iptables/netfilter
利用filter表的FORWARD链,可以充当网络防火墙:
注意的问题:
(1) 请求-响应报文均会经由FORWARD链,要注意规则的方向性
(2) 如果要启用conntrack机制,建议将双方向的状态为ESTABLISHED的报文直接放行
NAT的实现分为下面类型:
SNAT:source NAT ,支持POSTROUTING, INPUT,让本地网络中的主机通过某一特定地址访问
外部网络,实现地址伪装,请求报文:修改源IP
DNAT:destination NAT 支持PREROUTING , OUTPUT,把本地网络中的主机上的某服务开放给外
部网络访问(发布服务和端口映射),但隐藏真实IP,请求报文:修改目标IP
PNAT: port nat,端口和IP都进行修改
环境准备:
web1服务器:172.31.0.17
web2服务器:172.31.0.27
模拟外网:192.168.0.100 # 仅主机模式
防火墙服务器:172.31.0.37 # 添加一个网卡仅主机模式192.168.0.106
两台web安装软件:
# 安装并启动
[root@localhost ~]# yum install httpd -y ; echo 172.31.0.17 > /var/www/html/index.html;systemctl start httpd
[root@localhost ~]# yum install httpd -y ; echo 172.31.0.27 > /var/www/html/index.html;systemctl start httpd
# 两台web的网关必须指向防火墙服务器的eth0网卡
[root@localhost ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.31.0.37 0.0.0.0 UG 100 0 0 eth0
172.31.0.0 0.0.0.0 255.255.0.0 U 100 0 0 eth0
配置防火墙服务器
# 172.31.0.37
# 开启路由转发功能
[root@localhost ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@localhost ~]# sysctl -p
net.ipv4.ip_forward = 1
tcpdump抓包分析问题
# 172.31.0.27
[root@localhost ~]# tcpdump -i eth0 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
21:48:08.680084 IP 192.168.0.100 > 172.31.0.27: ICMP echo request, id 2237, seq 1, length 64
21:48:08.680693 IP 172.31.0.27 > 192.168.0.100: ICMP echo reply, id 2237, seq 1, length 64
21:48:09.721779 IP 192.168.0.100 > 172.31.0.27: ICMP echo request, id 2237, seq 2, length 64
21:48:09.721947 IP 172.31.0.27 > 192.168.0.100: ICMP echo reply, id 2237, seq 2, length 64
模