本機開啟ip路由轉發,目標機器注意防火牆和閘道器設定):
本機(192.168.1.7)的19200轉發到192.168.1.160的9200
[root@kvm-server conf]# iptables -t nat -A PREROUTING -p tcp -m tcp --dport 19200 -j DNAT --to-destination 192.168.1.160:9200
[root@kvm-server conf]# iptables -t nat -A POSTROUTING -d 192.168.1.160/32 -p tcp -m tcp --sport 9200 -j SNAT --to-source 192.168.1.7
[root@kvm-server conf]# iptables -t filter -A INPUT -p tcp -m state --state NEW -m tcp --dport 19200 -j ACCEPT
本機(192.168.1.7)的33066轉發到192.168.1.160的3306
[root@kvm-server conf]# iptables -t nat -A PREROUTING -p tcp -m tcp --dport 33066 -j DNAT --to-destination 192.168.1.160:3306
[root@kvm-server conf]# iptables -t nat -A POSTROUTING -d 192.168.1.160/32 -p tcp -m tcp --sport 3306 -j SNAT --to-source 192.168.1.7
[root@kvm-server conf]# iptables -t filter -A INPUT -p tcp -m state --state NEW -m tcp --dport 33066 -j ACCEPT
本機(192.168.1.7)的8880轉發到192.168.1.1的8080
[root@kvm-server conf]# iptables -t nat -A PREROUTING -p tcp -m tcp --dport 8880 -j DNAT --to-destination 192.168.1.160:8080
[root@kvm-server conf]# iptables -t nat -A POSTROUTING -d 192.168.1.160/32 -p tcp -m tcp --sport 8080 -j SNAT --to-source 192.168.1.7
[root@kvm-server conf]# iptables -t filter -A INPUT -p tcp -m state --state NEW -m tcp --dport 8880 -j ACCEPT