螺蛳壳里做道场:老破机搭建的私人数据中心---Centos下Docker学习07(基于docker容器的防火墙及NAT企业实战)

时间:2024-10-12 11:48:37

7.1 网络准备

7.2 网络规划

1)虚拟网络编辑器

点击右下方“更改设置”,点击“添加网络”假如vmnet3和vmnet4,然后分别选择vmnet3和vmnet4,设置为“仅主机模式”,按③处处理,去掉“使用DHCP”,子网分别设置为192.168.126.0/24和202.202.202.0/24。

图7- 1

                   虚拟机设置,除了安装时的NAT网络外,还有一个wifi的vmnet0桥接,再添加vmnet3和vmnet4,如图7-2所示,vmnet3和vmnet都选择仅主机模式。

图7- 2

         将宿主物理主机的网络连接里vmnet3和vmnet4分别设置为192.168.126.99/24、202.202.202.99/24。

图7- 3

设置虚拟机新增网卡ens37ens38ip地址:

[root@localhost network-scripts]# ip a

1: ……

4: ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000

    link/ether 00:0c:29:d3:92:d6 brd ff:ff:ff:ff:ff:ff

    inet 192.168.126.33/24 brd 192.168.126.255 scope global noprefixroute ens37

       valid_lft forever preferred_lft forever

    inet6 fe80::7381:cf8f:5191:189b/64 scope link noprefixroute

       valid_lft forever preferred_lft forever

5: ens38: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000

    link/ether 00:0c:29:d3:92:e0 brd ff:ff:ff:ff:ff:ff

    inet 202.202.202.33/24 brd 202.202.202.255 scope global noprefixroute ens38

       valid_lft forever preferred_lft forever

    inet6 fe80::3d32:1ff6:af6a:1a47/64 scope link noprefixroute

       valid_lft forever preferred_lft forever

……

测试一下和宿主机及外网的连通性:

[root@localhost network-scripts]# ping 202.202.202.99 -c 2

PING 202.202.202.99 (202.202.202.99) 56(84) bytes of data.

64 bytes from 202.202.202.99: icmp_seq=1 ttl=128 time=0.502 ms

64 bytes from 202.202.202.99: icmp_seq=2 ttl=128 time=0.532 ms

--- 202.202.202.99 ping statistics ---

2 packets transmitted, 2 received, 0% packet loss, time 1009ms

rtt min/avg/max/mdev = 0.502/0.517/0.532/0.015 ms

[root@localhost network-scripts]# ping 192.168.126.99 -c 2

PING 192.168.126.99 (192.168.126.99) 56(84) bytes of data.

64 bytes from 192.168.126.99: icmp_seq=1 ttl=128 time=0.278 ms

64 bytes from 192.168.126.99: icmp_seq=2 ttl=128 time=0.559 ms

--- 192.168.126.99 ping statistics ---

2 packets transmitted, 2 received, 0% packet loss, time 1008ms

rtt min/avg/max/mdev = 0.278/0.418/0.559/0.141 ms

[root@localhost network-scripts]# ping www.baidu.com -c 2

PING www.a.shifen.com (183.2.172.185) 56(84) bytes of data.

64 bytes from 183.2.172.185 (183.2.172.185): icmp_seq=1 ttl=128 time=31.9 ms

64 bytes from 183.2.172.185 (183.2.172.185): icmp_seq=2 ttl=128 time=31.1 ms

--- www.a.shifen.com ping statistics ---

2 packets transmitted, 2 received, 0% packet loss, time 1008ms

rtt min/avg/max/mdev = 31.183/31.555/31.927/0.372 ms

2)容器网络ip规划

7.1 IP规划

操作系统

IP地址

内网服务器intrasvr

Centos 8

192.168.100.221VMnet3

natsvr

Centos 8

IP1: 192.168.100.220VMnet3

IP2:202.202.202.1VMnet4

intersvr

Centos 8

202.202.202.113VMnet4

wifi               :       ens36       192.168.0.0/24

模拟内网nei:       ens37     192.168.100.0/24

模拟外网wai:      ens38     202.202.202.0/24

图7- 4

3)要求

1. 配置SNAT保证内网用户能够正常访问公网IP

2. 配置DNAT保证外网用户能够正常访问内网的SSH服务器。

3. 配置iptables防火墙

4)步骤:

   注意:请保证物理机连上互联网的情况下,在intrasvrnatsvr两台服务器上安装iptablesiptables-servies两个软件包,以便后续使用。intrasvr网关是natsvrnatsvr可以pingintersvr,但是intrasver无法pingintersvr

i准备工作

规划容器连接网络

192.168.100.0/24模拟内网,202.202.202.0/24模拟外网

7.2 对应的容器网络规划

网络/容器

Ip

连接特性

端口

安装包

neiw

192.168.100.0/24

macvlan/ens37

waiw

2i02.202.202.0/24

macvlan/ens38

intrasvr容器

192.168.100.221/24

Gateway:192.168.100.220

firewalldiptablesiptables-servies

natsvr容器

192.168.100.220/24

202.202.202.1/24

firewalldiptablesiptables-servies

intersvr容器

202.202.202.113/24

①创建与物理网wifi:192.168.0.0/24、neiw:192.168.126.0/24和waiw桥接的docker网络

docker network create -d macvlan --subnet=192.168.0.0/24 --gateway=192.168.0.1 -o parent=ens37 wifi

docker network create -d macvlan --subnet=192.168.126.0/24 --gateway=192.168.126.99 -o parent=ens39 neiw

docker network create -d macvlan --subnet=202.202.202.0/24 --gateway=202.202.202.99 -o parent=ens40 waiw

[root@localhost ~]# docker network create -d macvlan --subnet=192.168.0.0/24 --gateway=192.168.0.1 -o parent=ens36 wifi

ad56b3c0094aa88c08bca676dcd1980b6c92d7a9d4844f5ff44c7820edfd6790

[root@localhost ~]# docker network create -d macvlan --subnet=192.168.126.0/24 --gateway=192.168.126.99 -o parent=ens37 neiw

c26169d5782d3f3d9ea3a2c4ff09480ef3f958f51d13eeab6449d6a110d1f1a2

[root@localhost ~]# docker network create -d macvlan --subnet=202.202.202.0/24 --gateway=202.202.202.99 -o parent=ens38 waiw

9fcfb8b1d1f1ccf2c17c1381530e899297bf16ae36ffaebfe5f5f950574f2c40

[root@localhost ~]# docker network ls

NETWORK ID     NAME      DRIVER    SCOPE

e450e6350455   bridge    bridge    local

8cb34f3d18a1   host      host      local

c26169d5782d   neiw      macvlan   local

78b5e1889b1f   none      null      local

9fcfb8b1d1f1   waiw      macvlan   local

ad56b3c0094a   wifi      macvlan   local

②在/目录下创建/cts8etc/yum.repos.d,并将准备好存放在/wutool的CentOS-Base852111.repo的库文件拷进该文件夹,这是为centos8.5.2111容器准备库文件,然后创建表7.2所规划的三个容器intrasvr、natsvr、intersvr(暂时IP桥接到wifi上,初始化完成后,再按表7.2内容实施)

[root@localhost ~]# cp /wutool/CentOS-Base852111.repo   /cts8etc/CentOS-Base852111.repo

③先准备三个和wifi桥接的三台容器(CentOS:lastest):

docker run -itd -e “container=docker” --privileged=true -v /sys/fs/cgroup:/sys/fs/cgroup -v /wutool:/wutool -v /mnt:/mnt -v /cts8etc/yum.repos.d:/etc/yum.repos.d --net wifi --ip 192.168.0.21 --name intrasvr centos /usr/sbin/init

docker run -itd -e “container=docker” --privileged=true -v /sys/fs/cgroup:/sys/fs/cgroup -v /wutool:/wutool -v /mnt:/mnt -v /cts8etc/yum.repos.d:/etc/yum.repos.d --net wifi --ip 192.168.0.20 --name natsvr centos /usr/sbin/init

docker run -itd -e “container=docker” --privileged=true -v /sys/fs/cgroup:/sys/fs/cgroup -v /wutool:/wutool -v /mnt:/mnt -v /cts8etc/yum.repos.d:/etc/yum.repos.d --net wifi --ip 192.168.0.13 --name intersvr centos /usr/sbin/init

查看容器

图7- 5

④容器初始化

启动三个容器

[root@wuzz ~]# docker start intrasvr intersvr natsvr

intrasvr

intersvr

natsvr

复制3个ssh登录窗口,2、3、4,然后在三个窗口中分别登录容器

图7- 6

docker exec -it intrasvr /bin/bash

查看ip,更新yum源

图7- 7

失败了!看错误好像要到ali网站的docker中心去报到,而我们的容器都是虚拟网模拟的,无法连外网。

图7- 8

宿主机是可以连外网的,网络有个nat网络是连接外网的,我们在centos主机上给三个容器连外网:

[root@wuzz ~]# docker network connect nat intrasvr

图7- 9

更新

[root@8753cfda310e /]# yum clean all

Failed to set locale, defaulting to C.UTF-8

0 files removed

[root@8753cfda310e /]# yum makecache

Failed to set locale, defaulting to C.UTF-8

Docker CE Stable - x86_64                                                                            235 kB/s |  66 kB     00:00

LocalRepo_BaseOS                                                                                      60 MB/s | 2.6 MB     00:00

LocalRepository_AppStream                                                                             68 MB/s | 7.5 MB     00:00

Metadata cache created.

安装必要工具(最好所有的容器上都安)

[root@8753cfda310e /]# yum install -y yum-utils device-mapper-persistent-data lvm2 net-tools NetworkManager firewalld iptables-services openssh-clients passwd openssl openssh-server initscripts dhcp-server dhcp-relay

⑤给容器安装ssh服务

由于docker安装的容器不支持SSH登录,需要做ssh服务器架设:

[root@8753cfda310e /]# yum install passwd openssl openssh-server initscripts -y

编辑/etc/ssh/sshd_config,注意红色部分,没有的就自行添加

……

Port 22

AddressFamily any

ListenAddress 0.0.0.0

#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key

HostKey /etc/ssh/ssh_host_ecdsa_key

HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying

#RekeyLimit default none

# This system is following system-wide crypto policy. The changes to

# crypto properties (Ciphers, MACs, ...) will not have any effect here.

# They will be overridden by command-line options passed to the server

# on command line.

# Please, check manual pages for update-crypto-policies(8) and sshd_config(5).

# Logging

#SyslogFacility AUTH

SyslogFacility AUTHPRIV

#LogLevel INFO

# Authentication:

#LoginGraceTime 2m

PermitRootLogin yes

PermitEmptyPasswords yes

#StrictModes yes

#MaxAuthTries 6

#MaxSessions 10

PubkeyAuthentication yes

#重启ssh

[root@8753cfda310e /]# service sshd restart

Redirecting to /bin/systemctl restart sshd.service

[root@8753cfda310e /]# systemctl start sshd.service

[root@8753cfda310e /]# systemctl enable sshd.service

[root@8753cfda310e /]# passwd root

Changing password for user root.

New password:

BAD PASSWORD: The password is shorter than 8 characters

Retype new password:

passwd: all authentication tokens updated successfully.

将容器中的/etc/ssh/sshd_config拷贝到宿主机的共享卷/wutool上,其他容器再从共享卷拷贝到/etc/ssh/目录,并按以上步骤重启sshd服务。

局域网中随便找个工具登陆容器,这里用MobaXterm登陆容器:

图7- 10

容器间相互登陆:

图7- 11

以表7.2规划的固定ipnatsvr连接neiwwaiwintrasvr连接neiwintersvr连接waiw

natsvr

docker network connect --ip=192.168.100.221 neiw natsvr

docker network connect --ip=202.202.202.1 waiw natsvr

intrasvr

docker network connect --ip=192.168.100.220 neiw intrasvr

intersvr

docker network connect --ip=202.202.202.113 waiw intersvr

给容器intrasvr增加网关192.168.100.221

route add default gw 192.168.100.221

在intrasvr上可以ping natsvr的两个ip但是无法ping通外网intersvr,即

[root@intrasvr~]# ping natsvr ()              //

[root@ intrasvr~]# ping natsvr ()              //

[root@ intrasvr~]# ping intersvr                //不通

[root@intrasvr /]# ping 192.168.100.221 -c 2

PING 192.168.100.221 (192.168.100.221) 56(84) bytes of data.

64 bytes from 192.168.100.221: icmp_seq=1 ttl=64 time=0.383 ms

64 bytes from 192.168.100.221: icmp_seq=2 ttl=64 time=0.120 ms

--- 192.168.100.221 ping statistics ---

2 packets transmitted, 2 received, 0% packet loss, time 1058ms

rtt min/avg/max/mdev = 0.120/0.251/0.383/0.132 ms

[root@intrasvr /]# ping 202.202.202.1 -c 2

PING 202.202.202.1 (202.202.202.1) 56(84) bytes of data.

64 bytes from 202.202.202.1: icmp_seq=1 ttl=64 time=0.072 ms

64 bytes from 202.202.202.1: icmp_seq=2 ttl=64 time=0.119 ms

--- 202.202.202.1 ping statistics ---

2 packets transmitted, 2 received, 0% packet loss, time 1009ms

rtt min/avg/max/mdev = 0.072/0.095/0.119/0.025 ms

[root@intrasvr /]# ping 202.202.202.113 -c 2

PING 202.202.202.113 (202.202.202.113) 56(84) bytes of data.

From 192.168.100.221 icmp_seq=1 Destination Host Prohibited

From 192.168.100.221 icmp_seq=2 Destination Host Prohibited

--- 202.202.202.113 ping statistics ---

2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1005ms

⑦配置SNAT

在intrasvr和natsvr上关闭firewalld,启动iptables

[root@ nat-server ~]# systemctl stop firewalld

[root@ nat-server ~]# systemctl start iptables

在natsvr上配置配置防火墙SNAT

[root@862b11cc5d84 /]# cat /proc/sys/net/ipv4/ip_forward

确认开启路由存储转发,其值为1。如果为0,则执行:

[root@862b11cc5d84 /]# echo 1 > /proc/sys/net/ipv4/ip_forward

清空filter表,查看filter表和nat 表:

[root@862b11cc5d84 /]# iptables -F

[root@862b11cc5d84 /]# iptables -L

[root@862b11cc5d84 /]# iptables -t nat -L

配置SNAT转换

[root@862b11cc5d84 /]#iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -j SNAT --to-source  202.202.202.1

[root@natsvr /]# iptables -t nat -L

Chain PREROUTING (policy ACCEPT)

target     prot opt source               destination

Chain INPUT (policy ACCEPT)

target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)

target     prot opt source               destination

SNAT       all  --  192.168.100.0/24     anywhere             to:202.202.202.1

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

在内网intrasvr上测试SNAT配置是否成功,intrasvrping外部intersvr

[root@intrasvr /]# ping 202.202.202.113 -c 2

PING 202.202.202.113 (202.202.202.113) 56(84) bytes of data.

64 bytes from 202.202.202.113: icmp_seq=2 ttl=63 time=0.537 ms

--- 202.202.202.113 ping statistics ---

2 packets transmitted, 1 received, 50% packet loss, time 1039ms

rtt min/avg/max/mdev = 0.537/0.537/0.537/0.000 ms

测试内网ping公网

[root@8753cfda310e /]# ping www.baidu.com -c 2

PING www.a.shifen.com (183.2.172.42) 56(84) bytes of data.

64 bytes from 183.2.172.42 (183.2.172.42): icmp_seq=2 ttl=127 time=30.3 ms

--- www.a.shifen.com ping statistics ---

2 packets transmitted, 1 received, 50% packet loss, time 1062ms

rtt min/avg/max/mdev = 30.323/30.323/30.323/0.000 ms

转了几次后,时延有点大。

⑧配置DNAT

情景描述:如果外网要登录natsvr的话,自动转换目的地址202.202.202.1192.168.100.221SSH服务上。

开启iptables防火墙,并清空filter表,并查看filter

[root@8753cfda310e /]# systemctl start iptables

[root@8753cfda310e /]# iptables -F

[root@8753cfda310e /]# iptables -L

Chain INPUT (policy ACCEPT)

target     prot opt source               destination

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

filterINPUT链中添加规则

[root@8753cfda310e /]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT

在防火墙nat-server上配置DNAT

iptables -t nat -A PREROUTING -d 202.202.202.1 -p tcp --dport 22 -j DNAT --to-destination 192.168.100.221:22

[root@natsvr /]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT

[root@natsvr /]# iptables -t nat -A PREROUTING -d 202.202.202.1 -p tcp --dport 22 -j DNAT --to-destination 192.168.100.221:22

[root@natsvr /]# iptables -L

Chain INPUT (policy ACCEPT)

target     prot opt source               destination

ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

intersvr上远程登录docker容器查看配置是否生效:

[root@intersvr /]# ssh 202.202.202.1

The authenticity of host '202.202.202.1 (202.202.202.1)' can't be established.

ECDSA key fingerprint is SHA256:YM49UWmdsfNjsYC/jkskneFwWiK5eBodfPvRM2OOT60.

Are you sure you want to continue connecting (yes/no/[fingerprint])? yes

Warning: Permanently added '202.202.202.1' (ECDSA) to the list of known hosts.

root@202.202.202.1's password:

Last login: Tue Oct  8 13:37:24 2024 from 202.202.202.1

至此,完成了防火墙的基本配置和NAT部署。