123

系统（脱产）/Linux/15.firwalld.md

@@ -132,4 +132,69 @@ firewalld预置了107个网络服务的规则，我们用到这些网络服务
 ```shell
 # firewall-cmd --add-masquerade --permanent
 # firewall-cmd --reload
+```
+
+## 小实验
+
+用linux的firewalld防火墙实现nat效果，拓扑如下  
+
+Server有两块网卡，第一块网卡连接nat网络能上网，第二块网卡连接仅主机模式，不能上网  
+Client有一块网卡连接仅主机模式，不能上网  
+
+实现效果，使得Client能上网  
+
+首先，编辑/etc/sysctl.conf，在Server上开启ipv4路由转发内核功能
+
+```shell
+# grep -v ^# /etc/sysctl.conf
+net.ipv4.ip_forward = 1
+
+# sysctl -p
+net.ipv4.ip_forward = 1
+```
+
+然后设置防火墙，开启区域伪装
+
+```shell
+# firewall-cmd --add-masquerade --permanent
+# firewall-cmd --reload
+```
+
+给Server的仅主机模式的网卡设置一个固定IP，这个IP就是Client指向的网关
+
+```shell
+# nmcli connection modify ens37 ifname ens37 autoconnect yes ipv4.method manual ipv4.addresses 192.168.109.254/24 ipv4.dns 114.114.114.114
+# ifdown ens37 && ifup ens37
+```
+
+设置Client网卡的IP
+
+```shell
+# cat /etc/sysconfig/network-scripts/ifcfg-ens33
+TYPE=Ethernet
+PROXY_METHOD=none
+BROWSER_ONLY=no
+BOOTPROTO=none
+DEFROUTE=yes
+NAME=ens33
+UUID=d108d6ee-dfc5-4f44-9aa4-f2714bbd1987
+DEVICE=ens33
+ONBOOT=yes
+IPADDR=192.168.109.101
+NETMASK=255.255.255.0
+GATEWAY=192.168.109.254
+DNS1=114.114.114.114
+
+# systemctl restart network
+# ping baidu.com
+# ping -c 4 baidu.com
+PING baidu.com (123.125.115.110) 56(84) bytes of data.
+64 bytes from 123.125.115.110 (123.125.115.110): icmp_seq=1 ttl=127 time=33.2 ms
+64 bytes from 123.125.115.110 (123.125.115.110): icmp_seq=2 ttl=127 time=32.8 ms
+64 bytes from 123.125.115.110 (123.125.115.110): icmp_seq=3 ttl=127 time=33.0 ms
+64 bytes from 123.125.115.110 (123.125.115.110): icmp_seq=4 ttl=127 time=34.9 ms
+
+--- baidu.com ping statistics ---
+4 packets transmitted, 4 received, 0% packet loss, time 3010ms
+rtt min/avg/max/mdev = 32.824/33.510/34.904/0.828 ms
 ```