firewall-cmd设置NAT转换

配置ipv4转发

修改servera配置文件/etc/sysctl.conf ，修改参数为1

net.ipv4.ip_forward = 1

配置生效： sysctl -p

修改网卡的zone

[root@192-168-109-110 ~]# firewall-cmd --permanent --zone=external --change-interface=ens160

The interface is under control of NetworkManager, setting zone to 'external'.

success

设置IP地址伪装（SNAT）

[root@192-168-109-110 ~]# firewall-cmd --zone=external --add-masquerade --permanent

Warning: ALREADY_ENABLED: masquerade

success

添加富规则，将source为192.168.109.0/24网段来的数据包伪装成external(即ens160)地址

[root@192-168-109-110 ~]# firewall-cmd --zone=external --add-rich-rule='rule family=ipv4 source address=192.168.109.0/24 masquerade'

success

重启防火墙使配置生效

[root@192-168-109-110 ~]# firewall-cmd --reload

success

测试效果：

[root@192-168-109-115 ~]# ping www.baidu.com

ping: www.baidu.com: Name or service not known

[root@192-168-109-115 ~]# ping www.baidu.com

PING www.a.shifen.com (182.61.200.6) 56(84) bytes of data.

64 bytes from 182.61.200.6 (182.61.200.6): icmp_seq=1 ttl=52 time=51.6 ms

64 bytes from 182.61.200.6 (182.61.200.6): icmp_seq=2 ttl=52 time=72.8 ms

^C

--- www.a.shifen.com ping statistics ---

2 packets transmitted, 2 received, 0% packet loss, time 3ms

rtt min/avg/max/mdev = 51.627/62.194/72.762/10.570 ms