我有一个如下所示的网络:
MyPC:eth0 10.208.65.80/18
机器 A(Linux,运行 Web 服务器) eth0 10.208.65.101/18 eth1 192.168.2.1/24
防火墙区域:
sudo firewall-cmd --list-all-zones
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
forward: yes
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
m100 (active)
target: %%REJECT%%
icmp-block-inversion: no
interfaces: eth0 eth1 lo
sources:
services: mdns ssh
ports:
protocols:
forward: yes
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" protocol value="icmp" accept
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
trusted
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
机器 B(运行 Web 服务器)eth0:192.168.2.2/24
我配置了以下内容: MyPC 上的路由:ip route add 192.168.2.0/24 via 10.208.65.101
在机器 A 上启用了 ipforwarding:echo 1 >> /proc/sys/net/ipv4/ip_forward
防火墙配置:
sudo firewall-cmd --permanent --zone=m100 --add-masquerade
sudo firewall-cmd --permanent --zone=m100 --add-forward
#allow forwarding to host 192.168.2.2
sudo firewall-cmd --permanent --zone=m100 --add-forward-port=port=1-65535:proto=tcp:toport=1-65535:toaddr=192.168.2.2
sudo firewall-cmd --permanent --zone=m100 --add-forward-port=port=1-65535:proto=udp:toport=1-65535:toaddr=192.168.2.2
#allow forwarding of icmp(ping):
sudo firewall-cmd --permanent --zone=m100 --add-rich-rule='rule family="ipv4" protocol value="icmp" accept'
sudo firewall-cmd --reload
通过这个,我可以在 MyPC 上打开浏览器并导航到 192.168.2.2 并获取机器 B 提供的页面。
我想修改 -add-forward-port 规则,以便转发到 192.168.2.0/24 的所有内容。而不仅仅是单个主机。
我尝试删除 toaddr= 但当我这样做并导航到 192.168.2.2 时,我得到了从机器 A 提供的页面。
答案1
不要使用--add-forward-port。这会设置 DNAT 规则(人们称之为“端口转发”)——实际上不是转发本身,而是翻译。
如果你的接口在同一个区域,--add-forward应该足以启用区域内转发。
如果它们位于不同的区域,您可能必须添加自定义规则(我发现的示例都使用 iptables 语法;虽然我使用 nftables,但我不知道如何使用基于 nftables 的防火墙来执行此操作)。
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -o eno1 -i eno2 -j ACCEPT
如果我没记错的话,NAT 会隐藏一个网络吗?
不完全是。人们通常将此与 NAT 联系起来,但实际上这是因为 1) 缺少路由和 2) 防火墙。NAT 的存在只是“掩盖”了缺少路由的问题,以至于事情似乎在一个方向上有效,但在另一个方向上通常无效。
话虽如此,你绝对不应该如果可以避免,请在网络中间使用 NAT。