1 iptables 实现网络防火墙功能
1.1 环境准备
准备四台主机
两台CentOS 7,一台CentOS 8,一台CentOS 6
Internet:192.168.0.6/24 仅主机模式,网关:192.168.0.8
Firewall:NAT模式 eth0:10.0.0.8/24 eth1:192.168.0.8/24
LanServer-1:10.0.0.7/24 NAT模式,网关:10.0.0.8
LanServer-2:10.0.0.17/24 NAT模式,网关:10.0.0.8
注意:firewall上要开启ip_forward转发功能
测试各主机的连通性:
[root@LanServer-1 ~]# ping -c1 192.168.0.6
PING 192.168.0.6 (192.168.0.6) 56(84) bytes of data.
64 bytes from 192.168.0.6: icmp_seq=1 ttl=63 time=0.927 ms
--- 192.168.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.927/0.927/0.927/0.000 ms
[root@LanServer-2 ~]# ping -c1 192.168.0.6
PING 192.168.0.6 (192.168.0.6) 56(84) bytes of data.
64 bytes from 192.168.0.6: icmp_seq=1 ttl=63 time=1.96 ms
--- 192.168.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.966/1.966/1.966/0.000 ms
1.2 在Internet、LanServer-1和LanServer-2上配置httpd服务
[root@LanServer-1 ~]# yum -y install httpd;echo 10.0.0.7 website > /var/www/html/index.html;systemctl start httpd
[root@LanServer-2 ~]# yum -y install httpd;echo 10.0.0.17 website > /var/www/html/index.html;systemctl start httpd
[root@internet ~]# yum -y install httpd;echo 192.168.0.6 website > /var/www/html/index.html;service httpd start
#测试验证
[root@LanServer-1 ~]# curl 192.168.0.6
192.168.0.6 website
[root@LanServer-2 ~]# curl 192.168.0.6
192.168.0.6 website
[root@internet ~]#curl 10.0.0.7;curl 10.0.0.17
10.0.0.7 website
10.0.0.17 website
1.3 在防火墙上添加规则,实现公司内部局域网可以访问外网Internet的所有服务,而外网也能访问内网的所有服务
#在firewall上配置规则
[root@firewall ~]#iptables -A FORWARD -j REJECT
[root@firewall ~]#iptables -R FORWARD 1 -d 10.0.0.0/24 -j ACCEPT
[root@firewall ~]#iptables -I FORWARD -s 10.0.0.0/24 -j ACCEPT
[root@firewall ~]#iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -s 10.0.0.0/24 -j ACCEPT
-A FORWARD -d 10.0.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
#测试验证
[root@LanServer-1 ~]# curl 192.168.0.6
192.168.0.6 website
[root@LanServer-1 ~]# ping -c1 192.168.0.6
PING 192.168.0.6 (192.168.0.6) 56(84) bytes of data.
64 bytes from 192.168.0.6: icmp_seq=1 ttl=63 time=2.19 ms
--- 192.168.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.191/2.191/2.191/0.000 ms
[root@LanServer-1 ~]# ssh 192.168.0.6
The authenticity of host '192.168.0.6 (192.168.0.6)' can't be established.
RSA key fingerprint is SHA256:e311kZO35oN41c/oLBg4RhkSuREAdJfOeImiBZ88Oa0.
RSA key fingerprint is MD5:f5:cb:dc:93:35:47:0e:5f:9a:06:c6:8e:d0:05:a2:20.
Are you sure you want to continue connecting (yes/no)? ^C
[root@LanServer-2 ~]# curl 192.168.0.6
192.168.0.6 website
[root@LanServer-2 ~]# ping -c1 192.168.0.6
PING 192.168.0.6 (192.168.0.6) 56(84) bytes of data.
64 bytes from 192.168.0.6: icmp_seq=1 ttl=63 time=0.823 ms
--- 192.168.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.823/0.823/0.823/0.000 ms
[root@LanServer-2 ~]# ssh 192.168.0.6
The authenticity of host '192.168.0.6 (192.168.0.6)' can't be established.
RSA key fingerprint is SHA256:e311kZO35oN41c/oLBg4RhkSuREAdJfOeImiBZ88Oa0.
RSA key fingerprint is MD5:f5:cb:dc:93:35:47:0e:5f:9a:06:c6:8e:d0:05:a2:20.
Are you sure you want to continue connecting (yes/no)? ^C
1.4 实现公司内网可以访问指定的外网http服务,外网不能访问指定的内网http服务
#在firewall上配置规则
[root@firewall ~]#iptables -A FORWARD -j REJECT
[root@firewall ~]#iptables -I FORWARD -d 10.0.0.0/24 -p tcp --dport 80 -j ACCEPT
[root@firewall ~]#iptables -I FORWARD -s 10.0.0.0/24 -p tcp --sport 80 -j ACCEPT
[root@firewall ~]#iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -s 10.0.0.0/24 -p tcp -m tcp --sport 80 -j ACCEPT
-A FORWARD -d 10.0.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
#测试验证Internet外网可以访问内网的http服务,而内网不能访问外网的http服务
[root@LanServer-1 ~]# curl 192.168.0.6
curl: (7) Failed connect to 192.168.0.6:80; Connection refused
[root@LanServer-2 ~]# curl 192.168.0.6
curl: (7) Failed connect to 192.168.0.6:80; Connection refused
注意:这样外网虽然可以访问内网的http服务,但存在安全隐患:这两条规则只按端口号匹配,不跟踪连接状态,无法区分新建连接和已有连接的响应报文
1.5 实现外网不能ping通内网,而内网可以ping通外网
#在firewall上配置规则
#icmp类型:0是响应报文,8是请求报文
[root@firewall ~]#iptables -I FORWARD -s 10.0.0.0/24 -p icmp --icmp-type 8 -j ACCEPT
[root@firewall ~]#iptables -I FORWARD -d 10.0.0.0/24 -p icmp --icmp-type 0 -j ACCEPT
[root@firewall ~]#iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -d 10.0.0.0/24 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -p tcp -m tcp --sport 80 -j ACCEPT
-A FORWARD -d 10.0.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
#测试验证
[root@LanServer-1 ~]# ping -c1 192.168.0.6
PING 192.168.0.6 (192.168.0.6) 56(84) bytes of data.
64 bytes from 192.168.0.6: icmp_seq=1 ttl=63 time=1.03 ms
--- 192.168.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.033/1.033/1.033/0.000 ms
[root@LanServer-2 ~]# ping -c1 192.168.0.6
PING 192.168.0.6 (192.168.0.6) 56(84) bytes of data.
64 bytes from 192.168.0.6: icmp_seq=1 ttl=63 time=1.21 ms
--- 192.168.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.214/1.214/1.214/0.000 ms
[root@firewall ~]#iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
74 6216 ACCEPT icmp -- * * 0.0.0.0/0 10.0.0.0/24 icmptype 0
119 9996 ACCEPT icmp -- * * 10.0.0.0/24 0.0.0.0/0 icmptype 8
16 1898 ACCEPT tcp -- * * 10.0.0.0/24 0.0.0.0/0 tcp spt:80
27 2106 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.0/24 tcp dpt:80
76 6032 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1.6 实现外网不能访问内网的http服务,但内网可以访问外网的http服务
#在firewall上配置规则
[root@firewall ~]#iptables -A FORWARD -j REJECT
[root@firewall ~]#iptables -I FORWARD -s 10.0.0.0/24 -p tcp --dport 80 -j ACCEPT
[root@firewall ~]#iptables -I FORWARD -d 10.0.0.0/24 -p tcp --sport 80 -j ACCEPT
[root@firewall ~]#iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -d 10.0.0.0/24 -p tcp -m tcp --sport 80 -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
#测试验证
[root@LanServer-1 ~]# curl 192.168.0.6
192.168.0.6 website
[root@LanServer-2 ~]# curl 192.168.0.6
192.168.0.6 website
[root@firewall ~]#iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
20 2220 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.0/24 tcp spt:80
26 1732 ACCEPT tcp -- * * 10.0.0.0/24 0.0.0.0/0 tcp dpt:80
22 1528 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
在原有规则的基础上,接下来实现外网可以访问LanServer-1上的http服务
#在firewall上追加规则
[root@firewall ~]#iptables -I FORWARD 3 -d 10.0.0.7 -p tcp --dport 80 -j ACCEPT
[root@firewall ~]#iptables -I FORWARD 3 -s 10.0.0.7 -p tcp --sport 80 -j ACCEPT
[root@firewall ~]#iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -d 10.0.0.0/24 -p tcp -m tcp --sport 80 -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 10.0.0.7/32 -p tcp -m tcp --sport 80 -j ACCEPT
-A FORWARD -d 10.0.0.7/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
#测试验证
[root@LanServer-1 ~]# curl 192.168.0.6
192.168.0.6 website
[root@LanServer-2 ~]# curl 192.168.0.6
192.168.0.6 website
[root@firewall ~]#iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
35 3885 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.0/24 tcp spt:80
41 2761 ACCEPT tcp -- * * 10.0.0.0/24 0.0.0.0/0 tcp dpt:80
24 2844 ACCEPT tcp -- * * 10.0.0.7 0.0.0.0/0 tcp spt:80
38 3006 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.7 tcp dpt:80
52 3696 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
实现内网可以访问外网的所有服务,但外网只能访问LanServer-1上的http服务
#清空原有规则后重新配置(清空命令 iptables -F 未在此处列出)
[root@firewall ~]#iptables -A FORWARD -j REJECT
[root@firewall ~]#iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@firewall ~]#iptables -I FORWARD -m state -s 10.0.0.0/24 --state NEW -j ACCEPT
[root@firewall ~]#iptables -I FORWARD 3 -d 10.0.0.7 -p tcp --dport 80 -j ACCEPT
[root@firewall ~]#iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -s 10.0.0.0/24 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.0.0.7/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
#验证测试
[root@LanServer-1 ~]# curl 192.168.0.6
192.168.0.6 website
[root@LanServer-1 ~]# ping -c1 192.168.0.6
PING 192.168.0.6 (192.168.0.6) 56(84) bytes of data.
64 bytes from 192.168.0.6: icmp_seq=1 ttl=63 time=2.25 ms
--- 192.168.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.251/2.251/2.251/0.000 ms
[root@LanServer-1 ~]# ssh 192.168.0.6
The authenticity of host '192.168.0.6 (192.168.0.6)' can't be established.
RSA key fingerprint is SHA256:e311kZO35oN41c/oLBg4RhkSuREAdJfOeImiBZ88Oa0.
RSA key fingerprint is MD5:f5:cb:dc:93:35:47:0e:5f:9a:06:c6:8e:d0:05:a2:20.
Are you sure you want to continue connecting (yes/no)? ^C
[root@LanServer-2 ~]# curl 192.168.0.6
192.168.0.6 website
[root@LanServer-2 ~]# ping -c1 192.168.0.6
PING 192.168.0.6 (192.168.0.6) 56(84) bytes of data.
64 bytes from 192.168.0.6: icmp_seq=1 ttl=63 time=1.80 ms
--- 192.168.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.800/1.800/1.800/0.000 ms
[root@LanServer-2 ~]# ssh 192.168.0.6
The authenticity of host '192.168.0.6 (192.168.0.6)' can't be established.
RSA key fingerprint is SHA256:e311kZO35oN41c/oLBg4RhkSuREAdJfOeImiBZ88Oa0.
RSA key fingerprint is MD5:f5:cb:dc:93:35:47:0e:5f:9a:06:c6:8e:d0:05:a2:20.
Are you sure you want to continue connecting (yes/no)? ^C
注意:此方法还是存在安全隐患
2. iptables 实现NAT的实战案例
2.1 案例1:实现SNAT
目的:
实现内网可以访问外网,而外网不能访问内网
2.1.1 环境准备
准备四台主机
两台CentOS 7,一台CentOS 8,一台CentOS 6
internet:192.168.0.6/24 仅主机模式,#不需要配置网关
Firewall:NAT模式 eth0:10.0.0.8/24 eth1:192.168.0.8/24
LanServer-1:10.0.0.7/24 NAT模式,网关:10.0.0.8
LanServer-2:10.0.0.17/24 NAT模式,网关:10.0.0.8
2.1.2 在Internet、LanServer-1和LanServer-2上配置http服务
[root@LanServer-1 ~]# yum -y install httpd;echo 10.0.0.7 website > /var/www/html/index.html;systemctl start httpd
[root@LanServer-2 ~]# yum -y install httpd;echo 10.0.0.17 website > /var/www/html/index.html;systemctl start httpd
[root@internet ~]# yum -y install httpd;echo 192.168.0.6 website > /var/www/html/index.html;service httpd start
#测试验证
[root@LanServer-1 ~]# curl 192.168.0.6
192.168.0.6 website
[root@LanServer-2 ~]# curl 192.168.0.6
192.168.0.6 website
[root@internet ~]#curl 10.0.0.7;curl 10.0.0.17
10.0.0.7 website
10.0.0.17 website
2.1.3 在firewall上配置规则
注意:firewall上要开启ip_forward转发功能
[root@firewall ~]#iptables -F
#针对专线静态公共IP
[root@firewall ~]#iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source 192.168.0.8
[root@firewall ~]#iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-A POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source 192.168.0.8
#拨号网络(动态公网IP)和专线静态公网IP均适用,建议使用MASQUERADE方式
#[root@firewall ~]#iptables -t nat -R POSTROUTING 1 -s 10.0.0.0/24 -j MASQUERADE
2.1.4 测试验证
[root@LanServer-1 ~]# curl 192.168.0.6
192.168.0.6 website
[root@LanServer-1 ~]# ping -c1 192.168.0.6
PING 192.168.0.6 (192.168.0.6) 56(84) bytes of data.
64 bytes from 192.168.0.6: icmp_seq=1 ttl=63 time=2.91 ms
--- 192.168.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.915/2.915/2.915/0.000 ms
[root@LanServer-1 ~]# ssh 192.168.0.6
The authenticity of host '192.168.0.6 (192.168.0.6)' can't be established.
RSA key fingerprint is SHA256:e311kZO35oN41c/oLBg4RhkSuREAdJfOeImiBZ88Oa0.
RSA key fingerprint is MD5:f5:cb:dc:93:35:47:0e:5f:9a:06:c6:8e:d0:05:a2:20.
Are you sure you want to continue connecting (yes/no)? ^C
[root@LanServer-2 ~]# curl 192.168.0.6
192.168.0.6 website
[root@LanServer-2 ~]# ping -c1 192.168.0.6
PING 192.168.0.6 (192.168.0.6) 56(84) bytes of data.
64 bytes from 192.168.0.6: icmp_seq=1 ttl=63 time=2.33 ms
--- 192.168.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.337/2.337/2.337/0.000 ms
[root@LanServer-2 ~]# ssh 192.168.0.6
The authenticity of host '192.168.0.6 (192.168.0.6)' can't be established.
RSA key fingerprint is SHA256:e311kZO35oN41c/oLBg4RhkSuREAdJfOeImiBZ88Oa0.
RSA key fingerprint is MD5:f5:cb:dc:93:35:47:0e:5f:9a:06:c6:8e:d0:05:a2:20.
Are you sure you want to continue connecting (yes/no)? ^C
2.2 案例2:实现DNAT
2.2.1 环境准备
准备四台主机
两台CentOS 7,一台CentOS 8,一台CentOS 6
internet:192.168.0.6/24 仅主机模式,#不需要配置网关
Firewall:NAT模式 eth0:10.0.0.8/24 eth1:192.168.0.8/24
LanServer-1:10.0.0.7/24 NAT模式,网关:10.0.0.8
LanServer-2:10.0.0.17/24 NAT模式,网关:10.0.0.8
2.2.2 在Internet、LanServer-1和LanServer-2上配置http服务
[root@LanServer-1 ~]# yum -y install httpd;echo 10.0.0.7 website > /var/www/html/index.html;systemctl start httpd
[root@LanServer-2 ~]# yum -y install httpd;echo 10.0.0.17 website > /var/www/html/index.html;systemctl start httpd
[root@internet ~]# yum -y install httpd;echo 192.168.0.6 website > /var/www/html/index.html;service httpd start
#测试验证
[root@LanServer-1 ~]# curl 192.168.0.6
192.168.0.6 website
[root@LanServer-2 ~]# curl 192.168.0.6
192.168.0.6 website
[root@internet ~]#curl 10.0.0.7;curl 10.0.0.17
10.0.0.7 website
10.0.0.17 website
2.2.3 在firewall上配置规则
注意:firewall上要开启ip_forward转发功能
[root@firewall ~]#iptables -t nat -R PREROUTING 1 -d 192.168.0.8 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.7
[root@firewall ~]#iptables -S -t nat
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-A PREROUTING -d 192.168.0.8/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.7
-A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE
2.2.4 测试验证
[root@LanServer-1 ~]# curl 192.168.0.6
192.168.0.6 website
[root@LanServer-1 ~]# ping -c1 192.168.0.6
PING 192.168.0.6 (192.168.0.6) 56(84) bytes of data.
64 bytes from 192.168.0.6: icmp_seq=1 ttl=63 time=2.91 ms
--- 192.168.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.915/2.915/2.915/0.000 ms
[root@LanServer-1 ~]# ssh 192.168.0.6
The authenticity of host '192.168.0.6 (192.168.0.6)' can't be established.
RSA key fingerprint is SHA256:e311kZO35oN41c/oLBg4RhkSuREAdJfOeImiBZ88Oa0.
RSA key fingerprint is MD5:f5:cb:dc:93:35:47:0e:5f:9a:06:c6:8e:d0:05:a2:20.
Are you sure you want to continue connecting (yes/no)? ^C
[root@LanServer-2 ~]# curl 192.168.0.6
192.168.0.6 website
[root@LanServer-2 ~]# ping -c1 192.168.0.6
PING 192.168.0.6 (192.168.0.6) 56(84) bytes of data.
64 bytes from 192.168.0.6: icmp_seq=1 ttl=63 time=2.33 ms
--- 192.168.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.337/2.337/2.337/0.000 ms
[root@LanServer-2 ~]# ssh 192.168.0.6
The authenticity of host '192.168.0.6 (192.168.0.6)' can't be established.
RSA key fingerprint is SHA256:e311kZO35oN41c/oLBg4RhkSuREAdJfOeImiBZ88Oa0.
RSA key fingerprint is MD5:f5:cb:dc:93:35:47:0e:5f:9a:06:c6:8e:d0:05:a2:20.
Are you sure you want to continue connecting (yes/no)? ^C
2.3 案例3:实现redirect本地端口转发
2.3.1 环境准备
#同上配置
2.3.2 在Internet、LanServer-1和LanServer-2上配置http服务
#同上配置
2.3.3 在firewall上配置规则
#同上配置
2.3.4 在LanServer-1上配置本地转发规则
#修改80端口号为8080
[root@LanServer-1 ~]# vim /etc/httpd/conf/httpd.conf
Listen 8080
[root@LanServer-1 ~]# systemctl restart httpd
[root@LanServer-1 ~]# ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 [::1]:25 [::]:*
LISTEN 0 128 [::]:8080 [::]:*
LISTEN 0 128 [::]:22 [::]:*
#注意:由于在本机上转发端口,所以不需要开启ip_forward转发功能
[root@LanServer-1 ~]# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
2.3.5 测试验证
[root@LanServer-1 ~]# curl 192.168.0.6
192.168.0.6 website
[root@LanServer-1 ~]# ping -c1 192.168.0.6
PING 192.168.0.6 (192.168.0.6) 56(84) bytes of data.
64 bytes from 192.168.0.6: icmp_seq=1 ttl=63 time=1.19 ms
--- 192.168.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.197/1.197/1.197/0.000 ms
[root@LanServer-1 ~]# ssh 192.168.0.6
The authenticity of host '192.168.0.6 (192.168.0.6)' can't be established.
RSA key fingerprint is SHA256:e311kZO35oN41c/oLBg4RhkSuREAdJfOeImiBZ88Oa0.
RSA key fingerprint is MD5:f5:cb:dc:93:35:47:0e:5f:9a:06:c6:8e:d0:05:a2:20.
Are you sure you want to continue connecting (yes/no)? ^C
[root@LanServer-2 ~]# curl 192.168.0.6
192.168.0.6 website
[root@LanServer-2 ~]# ping -c1 192.168.0.6
PING 192.168.0.6 (192.168.0.6) 56(84) bytes of data.
64 bytes from 192.168.0.6: icmp_seq=1 ttl=63 time=1.93 ms
--- 192.168.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.931/1.931/1.931/0.000 ms
[root@LanServer-2 ~]# ssh 192.168.0.6
The authenticity of host '192.168.0.6 (192.168.0.6)' can't be established.
RSA key fingerprint is SHA256:e311kZO35oN41c/oLBg4RhkSuREAdJfOeImiBZ88Oa0.
RSA key fingerprint is MD5:f5:cb:dc:93:35:47:0e:5f:9a:06:c6:8e:d0:05:a2:20.
Are you sure you want to continue connecting (yes/no)? ^C
3. NAT综合实验案例
目的:
实现SNAT和DNAT的综合案例
能让LanSer和RemSer互相通信
3.1 环境准备
四台主机:两台CentOS 8,一台CentOS 6,一台CentOS 7
LanSer:192.168.0.6/24 网关:192.168.0.8 仅主机vmnet1
RemSer:172.16.0.7/24 网关:172.16.0.18 仅主机vmnet6
firewall-1:eth0:10.0.0.8/24 eth1:192.168.0.8/24 NAT模式
firewall-2:eth0:10.0.0.18/24 eth1:172.16.0.18/24 NAT模式
3.2 在LanSer和RemSer上配置http服务
[root@LanSer ~]#yum -y install httpd;echo LanSer website > /var/www/html/index.html;service httpd start;chkconfig httpd on
[root@RemSer ~]#yum -y install httpd;echo RemSer website > /var/www/html/index.html;systemctl enable --now httpd
#测试验证http服务
[root@LanSer ~]#curl 127.0.0.1
LanSer website
[root@RemSer ~]#curl 127.0.0.1
RemSer website
3.3 配置规则
#开启ip_forward转发功能
[root@firewall-1 ~]#echo 1 > /proc/sys/net/ipv4/ip_forward
#先实现LanSer能访问RemSer的http服务
#在firewall-1上配置SNAT
[root@firewall-1 ~]#iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
#在firewall-2上配置DNAT
[root@firewall-2 ~]#iptables -t nat -A PREROUTING -d 10.0.0.18 -p tcp --dport 80 -j DNAT --to-destination 172.16.0.7:80
#验证测试
[root@LanSer ~]#curl 10.0.0.18
RemSer website
#开启ip_forward转发功能
[root@firewall-2 ~]#echo 1 > /proc/sys/net/ipv4/ip_forward
#再实现RemSer能访问LanSer的http服务
#在firewall-2上配置SNAT
[root@firewall-2 ~]#iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
#在firewall-1上配置DNAT
[root@firewall-1 ~]#iptables -t nat -A PREROUTING -d 10.0.0.8 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.6:80
#验证测试
[root@RemSer ~]#curl 10.0.0.8
LanSer website