Firewall port forwarding example (using an SSH service jump as the example)

First, the training requirements:
1. Prepare three PCs: an SSH client PC1, a firewall PC2 and an SSH server PC3.
2. Connect the three machines through a switch into one LAN, so that they sit on the same logical IP segment and can reach each other.
3. Configure the firewall on PC2 to achieve SSH port forwarding: the SSH client PC1 connects by SSH to the firewall PC2, but through port forwarding on PC2, PC1 actually logs in to the SSH server PC3.
Second, the project topology:

Training steps:
1. The iptables solution:
(1) PC1 configuration:
[root@sshclient ~]# nmcli con mod eth0 ipv4.method manual ipv4.addresses "192.168.1.1/24"
[root@sshclient ~]# nmcli con down eth0
[root@sshclient ~]# nmcli con up eth0
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/7)

[root@sshclient ~]# ip addr show dev eth0
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:55:ea:1a brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe55:ea1a/64 scope link

(2) PC2 configuration
A. Basic configuration
[root@sshfirewall ~]# nmcli con mod eth0 ipv4.method manual ipv4.addresses "192.168.1.10/24"

[root@sshfirewall ~]# nmcli con down eth0
[root@sshfirewall ~]# nmcli con up eth0
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)

[root@sshfirewall ~]# ip addr show dev eno33554992
2: eno33554992: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:57:8f:25 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.10/24 brd 192.168.1.255 scope global eno33554992
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe57:8f25/64 scope link
       valid_lft forever preferred_lft forever

B. Port forwarding configuration
[root@sshfirewall ~]# systemctl stop firewalld
[root@sshfirewall ~]# systemctl mask firewalld
Created symlink from /etc/systemd/system/firewalld.service to /dev/null.
[root@sshfirewall ~]# systemctl start iptables
[root@sshfirewall ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.

[root@sshfirewall ~]# iptables -t nat -A PREROUTING -d 192.168.1.10 -p tcp --dport 22 -j DNAT --to 192.168.1.254:22
[root@sshfirewall ~]# iptables -A FORWARD -d 192.168.1.254 -p tcp --dport 22 -j ACCEPT
[root@sshfirewall ~]# iptables -t nat -A POSTROUTING -s 192.168.1.1/24 -d 0/0 -j MASQUERADE
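As an added check that is not part of the original tutorial, the Python script below parses an iptables-save style dump modelled on the three PC2 rules above and verifies that the DNAT forward has a matching FORWARD ACCEPT rule. It also reports the side effect of the MASQUERADE rule: because PC1 and PC3 share a subnet, the source rewrite is needed (otherwise PC3 would answer PC1 directly), but it means sshd on PC3 logs the firewall's address 192.168.1.10 rather than PC1's. The dump is constructed, and the parser assumes every rule option takes exactly one value.

```python
import shlex

# Constructed iptables-save dump modelled on the PC2 rules above (not captured from the lab).
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.1.10/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.254:22
-A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -d 192.168.1.254/32 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

def parse_rules(dump):
    """Return (table, chain, {option: value}) for every '-A' line of an iptables-save dump.
    Assumes every option takes one value, which holds for the rules on this page."""
    rules, table = [], None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()           # '*nat' / '*filter'
        elif line.startswith("-A "):
            toks = shlex.split(line)
            opts = {toks[i]: toks[i + 1] for i in range(2, len(toks) - 1)
                    if toks[i].startswith("-") and not toks[i + 1].startswith("-")}
            rules.append((table, toks[1], opts))
    return rules

def audit_forwards(dump):
    """For each DNAT in nat/PREROUTING: is there an explicit filter/FORWARD ACCEPT for the
    translated host:port (chain policy ignored), and does POSTROUTING SNAT hide the client?"""
    rules = parse_rules(dump)
    snat = any(t == "nat" and c == "POSTROUTING" and o.get("-j") in ("SNAT", "MASQUERADE")
               for t, c, o in rules)
    findings = []
    for t, c, o in rules:
        if t != "nat" or c != "PREROUTING" or o.get("-j") != "DNAT":
            continue
        host, _, port = o["--to-destination"].partition(":")
        port = port or o.get("--dport")  # DNAT without a port keeps the original port
        accepted = any(ft == "filter" and fc == "FORWARD" and fo.get("-j") == "ACCEPT"
                       and fo.get("-d", "").split("/")[0] == host and fo.get("--dport") == port
                       for ft, fc, fo in rules)
        findings.append({"forward": f"{o.get('-d')}:{o.get('--dport')} -> {host}:{port}",
                         "forward_accepted": accepted,
                         "client_ip_visible_to_server": not snat})
    return findings
```

Run it against the real output of `iptables-save` on PC2 to confirm the rules survived a reboot of the iptables service.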

(3) PC3 configuration
Assume the SSH service on PC3 is already running (it is enabled by default).
Basic configuration:
[root@sshserver ~]# nmcli con mod eth1 ipv4.method manual ipv4.addresses "192.168.1.254/24"

[root@sshserver ~]# nmcli con down eth1
[root@sshserver ~]# nmcli con up eth1
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)

[root@sshserver ~]# ip addr show dev eno16777736
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:86:f7:a3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eno16777736
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe86:f7a3/64 scope link
       valid_lft forever preferred_lft forever

(4) Testing the result:
[root@sshclient ~]# ssh root@192.168.1.10
The authenticity of host '192.168.1.10 (192.168.1.10)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.10' (ECDSA) to the list of known hosts.
root@192.168.1.10's password:
Last login: Fri Jul 20 19:46:54 2018

[root@sshserver ~]# hostname
sshserver
[root@sshserver ~]# ip addr show dev eno16777736
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:86:f7:a3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eno16777736
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe86:f7a3/64 scope link
       valid_lft forever preferred_lft forever
From the hostname and the IP address shown, you can see that PC1, although it connected to the firewall PC2 (192.168.1.10), has actually logged in by SSH to the SSH server PC3.



Origin blog.51cto.com/14010230/2416905