Eduardo Lucio提出的问题 -computer

Eduardo Lucio

Asked: 2021-06-29 12:01:04 +0800 CST

网关问题 - “ping”有效，“curl”无效

5

我们有一个[S]SRV_GATEWAY服务器，带有两个 NIC（[I]WAN/INT_LAN和[I]PRIV_LAN），配置为专用网络（[N]PRIV_LAN）的 GATEWAY、DNS 和 DHCP。

服务器[S]SRV_GATEWAY访问互联网（它使用自己作为 DNS），所有其他服务器（[S]PRIV_SRV_X ）使用服务器[S]SRV_GATEWAY提供的 DHCP、DNS 和 GATEWAY 。

网络布局...

                     [N]WAN/INT_LAN (10.2.0.0/24)
                      ↕
                     [I]WAN/INT_LAN
                  [S]SRV_GATEWAY
                     [I]PRIV_LAN
                      ↕
                     [N]PRIV_LAN (10.3.0.0/24)
                      ↕
       ...............................
       ↕              ↕              ↕
      [S]PRIV_SRV_0  [S]PRIV_SRV_1  [S]PRIV_SRV_0
                     [S]PRIV_SRV_2  [S]PRIV_SRV_0
                     [S]PRIV_SRV_3
    
     _ [N] - Network;
     _ [I] - Network Interface;
     _ [S] - Server.
    
     _ [N]WAN/INT_LAN - Has internet access;
     _ [N]PRIV_LAN - Private network.

问题：为什么我们可以ping在 Internet 上成功运行服务器，但无法使用curl服务器[S]PRIV_SRV_0访问相同的服务器（请参阅下面的输出）？

    [root@okd4-bootstrap core]# ping -c 2 www.google.com
    PING www.google.com (172.217.18.196) 56(84) bytes of data.
    64 bytes from ham02s14-in-f196.1e100.net (172.217.18.196): icmp_seq=1 ttl=113 time=10.5 ms
    64 bytes from par10s38-in-f4.1e100.net (172.217.18.196): icmp_seq=2 ttl=113 time=10.6 ms
    
    --- www.google.com ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1001ms
    rtt min/avg/max/mdev = 10.500/10.548/10.597/0.048 ms

    [root@okd4-bootstrap core]# curl http://www.google.com
    curl: (7) Failed to connect to www.google.com port 80: No route to host

额外的：

SRV_GATEWAY如何设置为 GATEWAY：

服务器SRV_GATEWAY已通过命令配置为 GATEWAY...

启用IP 转发...

tee "/etc/sysctl.d/ip_forward.conf" << EOF
net.ipv4.ip_forward=1
EOF
sysctl -w net.ipv4.ip_forward=1

在 NIC ens3 ( [I]WAN/INT_LAN ) 上设置一个出站 NAT 网关，目标是在 CIDR 10.3.0.0/24 中配置的屏蔽设备...

firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o ens3 -j MASQUERADE -s 10.3.0.0/24
firewall-cmd --reload

从服务器[S]PRIV_SRV_0获得的一些信息：

[root@okd4-bootstrap core]# cat /etc/resolv.conf | grep -i '^nameserver' | head -n1 | cut -d ' ' -f2
10.3.0.14

[root@okd4-bootstrap core]# ip r
default via 10.3.0.14 dev ens3 proto dhcp metric 100 
10.3.0.0/24 dev ens3 proto kernel scope link src 10.3.0.4 metric 100 

[root@okd4-bootstrap core]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.3.0.14       0.0.0.0         UG    100    0        0 ens3
10.3.0.0        0.0.0.0         255.255.255.0   U     100    0        0 ens3

[root@okd4-bootstrap core]# netstat -r -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.3.0.14       0.0.0.0         UG        0 0          0 ens3
10.3.0.0        0.0.0.0         255.255.255.0   U         0 0          0 ens3

[root@okd4-bootstrap core]# ping -c 2 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=113 time=10.8 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=113 time=11.0 ms

--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 10.769/10.891/11.013/0.122 ms

[root@okd4-bootstrap core]# cat /etc/resolv.conf
# This is /run/systemd/resolve/resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients directly to
# all known uplink DNS servers. This file lists all configured search domains.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 10.3.0.14
search okd.local

[root@okd4-bootstrap core]# tracepath 8.8.8.8
 1?: [LOCALHOST]                      pmtu 1500
 1:  api-int.mbr.okd.local                                 0.526ms 
 1:  api-int.mbr.okd.local                                 0.855ms 
 2:  okd4-services.okd.local                               1.842ms !H
     Resume: pmtu 1500 

[root@okd4-bootstrap core]# tracepath www.google.com
 1?: [LOCALHOST]                      pmtu 1500
 1:  api.mbr.okd.local                                     0.481ms 
 1:  api-int.mbr.okd.local                                 0.562ms 
 2:  api.mbr.okd.local                                     0.553ms !H
     Resume: pmtu 1500 

[root@okd4-bootstrap core]# ip route show
default via 10.3.0.14 dev ens3 proto dhcp metric 100 
10.3.0.0/24 dev ens3 proto kernel scope link src 10.3.0.4 metric 100 

[root@okd4-bootstrap core]# nslookup www.google.com
Server:         10.3.0.14
Address:        10.3.0.14#53

Non-authoritative answer:
Name:   www.google.com
Address: 172.217.18.196
Name:   www.google.com
Address: 2a00:1450:4007:805::2004

[root@okd4-bootstrap core]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

谢谢！=D

Eduardo Lucio

Asked: 2021-06-22 10:37:25 +0800 CST

如何从网络上的服务配置我的服务器的主机名？我应该使用什么？DHCP？一个DNS？两个都？

5

我正在尝试建立一种以集中方式配置服务器主机名的方法，即从网络上的某些服务进行配置。

我知道有三个名称可以标识服务器...

瞬态：从网络配置中接收；
静态：由内核提供；
漂亮：由用户提供。

所以我希望我的CentOS 7/8服务器使用临时主机名作为其名称。实际上，当登录终端时，它会向我显示从网络获得的名称......

[user_name@my-net-hostname ~]$

...并且机器至少可以通过名称识别自己...

[user_name@my-net-hostname ~]$ ping -c 4 my-net-hostname
PING my-net-hostname.my.domain (10.3.0.4) 56(84) bytes of data.
64 bytes from my-net-hostname.my.domain (10.3.0.4): icmp_seq=1 ttl=64 time=0.193 ms
64 bytes from my-net-hostname.my.domain (10.3.0.4): icmp_seq=2 ttl=64 time=0.086 ms
64 bytes from my-net-hostname.my.domain (10.3.0.4): icmp_seq=3 ttl=64 time=0.077 ms
64 bytes from my-net-hostname.my.domain (10.3.0.4): icmp_seq=4 ttl=64 time=0.098 ms

--- my-net-hostname.my.domain ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 0.077/0.113/0.193/0.046 ms

注意：在上述情况下，此主机名是在 DHCP 中定义的，并且还有一个知道名称“my-net-hostname”的 DNS。

注意：在我看来，正确的方法是使用 DHCP 和 DNS，也就是说，一个定义服务器名称（主机名），另一个定义在哪里可以找到该服务器，但我很难确认这一点信息。

问题：如何从网络上的服务配置我的服务器的主机名？我应该使用什么？DHCP？一个DNS？两个都？

谢谢！=D

[参考文献：https://askubuntu.com/questions/104918/how-to-get-the-hostname-from-a-dhcp-server，https://codingbee.net/rhcsa/rhcsa-configuring -hostnames-and-dns , https://www.redhat.com/sysadmin/set-hostname-linux ]

Eduardo Lucio

Asked: 2021-06-12 13:48:48 +0800 CST

KVM 虚拟机网络 - Guest-guest/VM-VM only 网络（无主机/管理程序访问，无出站连接）

6

我知道使用virsh命令可以创建多种类型的网络（例如“NAT 网络”），正如我们在这些 URL 中看到的那样……

KVM 网络管理
 KVM 默认基于 NAT 的网络（第 33 页）

问题：如何创建一个只有来宾/VM 有连接、没有出站连接和没有主机/管理程序连接的网络 ( lan_n )？

注意：与其他资源的连接将由pfSense防火墙服务器提供，该服务器将有权访问具有出站连接和其他资源的另一个网络 ( wan_n )。

Network layout...

                [N]wan_n
                 ↕
                [I]wan_n
            [V]pfsense_vm
                [I]lan_n
                 ↕
                [N]lan_n
                 ↕
   .............................
   ↕             ↕             ↕
  [V]some_vm_0  [V]some_vm_1  [V]some_vm_4
                [V]some_vm_2  [V]some_vm_5
                [V]some_vm_3

 _ [N] - Network;
 _ [I] - Network Interface;
 _ [V] - Virtual Machine.

注意：主机/管理程序操作系统是CentOS 7。

谢谢！=D

Eduardo Lucio

Asked: 2021-02-12 07:50:26 +0800 CST

tesseract - 构建和安装 (`configure`, `make`, `make install`...) tesseract 版本 3 (tesseract-ocr-3.XX.XX)

5

问题：

我正在尝试在 Ubuntu Server 20.04 LTS 上构建和安装 ( configure, make, make install...) tesseract版本 3 ( tesseract-ocr-3.02.02) 并且发生以下错误...

构建和安装命令...

tar -zxvf tesseract-ocr-3.02.02.tar.gz
cd ./tesseract-ocr-3.02.02
./autogen.sh
./configure
make -j 4 && make install
ldconfig

错误输出...

[...]
-I../viewer -I/usr/local/include/leptonica -g -O2 -MT con_comp.lo -MD -MP -MF .deps/con_comp.Tpo -c con_comp.cpp  -fPIC -DPIC -o .libs/con_comp.o
libtool: compile:  g++ -DHAVE_CONFIG_H -I. -I.. -O3 -DNDEBUG -DUSE_STD_NAMESPACE -I../cutil -I../ccutil -I../ccstruct -I../dict -I../ccmain -I../classify -I../textord -I../wordrec -I../neural_networks/runtime -I../image -I../viewer -I/usr/local/include/leptonica -g -O2 -MT con_comp.lo -MD -MP -MF .deps/con_comp.Tpo -c con_comp.cpp -o con_comp.o >/dev/null 2>&1
libtool: compile:  g++ -DHAVE_CONFIG_H -I. -I.. -O3 -DNDEBUG -DUSE_STD_NAMESPACE -I../cutil -I../ccutil -I../ccstruct -I../dict -I../ccmain -I../classify -I../textord -I../wordrec -I../neural_networks/runtime -I../image -I../viewer -I/usr/local/include/leptonica -g -O2 -MT classifier_factory.lo -MD -MP -MF .deps/classifier_factory.Tpo -c classifier_factory.cpp -o classifier_factory.o >/dev/null 2>&1
mv -f .deps/char_samp.Tpo .deps/char_samp.Plo
mv -f .deps/con_comp.Tpo .deps/con_comp.Plo
mv -f .deps/classifier_factory.Tpo .deps/classifier_factory.Plo
make[2]: Leaving directory '/usr/local/lib/tesseract-ocr/cube'
make[1]: *** [Makefile:481: all-recursive] Error 1
make[1]: Leaving directory '/usr/local/lib/tesseract-ocr'
make: *** [Makefile:390: all] Error 2

问题：

我该怎么做才能获得有关此错误的更多信息？

重要的：

用于构建和安装 tesseract ( configure, make, make install...) 的方法是一个标准且众所周知的过程......因此，基于此，我认为有已知的方法可以获取更多信息，以便我们可以诊断正在发生的事情。互联网上几乎没有关于这个特定错误的信息，所以我真的需要帮助。

谢谢！=D

Eduardo Lucio

Asked: 2021-01-16 14:20:01 +0800 CST

python3.2 - 错误：root：未找到哈希 md5 的代码

6

我们有一个遗留应用程序，它需要 Python 3.2 版才能工作。为此，我们编译并安装Python 3.2 版。

我们能够在Ubuntu 20.04.1 LTS上成功编译和安装 3.2 版 Python ，但是我们开始遇到使用Python“hashlib”库的问题，如下面的摘录所示......

root@sinj:/usr/local/src/lbginst# /usr/local/lb/py32/bin/python3.2 -c "import hashlib;m=hashlib.md5();print(m.hexdigest())"
ERROR:root:code for hash md5 was not found.
Traceback (most recent call last):
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 141, in <module>
    globals()[__func_name] = __get_hash(__func_name)
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 91, in __get_builtin_constructor
    raise ValueError('unsupported hash type %s' % name)
ValueError: unsupported hash type md5
ERROR:root:code for hash sha1 was not found.
Traceback (most recent call last):
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 141, in <module>
    globals()[__func_name] = __get_hash(__func_name)
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 91, in __get_builtin_constructor
    raise ValueError('unsupported hash type %s' % name)
ValueError: unsupported hash type sha1
ERROR:root:code for hash sha224 was not found.
Traceback (most recent call last):
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 141, in <module>
    globals()[__func_name] = __get_hash(__func_name)
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 91, in __get_builtin_constructor
    raise ValueError('unsupported hash type %s' % name)
ValueError: unsupported hash type sha224
ERROR:root:code for hash sha256 was not found.
Traceback (most recent call last):
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 141, in <module>
    globals()[__func_name] = __get_hash(__func_name)
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 91, in __get_builtin_constructor
    raise ValueError('unsupported hash type %s' % name)
ValueError: unsupported hash type sha256
ERROR:root:code for hash sha384 was not found.
Traceback (most recent call last):
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 141, in <module>
    globals()[__func_name] = __get_hash(__func_name)
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 91, in __get_builtin_constructor
    raise ValueError('unsupported hash type %s' % name)
ValueError: unsupported hash type sha384
ERROR:root:code for hash sha512 was not found.
Traceback (most recent call last):
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 141, in <module>
    globals()[__func_name] = __get_hash(__func_name)
  File "/usr/local/lb/py32/lib/python3.2/hashlib.py", line 91, in __get_builtin_constructor
    raise ValueError('unsupported hash type %s' % name)
ValueError: unsupported hash type sha512
Traceback (most recent call last):
  File "<string>", line 1, in <module>
AttributeError: 'module' object has no attribute 'md5'

问题：我们如何解决提出的问题？

注意 I：在互联网上查阅了数十个资源后，我们开始怀疑与libssl.so libcrypto.so二进制文件有关的某些内容。
注二：我们如何诊断正在发生的事情的信息也非常受欢迎！

谢谢！=D

更新：另一个症状是在构建过程中出现此消息（make，make install）......

Failed to build these modules:
_hashlib           _ssl

Eduardo Lucio

Asked: 2019-12-11 13:27:39 +0800 CST

Manjaro (KDE) 作为 rdp 服务器运行

6

简单的问题，但很难解决......到目前为止...... =|

如何使Manjaro (KDE)作为 rdp服务器工作？

注意： 我- 我们非常喜欢 rdp 协议，并且过去曾将它与其他 Linux 发行版 (Ubuntu) 一起用作服务器，但我们很难让 rdp 在 Manjaro (KDE) 作为服务器上工作； II - 我们知道远程访问还有许多其他选项，但我们的使用现实要求我们使用 RDP，所以请我们要求所有答案都专门针对 rdp 解决方案。

谢谢！=D

关于该主题的有趣链接：

https://forum.manjaro.org/t/xrdp-cant-get-plasma-to-start-after-initial-logging-into-xrdp-xorg-session/110678

https://forum.manjaro.org/t/not-able-to-rdp-from-windows-to-manjaro-vm-via-xrdp-xorg/94357/2

https://wiki.archlinux.org/index.php/xrdp

更新：

我们一直在努力让 rdp (xrdp) 与 Manjaro KDE (KDE5) 一起工作，但我们遇到了很多困难...... =|

我们在互联网上使用了大量的文档和信息，尤其是在这些链接中......

https://raw.githubusercontent.com/Microsoft/linux-vm-tools/master/arch/install-config.sh

https://www.hiroom2.com/2019/06/15/ubuntu-1904-xrdp-kde-en/

显然可以使 xrdp 与 KDE 5 一起使用，但我们无法使其与 Manjaro KDE 一起使用...

现在的情况：

. 登录 xrdp-sesman

less +F /var/log/xrdp-sesman.log

[20191211-14:03:27] [DEBUG] Closed socket 8 (AF_INET 127.0.0.1:3350)
[20191211-14:03:27] [INFO ] Xorg :10 -auth .Xauthority -config xrdp/xorg.conf -noreset -nolisten tcp -logfile .xorgxrdp.%s.log  
[20191211-14:03:37] [ERROR] X server for display 10 startup timeout
[20191211-14:03:37] [CORE ] waiting for window manager (pid 5102) to exit
[20191211-14:03:37] [ERROR] X server for display 10 startup timeout
[20191211-14:03:37] [ERROR] another Xserver might already be active on display 10 - see log
[20191211-14:03:37] [DEBUG] aborting connection...
[20191211-14:03:37] [CORE ] window manager (pid 5102) did exit, cleaning up session
[20191211-14:03:37] [INFO ] calling auth_stop_session and auth_end from pid 5101
[20191211-14:03:37] [DEBUG] cleanup_sockets:
[20191211-14:03:37] [DEBUG] cleanup_sockets: deleting /tmp/.xrdp/xrdp_chansrv_socket_10
[20191211-14:03:37] [DEBUG] cleanup_sockets: deleting /tmp/.xrdp/xrdpapi_10
[20191211-14:03:37] [DEBUG] cleanup_sockets: failed to delete /tmp/.xrdp/xrdpapi_10
[20191211-14:03:37] [INFO ] ++ terminated session:  username eduardolac, display :10.0, session_pid 5101, ip 192.168.12.1:33886 - socket: 1

. 记录 xrdp

less +F /var/log/xrdp.log

[20191211-14:05:19] [DEBUG] Closed socket 12 (AF_INET 192.168.12.253:3389)
[20191211-14:05:19] [DEBUG] xrdp_mm_module_cleanup
[20191211-14:05:19] [INFO ] Socket 12: AF_INET connection received from 192.168.12.1 port 34186
[20191211-14:05:19] [DEBUG] Closed socket 12 (AF_INET 192.168.12.253:3389)
[20191211-14:05:19] [DEBUG] Closed socket 11 (AF_INET 0.0.0.0:3389)
[20191211-14:05:19] [INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
[20191211-14:05:19] [INFO ] Using default X.509 key file: /etc/xrdp/key.pem
[20191211-14:05:19] [DEBUG] TLSv1.3 enabled
[20191211-14:05:19] [DEBUG] TLSv1.2 enabled
[20191211-14:05:19] [DEBUG] Security layer: requested 3, selected 0
[20191211-14:05:19] [INFO ] connected client computer name: eduardo-nb
[20191211-14:05:19] [INFO ] adding channel item name cliprdr chan_id 1004 flags 0xc0a00000
[20191211-14:05:19] [INFO ] adding channel item name drdynvc chan_id 1005 flags 0xc0800000
[20191211-14:05:19] [INFO ] Non-TLS connection established from 192.168.12.1 port 34186: encrypted with standard RDP security
[20191211-14:05:19] [DEBUG] xrdp_00001455_wm_login_mode_event_00000001
[20191211-14:05:19] [INFO ] Cannot find keymap file /etc/xrdp/km-00000416.ini
[20191211-14:05:19] [INFO ] Cannot find keymap file /etc/xrdp/km-00000416.ini
[20191211-14:05:19] [INFO ] Loading keymap file /etc/xrdp/km-00000409.ini
[20191211-14:05:19] [WARN ] local keymap file for 0x00000416 found and doesn't match built in keymap, using local keymap file
[20191211-14:05:20] [DEBUG] Closed socket 23 (AF_UNIX)

. 雷米娜行为

它在两个屏幕之间振荡，因为这个图像......

Eduardo Lucio

Asked: 2019-09-21 08:58:00 +0800 CST

Samba 客户端和 Windows 10 主页 - “NT_STATUS_LOGON_FAILURE”/“访问被拒绝”

3

我正在尝试使用 Samba 客户端从Windows 10 Home访问文件共享。但是会发生以下错误...

1# - smbclient

[root@eduardo-nb eduardo]# smbclient -L 192.168.0.5 -W WORKGROUP -U eduardo
Enter WORKGROUP\eduardo's password: 
session setup failed: NT_STATUS_LOGON_FAILURE

2# - 海豚

注意：获得共享访问权限的唯一方法是按照此处描述的过程...

文件共享不起作用

...包括允许访问“所有人”和“关闭密码保护共享”。

问题：我想与我现有的 Windows 10 家庭用户（具有管理特权）访问此共享...那么可能发生什么？

谢谢！=D

[参考：https : //askubuntu.com/q/47291/134723，https : //askubuntu.com/q/109507/134723，https: //answers.microsoft.com/en-us/windows/forum/全部 /文件共享-不工作/e6df6ac5-bb5a-41b3-8253-bd59b49d94bd，https://answers.microsoft.com/en-us/windows/forum/windows_10-networking/samba-client-and-windows- 10-home/a7502032-240a-4fc8-a756-132d46831adf?tm=1568998329476]

更新我：我的/etc/samba/smb.conf...

@harrymc

[global]
   workgroup = WORKGROUP
   server string = Samba Server
   allow insecure wide links = yes
   printcap name = /etc/printcap
   load printers = yes
   log file = /var/log/samba/%m.log
   max log size = 50
   security = user
   dns proxy = no

[homes]
   comment = Home Directories
   browseable = no
   writable = yes

[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
   guest ok = no
   writable = no
   printable = yes

[eduardo]
   follow symlinks = yes
   wide links = yes
   comment = Manjaro Linux Samba share
   path = /home/eduardo
   available = yes
   valid users = eduardo
   read only = no
   browseable = yes
   public = no
   writeable = yes

Eduardo Lucio

Asked: 2019-08-23 12:17:27 +0800 CST

firewall-cmd - 添加转发端口不起作用

12

我有一个带有多个虚拟机（来宾）的 KVM 服务器（主机）。

我的目标是我的主机将端口 222 转发到运行 ssh 服务的来宾的端口 22。

这有效...

iptables -I OUTPUT -d 0.0.0.0/0 -j ACCEPT
iptables -I FORWARD -d 0.0.0.0/0 -j ACCEPT
iptables -I INPUT -d 0.0.0.0/0 -j ACCEPT
iptables -t nat -I PREROUTING -d 0.0.0.0/0 -p tcp --dport 222 -j DNAT --to-destination 10.1.0.9:22

这行不通...

firewall-cmd --permanent --zone=public --direct --add-rule ipv4 filter OUTPUT 0 -d 0.0.0.0/0 -j ACCEPT
firewall-cmd --permanent --zone=public --direct --add-rule ipv4 filter FORWARD 0 -d 0.0.0.0/0 -j ACCEPT
firewall-cmd --permanent --zone=public --direct --add-rule ipv4 filter INPUT 0 -d 0.0.0.0/0 -j ACCEPT
firewall-cmd --permanent --zone=public --direct --add-rule ipv4 nat PREROUTING 0 -d 0.0.0.0/0 -p tcp --dport 222 -j DNAT --to-destination 10.1.0.9:22
firewall-cmd --reload

这也行不通...

firewall-cmd --permanent --zone=public --add-forward-port=port=222:proto=tcp:toport=22:toaddr=10.1.0.9
firewall-cmd --reload

问题：为什么设置的规则firewall-cmd不起作用？

注一：这firewall-cmd是CentOS 7默认的防火墙服务。这在我看来是一个无解的问题！我搜索了很多很多论坛，但没有任何效果！我开始相信这是一个限制或错误firewall-cmd......

注二：我知道它ssh本身提供了使这成为可能的方法，但我真的希望这个过程对用户直接访问来宾是“透明的”。

[参考： https : //serverfault.com/q/915257/276753，https : //serverfault.com/q/980223/276753，https : //sebastianblade.com/how-to-modify-ssh-port- in-centos7/， https://www.rootusers.com/how-to-use-firewalld-rich-rules-and-zones-for-filtering-and-nat/， https://www.centos.org/论坛/viewtopic.php?f=50&t=71454 ]

症状：

命令...

ssh root@[HOST_IP] -p 222

...返回以下错误...

ssh：连接到主机 172.16.13.8 端口 222：连接被拒绝

更新一：

@mwfearnley iptables-保存输出...

iptables-save -工作...

[root@localhost ~]# iptables-save
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:17 2019
*nat
:PREROUTING ACCEPT [1:70]
:INPUT ACCEPT [1:70]
:OUTPUT ACCEPT [2:146]
:POSTROUTING ACCEPT [3:206]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -p tcp -m tcp --dport 222 -j DNAT --to-destination 10.1.0.9:22
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -s 10.1.0.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 10.1.0.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 10.1.0.0/24 ! -d 10.1.0.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.1.0.0/24 ! -d 10.1.0.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.1.0.0/24 ! -d 10.1.0.0/24 -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o ens33 -g POST_public
-A POSTROUTING_ZONES -o br0 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -i ens33 -g PRE_public
-A PREROUTING_ZONES -i br0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Aug 22 11:59:17 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:17 2019
*mangle
:PREROUTING ACCEPT [672:77587]
:INPUT ACCEPT [610:68993]
:FORWARD ACCEPT [58:7886]
:OUTPUT ACCEPT [655:151604]
:POSTROUTING ACCEPT [713:159490]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i ens33 -g PRE_public
-A PREROUTING_ZONES -i br0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Aug 22 11:59:17 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:17 2019
*security
:INPUT ACCEPT [609:68793]
:FORWARD ACCEPT [58:7886]
:OUTPUT ACCEPT [660:152010]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Thu Aug 22 11:59:17 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:17 2019
*raw
:PREROUTING ACCEPT [672:77587]
:OUTPUT ACCEPT [655:151604]
:OUTPUT_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_ZONES -i ens33 -g PRE_public
-A PREROUTING_ZONES -i br0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Aug 22 11:59:17 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:17 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j ACCEPT
-A FORWARD -d 10.1.0.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.1.0.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j ACCEPT
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i ens33 -g FWDI_public
-A FORWARD_IN_ZONES -i br0 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o ens33 -g FWDO_public
-A FORWARD_OUT_ZONES -o br0 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i ens33 -g IN_public
-A INPUT_ZONES -i br0 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Thu Aug 22 11:59:17 2019

iptables-save -不工作......

[root@localhost ~]# iptables-save
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:16 2019
*nat
:PREROUTING ACCEPT [1:72]
:INPUT ACCEPT [1:72]
:OUTPUT ACCEPT [5:371]
:POSTROUTING ACCEPT [5:371]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -s 10.1.0.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 10.1.0.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 10.1.0.0/24 ! -d 10.1.0.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.1.0.0/24 ! -d 10.1.0.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.1.0.0/24 ! -d 10.1.0.0/24 -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o ens33 -g POST_public
-A POSTROUTING_ZONES -o br0 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -i ens33 -g PRE_public
-A PREROUTING_ZONES -i br0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PREROUTING_direct -p tcp -m tcp --dport 222 -j DNAT --to-destination 10.1.0.9:22
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Aug 22 11:59:16 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:16 2019
*mangle
:PREROUTING ACCEPT [12:1319]
:INPUT ACCEPT [11:1259]
:FORWARD ACCEPT [1:60]
:OUTPUT ACCEPT [12:1070]
:POSTROUTING ACCEPT [12:1070]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i ens33 -g PRE_public
-A PREROUTING_ZONES -i br0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Aug 22 11:59:16 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:16 2019
*security
:INPUT ACCEPT [11:1259]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12:1070]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Thu Aug 22 11:59:16 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:16 2019
*raw
:PREROUTING ACCEPT [12:1319]
:OUTPUT ACCEPT [12:1070]
:OUTPUT_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_ZONES -i ens33 -g PRE_public
-A PREROUTING_ZONES -i br0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Aug 22 11:59:16 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:16 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 10.1.0.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.1.0.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i ens33 -g FWDI_public
-A FORWARD_IN_ZONES -i br0 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o ens33 -g FWDO_public
-A FORWARD_OUT_ZONES -o br0 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FORWARD_direct -j ACCEPT
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i ens33 -g IN_public
-A INPUT_ZONES -i br0 -g IN_public
-A INPUT_ZONES -g IN_public
-A INPUT_direct -j ACCEPT
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT_direct -j ACCEPT
COMMIT
# Completed on Thu Aug 22 11:59:16 2019

iptables-save -不要太工作......

[root@localhost ~]# iptables-save
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:36 2019
*nat
:PREROUTING ACCEPT [5:371]
:INPUT ACCEPT [1:67]
:OUTPUT ACCEPT [2:134]
:POSTROUTING ACCEPT [2:134]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -s 10.1.0.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 10.1.0.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 10.1.0.0/24 ! -d 10.1.0.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.1.0.0/24 ! -d 10.1.0.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.1.0.0/24 ! -d 10.1.0.0/24 -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o ens33 -g POST_public
-A POSTROUTING_ZONES -o br0 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -i ens33 -g PRE_public
-A PREROUTING_ZONES -i br0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
-A PRE_public_allow -p tcp -m mark --mark 0x64 -j DNAT --to-destination 10.1.0.9:22
COMMIT
# Completed on Thu Aug 22 11:59:36 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:36 2019
*mangle
:PREROUTING ACCEPT [17:1649]
:INPUT ACCEPT [12:1285]
:FORWARD ACCEPT [5:364]
:OUTPUT ACCEPT [10:3037]
:POSTROUTING ACCEPT [14:3341]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i ens33 -g PRE_public
-A PREROUTING_ZONES -i br0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
-A PRE_public_allow -p tcp -m tcp --dport 222 -j MARK --set-xmark 0x64/0xffffffff
COMMIT
# Completed on Thu Aug 22 11:59:36 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:36 2019
*security
:INPUT ACCEPT [12:1285]
:FORWARD ACCEPT [4:304]
:OUTPUT ACCEPT [10:3037]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Thu Aug 22 11:59:36 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:36 2019
*raw
:PREROUTING ACCEPT [17:1649]
:OUTPUT ACCEPT [10:3037]
:OUTPUT_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_ZONES -i ens33 -g PRE_public
-A PREROUTING_ZONES -i br0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Aug 22 11:59:36 2019
# Generated by iptables-save v1.4.21 on Thu Aug 22 11:59:36 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8:2813]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 10.1.0.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.1.0.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i ens33 -g FWDI_public
-A FORWARD_IN_ZONES -i br0 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o ens33 -g FWDO_public
-A FORWARD_OUT_ZONES -o br0 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDI_public_allow -m conntrack --ctstate NEW -m mark --mark 0x64 -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i ens33 -g IN_public
-A INPUT_ZONES -i br0 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Thu Aug 22 11:59:36 2019

更新二：

“works”的 FORWARD 中的第一条规则是 ACCEPT。这允许转发每个数据包。其他人有接受 DNAT 数据包的规则，但在链的后面。所以......如果我们找出为什么这有效......我们也许能够解决问题......

iptables -I FORWARD -d 0.0.0.0/0 -j ACCEPT
firewall-cmd --permanent --zone=public --add-forward-port=port=222:proto=tcp:toport=22:toaddr=10.1.0.9
firewall-cmd --reload

......为什么这不是......

firewall-cmd --permanent --zone=public --direct --add-rule ipv4 filter FORWARD 0 -d 0.0.0.0/0 -j ACCEPT
firewall-cmd --permanent --zone=public --add-forward-port=port=222:proto=tcp:toport=22:toaddr=10.1.0.9
firewall-cmd --reload

网关问题 - “ping”有效，“curl”无效

如何从网络上的服务配置我的服务器的主机名？我应该使用什么？DHCP？一个DNS？两个都？

KVM 虚拟机网络 - Guest-guest/VM-VM only 网络（无主机/管理程序访问，无出站连接）

tesseract - 构建和安装 (`configure`, `make`, `make install`...) tesseract 版本 3 (tesseract-ocr-3.XX.XX)

python3.2 - 错误：root：未找到哈希 md5 的代码

Manjaro (KDE) 作为 rdp 服务器运行

Samba 客户端和 Windows 10 主页 - “NT_STATUS_LOGON_FAILURE”/“访问被拒绝”

firewall-cmd - 添加转发端口不起作用

如何减少“vmmem”进程的消耗？

从 Microsoft Stream 下载视频

Google Chrome DevTools 无法解析 SourceMap：chrome-extension

Windows 照片查看器因为内存不足而无法运行？

支持结束后如何激活 WindowsXP？

远程桌面间歇性冻结

子网掩码 /32 是什么意思？

鼠标指针在 Windows 中按下的箭头键上移动？

VirtualBox 无法以 VERR_NEM_VM_CREATE_FAILED 启动

应用程序不会出现在 MacBook 的摄像头和麦克风隐私设置中

Eduardo Lucio's questions