Implementing a network firewall with iptables

1 Implementing a network firewall with iptables

1.1 Environment preparation

Prepare four hosts:

Two CentOS 7, one CentOS 8 and one CentOS 6.

Internet: 192.168.0.6/24, host-only mode, gateway: 192.168.0.8

Firewall: NAT mode, eth0: 10.0.0.8/24, eth1: 192.168.0.8/24

LanServer-1: 10.0.0.7/24, NAT mode, gateway: 10.0.0.8

LanServer-2: 10.0.0.17/24, NAT mode, gateway: 10.0.0.8

Note: ip_forward must be enabled on the firewall.

Test connectivity between the hosts:

[root@LanServer-1 ~]# ping -c1 192.168.0.6
PING 192.168.0.6 (192.168.0.6) 56(84) bytes of data.
64 bytes from 192.168.0.6: icmp_seq=1 ttl=63 time=0.927 ms

--- 192.168.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.927/0.927/0.927/0.000 ms

[root@LanServer-2 ~]# ping -c1 192.168.0.6
PING 192.168.0.6 (192.168.0.6) 56(84) bytes of data.
64 bytes from 192.168.0.6: icmp_seq=1 ttl=63 time=1.96 ms

--- 192.168.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.966/1.966/1.966/0.000 ms


1.2 Configure the httpd service on Internet, LanServer-1 and LanServer-2

[root@LanServer-1 ~]# yum -y install httpd;echo 10.0.0.7 website > /var/www/html/index.html;systemctl start httpd

[root@LanServer-2 ~]# yum -y install httpd;echo 10.0.0.17 website > /var/www/html/index.html;systemctl start httpd

[root@internet ~]# yum -y install httpd;echo 192.168.0.6 website > /var/www/html/index.html;service httpd start

# Test and verify
[root@LanServer-1 ~]# curl 192.168.0.6
192.168.0.6 website
[root@LanServer-2 ~]# curl 192.168.0.6
192.168.0.6 website
[root@internet ~]#curl 10.0.0.7;curl 10.0.0.17
10.0.0.7 website
10.0.0.17 website

1.3 Add rules on the firewall so that the company's internal LAN can access all services on the Internet and the Internet can also access all services on the internal network

# Configure the rules on the firewall
[root@firewall ~]#iptables -A FORWARD -j REJECT
[root@firewall ~]#iptables -R FORWARD 1 -d 10.0.0.0/24 -j ACCEPT 
[root@firewall ~]#iptables -I FORWARD -s 10.0.0.0/24 -j ACCEPT
[root@firewall ~]#iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -s 10.0.0.0/24 -j ACCEPT
-A FORWARD -d 10.0.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable

# Test and verify
[root@LanServer-1 ~]# curl 192.168.0.6
192.168.0.6 website
[root@LanServer-1 ~]# ping -c1 192.168.0.6
PING 192.168.0.6 (192.168.0.6) 56(84) bytes of data.
64 bytes from 192.168.0.6: icmp_seq=1 ttl=63 time=2.19 ms

--- 192.168.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.191/2.191/2.191/0.000 ms
[root@LanServer-1 ~]# ssh 192.168.0.6
The authenticity of host '192.168.0.6 (192.168.0.6)' can't be established.
RSA key fingerprint is SHA256:e311kZO35oN41c/oLBg4RhkSuREAdJfOeImiBZ88Oa0.
RSA key fingerprint is MD5:f5:cb:dc:93:35:47:0e:5f:9a:06:c6:8e:d0:05:a2:20.
Are you sure you want to continue connecting (yes/no)? ^C
[root@LanServer-2 ~]# curl 192.168.0.6
192.168.0.6 website
[root@LanServer-2 ~]# ping -c1 192.168.0.6
PING 192.168.0.6 (192.168.0.6) 56(84) bytes of data.
64 bytes from 192.168.0.6: icmp_seq=1 ttl=63 time=0.823 ms

--- 192.168.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.823/0.823/0.823/0.000 ms
[root@LanServer-2 ~]# ssh 192.168.0.6
The authenticity of host '192.168.0.6 (192.168.0.6)' can't be established.
RSA key fingerprint is SHA256:e311kZO35oN41c/oLBg4RhkSuREAdJfOeImiBZ88Oa0.
RSA key fingerprint is MD5:f5:cb:dc:93:35:47:0e:5f:9a:06:c6:8e:d0:05:a2:20.
Are you sure you want to continue connecting (yes/no)? ^C

1.4 Allow the Internet to access the specified internal http service, while the internal network cannot access the external http service

# Configure the rules on the firewall
[root@firewall ~]#iptables -A FORWARD -j REJECT
[root@firewall ~]#iptables -I FORWARD -d 10.0.0.0/24 -p tcp --dport 80 -j ACCEPT 
[root@firewall ~]#iptables -I FORWARD -s 10.0.0.0/24 -p tcp --sport 80 -j ACCEPT
[root@firewall ~]#iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -s 10.0.0.0/24 -p tcp -m tcp --sport 80 -j ACCEPT
-A FORWARD -d 10.0.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable

# Verify that the Internet can access the internal network's http service, while the internal network cannot access the Internet's http service
[root@LanServer-1 ~]# curl 192.168.0.6
curl: (7) Failed connect to 192.168.0.6:80; Connection refused
[root@LanServer-2 ~]# curl 192.168.0.6
curl: (7) Failed connect to 192.168.0.6:80; Connection refused

Note: although the Internet can reach the internal network this way, it creates a security risk.

1.5 Make the Internet unable to ping the internal network, while the internal network can ping the Internet

# Configure the rules on the firewall
# ICMP types: 0 is echo reply, 8 is echo request
[root@firewall ~]#iptables -I FORWARD -s 10.0.0.0/24 -p icmp --icmp-type 8 -j ACCEPT 
[root@firewall ~]#iptables -I FORWARD -d 10.0.0.0/24 -p icmp --icmp-type 0 -j ACCEPT 
[root@firewall ~]#iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -d 10.0.0.0/24 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -p tcp -m tcp --sport 80 -j ACCEPT
-A FORWARD -d 10.0.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable

# Test and verify
[root@LanServer-1 ~]# ping -c1 192.168.0.6
PING 192.168.0.6 (192.168.0.6) 56(84) bytes of data.
64 bytes from 192.168.0.6: icmp_seq=1 ttl=63 time=1.03 ms

--- 192.168.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.033/1.033/1.033/0.000 ms
[root@LanServer-2 ~]# ping -c1 192.168.0.6
PING 192.168.0.6 (192.168.0.6) 56(84) bytes of data.
64 bytes from 192.168.0.6: icmp_seq=1 ttl=63 time=1.21 ms

--- 192.168.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.214/1.214/1.214/0.000 ms
[root@firewall ~]#iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   74  6216 ACCEPT     icmp --  *      *       0.0.0.0/0            10.0.0.0/24          icmptype 0
  119  9996 ACCEPT     icmp --  *      *       10.0.0.0/24          0.0.0.0/0            icmptype 8
   16  1898 ACCEPT     tcp  --  *      *       10.0.0.0/24          0.0.0.0/0            tcp spt:80
   27  2106 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.0/24          tcp dpt:80
   76  6032 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

1.6 Make the Internet unable to access the internal network's http service, while the internal network can access the Internet's http service

# Configure the rules on the firewall
[root@firewall ~]#iptables -A FORWARD -j REJECT
[root@firewall ~]#iptables -I FORWARD -s 10.0.0.0/24 -p tcp --dport 80 -j ACCEPT 
[root@firewall ~]#iptables -I FORWARD -d 10.0.0.0/24 -p tcp --sport 80 -j ACCEPT
[root@firewall ~]#iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -d 10.0.0.0/24 -p tcp -m tcp --sport 80 -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable

# Test and verify
[root@LanServer-1 ~]# curl  192.168.0.6
192.168.0.6 website
[root@LanServer-2 ~]# curl 192.168.0.6
192.168.0.6 website
[root@firewall ~]#iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   20  2220 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.0/24          tcp spt:80
   26  1732 ACCEPT     tcp  --  *      *       10.0.0.0/24          0.0.0.0/0            tcp dpt:80
   22  1528 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

On top of the existing rules, next allow the Internet to access the http service on LanServer-1.

# Add the extra rules on the firewall
[root@firewall ~]#iptables -I FORWARD 3 -d 10.0.0.7 -p tcp --dport 80 -j ACCEPT 
[root@firewall ~]#iptables -I FORWARD 3 -s 10.0.0.7 -p tcp --sport 80 -j ACCEPT
[root@firewall ~]#iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -d 10.0.0.0/24 -p tcp -m tcp --sport 80 -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 10.0.0.7/32 -p tcp -m tcp --sport 80 -j ACCEPT
-A FORWARD -d 10.0.0.7/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable

# Test and verify
[root@LanServer-1 ~]# curl  192.168.0.6
192.168.0.6 website
[root@LanServer-2 ~]# curl 192.168.0.6
192.168.0.6 website
[root@firewall ~]#iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   35  3885 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.0/24          tcp spt:80
   41  2761 ACCEPT     tcp  --  *      *       10.0.0.0/24          0.0.0.0/0            tcp dpt:80
   24  2844 ACCEPT     tcp  --  *      *       10.0.0.7             0.0.0.0/0            tcp spt:80
   38  3006 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.7             tcp dpt:80
   52  3696 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination      

Allow the internal network to access all services on the Internet, while the Internet can only access the http service on LanServer-1.

# Clear the existing rules first
[root@firewall ~]#iptables -A FORWARD -j REJECT
[root@firewall ~]#iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT 
[root@firewall ~]#iptables -I FORWARD -m state  -s 10.0.0.0/24 --state NEW -j ACCEPT 
[root@firewall ~]#iptables -I FORWARD 3 -d 10.0.0.7 -p tcp --dport 80 -j ACCEPT 
[root@firewall ~]#iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -s 10.0.0.0/24 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.0.0.7/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable

# Verify and test
[root@LanServer-1 ~]# curl 192.168.0.6
192.168.0.6 website
[root@LanServer-1 ~]# ping -c1 192.168.0.6
PING 192.168.0.6 (192.168.0.6) 56(84) bytes of data.
64 bytes from 192.168.0.6: icmp_seq=1 ttl=63 time=2.25 ms

--- 192.168.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.251/2.251/2.251/0.000 ms
[root@LanServer-1 ~]# ssh 192.168.0.6
The authenticity of host '192.168.0.6 (192.168.0.6)' can't be established.
RSA key fingerprint is SHA256:e311kZO35oN41c/oLBg4RhkSuREAdJfOeImiBZ88Oa0.
RSA key fingerprint is MD5:f5:cb:dc:93:35:47:0e:5f:9a:06:c6:8e:d0:05:a2:20.
Are you sure you want to continue connecting (yes/no)? ^C
[root@LanServer-2 ~]# curl 192.168.0.6
192.168.0.6 website
[root@LanServer-2 ~]# ping -c1 192.168.0.6
PING 192.168.0.6 (192.168.0.6) 56(84) bytes of data.
64 bytes from 192.168.0.6: icmp_seq=1 ttl=63 time=1.80 ms

--- 192.168.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.800/1.800/1.800/0.000 ms
[root@LanServer-2 ~]# ssh 192.168.0.6
The authenticity of host '192.168.0.6 (192.168.0.6)' can't be established.
RSA key fingerprint is SHA256:e311kZO35oN41c/oLBg4RhkSuREAdJfOeImiBZ88Oa0.
RSA key fingerprint is MD5:f5:cb:dc:93:35:47:0e:5f:9a:06:c6:8e:d0:05:a2:20.
Are you sure you want to continue connecting (yes/no)? ^C

Note: this method still carries a security risk.
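As an added example (not from the original post), the script below writes the final policy of this section, "the LAN reaches everything, the Internet reaches only LanServer-1:80", as an iptables-restore file that relies on connection tracking and a DROP default policy, instead of accepting any packet whose source port happens to be 80 (the remote side chooses that port, which is the risk the notes above refer to). The addresses are the post's lab values; the log prefix FWD-DROP is a constructed name.

```shell
#!/bin/sh
# Added example (not from the original post): emit the final policy of
# section 1 as an iptables-restore file, stateful and with a DROP policy.
# Addresses are the post's lab values; the log prefix is a constructed name.
LAN_NET="10.0.0.0/24"          # internal network behind the firewall (from the post)
PUBLISHED_HOST="10.0.0.7"      # LanServer-1 (from the post)
PUBLISHED_PORT="80"

# Print the filter table. Rule order matters: conntrack state is checked
# first, so replies match once and the per-flow rules only ever see NEW.
gen_filter_rules() {
    lan="$1"; host="$2"; port="$3"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies and related traffic (e.g. ICMP errors) for flows already allowed.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets that do not fit any tracked flow are dropped early.
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# LAN hosts may open any new connection outward.
-A FORWARD -s $lan -m conntrack --ctstate NEW -j ACCEPT
# The only inbound service: TCP $port on $host.
-A FORWARD -d $host -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
# Log (rate limited) what the DROP policy is about to discard.
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP "
COMMIT
EOF
}

# Sanity check for a rule set: a rule that ACCEPTs on source port alone is
# the weakness of the --sport 80 rules shown in the post.
has_sport_accept() {
    printf '%s\n' "$1" | grep -q -- '--sport [0-9][0-9]* -j ACCEPT'
}

gen_filter_rules "$LAN_NET" "$PUBLISHED_HOST" "$PUBLISHED_PORT"
```

Save the output to a file and load it with `iptables-restore < file` on the firewall; `iptables -S` then shows the stateful rules in place of the port-based ones.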

2. Practical NAT cases with iptables

2.1 Case 1: SNAT

Purpose:
Allow the internal network to access the Internet while the Internet cannot access the internal network.

2.1.1 Environment preparation

Prepare four hosts:

Two CentOS 7, one CentOS 8 and one CentOS 6.

internet: 192.168.0.6/24, host-only mode, # no gateway needs to be configured

Firewall: NAT mode, eth0: 10.0.0.8/24, eth1: 192.168.0.8/24

LanServer-1: 10.0.0.7/24, NAT mode, gateway: 10.0.0.8

LanServer-2: 10.0.0.17/24, NAT mode, gateway: 10.0.0.8

2.1.2 Configure the http service on Internet, LanServer-1 and LanServer-2

[root@LanServer-1 ~]# yum -y install httpd;echo 10.0.0.7 website > /var/www/html/index.html;systemctl start httpd

[root@LanServer-2 ~]# yum -y install httpd;echo 10.0.0.17 website > /var/www/html/index.html;systemctl start httpd

[root@internet ~]# yum -y install httpd;echo 192.168.0.6 website > /var/www/html/index.html;service httpd start

# Test and verify
[root@LanServer-1 ~]# curl 192.168.0.6
192.168.0.6 website
[root@LanServer-2 ~]# curl 192.168.0.6
192.168.0.6 website
[root@internet ~]#curl 10.0.0.7;curl 10.0.0.17
10.0.0.7 website
10.0.0.17 website

2.1.3 Configure the rules on the firewall

Note: ip_forward must be enabled on the firewall.

[root@firewall ~]#iptables -F
# For a dedicated line with a static public IP
[root@firewall ~]#iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source 192.168.0.8
[root@firewall ~]#iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-A POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source 192.168.0.8
# For dial-up connections as well as dedicated lines with a static public IP, this method is recommended as it is more widely applicable
#[root@firewall ~]#iptables -t nat -R POSTROUTING 1 -s 10.0.0.0/24 -j MASQUERADE

2.1.4 Test and verify

[root@LanServer-1 ~]# curl 192.168.0.6
192.168.0.6 website
[root@LanServer-1 ~]# ping -c1 192.168.0.6
PING 192.168.0.6 (192.168.0.6) 56(84) bytes of data.
64 bytes from 192.168.0.6: icmp_seq=1 ttl=63 time=2.91 ms

--- 192.168.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.915/2.915/2.915/0.000 ms
[root@LanServer-1 ~]# ssh 192.168.0.6
The authenticity of host '192.168.0.6 (192.168.0.6)' can't be established.
RSA key fingerprint is SHA256:e311kZO35oN41c/oLBg4RhkSuREAdJfOeImiBZ88Oa0.
RSA key fingerprint is MD5:f5:cb:dc:93:35:47:0e:5f:9a:06:c6:8e:d0:05:a2:20.
Are you sure you want to continue connecting (yes/no)? ^C
[root@LanServer-2 ~]# curl 192.168.0.6
192.168.0.6 website
[root@LanServer-2 ~]# ping -c1 192.168.0.6
PING 192.168.0.6 (192.168.0.6) 56(84) bytes of data.
64 bytes from 192.168.0.6: icmp_seq=1 ttl=63 time=2.33 ms

--- 192.168.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.337/2.337/2.337/0.000 ms
[root@LanServer-2 ~]# ssh 192.168.0.6
The authenticity of host '192.168.0.6 (192.168.0.6)' can't be established.
RSA key fingerprint is SHA256:e311kZO35oN41c/oLBg4RhkSuREAdJfOeImiBZ88Oa0.
RSA key fingerprint is MD5:f5:cb:dc:93:35:47:0e:5f:9a:06:c6:8e:d0:05:a2:20.
Are you sure you want to continue connecting (yes/no)? ^C

2.2 Case 2: DNAT

2.2.1 Environment preparation

Prepare four hosts:

Two CentOS 7, one CentOS 8 and one CentOS 6.

internet: 192.168.0.6/24, host-only mode, # no gateway needs to be configured

Firewall: NAT mode, eth0: 10.0.0.8/24, eth1: 192.168.0.8/24

LanServer-1: 10.0.0.7/24, NAT mode, gateway: 10.0.0.8

LanServer-2: 10.0.0.17/24, NAT mode, gateway: 10.0.0.8

2.2.2 Configure the http service on Internet, LanServer-1 and LanServer-2

[root@LanServer-1 ~]# yum -y install httpd;echo 10.0.0.7 website > /var/www/html/index.html;systemctl start httpd

[root@LanServer-2 ~]# yum -y install httpd;echo 10.0.0.17 website > /var/www/html/index.html;systemctl start httpd

[root@internet ~]# yum -y install httpd;echo 192.168.0.6 website > /var/www/html/index.html;service httpd start

# Test and verify
[root@LanServer-1 ~]# curl 192.168.0.6
192.168.0.6 website
[root@LanServer-2 ~]# curl 192.168.0.6
192.168.0.6 website
[root@internet ~]#curl 10.0.0.7;curl 10.0.0.17
10.0.0.7 website
10.0.0.17 website

2.2.3 Configure the rules on the firewall

Note: ip_forward must be enabled on the firewall.

[root@firewall ~]#iptables -t nat -R PREROUTING 1 -d 192.168.0.8 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.7
[root@firewall ~]#iptables -S -t nat 
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-A PREROUTING -d 192.168.0.8/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.7
-A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE

2.2.4 Test and verify

[root@LanServer-1 ~]# curl 192.168.0.6
192.168.0.6 website
[root@LanServer-1 ~]# ping -c1 192.168.0.6
PING 192.168.0.6 (192.168.0.6) 56(84) bytes of data.
64 bytes from 192.168.0.6: icmp_seq=1 ttl=63 time=2.91 ms

--- 192.168.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.915/2.915/2.915/0.000 ms
[root@LanServer-1 ~]# ssh 192.168.0.6
The authenticity of host '192.168.0.6 (192.168.0.6)' can't be established.
RSA key fingerprint is SHA256:e311kZO35oN41c/oLBg4RhkSuREAdJfOeImiBZ88Oa0.
RSA key fingerprint is MD5:f5:cb:dc:93:35:47:0e:5f:9a:06:c6:8e:d0:05:a2:20.
Are you sure you want to continue connecting (yes/no)? ^C
[root@LanServer-2 ~]# curl 192.168.0.6
192.168.0.6 website
[root@LanServer-2 ~]# ping -c1 192.168.0.6
PING 192.168.0.6 (192.168.0.6) 56(84) bytes of data.
64 bytes from 192.168.0.6: icmp_seq=1 ttl=63 time=2.33 ms

--- 192.168.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.337/2.337/2.337/0.000 ms
[root@LanServer-2 ~]# ssh 192.168.0.6
The authenticity of host '192.168.0.6 (192.168.0.6)' can't be established.
RSA key fingerprint is SHA256:e311kZO35oN41c/oLBg4RhkSuREAdJfOeImiBZ88Oa0.
RSA key fingerprint is MD5:f5:cb:dc:93:35:47:0e:5f:9a:06:c6:8e:d0:05:a2:20.
Are you sure you want to continue connecting (yes/no)? ^C

2.3 Case 3: local port forwarding with REDIRECT

2.3.1 Environment preparation

# Same configuration as above

2.3.2 Configure the http service on Internet, LanServer-1 and LanServer-2

# Same configuration as above

2.3.3 Configure the rules on the firewall

# Same configuration as above

2.3.4 Configure the local redirect rule on LanServer-1

# Change the listening port from 80 to 8080
[root@LanServer-1 ~]# vim /etc/httpd/conf/httpd.conf
Listen 8080
[root@LanServer-1 ~]# systemctl restart httpd
[root@LanServer-1 ~]# ss -ntl
State       Recv-Q Send-Q      Local Address:Port                     Peer Address:Port              
LISTEN      0      100             127.0.0.1:25                                  *:*                  
LISTEN      0      128                     *:22                                  *:*                  
LISTEN      0      100                 [::1]:25                               [::]:*                  
LISTEN      0      128                  [::]:8080                             [::]:*                  
LISTEN      0      128                  [::]:22                               [::]:*     

# Note: since the port is redirected on the local host itself, ip_forward does not need to be enabled
[root@LanServer-1 ~]# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

2.3.5 Test and verify

[root@LanServer-1 ~]# curl 192.168.0.6
192.168.0.6 website
[root@LanServer-1 ~]# ping -c1 192.168.0.6
PING 192.168.0.6 (192.168.0.6) 56(84) bytes of data.
64 bytes from 192.168.0.6: icmp_seq=1 ttl=63 time=1.19 ms

--- 192.168.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.197/1.197/1.197/0.000 ms
[root@LanServer-1 ~]# ssh 192.168.0.6
The authenticity of host '192.168.0.6 (192.168.0.6)' can't be established.
RSA key fingerprint is SHA256:e311kZO35oN41c/oLBg4RhkSuREAdJfOeImiBZ88Oa0.
RSA key fingerprint is MD5:f5:cb:dc:93:35:47:0e:5f:9a:06:c6:8e:d0:05:a2:20.
Are you sure you want to continue connecting (yes/no)? ^C
[root@LanServer-2 ~]# curl 192.168.0.6
192.168.0.6 website
[root@LanServer-2 ~]# ping -c1 192.168.0.6
PING 192.168.0.6 (192.168.0.6) 56(84) bytes of data.
64 bytes from 192.168.0.6: icmp_seq=1 ttl=63 time=1.93 ms

--- 192.168.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.931/1.931/1.931/0.000 ms
[root@LanServer-2 ~]# ssh 192.168.0.6
The authenticity of host '192.168.0.6 (192.168.0.6)' can't be established.
RSA key fingerprint is SHA256:e311kZO35oN41c/oLBg4RhkSuREAdJfOeImiBZ88Oa0.
RSA key fingerprint is MD5:f5:cb:dc:93:35:47:0e:5f:9a:06:c6:8e:d0:05:a2:20.
Are you sure you want to continue connecting (yes/no)? ^C

3. Comprehensive NAT experiment

Purpose:
Combine SNAT and DNAT in one case
so that LanSer and RemSer can communicate with each other.

3.1 Environment preparation

Four hosts: two CentOS 8, one CentOS 6 and one CentOS 7.
LanSer: 192.168.0.6/24, gateway: 192.168.0.8, host-only vmnet1
RemSer: 172.16.0.7/24, gateway: 172.16.0.18, host-only vmnet6
firewall-1: eth0: 10.0.0.8/24, eth1: 192.168.0.8/24, NAT mode
firewall-2: eth0: 10.0.0.18/24, eth1: 172.16.0.18/24, NAT mode

3.2 Configure the http service on LanSer and RemSer

[root@LanSer ~]#yum -y install httpd;echo LanSer website > /var/www/html/index.html;service httpd start;chkconfig httpd on
[root@RemSer ~]#yum -y install httpd;echo RemSer website > /var/www/html/index.html;systemctl enable --now httpd

# Test and verify the http service
[root@LanSer ~]#curl 127.0.0.1
LanSer website
[root@RemSer ~]#curl 127.0.0.1
RemSer website

3.3 Configure the rules

# Enable ip_forward
[root@firewall-1 ~]#echo 1 > /proc/sys/net/ipv4/ip_forward

# First, allow LanSer to access the http service on RemSer
# Configure SNAT on firewall-1
[root@firewall-1 ~]#iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
# Configure DNAT on firewall-2
[root@firewall-2 ~]#iptables -t nat -A PREROUTING -d 10.0.0.18 -p tcp --dport 80 -j DNAT --to-destination 172.16.0.7:80

# Verify and test
[root@LanSer ~]#curl 10.0.0.18
RemSer website

# Enable ip_forward
[root@firewall-2 ~]#echo 1 > /proc/sys/net/ipv4/ip_forward

# Next, allow RemSer to access the http service on LanSer
# Configure SNAT on firewall-2
[root@firewall-2 ~]#iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
# Configure DNAT on firewall-1
[root@firewall-1 ~]#iptables -t nat -A PREROUTING -d 10.0.0.8 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.6:80

# Verify and test
[root@RemSer ~]#curl 10.0.0.8
LanSer website
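As an added example (not the post's own commands), the function below reads an `iptables-save -t nat` dump and lists what each DNAT or REDIRECT rule in PREROUTING publishes, flagging rules that match no destination address, no protocol or no port and therefore forward more than the one service intended. The dump is constructed from the firewall and LanServer-1 rules in sections 2.2, 2.3 and 3, plus one deliberately over-broad DNAT rule to show the warnings.

```shell
#!/bin/sh
# Added example (not from the original post): inventory the services a host
# publishes by reading an `iptables-save -t nat` dump and listing every
# DNAT/REDIRECT rule in PREROUTING, with a warning for rules that match
# no destination address, no protocol or no port.
# Constructed dump: the post's rules from sections 2.2, 2.3 and 3, plus one
# deliberately over-broad DNAT rule (the last PREROUTING line).
SAMPLE_NAT_DUMP=$(cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.0.8/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.7
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -d 10.0.0.18/32 -j DNAT --to-destination 172.16.0.7
-A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE
COMMIT
EOF
)

# Read a nat-table dump on stdin; print one line per published service:
#   <ACTION> dst=<addr> proto=<proto> dport=<port> -> <target> [warnings]
audit_nat_dump() {
    awk '
    /^-A PREROUTING / && /-j (DNAT|REDIRECT)/ {
        dst = "any"; proto = "any"; dport = "any"; target = "?"; action = "?"; warn = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-d") dst = $(i + 1)
            else if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport") dport = $(i + 1)
            else if ($i == "-j") action = $(i + 1)
            else if ($i == "--to-destination" || $i == "--to-ports") target = $(i + 1)
        }
        # No -d: the rule also rewrites traffic arriving on the LAN side and
        # on any other address the host holds, not just the public one.
        if (dst == "any") warn = warn " [no-dst-match]"
        # No --dport / no -p: every port or protocol is forwarded, not one service.
        if (dport == "any") warn = warn " [all-ports]"
        if (proto == "any") warn = warn " [all-protocols]"
        printf "%s dst=%s proto=%s dport=%s -> %s%s\n", action, dst, proto, dport, target, warn
    }'
}

# Count how many published services carry at least one warning.
count_nat_warnings() {
    audit_nat_dump | grep -c '\['
}

printf '%s\n' "$SAMPLE_NAT_DUMP" | audit_nat_dump
```

On a real firewall, feed it live data with `iptables-save -t nat | audit_nat_dump` and compare the list against the services that are meant to be reachable from outside.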
