
5.iptables实现SNAT和DNAT,并对规则持久保存


iptables实现SNAT和DNAT,并对规则持久保存

SNAT (源地址转换):

实验拓扑: lan-host(192.168.100.7) → firewall(内网侧 192.168.100.8 / 外网侧 10.0.0.8) → internet-host(10.0.0.6)。内网主机以 firewall 的外网地址 10.0.0.8 访问外部, 外部只能看到 10.0.0.8。firewall 必须先开启 net.ipv4.ip_forward=1 (本文在下面 DNAT 一节才给出 sysctl 配置, SNAT 同样依赖它), 否则转发不生效。

 

 

Internet-host:

[root@internet-host html]# service iptables stop   # 仅限实验环境: 这是关闭该主机自身的防火墙; 生产环境应只放行需要的端口, 不要整体关闭

[root@internet-host html]# yum install httpd -y

[root@internet-host html]# echo internet Server > /var/www/html/index.html

[root@internet-host html]#hostname -I

10.0.0.6

[root@internet-host html]# route -n

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0

169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0

0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0

 

 

 

lan-host:

[root@lan-host ~]#hostname -I

192.168.100.7

[root@lan-host ~]# route add default gw 192.168.100.8 dev eth0   # 临时路由, 重启后丢失; 要持久化需写入网卡配置(如 ifcfg-eth0 的 GATEWAY), 新系统建议改用 ip route

[root@lan-host ~]# route -n

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

0.0.0.0         192.168.100.8   0.0.0.0         UG    100    0        0 eth0

192.168.100.0   0.0.0.0         255.255.255.0   U     100    0        0 eth0

 

 

 

 

 

 

 

Firewall:

[root@firewall-host ~]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -j SNAT --to-source 10.0.0.8

注意: 这条规则没有用 -o 限定出接口, 凡是源地址为 192.168.100.0/24 的转发流量, 不论从哪个接口出去都会被改写为 10.0.0.8。建议加上 -o <外网接口>, 只对真正出向外网的包做 SNAT。如果外网地址是动态获取的(DHCP/PPPoE), 应改用 -j MASQUERADE 而不是写死 --to-source。

[root@firewall-host ~]# iptables -vnL -t nat

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         

   21  1356 SNAT       all  --  *      *       192.168.100.0/24     0.0.0.0/0            to:10.0.0.8

 

lan-host:

[root@lan-host ~]#curl 10.0.0.6

internet Server

[root@internet-host ~]# curl 192.168.100.7

curl: (7) Failed to connect to 192.168.100.7: Network is unreachable

说明: 这里失败是因为 internet-host 没有到 192.168.100.0/24 的路由(见上面它的路由表, 默认网关是 10.0.0.1 而不是 firewall), 报错也是本机产生的 "Network is unreachable", 并不是 firewall 丢弃了包。SNAT 只是"隐藏"内网地址, 本身不提供访问控制: 只要外部主机能把 192.168.100.0/24 的路由指向 10.0.0.8, 而 firewall 的 FORWARD 链又是默认 ACCEPT(本文没有配置任何 filter 规则), 内网就可以被直接访问。真正要阻断外到内的访问, 需要在 filter 表 FORWARD 链加规则, 例如只放行已建立的连接: iptables -A FORWARD -i <外网接口> -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 然后 iptables -A FORWARD -i <外网接口> -j DROP。

[root@lan-host ~]#ping 10.0.0.6

PING 10.0.0.6 (10.0.0.6) 56(84) bytes of data.

64 bytes from 10.0.0.6: icmp_seq=1 ttl=63 time=0.535 ms

64 bytes from 10.0.0.6: icmp_seq=2 ttl=63 time=2.07 ms

64 bytes from 10.0.0.6: icmp_seq=3 ttl=63 time=1.24 ms

64 bytes from 10.0.0.6: icmp_seq=4 ttl=63 time=1.26 ms

64 bytes from 10.0.0.6: icmp_seq=5 ttl=63 time=0.804 ms

ttl=63 而不是 64: 回包经过 firewall 做了一次路由转发, TTL 减 1(Linux 默认初始 TTL 为 64), 可以佐证流量确实是经 firewall 转发的。

 

internet-host:

[root@internet-host html]# tail /var/log/httpd/access_log

10.0.0.8 - - [24/Jul/2022:23:37:04 +0800] "GET / HTTP/1.1" 200 16 "-" "curl/7.29.0"

10.0.0.8 - - [24/Jul/2022:23:37:05 +0800] "GET / HTTP/1.1" 200 16 "-" "curl/7.29.0"

10.0.0.8 - - [24/Jul/2022:23:37:05 +0800] "GET / HTTP/1.1" 200 16 "-" "curl/7.29.0"

注意: access_log 里记录的客户端地址是 firewall 的 SNAT 地址 10.0.0.8, 真实发起者 192.168.100.7 在服务端已经不可见, 服务端日志无法区分内网中的不同主机。如果需要审计/溯源, 必须在 firewall 上保留 NAT 映射记录(例如 conntrack 日志或 iptables LOG/NFLOG), 或者在应用层传递真实地址。

 

[root@internet-host html]# tcpdump -i eth0 -nn icmp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

23:54:44.591977 IP 10.0.0.8 > 10.0.0.6: ICMP echo request, id 21455, seq 160, length 64

23:54:44.592017 IP 10.0.0.6 > 10.0.0.8: ICMP echo reply, id 21455, seq 160, length 64

23:54:45.594044 IP 10.0.0.8 > 10.0.0.6: ICMP echo request, id 21455, seq 161, length 64

23:54:45.594083 IP 10.0.0.6 > 10.0.0.8: ICMP echo reply, id 21455, seq 161, length 64

抓包显示 ICMP 请求的源地址已经被改写为 10.0.0.8, 回包也发往 10.0.0.8, 再由 firewall 根据 conntrack 表把目标地址改回 192.168.100.7 送给 lan-host。

 

DNAT (目标地址转换):

实验拓扑(注意与上面 SNAT 实验的地址段正好相反): internet(外网侧, 访问 firewall 的外网地址 192.168.0.8) → firewall → lanserver1(10.0.0.7) / lanserver2(10.0.0.17)。目的是把访问 192.168.0.8:80 的请求转发到内网 Web 服务器, 对外只暴露 firewall 的地址。

 

 

Firewall:

[root@firewall ~]# vim /etc/sysctl.conf

net.ipv4.ip_forward=1

[root@firewall ~]# sysctl -p   # 立即生效, 且写在 sysctl.conf 中重启后仍有效; SNAT 和 DNAT 都依赖内核转发, 上面的 SNAT 实验同样需要这一步

 

[root@firewall ~]# iptables -t nat -A PREROUTING -d 192.168.0.8 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.7

说明: nat 表只对每个连接的第一个包查询, 后续包和回包由 conntrack 自动改写。内网服务器的回包必须经过 firewall 才能被还原成源地址 192.168.0.8, 因此 lanserver 的默认路由(或到外网侧网段的路由)要指向 firewall(本文没有给出 lanserver 的路由配置), 否则外部客户端会收到源地址为 10.0.0.7 的回包并丢弃。另外规则没有用 -i 限定入接口, 建议加上 -i <外网接口>, 避免内网侧访问 192.168.0.8 时也被改写。

 

 

[root@firewall ~]# ss -ntl
State      Recv-Q Send-Q  Local Address:Port   Peer Address:Port
LISTEN     0      128           0.0.0.0:22          0.0.0.0:*
LISTEN     0      100         127.0.0.1:25          0.0.0.0:*
LISTEN     0      128              [::]:22             [::]:*
LISTEN     0      100             [::1]:25             [::]:*

说明: firewall 自己并没有监听 80 端口。DNAT 发生在 PREROUTING, 在路由决策和本机 INPUT 之前, 包直接被转发给 10.0.0.7, 不会进入 firewall 本机的 socket。

 

[root@internet ~]# curl 192.168.0.8

lanserver1

[root@lanserver1 ~]# tail /var/log/httpd/access_log

(原文此处没有贴出输出。与 SNAT 不同, DNAT 只改写目标地址, lanserver1 的 access_log 里应当记录的是 internet 主机的真实源地址, 而不是 firewall 的地址。)

 

 

[root@lanserver1 ~]# service httpd stop

Redirecting to /bin/systemctl stop httpd.service

[root@internet ~]# curl 192.168.0.8

curl: (7) couldn't connect to host

说明: DNAT 只是静态改写目标地址, 没有健康检查; 后端停掉后客户端直接收到连接失败, 不会自动切换到其他后端。

[root@firewall ~]# iptables -t nat -A PREROUTING -d 192.168.0.8 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.17

注意: -A 是追加, 第一条指向 10.0.0.7 的规则仍然排在前面并且会先匹配, 新连接依旧会被转到已经停掉的 10.0.0.7; 所以按这两条命令的顺序, 下面的 curl 正常情况下不应该直接得到 lanserver2(原文可能在中间删除了第一条规则但没有贴出来)。要切换后端应当替换而不是追加, 例如 iptables -t nat -R PREROUTING 1 -d 192.168.0.8 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.17, 或先用 -D 删除旧规则; 修改前后用 iptables -t nat -vnL PREROUTING --line-numbers 核对顺序。另外 conntrack 中已有的连接仍沿用旧映射, 必要时用 conntrack -D 清理。

 

[root@internet ~]# curl 192.168.0.8

lanserver2

 

 

 

对规则持久保存:

[root@firewall ~]# iptables-save > /etc/sysconfig/iptables

[root@firewall ~]# vim /etc/rc.d/rc.local

#!/bin/bash

iptables-restore < /etc/sysconfig/iptables

[root@firewall ~]# chmod +x /etc/rc.d/rc.local   # systemd 下 rc-local.service 只在该文件可执行时才会运行

注意事项:
1. rc.local 在启动流程很靠后才执行, 此时网络已经起来而规则尚未加载, 这段时间 firewall 处于无规则状态(本文只有 nat 规则, 一旦以后加入 filter 规则, 这个窗口就是暴露面)。更可靠的做法是安装 iptables-services 并 systemctl enable iptables, 由 iptables.service 在网络启动阶段从 /etc/sysconfig/iptables 恢复规则; Debian 系可用 iptables-persistent。
2. iptables-restore 不加 -n 时会整体替换当前规则集, 保存前先用 iptables -vnL 和 iptables -t nat -vnL 核对, 确认文件里是完整且想要的规则。
3. 如果系统(如文中出现的 CentOS 8)默认启用了 firewalld, 它会在启动时接管规则, 与手工维护的规则互相覆盖; 要么 systemctl disable --now firewalld 并屏蔽它, 要么改用 firewalld 的规则来配置 NAT, 不要两套混用。
4. net.ipv4.ip_forward 已经通过 /etc/sysctl.conf 持久化; 用 route add 临时添加的路由不会持久, 需要写入网卡配置。

             

 

来源: https://www.cnblogs.com/biaoming534/p/16515250.html