12 SSH service practice, time synchronisation and iptables

1 SSH service practice

1.1 scp and rsync

  • scp cannot tell whether the target file already exists: it copies the whole file every time

  • rsync checks the files and transfers according to their state, so an unchanged file is skipped (compare the two runs below: 481 bytes sent the first time, 50 the second)

    • rsync is a data-synchronisation tool in its own right; its other uses are left for later
#Install rsync
[root@rocky-11 ~]# dnf install rsync

#Transfer data with rsync (it runs over ssh here, so the ssh host-key check applies)
[root@rocky-11 ~]# rsync -av /etc/hosts test@10.0.0.10:
The authenticity of host '10.0.0.10 (10.0.0.10)' can't be established.
ED25519 key fingerprint is SHA256:45tZvWF1PBbCxvJpp3UTVuQjrtdkp0vPLkPVT5/UD0M.
This key is not known by any other names.
#First connection: the client has no record of this host key. Compare the fingerprint with the one the server prints for its own host key (ssh-keygen -l on the server) before answering yes; whatever is accepted now is stored in known_hosts and trusted from then on.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.0.10' (ED25519) to the list of known hosts.
test@10.0.0.10's password: 
sending incremental file list
hosts

sent 481 bytes  received 35 bytes  60.71 bytes/sec
total size is 384  speedup is 0.74
#Second run: /etc/hosts is unchanged, so only metadata is exchanged
[root@rocky-11 ~]# rsync -av /etc/hosts test@10.0.0.10:
test@10.0.0.10's password: 
sending incremental file list

sent 50 bytes  received 12 bytes  13.78 bytes/sec
total size is 384  speedup is 6.19

1.2 SSH passwordless authentication between hosts

With the standard model for passwordless authentication between hosts, every node needs its own key pair plus the public key of each peer it accepts, stored in that node's ~/.ssh/authorized_keys; the private key never leaves the node that generated it.

#Generate a key pair (this OpenSSH defaults to ed25519; the private key id_ed25519 stays here, only id_ed25519.pub is handed out)
[root@rocky-11 ~]# ssh-keygen 
Generating public/private ed25519 key pair.
Enter file in which to save the key (/root/.ssh/id_ed25519): 
Enter passphrase for "/root/.ssh/id_ed25519" (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_ed25519
Your public key has been saved in /root/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:wMjGiDQS47GRapS+4Cbh/lJuAFXqJp/1IH9JyqVuvV0 root@rocky-11
The key's randomart image is:
+--[ED25519 256]--+
|+*o..            |
|+**= o           |
|=+o = o          |
|=+ .   .         |
|B.= o o S        |
|.X B B .         |
|+ * =.+   E      |
| o +.... .       |
|  +o. ...        |
+----[SHA256]-----+

#Install the public key into the target user's ~/.ssh/authorized_keys on the target host (one last password prompt)
[root@rocky-11 ~]# ssh-copy-id test@10.0.0.10
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_ed25519.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
test@10.0.0.10's password: 

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'test@10.0.0.10'"
and check to make sure that only the key(s) you wanted were added.

#Verify passwordless login (no password prompt, straight to the Ubuntu login banner)
[root@rocky-11 ~]# ssh test@10.0.0.10
Welcome to Ubuntu 24.04.3 LTS (GNU/Linux 6.8.0-100-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Sun Feb  8 07:37:24 AM UTC 2026

  System load:  0.0               Processes:              216
  Usage of /:   6.6% of 96.88GB   Users logged in:        1
  Memory usage: 7%                IPv4 address for ens33: 10.0.0.10
  Swap usage:   0%


Expanded Security Maintenance for Applications is not enabled.

65 updates can be applied immediately.
To see these additional updates run: apt list --upgradable

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


Last login: Sun Feb  8 05:43:10 2026 from 10.0.0.1
test@ubuntu-10:~$ 

1.3 Mutual authentication among multiple hosts

  1. Generate a key pair
  2. Trust it locally (ssh-copy-id to 127.0.0.1 adds the public key to this host's own authorized_keys)
  3. scp the whole .ssh directory to the other hosts

Caveat: step 3 copies the private key as well, so every host ends up holding the same identity; a compromise of any one of them hands the attacker the key to all of them, and the copied known_hosts pre-trusts the recorded host keys on every machine. It is a lab shortcut; in production each host gets its own key pair and only public keys are distributed.
#Generate an RSA key pair (a second identity next to the ed25519 key from 1.2; ssh-copy-id defaults to the most recently modified ~/.ssh/id*.pub, here id_rsa.pub)
[root@rocky-11 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase for "/root/.ssh/id_rsa" (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:n7E4ayl7mXVCpXhCNilIuSvmKP+tAPHSZQoEV37DyFs root@rocky-11
The key's randomart image is:
+---[RSA 3072]----+
|o..ooo   .       |
|.. ooo. =   .    |
|o   *.E+ o o     |
| = +.+ .o +      |
|o + ..  S+.      |
| oo .    oo+.    |
| +..    o=+o     |
|o .. .. *o       |
|....o.o=.        |
+----[SHA256]-----+
[root@rocky-11 ~]# ssh-copy-id root@127.0.0.1
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ED25519 key fingerprint is SHA256:gizSAASPVpm1weTc8j0a6kwOl1uzKHZ+2LIlV5M0cGk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@127.0.0.1's password: 

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'root@127.0.0.1'"
and check to make sure that only the key(s) you wanted were added.

[root@rocky-11 ~]# exit
logout


Last login: Sun Feb  8 13:43:12 2026 from 10.0.0.1
[root@rocky-11 ~]# ssh-copy-id root@10.0.0.11
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '10.0.0.11 (10.0.0.11)' can't be established.
ED25519 key fingerprint is SHA256:gizSAASPVpm1weTc8j0a6kwOl1uzKHZ+2LIlV5M0cGk.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:1: 127.0.0.1
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

/usr/bin/ssh-copy-id: WARNING: All keys were skipped because they already exist on the remote system.
                (if you think this is a mistake, you may want to use -f option)

#No trailing colon: this first command copies .ssh into a local directory named test@10.0.0.10 instead of sending it to the remote host
[root@rocky-11 ~]# scp -r .ssh test@10.0.0.10
#Correct form, with the colon; note that id_rsa (the private key) is among the files sent
[root@rocky-11 ~]# scp -r .ssh test@10.0.0.10:
The authenticity of host '10.0.0.10 (10.0.0.10)' can't be established.
ED25519 key fingerprint is SHA256:45tZvWF1PBbCxvJpp3UTVuQjrtdkp0vPLkPVT5/UD0M.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.0.10' (ED25519) to the list of known hosts.
test@10.0.0.10's password: 
id_rsa                                                                 100% 2602     3.7MB/s   00:00    
id_rsa.pub                                                             100%  567     1.1MB/s   00:00    
known_hosts                                                            100% 1741     3.0MB/s   00:00    
authorized_keys                                                        100%  567   733.9KB/s   00:00    
known_hosts.old                                                        100% 1007     2.3MB/s   00:00    
[root@rocky-11 ~]# ssh-copy-id root@10.0.0.12
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '10.0.0.12 (10.0.0.12)' can't be established.
ED25519 key fingerprint is SHA256:GrvPHtMvmx+MANvCJkMXn8DKTfU1UyBe2TkFToU9HPM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

Authorized users only. All activities may be monitored and reported.
root@10.0.0.12's password: 

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'root@10.0.0.12'"
and check to make sure that only the key(s) you wanted were added.
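The procedure in 1.3 ships the whole ~/.ssh directory, private key included, to every host. The safer pattern is one key pair per host, with only public keys travelling, and each authorized_keys entry pinned to the network it may come from. The following shell functions are an added example written for this page, not code from the post: `restricted_authorized_entry` builds such an entry, and `audit_authorized_keys` flags entries that carry no `from=` restriction or install the same key twice. The key blobs in the sample file are constructed placeholders, not real keys; the `from=` network 10.0.0.0/24 is the lab network used above.

```shell
#!/bin/sh
# Added example: build restricted authorized_keys entries and audit an
# existing file for entries that are unrestricted or duplicated.
# Only public keys are handled here; private keys never leave their host.

# restricted_authorized_entry SRC_NET "PUBKEY_LINE"
# Prefixes a public key line (the content of id_ed25519.pub, for instance)
# with options that pin it to a source network and disable agent, port and
# X11 forwarding (restrict), re-enabling only a pty for interactive logins.
restricted_authorized_entry() {
    printf 'from="%s",restrict,pty %s\n' "$1" "$2"
}

# audit_authorized_keys FILE
# Prints one finding per line and exits 1 when there is at least one:
#   UNRESTRICTED line N <comment>         key has no from="..." option
#   DUPLICATE line N same key as line M   same key blob installed twice
#   UNPARSABLE line N                     no recognised key type on the line
# Same field walk sshd does: everything before the key-type token is the
# options string, the token after it is the base64 blob, the rest is comment.
audit_authorized_keys() {
    awk '
    /^[ \t]*(#|$)/ { next }                      # comments and blank lines
    {
        ki = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/) { ki = i; break }
        if (!ki) { print "UNPARSABLE line " NR; bad++; next }
        opts = ""
        for (i = 1; i < ki; i++) opts = opts (i > 1 ? " " : "") $i
        blob = $(ki + 1)
        comment = ""
        for (i = ki + 2; i <= NF; i++) comment = comment (i > ki + 2 ? " " : "") $i
        if (opts !~ /(^|,)from="[^"]+"/) { print "UNRESTRICTED line " NR " " comment; bad++ }
        if (blob in seen) { print "DUPLICATE line " NR " same key as line " seen[blob]; bad++ }
        else seen[blob] = NR
    }
    END { exit (bad ? 1 : 0) }' "$1"
}

# Demo on a constructed authorized_keys file (the blobs are not real keys):
# line 2 is unrestricted, line 4 reinstalls the key from line 2.
demo_authorized_keys() {
    f=$(mktemp)
    {
        printf '%s\n' '# constructed sample, not real keys'
        printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEBLOB0000000000000000000000000000 root@rocky-11'
        restricted_authorized_entry 10.0.0.0/24 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEBLOB1111111111111111111111111111 root@rocky-12'
        restricted_authorized_entry 10.0.0.0/24 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEBLOB0000000000000000000000000000 root@rocky-11'
    } > "$f"
    audit_authorized_keys "$f" || echo "findings above: fix them before relying on this file"
    rm -f "$f"
}
demo_authorized_keys
```

Run the audit against /root/.ssh/authorized_keys on each host after a distribution round; an entry without `from=` is usable from anywhere the private key ends up, which is exactly the failure mode that copying .ssh around creates.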

1.4 SSH configuration file

#SSH server configuration file
root@ubuntu-10:~# vim /etc/ssh/sshd_config

#Ubuntu: allow root to log in over SSH
root@ubuntu-10:~# cat /etc/ssh/sshd_config | grep PermitRoot		#change this option and restart the service
#PermitRootLogin prohibit-password
# the setting of "PermitRootLogin prohibit-password".

#Rocky: allow root to log in over SSH
[root@rocky-11 ~]# cat /etc/ssh/sshd_config.d/01-permitrootlogin.conf | grep PermitRoot		#this file is the one in force; it was written because "allow root SSH login" was ticked in the graphical installer
PermitRootLogin yes
[root@rocky-11 ~]# cat /etc/ssh/sshd_config | grep PermitRoot
#PermitRootLogin prohibit-password
# the setting of "PermitRootLogin prohibit-password".
#Why the drop-in wins: sshd_config begins with "Include /etc/ssh/sshd_config.d/*.conf", and sshd keeps the first value it reads for each keyword, so a drop-in overrides anything set later in the main file. The effective value is what "sshd -T | grep -i permitrootlogin" prints.

#Adding AllowUsers restricts SSH logins to the listed users; everyone else is refused even with a valid key

1.5 Common SSH service management policies

  1. Use a non-default port
  2. Disable protocol version 1 (SSHv1 was removed from OpenSSH in 7.6, so on current systems there is nothing left to configure)
  3. Restrict which users may log in (AllowUsers / AllowGroups)
  4. Set an idle-session timeout (ClientAliveInterval / ClientAliveCountMax)
  5. Use the firewall to control who can reach ssh
  6. Listen only on specific IP addresses (ListenAddress)
  7. When password authentication is used, enforce a strong password policy
  8. Use key-based authentication
  9. Forbid empty passwords (PermitEmptyPasswords no)
  10. Forbid direct root login (PermitRootLogin no)
  11. Limit ssh login attempts and concurrent sessions (MaxAuthTries, MaxStartups, MaxSessions)
  12. Review the logs regularly
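A drop-in that implements most of the list above, together with a small resolver that shows why the Rocky drop-in in 1.4 wins: sshd reads `Include` files at the point where the Include line appears and keeps the first value it sees for each keyword. This is an added example written for this page, not code from the post; the port 2222, the listen address 10.0.0.11 and the user list are placeholders, and the resolver does not implement sshd's relative-path or `Key=value` spellings. On a real host, validate with `sshd -t`, compare with `sshd -T` and keep an existing session open while restarting.

```shell
#!/bin/sh
# Added example: sshd hardening drop-in plus a "first value wins" resolver.

# write_sshd_hardening_dropin PATH LISTEN_ADDR "USER1 USER2"
# Writes a drop-in covering the policy list: non-default port, restricted
# listener and user list, key-only auth, no root or empty-password logins,
# idle timeout, attempt/session/connection limits, verbose logging (which
# records the fingerprint of the key used for each login).
# SSHv1 is gone from OpenSSH since 7.6, so no Protocol line is needed.
write_sshd_hardening_dropin() {
    cat > "$1" <<EOF
# hardening drop-in (example values)
Port 2222
ListenAddress $2
AllowUsers $3
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
MaxSessions 4
MaxStartups 10:30:60
ClientAliveInterval 300
ClientAliveCountMax 2
LogLevel VERBOSE
EOF
}

# effective_setting CONFIG KEYWORD
# Prints the value sshd would use for KEYWORD: walks the file top to bottom,
# descends into Include globs in lexical order at the point they appear, and
# stops at the first match (sshd_config(5): the first obtained value is used).
# Lines after a Match block are conditional and are not consulted.
# Keywords are case-insensitive. Returns 1 when the keyword is not set.
effective_setting() {
    _cfg=$1
    _key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -r "$_cfg" ] || return 1
    while IFS= read -r _line || [ -n "$_line" ]; do
        case "$_line" in ''|\#*) continue ;; esac
        set -f; set -- $_line; set +f        # split words without expanding globs
        _kw=$(printf '%s' "${1:-}" | tr 'A-Z' 'a-z')
        case "$_kw" in
            match) break ;;
            include)
                shift
                for _pat in "$@"; do
                    for _f in $_pat; do      # glob expands sorted: 00-* before 01-*
                        [ -f "$_f" ] || continue
                        if _v=$(effective_setting "$_f" "$_key"); then
                            printf '%s\n' "$_v"; return 0
                        fi
                    done
                done ;;
            "$_key") shift; printf '%s\n' "$*"; return 0 ;;
        esac
    done < "$_cfg"
    return 1
}

# Demo on a throwaway layout mirroring the Rocky host above: the main file
# includes a drop-in directory that already holds 01-permitrootlogin.conf.
demo_sshd_precedence() {
    d=$(mktemp -d); mkdir "$d/sshd_config.d"
    printf 'Include %s/sshd_config.d/*.conf\n#PermitRootLogin prohibit-password\n' "$d" > "$d/sshd_config"
    printf 'PermitRootLogin yes\n' > "$d/sshd_config.d/01-permitrootlogin.conf"
    echo "before: PermitRootLogin=$(effective_setting "$d/sshd_config" PermitRootLogin)"
    write_sshd_hardening_dropin "$d/sshd_config.d/00-hardening.conf" 10.0.0.11 "admin ops"
    echo "after:  PermitRootLogin=$(effective_setting "$d/sshd_config" PermitRootLogin)"
    rm -rf "$d"
}
demo_sshd_precedence
```

The file name matters: 00-hardening.conf sorts before 01-permitrootlogin.conf, so its `PermitRootLogin no` is the first value sshd sees. Named 99-hardening.conf it would lose to the installer's drop-in, which is the kind of surprise `sshd -T` exists to catch.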

1.6 sudo privilege settings

Ways to configure sudo:

  • visudo (preferred: it locks the file and refuses to save a syntax error, which would otherwise break sudo for everyone)
  • vim /etc/sudoers (direct editing, no check; at minimum run visudo -c afterwards)

2 Time synchronisation

2.1 date and timedatectl

  • date: the usual way to look at the time
  • timedatectl: the more capable command; it also shows whether NTP is active and can change the time zone and related settings

2.2 chrony

chrony is a complete NTP implementation (client and server).

root@ubuntu-10:~# apt install chrony -y

#List the NTP sources (^* marks the source currently selected for synchronisation, ^- a reachable source that is not used)
root@ubuntu-10:~# chronyc sources
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^- prod-ntp-5.ntp1.ps5.cano>     2   6    77    18    -15ms[  -15ms] +/-  110ms
^- alphyn.canonical.com          2   6    77    19  +8743us[+8743us] +/-  152ms
^- prod-ntp-4.ntp1.ps5.cano>     2   6    77    22    +22ms[  +24ms] +/-  111ms
^- prod-ntp-3.ntp1.ps5.cano>     2   6    77    20  +7516us[+7516us] +/-  132ms
^- 211.159.153.122               2   6    75    19  +3850us[+3850us] +/-   24ms
^* 103.40.14.12                  2   6    77    20  +1480us[+2723us] +/-   32ms
^- tick.ntp.infomaniak.ch        1   6   105    75  +1505us[+2282us] +/-  140ms
^- tock.ntp.infomaniak.ch        1   6    77    20  +9370us[+9370us] +/-  127ms

#Location of the chrony configuration file
#Rocky
/etc/chrony.conf

#Ubuntu
/etc/chrony/chrony.conf

#Change the NTP source to Alibaba Cloud's ntp1.aliyun.com
root@ubuntu-10:~# vim /etc/chrony/chrony.conf 
.
.
.
# About using servers from the NTP Pool Project in general see (LP: #104525).
# Approved by Ubuntu Technical Board on 2011-02-08.
# See http://www.pool.ntp.org/join.html for more information.
#pool ntp.ubuntu.com        iburst maxsources 4
#pool 0.ubuntu.pool.ntp.org iburst maxsources 1
#pool 1.ubuntu.pool.ntp.org iburst maxsources 1
#pool 2.ubuntu.pool.ntp.org iburst maxsources 2
server ntp1.aliyun.com iburst
.
.
.
#Save the file, restart the service and verify
root@ubuntu-10:~# systemctl restart chrony
root@ubuntu-10:~# chronyc sources
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^* 121.199.69.55                 2   6    17     5   -121us[ -489us] +/-   19ms

#For a self-built time server, do the basic security configuration as well
allow 10.0.0.0/24								#only hosts on 10.0.0.0/24 may query this server; without an allow directive chrony serves nobody, with a bare "allow" it serves everyone
local stratum 10								#keep serving clients from the local clock when the upstream servers are unreachable
#Add these two lines right below the server/pool block of the configuration

#On the server, before any client points at it: the client table is empty
root@ubuntu-10:~# chronyc clients
Hostname                      NTP   Drop Int IntL Last     Cmd   Drop Int  Last
===============================================================================
#After configuring chrony on Rocky to use 10.0.0.10 (below), check again on host 10: the client is now listed
root@ubuntu-10:~# chronyc clients
Hostname                      NTP   Drop Int IntL Last     Cmd   Drop Int  Last
===============================================================================
10.0.0.11                       3      0   1   -     1       0      0   -     -

#Change the chrony configuration on Rocky: the internal server replaces the public pool
[root@rocky-11 ~]# vim /etc/chrony.conf
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (https://www.pool.ntp.org/join.html).
#pool 2.rocky.pool.ntp.org iburst
server 10.0.0.10 iburst
.
.
.
[root@rocky-11 ~]# systemctl restart chronyd

#For a server cluster, change the other servers the same way.
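To render both sides of the setup above and to confirm that a client actually selected the intended server, here is an added example for this page (not the post's own code). `render_chrony_server_conf` and `render_chrony_client_conf` produce the two configurations with the upstream ntp1.aliyun.com, the client subnet 10.0.0.0/24 and the internal server 10.0.0.10 from the text; `check_chrony_conf` refuses a server configuration whose `allow` directive is missing its subnet (chrony would then answer every address) or that lacks `local stratum`; `chrony_selected_source` parses a `chronyc sources` table and returns the `^*` entry, the source chrony is synchronised to. The driftfile paths are the distribution defaults and the sample table in the demo is the post's own output.

```shell
#!/bin/sh
# Added example: chrony server/client configs for the lab above, plus checks.

# render_chrony_server_conf UPSTREAM CLIENT_SUBNET
# Server (ubuntu-10): syncs to UPSTREAM, serves only CLIENT_SUBNET, and keeps
# serving from the local clock at stratum 10 if the upstream goes away.
render_chrony_server_conf() {
    cat <<EOF
server $1 iburst
driftfile /var/lib/chrony/chrony.drift
makestep 1.0 3
rtcsync
allow $2
local stratum 10
EOF
}

# render_chrony_client_conf SERVER
# Client (rocky-11): the internal server only, no pool, no allow (serves nobody).
render_chrony_client_conf() {
    cat <<EOF
server $1 iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
EOF
}

# check_chrony_conf FILE
# Exit 1 with a message when an allow directive has no subnet or is "all"
# (chrony would serve the whole world) or when local stratum is missing.
check_chrony_conf() {
    awk '
    /^[ \t]*#/ { next }
    $1 == "allow" && (NF == 1 || (NF == 2 && $2 == "all") || $NF == "0/0" || $NF == "0.0.0.0/0") {
        print "unrestricted allow at line " NR; bad = 1 }
    $1 == "local" && $2 == "stratum" { haslocal = 1 }
    END {
        if (!haslocal) { print "no local stratum: server stops answering when upstream is lost"; bad = 1 }
        exit bad }' "$1"
}

# chrony_selected_source < "chronyc sources" output
# Prints the Name/IP of the source marked ^* (selected, in sync); exit 1 if none.
chrony_selected_source() {
    awk '$1 == "^*" { print $2; found = 1 } END { exit (found ? 0 : 1) }'
}

# Demo: render the server config, check it, then parse the verification
# table from the page (source lines copied from the chronyc output above).
demo_chrony() {
    f=$(mktemp)
    render_chrony_server_conf ntp1.aliyun.com 10.0.0.0/24 > "$f"
    check_chrony_conf "$f" && echo "server config OK"
    printf '%s\n' 'MS Name/IP address         Stratum Poll Reach LastRx Last sample' \
        '===============================================================================' \
        '^* 121.199.69.55                 2   6    17     5   -121us[ -489us] +/-   19ms' |
        chrony_selected_source
    rm -f "$f"
}
demo_chrony
```

On the Rocky client, `chronyc sources | chrony_selected_source` should print 10.0.0.10 once the restart has taken effect; `^?` instead of `^*` on that line means the server is not answering, which is the symptom of a missing or wrong `allow` on the server side.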

3 Firewall series

3.1 Firewalls and "waterproof walls"

  • Firewall: keeps malicious traffic from outside out of the internal network
  • "Waterproof wall" (data-leak prevention): keeps internal data from leaking out

WAF (web application firewall): ways to get one

  1. Buy an appliance
  2. nginx + lua + programming skill

3.2 Firewall basics

3.2.1 Data transmission

[figure omitted]

3.2.2 iptables basic concepts

iptables is the command for the netfilter framework; we control netfilter through iptables [old]

nft (netfilter table) is the command for the nftables framework; we control nftables through nft [new]

For compatibility both command sets still work today (on current distributions the iptables binary is usually the iptables-nft wrapper, which writes nftables rules underneath); out of habit, iptables is used here.

The efficiency difference between the two frameworks only shows up under high concurrency and heavy traffic.

3.2.3 Tool services and iptables

System   Tool                Distinguishing point
Rocky    firewalld service   rules are applied as soon as the service starts
Ubuntu   ufw service         after the service is enabled, rules still have to be defined and enabled

3.2.4 The iptables and nft commands

3.2.4.1 nft

#List the rules
nft list ruleset

#Flush the rules
nft flush ruleset

3.2.4.2 iptables

#Five tables, five chains
#Five tables
Five purposes
	packet filtering:		filter
	address translation:		nat
	packet modification:		mangle
	connection-tracking exemptions (NOTRACK):	raw
	SELinux/MAC security contexts:	security
Order of traversal where the tables share a chain (first to last): raw --> mangle --> nat (DNAT) --> filter --> security; SNAT lives in nat POSTROUTING and runs after filtering

#Five chains (the netfilter hook points)
	INPUT
	OUTPUT
	FORWARD
	PREROUTING
	POSTROUTING

#List the chains of each table (-v packet/byte counters, -n no name lookups, -L list)
iptables -t filter -vnL
iptables -t nat -vnL
iptables -t mangle -vnL
iptables -t raw -vnL
iptables -t security -vnL

#Show the rules with their position numbers (needed for -I, -D and -R by number)
iptables -vnL --line-numbers

#Anatomy of an iptables rule
iptables		table			chain			match				target
				fixed (5 tables)	fixed (5 chains)		
#One command as an example:
iptables 		-t filter 		-A INPUT 		-s 10.0.0.12 		-j DROP
				in table filter	append to chain INPUT	source IP address	action (targets are case-sensitive: DROP, not drop)

#Save the rules (written to stdout; redirect into a file)
iptables-save > a.rules
#Flush the rules (removes rules only, chain policies stay: with a DROP policy, set it back to ACCEPT first or the flush locks you out)
iptables -F
#Restore the rules
iptables-restore < a.rules

#Chain operations:
-A 	append a rule to the end of the chain
-I	insert a rule (at the top, or at the given position)
-D	delete a rule; the rules below it move up
-F	flush a chain (delete all of its rules)
-R	replace a rule
-Z	zero the packet and byte counters

#Rule order
When a chain has several rules whose match conditions overlap or contain one another, the order matters: the first matching rule with a terminating target decides.
	Precise matches go first.
	Broad ranges go later.
	The catch-all goes last.

#Rule matching
#Generic matches
[!]-s			#source address
[!]-d			#destination address
[!]-p			#protocol
[!]-i			#input interface | only for inbound traffic (INPUT, FORWARD, PREROUTING)
[!]-o			#output interface | only for outbound traffic (OUTPUT, FORWARD, POSTROUTING)

Note:
	! negates the match

#Extended matches (-m module; -p tcp implicitly loads the tcp match that provides --dport/--sport)

#Examples (each rule only rejects what it names; everything else continues down the chain to the next rule or the default policy):
iptables -A INPUT -s 10.0.0.12 -d 10.0.0.110 -p tcp --dport 21:23 -j REJECT
#reject TCP from 10.0.0.12 to 10.0.0.110 on ports 21 to 23

iptables -A INPUT -s 10.0.0.12 -d 10.0.0.110 -p tcp -m multiport --dports 21,23 -j REJECT
#reject TCP from 10.0.0.12 to 10.0.0.110 on ports 21 and 23 (22 is not affected)

iptables -A INPUT -s 10.0.0.12 -d 10.0.0.110 -p tcp -m multiport --dports :23 -j REJECT
#reject TCP from 10.0.0.12 to 10.0.0.110 on ports 0 to 23 (an omitted first port means 0)

iptables -A INPUT -s 10.0.0.12 -d 10.0.0.110 -p tcp -m multiport --dports 23: -j REJECT
#reject TCP from 10.0.0.12 to 10.0.0.110 on ports 23 to 65535

#iprange module: block a contiguous range of source addresses
iptables -A INPUT -m iprange --src-range 10.0.0.13-10.0.0.99 -p tcp --dport 80 -j REJECT

#string module: keyword filtering on the payload
iptables -A OUTPUT -m string --algo kmp --from 62 --string "baidu" -j REJECT
#reject outbound packets that contain "baidu" anywhere from byte offset 62 onward (past the IP and TCP headers); only plaintext is visible, so this catches DNS queries and plain HTTP but nothing inside TLS

#time module: restrict by time of day
iptables -A INPUT -m time --timestart 01:00 --timestop 04:00 -s 10.0.0.13 -j REJECT
#reject 10.0.0.13 between 01:00 and 04:00; the time match uses UTC unless --kerneltz is given

#connlimit module: cap the number of simultaneous connections per source address. It helps against one noisy client (and a DoS from a single address), not against a flood from many addresses.
--connlimit-upto N		#match when the count is N or less
--connlimit-above N		#match when the count is greater than N

iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 2 -j REJECT
#mainly for web services (2 is a demonstration value; a real site needs far more)

#limit module: token-bucket rate limit on how often a rule may match
iptables -t filter -A INPUT -p icmp -m limit --limit 20/minute --limit-burst 10 -j ACCEPT
#ICMP allow rule: a burst of up to 10 packets is accepted at once, then the bucket refills at 20 per minute; packets above the rate do not match and fall through, so a reject rule must follow, otherwise a default ACCEPT policy lets them in
iptables -t filter -A INPUT -p icmp -j REJECT
#ICMP reject rule

#state module (today -m conntrack --ctstate): match on connection-tracking state NEW / ESTABLISHED / RELATED / INVALID, which follows the TCP three-way handshake; it lets a chain accept replies to connections the host opened while rejecting unsolicited inbound packets
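Putting the ordering rules, the stateful match and the rate and connection limits above into one host ruleset: an added example for this page, not from the post, in `iptables-restore` format, with a checker that enforces the two ordering rules that matter most (the ESTABLISHED,RELATED accept comes before any per-service accept, and the last INPUT rule is an unconditional catch-all). `-m conntrack --ctstate` is the current spelling of the state module. The ssh port 2222, the management network 10.0.0.0/24 and the connection limit of 50 are placeholders; the policy of DROP on INPUT makes the catch-all a LOG rule rather than a final REJECT.

```shell
#!/bin/sh
# Added example: a stateful host firewall in iptables-restore format plus an
# ordering check. Nothing here touches the kernel unless apply_host_ruleset
# is called explicitly as root.

# render_host_ruleset SSH_PORT MGMT_NET
# Default policy DROP on INPUT/FORWARD; rules run from the most specific and
# most frequent (loopback, established traffic) down to the catch-all log.
# The ssh limit is a global rate (use -m hashlimit for a per-source one).
render_host_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 20/minute --limit-burst 10 -j ACCEPT
-A INPUT -p tcp --dport $1 -s $2 -m conntrack --ctstate NEW -m limit --limit 6/minute --limit-burst 6 -j ACCEPT
-A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 50 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# check_input_order < RULESET
# Returns 0 when (a) the ESTABLISHED,RELATED accept precedes every per-service
# accept and (b) the last INPUT rule is a catch-all with no address or port
# match. Prints the reason otherwise.
check_input_order() {
    awk '
    /^-A INPUT / {
        n++
        if (!est && /--ctstate ESTABLISHED,RELATED/) est = n
        if (!svc && /--dport/ && /-j ACCEPT/) svc = n
        last = $0
    }
    END {
        if (!est || !svc || est > svc) { print "FAIL: stateful ACCEPT must come before service ACCEPTs"; exit 1 }
        if (last !~ /-j (LOG|DROP|REJECT)/ || last ~ /--dport|--sport|-s |-d /) { print "FAIL: last INPUT rule must be an unconditional catch-all"; exit 1 }
        print "OK"
    }'
}

# apply_host_ruleset SSH_PORT MGMT_NET
# Order check, then a parse-only dry run (--test), then an atomic load.
# Keep a session open, confirm you can still log in, then save with iptables-save.
apply_host_ruleset() {
    render_host_ruleset "$1" "$2" | check_input_order >/dev/null || return 1
    render_host_ruleset "$1" "$2" | iptables-restore --test || return 1
    render_host_ruleset "$1" "$2" | iptables-restore
}

render_host_ruleset 2222 10.0.0.0/24 | check_input_order
```

The connlimit REJECT sits directly above the HTTP ACCEPT on purpose: the narrower rule (above 50 connections from one address) must be evaluated before the broad accept, which is the "precise match first" rule from the ordering notes.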

4 iptables as a network firewall: SNAT in practice

From the point of view of the request packet:

  • if the source IP address is rewritten, it is SNAT
  • if the destination IP address is rewritten, it is DNAT

[figure omitted: lab topology used below, rocky10-11 (10.0.0.11) -- ubuntu24-12 as the firewall (ens33 10.0.0.12, ens37 192.168.8.12) -- openeuler24-13 (192.168.8.13)]

The firewall is set up for the topology in the figure. First the IP addresses and network cards are prepared.

#Prepare OpenEuler; nginx is already installed for the test and is verified locally here
[root@openeuler24-13 ~]# curl localhost
Nginx Web Page from openeuler24-13

#Change OpenEuler's local IP address for easier access
#After switching OpenEuler's network from NAT to host-only mode, configure the VM's network


#Host rocky10-11 has a default route by default, which must be removed
#Show the current routes
root@rocky10-11:~# ip route list
default via 10.0.0.2 dev ens160 proto static metric 100 
10.0.0.0/24 dev ens160 proto kernel scope link src 10.0.0.11 metric 100 
#Delete the default route
root@rocky10-11:~# ip route del default 
#Show the routing table again
root@rocky10-11:~# ip route list
10.0.0.0/24 dev ens160 proto kernel scope link src 10.0.0.11 metric 100 
#Check whether the other network is reachable
root@rocky10-11:~# ping 192.168.8.12
ping: connect: Network is unreachable
root@rocky10-11:~# ip route list
10.0.0.0/24 dev ens160 proto kernel scope link src 10.0.0.11 metric 100 
#Point the default route at the firewall host
root@rocky10-11:~# ip route add default via 10.0.0.12 dev ens160
root@rocky10-11:~# ip route list
default via 10.0.0.12 dev ens160 
10.0.0.0/24 dev ens160 proto kernel scope link src 10.0.0.11 metric 100 

#Network settings on the firewall host
#Show the current routes
test@ubuntu24-12:~$ ip route list
default via 10.0.0.2 dev ens33 proto static 
10.0.0.0/24 dev ens33 proto kernel scope link src 10.0.0.12 
192.168.8.0/24 dev ens37 proto kernel scope link src 192.168.8.12
#Delete the current default route 
test@ubuntu24-12:~$ sudo ip route del default
#Show the routes again
test@ubuntu24-12:~$ sudo ip route list
10.0.0.0/24 dev ens33 proto kernel scope link src 10.0.0.12 
192.168.8.0/24 dev ens37 proto kernel scope link src 192.168.8.12 
#Check whether IP forwarding is enabled on this host
test@ubuntu24-12:~$ sudo -i
root@ubuntu24-12:~# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 0
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
#Enable IP forwarding temporarily (lost at reboot; for a permanent setting put net.ipv4.ip_forward = 1 in a file under /etc/sysctl.d/)
root@ubuntu24-12:~# sysctl -w "net.ipv4.ip_forward = 1"
net.ipv4.ip_forward = 1


#Capture on OpenEuler with tcpdump while Rocky pings it: the echo requests arrive (so forwarding works), but no echo replies leave, because the requests carry source 10.0.0.11 and OpenEuler has no route back to 10.0.0.0/24 through the firewall; the replies are dropped
[root@openeuler24-13 ~]# tcpdump -nn icmp
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:39:34.984796 IP 10.0.0.11 > 192.168.8.13: ICMP echo request, id 10, seq 1, length 64
14:39:36.011673 IP 10.0.0.11 > 192.168.8.13: ICMP echo request, id 10, seq 2, length 64
14:39:37.036167 IP 10.0.0.11 > 192.168.8.13: ICMP echo request, id 10, seq 3, length 64
14:39:38.059470 IP 10.0.0.11 > 192.168.8.13: ICMP echo request, id 10, seq 4, length 64
14:39:39.084143 IP 10.0.0.11 > 192.168.8.13: ICMP echo request, id 10, seq 5, length 64
14:39:40.107718 IP 10.0.0.11 > 192.168.8.13: ICMP echo request, id 10, seq 6, length 64
14:39:41.132024 IP 10.0.0.11 > 192.168.8.13: ICMP echo request, id 10, seq 7, length 64
14:39:42.155783 IP 10.0.0.11 > 192.168.8.13: ICMP echo request, id 10, seq 8, length 64
14:39:43.179539 IP 10.0.0.11 > 192.168.8.13: ICMP echo request, id 10, seq 9, length 64
14:39:44.203652 IP 10.0.0.11 > 192.168.8.13: ICMP echo request, id 10, seq 10, length 64
14:39:45.227689 IP 10.0.0.11 > 192.168.8.13: ICMP echo request, id 10, seq 11, length 64
14:39:46.251672 IP 10.0.0.11 > 192.168.8.13: ICMP echo request, id 10, seq 12, length 64
14:39:47.275532 IP 10.0.0.11 > 192.168.8.13: ICMP echo request, id 10, seq 13, length 64
14:39:48.299612 IP 10.0.0.11 > 192.168.8.13: ICMP echo request, id 10, seq 14, length 64
14:39:49.324002 IP 10.0.0.11 > 192.168.8.13: ICMP echo request, id 10, seq 15, length 64
14:39:50.347772 IP 10.0.0.11 > 192.168.8.13: ICMP echo request, id 10, seq 16, length 64
^C
16 packets captured
16 packets received by filter
0 packets dropped by kernel


#So, to make the path work, the firewall rules are customised with SNAT
#Traffic from the 10 network whose destination is outside the 10 network gets its source rewritten to 192.168.8.12 [this address must really be configured on the firewall's ens37: OpenEuler now replies to 192.168.8.12, the firewall answers the ARP for it, and conntrack maps the reply back to 10.0.0.11]
root@ubuntu24-12:~# iptables -t nat -A POSTROUTING -s 10.0.0.0/24 ! -d 10.0.0.0/24 -j SNAT --to-source 192.168.8.12

#Rocky Linux can now reach OpenEuler (ttl=63: one hop through the firewall)
root@rocky10-11:~# curl 192.168.8.13
Nginx Web Page from openeuler24-13
root@rocky10-11:~# ping 192.168.8.13
PING 192.168.8.13 (192.168.8.13) 56(84) bytes of data.
64 bytes from 192.168.8.13: icmp_seq=1 ttl=63 time=0.846 ms
64 bytes from 192.168.8.13: icmp_seq=2 ttl=63 time=0.845 ms
64 bytes from 192.168.8.13: icmp_seq=3 ttl=63 time=0.504 ms
^C
--- 192.168.8.13 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2034ms
rtt min/avg/max/mdev = 0.504/0.731/0.846/0.160 ms

#The SNAT target can also take an address range; the source is then picked from the range (every address in it must be configured on the firewall)
root@ubuntu24-12:~# iptables -t nat -A POSTROUTING -s 10.0.0.0/24 ! -d 10.0.0.0/24 -j SNAT --to-source 192.168.8.12-192.168.8.15
#The match can be narrowed to packets leaving through ens37 with TCP destination port 80, and --to-source can carry a port: 192.168.8.12:8080 rewrites the source address and sets the source port to 8080. The port part of SNAT only ever changes the source port; sending the traffic to port 8080 on another host is DNAT (-j DNAT --to-destination) in PREROUTING.
root@ubuntu24-12:~# iptables -t nat -A POSTROUTING -s 10.0.0.0/24 ! -d 10.0.0.0/24 -o ens37 -p tcp --dport 80 -j SNAT --to-source 192.168.8.12:8080
#With -A all three rules sit in POSTROUTING in this order, and the first one already matches every packet the later two would, so they never take effect: insert narrower rules with -I or delete the broad one first.


#Tip: deleting the default route earlier cut the firewall host off from the internet, so iptables could not be installed; adding the route back fixed that (and leaves the firewall with its default route via 10.0.0.2 again).
root@ubuntu24-12:~# ip route add default via 10.0.0.2 dev ens33
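With ip_forward set to 1 the gateway above forwards everything, because the FORWARD chain's default policy is ACCEPT; the SNAT rule only fixes return routing. The following is an added example for this page (not the post's own code) that makes the same gateway explicit and restrictive: persistent ip_forward, SNAT to the real ens37 address for the lab's 10.0.0.0/24 network, and a FORWARD chain that admits only new HTTP/HTTPS and ping from the LAN plus established replies. `snat_source_valid` is the check to run before loading the nat rule, since --to-source must be an address configured on the outbound interface; it takes the address list as an argument so it can be tested offline, and `snat_source_on_iface` feeds it from `ip -4 -o addr show` on a real host. The interface names ens33/ens37 and the addresses are the page's lab values.

```shell
#!/bin/sh
# Added example: SNAT gateway ruleset with a restricted FORWARD chain.
# Lab values from the page: LAN 10.0.0.0/24 on ens33, WAN side ens37 192.168.8.12.

# render_forwarding_sysctl
# Persistent IP forwarding: write into /etc/sysctl.d/ and run sysctl --system.
render_forwarding_sysctl() {
    printf 'net.ipv4.ip_forward = 1\n'
}

# render_gateway_ruleset LAN_NET LAN_IF WAN_IF WAN_IP
# nat: rewrite the source of LAN traffic leaving through WAN_IF to WAN_IP.
# filter: FORWARD defaults to DROP; replies are matched by conntrack, new
# flows only from the LAN to the outside on 80/443 and ping; the rest is logged.
render_gateway_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $1 ! -d $1 -o $3 -j SNAT --to-source $4
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $2 -o $3 -s $1 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $2 -o $3 -s $1 -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -m limit --limit 5/minute -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# snat_source_valid SNAT_IP "ADDR/PLEN ADDR/PLEN ..."
# True when SNAT_IP is one of the addresses configured on the outbound
# interface. A --to-source that is not local gets no ARP reply on the WAN
# side, so translated packets leave but the answers never come back.
snat_source_valid() {
    for _a in $2; do
        [ "${_a%%/*}" = "$1" ] && return 0
    done
    return 1
}

# snat_source_on_iface IFACE SNAT_IP   (real host only; needs iproute2)
snat_source_on_iface() {
    snat_source_valid "$2" "$(ip -4 -o addr show dev "$1" | awk '{print $4}')"
}

# apply_gateway_ruleset LAN_NET LAN_IF WAN_IF WAN_IP
# Refuses a non-local SNAT address, dry-runs the parse, then loads atomically.
# With a dynamic WAN address use -j MASQUERADE instead of SNAT --to-source.
apply_gateway_ruleset() {
    snat_source_on_iface "$3" "$4" || { echo "$4 is not configured on $3" >&2; return 1; }
    render_gateway_ruleset "$@" | iptables-restore --test || return 1
    render_gateway_ruleset "$@" | iptables-restore
}

render_gateway_ruleset 10.0.0.0/24 ens33 ens37 192.168.8.12
```

Loading this on the firewall host replaces the POSTROUTING rules typed earlier (iptables-restore swaps the whole table), so the three overlapping SNAT rules collapse into the single one above.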

posted @ 2026-04-03 08:34  小茗同学study  views(3)  comments(0)