
centos NAT 설정

sysman 2020. 12. 13. 12:18

FW_Linux세팅 

네트웍 세팅

[root@techpicnic ~]# vi /etc/sysconfig/network-scripts/ifcfg-ens192
# Internet-facing interface of the NAT firewall: fixed public address,
# the system default route via the upstream router, bound to the firewalld
# "external" zone (the zone that carries masquerade in the steps below).
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
# Static addressing; no DHCP on the uplink.
BOOTPROTO=none
# This NIC owns the default route (GATEWAY below).
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
# NOTE(review): IPv6 autoconf stays enabled on the Internet-facing NIC while
# the masquerade configured later is IPv4-only. If IPv6 is not meant to be
# used on this box, consider IPV6INIT=no / IPV6_AUTOCONF=no here.
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens192
UUID=b46d5ee3-372f-42ac-ace7-f533bec27930
DEVICE=ens192
ONBOOT=yes
# Public address (anonymised as x.x.x.*) in a /27; upstream router is the gateway.
IPADDR=x.x.x.116
PREFIX=27
GATEWAY=x.x.x.97
DNS1=168.126.63.1
IPV6_PRIVACY=no
# firewalld zone for this interface (equivalent to
# `nmcli connection modify ens192 connection.zone external`).
ZONE=external
wq!

[root@techpicnic ~]# vi /etc/sysconfig/network-scripts/ifcfg-ens224
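# LAN-facing interface of the NAT firewall. y.y.y.254 is the default
# gateway the internal servers point at (see the SERVER section below).
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
IPADDR=y.y.y.254
PREFIX=24
# No GATEWAY on the LAN side: the original set GATEWAY to the box's own
# external address (x.x.x.116), which is not a next hop reachable on this
# link and, together with DEFROUTE=yes, would compete with the ens192
# default route. A router's inside interface has no default gateway; the
# single default route belongs to ens192.
DNS1=168.126.63.1
DEFROUTE=no
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens224
UUID=a1393c78-10f9-446d-b690-00cffb72404e
DEVICE=ens224
ONBOOT=yes
# firewalld "internal" zone (see the zone/masquerade steps below).
ZONE=internal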
wq!

다른 대역 추가시

다른대역 네트워크 추가

[root@techpicnic ~]# vi /etc/sysconfig/network-scripts/ifcfg-ens256   (/etc/sysconfig 아래 파일 편집은 root 또는 sudo 권한 필요)
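# Second LAN segment (192.168.200.0/24) on a third NIC, placed in the same
# "internal" zone so the existing masquerade/forward setup covers it too.
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
IPADDR=192.168.200.254
PREFIX=24
# No GATEWAY on a LAN-side interface: the original carried the firewall's
# own external address here (and in plain, un-anonymised form), which is
# not a valid next hop on this link and would add a second default route.
# The default route stays on ens192.
DNS1=168.126.63.1
DEFROUTE=no
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens256
# The empty "UUID=" line was dropped; if a fixed UUID is wanted, set
# UUID=<output of uuidgen> like the other two interface files do.
DEVICE=ens256
ONBOOT=yes
ZONE=internal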


# nmcli connection reload && nmcli connection up ens256   //ifcfg 수정 내용 적용 (legacy network 서비스를 쓰는 경우 systemctl restart network)
# firewall-cmd --reload
# ip route   //라우팅 확인 (netstat -rn 도 가능, 단 net-tools 는 구버전 도구)
# firewall-cmd --get-active-zones
...
internal
  interfaces: ens256 ens224

 

zone 세팅

[root@dlp ~]# firewall-cmd --get-active-zone
public
  interfaces: ens224 ens192

# change zone
[root@dlp ~]# nmcli connection modify ens224 connection.zone internal
[root@dlp ~]# nmcli connection modify ens192 connection.zone external
[root@dlp ~]# firewall-cmd --get-active-zone
external
  interfaces: ens192
internal
  interfaces: ens224

 

external 세팅

# set IP Masquerading
[root@dlp ~]# firewall-cmd --zone=external --add-masquerade --permanent
success
[root@dlp ~]# firewall-cmd --reload
success

[root@dlp ~]# firewall-cmd --zone=external --query-masquerade
yes
zone 에 masquerade 를 설정하면 firewalld 가 ip_forward 를 자동으로 1 로 켠다 (아래에서 확인). 다만 이는 firewalld 가 런타임에 넣어 주는 값이므로, 아래 sysctl 설정으로 영구 고정해 두는 편이 안전하다.
[root@dlp ~]# cat /proc/sys/net/ipv4/ip_forward
1

 

ip_forward 가 1로 안되어 있으면 아래 명령어 실행 (재부팅 전까지만 유효)

# echo "1" > /proc/sys/net/ipv4/ip_forward

또는 (영구 적용)

vi /etc/sysctl.conf
net.ipv4.ip_forward = 1

저장 후 # sysctl -p 로 즉시 반영 (또는 /etc/sysctl.d/99-ipforward.conf 에 같은 줄을 넣어도 됨)

 

external 필요시 추가 세팅

포트 포워딩 (외부 영역의 22 포트로 들어오는 패킷이 로컬 1111 포트로 전달되도록 구성 / 저장하려면 --permanent 를 붙이고 --reload)
주의: external zone 에는 기본으로 ssh 서비스(22)가 열려 있는데(아래 services: ssh), 22 번을 포워딩하면 DNAT 가 먼저 적용되어 외부에서 방화벽 자체의 sshd 로는 22 번으로 더 이상 접속할 수 없게 된다. 방화벽 관리용 ssh 는 다른 포트로 옮기거나, 관리 대역만 허용하는 rich rule 로 출발지를 제한할 것.

[root@dlp ~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=1111
success
[root@dlp ~]# firewall-cmd --list-all --zone=external
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports: port=22:proto=tcp:toport=1111:toaddr=
  source-ports:
  icmp-blocks:
  rich rules:

 

 

 

외부 영역의 22 포트로 들어오는 패킷이 22 포트의 다른 호스트 [y.y.y.31]로 전달되도록 구성
주의: 이 설정은 내부 호스트 y.y.y.31 의 ssh 를 인터넷에 직접 노출시킨다. y.y.y.31 에서는 키 인증만 허용하고, 가능하면 rich rule 로 출발지 IP 를 제한할 것. 또한 응답 패킷이 돌아오려면 y.y.y.31 의 기본 게이트웨이가 방화벽 내부 주소(y.y.y.254)여야 한다 (아래 SERVER 세팅 참고).

[root@dlp ~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=22:toaddr=y.y.y.31
success
[root@dlp ~]# firewall-cmd --list-all --zone=external
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports: port=22:proto=tcp:toport=22:toaddr=y.y.y.31
  source-ports:
  icmp-blocks:
  rich rules:

삭제 : # firewall-cmd --zone=external --remove-forward-port=port=xxxx:proto=tcp:toport=xxxx:toaddr=y.y.y.y   (--permanent 로 저장한 규칙은 --permanent 를 붙여 삭제한 뒤 --reload)

 

 

internal 세팅

[root@dlp ~]# firewall-cmd --zone=internal --add-masquerade --permanent
success
[root@dlp ~]# firewall-cmd --reload
success
주의: 아웃바운드 NAT 에는 external zone 의 masquerade(위) 만으로 충분하다. internal zone 에도 masquerade 를 켜면 ens224 로 나가는 패킷(예: 위의 22 → y.y.y.31 포워딩)의 출발지가 방화벽 주소 y.y.y.254 로 바뀌어, 내부 호스트의 로그와 출발지 기반 접근제어에서 실제 클라이언트 IP 를 잃게 된다. 꼭 필요한 경우가 아니면 internal 에는 masquerade 를 두지 말 것.

[root@dlp ~]# firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o ens192 -j MASQUERADE
[root@dlp ~]# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens224 -o ens192 -j ACCEPT
[root@dlp ~]# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens192 -o ens224 -m state --state RELATED,ESTABLISHED -j ACCEPT
direct 규칙은 --permanent 없이 넣으면 --reload 나 재부팅 시 사라진다. external zone 에 masquerade 가 켜져 있으면 firewalld 가 같은 역할의 NAT/FORWARD 규칙을 이미 넣으므로 위 direct 규칙은 보통 불필요하며, 굳이 유지하려면 각각 --permanent 를 붙여 다시 등록하고 --reload 할 것 (-m state 는 구식 모듈, -m conntrack --ctstate 권장).

 

SERVER 세팅

[root@localhost ~]# vi /etc/sysconfig/network-scripts/ifcfg-ens192
# Internal server behind the NAT firewall: static address on the y.y.y.0/24
# LAN, default route via the firewall's inside interface (y.y.y.254).
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
# NOTE(review): "static" is the legacy spelling of BOOTPROTO=none used in
# the firewall's own ifcfg files above; both mean fixed addressing.
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME=ens192
DEVICE=ens192
ONBOOT=yes
IPADDR=y.y.y.10
# PREFIX and NETMASK both describe the same /24; one of them is enough.
PREFIX=24
NETMASK=255.255.255.0
# The firewall's LAN address (IPADDR of its ifcfg-ens224).
GATEWAY=y.y.y.254
DNS1=168.126.63.1
DNS2=210.220.163.82
wq!

ip route change default via y.y.y.254 dev ens192 (임시적용) 또는
route add default gw y.y.y.254 dev ens192 (임시적용, net-tools 구버전 도구) 또는

echo 'GATEWAY=y.y.y.254' >> /etc/sysconfig/network (영구적용 — 단 ifcfg 파일에 GATEWAY 가 있으면 그 값이 우선하므로, 위처럼 ifcfg 에 두는 편이 명확함)
systemctl restart network   (legacy network 서비스가 없는 CentOS 8 등에서는 nmcli connection reload && nmcli connection up ens192)


[root@localhost ~]# ip route
default via y.y.y.254 dev ens192 proto static metric 100
※ 내부 서버의 기본 게이트웨이는 방화벽의 내부 주소(ifcfg-ens224 의 y.y.y.254)여야 한다. 원문의 x.x.x.254 는 외부 대역 표기와 섞여 있어 y.y.y.254 로 통일함.

