Contents
Project overview
Detailed project commands
1. Topology diagram
2. Implement SNAT and configure the servers' IPs
3. Configure the clients' internal-network IPs
4. Install Docker and start the nginx and MySQL containers
5. Configure the DNAT policy
6. Test whether DNAT works
Project overview
- Project name: iptables-based SNAT+DNAT with Docker container publishing
- Environment: CentOS 8, Docker, MySQL (5.7.35), nginx, iptables, etc.
- Description: simulate an enterprise environment, publish internal-network servers and give them Internet connectivity; at the same time build our own web and MySQL applications as Docker containers
- Steps
- Plan the overall topology and IP addressing
- Install three servers, configure their IP addresses according to the topology diagram, and install Docker
- Implement SNAT on the gateway server so the internal servers can reach the Internet; configure the internal servers' IP, gateway and DNS
- Start the nginx and MySQL Docker containers on the internal servers and test that the containers are reachable
- Configure the DNAT policy on the gateway server and enable routing
- Test the result: use curl or Chrome to check the web service, and use SQLyog to check the MySQL container
- Lessons learned
- Understood the importance of the project topology diagram; only with it can each step be completed properly
- Further strengthened my understanding and command of iptables and Docker containers
- Gained some experience implementing functionality across multiple servers
- Improved my network troubleshooting ability
- Improved my shell scripting and better understood the importance of rigour when writing shell scripts
- Problems encountered
- The two clients behind the gateway server could not be reached with XSHELL and could not ping external addresses, because the firewall on the gateway server had not been turned off
- When adding a route on Windows, CMD kept failing to recognise the route add command, because CMD had not been opened as administrator
- Through lack of care, long iptables commands sometimes had options left out, so the command would not run; rigour needs further improvement
Detailed project commands

1. Topology diagram

(topology diagram image)
2. Implement SNAT and configure the servers' IPs
Gateway host: root@server
Client 1: root@web-mysql
Client 2: root@web-mysql-2

1. Configure the SNAT policy on the gateway server:
[root@server /]# cd /lianxi
[root@server lianxi]# mkdir 0813
[root@server lianxi]# ls
0813
[root@server 0813]# vim snat.sh
[root@server 0813]# cat snat.sh
#!/bin/bash
#open route function
echo 1 >/proc/sys/net/ipv4/ip_forward
#clear iptables rules
iptables -F
iptables -t nat -F
iptables -P INPUT ACCEPT
#start snat
#iptables -t nat -A POSTROUTING -s 192.168.50.0/24 -o ens33 -j SNAT --to-source 192.168.2.200
iptables -t nat -A POSTROUTING -s 192.168.50.0/24 -o ens33 -j MASQUERADE
[root@server 0813]# vim snat.sh
[root@server 0813]# cat snat.sh
#!/bin/bash
#stop firewalld service
service firewalld stop
# selinux policy
setenforce 0
#open route function
echo 1 >/proc/sys/net/ipv4/ip_forward
#clear iptables rules
iptables -F
iptables -t nat -F
iptables -P INPUT ACCEPT
#start snat
#iptables -t nat -A POSTROUTING -s 192.168.50.0/24 -o ens33 -j SNAT --to-source 192.168.2.200
iptables -t nat -A POSTROUTING -s 192.168.50.0/24 -o ens33 -j MASQUERADE
[root@server 0813]# bash snat.sh
Redirecting to /bin/systemctl stop firewalld.service
[root@server 0813]# iptables -L -t nat -n # list the iptables NAT rules
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.50.0/24 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@server 0813]#
Note: at this point a route must be added on the Windows host so that we can ssh to the servers on the internal network.
Command: route add 192.168.20.0/24 192.168.50.200
3. Configure the clients' internal-network IPs
# Configure the IP of root@web-mysql
[root@web-mysql network-scripts]# cd /etc/sysconfig/network-scripts/
[root@web-mysql network-scripts]# ls
ifcfg-ens33
[root@web-mysql network-scripts]# vim ifcfg-ens33
[root@web-mysql network-scripts]# cat ifcfg-ens33
BOOTPROTO="none"
NAME="ens33"
DEVICE="ens33"
ONBOOT="yes"
IPADDR=192.168.50.100
PREFIX=24
# the default gateway is the gateway server's address on this 192.168.50.0/24 link
GATEWAY=192.168.50.200
DNS1=114.114.114.114
DNS2=192.168.50.200
[root@web-mysql network-scripts]# ifup ens33
[root@web-mysql network-scripts]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:0d:bc:42 brd ff:ff:ff:ff:ff:ff
inet 192.168.50.100/24 brd 192.168.50.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe0d:bc42/64 scope link
valid_lft forever preferred_lft forever
[root@web-mysql network-scripts]#

# Configure the IP of root@web-mysql-2 the same way
[root@web-mysql-2 ~]# cd /etc/sysconfig/network-scripts/
[root@web-mysql-2 network-scripts]# ls
ifcfg-ens33
[root@web-mysql-2 network-scripts]# cat ifcfg-ens33
BOOTPROTO="none"
NAME="ens33"
DEVICE="ens33"
ONBOOT="yes"
IPADDR=192.168.50.101
PREFIX=24
GATEWAY=192.168.50.200
DNS1=114.114.114.114
DNS2=192.168.50.200
[root@web-mysql-2 network-scripts]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:bf:ff:dc brd ff:ff:ff:ff:ff:ff
inet 192.168.50.101/24 brd 192.168.50.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:febf:ffdc/64 scope link
valid_lft forever preferred_lft forever
[root@web-mysql-2 network-scripts]#
4. Install Docker and start the nginx and MySQL containers
Client 1:
[root@web-mysql ~]# yum remove docker \
> docker-client \
> docker-client-latest \
> docker-common \
> docker-latest \
> docker-latest-logrotate \
> docker-logrotate \
> docker-engine
未找到匹配的引數: docker
未找到匹配的引數: docker-client
未找到匹配的引數: docker-client-latest
未找到匹配的引數: docker-common
未找到匹配的引數: docker-latest
未找到匹配的引數: docker-latest-logrotate
未找到匹配的引數: docker-logrotate
未找到匹配的引數: docker-engine
沒有軟體包需要移除,
依賴關系解決,
無需任何處理,
完畢!
[root@web-mysql ~]# yum install -y yum-utils
[root@web-mysql ~]# yum-config-manager \
> --add-repo \
> http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
添加倉庫自:http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
[root@web-mysql ~]# yum install docker-ce docker-ce-cli containerd.io
……
完畢!
[root@web-mysql ~]#
[root@web-mysql ~]# systemctl start docker
[root@web-mysql ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@web-mysql ~]# docker pull mysql:5.7.35
[root@web-mysql ~]# docker pull nginx
[root@web-mysql ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx latest dd34e67e3371 25 hours ago 133MB
mysql 5.7.35 6c20ffa54f86 26 hours ago 448MB
[root@web-mysql ~]# docker run -d --name chao-nginx-1 -p 80:80 nginx # create a container from the nginx image to provide the web service
d98d2891a17bd60d8736728aa2f748030665080804d838e6104e486e959eaff3
[root@web-mysql ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d98d2891a17b nginx "/docker-entrypoint.…" 7 seconds ago Up 5 seconds 0.0.0.0:80->80/tcp, :::80->80/tcp chao-nginx-1
[root@web-mysql ~]# ss -anplut|grep 80 # check the port status (method 1)
tcp LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("docker-proxy",pid=5583,fd=4))
tcp LISTEN 0 128 [::]:80 [::]:* users:(("docker-proxy",pid=5587,fd=4))
[root@web-mysql ~]# yum install net-tools -y
[root@web-mysql ~]# netstat -anplut|grep 80 # check the port status (method 2)
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 5583/docker-proxy
tcp6 0 0 :::80 :::* LISTEN 5587/docker-proxy
[root@web-mysql ~]# curl 192.168.50.100:80 # check that the container was created successfully
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
[root@web-mysql ~]# docker exec -it chao-nginx-1 /bin/bash
root@d98d2891a17b:/# cd /usr/share/nginx/html/
root@d98d2891a17b:/usr/share/nginx/html# ls
50x.html index.html
root@d98d2891a17b:/usr/share/nginx/html# echo "Welcome To ChaoChao's world!" >index.html # replace the index.html file
root@d98d2891a17b:/usr/share/nginx/html#
Client 2 is set up the same way; here is client 2 running the MySQL container:
[root@web-mysql-2 ~]# docker pull mysql:5.7.35
5.7.35: Pulling from library/mysql
Digest: sha256:7cf2e7d7ff876f93c8601406a5aa17484e6623875e64e7acc71432ad8e0a3d7e
Status: Image is up to date for mysql:5.7.35
docker.io/library/mysql:5.7.35
[root@web-mysql-2 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
mysql 5.7.35 6c20ffa54f86 26 hours ago 448MB
[root@web-mysql-2 ~]# docker run -d --name chao-mysql -e MYSQL_ROOT_PASSWORD='chao123456' -p 3306:3306 mysql:5.7.35
a0d5fa963fba9b8a3bd1789d34ead90a7abbef2b93bf91b157758f131364e9b0
[root@web-mysql-2 ~]# mysql -uroot -pchao123456 -h 192.168.50.101
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.35 MySQL Community Server (GPL)
Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
5. Configure the DNAT policy
Configure the DNAT policy on the gateway server:
[root@server 0813]# vim dnat.sh
[root@server 0813]# cat dnat.sh
#!/bin/bash
#stop firewalld service
service firewalld stop
# selinux policy
setenforce 0
#open route function
echo 1 >/proc/sys/net/ipv4/ip_forward
#clear iptables rules
iptables -F
iptables -t nat -F
iptables -P INPUT ACCEPT
#start snat
#iptables -t nat -A POSTROUTING -s 192.168.50.0/24 -o ens33 -j SNAT --to-source 192.168.2.200
iptables -t nat -A POSTROUTING -s 192.168.50.0/24 -o ens33 -j MASQUERADE
#DNAT policy -->web
iptables -t nat -A PREROUTING -d 192.168.2.200 -p tcp --dport 80 -j DNAT --to-destination 192.168.50.100:80
#DNAT policy -->mysql
iptables -t nat -A PREROUTING -d 192.168.2.200 -p tcp --dport 3306 -j DNAT --to-destination 192.168.50.101:3306
[root@server 0813]#
[root@server 0813]# bash dnat.sh
Redirecting to /bin/systemctl stop firewalld.service
[root@server 0813]# iptables -t nat -L -n # check whether DNAT is in effect
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 192.168.2.200 tcp dpt:80 to:192.168.50.100:80
DNAT tcp -- 0.0.0.0/0 192.168.2.200 tcp dpt:3306 to:192.168.50.101:3306
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.50.0/24 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@server 0813]#
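Both gateway scripts (snat.sh in section 2 and dnat.sh in section 5) leave the filter table's FORWARD chain at its default ACCEPT, so once ip_forward is on, any traffic that reaches the gateway can be forwarded into 192.168.50.0/24, not just the two published ports. The script below is an added example, not the post's own snat.sh or dnat.sh: it builds the same MASQUERADE and DNAT rules from a short service list and pairs every DNAT rule with an explicit FORWARD allow on top of a FORWARD DROP default. The variable names, the `apply` sub-command and the inner interface name ens37 are assumptions; the addresses and ports come from the post's topology.

```shell
#!/bin/bash
# Added example (not the post's snat.sh/dnat.sh): generate the gateway's NAT
# rules together with a restrictive FORWARD chain. Run with no arguments to
# print the rules (dry run); run "apply" as root to install them.

WAN_IF="${WAN_IF:-ens33}"                 # interface carrying 192.168.2.200, as in the post
LAN_IF="${LAN_IF:-ens37}"                 # assumed name of the 192.168.50.200 interface
WAN_IP="${WAN_IP:-192.168.2.200}"
LAN_NET="${LAN_NET:-192.168.50.0/24}"
# Published services as "wan_port:lan_ip:lan_port", space separated.
SERVICES="${SERVICES:-80:192.168.50.100:80 3306:192.168.50.101:3306}"

# gateway_rules: print one iptables command per line.
gateway_rules() {
    # start both tables from a known state
    echo "iptables -F"
    echo "iptables -t nat -F"
    echo "iptables -P INPUT ACCEPT"
    # forward nothing unless a rule below allows it (the post relies on the default ACCEPT)
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # LAN -> Internet, source-translated to the WAN address (the post's SNAT step)
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
    # one DNAT rule plus one matching FORWARD allow per published service
    for svc in $SERVICES; do
        wport=${svc%%:*}
        rest=${svc#*:}
        lip=${rest%%:*}
        lport=${rest#*:}
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $WAN_IP -p tcp --dport $wport -j DNAT --to-destination $lip:$lport"
        echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $lip --dport $lport -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# apply_rules: enable routing and install the generated rules; needs root.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1
    gateway_rules | sh -e
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     gateway_rules ;;
esac
```

Without arguments the script only prints the rule set, which makes it reviewable before it is installed with `bash gateway.sh apply`. Where the post stops firewalld and runs setenforce 0 before loading its rules, this example uses the generated chains as the host's firewall and leaves SELinux as it is; ip_forward is set through sysctl, and a net.ipv4.ip_forward=1 line in a file under /etc/sysctl.d/ keeps it across reboots instead of the post's write to /proc.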
6. Test whether DNAT works
Web service on client 1:
Test method 1: access client 1's address from another client
[root@docker ~]# curl 192.168.50.100
Welcome To ChaoChao's world!
[root@docker ~]#
Test method 2: access client 1's address from a browser

MySQL service on client 2:

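The curl and browser checks above exercise the path end to end; when one of them fails, the failure shows up as a timeout and does not say which gateway rule is missing. The script below is an added example, not part of the original post: it checks the gateway's own state by matching the plain-text output of `iptables -t nat -L -n` against the three rules dnat.sh installs and by reading net.ipv4.ip_forward, naming each missing rule. The listings embedded in it are constructed from section 5's output for an offline self-test; the function names are assumptions.

```shell
#!/bin/bash
# Added example (not from the post): verify a gateway's NAT table against the
# rules the post's dnat.sh is expected to install. Usage on the gateway:
#   iptables -t nat -L -n >/tmp/nat.txt && sh check_nat.sh /tmp/nat.txt

# check_nat_listing FILE PATTERN...: grep each extended-regex PATTERN in FILE,
# print ok/MISSING per pattern, return 1 if any pattern is absent.
check_nat_listing() {
    file=$1
    shift
    rc=0
    for pattern in "$@"; do
        if grep -Eq "$pattern" "$file"; then
            printf 'ok       %s\n' "$pattern"
        else
            printf 'MISSING  %s\n' "$pattern"
            rc=1
        fi
    done
    return $rc
}

# check_gateway_nat FILE: the three rules from the post's topology.
check_gateway_nat() {
    check_nat_listing "$1" \
        'DNAT .*192\.168\.2\.200 .*tcp dpt:80 to:192\.168\.50\.100:80' \
        'DNAT .*192\.168\.2\.200 .*tcp dpt:3306 to:192\.168\.50\.101:3306' \
        'MASQUERADE .*192\.168\.50\.0/24'
}

# check_ip_forward [FILE]: 0 when routing is enabled; FILE defaults to the live sysctl node.
check_ip_forward() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]
}

# Constructed listings for the offline self-test: one matching section 5's
# output, one where the MySQL DNAT rule was never added.
SAMPLE_OK=$(mktemp)
SAMPLE_BAD=$(mktemp)
trap 'rm -f "$SAMPLE_OK" "$SAMPLE_BAD"' EXIT
cat >"$SAMPLE_OK" <<'EOF'
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            192.168.2.200        tcp dpt:80 to:192.168.50.100:80
DNAT       tcp  --  0.0.0.0/0            192.168.2.200        tcp dpt:3306 to:192.168.50.101:3306
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  192.168.50.0/24      0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
grep -v 'dpt:3306' "$SAMPLE_OK" >"$SAMPLE_BAD"

# With a file argument check that listing; otherwise run the self-test on the sample.
if [ -n "${1:-}" ]; then
    check_gateway_nat "$1"
else
    check_gateway_nat "$SAMPLE_OK"
fi
```

Run on the gateway with a saved listing, the script prints one line per expected rule, so a DNAT rule whose `--dport` or `--to-destination` was mistyped (the post's own "options left out" problem) is reported by name; `check_ip_forward` with no argument reads the live kernel setting and is the first thing to check when the listing is correct but clients still time out.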
Please credit the source when reposting; original link: https://www.uj5u.com/ruanti/294913.html