Firewalld firewall: port forwarding and load balancing
Environment: CentOS 7
Port forwarding redirects packets that arrive on one port to another port, optionally on another host:
firewall-cmd --permanent --zone=<zone> --add-forward-port=port=<source port>:proto=<protocol>:toport=<destination port>:toaddr=<destination IP address>
Forward requests that reach port 888 on host 192.168.10.10 to port 22:
First add the ssh service to the public zone:
[root@localhost ~]# firewall-cmd --zone=public --add-service=ssh
success
// To remove the ssh service instead: [root@localhost ~]# firewall-cmd --zone=public --remove-service=ssh
success
[root@linuxprobe ~]# firewall-cmd --permanent --zone=public --add-forward-port=port=888:proto=tcp:toport=22:toaddr=192.168.10.10
success
// To remove this forward-port rule instead: [root@linuxprobe ~]# firewall-cmd --permanent --zone=public --remove-forward-port=port=888:proto=tcp:toport=22:toaddr=192.168.10.10
Use the ssh command on a client to connect to port 888 of host 192.168.10.10:
[root@linuxprobe ~]# ssh -p 888 192.168.10.10
The authenticity of host '[192.168.10.10]:888 ([192.168.10.10]:888)' can't be established.
ECDSA key fingerprint is b8:25:88:89:5c:05:b6:dd:ef:76:63:ff:1a:54:02:1a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.10.10]:888' (ECDSA) to the list of known hosts.
root@192.168.10.10's password:
Last login: Sun Jul 19 21:43:48 2015 from 192.168.10.10
Final result:
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports: port=888:proto=tcp:toport=22:toaddr=192.168.1.234
icmp-blocks:
rich rules:
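The steps above mix a runtime change (--add-service without --permanent, lost at the next reload) with a permanent forward-port rule that is not active until firewall-cmd --reload runs, and forwarding to a toaddr on another host only works when masquerading is enabled in the zone. The helper below, added here as an example and not part of the original post, validates the forward-port spec, applies the masquerade and forward rules together, reloads, and verifies with --query-forward-port. The FIREWALL_CMD override (set it to echo for a dry run) and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): add a firewalld forward-port
# rule with the checks a practitioner usually wants.
# Assumption: FIREWALL_CMD may be overridden, e.g. FIREWALL_CMD=echo for a
# dry run that only prints the commands that would be executed.

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# build_forward_spec PORT PROTO TOPORT [TOADDR]
# Validates the arguments and prints the port=...:proto=...:toport=...[:toaddr=...]
# string that --add-forward-port / --query-forward-port expect.
build_forward_spec() {
    port=$1; proto=$2; toport=$3; toaddr=$4
    case "$proto" in
        tcp|udp) ;;
        *) echo "unsupported protocol: $proto" >&2; return 1 ;;
    esac
    for p in "$port" "$toport"; do
        case "$p" in
            ''|*[!0-9]*) echo "port is not numeric: '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
    done
    spec="port=$port:proto=$proto:toport=$toport"
    if [ -n "$toaddr" ]; then
        spec="$spec:toaddr=$toaddr"
    fi
    printf '%s\n' "$spec"
}

# add_forward ZONE PORT PROTO TOPORT [TOADDR]
# Adds the rule permanently, reloads so it becomes active, and verifies it.
add_forward() {
    zone=$1; shift
    spec=$(build_forward_spec "$@") || return 1
    # Forwarding to a different host (toaddr set) requires masquerading,
    # otherwise the translated packets have no valid return path.
    if [ -n "$4" ]; then
        "$FIREWALL_CMD" --permanent --zone="$zone" --add-masquerade
    fi
    "$FIREWALL_CMD" --permanent --zone="$zone" --add-forward-port="$spec"
    # --permanent writes configuration only; --reload activates it
    # (and also drops any runtime-only changes made without --permanent).
    "$FIREWALL_CMD" --reload
    # Exit status is 0 only if the rule is now present in the runtime config.
    "$FIREWALL_CMD" --zone="$zone" --query-forward-port="$spec"
}

# Usage, mirroring the rule from the post:
#   add_forward public 888 tcp 22 192.168.10.10
```

Run the script on the firewalld host itself; with FIREWALL_CMD=echo it only prints the four firewall-cmd invocations, which is a convenient way to review a change before applying it.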
Load balancing: for example, one host acts as the front-end server for a website and splits incoming traffic across three different hosts on the internal network.
DNAT rules live in the nat table, so PREROUTING must be addressed with -t nat, and with a shared nth counter each of the three rules takes a different packet slot (0, 1 and 2) of every three new connections:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.10.10:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.10.11:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.10.12:80
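The nth match comes from the out-of-tree xtables-addons; mainline kernels ship the statistic match instead, whose counter is per rule rather than shared. Because each rule only sees the connections the earlier rules did not claim, an even split over N backends uses --every N on the first rule, --every N-1 on the second, and a plain catch-all for the last. The generator below, added here as an example and not part of the original post, emits that rule set for any number of backends; the IPTABLES override (set it to echo for a dry run), the function name and the backend addresses are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): round-robin DNAT across N
# backends with the mainline "statistic" match instead of "nth".
# Assumption: IPTABLES may be overridden, e.g. IPTABLES=echo to print the
# rules instead of installing them.

IPTABLES="${IPTABLES:-iptables}"

# lb_rules IFACE PORT BACKEND...
# Installs one nat/PREROUTING DNAT rule per backend. Rule i (0-based) of N
# matches the first of every (N - i) new connections that reach it; the
# last rule has no statistic match and takes whatever is left, so each
# backend receives 1/N of new connections.
lb_rules() {
    iface=$1; port=$2; shift 2
    n=$#; i=0
    for backend in "$@"; do
        remaining=$((n - i))
        if [ "$remaining" -gt 1 ]; then
            stat="-m statistic --mode nth --every $remaining --packet 0"
        else
            stat=""
        fi
        # $stat is intentionally unquoted so its words become separate args.
        "$IPTABLES" -t nat -A PREROUTING -i "$iface" -p tcp --dport "$port" \
            -m state --state NEW $stat \
            -j DNAT --to-destination "$backend:$port"
        i=$((i + 1))
    done
}

# Replies from the backends must route back through this host; masquerade
# the forwarded connections on the internal interface so they do.
lb_return_path() {
    inner_iface=$1; port=$2
    "$IPTABLES" -t nat -A POSTROUTING -o "$inner_iface" -p tcp --dport "$port" \
        -j MASQUERADE
}

# Usage with the three constructed backend addresses from the post:
#   lb_rules eth0 80 192.168.10.10 192.168.10.11 192.168.10.12
#   lb_return_path eth1 80
```

Order matters: rules are appended, so call lb_rules once, in the order you want the backends filled; re-running it appends duplicates, which skews the split.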
This article is from the "firisok" blog; please keep this attribution: http://6123268.blog.51cto.com/6113268/1912146