我们有一个[S]SRV_网关具有两个 NIC 的服务器([I]广域网/INT_LAN和[I]PRIV_LAN) 配置为专用网络的 GATEWAY、DNS 和 DHCP ([N]PRIV_LAN)。
服务器[S]SRV_网关访问互联网(它将自身用作 DNS)和所有其他服务器([S]PRIV_SRV_X)使用服务器提供的 DHCP、DNS 和 GATEWAY[S]SRV_网关。
- 网络布局...
[N]WAN/INT_LAN (10.2.0.0/24)
↕
[I]WAN/INT_LAN
[S]SRV_GATEWAY
[I]PRIV_LAN
↕
[N]PRIV_LAN (10.3.0.0/24)
↕
...............................
↕ ↕ ↕
[S]PRIV_SRV_0 [S]PRIV_SRV_1 [S]PRIV_SRV_0
[S]PRIV_SRV_2 [S]PRIV_SRV_0
[S]PRIV_SRV_3
_ [N] - Network;
_ [I] - Network Interface;
_ [S] - Server.
_ [N]WAN/INT_LAN - Has internet access;
_ [N]PRIV_LAN - Private network.
问题:为什么我们可以成功地ping在互联网上访问服务器,但不能curl在服务器上使用相同的服务器[S]PRIV_SRV_0(见下面的输出)?
[root@okd4-bootstrap core]# ping -c 2 www.google.com
PING www.google.com (172.217.18.196) 56(84) bytes of data.
64 bytes from ham02s14-in-f196.1e100.net (172.217.18.196): icmp_seq=1 ttl=113 time=10.5 ms
64 bytes from par10s38-in-f4.1e100.net (172.217.18.196): icmp_seq=2 ttl=113 time=10.6 ms
--- www.google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 10.500/10.548/10.597/0.048 ms
[root@okd4-bootstrap core]# curl http://www.google.com
curl: (7) Failed to connect to www.google.com port 80: No route to host
额外的:
- 如何SRV_GATEWAY被设置为 GATEWAY:
服务器SRV_GATEWAY已通过命令配置为GATEWAY...
使能够IP 转发...
tee "/etc/sysctl.d/ip_forward.conf" << EOF
net.ipv4.ip_forward=1
EOF
sysctl -w net.ipv4.ip_forward=1
设置一个以 NIC ens3 为目标的出站 NAT 网关([I]广域网/INT_LAN) 在 CIDR 10.3.0.0/24 中配置的屏蔽设备...
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o ens3 -j MASQUERADE -s 10.3.0.0/24
firewall-cmd --reload
- 从服务器获取的一些信息[S]PRIV_SRV_0:
[root@okd4-bootstrap core]# cat /etc/resolv.conf | grep -i '^nameserver' | head -n1 | cut -d ' ' -f2
10.3.0.14
[root@okd4-bootstrap core]# ip r
default via 10.3.0.14 dev ens3 proto dhcp metric 100
10.3.0.0/24 dev ens3 proto kernel scope link src 10.3.0.4 metric 100
[root@okd4-bootstrap core]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.3.0.14 0.0.0.0 UG 100 0 0 ens3
10.3.0.0 0.0.0.0 255.255.255.0 U 100 0 0 ens3
[root@okd4-bootstrap core]# netstat -r -n
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.3.0.14 0.0.0.0 UG 0 0 0 ens3
10.3.0.0 0.0.0.0 255.255.255.0 U 0 0 0 ens3
[root@okd4-bootstrap core]# ping -c 2 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=113 time=10.8 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=113 time=11.0 ms
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 10.769/10.891/11.013/0.122 ms
[root@okd4-bootstrap core]# cat /etc/resolv.conf
# This is /run/systemd/resolve/resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients directly to
# all known uplink DNS servers. This file lists all configured search domains.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 10.3.0.14
search okd.local
[root@okd4-bootstrap core]# tracepath 8.8.8.8
1?: [LOCALHOST] pmtu 1500
1: api-int.mbr.okd.local 0.526ms
1: api-int.mbr.okd.local 0.855ms
2: okd4-services.okd.local 1.842ms !H
Resume: pmtu 1500
[root@okd4-bootstrap core]# tracepath www.google.com
1?: [LOCALHOST] pmtu 1500
1: api.mbr.okd.local 0.481ms
1: api-int.mbr.okd.local 0.562ms
2: api.mbr.okd.local 0.553ms !H
Resume: pmtu 1500
[root@okd4-bootstrap core]# ip route show
default via 10.3.0.14 dev ens3 proto dhcp metric 100
10.3.0.0/24 dev ens3 proto kernel scope link src 10.3.0.4 metric 100
[root@okd4-bootstrap core]# nslookup www.google.com
Server: 10.3.0.14
Address: 10.3.0.14#53
Non-authoritative answer:
Name: www.google.com
Address: 172.217.18.196
Name: www.google.com
Address: 2a00:1450:4007:805::2004
[root@okd4-bootstrap core]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
谢谢!=D
答案1
正如@user1686 指出的那样......
我问的是你的防火墙规则是否允许转发。就像 iptables 中的“FORWARD”链一样。
...缺少以下规则向前。
然而除此之外,有必要添加/启用化装舞会规则。
完整的解决方案:
启用 IP 转发...
tee "/etc/sysctl.d/ip_forward.conf" << EOF
net.ipv4.ip_forward=1
EOF
sysctl -w net.ipv4.ip_forward=1
将规则添加到防火墙(防火墙命令)...
模型
firewall-cmd --permanent --zone public --add-masquerade
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -o [WAN_NIC] -j MASQUERADE
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i [LAN_NIC] -o [WAN_NIC] -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i [WAN_NIC] -o [LAN_NIC] -m state --state RELATED,ESTABLISHED -j ACCEPT
firewall-cmd --reload
例子
firewall-cmd --permanent --zone public --add-masquerade
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -o ens3 -j MASQUERADE
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i ens4 -o ens3 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i ens3 -o ens4 -m state --state RELATED,ESTABLISHED -j ACCEPT
firewall-cmd --reload
重要的:互联网上有几个例子建议将[广域网卡]和[局域网卡]不同区域的接口(外部的和内部的) 如图所示...
firewall-cmd --add-interface [WAN_NIC] --zone external
firewall-cmd --add-interface [LAN_NIC] --zone internal
...,但是我不想担心区域,因为我的所有防火墙规则都是默认的民众区域。因此,没有必要为该方案定义区域,所有内容都可以留在民众区。
谢谢!=D
[参考文献:https://www.server-world.info/en/note?os=CentOS_Stream_8&p=firewalld&f=2,https://www.comdivision.com/blog/centos-7-nat-router-basic-configuration,https: //blog.redbranch.net/2015/07/30/centos-7-as-nat-gateway-for-private-network/。 https://unix.stackexchange.com/a/550064/61742,https://forums.centos.org/viewtopic.php?t=53819#p227743,https://www.server-world.info/en/注意:os=CentOS_7&p=firewalld&f=2,https://serverfault.com/q/870902/276753]