Setting up CentOS 7 as a port-forwarding relay

The environment is as follows

Test1

[root@Test1 ~]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
[root@Test1 ~]# ip a | grep inet
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
inet 192.168.0.90/24 brd 192.168.0.255 scope global noprefixroute ens33
inet6 fe80::d61e:a246:be6a:ae7a/64 scope link noprefixroute

Test2

[root@TEST2 ~]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
[root@TEST2 ~]# ifconfig | grep inet
inet 192.168.0.91 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::a219:7b90:d53f:40d3 prefixlen 64 scopeid 0x20
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10

Relay host (zhongzhuanji)

[root@zhongzhuanji ~]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
[root@zhongzhuanji ~]# ifconfig |grep inet
inet 192.168.0.66 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::a175:ab7e:9c90:4cbf prefixlen 64 scopeid 0x20
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10

Goal: Test1 and Test2 reach each other over SSH through the relay host zhongzhuanji.

The SSH port on Test1 and Test2 has been changed to 2222.

When Test1 connects to tcp port 2222 on zhongzhuanji it reaches Test2's SSH port 2222.

When Test2 connects to tcp port 2222 on zhongzhuanji it reaches Test1's SSH port 2222.

Only the following commands are needed on the relay host (firewalld variant; the source address in each rich rule decides which peer the connection is forwarded to)

echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf
sysctl -p
firewall-cmd --permanent --add-masquerade
firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=192.168.0.90 forward-port port=2222 protocol=tcp to-addr=192.168.0.91 to-port=2222'
firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=192.168.0.91 forward-port port=2222 protocol=tcp to-addr=192.168.0.90 to-port=2222'
firewall-cmd --reload
firewall-cmd --list-all

Equivalent iptables rules (if iptables is used instead of firewalld)

iptables -t nat -A PREROUTING -p tcp -s 192.168.0.90 --dport 2222 -j DNAT --to-destination 192.168.0.91:2222
iptables -t nat -A PREROUTING -p tcp -s 192.168.0.91 --dport 2222 -j DNAT --to-destination 192.168.0.90:2222
iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o ens33 -j MASQUERADE
iptables -t nat -nL    # the DNAT/MASQUERADE rules live in the nat table; plain "iptables -nL" only shows the filter table

Test whether it works

On Test1, ssh -p 2222 root@192.168.0.66 should land on Test2's SSH.

On Test2, ssh -p 2222 root@192.168.0.66 should land on Test1's SSH.
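A small audit script for the relay host, added here as an example (it is not part of the original post). It parses the output of `firewall-cmd --list-rich-rules` and `sysctl net.ipv4.ip_forward` and reports forward-port rules that are missing, that nobody intended, or that are not restricted to a source address; the sample output below is constructed, including a deliberately unexpected third rule.

```python
"""Check a relay host's firewalld forward-port rules against the intended Test1 <-> Test2 pairs."""
import re

# Constructed sample of `firewall-cmd --list-rich-rules` on the relay (192.168.0.66).
# The third rule is not part of the intended setup and has no source restriction.
SAMPLE_RICH_RULES = """\
rule family="ipv4" source address="192.168.0.90" forward-port port="2222" protocol="tcp" to-port="2222" to-addr="192.168.0.91"
rule family="ipv4" source address="192.168.0.91" forward-port port="2222" protocol="tcp" to-port="2222" to-addr="192.168.0.90"
rule family="ipv4" forward-port port="3389" protocol="tcp" to-port="3389" to-addr="192.168.0.10"
"""
SAMPLE_SYSCTL = "net.ipv4.ip_forward = 1\n"   # constructed `sysctl net.ipv4.ip_forward` output

# The pairs the post configures: (source, relay port, protocol, to-addr, to-port)
EXPECTED = {
    ("192.168.0.90", "2222", "tcp", "192.168.0.91", "2222"),
    ("192.168.0.91", "2222", "tcp", "192.168.0.90", "2222"),
}

# Matches key="value" tokens; "source address=" / "destination address=" keep their prefix as the key.
ATTR_RE = re.compile(r'(?:(source|destination) )?([\w-]+)="([^"]*)"')


def parse_rich_rule(line):
    """Turn one rich-rule line into a dict, e.g. {'family': 'ipv4', 'source': '192.168.0.90', 'port': '2222', ...}."""
    return {prefix or key: value for prefix, key, value in ATTR_RE.findall(line)}


def forward_pairs(rich_rules_output):
    """Collect (source, port, protocol, to-addr, to-port) for every forward-port rule.
    A rule without a source address gets source '*', so the audit flags it as over-broad."""
    pairs = set()
    for line in rich_rules_output.splitlines():
        if "forward-port" not in line:
            continue
        a = parse_rich_rule(line)
        pairs.add((a.get("source", "*"), a["port"], a["protocol"],
                   a.get("to-addr", ""), a.get("to-port", a["port"])))
    return pairs


def ip_forward_enabled(sysctl_output):
    """True when net.ipv4.ip_forward is 1; without it the DNAT'd packets are never routed on."""
    m = re.search(r"net\.ipv4\.ip_forward\s*=\s*(\d)", sysctl_output)
    return bool(m and m.group(1) == "1")


def audit(rich_rules_output, expected):
    """Return (missing, unexpected): intended pairs absent from the host, and forwards nobody asked for."""
    actual = forward_pairs(rich_rules_output)
    return expected - actual, actual - expected


if __name__ == "__main__":
    missing, unexpected = audit(SAMPLE_RICH_RULES, EXPECTED)
    print("ip_forward enabled:", ip_forward_enabled(SAMPLE_SYSCTL))
    for p in sorted(missing):
        print("MISSING   :", p)
    for p in sorted(unexpected):
        print("UNEXPECTED:", p)
```

On a real relay, feed it the live output with `firewall-cmd --list-rich-rules` and `sysctl net.ipv4.ip_forward` instead of the constructed samples.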

Bonus: firewalld and iptables command reference

1. Basic firewalld usage
Start:  systemctl start firewalld
Check status: systemctl status firewalld
Stop:  systemctl stop firewalld
Disable:  systemctl disable firewalld
Enable a service at boot: systemctl enable firewalld.service
Disable a service at boot: systemctl disable firewalld.service
Check whether a service starts at boot: systemctl is-enabled firewalld.service
List enabled services: systemctl list-unit-files | grep enabled
List services that failed to start: systemctl --failed

2. Configuring with firewall-cmd
Show version: firewall-cmd --version
Show help: firewall-cmd --help
Show state: firewall-cmd --state
Show firewall rules: firewall-cmd --list-all
Show all open ports: firewall-cmd --zone=public --list-ports
Reload firewall rules: firewall-cmd --reload
Show active zones:  firewall-cmd --get-active-zones
Show the zone of an interface: firewall-cmd --get-zone-of-interface=eth0
Drop all packets (panic mode): firewall-cmd --panic-on
Leave panic mode: firewall-cmd --panic-off
Check panic mode: firewall-cmd --query-panic

3. Opening ports with firewall-cmd
firewall-cmd --zone=public --add-port=80/tcp --permanent   # zone public, open tcp port 80, persistent
firewall-cmd --zone=public --add-port=80-90/tcp --permanent # zone public, open tcp ports 80-90 in one go, persistent
firewall-cmd --zone=public --add-port=80/tcp --add-port=90/tcp --permanent # zone public, open tcp ports 80 and 90, persistent
firewall-cmd --zone=public --add-service=http --permanent # open the http service, persistent
firewall-cmd --reload    # reload so the rules take effect; systemctl restart firewalld does the same
firewall-cmd --zone=public --query-port=80/tcp  # check whether tcp port 80 is open
firewall-cmd --zone=public --remove-port=80/tcp --permanent  # remove it
firewall-cmd --list-services
firewall-cmd --get-services
firewall-cmd --add-service=

4. Usage notes
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.4/24" service name="http" accept'    // allow a given source to reach a service
firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.0.4/24" service name="http" accept' // remove that rule
firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=192.168.0.1/2 port port=80 protocol=tcp accept'     // allow a given source to reach a port
firewall-cmd --permanent --remove-rich-rule 'rule family=ipv4 source address=192.168.0.1/2 port port=80 protocol=tcp accept'     // remove that rule

firewall-cmd --query-masquerade  # check whether IP masquerading is enabled
firewall-cmd --add-masquerade    # enable IP masquerading
firewall-cmd --remove-masquerade # disable IP masquerading

firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080   # forward port 80 traffic to port 8080
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1 # forward port 80 traffic to 192.168.0.1
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1:toport=8080 # forward port 80 traffic to 192.168.0.1 port 8080

Command reference for releases before CentOS 7
1. Open ports 80, 22 and 8080
/sbin/iptables -I INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -I INPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -I INPUT -p tcp --dport 8080 -j ACCEPT

By source IP

/sbin/iptables -I INPUT -s 123.45.6.7 -j ACCEPT
2. Save
/etc/rc.d/init.d/iptables save
3. Show open ports
/etc/init.d/iptables status
4. Turning the firewall on and off
1) Persistent, survives a reboot
On: chkconfig iptables on
Off: chkconfig iptables off
2) Immediate, reverts after a reboot
On: service iptables start

Off: service iptables stop
