Alma8 NAT configuration

・Check the current state (run on the server that provides NAT)

[hoge@natman ~]$ sudo firewall-cmd --get-active-zone
libvirt
interfaces: virbr0
public
interfaces: ens3 ens4
[hoge@natman ~]$

[hoge@natman ~]$ ifconfig
ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
inet xxx.xxx.122.5  netmask 255.255.255.0  broadcast xxx.xxx.122.255    <-- External
inet6 fe80::5054:ff:feef:942d  prefixlen 64  scopeid 0x20<link>
ether 52:54:00:ef:94:2d  txqueuelen 1000  (Ethernet)
RX packets 21067  bytes 20899712 (19.9 MiB)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 5713  bytes 570993 (557.6 KiB)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
inet xxx.xxx.100.228  netmask 255.255.255.0  broadcast xxx.xxx.100.255  <-- Internal
inet6 fe80::5054:ff:fe36:9b29  prefixlen 64  scopeid 0x20<link>
ether 52:54:00:36:9b:29  txqueuelen 1000  (Ethernet)
RX packets 5832  bytes 826901 (807.5 KiB)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 71  bytes 7346 (7.1 KiB)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
inet 127.0.0.1  netmask 255.0.0.0
inet6 ::1  prefixlen 128  scopeid 0x10<host>
loop  txqueuelen 1000  (Local Loopback)
RX packets 36  bytes 3060 (2.9 KiB)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 36  bytes 3060 (2.9 KiB)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
inet xxx.xxx.124.1  netmask 255.255.255.0  broadcast xxx.xxx.124.255
ether 52:54:00:8f:60:fb  txqueuelen 1000  (Ethernet)
RX packets 0  bytes 0 (0.0 B)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 0  bytes 0 (0.0 B)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[hoge@natman ~]$

・Change the zone settings
[hoge@natman ~]$
[hoge@natman ~]$ sudo nmcli connection modify ens4 connection.zone internal
[hoge@natman ~]$ sudo nmcli connection modify ens3 connection.zone external
[hoge@natman ~]$
[hoge@natman ~]$ sudo firewall-cmd --get-active-zone
external
interfaces: ens3
libvirt
interfaces: virbr0
public
interfaces: ens4
[hoge@natman ~]$
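As an added check that is not part of the original notes: a small shell script that parses the `firewall-cmd --get-active-zones` listing and confirms each NAT interface is in the zone intended for it. The sample listing is constructed from the output above; run against it, the check flags ens4, which that listing still reports under public rather than internal.

```shell
#!/bin/sh
# Added example, not from the original notes: check that each NAT interface is in
# the firewalld zone intended for it by parsing `firewall-cmd --get-active-zones`.
set -eu

# Constructed sample: the listing the notes show after the nmcli zone changes.
ACTIVE_ZONES='external
  interfaces: ens3
libvirt
  interfaces: virbr0
public
  interfaces: ens4'

# zone_of_iface "<listing>" <iface>: prints the zone holding <iface>, or "none".
zone_of_iface() {
  printf '%s\n' "$1" | awk -v want="$2" '
    # Zone headers are the unindented lines; remember the current one.
    NF > 0 && $0 !~ /^[[:space:]]/ { zone = $1; next }
    # "interfaces:" lines list one or more names; match whole words only.
    $1 == "interfaces:" {
      for (i = 2; i <= NF; i++) if ($i == want) { print zone; found = 1; exit }
    }
    END { if (!found) print "none" }'
}

# check_zones "<listing>" <iface>=<zone> ...: reports every interface that is not
# in its intended zone; returns 0 only when all of them are.
check_zones() {
  cz_listing=$1; shift
  cz_rc=0
  for cz_spec in "$@"; do
    cz_iface=${cz_spec%%=*}
    cz_want=${cz_spec#*=}
    cz_got=$(zone_of_iface "$cz_listing" "$cz_iface")
    if [ "$cz_got" != "$cz_want" ]; then
      printf 'MISMATCH: %s is in zone %s, expected %s\n' "$cz_iface" "$cz_got" "$cz_want"
      cz_rc=1
    fi
  done
  return $cz_rc
}

# On the NAT host, replace the sample with: "$(sudo firewall-cmd --get-active-zones)"
check_zones "$ACTIVE_ZONES" ens3=external ens4=internal \
  || echo "zone assignment does not match the intended NAT layout"
```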

・Enable IP masquerade on the external zone
[hoge@natman ~]$ sudo firewall-cmd --zone=external --add-masquerade --permanent
Warning: ALREADY_ENABLED: masquerade
success
[hoge@natman ~]$
[hoge@natman ~]$ sudo firewall-cmd --reload
success
[hoge@natman ~]$
[hoge@natman ~]$ sudo firewall-cmd --zone=external --query-masquerade
yes
[hoge@natman ~]$
[hoge@natman ~]$ sudo cat /proc/sys/net/ipv4/ip_forward
1
[hoge@natman ~]$

・Enable IP masquerade on the internal zone (forwarding/allow settings for packets from any computer on the internal network [xxx.xxx.100.0/24] that leave for the external side via [natman])

[hoge@natman ~]$
[hoge@natman ~]$ sudo firewall-cmd --zone=internal --add-masquerade --permanent
success
[hoge@natman ~]$ sudo firewall-cmd --reload
success
[hoge@natman ~]$

[hoge@natman ~]$ sudo firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o ens3 -j MASQUERADE
success
[hoge@natman ~]$ sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens4 -o ens3 -j ACCEPT
success
[hoge@natman ~]$
[hoge@natman ~]$ sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens3 -o ens4 -m state --state RELATED,ESTABLISHED -j ACCEPT
success
[hoge@natman ~]$

・Run on the server that is served by NAT

Check the NAT server's information
[hoge@natman ~]$ sudo nmcli device show ens3
GENERAL.DEVICE:                         ens3
GENERAL.TYPE:                           ethernet
GENERAL.HWADDR:                         52:54:00:EF:94:2D
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (接続済み)
GENERAL.CONNECTION:                     ens3
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveC>
WIRED-PROPERTIES.CARRIER:               オン
IP4.ADDRESS[1]:                         xxx.xxx.122.5/24
IP4.GATEWAY:                            xxx.xxx.122.1
IP4.ROUTE[1]:                           dst = xxx.xxx.122.0/24, nh = 0.0.0.0, m>
IP4.ROUTE[2]:                           dst = 0.0.0.0/0, nh = xxx.xxx.122.1, mt>
IP4.DNS[1]:                             xxx.xxx.122.1                                   <--- External DNS
IP6.ADDRESS[1]:                         fe80::5054:ff:feef:942d/64
IP6.GATEWAY:                            --
IP6.ROUTE[1]:                           dst = fe80::/64, nh = ::, mt = 1024
[hoge@natman ~]$
[hoge@natman ~]$
[hoge@natman ~]$ sudo nmcli device show ens4
GENERAL.DEVICE:                         ens4
GENERAL.TYPE:                           ethernet
GENERAL.HWADDR:                         52:54:00:36:9B:29
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (接続済み)
GENERAL.CONNECTION:                     ens4
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveC>
WIRED-PROPERTIES.CARRIER:               オン
IP4.ADDRESS[1]:                         xxx.xxx.100.228/24                              <--- internal IP
IP4.GATEWAY:                            --
IP4.ROUTE[1]:                           dst = xxx.xxx.100.0/24, nh = 0.0.0.0, m>
IP4.DNS[1]:                             xxx.xxx.100.1
IP4.DOMAIN[1]:                          isolate_net1
IP6.ADDRESS[1]:                         fe80::5054:ff:fe36:9b29/64
IP6.GATEWAY:                            --
IP6.ROUTE[1]:                           dst = fe80::/64, nh = ::, mt = 1024
[hoge@natman ~]$

Set the IP address of the server providing NAT (here xxx.xxx.100.228) as the gateway, and set the external DNS server
Ping an external host
Access an external site from a browser (e.g. www.google.com)