SNAT和DNAT策略与应用

防火墙

[root@zhong ~]# iptables -t nat -I POSTROUTING -s 192.168.100.1/24 -o ens36 -j SNAT --to-source 192.168.200.120
[root@zhong ~]# iptables -t nat -L POSTROUTING 
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  192.168.100.0/24     anywhere             to:192.168.200.120
[root@zhong ~]# ping 192.168.200.130
PING 192.168.200.130 (192.168.200.130) 56(84) bytes of data.
64 bytes from 192.168.200.130: icmp_seq=1 ttl=64 time=0.287 ms
64 bytes from 192.168.200.130: icmp_seq=2 ttl=64 time=0.436 ms
[root@zhong ~]# iptables -t nat -A PREROUTING -i ens36 -d 192.168.200.120 -p tcp --dport 80 -j DNAT --to-destination 192.168.100.110
[root@zhong ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  anywhere             server2              tcp dpt:http to:192.168.100.110

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  192.168.100.0/24     anywhere             to:192.168.200.120 

客户机内网安装测试

[root@yi ~]# yum -y install httpd
[root@yi ~]# echo "this is my dog." > /var/www/html/index.html
[root@yi ~]# systemctl start httpd
[root@yi ~]# systemctl stop firewalld
[root@yi ~]# setenforce 0
[root@yi ~]# netstat -anpt | grep httpd
tcp6       0      0 :::80                   :::*                    LISTEN      55966/httpd  中间防火墙

客户机外网访问

[root@er ~]# curl http://192.168.200.120
this is my dog.