
Notes on two ways to give an intranet Linux host internet access

Environment

The network layout is as follows:

Machine 1 (has internet access):

enp0s3: 192.168.100.55/24 (the interface with internet access)

enp0s8: 192.168.56.103/24 (intranet)

Machine 2 (intranet only):

enp0s3: 192.168.56.101/24

Goal: machine 2 reaches the internet through machine 1.

Internet access via NAT

Clear any rules that could interfere with NAT. Note that this leaves every chain in the filter, nat and mangle tables with an ACCEPT policy, so the host firewall is wide open until you add rules back.

```bash
## reset the default policies in the filter table.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
## reset the default policies in the nat table.
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
## reset the default policies in the mangle table.
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
## flush all the rules in the filter, nat and mangle tables.
iptables -F
iptables -t nat -F
iptables -t mangle -F
## erase all chains that are not default in the filter, nat and mangle tables.
iptables -X
iptables -t nat -X
iptables -t mangle -X
```

Configure the NAT service

```bash
## Enable IP forwarding
## Note: sysctl -w only changes the running kernel, and sysctl -p only reloads
## /etc/sysctl.conf, so put these keys in /etc/sysctl.conf or /etc/sysctl.d/
## as well if they must survive a reboot.
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1
## Disable ICMP redirects (the gateway must not tell clients to route elsewhere)
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -p
## Rewrite the source of intranet traffic leaving enp0s3 to the internet-facing address
iptables -t nat -A POSTROUTING -o enp0s3 -s 192.168.56.0/24 -j SNAT --to 192.168.100.55
service iptables save
service iptables restart
```

Set the default gateway on the intranet machine

```bash
## net-tools syntax; the iproute2 equivalent is: ip route add default via 192.168.56.103
route add default gw 192.168.56.103
```

Complete iptables configuration of the NAT service

```bash
# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.8.4 on Sun Mar  7 03:07:59 2021
*raw
:PREROUTING ACCEPT [14276:898910]
:OUTPUT ACCEPT [20516:3683176]
COMMIT
# Completed on Sun Mar  7 03:07:59 2021
# Generated by iptables-save v1.8.4 on Sun Mar  7 03:07:59 2021
*mangle
:PREROUTING ACCEPT [14276:898910]
:INPUT ACCEPT [14131:882622]
:FORWARD ACCEPT [145:16288]
:OUTPUT ACCEPT [20516:3683176]
:POSTROUTING ACCEPT [20661:3699464]
COMMIT
# Completed on Sun Mar  7 03:07:59 2021
# Generated by iptables-save v1.8.4 on Sun Mar  7 03:07:59 2021
*filter
:INPUT ACCEPT [14131:882622]
:FORWARD ACCEPT [145:16288]
:OUTPUT ACCEPT [20516:3683176]
COMMIT
# Completed on Sun Mar  7 03:07:59 2021
# Generated by iptables-save v1.8.4 on Sun Mar  7 03:07:59 2021
*nat
:PREROUTING ACCEPT [51:4059]
:INPUT ACCEPT [2:458]
:POSTROUTING ACCEPT [33:3264]
:OUTPUT ACCEPT [33:3264]
-A POSTROUTING -s 192.168.56.0/24 -o enp0s3 -j SNAT --to-source 192.168.100.55
COMMIT
# Completed on Sun Mar  7 03:07:59 2021
```
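The saved ruleset above works, but its filter table still carries the FORWARD ACCEPT policy left behind by the reset step, so machine 1 forwards packets for any host that can route through it, not only the intranet subnet. The following script is an added example written for this post (it is not part of the original notes): it parses iptables-save style text, checks that the SNAT rule for the page's subnet and interfaces is present, flags a wide-open FORWARD chain, and prints a corrected ruleset whose FORWARD chain defaults to DROP and only forwards intranet-to-internet traffic and its replies. The interface names and addresses are the page's own; the ruleset texts are constructed for the example rather than captured from a host.

```bash
#!/bin/sh
# Added example for this post (not code from the original): audit a saved
# iptables ruleset for the NAT-gateway setup described above, and emit the
# tighter ruleset that a blanket "FORWARD ACCEPT" policy should be replaced
# with. Interface and address values are the page's own (enp0s3, enp0s8,
# 192.168.56.0/24, 192.168.100.55); the rulesets are constructed, not captured.

LAN_NET="192.168.56.0/24"
LAN_IF="enp0s8"
WAN_IF="enp0s3"
WAN_IP="192.168.100.55"

# Constructed iptables-save output mirroring the page's /etc/sysconfig/iptables:
# SNAT present, but every chain still has the ACCEPT policy left by the reset.
WEAK_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.56.0/24 -o enp0s3 -j SNAT --to-source 192.168.100.55
COMMIT'

# Print the default policy of a chain in a table ("filter FORWARD" -> ACCEPT);
# exit status 1 when the chain is not in the ruleset.
chain_policy() {
    # $1 = ruleset text, $2 = table, $3 = chain
    printf '%s\n' "$1" | awk -v t="*$2" -v c=":$3" '
        $1 == t        { intable = 1; next }
        $1 == "COMMIT" { intable = 0 }
        intable && $1 == c { print $2; found = 1; exit }
        END { exit (found ? 0 : 1) }'
}

# Succeed only if the nat table holds the SNAT rule the gateway needs:
# intranet source, leaving via the WAN interface, rewritten to the WAN address.
has_snat_rule() {
    printf '%s\n' "$1" |
        grep -q -- "^-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP\$"
}

# The corrected ruleset: same SNAT, but FORWARD defaults to DROP and only
# intranet -> WAN traffic plus the replies to it are forwarded.
hardened_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $LAN_NET -i $LAN_IF -o $WAN_IF -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP
COMMIT
EOF
}

# Audit verdict: 0 = SNAT present and FORWARD closed by default,
# 1 = FORWARD wide open, 2 = SNAT rule missing.
audit_gateway() {
    if ! has_snat_rule "$1"; then
        echo "missing SNAT rule for $LAN_NET via $WAN_IF"
        return 2
    fi
    policy=$(chain_policy "$1" filter FORWARD) || policy="(absent)"
    if [ "$policy" = "ACCEPT" ]; then
        echo "FORWARD policy is ACCEPT: any host that can route via this box gets forwarded"
        return 1
    fi
    echo "ok: SNAT present, FORWARD policy $policy"
    return 0
}

# Stand-alone run: audit the weak ruleset, then the hardened one.
audit_gateway "$WEAK_RULES" || true
audit_gateway "$(hardened_ruleset)" || true
```

To use it against a real gateway, feed `iptables-save` output (or the contents of /etc/sysconfig/iptables) to `audit_gateway`; `hardened_ruleset` prints text in iptables-restore format, so it can be reviewed and then loaded with `iptables-restore`.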

NAT on Alibaba Cloud ECS

Because Alibaba Cloud ECS lets you configure custom routes from the web console, the procedure changes slightly.

First enable kernel forwarding, the same way as above.

Then open the Alibaba Cloud console, go to VPC -> Route Tables, and add a custom route:

Destination CIDR 0.0.0.0/0, next hop set to the ECS instance that has internet access.

Finally apply the iptables rule:

```bash
## the iptables rule is as follows
## 172.16.0.0/16 is the intranet subnet
## MASQUERADE picks the outgoing interface's address automatically, so no --to-source is needed
iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -j MASQUERADE
```

Internet access via a squid proxy

Install squid

```bash
dnf install squid -y
```

```bash
vim /etc/squid/squid.conf
## the default config only allows access from the private (intranet) subnets
## it listens on port 3128
```

Configure the firewall

```bash
systemctl stop firewalld.service
systemctl disable firewalld.service
yum install iptables-services iptables-devel -y
systemctl enable iptables.service
systemctl start iptables.service
## allow only the intranet subnet to reach squid on 3128; drop everyone else
iptables -I INPUT 1 -s 192.168.56.0/24 -p tcp --dport 3128 -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 3128 -j DROP
```
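The firewall rule above is the outer guard; the inner one is squid's own http_access list, which the notes only describe as "the default only allows the intranet subnets". The script below is an added example written for this post (not code from the original or from the squid project): it lints a squid.conf text for that posture, checking that the http_access list ends with deny all, that no allow all precedes it, that the localnet ACL names only the page's intranet subnet, and it reports the listening port so it can be matched against the --dport 3128 rule. Both configuration texts are constructed for the example.

```bash
#!/bin/sh
# Added example for this post (not code from the original): lint a squid.conf
# for the intranet-only posture the page relies on. The intranet subnet is the
# page's own (192.168.56.0/24); both config texts below are constructed.

LAN_NET="192.168.56.0/24"

# Constructed: a config restricted to the intranet, in the style of the stock squid.conf.
GOOD_CONF='acl localnet src 192.168.56.0/24
acl Safe_ports port 80
acl Safe_ports port 443
http_access deny !Safe_ports
http_access allow localhost
http_access allow localnet   # intranet hosts only
http_access deny all
http_port 3128'

# Constructed: a common misconfiguration that turns the box into an open proxy.
BAD_CONF='acl localnet src 0.0.0.0/0
http_access allow all
http_access deny all
http_port 3128'

# Print the effective http_access lines: comments stripped, whitespace normalised.
access_lines() {
    printf '%s\n' "$1" | sed 's/#.*//' | awk '$1 == "http_access" { $1 = $1; print }'
}

# 0 if the last http_access line is "deny all" and no earlier line is "allow all".
access_is_closed() {
    lines=$(access_lines "$1")
    [ -n "$lines" ] || return 1
    last=$(printf '%s\n' "$lines" | tail -n 1)
    [ "$last" = "http_access deny all" ] || return 1
    ! printf '%s\n' "$lines" | grep -q '^http_access allow all$'
}

# Print every source the localnet ACL covers, one per line.
localnet_sources() {
    printf '%s\n' "$1" | sed 's/#.*//' |
        awk '$1 == "acl" && $2 == "localnet" && $3 == "src" { for (i = 4; i <= NF; i++) print $i }'
}

# 0 only if the localnet ACL exists and every source in it is the intranet subnet.
localnet_is_intranet() {
    srcs=$(localnet_sources "$1")
    [ -n "$srcs" ] || return 1
    printf '%s\n' "$srcs" | awk -v want="$LAN_NET" '$0 != want { bad = 1 } END { exit (bad ? 1 : 0) }'
}

# Port squid listens on (first http_port directive), for cross-checking the firewall rule.
squid_port() {
    printf '%s\n' "$1" | sed 's/#.*//' | awk '$1 == "http_port" { print $NF; exit }'
}

# Overall verdict: 0 = intranet-only, 1 = usable by anyone who can reach the port.
audit_squid_conf() {
    access_is_closed "$1" && localnet_is_intranet "$1"
}

# Stand-alone run: report both configs.
for conf in "$GOOD_CONF" "$BAD_CONF"; do
    if audit_squid_conf "$conf"; then
        echo "port $(squid_port "$conf"): intranet-only"
    else
        echo "port $(squid_port "$conf"): open-proxy risk"
    fi
done
```

Run it against a live host with `audit_squid_conf "$(cat /etc/squid/squid.conf)"`; the port printed by `squid_port` is the one the INPUT rules above must reference, so a change of http_port without a matching firewall change shows up as a mismatch.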

Client proxy settings

Edit .bashrc

```bash
export http_proxy=http://192.168.56.103:3128
export https_proxy=http://192.168.56.103:3128
```

```bash
## apply the environment variables
source .bashrc
```
