(1). 前言

在生产上,一般只有堡垒机和Nginx服务器有外网IP,其余机器,有时需要上网(比如yum安装软件或升级),没有外网IP很不方便,可是,每台机器都有外网IP又很浪费资源.
能否:让内网所有的机器,在进行访问外网时,都转发给有外网IP流量的机器,让它(堡垒机)帮忙实现网络代理呢?

(2). 机器准备

机器名称 内网IP 内网IP 描述
tomcat-1 10.211.55.100 10.37.129.3 能上外网
tomcat-2   10.37.129.4 不能上外网

(3). 检查机器信息

# 1. 检查tomcat-1 IP地址信息(10.211.55.100/10.37.129.3)
#       tomcat-1有两张网卡.
[root@tomcat-1 ~]# ip addr
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:1c:42:26:27:cd brd ff:ff:ff:ff:ff:ff
    inet 10.211.55.100/24 brd 10.211.55.255 scope global noprefixroute eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:1c:42:df:fd:ee brd ff:ff:ff:ff:ff:ff
    inet 10.37.129.3/24 brd 10.37.129.255 scope global noprefixroute dynamic eth1

# 2.检查tomcat-2 IP地址信息
[root@tomcat-2 ~]# ip addr
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:1c:42:37:e8:a6 brd ff:ff:ff:ff:ff:ff
    inet 10.37.129.4/24 brd 10.37.129.255 scope global noprefixroute eth0
	   
# 3. 要先证实:tomcat-1可以与tomcat-2互相访问.
#    tomcat-1可以访问外网
#    tomcat-2不可以访问外网
[root@tomcat-1 ~]# ping www.baidu.com
PING www.a.shifen.com (183.232.231.174) 56(84) bytes of data.
64 bytes from 183.232.231.174 (183.232.231.174): icmp_seq=1 ttl=128 time=51.4 ms

[root@tomcat-2 ~]# ping www.baidu.com
connect: Network is unreachable

(4). tomcat-1配置

#1. 开启防火墙并加入开机自启动
[root@tomcat-1 ~]# systemctl enable firewalld.service
[root@tomcat-1 ~]# systemctl restart firewalld.service

#2. 开启IPv4转发功能(ip_forward)并检查
[root@tomcat-1 ~]# echo "net.ipv4.ip_forward = 1"  >> /etc/sysctl.d/99-sysctl.conf
[root@tomcat-1 ~]# sysctl -p
net.ipv4.ip_forward = 1

# 3. 添加富规则,允许10.37.129.4/24访问ssh服务(注意:/24是整个10.37.129.0网段而不只是10.37.129.4这一台主机;若只想放行单台主机,应写成10.37.129.4/32.另外该规则只影响ssh,与下一步的转发/伪装无关)
[root@tomcat-1 ~]# firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.37.129.4/24 service name=ssh accept' --permanent

# 4. 开启IP伪装(masquerade),为后面的主机提供共享上网(注意:未指定--zone时作用于默认zone,配合ip_forward后,网段内任何把网关指向tomcat-1的主机都可以借此上网,不只是tomcat-2)
[root@tomcat-1 ~]# firewall-cmd --add-masquerade  --permanent

# 5. 重启firewall生效
[root@tomcat-1 ~]# firewall-cmd --reload

(5). tomcat-2配置

# 1. 先测试能否ping通外网
[root@tomcat-2 ~]# ping www.baidu.com
connect: Network is unreachable

# 2. 查看IP信息(10.37.129.4)
[root@tomcat-2 ~]# ip addr
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:1c:42:37:e8:a6 brd ff:ff:ff:ff:ff:ff
    inet 10.37.129.4/24 brd 10.37.129.255 scope global noprefixroute eth0


# 3. 配置网卡对应的网关(10.37.129.3)和DNS
[root@tomcat-2 ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
# Generated by parse-kickstart
DEVICE=eth0
IPV6INIT=yes
BOOTPROTO=static
UUID=4aedf84c-f65f-49f5-bc7f-75cad2fc4d7b
ONBOOT=yes
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME="System eth0"
IPADDR=10.37.129.4
PREFIX=24
# 重点是下面这一行(把默认网关指向能上外网的机器tomcat-1的内网地址10.37.129.3)
GATEWAY=10.37.129.3
DNS1=10.211.55.1
DNS2=10.37.129.1

# 4. 重启网卡
[root@tomcat-2 ~]# ifdown eth0; ifup eth0

# 5. 测试能否ping通外网
[root@tomcat-2 ~]# ping www.baidu.com
PING www.a.shifen.com (183.232.231.172) 56(84) bytes of data.
64 bytes from 183.232.231.172 (183.232.231.172): icmp_seq=1 ttl=127 time=61.6 ms
64 bytes from 183.232.231.172 (183.232.231.172): icmp_seq=2 ttl=127 time=220 ms