记录两种内网 Linux 上网的方式

# 环境

网络环境如下:

机器 1(可上外网):

enp0s3: 192.168.100.55/24(可上网的网卡)

enp0s8: 192.168.56.103/24(内网)

机器 2(内网):

enp0s3: 192.168.56.101/24

想达到的效果:机器 2 通过机器 1 访问外网

# NAT 上网

# 清理可能会影响 NAT 的规则

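# Reset iptables to an empty, all-ACCEPT state before the NAT rules are added.
# NOTE(review): this wipes every rule on the host, including any existing host
# firewall; run it only on the machine that is meant to become the gateway.
# Stop at the first failing call (e.g. not root) instead of leaving a half-reset table.
set -eu

# reset the default policies in the filter table.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# reset the default policies in the nat table.
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
# reset the default policies in the mangle table. mangle has five built-in
# chains, not just PREROUTING/OUTPUT, so reset all of them.
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
# flush all the rules in the filter, nat and mangle tables.
iptables -F
iptables -t nat -F
iptables -t mangle -F
# erase all user-defined chains in the filter, nat and mangle tables.
iptables -X
iptables -t nat -X
iptables -t mangle -X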

# 配置 nat 服务

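# Turn machine 1 into the NAT gateway: 192.168.56.0/24 (enp0s8, intranet)
# reaches the internet through enp0s3 (192.168.100.55).
set -eu

# Enable IPv4 forwarding persistently. `sysctl -w` only changes the running
# kernel, and the `sysctl -p` that followed it re-reads /etc/sysctl.conf and
# can silently revert the value; writing a drop-in and loading that file makes
# the running state and the boot-time state the same.
# (The drop-in name is our own choice; any *.conf under /etc/sysctl.d/ works.)
sysctl_conf=/etc/sysctl.d/99-nat-gateway.conf
cat > "$sysctl_conf" <<'EOF'
# IPv4 forwarding is what NAT needs
net.ipv4.ip_forward = 1
# A forwarding host must not tell intranet clients to route around it
net.ipv4.conf.all.send_redirects = 0
EOF
sysctl -p "$sysctl_conf"
# IPv6 forwarding (net.ipv6.conf.all.forwarding) is deliberately left off:
# this setup only NATs IPv4 and configures no ip6tables rules, so enabling it
# would make the host forward IPv6 traffic unfiltered for no benefit.

# Forward only what the gateway exists for: intranet -> internet plus the
# replies. With the FORWARD policy at DROP nothing else transits the host.
iptables -P FORWARD DROP
iptables -A FORWARD -i enp0s8 -o enp0s3 -s 192.168.56.0/24 -j ACCEPT
iptables -A FORWARD -i enp0s3 -o enp0s8 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Rewrite the source of intranet packets leaving enp0s3 to the outside address.
# SNAT rather than MASQUERADE because 192.168.100.55 is a fixed address.
iptables -t nat -A POSTROUTING -o enp0s3 -s 192.168.56.0/24 -j SNAT --to-source 192.168.100.55
# Persist to /etc/sysconfig/iptables (needs iptables-services) and reload.
service iptables save
service iptables restart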

# 设置内网机器的网关

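# On machine 2: send all non-local traffic to machine 1's intranet address.
# `route` (net-tools) is deprecated; iproute2's `ip route` is the maintained tool.
# This only changes the running table; add the gateway to the NIC's network
# configuration as well so it survives a reboot.
ip route add default via 192.168.56.103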

# NAT 服务完整的 iptables 设置

# cat /etc/sysconfig/iptables
# Rule set persisted by `service iptables save` on machine 1 (the NAT gateway).
# The numbers in [packets:bytes] are the chain counters at save time.
# Generated by iptables-save v1.8.4 on Sun Mar  7 03:07:59 2021
*raw
:PREROUTING ACCEPT [14276:898910]
:OUTPUT ACCEPT [20516:3683176]
COMMIT
# Completed on Sun Mar  7 03:07:59 2021
# Generated by iptables-save v1.8.4 on Sun Mar  7 03:07:59 2021
*mangle
:PREROUTING ACCEPT [14276:898910]
:INPUT ACCEPT [14131:882622]
:FORWARD ACCEPT [145:16288]
:OUTPUT ACCEPT [20516:3683176]
:POSTROUTING ACCEPT [20661:3699464]
COMMIT
# Completed on Sun Mar  7 03:07:59 2021
# Generated by iptables-save v1.8.4 on Sun Mar  7 03:07:59 2021
*filter
# NOTE(review): FORWARD is ACCEPT with no rules, so with ip_forward=1 the
# gateway forwards any packet routed through it, not only
# 192.168.56.0/24 -> enp0s3. The SNAT rule in the nat table only rewrites
# addresses; it does not restrict what is forwarded.
:INPUT ACCEPT [14131:882622]
:FORWARD ACCEPT [145:16288]
:OUTPUT ACCEPT [20516:3683176]
COMMIT
# Completed on Sun Mar  7 03:07:59 2021
# Generated by iptables-save v1.8.4 on Sun Mar  7 03:07:59 2021
*nat
:PREROUTING ACCEPT [51:4059]
:INPUT ACCEPT [2:458]
:POSTROUTING ACCEPT [33:3264]
:OUTPUT ACCEPT [33:3264]
# Only traffic from the intranet segment leaving via enp0s3 gets its source
# rewritten to the outside address.
-A POSTROUTING -s 192.168.56.0/24 -o enp0s3 -j SNAT --to-source 192.168.100.55
COMMIT
# Completed on Sun Mar  7 03:07:59 2021

# 阿里 ECS 的 NAT 配置

由于阿里 ECS 可以在网页端配置自定义路由,配置过程有些变化

首先需要打开内核转发,方式同上。

然后去阿里云控制台 专有网络->路由表 添加自定义路由:

目标网段 0.0.0.0/0 下一跳地址设置为可上网的 ECS。

最后应用 iptables 规则:

# NAT rule for the Ali ECS gateway. MASQUERADE picks the outgoing interface's
# address at match time, so no fixed --to-source is needed here.
# 172.16.0.0/16 is the intranet (VPC) segment.
intranet_cidr=172.16.0.0/16
iptables -t nat -A POSTROUTING -s "$intranet_cidr" -j MASQUERADE

# squid 代理上网

# 安装 squid

# Install the squid proxy; -y answers the confirmation prompt.
dnf -y install squid
# Review squid's configuration. As shipped it only allows clients from the
# intranet segment and listens on port 3128, which is what the firewall rules
# and the client proxy settings below rely on.
vim /etc/squid/squid.conf

# 配置防火墙

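# Replace firewalld with iptables-services and expose the squid port (3128)
# only to the intranet segment.
set -eu

# The unit is "firewalld", not "firewald": with the typo both commands fail and
# firewalld keeps running alongside iptables-services. Guarded so the script
# also works on images where firewalld is not installed.
if systemctl is-active --quiet firewalld.service; then
  systemctl stop firewalld.service
fi
if systemctl is-enabled --quiet firewalld.service; then
  systemctl disable firewalld.service
fi
# Same package manager as the squid install above.
dnf -y install iptables-services iptables-devel
systemctl enable iptables.service
systemctl start iptables.service
# Rule 1: intranet clients may reach the proxy; rule 2: everyone else is dropped.
# Both are inserted at the top so no earlier ACCEPT rule can shadow them.
iptables -I INPUT 1 -s 192.168.56.0/24 -p tcp --dport 3128 -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 3128 -j DROP
# iptables-services restores /etc/sysconfig/iptables at boot; without a save
# the two rules above are gone after the next restart.
service iptables save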

# 客户机代理设置

编辑 .bashrc

# Send HTTP and HTTPS clients through the squid proxy on machine 1.
export http_proxy=http://192.168.56.103:3128
# Same endpoint for HTTPS (the proxy itself is reached over plain HTTP).
export https_proxy="$http_proxy"
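# Apply the proxy variables in the current shell. Use an absolute path: a bare
# `source .bashrc` only works when the current directory happens to be $HOME.
# Other sessions pick the variables up at their next login.
source "$HOME/.bashrc"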