

NAT configuration and testing

  1. Test environment:
    kvm7 eth0 192.168.122.7 external (Internet-facing)
         eth1 192.168.10.7  internal
    
    kvm6 eth0 192.168.10.6 reaches the Internet through kvm7's eth1
    kvm5 eth0 192.168.10.5 reaches the Internet through kvm7's eth1
    
  2. The zone currently in use is public, which has masquerade disabled, so kvm6 cannot reach the Internet. Note that both eth0 and eth1 are bound to this single zone.
    [root@kvm7 ~]# firewall-cmd --list-all
    public (default, active)
      interfaces: eth0 eth1
      sources: 
      services: dhcpv6-client ssh
      ports: 
      masquerade: no
      forward-ports: 
      icmp-blocks: 
      rich rules: 
    
    [root@kvm6 ~]# ping -c2 163.17.10.1
    PING 163.17.10.1 (163.17.10.1) 56(84) bytes of data.
    
    --- 163.17.10.1 ping statistics ---
    2 packets transmitted, 0 received, 100% packet loss, time 10999ms
    
  3. Permanently enable masquerade on the public zone and reload; kvm6 can now reach the Internet. --permanent only writes the saved configuration, so the --reload is what activates it (running the same command again without --permanent would change the runtime state directly). Because eth0 and eth1 are both in public, the masquerade rule is attached to both interfaces, so traffic forwarded out eth1 toward the internal network is source-NATed as well; binding eth1 to a separate zone (for example internal) and enabling masquerade only on the external zone keeps NAT on the outside only.
    [root@kvm7 ~]# firewall-cmd --permanent --add-masquerade 
    success
    [root@kvm7 ~]# firewall-cmd --reload 
    success
    [root@kvm7 ~]# firewall-cmd --list-all
    public (default, active)
      interfaces: eth0 eth1
      sources: 
      services: dhcpv6-client ssh
      ports: 
      masquerade: yes
      forward-ports: 
      icmp-blocks: 
      rich rules: 
    
    [root@kvm6 ~]# ping -c2 163.17.10.1
    PING 163.17.10.1 (163.17.10.1) 56(84) bytes of data.
    64 bytes from 163.17.10.1: icmp_seq=1 ttl=52 time=13.8 ms
    64 bytes from 163.17.10.1: icmp_seq=2 ttl=52 time=13.1 ms
    
    --- 163.17.10.1 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1015ms
    rtt min/avg/max/mdev = 13.113/13.472/13.831/0.359 ms
    
  4. Use direct rules to temporarily allow only campus websites. The number after FORWARD is the priority: firewalld places direct rules in the chain in ascending priority order and the first match wins, so this number decides the outcome. Here the two ACCEPT rules (priorities 0 and 1) are evaluated before the REJECT for the whole internal subnet (priority 10), even though the REJECT was added first. Two caveats: --get-all-rules prints rules in the order they were added, not their position in the chain (iptables -S FORWARD_direct shows the effective order), and direct rules added without --permanent are runtime only and vanish on the next --reload. kvm6 can reach campus sites as expected but not off-campus hosts; REJECT answers with an ICMP port-unreachable by default, which ping reports as Destination Port Unreachable.
    [root@kvm7 ~]# firewall-cmd --direct --add-rule ipv4 filter FORWARD 10 -s 192.168.10.0/24 -j REJECT
    success
    [root@kvm7 ~]# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -d 163.17.0.0/16 -j ACCEPT
    success
    [root@kvm7 ~]# firewall-cmd --direct --add-rule ipv4 filter FORWARD 1 -d 120.110.0.0/16 -j ACCEPT
    success
    
    [root@kvm7 ~]# firewall-cmd --direct --get-all-rules 
    ipv4 filter FORWARD 10 -s 192.168.10.0/24 -j REJECT
    ipv4 filter FORWARD 0 -d 163.17.0.0/16 -j ACCEPT
    ipv4 filter FORWARD 1 -d 120.110.0.0/16 -j ACCEPT
    
    [root@kvm6 ~]# ping -c2 163.17.10.1
    PING 163.17.10.1 (163.17.10.1) 56(84) bytes of data.
    64 bytes from 163.17.10.1: icmp_seq=1 ttl=52 time=13.1 ms
    64 bytes from 163.17.10.1: icmp_seq=2 ttl=52 time=19.0 ms
    
    --- 163.17.10.1 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1020ms
    rtt min/avg/max/mdev = 13.189/16.136/19.084/2.950 ms
    
    [root@kvm6 ~]# ping -c2 120.110.10.84
    PING 120.110.10.84 (120.110.10.84) 56(84) bytes of data.
    64 bytes from 120.110.10.84: icmp_seq=2 ttl=52 time=13.4 ms
    
    --- 120.110.10.84 ping statistics ---
    2 packets transmitted, 1 received, 50% packet loss, time 10999ms
    rtt min/avg/max/mdev = 13.433/13.433/13.433/0.000 ms
    
    [root@kvm6 ~]# ping -c2 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    From 192.168.10.254 icmp_seq=1 Destination Port Unreachable
    From 192.168.10.254 icmp_seq=2 Destination Port Unreachable
    
    --- 8.8.8.8 ping statistics ---
    2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1000ms
    
  5. Switch the default zone to block; kvm6 cannot reach the Internet. Interfaces with no explicit zone assignment follow the default zone, which is why eth0 and eth1 move with it. Although it is used here as a test, --set-default-zone takes effect immediately and is also written to the permanent configuration, so it is not a runtime-only change.
    [root@kvm7 ~]# firewall-cmd --set-default-zone=block 
    success
    
    [root@kvm6 ~]# ping -c2 163.17.10.1
    PING 163.17.10.1 (163.17.10.1) 56(84) bytes of data.
    
    --- 163.17.10.1 ping statistics ---
    2 packets transmitted, 0 received, 100% packet loss, time 10999ms
    
  6. Switch back to the public zone and add a direct rule at the highest priority (the lowest number, -10; negative values are allowed) that lets 192.168.10.6 through without restriction. This is how a management (teacher's) machine can be exempted: although the direct rules still restrict the subnet to campus websites, kvm6 is evaluated against its ACCEPT rule first and still reaches off-campus hosts.
    [root@kvm7 ~]# firewall-cmd --set-default-zone=public 
    success
    
    [root@kvm7 ~]# firewall-cmd --direct --add-rule ipv4 filter FORWARD -10 -s 192.168.10.6/32 -j ACCEPT
    success
    [root@kvm7 ~]# firewall-cmd --direct --get-all-rules 
    ipv4 filter FORWARD 10 -s 192.168.10.0/24 -j REJECT
    ipv4 filter FORWARD 0 -d 163.17.0.0/16 -j ACCEPT
    ipv4 filter FORWARD 1 -d 120.110.0.0/16 -j ACCEPT
    ipv4 filter FORWARD -10 -s 192.168.10.6/32 -j ACCEPT
    
    [root@kvm6 ~]# ping -c2 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=46 time=23.4 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=46 time=23.4 ms
    
    --- 8.8.8.8 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1025ms
    rtt min/avg/max/mdev = 23.440/23.467/23.494/0.027 ms
    
  7. With the default zone set to block, kvm6 cannot connect to the outside even though its direct ACCEPT rule from step 6 is still in place: the block zone carries no masquerade, so internal addresses are never translated. Filtering and NAT are independent preconditions; passing the FORWARD chain alone is not enough.
    [root@kvm7 ~]# firewall-cmd --set-default-zone=block 
    success
    
    [root@kvm6 ~]# ping -c2 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    
    --- 8.8.8.8 ping statistics ---
    2 packets transmitted, 0 received, 100% packet loss, time 11000ms
    
  8. Right after the highest-priority rule that exempts the management machine, add a rule that rejects all packets from the internal network (priority -9, so it sits after -10 but before the campus ACCEPT rules at 0 and 1); now only the management machine can reach the Internet, and the other hosts cannot even reach campus sites. The page does not show it, but for the results below the default zone has to be public again as in step 6, since the block zone does not masquerade.
    [root@kvm7 ~]# firewall-cmd --direct --add-rule ipv4 filter FORWARD -9 -s 192.168.10.0/24 -j REJECT
    success
    [root@kvm7 ~]# firewall-cmd --direct --get-all-rules 
    ipv4 filter FORWARD 0 -d 163.17.0.0/16 -j ACCEPT
    ipv4 filter FORWARD 1 -d 120.110.0.0/16 -j ACCEPT
    ipv4 filter FORWARD 10 -s 192.168.10.0/24 -j REJECT
    ipv4 filter FORWARD -10 -s 192.168.10.6/32 -j ACCEPT
    ipv4 filter FORWARD -9 -s 192.168.10.0/24 -j REJECT
    
    [root@kvm5 ~]# ping -c2 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    From 192.168.10.5 icmp_seq=1 Destination Port Unreachable
    From 192.168.10.5 icmp_seq=2 Destination Port Unreachable
    
    --- 8.8.8.8 ping statistics ---
    2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 999ms
    
    [root@kvm6 ~]# ping -c2 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=46 time=23.5 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=46 time=23.1 ms
    
    --- 8.8.8.8 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1024ms
    rtt min/avg/max/mdev = 23.195/23.386/23.577/0.191 ms
    
  9. Remove the two rules that restrict Internet access; all machines can now reach the Internet. A packet that matches no direct rule falls through to the zone chains, where the public zone with masquerade enabled forwards and translates it.
    [root@kvm7 ~]# firewall-cmd --direct --remove-rule ipv4 filter FORWARD -9 -s 192.168.10.0/24 -j REJECT
    [root@kvm7 ~]# firewall-cmd --direct --remove-rule ipv4 filter FORWARD 10 -s 192.168.10.0/24 -j REJECT
    success
    [root@kvm7 ~]# firewall-cmd --direct --get-all-rules 
    ipv4 filter FORWARD -10 -s 192.168.10.6/32 -j ACCEPT
    ipv4 filter FORWARD 0 -d 163.17.0.0/16 -j ACCEPT
    ipv4 filter FORWARD 1 -d 120.110.0.0/16 -j ACCEPT
    
    [root@kvm6 ~]# ping -c2 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=46 time=23.5 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=46 time=23.1 ms
    
    --- 8.8.8.8 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1024ms
    rtt min/avg/max/mdev = 23.195/23.386/23.577/0.191 ms
    
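To make the priority rule concrete, here is an added example written for this page (it is not firewalld code and never talks to the daemon). It parses the text that firewall-cmd --direct --get-all-rules prints, orders the rules the way firewalld places them in FORWARD_direct (ascending priority, so -10 sits before -9 before 0), and evaluates a packet by first match, replaying the ping outcomes of steps 4, 8 and 9. It only understands the -s, -d and -j options used above. Two points are assumptions: rules with equal priority keep insertion order (the page uses distinct priorities only), and the zone_verdict parameter stands in for whatever the zone chains decide after the direct chain. NAT is deliberately outside the model, which is why step 7 fails even though kvm6's rule would ACCEPT.

```python
"""Offline model of firewalld direct-rule ordering in the ipv4 filter
FORWARD chain.  Added example for this page, not firewalld's own code.
Understands only the -s/-d/-j options the page uses; NAT is out of scope."""
import ipaddress
import re

# `--get-all-rules` output copied from step 8 of the page, in the order
# firewall-cmd prints it (insertion order, not chain order).
STEP8_RULES = """\
ipv4 filter FORWARD 0 -d 163.17.0.0/16 -j ACCEPT
ipv4 filter FORWARD 1 -d 120.110.0.0/16 -j ACCEPT
ipv4 filter FORWARD 10 -s 192.168.10.0/24 -j REJECT
ipv4 filter FORWARD -10 -s 192.168.10.6/32 -j ACCEPT
ipv4 filter FORWARD -9 -s 192.168.10.0/24 -j REJECT
"""

# Same for step 4 (campus-only policy, before the management exemption).
STEP4_RULES = """\
ipv4 filter FORWARD 10 -s 192.168.10.0/24 -j REJECT
ipv4 filter FORWARD 0 -d 163.17.0.0/16 -j ACCEPT
ipv4 filter FORWARD 1 -d 120.110.0.0/16 -j ACCEPT
"""

RULE_RE = re.compile(
    r"^(?P<family>ipv4|ipv6)\s+(?P<table>\S+)\s+(?P<chain>\S+)\s+"
    r"(?P<priority>-?\d+)\s+(?P<args>.+)$")


def parse_rules(text):
    """Parse get-all-rules output into a list of dicts, keeping insertion order."""
    rules = []
    for order, line in enumerate(text.splitlines()):
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("unrecognised rule line: %r" % line)
        rule = {"family": m["family"], "table": m["table"], "chain": m["chain"],
                "priority": int(m["priority"]), "order": order,
                "src": None, "dst": None, "target": None}
        args = m["args"].split()
        if len(args) % 2:
            raise ValueError("odd argument list in %r" % line)
        for opt, val in zip(args[::2], args[1::2]):
            if opt == "-s":
                rule["src"] = ipaddress.ip_network(val, strict=False)
            elif opt == "-d":
                rule["dst"] = ipaddress.ip_network(val, strict=False)
            elif opt == "-j":
                rule["target"] = val
            else:
                raise ValueError("option %s not modelled (line %r)" % (opt, line))
        if rule["target"] is None:
            raise ValueError("rule without -j target: %r" % line)
        rules.append(rule)
    return rules


def chain_order(rules, family="ipv4", table="filter", chain="FORWARD"):
    """Rules as iptables -S FORWARD_direct shows them: ascending priority.
    Equal priorities keep insertion order (assumption; the page never uses ties)."""
    picked = [r for r in rules
              if (r["family"], r["table"], r["chain"]) == (family, table, chain)]
    return sorted(picked, key=lambda r: (r["priority"], r["order"]))


def verdict(rules, src, dst, zone_verdict="ACCEPT"):
    """First matching direct rule wins.  If none matches the packet continues
    to the zone chains; zone_verdict stands in for their decision (ACCEPT for
    public with masquerade, REJECT for block).  Returns (target, priority)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in chain_order(rules):
        if r["src"] is not None and s not in r["src"]:
            continue
        if r["dst"] is not None and d not in r["dst"]:
            continue
        return r["target"], r["priority"]
    return zone_verdict, None


def replay_page_tests():
    """Reproduce the ping outcomes observed on the page as (step, host, dst) -> target."""
    step4, step8 = parse_rules(STEP4_RULES), parse_rules(STEP8_RULES)
    step9 = [r for r in step8 if r["target"] != "REJECT"]   # step 9 removes both REJECTs
    return {
        (4, "kvm6", "163.17.10.1"): verdict(step4, "192.168.10.6", "163.17.10.1")[0],
        (4, "kvm6", "8.8.8.8"): verdict(step4, "192.168.10.6", "8.8.8.8")[0],
        (8, "kvm5", "8.8.8.8"): verdict(step8, "192.168.10.5", "8.8.8.8")[0],
        (8, "kvm6", "8.8.8.8"): verdict(step8, "192.168.10.6", "8.8.8.8")[0],
        (9, "kvm5", "8.8.8.8"): verdict(step9, "192.168.10.5", "8.8.8.8")[0],
    }


if __name__ == "__main__":
    for r in chain_order(parse_rules(STEP8_RULES)):
        print("%4d %-6s src=%s dst=%s" % (r["priority"], r["target"], r["src"], r["dst"]))
    for key, target in sorted(replay_page_tests().items()):
        print("step %d: %s -> %s: %s" % (key + (target,)))
```

Running it before the firewall-cmd calls shows the ordered listing that iptables -S FORWARD_direct will later report, and replay_page_tests() confirms the observed behaviour: in step 8 kvm5 is rejected by the -9 rule before it ever reaches the campus ACCEPT rules, while kvm6 is accepted at -10.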


2017-11-30