Because the hosting provider does not give us enough public IPs in the machine room, and also for security reasons, a number of the virtual nodes cannot reach the Internet directly. So on the XenServer physical node I used the NAT function of iptables to build a simple implementation.
[root@xenserver-cukxsegi ~]# sysctl net.ipv4.ip_forward=1   # enable IP forwarding
[root@xenserver-cukxsegi ~]# echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf   # keep it across reboots
[root@xenserver-cukxsegi ~]# iptables -P FORWARD DROP   # set the FORWARD chain policy to DROP. This is what gives per-IP control over the intranet: an IP gets Internet access only when a rule explicitly allows it, and any IP without a rule cannot get out.
[root@xenserver-cukxsegi ~]# iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT   # let packets of already established connections, and related ones (e.g. ICMP errors), pass in either direction
[root@xenserver-cukxsegi ~]# iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -j SNAT --to 60.1.1.1   # SNAT, i.e. source address translation: from now on packets from 10.1.1.0/24 leave with source address 60.1.1.1
# (Deven: because this is the intranet, the NAT host must rewrite the source address to 60.1.1.1 in POSTROUTING, i.e. after routing; otherwise the reply packets cannot come back.)
Note that this SNAT rule matches only 10.1.1.0/24, while the FORWARD rules below admit other subnets. Every subnet that is allowed to forward needs a matching SNAT rule (or one SNAT rule that covers them all); otherwise its packets reach the Internet with a private source address and the replies never return.
[root@xenserver-cukxsegi ~]# iptables -A FORWARD -s 10.10.10.0/24 -j ACCEPT   # allow the whole 10.10.10.0/24 segment out to the Internet
[root@xenserver-cukxsegi ~]# iptables -A FORWARD -s 10.100.100.0/24 -j ACCEPT   # allow the whole 10.100.100.0/24 segment out to the Internet
[root@xenserver-cukxsegi ~]# iptables -A FORWARD -s 10.20.20.20 -d 8.8.8.8 -j ACCEPT   # allow the single host 10.20.20.20 to talk to 8.8.8.8 only
[root@xenserver-cukxsegi ~]# iptables -A FORWARD -s 10.30.30.0/24 -p tcp -m multiport --dports 80,443 -j ACCEPT   # allow the 10.30.30.0/24 segment to reach web sites only (TCP 80 and 443)
[root@dt-vm-node51 /etc/dhcp]# iptables -t nat -A PREROUTING -d 172.100.220.51 -p tcp --dport 5122 -j DNAT --to-destination 10.100.100.51:22992
[root@dt-vm-node51 /etc/dhcp]# iptables -t nat -A POSTROUTING -d 10.100.100.51 -p tcp --dport 22992 -j SNAT --to 10.0.0.1
The two commands above forward connections that arrive at 172.100.220.51 on TCP port 5122 (the port the PREROUTING rule matches) to port 22992 of the intranet host 10.100.100.51. The DNAT rule rewrites the destination before routing; the SNAT rule then rewrites the source of those same packets to the NAT host's own intranet address 10.0.0.1, so that 10.100.100.51 sends its replies back through the NAT host even when the NAT host is not its default gateway. The price is that 10.100.100.51 sees every forwarded connection as coming from 10.0.0.1, so its logs and any source-based access controls no longer see the real client address. If the FORWARD chain policy is DROP, as on the XenServer host above, the forwarded connection also needs an explicit FORWARD ACCEPT rule for 10.100.100.51 port 22992; the ESTABLISHED,RELATED rule only lets the replies through once the connection already exists.
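The rules above are typed by hand, so they are lost at the next reboot, and the SNAT match (10.1.1.0/24) does not cover the subnets that the FORWARD rules admit. The script below is an added example, not code from the original post: it generates the same scheme as one iptables-restore ruleset, so it can be reviewed as a whole and reloaded at boot. The addresses are the ones from the post; the interface names eth0 (public) and xenbr0 (intranet) are assumptions. It SNATs exactly the sources that the filter table lets out, adds the FORWARD ACCEPT that the port forward needs under a DROP policy, and includes a check that no forwarded source is left untranslated.

```shell
#!/bin/sh
# Added example, not code from the original post: build the NAT scheme
# above as one iptables-restore ruleset.  Addresses come from the post;
# the interface names are assumptions.
WAN_IF="eth0"                   # assumed public-facing interface
LAN_IF="xenbr0"                 # assumed intranet bridge
WAN_IP="60.1.1.1"               # public source address used for SNAT (from the post)
NAT_LAN_IP="10.0.0.1"           # NAT host's own intranet address (from the post)

# Who may go out.  Everything listed here is both forwarded and SNATed,
# so no subnet can be forwarded untranslated.
FULL_NETS="10.10.10.0/24 10.100.100.0/24"   # unrestricted Internet access
WEB_NETS="10.30.30.0/24"                     # TCP 80/443 only
PINNED="10.20.20.20:8.8.8.8"                 # src:dst pairs, one peer only

# Port forward from the post: public 5122 -> 10.100.100.51:22992
DNAT_PUBLIC="172.100.220.51"; DNAT_PORT="5122"
DNAT_HOST="10.100.100.51";    DNAT_HOST_PORT="22992"

emit() { printf '%s\n' "$1"; }

# Print the complete ruleset in iptables-restore format.
gen_rules() {
    emit '*filter'
    emit ':INPUT ACCEPT [0:0]'
    emit ':FORWARD DROP [0:0]'          # default deny, as in the post
    emit ':OUTPUT ACCEPT [0:0]'
    emit '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    emit '-A FORWARD -m state --state INVALID -j DROP'
    for net in $FULL_NETS; do
        emit "-A FORWARD -i $LAN_IF -o $WAN_IF -s $net -j ACCEPT"
    done
    for net in $WEB_NETS; do
        emit "-A FORWARD -i $LAN_IF -o $WAN_IF -s $net -p tcp -m multiport --dports 80,443 -j ACCEPT"
    done
    for pair in $PINNED; do
        emit "-A FORWARD -i $LAN_IF -o $WAN_IF -s ${pair%%:*} -d ${pair#*:} -j ACCEPT"
    done
    # Under a DROP policy the DNATed connection needs its own ACCEPT;
    # the ESTABLISHED,RELATED rule only covers it once it exists.
    emit "-A FORWARD -i $WAN_IF -o $LAN_IF -d $DNAT_HOST -p tcp --dport $DNAT_HOST_PORT -m state --state NEW -j ACCEPT"
    emit 'COMMIT'

    emit '*nat'
    emit ':PREROUTING ACCEPT [0:0]'
    emit ':POSTROUTING ACCEPT [0:0]'
    emit ':OUTPUT ACCEPT [0:0]'
    emit "-A PREROUTING -i $WAN_IF -d $DNAT_PUBLIC -p tcp --dport $DNAT_PORT -j DNAT --to-destination $DNAT_HOST:$DNAT_HOST_PORT"
    # As in the post: replies from the target come back via this host even
    # if it is not the target's gateway (the target then sees every client
    # as NAT_LAN_IP).
    emit "-A POSTROUTING -o $LAN_IF -d $DNAT_HOST -p tcp --dport $DNAT_HOST_PORT -j SNAT --to-source $NAT_LAN_IP"
    # SNAT exactly the sources that the filter table lets out.
    for net in $FULL_NETS $WEB_NETS; do
        emit "-A POSTROUTING -o $WAN_IF -s $net -j SNAT --to-source $WAN_IP"
    done
    for pair in $PINNED; do
        emit "-A POSTROUTING -o $WAN_IF -s ${pair%%:*} -j SNAT --to-source $WAN_IP"
    done
    emit 'COMMIT'
}

# Number of -A rules in the generated set; a quick sanity check before loading.
count_rules() { gen_rules | grep -c '^-A'; }

# Sources that are forwarded towards the Internet but have no SNAT rule
# (should print nothing): compares FORWARD -s with POSTROUTING SNAT -s.
untranslated_sources() {
    gen_rules | awk -v wan="$WAN_IF" '
        /^-A FORWARD/ && $0 ~ ("-o " wan) { for (i = 1; i <= NF; i++) if ($i == "-s") fwd[$(i+1)] = 1 }
        /^-A POSTROUTING/ && /-j SNAT/    { for (i = 1; i <= NF; i++) if ($i == "-s") snat[$(i+1)] = 1 }
        END { for (s in fwd) if (!(s in snat)) print s }'
}

# Running the script prints the ruleset; load it with: sh nat-rules.sh | iptables-restore
gen_rules
```

Load the output with iptables-restore and hook the script into whatever the distribution uses to restore rules at boot. Run `untranslated_sources` after editing the lists: any address it prints is one that will be forwarded but will never get replies, which is exactly the mismatch between the SNAT and FORWARD rules in the original commands.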