firewall-cmd设置NAT转换

配置ipv4转发

修改servera配置文件/etc/sysctl.conf ，修改参数为1

net.ipv4.ip_forward = 1

配置生效： sysctl -p

修改网卡的zone
[root@192-168-109-110 ~]# firewall-cmd --permanent --zone=external --change-interface=ens160
The interface is under control of NetworkManager, setting zone to 'external'.
success

设置IP地址伪装（SNAT）
[root@192-168-109-110 ~]# firewall-cmd --zone=external --add-masquerade --permanent
Warning: ALREADY_ENABLED: masquerade
success

添加富规则，将source为192.168.109.0/24网段来的数据包伪装成external(即ens160)地址
[root@192-168-109-110 ~]# firewall-cmd --zone=external --add-rich-rule='rule family=ipv4 source address=192.168.109.0/24 masquerade'
success

重启防火墙使配置生效
[root@192-168-109-110 ~]# firewall-cmd --reload
success

测试效果：
[root@192-168-109-115 ~]# ping www.baidu.com
ping: www.baidu.com: Name or service not known

[root@192-168-109-115 ~]# ping www.baidu.com
PING www.a.shifen.com (182.61.200.6) 56(84) bytes of data.
64 bytes from 182.61.200.6 (182.61.200.6): icmp_seq=1 ttl=52 time=51.6 ms
64 bytes from 182.61.200.6 (182.61.200.6): icmp_seq=2 ttl=52 time=72.8 ms
^C
--- www.a.shifen.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 3ms
rtt min/avg/max/mdev = 51.627/62.194/72.762/10.570 ms

标签：zone,firewall,cmd,192,--,109,168,NAT,root
来源： https://www.cnblogs.com/baixisuozai/p/15560776.html