苏州网站建设的公司,免费网站制作三合一收款码,页面设计感想,如何开发网站7.1 网络准备 7.2 网络规划
1#xff09;虚拟网络编辑器
点击右下方“更改设置”#xff0c;点击“添加网络”假如vmnet3和vmnet4#xff0c;然后分别选择vmnet3和vmnet4#xff0c;设置为“仅主机模式”#xff0c;按③处处理#xff0c;去掉“使用DHCP”#xff0c;…7.1 网络准备 7.2 网络规划
1虚拟网络编辑器
点击右下方“更改设置”点击“添加网络”假如vmnet3和vmnet4然后分别选择vmnet3和vmnet4设置为“仅主机模式”按③处处理去掉“使用DHCP”子网分别设置为192.168.126.0/24和202.202.202.0/24。 图7- 1 虚拟机设置除了安装时的NAT网络外还有一个wifi的vmnet0桥接再添加vmnet3和vmnet4如图7-2所示vmnet3和vmnet都选择仅主机模式。 图7- 2 将宿主物理主机的网络连接里vmnet3和vmnet4分别设置为192.168.126.99/24、202.202.202.99/24。 图7- 3
设置虚拟机新增网卡ens37、ens38的ip地址 [rootlocalhost network-scripts]# ip a 1: …… 4: ens37: BROADCAST,MULTICAST,UP,LOWER_UP mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether 00:0c:29:d3:92:d6 brd ff:ff:ff:ff:ff:ff inet 192.168.126.33/24 brd 192.168.126.255 scope global noprefixroute ens37 valid_lft forever preferred_lft forever inet6 fe80::7381:cf8f:5191:189b/64 scope link noprefixroute valid_lft forever preferred_lft forever 5: ens38: BROADCAST,MULTICAST,UP,LOWER_UP mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether 00:0c:29:d3:92:e0 brd ff:ff:ff:ff:ff:ff inet 202.202.202.33/24 brd 202.202.202.255 scope global noprefixroute ens38 valid_lft forever preferred_lft forever inet6 fe80::3d32:1ff6:af6a:1a47/64 scope link noprefixroute valid_lft forever preferred_lft forever ……
测试一下和宿主机及外网的连通性 [rootlocalhost network-scripts]# ping 202.202.202.99 -c 2 PING 202.202.202.99 (202.202.202.99) 56(84) bytes of data. 64 bytes from 202.202.202.99: icmp_seq1 ttl128 time0.502 ms 64 bytes from 202.202.202.99: icmp_seq2 ttl128 time0.532 ms --- 202.202.202.99 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1009ms rtt min/avg/max/mdev 0.502/0.517/0.532/0.015 ms [rootlocalhost network-scripts]# ping 192.168.126.99 -c 2 PING 192.168.126.99 (192.168.126.99) 56(84) bytes of data. 64 bytes from 192.168.126.99: icmp_seq1 ttl128 time0.278 ms 64 bytes from 192.168.126.99: icmp_seq2 ttl128 time0.559 ms --- 192.168.126.99 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1008ms rtt min/avg/max/mdev 0.278/0.418/0.559/0.141 ms [rootlocalhost network-scripts]# ping www.baidu.com -c 2 PING www.a.shifen.com (183.2.172.185) 56(84) bytes of data. 64 bytes from 183.2.172.185 (183.2.172.185): icmp_seq1 ttl128 time31.9 ms 64 bytes from 183.2.172.185 (183.2.172.185): icmp_seq2 ttl128 time31.1 ms --- www.a.shifen.com ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1008ms rtt min/avg/max/mdev 31.183/31.555/31.927/0.372 ms
2容器网络ip规划
表7.1 IP规划 主 机 名 称 操作系统 IP地址 内网服务器intrasvr Centos 8 192.168.100.221VMnet3 natsvr Centos 8 IP1: 192.168.100.220VMnet3 IP2:202.202.202.1VMnet4 intersvr Centos 8 202.202.202.113VMnet4 wifi ens36 192.168.0.0/24
模拟内网nei ens37 192.168.100.0/24
模拟外网wai ens38 202.202.202.0/24 图7- 4
3要求
1. 配置SNAT保证内网用户能够正常访问公网IP。
2. 配置DNAT保证外网用户能够正常访问内网的SSH服务器。
3. 配置iptables防火墙
4步骤 注意请保证物理机连上互联网的情况下在intrasvr、natsvr两台服务器上安装iptables和iptables-servies两个软件包以便后续使用。intrasvr网关是natsvrnatsvr可以ping通intersvr但是intrasver无法ping通intersvr。
i准备工作
规划容器连接网络
192.168.100.0/24模拟内网202.202.202.0/24模拟外网
表7.2 对应的容器网络规划 网络/容器 Ip 连接特性 端口 安装包 neiw 192.168.100.0/24 macvlan/ens37 waiw 2i02.202.202.0/24 macvlan/ens38 intrasvr容器 192.168.100.221/24 Gateway:192.168.100.220 firewalld、iptables和iptables-servies natsvr容器 192.168.100.220/24 202.202.202.1/24 firewalld、iptables和iptables-servies intersvr容器 202.202.202.113/24
①创建与物理网wifi:192.168.0.0/24、neiw:192.168.126.0/24和waiw桥接的docker网络 docker network create -d macvlan --subnet192.168.0.0/24 --gateway192.168.0.1 -o parentens37 wifi docker network create -d macvlan --subnet192.168.126.0/24 --gateway192.168.126.99 -o parentens39 neiw docker network create -d macvlan --subnet202.202.202.0/24 --gateway202.202.202.99 -o parentens40 waiw [rootlocalhost ~]# docker network create -d macvlan --subnet192.168.0.0/24 --gateway192.168.0.1 -o parentens36 wifi ad56b3c0094aa88c08bca676dcd1980b6c92d7a9d4844f5ff44c7820edfd6790 [rootlocalhost ~]# docker network create -d macvlan --subnet192.168.126.0/24 --gateway192.168.126.99 -o parentens37 neiw c26169d5782d3f3d9ea3a2c4ff09480ef3f958f51d13eeab6449d6a110d1f1a2 [rootlocalhost ~]# docker network create -d macvlan --subnet202.202.202.0/24 --gateway202.202.202.99 -o parentens38 waiw 9fcfb8b1d1f1ccf2c17c1381530e899297bf16ae36ffaebfe5f5f950574f2c40 [rootlocalhost ~]# docker network ls NETWORK ID NAME DRIVER SCOPE e450e6350455 bridge bridge local 8cb34f3d18a1 host host local c26169d5782d neiw macvlan local 78b5e1889b1f none null local 9fcfb8b1d1f1 waiw macvlan local ad56b3c0094a wifi macvlan local
②在/目录下创建/cts8etc/yum.repos.d并将准备好存放在/wutool的CentOS-Base852111.repo的库文件拷进该文件夹这是为centos8.5.2111容器准备库文件然后创建表7.2所规划的三个容器intrasvr、natsvr、intersvr暂时IP桥接到wifi上初始化完成后再按表7.2内容实施 [rootlocalhost ~]# cp /wutool/CentOS-Base852111.repo /cts8etc/CentOS-Base852111.repo
③先准备三个和wifi桥接的三台容器CentOS:lastest docker run -itd -e “containerdocker” --privilegedtrue -v /sys/fs/cgroup:/sys/fs/cgroup -v /wutool:/wutool -v /mnt:/mnt -v /cts8etc/yum.repos.d:/etc/yum.repos.d --net wifi --ip 192.168.0.21 --name intrasvr centos /usr/sbin/init docker run -itd -e “containerdocker” --privilegedtrue -v /sys/fs/cgroup:/sys/fs/cgroup -v /wutool:/wutool -v /mnt:/mnt -v /cts8etc/yum.repos.d:/etc/yum.repos.d --net wifi --ip 192.168.0.20 --name natsvr centos /usr/sbin/init docker run -itd -e “containerdocker” --privilegedtrue -v /sys/fs/cgroup:/sys/fs/cgroup -v /wutool:/wutool -v /mnt:/mnt -v /cts8etc/yum.repos.d:/etc/yum.repos.d --net wifi --ip 192.168.0.13 --name intersvr centos /usr/sbin/init
查看容器 图7- 5
④容器初始化
启动三个容器 [rootwuzz ~]# docker start intrasvr intersvr natsvr intrasvr intersvr natsvr
复制3个ssh登录窗口2、3、4然后在三个窗口中分别登录容器 图7- 6 docker exec -it intrasvr /bin/bash
查看ip更新yum源 图7- 7 失败了看错误好像要到ali网站的docker中心去报到而我们的容器都是虚拟网模拟的无法连外网。 图7- 8
宿主机是可以连外网的网络有个nat网络是连接外网的我们在centos主机上给三个容器连外网 [rootwuzz ~]# docker network connect nat intrasvr 图7- 9 更新 [root8753cfda310e /]# yum clean all Failed to set locale, defaulting to C.UTF-8 0 files removed [root8753cfda310e /]# yum makecache Failed to set locale, defaulting to C.UTF-8 Docker CE Stable - x86_64 235 kB/s | 66 kB 00:00 LocalRepo_BaseOS 60 MB/s | 2.6 MB 00:00 LocalRepository_AppStream 68 MB/s | 7.5 MB 00:00 Metadata cache created.
安装必要工具(最好所有的容器上都安) [root8753cfda310e /]# yum install -y yum-utils device-mapper-persistent-data lvm2 net-tools NetworkManager firewalld iptables-services openssh-clients passwd openssl openssh-server initscripts dhcp-server dhcp-relay
⑤给容器安装ssh服务
由于docker安装的容器不支持SSH登录需要做ssh服务器架设 [root8753cfda310e /]# yum install passwd openssl openssh-server initscripts -y
编辑/etc/ssh/sshd_config注意红色部分没有的就自行添加 …… Port 22 AddressFamily any ListenAddress 0.0.0.0 #ListenAddress :: HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key # Ciphers and keying #RekeyLimit default none # This system is following system-wide crypto policy. The changes to # crypto properties (Ciphers, MACs, ...) will not have any effect here. # They will be overridden by command-line options passed to the server # on command line. # Please, check manual pages for update-crypto-policies(8) and sshd_config(5). # Logging #SyslogFacility AUTH SyslogFacility AUTHPRIV #LogLevel INFO # Authentication: #LoginGraceTime 2m PermitRootLogin yes PermitEmptyPasswords yes #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 PubkeyAuthentication yes
#重启ssh [root8753cfda310e /]# service sshd restart Redirecting to /bin/systemctl restart sshd.service [root8753cfda310e /]# systemctl start sshd.service [root8753cfda310e /]# systemctl enable sshd.service [root8753cfda310e /]# passwd root Changing password for user root. New password: BAD PASSWORD: The password is shorter than 8 characters Retype new password: passwd: all authentication tokens updated successfully.
将容器中的/etc/ssh/sshd_config拷贝到宿主机的共享卷/wutool上其他容器再从共享卷拷贝到/etc/ssh/目录并按以上步骤重启sshd服务。
局域网中随便找个工具登陆容器这里用MobaXterm登陆容器 图7- 10
容器间相互登陆 图7- 11
⑥以表7.2规划的固定ip将natsvr连接neiw和waiwintrasvr连接neiwintersvr连接waiw
natsvr docker network connect --ip192.168.100.221 neiw natsvr docker network connect --ip202.202.202.1 waiw natsvr
intrasvr docker network connect --ip192.168.100.220 neiw intrasvr
intersvr docker network connect --ip202.202.202.113 waiw intersvr
给容器intrasvr增加网关192.168.100.221 route add default gw 192.168.100.221
在intrasvr上可以ping natsvr的两个ip但是无法ping通外网intersvr即 [rootintrasvr~]# ping natsvr (内) //通 [root intrasvr~]# ping natsvr (外) //通 [root intrasvr~]# ping intersvr //不通 [rootintrasvr /]# ping 192.168.100.221 -c 2 PING 192.168.100.221 (192.168.100.221) 56(84) bytes of data. 64 bytes from 192.168.100.221: icmp_seq1 ttl64 time0.383 ms 64 bytes from 192.168.100.221: icmp_seq2 ttl64 time0.120 ms --- 192.168.100.221 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1058ms rtt min/avg/max/mdev 0.120/0.251/0.383/0.132 ms [rootintrasvr /]# ping 202.202.202.1 -c 2 PING 202.202.202.1 (202.202.202.1) 56(84) bytes of data. 64 bytes from 202.202.202.1: icmp_seq1 ttl64 time0.072 ms 64 bytes from 202.202.202.1: icmp_seq2 ttl64 time0.119 ms --- 202.202.202.1 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1009ms rtt min/avg/max/mdev 0.072/0.095/0.119/0.025 ms [rootintrasvr /]# ping 202.202.202.113 -c 2 PING 202.202.202.113 (202.202.202.113) 56(84) bytes of data. From 192.168.100.221 icmp_seq1 Destination Host Prohibited From 192.168.100.221 icmp_seq2 Destination Host Prohibited --- 202.202.202.113 ping statistics --- 2 packets transmitted, 0 received, 2 errors, 100% packet loss, time 1005ms ⑦配置SNAT
在intrasvr和natsvr上关闭firewalld启动iptables [root nat-server ~]# systemctl stop firewalld [root nat-server ~]# systemctl start iptables
在natsvr上配置配置防火墙SNAT [root862b11cc5d84 /]# cat /proc/sys/net/ipv4/ip_forward
确认开启路由存储转发其值为1。如果为0则执行 [root862b11cc5d84 /]# echo 1 /proc/sys/net/ipv4/ip_forward
清空filter表查看filter表和nat 表 [root862b11cc5d84 /]# iptables -F [root862b11cc5d84 /]# iptables -L [root862b11cc5d84 /]# iptables -t nat -L
配置SNAT转换 [root862b11cc5d84 /]#iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -j SNAT --to-source 202.202.202.1 [rootnatsvr /]# iptables -t nat -L Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- 192.168.100.0/24 anywhere to:202.202.202.1 Chain OUTPUT (policy ACCEPT) target prot opt source destination 在内网intrasvr上测试SNAT配置是否成功在intrasvr上ping外部intersvr [rootintrasvr /]# ping 202.202.202.113 -c 2 PING 202.202.202.113 (202.202.202.113) 56(84) bytes of data. 64 bytes from 202.202.202.113: icmp_seq2 ttl63 time0.537 ms --- 202.202.202.113 ping statistics --- 2 packets transmitted, 1 received, 50% packet loss, time 1039ms rtt min/avg/max/mdev 0.537/0.537/0.537/0.000 ms 测试内网ping公网 [root8753cfda310e /]# ping www.baidu.com -c 2 PING www.a.shifen.com (183.2.172.42) 56(84) bytes of data. 64 bytes from 183.2.172.42 (183.2.172.42): icmp_seq2 ttl127 time30.3 ms --- www.a.shifen.com ping statistics --- 2 packets transmitted, 1 received, 50% packet loss, time 1062ms rtt min/avg/max/mdev 30.323/30.323/30.323/0.000 ms
转了几次后时延有点大。
⑧配置DNAT
情景描述如果外网要登录natsvr的话自动转换目的地址202.202.202.1到192.168.100.221的SSH服务上。
开启iptables防火墙并清空filter表并查看filter表 [root8753cfda310e /]# systemctl start iptables [root8753cfda310e /]# iptables -F [root8753cfda310e /]# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
在filter表INPUT链中添加规则 [root8753cfda310e /]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
在防火墙nat-server上配置DNAT iptables -t nat -A PREROUTING -d 202.202.202.1 -p tcp --dport 22 -j DNAT --to-destination 192.168.100.221:22 [rootnatsvr /]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT [rootnatsvr /]# iptables -t nat -A PREROUTING -d 202.202.202.1 -p tcp --dport 22 -j DNAT --to-destination 192.168.100.221:22 [rootnatsvr /]# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp dpt:ssh Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
在intersvr上远程登录docker容器查看配置是否生效 [rootintersvr /]# ssh 202.202.202.1 The authenticity of host 202.202.202.1 (202.202.202.1) cant be established. ECDSA key fingerprint is SHA256:YM49UWmdsfNjsYC/jkskneFwWiK5eBodfPvRM2OOT60. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added 202.202.202.1 (ECDSA) to the list of known hosts. root202.202.202.1s password: Last login: Tue Oct 8 13:37:24 2024 from 202.202.202.1
至此完成了防火墙的基本配置和NAT部署。
