SNAT
拓扑图:
基础配置
实验准备:
firewall主机
[root@firewall ~]#cat /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
IPADDR=10.0.0.5
PREFIX=24
GATEWAY=10.0.0.2
DEFROUTE=yes
DNS1=10.0.0.2
DNS2=223.5.5.5
DNS3=211.136.20.203
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=ens33
UUID=91a133de-1837-4d97-9a1c-90fa4c71ebe5
DEVICE=ens33
ONBOOT=yes
[root@firewall ~]#cat /etc/sysconfig/network-scripts/ifcfg-ens36
TYPE=Ethernet
BOOTPROTO=static
IPADDR=192.168.10.5
PREFIX=24
DEFROUTE=yes
NAME=ens36
DEVICE=ens36
ONBOOT=yes
#重新加载网卡配置
[root@centos8 ~]#nmcli con reload
[root@centos8 ~]#nmcli con up ens36
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)
[root@centos8 ~]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:f6:1b:96 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.5/24 brd 10.0.0.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fef6:1b96/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: ens36: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:f6:1b:a0 brd ff:ff:ff:ff:ff:ff
inet 192.168.10.5/24 brd 192.168.10.255 scope global noprefixroute ens36
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fef6:1ba0/64 scope link
valid_lft forever preferred_lft forever
更改主机名
[root@centos8 ~]#hostname firewall
[root@centos8 ~]#bash
启用路由转发
[root@firewall ~]#sysctl -a | grep ip_forward
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
[root@firewall ~]#cat /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.ip_forward = 1
#使配置生效
[root@firewall ~]#sysctl -p
net.ipv4.ip_forward = 1
开启路由转发功能之后,10网段和192网段此时已经互通了
删掉默认路由
[root@firewall ~]#ip route
default via 10.0.0.2 dev ens33 proto static metric 100
10.0.0.0/24 dev ens33 proto kernel scope link src 10.0.0.5 metric 100
192.168.10.0/24 dev ens36 proto kernel scope link src 192.168.10.5 metric 101
[root@firewall ~]#ip route del default via 10.0.0.2 dev ens33 proto static metric 100
[root@firewall ~]#ip route
10.0.0.0/24 dev ens33 proto kernel scope link src 10.0.0.5 metric 100
192.168.10.0/24 dev ens36 proto kernel scope link src 192.168.10.5 metric 101
设置防火墙规则:
#拒绝从非10网段发往10网段的新建连接(只有10网段可以主动发起访问,已建立连接的回包不受影响)
[root@firewall ~]#iptables -A FORWARD ! -s 10.0.0.0/24 -d 10.0.0.0/24 -m state --state NEW -j REJECT
[root@firewall ~]#iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1 60 REJECT all -- * * !10.0.0.0/24 10.0.0.0/24 state NEW reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
#设置nat转换,规则添加在nat表的POSTROUTING链中
[root@firewall ~]#iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 10.0.0.5
#查看防火墙规则是否生效
[root@firewall ~]#iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * * 192.168.10.0/24 0.0.0.0/0 to:10.0.0.5
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Lanserver1主机
[root@centos8 ~]#hostname lanserver1;bash
#网卡配置
[root@lanserver1 ~]#cat /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
IPADDR=10.0.0.6
NETMASK=255.255.255.0
GATEWAY=10.0.0.5
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=ens33
UUID=fe4d2230-1a83-467c-a338-eda6e7a5119a
DEVICE=ens33
ONBOOT=yes
#重新加载网卡配置
[root@centos8 ~]#nmcli con reload
[root@centos8 ~]#nmcli con up ens33
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)
Lanserver2主机
[root@lanserver2 ~]#cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
IPADDR=10.0.0.7
NETMASK=255.255.255.0
GATEWAY=10.0.0.5
DNS1=223.5.5.5
客户端:
注意客户端不配置网关
[root@localhost ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="static"
IPADDR=192.168.10.10
NETMASK=255.255.255.0
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="ens33"
UUID="554f0ed4-9978-4844-85ee-97e4d68b5401"
DEVICE="ens33"
ONBOOT="yes"
[root@localhost ~]# ip route
192.168.10.0/24 dev ens33 proto kernel scope link src 192.168.10.10 metric 100
防火墙配置
#设置防火墙对10网段发往非10网段的流量自动做源地址转换,使用出接口地址作为公网地址(作者此处指防火墙的10.0.0.5地址;注意MASQUERADE取的是出接口地址,发往192网段时下方抓包看到的源地址是192.168.10.5)
[root@firewall ~]#iptables -t nat -A POSTROUTING -s 10.0.0.0/24 ! -d 10.0.0.0/24 -j MASQUERADE
[root@firewall ~]#iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 10.0.0.0/24 !10.0.0.0/24
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
测试
lanserver1 ping 192网段
[root@lanserver1 ~]#ping 192.168.10.10
PING 192.168.10.10 (192.168.10.10) 56(84) bytes of data.
64 bytes from 192.168.10.10: icmp_seq=1 ttl=63 time=0.935 ms
64 bytes from 192.168.10.10: icmp_seq=2 ttl=63 time=0.515 ms
64 bytes from 192.168.10.10: icmp_seq=3 ttl=63 time=1.71 ms
64 bytes from 192.168.10.10: icmp_seq=4 ttl=63 time=1.84 ms
客户端抓包测试
[root@localhost ~]# tcpdump -i ens33 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
14:30:25.832929 IP 192.168.10.5 > 192.168.10.10: ICMP echo request, id 29439, seq 1, length 64
14:30:25.832956 IP 192.168.10.10 > 192.168.10.5: ICMP echo reply, id 29439, seq 1, length 64
14:30:26.836322 IP 192.168.10.5 > 192.168.10.10: ICMP echo request, id 29439, seq 2, length 64
14:30:26.836340 IP 192.168.10.10 > 192.168.10.5: ICMP echo reply, id 29439, seq 2, length 64
14:30:27.848660 IP 192.168.10.5 > 192.168.10.10: ICMP echo request, id 29439, seq 3, length 64
14:30:27.848769 IP 192.168.10.10 > 192.168.10.5: ICMP echo reply, id 29439, seq 3, length 64
DNAT
在firewall中添加防火墙规则
[root@firewall ~]#iptables -t nat -A PREROUTING -d 192.168.10.5 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.6
[root@firewall ~]#iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.10.5 tcp dpt:80 to:10.0.0.6
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1 84 MASQUERADE all -- * * 10.0.0.0/24 !10.0.0.0/24
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
192网段测试
[root@localhost ~]# curl 192.168.10.5
lanserver1
#查看lanserver1的访问日志,DNAT只改目的地址,所以日志中可以看到客户端的真实源IP
[root@lanserver1 ~]#tail /var/log/httpd/access_log -f
10.0.0.5 - - [13/Sep/2021:12:23:21 +0800] "GET / HTTP/1.1" 403 199691 "-" "curl/7.29.0"
192.168.10.10 - - [13/Sep/2021:18:52:42 +0800] "GET / HTTP/1.1" 200 11 "-" "curl/7.29.0"
REDIRECT
本机端口重定向转发
更改lanserver1的httpd默认监听端口
[root@lanserver1 conf]#grep "^Listen" /etc/httpd/conf/httpd.conf
Listen 9090
#重启服务
[root@lanserver1 conf]#systemctl restart httpd
[root@lanserver1 conf]#ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 10 10.0.0.6:53 0.0.0.0:*
LISTEN 0 10 127.0.0.1:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 127.0.0.1:953 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6010 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6011 0.0.0.0:*
LISTEN 0 128 *:9090 *:*
LISTEN 0 10 [::1]:53 [::]:*
#外部访问本机的80端口,但本机的httpd服务监听在9090端口上,用REDIRECT把80重定向到9090
[root@lanserver1 conf]#iptables -t nat -A PREROUTING -d 10.0.0.6 -p tcp --dport 80 -j REDIRECT --to-ports 9090
[root@lanserver1 conf]#iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- * * 0.0.0.0/0 10.0.0.6 tcp dpt:80 redir ports 9090
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
客户端测试
[root@localhost ~]# curl 192.168.10.5
lanserver1
iptables持久化保存规则
#保存规则到文件(iptables规则重启后会丢失,需要保存并在开机时恢复;iptables-save输出到标准输出,要用重定向写入文件)
iptables-save > /PATH/TO/FILE
#从文件中恢复规则
iptables-restore /PATH/TO/FILE
综合实验