iptables NAT
First, understand that NAT comes in two forms:
- SNAT: the outbound policy (rewrites the source address of traffic leaving the internal network)
- DNAT: the inbound policy (rewrites the destination address of traffic arriving from outside)
Next, a small project to make this concrete.
Implementation steps:
- The firewall in the middle acts as the router, with IP forwarding enabled so it can perform NAT:
[root@localhost ~]# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
- Configure the policies on the firewall:
(1) Outbound policy (SNAT)
[root@localhost ~]# iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -o ens37 -j SNAT --to-source 202.10.100.5
(2) Inbound policy (DNAT)
[root@localhost ~]# iptables -t nat -I PREROUTING -d 202.10.100.5 -p tcp --dport 80 -i ens37 -j DNAT --to-destination 192.168.1.10
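The same setup as a re-runnable script, added here as an example and not part of the original post: it makes the forwarding sysctl live (the `echo` into sysctl.conf alone only applies after `sysctl -p` or a reboot) and adds each rule only if it is not already present, so repeated runs do not stack duplicate rules the way repeated `iptables -I` does. Addresses and interface names are the post's; the `NAT_APPLY` variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the post's SNAT/DNAT setup in a
# re-runnable way: rules are added only when absent (iptables -C), and ip_forward is
# switched on in the running kernel instead of only being appended to sysctl.conf.
# Values below are the post's; rename them for your own network.
LAN_NET="192.168.1.0/24"   # internal network behind the firewall
WAN_IF="ens37"             # firewall's external interface
WAN_IP="202.10.100.5"      # public address on WAN_IF
WEB_SRV="192.168.1.10"     # internal web server reached through DNAT

# Rule specifications (chain name plus match/target), built from parameters so the
# exact same text is used both to check for the rule and to add it.
snat_spec() { printf 'POSTROUTING -s %s -o %s -j SNAT --to-source %s' "$1" "$2" "$3"; }
dnat_spec() { printf 'PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s' "$1" "$2" "$3" "$4"; }

# Append a nat-table rule only when iptables -C reports it is not already there.
ensure_rule() {
  # shellcheck disable=SC2086
  # word-splitting the spec into separate arguments is intended here
  iptables -t nat -C $1 2>/dev/null || iptables -t nat -A $1
}

# Enable forwarding now and persist it; the post's echo alone needs "sysctl -p" first.
enable_forwarding() {
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  grep -q '^net.ipv4.ip_forward=1' /etc/sysctl.conf || echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
}

apply_nat() {
  enable_forwarding
  ensure_rule "$(snat_spec "$LAN_NET" "$WAN_IF" "$WAN_IP")"
  ensure_rule "$(dnat_spec "$WAN_IF" "$WAN_IP" 80 "$WEB_SRV")"
  # show what is actually in place after the run
  iptables -t nat -S POSTROUTING
  iptables -t nat -S PREROUTING
}

# Only change the system when explicitly asked (NAT_APPLY=1, as root), so the file can
# be sourced for its functions without side effects.
if [ "${NAT_APPLY:-0}" = "1" ]; then apply_nat; fi
```

Run as `NAT_APPLY=1 sh nat.sh` on the firewall; the `-S` listings at the end are what to compare against the rules in the post.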
Verifying the result
[root@localhost ~]# ping 192.168.2.30
PING 192.168.2.30 (192.168.2.30) 56(84) bytes of data.
64 bytes from 192.168.2.30: icmp_seq=1 ttl=63 time=1.83 ms
64 bytes from 192.168.2.30: icmp_seq=2 ttl=63 time=1.84 ms
64 bytes from 192.168.2.30: icmp_seq=3 ttl=63 time=2.17 ms
^C
--- 192.168.2.30 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 1.836/1.950/2.170/0.159 ms
[root@localhost ~]# curl http://192.168.2.20
123