AWS NAT-NetWork-Firwalld配置(一)

# 一、`VPC`及`NAT`网关配置

# 1.1.`VPC`创建

# 关联互联网网关

# 1.2.创建子网

子网名称	子网网段	备注
public-10-subnet	10.0.10.0/24	公共子网10网段
public-20-subnet	10.0.20.0/24	公共子网20网段
private-30-subnet	10.0.30.0/24	私有子网30网段
private-40-subnet	10.0.40.0/24	私有子网40网段
firewalld-50-subnet	10.0.50.0/24	net firewalld 50网段
firewalld-60-subnet	10.0.60.0/24	net firewalld 60网段

# 1.3.创建路由表

路由表名称	管理子网	路由配置	备注
M10-Public-route	public-10-subnet、public-20-subnet	0.0.0.0/0 关联上互联网网关 10.0.0.0/0 关联 local 本地路由	共有子网路由表
M10-private-route	private-30-subnet、private-40-subnet	0.0.0.0/0 关联上 NAT网关 10.0.0.0/0 关联 local 本地路由	私有子网路由表

# M10-Public-route

# M10-private-route

# 1.4.创建`NAT`网关

# 申请弹性`IP`

# 创建`NAT`网关

# 二、创建`EC2`测试`NAT`网关

# 2.1.创建安全组

# M10-public-subnet-sg

# M10-private-sg

# 2.2.创建服务器连接`key`

这里的key创建好了之后,会自动下载一分到本地电脑上.

# 2.3.创建测试`EC2`服务器

这里需要创建两台服务器,一台是放在"公共子网区域,并绑定有弹性IP";一台放在私有子网不提供公网IP

这里是做测试使用,可以选择免费套餐系列服务器及ami资源

# ec2-public-test

# 绑定公网`IP`

给ec2-public-test绑定弹性IP地址

# 本地连接服务器

本地使用客户端进行连接

# 手动创建`ssh`秘钥

这个时候需要手动创建链接秘钥,然后再将镜像做一个AMI镜像快照,一会儿使用镜像快照在私有子网创建一台服务器;来测试公网EC2到私网EC2 的ssh连接以及私网EC2通过NAT网关出外网访问

# 手动创建秘钥命令
## 一路回车即可
ssh-keygen -b 4096 -C ec2-user -f /root/.ssh/ec2-user.pem

# 查看创建好的秘钥
[root@ip-10-0-10-249 ~]# ls -al .ssh/
total 28
drwx------. 2 root root  175 Apr  7 07:06 .
dr-xr-x---. 3 root root  159 Apr  6 17:53 ..
-rw-------. 1 root root 1290 Apr  7 07:03 authorized_keys
-rw-------. 1 root root 3369 Apr  6 17:39 ec2-user.pem
-rw-r--r--. 1 root root  734 Apr  6 17:39 ec2-user.pem.pub
-rw-------. 1 root root  452 Apr  6 17:51 id_ed25519
-rw-r--r--. 1 root root  133 Apr  6 17:51 id_ed25519.pub
-rw-------. 1 root root  889 Apr  7 07:06 known_hosts
-rw-------. 1 root root  717 Apr  7 07:06 known_hosts.old
-rw-r--r--. 1 root root    0 Apr  6 17:29 known_hosts2

# 拷贝文件中的内容ec2-user.pem.pub,放入/home/ec2-user/.ssh/authorized_keys文件中
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDfDrhV4LGsRZiWfGS/3FN6M8a4aiNJ0ELmPs6xlZH/j8q8y/Uy67QDmOj6KkHcVy/Sxvq0O0dC543JfLcDiWZUf5FKRHpV1p0FRjD1B4RwQsnFS+SD+AdtuF2yn/Tw1UelbMAfXXSdA90cY/ZFLk6lD/ud6Q/ewb+3hxqVHvbv4Wbv/QfQFXipdzSz8gT7ymVrCZX91Py8XfabxzWYTww8dIeVb1O+iSnMzv1yAE8lkyQnOUfD3xNPSydnMzw3bnkk3gWEb9tfFgh9HwXwtxKhqHfURowRNTtkVLX66i6CXqr03ERdtxcnxjDr3JMthUidUlNiwf8tcgI9w0tkaHQS2PUG6e6sWRvO+HRDWKYn7q0sugXbbfEBieRM/EDasLoBbx5AoUZo9li5Q19yU6fPImCpeRVpHYlchL4lTG9UzL453cl4xuYddJ2empGA69wYoxPpId91Kq8uvX3hLfq8oNp681F8thig7vLMo5x89lVJmRiNXlF0VgOARFRL477fujtDXLX2fyojj2VZGFLDdTUfOgrvCKFyLCHnFRmJx0WKBveym3IWvXZAH4/GuSk3wdeHVMuQDNMI27sNrSr+YF5R2T8Wb1ITLgdSLUj4Zbk++0GGkLnPAdRm6cwBXPZCd+PxOAQcu78X+je4oqrbg8CvCIy5bhjsCwN1GXvGoQ== ec2-user"  >> /home/ec2-user/.ssh/authorized_keys


# 本地指定秘钥测试ssh链接
ssh -i .ssh/ec2-user.pem  ec2-user@10.0.10.249

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

# 制作`AMI`镜像

# ec2-private-test

私有子网测试EC2实例创建

# 2.4.`NAT`测试

这里要测试两个地方: 一个是通过带公网IP服务器ssh连接到私网服务器上;一个是使用私用服务器测试访问外部网站

# 本地登录公网`IP`服务器

ec2-public-test ---- 54.255.99.99

# 测试私网服务器`ssh`连接

ec2-private-test --- 10.0.30.22

# 指定链接秘钥
ssh -i .ssh/ec2-user.pem  ec2-user@10.0.30.22

1
2

# 测试私网服务器访问外网

服务器名称: ec2-private-test

内网IP： 10.0.30.22

# ping 外网测试
[root@ip-10-0-30-22 ~]# ping google.com
PING google.com (142.251.175.100) 56(84) bytes of data.
64 bytes from sh-in-f100.1e100.net (142.251.175.100): icmp_seq=1 ttl=55 time=2.39 ms
64 bytes from sh-in-f100.1e100.net (142.251.175.100): icmp_seq=2 ttl=55 time=2.10 ms
64 bytes from sh-in-f100.1e100.net (142.251.175.100): icmp_seq=3 ttl=55 time=2.06 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 2.064/2.184/2.391/0.146 ms

# curl 谷歌地址测试
[root@ip-10-0-30-22 ~]# curl -I https://google.com
HTTP/2 301 
location: https://www.google.com/
content-type: text/html; charset=UTF-8
content-security-policy-report-only: object-src 'none';base-uri 'self';script-src 'nonce-SD4CYHqwKGOEhL_3Rb_Xqw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
date: Sun, 07 Apr 2024 08:35:45 GMT
expires: Tue, 07 May 2024 08:35:45 GMT
cache-control: public, max-age=2592000
server: gws
content-length: 220
x-xss-protection: 0
x-frame-options: SAMEORIGIN
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

# Telnet 80端口测试
[root@ip-10-0-30-22 ~]# telnet google.com 80
Trying 142.251.175.138...
Connected to google.com.
Escape character is '^]'.
quit
HTTP/1.0 400 Bad Request
Content-Type: text/html; charset=UTF-8
Referrer-Policy: no-referrer
Content-Length: 1555
Date: Sun, 07 Apr 2024 08:35:54 GMT

<!DOCTYPE html>
<html lang=en>
  <meta charset=utf-8>
  <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
  <title>Error 400 (Bad Request)!!1</title>
  <style>
    *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}
  </style>
  <a href=//www.google.com/><span id=logo aria-label=Google></span></a>
  <p><b>400.</b> <ins>That’s an error.</ins>
  <p>Your client has issued a malformed or illegal request.  <ins>That’s all we know.</ins>
Connection closed by foreign host.

# telnet 443端口测试
[root@ip-10-0-30-22 ~]# telnet google.com 443
Trying 142.251.175.113...
Connected to google.com.
Escape character is '^]'.
quit
FConnection closed by foreign host.
[root@ip-10-0-30-22 ~]#

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59

# 注意内容

这里在本地测试了NAT网关的IP地址,从外部访问NAT网关的IP是否能成功

NAT GW IP: 52.221.177.42

# `telnet`端口测试

这里测试telnet 22端口,发现是通的

客户端连接测试

# `Nginx`服务测试

在私有子网中的EC2服务器上安装nginx服务,并启动服务测试

$ yum install nginx -y

$ system start nginx

$ netstat -nptl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      5511/nginx: master  
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2145/sshd: /usr/sbi 
tcp6       0      0 :::80                   :::*                    LISTEN      5511/nginx: master  
tcp6       0      0 :::22                   :::*                    LISTEN      2145/sshd: /usr/sbi

1
2
3
4
5
6
7
8
9
10
11

这里测试telnet 80端口,发现是通的

当时本地浏览器以及curl是无法正常访问服务的

# 总结

上面的两个测试结得到的结果,和私有服务中设定的安全组;出口规则有关联,但是如果调整收缩规则;又会导致私网服务器无法正常出去外网

目前来看,这种情况没有大碍

← K8S实践 AWS NAT-NetWork-Firwalld配置(二)→

AWS NAT-NetWork-Firwalld配置(一)

# 一、VPC及NAT网关配置

# 1.1.VPC创建

# 关联互联网网关

# 1.2.创建子网

# 1.3.创建路由表

# M10-Public-route

# M10-private-route

# 1.4.创建NAT网关

# 申请弹性IP

# 创建NAT网关

# 二、创建EC2测试NAT网关