
5. Implementing SNAT and DNAT with iptables, and persisting the rules

2022-07-24 19:34:25  Views: 281  Source: Internet

Tags: iptables SNAT DNAT 10.0 0.0 0.8 host internet root



SNAT:

Internet-host:

[root@internet-host html]#service iptables stop

[root@internet-host html]#yum install httpd -y

[root@internet-host html]#echo internet Server > /var/www/html/index.html

[root@internet-host html]#hostname -I

10.0.0.6

[root@internet-host html]# route -n

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0

169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0

0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0

lan-host:

[root@lan-host ~]#hostname -I

192.168.100.7

[root@lan-host ~]# route add default gw 192.168.100.8 dev eth0

[root@lan-host ~]# route -n

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

0.0.0.0         192.168.100.8   0.0.0.0         UG    100    0        0 eth0

192.168.100.0   0.0.0.0         255.255.255.0   U     100    0        0 eth0

Firewall:

[root@firewall-host ~]#iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -j SNAT --to-source 10.0.0.8

[root@firewall-host ~]#iptables -vnL -t nat

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         

   21  1356 SNAT       all  --  *      *       192.168.100.0/24     0.0.0.0/0            to:10.0.0.8

lan-host:

[root@lan-host ~]#curl 10.0.0.6

internet Server

[root@internet-host ~]#curl 192.168.100.7

curl: (7) Failed to connect to 192.168.100.7: Network is unreachable

[root@lan-host ~]#ping 10.0.0.6

PING 10.0.0.6 (10.0.0.6) 56(84) bytes of data.

64 bytes from 10.0.0.6: icmp_seq=1 ttl=63 time=0.535 ms

64 bytes from 10.0.0.6: icmp_seq=2 ttl=63 time=2.07 ms

64 bytes from 10.0.0.6: icmp_seq=3 ttl=63 time=1.24 ms

64 bytes from 10.0.0.6: icmp_seq=4 ttl=63 time=1.26 ms

64 bytes from 10.0.0.6: icmp_seq=5 ttl=63 time=0.804 ms

internet-host:

[root@internet-host html]# tail /var/log/httpd/access_log

10.0.0.8 - - [24/Jul/2022:23:37:04 +0800] "GET / HTTP/1.1" 200 16 "-" "curl/7.29.0"

10.0.0.8 - - [24/Jul/2022:23:37:05 +0800] "GET / HTTP/1.1" 200 16 "-" "curl/7.29.0"

10.0.0.8 - - [24/Jul/2022:23:37:05 +0800] "GET / HTTP/1.1" 200 16 "-" "curl/7.29.0"

[root@internet-host html]# tcpdump -i eth0 -nn icmp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

23:54:44.591977 IP 10.0.0.8 > 10.0.0.6: ICMP echo request, id 21455, seq 160, length 64

23:54:44.592017 IP 10.0.0.6 > 10.0.0.8: ICMP echo reply, id 21455, seq 160, length 64

23:54:45.594044 IP 10.0.0.8 > 10.0.0.6: ICMP echo request, id 21455, seq 161, length 64

23:54:45.594083 IP 10.0.0.6 > 10.0.0.8: ICMP echo reply, id 21455, seq 161, length 64

DNAT:

Firewall:

[root@firewall ~]#vim /etc/sysctl.conf

net.ipv4.ip_forward=1

[root@firewall ~]#sysctl -p

[root@firewall ~]#iptables -t nat -A PREROUTING -d 192.168.0.8 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.7

[root@firewall ~]#ss -ntl

State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       100     127.0.0.1:25         0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       100     [::1]:25             [::]:*

[root@internet ~]# curl 192.168.0.8

lanserver1

[root@lanserver1 ~]#tail /var/log/httpd/access_log

[root@lanserver1 ~]# service httpd stop

Redirecting to /bin/systemctl stop httpd.service

[root@internet ~]# curl 192.168.0.8

curl: (7) couldn't connect to host

[root@firewall ~]# iptables -t nat -A PREROUTING -d 192.168.0.8 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.17

[root@internet ~]# curl 192.168.0.8

lanserver2

Persisting the rules:

[root@firewall ~]# iptables-save > /etc/sysconfig/iptables

[root@firewall ~]# vim /etc/rc.d/rc.local

#!/bin/bash

iptables-restore < /etc/sysconfig/iptables

[root@firewall ~]# chmod +x /etc/rc.d/rc.local
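The SNAT rule, the DNAT rules and the rc.local persistence above are all entered by hand, one `iptables -A` at a time. Two things a practitioner would want on top of that: the nat PREROUTING chain is first-match, so a second DNAT rule appended with `-A` only takes effect once the earlier rule is deleted, and the FORWARD chain is left at its ACCEPT default, so the firewall forwards anything routed through it. The script below is an added example, not part of the original post, that builds the firewall's whole ruleset in the iptables-restore format that `iptables-save` writes to /etc/sysconfig/iptables, so every load replaces the nat and filter tables atomically instead of appending, and gives FORWARD a default-deny policy. It keeps the post's SNAT topology (LAN 192.168.100.0/24 behind the outside address 10.0.0.8) and assumes the web server reached through DNAT is lan-host, 192.168.100.7; the interface names eth0 (outside) and eth1 (LAN) and the rules file path are assumptions for this lab.

```shell
#!/bin/sh
# Added example (not from the original post): generate the firewall-host's
# NAT + forwarding ruleset in iptables-restore format and persist it.
# Addresses follow the post's SNAT lab; WEB_BACKEND (lan-host), the interface
# names and RULES_FILE are assumptions.
set -eu

LAN_NET="192.168.100.0/24"     # inside network (the post's lan-host side)
WAN_ADDR="10.0.0.8"            # firewall's outside address, used for SNAT
WAN_IF="eth0"                  # assumption: outside interface
LAN_IF="eth1"                  # assumption: LAN interface
WEB_BACKEND="192.168.100.7"    # assumption: lan-host runs the web server reached via DNAT
RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables}"   # where the post's iptables-save writes

# Emit the full ruleset. iptables-restore replaces each table atomically, so
# loading this twice never leaves a stale DNAT rule in front of a new one
# (with repeated 'iptables -A' the earlier rule keeps winning: first match counts).
build_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT: HTTP arriving on the outside address goes to the internal web server
-A PREROUTING -i $WAN_IF -d $WAN_ADDR -p tcp --dport 80 -j DNAT --to-destination $WEB_BACKEND
# SNAT: LAN hosts leave with the firewall's fixed outside address
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_ADDR
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# FORWARD is default-deny; only the flows the NAT rules need are let through
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_BACKEND -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Number of '-A' rules the file will load (sanity check before applying).
count_rules() {
    build_ruleset | grep -c '^-A '
}

# Audit: succeeds (exit 0) only if every rule that names the backend is
# restricted to --dport 80, i.e. DNAT did not quietly expose more than HTTP.
backend_only_port_80() {
    ! build_ruleset | grep -- "$WEB_BACKEND" | grep -v -- '--dport 80' | grep -q .
}

# Write the file, check that it parses, load it, and enable forwarding. This
# replaces the post's manual 'iptables-save > file' plus the rc.local restore.
apply_ruleset() {
    build_ruleset > "$RULES_FILE"
    iptables-restore --test "$RULES_FILE"
    iptables-restore "$RULES_FILE"
    sysctl -w net.ipv4.ip_forward=1
}

case "${1:-print}" in
    apply) apply_ruleset ;;          # run as root on the firewall
    *)     build_ruleset ;;          # dry run: show what would be loaded
esac
```

Run it without arguments to review the generated file, and with `apply` on the firewall to write, verify and load it; because the file carries the complete state of both tables, re-running it after a change (for example switching the DNAT target from one backend to another) replaces the old rule rather than appending a dead one behind it.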

             

 

Source: https://www.cnblogs.com/biaoming534/p/16515250.html