XenServer: giving internal VMs shared Internet access and port mapping with iptables on XenServer 7

Summary

The servers the company colocates in the data centre had run out of public IP addresses, and for security reasons a batch of virtual nodes was not supposed to be reachable from the Internet directly anyway, so on the XenServer physical host I put together a simple setup using the NAT feature of iptables.

[root@xenserver-cukxsegi ~]# sysctl net.ipv4.ip_forward=1 #enable IP forwarding in dom0
[root@xenserver-cukxsegi ~]# echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf #keep it across reboots
[root@xenserver-cukxsegi ~]# iptables -P FORWARD DROP #set the FORWARD chain policy to DROP. This is what gives control over the internal IPs: each one that may reach the Internet gets its own rule, and any IP not covered by a rule cannot reach the Internet.
[root@xenserver-cukxsegi ~]# iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT   #allow packets that belong to an established or related connection, from any address to any address
[root@xenserver-cukxsegi ~]# iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -j SNAT --to 60.1.1.1 #SNAT (source NAT): rewrite the source address of packets coming from 172.16.0.0/16 to 60.1.1.1
#(Deven: since the goal is to let the internal network out, the gateway has to change the source address to 60.1.1.1 in POSTROUTING, i.e. after the routing decision; otherwise the replies have no way back)
[root@xenserver-cukxsegi ~]# iptables -I FORWARD 2 -s 172.16.0.0/16 -j ACCEPT #insert at position 2, right after the ESTABLISHED,RELATED rule: allow the 172.16.0.0/16 network out to the Internet
[root@xenserver-cukxsegi ~]# iptables -A FORWARD -s 10.100.100.0/24 -j ACCEPT #allow the 10.100.100.0/24 network out to the Internet
[root@xenserver-cukxsegi ~]# iptables -A FORWARD -s 10.20.20.20 -d 8.8.8.8 -j ACCEPT #allow only the host 10.20.20.20 to talk to 8.8.8.8
[root@xenserver-cukxsegi ~]# iptables -A FORWARD -s 10.30.30.0/24 -p tcp -m multiport --dports 80,443 -j ACCEPT #allow the 10.30.30.0/24 network to reach web sites only (TCP 80 and 443)

Two things to check on a XenServer host. First, the FORWARD chain already ends with a jump to RH-Firewall-1-INPUT (see the dump at the end of this post), and that chain finishes with a REJECT, so a rule appended with -A FORWARD lands after the jump and never matches; insert it with -I FORWARD <position> ahead of the jump, as the 172.16.0.0/16 rule above does. Second, rules entered at the shell are gone after a reboot: write them out with iptables-save to /etc/sysconfig/iptables, which dom0 loads at boot, so they persist the same way the sysctl setting does.

[root@DT-VM-Node51 /etc/dhcp]# iptables -t nat -A PREROUTING -d 172.100.220.51 -p tcp --dport 5122 -j DNAT --to-destination 10.100.100.51:22992
[root@DT-VM-Node51 /etc/dhcp]# iptables -t nat -A POSTROUTING -d 10.100.100.51 -p tcp --dport 22992 -j SNAT --to 10.0.0.1

The two commands above forward connections that arrive at TCP port 5122 of 172.100.220.51 to port 22992 on the internal host 10.100.100.51. Two things to check before relying on them. With the FORWARD policy at DROP, the DNATed packet still has to be accepted by a FORWARD rule that matches its rewritten destination (10.100.100.51, TCP 22992): the ESTABLISHED,RELATED rule only covers replies, and the source-based rules earlier in this post do not match inbound connections. And the second command rewrites the source of every connection to that port, external clients included, to 10.0.0.1, so the VM logs all SSH logins as coming from the gateway; that SNAT is only needed where the VM's replies would not otherwise route back through this host (clients on the internal network connecting to the public address, or a VM whose default gateway is not dom0), so restrict it with -s when you want the VM to keep the real client address.
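The rules in this post, rebuilt as one reviewable ruleset. This is an added example written for this page, not code from the original post: it emits the nat and FORWARD rules in iptables-restore format from a handful of variables, so the result can be checked with iptables-restore --test and persisted, instead of being typed in one iptables call at a time. It differs from the commands above in three places: the egress SNAT is tied to the public bridge with -o, so traffic dom0 forwards between internal bridges keeps its real source; inbound forwards are admitted by a FORWARD rule that matches -m conntrack --ctstate DNAT, so only packets PREROUTING actually rewrote get through the DROP policy; and the hairpin SNAT is limited to clients on the internal network. The bridge names xenbr0/xenbr1, the gateway address 172.16.0.1, the forward to 172.16.0.51:22992 and the 10.30.30.0/24 web-only allowlist are constructed sample values; 60.1.1.1 and 172.16.0.0/16 are the addresses the post uses.

```shell
#!/bin/sh
# Added example (not code from the original post): generate the complete
# ruleset for a XenServer dom0 acting as NAT gateway for its VMs, in
# iptables-restore format, so the result can be reviewed and dry-run before
# it touches the live tables. Values marked "article" come from the post;
# interface names, the gateway address and the forward lists are assumptions.
set -eu

EXT_IF="${EXT_IF:-xenbr0}"            # assumption: bridge carrying the public IP
EXT_IP="${EXT_IP:-60.1.1.1}"          # article: public source address for SNAT
INT_IF="${INT_IF:-xenbr1}"            # assumption: bridge the VMs' internal NICs sit on
INT_NET="${INT_NET:-172.16.0.0/16}"   # article: internal VM network
INT_GW="${INT_GW:-172.16.0.1}"        # assumption: dom0's own address on INT_IF

# Port forwards: "proto public_port internal_ip internal_port", one per line.
# Constructed sample: SSH on public port 5122 to a VM listening on 22992.
PORT_FORWARDS="${PORT_FORWARDS:-tcp 5122 172.16.0.51 22992}"

# Sources outside the blanket egress rule that may only reach given TCP ports.
# Constructed sample: a subnet allowed to browse the web and nothing else.
RESTRICTED_EGRESS="${RESTRICTED_EGRESS:-10.30.30.0/24 80,443}"

gen_nat_table() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' \
                  ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    printf '%s\n' "$PORT_FORWARDS" | while read -r proto pport iip iport; do
        [ -n "$proto" ] || continue
        # Inbound: rewrite the destination of connections that hit the public IP.
        # No -i match, so a VM connecting to the public IP (hairpin) is DNATed too.
        printf '%s\n' "-A PREROUTING -d $EXT_IP -p $proto --dport $pport -j DNAT --to-destination $iip:$iport"
        # Hairpin only: when the client is itself on INT_NET, the target would
        # reply to it directly with its real address and the client would reset
        # the connection, so those flows are also SNATed to the gateway. External
        # clients are left alone so the VM still logs their real source IP.
        printf '%s\n' "-A POSTROUTING -s $INT_NET -d $iip -p $proto --dport $iport -j SNAT --to-source $INT_GW"
    done
    # Egress SNAT is tied to the public interface: traffic dom0 forwards between
    # two internal bridges keeps its real source address.
    printf '%s\n' "-A POSTROUTING -s $INT_NET -o $EXT_IF -j SNAT --to-source $EXT_IP"
    printf '%s\n' 'COMMIT'
}

gen_filter_table() {
    # Only the FORWARD chain is generated here; dom0's own INPUT chain is left
    # out on purpose (see the note after the block).
    printf '%s\n' '*filter' ':FORWARD DROP [0:0]'
    printf '%s\n' '-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A FORWARD -m conntrack --ctstate INVALID -j DROP'
    # Inbound forwards: accept only packets PREROUTING actually DNATed, so the
    # DROP policy still covers everything else aimed at the VMs.
    printf '%s\n' "$PORT_FORWARDS" | while read -r proto pport iip iport; do
        [ -n "$proto" ] || continue
        printf '%s\n' "-A FORWARD -d $iip -p $proto --dport $iport -m conntrack --ctstate DNAT -j ACCEPT"
    done
    # Blanket egress for the VM network, but only out through the public bridge:
    # no pivoting into other internal bridges through dom0.
    printf '%s\n' "-A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -j ACCEPT"
    printf '%s\n' "$RESTRICTED_EGRESS" | while read -r src ports; do
        [ -n "$src" ] || continue
        printf '%s\n' "-A FORWARD -o $EXT_IF -s $src -p tcp -m multiport --dports $ports -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

gen_ruleset() { gen_nat_table; gen_filter_table; }

# Sanity check before applying: every DNAT rule must have a FORWARD rule that
# admits the DNATed traffic, otherwise the forward silently fails under DROP.
forward_rules_consistent() {
    rules="$(gen_ruleset)"
    dnat="$(printf '%s\n' "$rules" | grep -c -- '-j DNAT' || true)"
    acc="$(printf '%s\n' "$rules" | grep -c -- '--ctstate DNAT -j ACCEPT' || true)"
    [ "$dnat" -eq "$acc" ]
}

forward_rules_consistent && gen_ruleset
```

Run it as sh gen-nat-rules.sh > nat.rules and check the syntax with iptables-restore --test nat.rules. The *filter section deliberately carries only the FORWARD chain: a plain iptables-restore of this file would flush dom0's own INPUT rules (the RH-Firewall-1-INPUT chain in the dump below), so splice the generated lines into /etc/sysconfig/iptables next to that chain rather than loading the file on its own.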

Firewall rules of a XenServer 7.2 host (iptables-save output; the SNAT and FORWARD rules added as described above are already in it, the RH-Firewall-1-INPUT chain is the XenServer default)

# Generated by iptables-save v1.4.21 on Sat Aug 19 04:21:43 2017
*nat
:PREROUTING ACCEPT [89:5976]
:INPUT ACCEPT [24:816]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.16.0.0/16 -j SNAT --to-source 139.99.9.51
COMMIT
# Completed on Sat Aug 19 04:21:43 2017
# Generated by iptables-save v1.4.21 on Sat Aug 19 04:21:43 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [11009:480925]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -p gre -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 172.16.0.0/16 -j ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -i xenapi -p udp -m udp --dport 67 -j ACCEPT
-A RH-Firewall-1-INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 694 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21064 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m multiport --dports 5404,5405 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat Aug 19 04:21:43 2017
