Warning: this article is meant only for a lab environment; do not apply this configuration in production.
Scenario
There is one gateway server:
- its internal NIC has the IPv4 address 192.168.137.100 on the internal network 192.168.137.0/24;
- its external NIC has the IPv4 address 192.168.153.150 on the external network 192.168.153.0/24.
There are two internal servers:
- node1: NIC address 192.168.137.101;
- node2: NIC address 192.168.137.102.
Solution
1. Check IPv4 forwarding on the gateway server
Linux does not enable IP forwarding by default. Check it with cat /proc/sys/net/ipv4/ip_forward and change the value to 1.
➜ ~ cat /proc/sys/net/ipv4/ip_forward
0
➜ ~ echo 1 > /proc/sys/net/ipv4/ip_forward
➜ ~ cat /proc/sys/net/ipv4/ip_forward
1
This change is lost when the server reboots; to make it persist across reboots, edit /etc/sysctl.conf instead.
➜ ~ vim /etc/sysctl.conf
################### omitted #####################
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
################### omitted #####################
2. Change the gateway firewall state
Set up NAT on the gateway server so that the internal server addresses 192.168.137.101 and 192.168.137.102 are translated.
iptables -t nat -A POSTROUTING -s 192.168.137.102 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.137.101 -j MASQUERADE
Use iptables -t nat -L to view the firewall state at this point:
➜ ~ iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- node1 anywhere
MASQUERADE all -- node2 anywhere
Use iptables-save -t nat to save the nat table; here it is written to the file /etc/iptables/rules.v4.
➜ ~ iptables-save -t nat > /etc/iptables/rules.v4
# Generated by iptables-save v1.6.1 on Fri Aug 30 15:20:22 2019
*nat
:PREROUTING ACCEPT [43:3395]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.137.101/32 -j MASQUERADE
-A POSTROUTING -s 192.168.137.102/32 -j MASQUERADE
COMMIT
# Completed on Fri Aug 30 15:20:22 2019
Use iptables-restore < /etc/iptables/rules.v4 to load the firewall policy back from the saved file.
➜ ~ iptables-restore < /etc/iptables/rules.v4
➜ ~ iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- node2 anywhere
MASQUERADE all -- node1 anywhere
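As an added example (not part of the original post), the following script generates a tighter ruleset for this gateway: the rules above masquerade each host without naming an outbound interface and leave the FORWARD chain at its default policy ACCEPT, so the gateway relays traffic in both directions, including connections arriving from the external network toward the LAN. The gateway's interface names ens33/ens34 are assumptions; the output is in iptables-restore format, so it can replace /etc/iptables/rules.v4.

```shell
#!/bin/sh
# Added example, not the post's own configuration. Produces an iptables-restore
# ruleset in which MASQUERADE is limited to the LAN subnet leaving through the
# external NIC, and the FORWARD chain only passes LAN-originated connections
# and their replies. Interface names below are assumed, not from the post.
LAN_IF="${LAN_IF:-ens33}"   # assumed name of the 192.168.137.0/24 NIC
WAN_IF="${WAN_IF:-ens34}"   # assumed name of the 192.168.153.0/24 NIC
LAN_NET="192.168.137.0/24"

# Print the nat and filter tables for the given interfaces and LAN subnet.
gen_gateway_rules() {
    lan_if="$1"; wan_if="$2"; lan_net="$3"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Read an iptables-save dump on stdin (e.g. "iptables-save -t filter") and
# succeed if the FORWARD chain policy is still ACCEPT, i.e. the gateway would
# forward unsolicited traffic from the external side into the LAN.
forward_is_open() {
    grep -q '^:FORWARD ACCEPT'
}

# When run directly, print the ruleset; on the gateway, redirect it into
# /etc/iptables/rules.v4 and load it with iptables-restore as in the post.
gen_gateway_rules "$LAN_IF" "$WAN_IF" "$LAN_NET"
```

Running `iptables-save -t filter | forward_is_open && echo "FORWARD policy is ACCEPT"` on the gateway shows whether the open state described above is still in place.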
3. Configure the default gateway on the internal hosts
On the internal hosts, set the default gateway to the gateway server's address on the internal network, here 192.168.137.100. Ubuntu 18.04 LTS uses Netplan for network management; edit its configuration file with vim /etc/netplan/*.yaml (the file is generated automatically, so its name may differ).
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    eno1:
      addresses: [ 192.168.137.101/24 ]
      gateway4: 192.168.137.100
      nameservers:
        addresses:
          - "8.8.8.8"
    ib1:
      addresses: [10.0.0.1/24]
Run netplan apply to make the network configuration take effect.
4. Check that NAT works
Use ip route to check the routing table on an internal host:
root@jay-Serv1:~# ip route
default via 192.168.137.100 dev eno1 proto static
10.0.0.0/24 dev ib1 proto kernel scope link src 10.0.0.1
192.168.137.0/24 dev eno1 proto kernel scope link src 192.168.137.101
The default route's gateway is the gateway server's IP address, 192.168.137.100.
Test external connectivity
Use ping to test connectivity to the outside:
root@jay-Serv1:~# ping cn.bing.com -c 4
PING a-0001.a-msedge.net (13.107.21.200) 56(84) bytes of data.
64 bytes from 13.107.21.200 (13.107.21.200): icmp_seq=1 ttl=127 time=42.8 ms
64 bytes from 13.107.21.200 (13.107.21.200): icmp_seq=2 ttl=127 time=41.4 ms
64 bytes from 13.107.21.200 (13.107.21.200): icmp_seq=4 ttl=127 time=40.1 ms
--- a-0001.a-msedge.net ping statistics ---
4 packets transmitted, 3 received, 25% packet loss, time 3011ms
rtt min/avg/max/mdev = 40.148/41.482/42.809/1.111 ms