SNAT和DNAT经典案例
1、要求
- 外网主机访问防火墙11.135的80端口,转换为内网服务器的25.132的80端口服务
- 内网出去的源地址转换为11.135的地址
2、环境需要
- 三台CentOS7
- 三台能互相通信
一、环境部署
1、三台CentOS7基础配置
- 内网服务器的配置
#修改成静态IP
[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
[root@localhost ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="static"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="ens33"
UUID="7f087dc4-11ef-4b12-87ba-fb174e47e355"
DEVICE="ens33"
ONBOOT="yes"
IPADDR=192.168.25.132
NETMASK=255.255.255.0
GATEWAY=192.168.25.135 #网关指向iptables防火墙
#打开80端口的服务可以访问
[root@localhost ~]# /opt/lampp/lampp start
Starting XAMPP for Linux 5.6.40-1...
XAMPP: Starting Apache...ok.
XAMPP: Starting MySQL...ok.
XAMPP: Starting ProFTPD...ok.
-
访问查看服务是否启动
-
这里没搭建过的可以参考之前的教程
-
iptables防火墙配置
添加第二个网卡
#防火墙IP可以DHCP也可以设置静态
#开启允许转发
[root@localhost ~]# echo net.ipv4.ip_forward = 1 >> /etc/sysctl.conf
[root@localhost ~]# cat /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.ip_forward = 1
#启动一下刚刚配置的
[root@localhost ~]# sysctl -p /etc/sysctl.conf
net.ipv4.ip_forward = 1
- 外网的主机
- 直接桥接真实网络
[root@CentOS7-4 ~]# ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 0.0.0.0
ether 02:42:ea:ee:fe:64 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.11.38 netmask 255.255.255.0 broadcast 192.168.11.255
inet6 fe80::fda6:6bd9:e8be:4183 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:b6:ef:bb txqueuelen 1000 (Ethernet)
RX packets 13533 bytes 1791081 (1.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 405 bytes 35952 (35.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 8 bytes 832 (832.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8 bytes 832 (832.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
- 验证互相通信
#内网主机ping防火墙
[root@localhost ~]# ping 192.168.25.135
PING 192.168.25.135 (192.168.25.135) 56(84) bytes of data.
64 bytes from 192.168.25.135: icmp_seq=1 ttl=64 time=1.33 ms
64 bytes from 192.168.25.135: icmp_seq=2 ttl=64 time=0.283 ms
64 bytes from 192.168.25.135: icmp_seq=3 ttl=64 time=0.370 ms
64 bytes from 192.168.25.135: icmp_seq=4 ttl=64 time=0.477 ms
#防火墙ping外网主机
[root@localhost ~]# ping 192.168.11.38
PING 192.168.11.38 (192.168.11.38) 56(84) bytes of data.
64 bytes from 192.168.11.38: icmp_seq=1 ttl=64 time=0.382 ms
64 bytes from 192.168.11.38: icmp_seq=2 ttl=64 time=0.293 ms
64 bytes from 192.168.11.38: icmp_seq=3 ttl=64 time=0.794 ms
2、部署iptables策略
#入站目标地址是11.135的80端口把目标地址转换成25.135（注意：按"要求"中的描述，内网服务器是25.132，而25.135是防火墙内网口的地址；--to 应指向提供80端口服务的内网服务器，请核对后再下发规则）
[root@localhost ~]# iptables -t nat -I PREROUTING -d 192.168.11.135 -p tcp --dport 80 -i ens35 -j DNAT --to 192.168.25.135
#出站的源ip地址是25.132转换成源地址为11.135
[root@localhost ~]# iptables -t nat -A POSTROUTING -s 192.168.25.132 -o ens35 -j SNAT --to-source 192.168.11.135
3、验证
#使用外网主机访问防火墙
[root@CentOS7-4 ~]# curl 192.168.11.135
用wireshark抓包看看
也可以使用本机的浏览器去访问
可以把内网服务器和iptables放在vlan1里面形成一个内网