Building a soft router on CentOS 7
XenServer environment:
1: Environment preparation
Internal network: 192.168.2.100
External network: x.x.x.x
1.1: Log in to XenCenter
1.2: Open the Networking tab of the XenServer host
1.3: Click the Configure... button at the bottom to open the Configure IP Addresses dialog
1.4: Click Add IP address to create a new virtual switch
1.5: The Network 1 NIC is attached to the external network
The Network 2 NIC is attached to the internal virtual switch
2: Create the CentOS 7 VM and configure its NICs
2.1: vim /etc/sysconfig/network-scripts/ifcfg-eth1
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
#BOOTPROTO=dhcp
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=eth1
#UUID=dd48994a-7f5c-44c1-a8d3-107f4e4b579f
DEVICE=eth1
#ONBOOT=no
ONBOOT=yes
# static public IP, or any IP that can reach the Internet
IPADDR=x.x.x.x
NETMASK=255.255.255.x
GATEWAY=x.x.x.x
DNS1=8.8.8.8
DNS2=x.x.x.x
2.2: vim /etc/sysconfig/network-scripts/ifcfg-eth2
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
#BOOTPROTO=dhcp
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
# NAME and DEVICE must match the real internal interface name; the file is
# conventionally named ifcfg-<DEVICE>
NAME=eth3
#UUID=34b419e0-ca01-4ca4-964b-45d2a9973002
DEVICE=eth3
#ONBOOT=no
ONBOOT=yes
IPADDR=192.168.2.100
NETMASK=255.255.255.0
2.3: ping baidu.com
3: Enable IPv4 forwarding
3.1: Check the IPv4 forwarding state; the default is 0, i.e. disabled
cat /proc/sys/net/ipv4/ip_forward
3.2: Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
4: Address translation with iptables:
4.1: Configure SNAT in iptables, i.e. translation based on the packet's source address
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j SNAT --to-source x.x.x.x
4.2: VMs on the 192.168.2.0 subnet that need Internet access only have to set their gateway to 192.168.2.100
5: Run at boot:
5.1: So that these settings are not lost after a reboot, add the two commands to rc.local so they run automatically at boot:
vim /etc/rc.d/rc.local
#!/bin/bash
# THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES
#
# It is highly advisable to create own systemd services or udev rules
# to run scripts during boot instead of using this file.
#
# In contrast to previous versions due to parallel execution during boot
# this script will NOT be run after all other services.
#
# Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure
# that this script will be executed during boot.

touch /var/lock/subsys/local
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j SNAT --to-source x.x.x.x
5.2: Since CentOS 7, rc.local is not executable by default, so one more command is needed
chmod +x /etc/rc.d/rc.local
Reboot to test: reboot
6: iptables configuration:
vim iptables.sh
#!/bin/sh
# start from an empty ruleset
iptables -F
iptables -X
iptables -Z
# keep INPUT open while the rules are being added (see the note below)
iptables -P INPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s x.x.x.x -j ACCEPT
iptables -A INPUT -s 192.168.2.0/24 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
#iptables -A INPUT -p udp -m udp --dport 67 --in-interface xenapi -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# SNAT for the internal subnet
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j SNAT --to-source x.x.x.x
# port forward: external port 30022 -> 192.168.2.100:22
iptables -t nat -A PREROUTING -i eth1 -p tcp -d x.x.x.x --dport 30022 -j DNAT --to-destination 192.168.2.100:22
# allow all forwarded traffic (both directions); the FORWARD policy below is DROP
iptables -A FORWARD -j ACCEPT
# default policies, set last
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# 'service iptables save' and iptables.service need the iptables-services package
service iptables save
systemctl restart iptables.service
Note:
The rule iptables -P INPUT ACCEPT must run first, otherwise you will lose the connection
The rule iptables -A FORWARD -j ACCEPT is used together with the POSTROUTING rule
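Added example, not code from the original post: the same router ruleset emitted in iptables-restore format. Loaded with iptables-restore, the whole table is replaced atomically, so the ordering problem noted above (INPUT must still be ACCEPT while the allow rules are added, or the session is cut) does not arise, and the SNAT and FORWARD rules are bound to interfaces so that only LAN-to-WAN flows and the one forwarded port are accepted. The interface names eth1/eth3, the public address 203.0.113.10 and the forwarded LAN host 192.168.2.50 are assumed sample values; administrative access is assumed to come from the LAN side.

```shell
#!/bin/sh
# Generate the router ruleset in iptables-restore format. Loaded with
# iptables-restore the table is replaced atomically, so there is no
# window where INPUT is already DROP but the allow rules are missing.
# Interface names, addresses and ports below are assumed sample values.
# Usage: gen_router_rules WAN_IF LAN_IF WAN_IP LAN_NET DNAT_PORT HOST:PORT
gen_router_rules() {
    wan_if=$1; lan_if=$2; wan_ip=$3; lan_net=$4; dport=$5; target=$6
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# port forward accepted only on the WAN interface
-A PREROUTING -i $wan_if -p tcp -d $wan_ip --dport $dport -j DNAT --to-destination $target
# SNAT only for LAN traffic that actually leaves via the WAN interface
-A POSTROUTING -s $lan_net -o $wan_if -j SNAT --to-source $wan_ip
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $lan_if -s $lan_net -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# return traffic of already-forwarded flows
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# new flows: LAN -> WAN freely, WAN -> LAN only to the DNAT target port
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
-A FORWARD -i $wan_if -o $lan_if -p tcp -d ${target%:*} --dport ${target#*:} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Apply and persist on CentOS 7 (package iptables-services provides the
# iptables.service unit that reloads /etc/sysconfig/iptables at boot):
#   gen_router_rules eth1 eth3 203.0.113.10 192.168.2.0/24 30022 192.168.2.50:22 \
#       > /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables
```

IP forwarding itself is still enabled separately (echo 1 > /proc/sys/net/ipv4/ip_forward, or a net.ipv4.ip_forward = 1 line under /etc/sysctl.d/ to persist it).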
Enable IP forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j SNAT --to-source x.x.x.x
Add to startup:
chmod +x /etc/rc.d/rc.local
echo 1 > /proc/sys/net/ipv4/ip_forward
Port forwarding:
iptables -t nat -A PREROUTING -i eth1 -p tcp -d x.x.x.x --dport 30022 -j DNAT --to-destination 192.168.2.100:22