{"id":262,"date":"2022-03-13T14:42:17","date_gmt":"2022-03-13T06:42:17","guid":{"rendered":"http:\/\/feel.name\/?p=262"},"modified":"2022-03-13T18:43:17","modified_gmt":"2022-03-13T10:43:17","slug":"centos-7%e5%bd%93%e7%ab%af%e5%8f%a3%e8%bd%ac%e5%8f%91%e4%b8%ad%e8%bd%ac%e8%ae%be%e7%bd%ae","status":"publish","type":"post","link":"https:\/\/feel.name\/?p=262","title":{"rendered":"Centos 7\u5f53\u7aef\u53e3\u8f6c\u53d1\u4e2d\u8f6c\u8bbe\u7f6e"},"content":{"rendered":"\n

\u73af\u5883\u5982\u4e0b<\/p>\n\n\n\n

Test1<\/p>\n\n\n\n

[root@Test1 ~]# cat \/etc\/redhat-release
CentOS Linux release 7.9.2009 (Core)
[root@Test1 ~]# ip a | grep inet
inet 127.0.0.1\/8 scope host lo
inet6 ::1\/128 scope host
inet 192.168.0.90\/24 brd 192.168.0.255 scope global noprefixroute ens33
inet6 fe80::d61e:a246:be6a:ae7a\/64 scope link noprefixroute<\/p>\n\n\n\n

Test2<\/p>\n\n\n\n

[root@TEST2 ~]# cat \/etc\/redhat-release
CentOS Linux release 7.9.2009 (Core)
[root@TEST2 ~]# ifconfig | grep inet
inet 192.168.0.91 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::a219:7b90:d53f:40d3 prefixlen 64 scopeid 0x20
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<\/p>\n\n\n\n

\u4e2d\u8f6c\u673a<\/p>\n\n\n\n

[root@zhongzhuanji ~]# cat \/etc\/redhat-release
CentOS Linux release 7.9.2009 (Core)
[root@zhongzhuanji ~]# ifconfig |grep inet
inet 192.168.0.66 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::a175:ab7e:9c90:4cbf prefixlen 64 scopeid 0x20
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<\/p>\n\n\n\n

\u5b9e\u73b0\u529f\u80fd Test1 Test2 \u5f7c\u6b64\u95f4\u901a\u8fc7zhongzhuanji\u8fd9\u53f0\u6765\u5b9e\u73b0ssh\u901a\u4fe1<\/p>\n\n\n\n

Test1 Test2 ssh\u7aef\u53e3\u66f4\u6539\u4e3a2222 <\/p>\n\n\n\n

Test1 \u8bbf\u95ee zhongzhuanji tcp 2222\u7aef\u53e3\u5c31\u80fd\u8bbf\u95ee\u5230Test2\u7684ssh\u7aef\u53e32222<\/p>\n\n\n\n

Test2 \u8bbf\u95ee zhongzhuanji tcp 2222\u7aef\u53e3\u5c31\u80fd\u8bbf\u95ee\u5230Test1\u7684ssh\u7aef\u53e32222 <\/p>\n\n\n\n

\u4e2d\u8f6c\u673a\u4e0a\u64cd\u4f5c\u4e00\u4e0b\u547d\u4ee4\u5373\u53ef<\/p>\n\n\n\n

echo net.ipv4.ip_forward=1>>\/etc\/sysctl.conf
sysctl -p
firewall-cmd –permanent –add-masquerade
firewall-cmd –permanent –add-rich-rule ‘rule family=ipv4 source address=192.168.0.90 forward-port port=2222 protocol=tcp to-addr=192.168.0.91 to-port=2222’
firewall-cmd –permanent –add-rich-rule ‘rule family=ipv4 source address=192.168.0.91 forward-port port=2222 protocol=tcp to-addr=192.168.0.90 to-port=2222’
firewall-cmd –reload
firewall-cmd –list-all<\/p>\n\n\n\n

iptables<\/p>\n\n\n\n

iptables -t nat -A PREROUTING -p tcp -s 192.168.0.90 –dport 2222 -j DNAT –to-destination 192.168.0.91:2222
iptables -t nat -A PREROUTING -p tcp -s 192.168.0.91 –dport 2222 -j DNAT –to-destination 192.168.0.90:2222
iptables -t nat -A POSTROUTING -s 192.168.0.0\/255.255.255.0 -o ens33 -j MASQUERADE
iptables -nL
<\/p>\n\n\n\n

\u6d4b\u8bd5\u4e0b\u662f\u5426\u901a\u8fc7<\/p>\n\n\n\n

Test1\u4e0assh -p 2222 root@192.168.0.66\u80fd\u8bbf\u95eeTest2\u7684ssh\u5c31\u53ef\u4ee5\u3002<\/p>\n\n\n\n

Test2\u4e0assh -p 2222 root@192.168.0.66\u80fd\u8bbf\u95eeTest1\u7684ssh\u5c31\u53ef\u4ee5\u3002 <\/p>\n\n\n\n

\u9644\u8d60firewalld\u548ciptables\u7684\u547d\u4ee4<\/p>\n\n\n\n

1.firewalld\u7684\u57fa\u672c\u4f7f\u7528
\u542f\u52a8\uff1a  systemctl start firewalld
\u67e5\u770b\u72b6\u6001\uff1asystemctl status firewalld
\u505c\u6b62\uff1a  systemctl disable firewalld
\u7981\u7528\uff1a  systemctl stop firewalld
\u5728\u5f00\u673a\u65f6\u542f\u7528\u4e00\u4e2a\u670d\u52a1\uff1asystemctl enable firewalld.service
\u5728\u5f00\u673a\u65f6\u7981\u7528\u4e00\u4e2a\u670d\u52a1\uff1asystemctl disable firewalld.service
\u67e5\u770b\u670d\u52a1\u662f\u5426\u5f00\u673a\u542f\u52a8\uff1asystemctl is-enabled firewalld.service
\u67e5\u770b\u5df2\u542f\u52a8\u7684\u670d\u52a1\u5217\u8868\uff1asystemctl list-unit-files|grep enabled
\u67e5\u770b\u542f\u52a8\u5931\u8d25\u7684\u670d\u52a1\u5217\u8868\uff1asystemctl –failed<\/p>\n\n\n\n

2.\u914d\u7f6efirewalld-cmd
\u67e5\u770b\u7248\u672c\uff1a firewall-cmd –version
\u67e5\u770b\u5e2e\u52a9\uff1a firewall-cmd –help
\u663e\u793a\u72b6\u6001\uff1a firewall-cmd –state
\u67e5\u770b\u9632\u706b\u5899\u89c4\u5219\uff1a firewall-cmd –list-all
\u67e5\u770b\u6240\u6709\u6253\u5f00\u7684\u7aef\u53e3\uff1a firewall-cmd –zone=public –list-ports
\u66f4\u65b0\u9632\u706b\u5899\u89c4\u5219\uff1a firewall-cmd –reload
\u67e5\u770b\u533a\u57df\u4fe1\u606f:  firewall-cmd –get-active-zones
\u67e5\u770b\u6307\u5b9a\u63a5\u53e3\u6240\u5c5e\u533a\u57df\uff1a firewall-cmd –get-zone-of-interface=eth0
\u62d2\u7edd\u6240\u6709\u5305\uff1afirewall-cmd –panic-on
\u53d6\u6d88\u62d2\u7edd\u72b6\u6001\uff1a firewall-cmd –panic-off
\u67e5\u770b\u662f\u5426\u62d2\u7edd\uff1a firewall-cmd –query-panic<\/p>\n\n\n\n

3.\u901a\u8fc7firewall-cmd \u5f00\u653e\u7aef\u53e3
firewall-cmd –zone=public –add-port=80\/tcp –permanent   #\u4f5c\u7528\u57df\u662fpublic\uff0c\u5f00\u653etcp\u534f\u8bae\u768480\u7aef\u53e3\uff0c\u4e00\u76f4\u6709\u6548
firewall-cmd –zone=public –add-port=80-90\/tcp –permanent #\u4f5c\u7528\u57df\u662fpublic\uff0c\u6279\u91cf\u5f00\u653etcp\u534f\u8bae\u768480-90\u7aef\u53e3\uff0c\u4e00\u76f4\u6709\u6548
firewall-cmd –zone=public –add-port=80\/tcp  –add-port=90\/tcp –permanent #\u4f5c\u7528\u57df\u662fpublic\uff0c\u6279\u91cf\u5f00\u653etcp\u534f\u8bae\u768480\u300190\u7aef\u53e3\uff0c\u4e00\u76f4\u6709\u6548
firewall-cmd –zone=public –add-service=http –permanent #\u5f00\u653e\u7684\u670d\u52a1\u662fhttp\u534f\u8bae\uff0c\u4e00\u76f4\u6709\u6548
firewall-cmd –reload    # \u91cd\u65b0\u8f7d\u5165\uff0c\u66f4\u65b0\u9632\u706b\u5899\u89c4\u5219\uff0c\u8fd9\u6837\u624d\u751f\u6548\u3002\u901a\u8fc7systemctl restart firewall \u4e5f\u53ef\u4ee5\u8fbe\u5230
firewall-cmd –zone= public –query-port=80\/tcp  #\u67e5\u770btcp\u534f\u8bae\u768480\u7aef\u53e3\u662f\u5426\u751f\u6548
firewall-cmd –zone= public –remove-port=80\/tcp –permanent  # \u5220\u9664
firewall-cmd –list-services
firewall-cmd –get-services
firewall-cmd –add-service=<\/p>\n\n\n\n

4.\u4f7f\u7528\u5907\u5fd8
firewall-cmd –permanent –zone=public –add-rich-rule=’rule family=”ipv4″ source address=”192.168.0.4\/24″ service name=”http” accept’    \/\/\u8bbe\u7f6e\u67d0\u4e2aip\u8bbf\u95ee\u67d0\u4e2a\u670d\u52a1
firewall-cmd –permanent –zone=public –remove-rich-rule=’rule family=”ipv4″ source address=”192.168.0.4\/24″ service name=”http” accept’ \/\/\u5220\u9664\u914d\u7f6e
firewall-cmd –permanent –add-rich-rule ‘rule family=ipv4 source address=192.168.0.1\/2 port port=80 protocol=tcp accept’     \/\/\u8bbe\u7f6e\u67d0\u4e2aip\u8bbf\u95ee\u67d0\u4e2a\u7aef\u53e3
firewall-cmd –permanent –remove-rich-rule ‘rule family=ipv4 source address=192.168.0.1\/2 port port=80 protocol=tcp accept’     \/\/\u5220\u9664\u914d\u7f6e<\/p>\n\n\n\n

firewall-cmd –query-masquerade  # \u68c0\u67e5\u662f\u5426\u5141\u8bb8\u4f2a\u88c5IP
firewall-cmd –add-masquerade    # \u5141\u8bb8\u9632\u706b\u5899\u4f2a\u88c5IP
firewall-cmd –remove-masquerade # \u7981\u6b62\u9632\u706b\u5899\u4f2a\u88c5IP<\/p>\n\n\n\n

firewall-cmd –add-forward-port=port=80:proto=tcp:toport=8080   # \u5c0680\u7aef\u53e3\u7684\u6d41\u91cf\u8f6c\u53d1\u81f38080
firewall-cmd –add-forward-port=proto=80:proto=tcp:toaddr=192.168.1.0.1 # \u5c0680\u7aef\u53e3\u7684\u6d41\u91cf\u8f6c\u53d1\u81f3192.168.0.1
firewall-cmd –add-forward-port=proto=80:proto=tcp:toaddr=192.168.0.1:toport=8080 # \u5c0680\u7aef\u53e3\u7684\u6d41\u91cf\u8f6c\u53d1\u81f3192.168.0.1\u76848080\u7aef\u53e3<\/p>\n\n\n\n

Centos7\u4ee5\u524d\u547d\u4ee4\u5907\u5fd8
1.\u5f00\u653e80\uff0c22\uff0c8080 \u7aef\u53e3
\/sbin\/iptables -I INPUT -p tcp –dport 80 -j ACCEPT
\/sbin\/iptables -I INPUT -p tcp –dport 22 -j ACCEPT
\/sbin\/iptables -I INPUT -p tcp –dport 8080 -j ACCEPT<\/p>\n\n\n\n

\u901a\u8fc7ip<\/p>\n\n\n\n

\/sbin\/iptables -I INPUT -s 123.45.6.7 -j  ACCEPT
2.\u4fdd\u5b58
\/etc\/rc.d\/init.d\/iptables save
3.\u67e5\u770b\u6253\u5f00\u7684\u7aef\u53e3
\/etc\/init.d\/iptables status
4.\u5173\u95ed\u9632\u706b\u5899
1\uff09 \u6c38\u4e45\u6027\u751f\u6548\uff0c\u91cd\u542f\u540e\u4e0d\u4f1a\u590d\u539f
\u5f00\u542f\uff1a chkconfig iptables on
\u5173\u95ed\uff1a chkconfig iptables off
2\uff09 \u5373\u65f6\u751f\u6548\uff0c\u91cd\u542f\u540e\u590d\u539f
\u5f00\u542f\uff1a service iptables start<\/p>\n\n\n\n

\u5173\u95ed\uff1a service iptables stop<\/h2>\n\n\n\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

\u73af\u5883\u5982\u4e0b Test1 [root@Test1 ~]# cat \/etc\/redhat-releaseCentO…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-262","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/feel.name\/index.php?rest_route=\/wp\/v2\/posts\/262","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/feel.name\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/feel.name\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/feel.name\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/feel.name\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=262"}],"version-history":[{"count":3,"href":"https:\/\/feel.name\/index.php?rest_route=\/wp\/v2\/posts\/262\/revisions"}],"predecessor-version":[{"id":265,"href":"https:\/\/feel.name\/index.php?rest_route=\/wp\/v2\/posts\/262\/revisions\/265"}],"wp:attachment":[{"href":"https:\/\/feel.name\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=262"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/feel.name\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=262"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/feel.name\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=262"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}