CentOS8 iptables之NAT

SNAT

拓扑图(原图未随文本导出,以下按下文各主机的配置整理):
  客户端 192.168.10.10 ── [ens36 192.168.10.5] firewall [ens33 10.0.0.5] ── lanserver1 10.0.0.6 / lanserver2 10.0.0.7
  lanserver1/2 的网关指向 firewall 的 10.0.0.5;客户端不配网关(原因见下文 MASQUERADE 部分的说明)。

基础配置

实验准备:
firewall主机

[root@firewall ~]#cat /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
IPADDR=10.0.0.5
PREFIX=24
GATEWAY=10.0.0.2
DEFROUTE=yes
DNS1=10.0.0.2
DNS2=223.5.5.5
DNS3=211.136.20.203
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=ens33
UUID=91a133de-1837-4d97-9a1c-90fa4c71ebe5
DEVICE=ens33
ONBOOT=yes
[root@firewall ~]#cat /etc/sysconfig/network-scripts/ifcfg-ens36
TYPE=Ethernet
BOOTPROTO=static
IPADDR=192.168.10.5
PREFIX=24
DEFROUTE=yes
NAME=ens36
DEVICE=ens36
ONBOOT=yes

#重新加载网卡配置
[root@centos8 ~]#nmcli con reload
[root@centos8 ~]#nmcli con up ens36
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)

[root@centos8 ~]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:f6:1b:96 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.5/24 brd 10.0.0.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fef6:1b96/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: ens36: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:f6:1b:a0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.5/24 brd 192.168.10.255 scope global noprefixroute ens36
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fef6:1ba0/64 scope link
       valid_lft forever preferred_lft forever

更改主机名(注意:`hostname xxx` 只修改运行时主机名,重启后会恢复;要持久化应使用 `hostnamectl set-hostname firewall`。后面执行 `bash` 只是为了让提示符刷新成新主机名)

[root@centos8 ~]#hostname firewall
[root@centos8 ~]#bash

启用路由转发

[root@firewall ~]#sysctl -a | grep ip_forward
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
[root@firewall ~]#cat /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.ip_forward = 1

#使配置生效(`sysctl -p` 只重新加载 /etc/sysctl.conf;如果像上面注释建议的那样把设置放在 /etc/sysctl.d/ 下,需要用 `sysctl --system`)
[root@firewall ~]#sysctl -p
net.ipv4.ip_forward = 1

开启路由转发功能之后,10 网段和 192 网段之间的包就可以经 firewall 转发了。但真正"互通"还要求两端都有回程路由:lanserver 的网关是 10.0.0.5,而客户端没有配网关(见下文),它收到来自 10.0.0.x 的包时无法回复——这正是后面要加 MASQUERADE 的原因。
删掉默认路由(注意下面删的只是 default 这一条路由,不是整张路由表;`ip route del` 不持久,ifcfg-ens33 里仍有 GATEWAY=10.0.0.2,重启或重新 `nmcli con up ens33` 后会恢复。删掉它是为了让 firewall 不再把其它目的地址的包送往 10.0.0.2,实验流量只在这两个网段之间转发)

[root@firewall ~]#ip route
default via 10.0.0.2 dev ens33 proto static metric 100
10.0.0.0/24 dev ens33 proto kernel scope link src 10.0.0.5 metric 100
192.168.10.0/24 dev ens36 proto kernel scope link src 192.168.10.5 metric 101
[root@firewall ~]#ip route del default via 10.0.0.2 dev ens33 proto static metric 100
[root@firewall ~]#ip route
10.0.0.0/24 dev ens33 proto kernel scope link src 10.0.0.5 metric 100
192.168.10.0/24 dev ens36 proto kernel scope link src 192.168.10.5 metric 101

设置防火墙规则(filter 表):下面只加了一条 FORWARD 规则,INPUT/OUTPUT 仍是默认策略 ACCEPT,即 firewall 主机自身完全不做过滤。另外 CentOS 8 默认启用 firewalld,它也会下发自己的规则,做本实验前应先 `systemctl disable --now firewalld`,否则看到的规则集会和本页不一致。

#只拒绝从 10 网段之外主动发起(NEW)、目的为 10 网段的连接;由 10 网段发起的连接其回包不匹配 NEW,由 FORWARD 默认策略 ACCEPT 放行。`-m state` 是旧写法,等价的现行写法是 `-m conntrack --ctstate NEW`。注意:这条规则同样会拦下后面 DNAT 小节里转到 10.0.0.6 的请求(DNAT 之后包的源是 192.168.10.10、目的是 10.0.0.6、状态是 NEW),要让 DNAT 生效,需在它前面插入放行规则,例如 `iptables -I FORWARD -d 10.0.0.6 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT`;本页后面没有再展示 filter 表,推测作者是把这条规则清掉了。
[root@firewall ~]#iptables -A FORWARD ! -s 10.0.0.0/24 -d 10.0.0.0/24 -m state --state NEW -j REJECT
[root@firewall ~]#iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 REJECT     all  --  *      *      !10.0.0.0/24          10.0.0.0/24          state NEW reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

#设置 SNAT:规则加在 nat 表的 POSTROUTING 链上(POSTROUTING 是链,不是表)。这条规则没有限定出接口、也没有排除目的地址,建议加上 `-o ens33`,只对从 ens33 出去的包改写源地址。另外注意,后面 MASQUERADE 小节展示的 nat 表里已经看不到这条 SNAT 规则,说明中间清过 nat 表(`iptables -t nat -F`),本页没有展示这一步。
[root@firewall ~]#iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 10.0.0.5
#查看防火墙规则是否生效
[root@firewall ~]#iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       192.168.10.0/24      0.0.0.0/0            to:10.0.0.5

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Lanserver1主机

[root@centos8 ~]#hostname lanserver1;bash
#网卡配置
[root@lanserver1 ~]#cat /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
IPADDR=10.0.0.6
NETMASK=255.255.255.0
GATEWAY=10.0.0.5
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=ens33
UUID=fe4d2230-1a83-467c-a338-eda6e7a5119a
DEVICE=ens33
ONBOOT=yes
#重新加载网卡配置
[root@centos8 ~]#nmcli con reload
[root@centos8 ~]#nmcli con up ens33
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)

Lanserver2主机

[root@lanserver2 ~]#cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
IPADDR=10.0.0.7
NETMASK=255.255.255.0
GATEWAY=10.0.0.5
DNS1=223.5.5.5

客户端:
注意客户端不配置网关:这是为了验证 MASQUERADE——10 网段访问客户端时,源地址会被改写成 firewall 在 ens36 上的地址 192.168.10.5,与客户端同网段,客户端不需要网关也能回包(见下文抓包)。但这也意味着客户端无法主动访问 10 网段,除非给它加上 `GATEWAY=192.168.10.5`。

[root@localhost ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="static"
IPADDR=192.168.10.10
NETMASK=255.255.255.0
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="ens33"
UUID="554f0ed4-9978-4844-85ee-97e4d68b5401"
DEVICE="ens33"
ONBOOT="yes"

[root@localhost ~]# ip route
192.168.10.0/24 dev ens33 proto kernel scope link src 192.168.10.10 metric 100

防火墙配置

#MASQUERADE 会把源地址改成包实际离开的那个接口的地址(每个包动态查找),并不固定是 10.0.0.5:下面的测试中 10.0.0.6 ping 客户端的包从 ens36 发出,源地址被改成了 192.168.10.5。这条规则没有 `-o`,会对所有出接口生效,正式环境应加 `-o ens36`(或相应的外网口)限定范围。MASQUERADE 适用于出口地址会变化(拨号、DHCP)的场景;出口地址固定时用 SNAT 更高效。
[root@firewall ~]#iptables -t nat -A POSTROUTING -s 10.0.0.0/24 ! -d 10.0.0.0/24 -j MASQUERADE
[root@firewall ~]#iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      *       10.0.0.0/24         !10.0.0.0/24

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
测试

lanserver1 ping 192 网段(回包 ttl=63,说明经过了 firewall 这一跳转发)

[root@lanserver1 ~]#ping 192.168.10.10
PING 192.168.10.10 (192.168.10.10) 56(84) bytes of data.
64 bytes from 192.168.10.10: icmp_seq=1 ttl=63 time=0.935 ms
64 bytes from 192.168.10.10: icmp_seq=2 ttl=63 time=0.515 ms
64 bytes from 192.168.10.10: icmp_seq=3 ttl=63 time=1.71 ms
64 bytes from 192.168.10.10: icmp_seq=4 ttl=63 time=1.84 ms

客户端抓包测试(可以看到请求的源地址已被改写成 firewall 的 ens36 地址 192.168.10.5,而不是 10.0.0.6;客户端的回包也直接发给 192.168.10.5,这就是客户端不需要网关的原因)

[root@localhost ~]# tcpdump -i ens33 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
14:30:25.832929 IP 192.168.10.5 > 192.168.10.10: ICMP echo request, id 29439, seq 1, length 64
14:30:25.832956 IP 192.168.10.10 > 192.168.10.5: ICMP echo reply, id 29439, seq 1, length 64
14:30:26.836322 IP 192.168.10.5 > 192.168.10.10: ICMP echo request, id 29439, seq 2, length 64
14:30:26.836340 IP 192.168.10.10 > 192.168.10.5: ICMP echo reply, id 29439, seq 2, length 64
14:30:27.848660 IP 192.168.10.5 > 192.168.10.10: ICMP echo request, id 29439, seq 3, length 64
14:30:27.848769 IP 192.168.10.10 > 192.168.10.5: ICMP echo reply, id 29439, seq 3, length 64

DNAT

在 firewall 中添加 DNAT 规则(nat 表 PREROUTING 链):把到达 192.168.10.5:80 的 TCP 请求的目的地址改写为 10.0.0.6。这条规则没有限定入接口和来源,任何能到达 192.168.10.5 的主机都能访问到内网的 10.0.0.6:80,正式环境应加 `-i ens36`。另外 DNAT 只改写地址,并不等于放行:filter 表 FORWARD 链还要允许 `-d 10.0.0.6 -p tcp --dport 80` 的新连接——如果前面 SNAT 小节加的 FORWARD REJECT 规则还在,这个请求会被拒绝。

[root@firewall ~]#iptables -t nat -A PREROUTING -d 192.168.10.5 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.6
[root@firewall ~]#iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.10.5         tcp dpt:80 to:10.0.0.6

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    84 MASQUERADE  all  --  *      *       10.0.0.0/24         !10.0.0.0/24

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

192网段测试

[root@localhost ~]# curl 192.168.10.5
lanserver1

#查看 lanserver1 的访问日志,可以看到真实源 IP 192.168.10.10:DNAT 只改写目的地址,源地址保留(MASQUERADE 规则只匹配 `-s 10.0.0.0/24`,对这条流不生效)。这要求 lanserver1 的回包必须经 firewall 返回——它的网关正是 10.0.0.5——否则会形成非对称路由、连接建立失败。日志第一行来自 10.0.0.5 的 403 记录是更早(12:23)的一次访问,与本次测试无关。
[root@lanserver1 ~]#tail /var/log/httpd/access_log -f
10.0.0.5 - - [13/Sep/2021:12:23:21 +0800] "GET / HTTP/1.1" 403 199691 "-" "curl/7.29.0"

192.168.10.10 - - [13/Sep/2021:18:52:42 +0800] "GET / HTTP/1.1" 200 11 "-" "curl/7.29.0"

REDIRECT

本机端口重定向转发(REDIRECT 相当于目的地址为本机的 DNAT,只改写目的端口)
更改 lanserver1 的 httpd 默认监听端口(下面的操作都在 lanserver1 上,原标题里的"server2"应为笔误)

[root@lanserver1 conf]#grep "^Listen" /etc/httpd/conf/httpd.conf
Listen  9090

#重启服务
[root@lanserver1 conf]#systemctl restart httpd
[root@lanserver1 conf]#ss -ntl
State         Recv-Q        Send-Q               Local Address:Port               Peer Address:Port        Process
LISTEN        0             10                        10.0.0.6:53                      0.0.0.0:*
LISTEN        0             10                       127.0.0.1:53                      0.0.0.0:*
LISTEN        0             128                        0.0.0.0:22                      0.0.0.0:*
LISTEN        0             5                        127.0.0.1:631                     0.0.0.0:*
LISTEN        0             100                      127.0.0.1:25                      0.0.0.0:*
LISTEN        0             128                      127.0.0.1:953                     0.0.0.0:*
LISTEN        0             128                      127.0.0.1:6010                    0.0.0.0:*
LISTEN        0             128                      127.0.0.1:6011                    0.0.0.0:*
LISTEN        0             128                              *:9090                          *:*
LISTEN        0             10                           [::1]:53                         [::]:*
#外部访问本机的 80 端口,但 httpd 监听在 9090:在 nat 表 PREROUTING 链用 REDIRECT 改写目的端口。注意 PREROUTING 只处理从网卡进来的包,本机自己执行 `curl 127.0.0.1` 或 `curl 10.0.0.6` 不会经过这条规则;如有需要,再在 nat 表 OUTPUT 链加一条同样的规则。
[root@lanserver1 conf]#iptables -t nat -A PREROUTING -d 10.0.0.6 -p tcp --dport 80 -j REDIRECT --to-ports 9090
[root@lanserver1 conf]#iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            10.0.0.6             tcp dpt:80 redir ports 9090

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

客户端测试(完整链路:客户端 → firewall 的 DNAT 把目的改为 10.0.0.6:80 → lanserver1 的 REDIRECT 把目的端口改为 9090 → httpd)

[root@localhost ~]# curl 192.168.10.5
lanserver1

iptables 持久化保存规则(用 `iptables` 命令添加的规则只存在于内核内存,重启即丢失,需要保存到文件并在开机时恢复)

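#Save the running ruleset. iptables-save prints to stdout, so the file name
#must be given via a redirect (a bare path argument is not accepted; recent
#versions also offer `-f FILE`). Add -c to keep packet/byte counters.
iptables-save > /PATH/TO/FILE
#Restore the ruleset from the file. iptables-restore reads stdin (recent
#versions also accept the path as an argument). It flushes the current rules
#first; pass -n to append instead of replacing.
iptables-restore < /PATH/TO/FILE
#Rules added with iptables live only in kernel memory and are lost on reboot.
#With the iptables-services package, /etc/sysconfig/iptables is the file
#restored at boot (assumes that package is installed -- verify on the host).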

综合实验
