XenServer environment:
1: Environment setup
Internal address of the gateway VM: 192.168.2.100 (on the subnet 192.168.2.0/24)
External address of the gateway VM: x.x.x.x (placeholder for the public IP)
1.1: Log in to XenCenter
1.2: Open the Networking tab of the XenServer host
1.3: Click the Configure... button at the bottom to open the Configure IP Addresses dialog
1.4: Click Add IP address to create the new virtual switch
1.5: Network 1 is the NIC connected to the external network
Network 2 is the NIC connected to the internal virtual switch
2: Create a CentOS 7 VM and configure its two NICs
2.1: vim /etc/sysconfig/network-scripts/ifcfg-eth1
# eth1: the external interface, attached to Network 1
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
#BOOTPROTO=dhcp
BOOTPROTO=static
# this interface carries the default route
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=eth1
#UUID=dd48994a-7f5c-44c1-a8d3-107f4e4b579f
DEVICE=eth1
#ONBOOT=no
ONBOOT=yes
# the fixed public IP, or any address from which the Internet is reachable
IPADDR=x.x.x.x
NETMASK=255.255.255.x
GATEWAY=x.x.x.x
DNS1=8.8.8.8
DNS2=x.x.x.x
2.2: vim /etc/sysconfig/network-scripts/ifcfg-eth2
# eth2: the internal interface, attached to Network 2 (the virtual switch)
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
#BOOTPROTO=dhcp
BOOTPROTO=static
# no default route via the internal side; eth1 owns it
DEFROUTE=no
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
# NAME and DEVICE must match the file name (ifcfg-eth2)
NAME=eth2
#UUID=34b419e0-ca01-4ca4-964b-45d2a9973002
DEVICE=eth2
#ONBOOT=no
ONBOOT=yes
# the address the internal VMs will use as their gateway; deliberately no GATEWAY line here
IPADDR=192.168.2.100
NETMASK=255.255.255.0
2.3: ping baidu.com
(confirm that the gateway VM itself reaches the Internet through eth1 before enabling forwarding)
3: Enable IPv4 forwarding
3.1: Check the forwarding state; the default is 0, i.e. disabled
cat /proc/sys/net/ipv4/ip_forward
3.2: Enable forwarding. This takes effect at once but is lost on reboot; section 5 makes it persistent via rc.local, and the cleaner alternative is a file under /etc/sysctl.d/ containing net.ipv4.ip_forward = 1, applied with sysctl --system.
echo 1 > /proc/sys/net/ipv4/ip_forward
4: Use iptables for address translation:
4.1: Configure SNAT in iptables. Source NAT rewrites the source address of every packet from the internal subnet to the gateway's public address on the way out, so replies come back to the gateway and are mapped back to the VM. SNAT needs a fixed public address; if x.x.x.x is assigned dynamically, use -j MASQUERADE with -o eth1 instead.
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j SNAT --to-source x.x.x.x
4.2: A VM on 192.168.2.0/24 that needs Internet access only has to set its default gateway to 192.168.2.100. The SNAT rule only rewrites addresses; the FORWARD chain must also allow the traffic, which the ruleset in section 6 takes care of.
5: Run at boot:
5.1: So that these settings are not lost after a reboot, add the two commands to rc.local so they run at boot. If the rules are later persisted with service iptables save as in section 6, take the iptables line out of rc.local again, otherwise each boot appends a second copy of the SNAT rule.
vim /etc/rc.d/rc.local
#!/bin/bash
# THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES
#
# It is highly advisable to create own systemd services or udev rules
# to run scripts during boot instead of using this file.
#
# In contrast to previous versions due to parallel execution during boot
# this script will NOT be run after all other services.
#
# Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure
# that this script will be executed during boot.
touch /var/lock/subsys/local
# enable IPv4 forwarding and add the SNAT rule for the internal subnet on every boot
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j SNAT --to-source x.x.x.x
5.2: Since CentOS 7, rc.local has no execute permission by default (rc-local.service only runs it when the file is executable), so one more command is needed:
chmod +x /etc/rc.d/rc.local
Reboot to test: reboot
After the reboot, confirm that cat /proc/sys/net/ipv4/ip_forward prints 1 and that iptables -t nat -L POSTROUTING -n lists the SNAT rule exactly once.
6: iptables configuration (needs the iptables-services package, and firewalld must be stopped and disabled first or the two fight over the rules; everything below is IPv4 only, so if eth1 also picks up a public IPv6 address through IPV6_AUTOCONF=yes, filter it separately with ip6tables or set IPV6INIT=no):
vim iptables.sh
#!/bin/sh
# Open the INPUT policy BEFORE flushing: if the policy is still DROP from a
# previous run, flushing the rules would cut off the SSH session this runs in.
iptables -P INPUT ACCEPT
# Flush the filter table AND the nat table, otherwise every run appends a
# second copy of the SNAT and DNAT rules.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
# INPUT: loopback, the trusted external address, the internal subnet, ICMP, replies
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s x.x.x.x -j ACCEPT
iptables -A INPUT -s 192.168.2.0/24 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
#iptables -A INPUT -p udp -m udp --dport 67 --in-interface xenapi -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# NAT: SNAT for the LAN only on the way out of eth1; DNAT public port 30022 to 192.168.2.100:22
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth1 -j SNAT --to-source x.x.x.x
iptables -t nat -A PREROUTING -i eth1 -p tcp -d x.x.x.x --dport 30022 -j DNAT --to-destination 192.168.2.100:22
# FORWARD: only LAN-originated traffic leaving through eth1, plus the replies,
# rather than forwarding everything in every direction
iptables -A FORWARD -i eth2 -o eth1 -s 192.168.2.0/24 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Default-deny now that the allow rules are in place
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Persist to /etc/sysconfig/iptables and reload from it
service iptables save
systemctl restart iptables.service
Note:
iptables -P INPUT ACCEPT must run before the flush; if the policy is still DROP from a previous run, flushing the rules drops the SSH session you are working from.
The FORWARD rules go together with the POSTROUTING SNAT rule: with the FORWARD policy at DROP, SNAT alone passes nothing, so the internal subnet's traffic has to be accepted there explicitly.
Enable IP forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j SNAT --to-source x.x.x.x
Make it run at boot (the echo line goes into /etc/rc.d/rc.local, which must be executable):
chmod +x /etc/rc.d/rc.local
echo 1 > /proc/sys/net/ipv4/ip_forward
Port forwarding:
iptables -t nat -A PREROUTING -i eth1 -p tcp -d x.x.x.x --dport 30022 -j DNAT --to-destination 192.168.2.100:22
Note that 192.168.2.100 is the gateway's own eth2 address, so this rule exposes the gateway's own sshd on public port 30022; the DNAT'd packet lands in the INPUT chain and is admitted only from the sources INPUT allows. To publish a port of an internal VM instead, put that VM's address after --to-destination and add a FORWARD rule that accepts the DNAT'd connection from eth1 to eth2.
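As an added example, not the page's own script, here is the whole gateway build from sections 3 to 6 as one idempotent shell script. It renders the ruleset in iptables-restore format, so the reload swaps the tables in one step and there is no moment with a DROP policy and no allow rules; it stores the result in /etc/sysconfig/iptables (the file service iptables save writes) and makes ip_forward persistent through /etc/sysctl.d instead of rc.local. The interface names eth1/eth2, the x.x.x.x placeholder for the public address, the subnet and the 30022 to 192.168.2.100:22 forward are taken from the page; the trusted management host ADMIN_IP=203.0.113.10 (a documentation-range address), the file names and the render/apply interface are assumptions, all overridable through the environment.

```shell
#!/bin/sh
# Added example: NAT gateway ruleset as an iptables-restore file (not the page's script).
# Defaults mirror the page, except ADMIN_IP, an assumed management host in the
# 203.0.113.0/24 documentation range; override any of them via the environment.
EXT_IF=${EXT_IF:-eth1}                 # public side, XenServer "Network 1"
INT_IF=${INT_IF:-eth2}                 # internal virtual switch, "Network 2"
EXT_IP=${EXT_IP:-x.x.x.x}              # the gateway's fixed public address (placeholder)
LAN=${LAN:-192.168.2.0/24}
ADMIN_IP=${ADMIN_IP:-203.0.113.10}     # assumption: the only host allowed to SSH in
DNAT_PORT=${DNAT_PORT:-30022}
DNAT_TARGET=${DNAT_TARGET:-192.168.2.100:22}
DNAT_HOST=${DNAT_TARGET%:*}
DNAT_DPORT=${DNAT_TARGET#*:}

# render_rules: print the complete ruleset in iptables-restore format.
# Policies are DROP from the start; iptables-restore loads the whole table
# atomically, so unlike a sequence of iptables -A calls there is no lockout window.
render_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# publish ${EXT_IP}:${DNAT_PORT} as ${DNAT_TARGET}
-A PREROUTING -i ${EXT_IF} -p tcp -d ${EXT_IP} --dport ${DNAT_PORT} -j DNAT --to-destination ${DNAT_TARGET}
# SNAT only on the way out of ${EXT_IF}; use -j MASQUERADE instead if ${EXT_IP} is dynamic
-A POSTROUTING -s ${LAN} -o ${EXT_IF} -j SNAT --to-source ${EXT_IP}
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s ${ADMIN_IP} -p tcp --dport 22 -j ACCEPT
-A INPUT -i ${INT_IF} -s ${LAN} -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# forward LAN traffic outwards plus the replies; everything else is dropped
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ${INT_IF} -o ${EXT_IF} -s ${LAN} -j ACCEPT
# the DNAT'd connection, for the case where the target is a VM behind ${INT_IF}
-A FORWARD -i ${EXT_IF} -o ${INT_IF} -p tcp -d ${DNAT_HOST} --dport ${DNAT_DPORT} -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
EOF
}

# rule_count TABLE: number of -A rules rendered for one table (nat or filter).
rule_count() {
    render_rules | awk -v t="*$1" '$0 == t {f = 1; next} /^COMMIT/ {f = 0} f && /^-A/ {n++} END {print n + 0}'
}

# check_forwarding [FILE]: succeed only if ip_forward reads 1.
check_forwarding() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# persist_forwarding [FILE]: write the sysctl drop-in that replaces the rc.local line.
persist_forwarding() {
    printf 'net.ipv4.ip_forward = 1\n' > "${1:-/etc/sysctl.d/90-nat-gateway.conf}"
}

# apply_rules [FILE]: parse-check the ruleset, load it atomically, then persist it.
apply_rules() {
    out=${1:-/etc/sysconfig/iptables}
    tmp=$(mktemp) || return 1
    render_rules > "$tmp"
    if iptables-restore --test "$tmp" && iptables-restore "$tmp"; then
        cp "$tmp" "$out"; rm -f "$tmp"
    else
        echo "ruleset rejected, running rules left untouched" >&2; rm -f "$tmp"; return 1
    fi
}

case "${1:-render}" in
    render) render_rules ;;
    apply)  persist_forwarding && sysctl --system >/dev/null && check_forwarding && apply_rules ;;
    *)      echo "usage: $0 [render|apply]" >&2; exit 2 ;;
esac
```

Run sh nat-gateway.sh render to review the ruleset, then EXT_IP=... ADMIN_IP=... sh nat-gateway.sh apply as root; iptables.service (iptables-services, with firewalld disabled) reloads the saved file on boot. With the page's target, the gateway's own eth2 address, the DNAT'd connection lands in INPUT and is therefore admitted only from ADMIN_IP; point DNAT_TARGET at an internal VM and the FORWARD rule with --ctstate DNAT takes over. Unlike INPUT -s x.x.x.x -j ACCEPT in the page's script, the admin rule here opens port 22 only.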