我试图用firewalld设置一个CentOS 7虚拟机来在两个不同的子网之间路由stream量。
我有2个networking接口,外部networking的ens192和内部networking的ens224:
$ ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:62:88:ba brd ff:ff:ff:ff:ff:ff inet 10.212.21.26/16 brd 10.212.255.255 scope global ens192 valid_lft forever preferred_lft forever inet6 fe80::20c:29ff:fe62:88ba/64 scope link valid_lft forever preferred_lft forever 3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:62:88:c4 brd ff:ff:ff:ff:ff:ff inet 192.168.99.1/16 brd 192.168.255.255 scope global ens224 valid_lft forever preferred_lft forever inet6 fe80::d301:8174:1d11:d550/64 scope link valid_lft forever preferred_lft forever 内部接口在内部区域:
$ sudo firewall-cmd --list-all --zone=internal internal (active) target: default icmp-block-inversion: no interfaces: ens224 sources: services: dhcpv6-client mdns samba-client ssh ports: protocols: masquerade: no forward-ports: sourceports: icmp-blocks: rich rules:
外部接口在启用伪装的外部区域中:
$ sudo firewall-cmd --list-all --zone=external external (active) target: default icmp-block-inversion: no interfaces: ens192 sources: services: ssh ports: protocols: masquerade: yes forward-ports: sourceports: icmp-blocks: rich rules:
内部接口的默认网关设置为外部接口的IP地址:
$ ip ro default via 10.212.0.10 dev ens192 proto static metric 100 default via 10.212.21.26 dev ens224 proto static metric 101 10.212.0.0/16 dev ens192 proto kernel scope link src 10.212.21.26 metric 100 10.212.21.26 dev ens224 proto static scope link metric 100 192.168.0.0/16 dev ens224 proto kernel scope link src 192.168.99.1 metric 100
数据包转发已打开:
$ sudo sysctl -a | grep net.ipv4.ip_forward net.ipv4.ip_forward = 1
从内部networking,我可以访问外部networking。 而从外部networking来说,我可以在内部networking上ping一个IP地址。 但是,尽pipe在两个区域都启用了ssh服务,但我无法从外部networkingssh到相同的内部IP地址。
我尝试了许多不同的富有规则/传递,没有运气。 请有人给我一个正确的方向指导?
谢谢。
编辑:
我删除了10.212.21.26路由并将SELinux模式设置为宽容:
sudo ip ro del 10.212.21.26 sudo setenforce permissive
我可以ping通:
$ ping 192.168.99.100 Pinging 192.168.99.100 with 32 bytes of data: Reply from 192.168.99.100: bytes=32 time<1ms TTL=63`
但是我不能ssh:
$ ssh -vvv 192.168.99.100 OpenSSH_6.8p1, OpenSSL 1.0.2a 19 Mar 2015 debug1: Reading configuration data /home/clay.rowland/.ssh/config debug2: ssh_connect: needpriv 0 debug1: Connecting to 192.168.99.100 [192.168.99.100] port 22. debug1: connect to address 192.168.99.100 port 22: Connection timed out ssh: connect to host 192.168.99.100 port 22: Connection timed out
经过大量的挖掘和键盘粉碎,我发现FORWARD链上的以下直接丰富规则将启用成功的ssh连接。 有人可能会提供更优雅的解决scheme。
sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens224 -o ens192 -p tcp --sport 22 -j ACCEPT sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens192 -o ens224 -p tcp --dport 22 -j ACCEPT