中小型规模网站集群架构:iptables控制内网上网

： Ago linux运维群：93324526

---

前言：

你想上网，但是又不想别人攻击你，怎么办。那就让iptables拥有转发nat的功能吧。

管理机

modprobe iptable_filtermodprobe iptable_natmodprobe ip_conntrackmodprobe ip_conntrack_ftpmodprobe ip_nat_ftpmodprobe ipt_stateecho 'net.ipv4.ip_forward = 1' >> /etc/sysctl.confsysctl -piptables -t nat -A POSTROUTING -s 172.16.1.0/24 -o eth0 -j SNAT --to-source 10.0.0.61

其他机子

sed -i 's#ONBOOT=yes#ONBOOT=no#g' /etc/sysconfig/network-scripts/ifcfg-eth0echo -e 'DNS1=223.5.5.5\nDNS2=8.8.8.8\nGATEWAY=172.16.1.61' >> /etc/sysconfig/network-scripts/ifcfg-eth1/etc/init.d/network restart

剧本

/etc/ansible/hosts

[in_net]

172.16.1.8

172.16.1.7

172.16.1.41

172.16.1.31

172.16.1.51

---- hosts: 172.16.1.61  tasks:  - name: "out network"    shell: modprobe iptable_nat;modprobe iptable_filter;modprobe ip_conntrack;modprobe ip_conntrack_ftp;modprobe ip_nat_ftp;modprobe ipt_state;echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf;sysctl -p;iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -o eth0 -j SNAT --to-source 10.0.0.61    ignore_errors: True- hosts: in_net  tasks:  - name: "change network"    shell: sed -i 's#ONBOOT=yes#ONBOOT=no#g' /etc/sysconfig/network-scripts/ifcfg-eth0;echo -e 'DNS1=223.5.5.5\nDNS2=8.8.8.8\nGATEWAY=172.16.1.61' >> /etc/sysconfig/network-scripts/ifcfg-eth1  - name: "rpcbind start..."    service:      name: network      state: started