iptables实现SNAT和DNAT，并对规则持久保存 (iptables SNAT and DNAT lab, with rule persistence)
Note: the SNAT and DNAT sections below use two different address plans. In the SNAT lab the firewall is 192.168.100.8 (inside) / 10.0.0.8 (outside); in the DNAT lab the public address is 192.168.0.8 and the backends are 10.0.0.7 and 10.0.0.17. Read each section as its own topology rather than one continuous setup.
SNAT:
Internet-host:
[root@internet-host html]# service iptables stop    # lab only: this disables all packet filtering on internet-host
[root@internet-host html]# yum install httpd -y
[root@internet-host html]# echo internet Server > /var/www/html/index.html
[root@internet-host html]#hostname -I
10.0.0.6
[root@internet-host html]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
0.0.0.0 10.0.0.1 0.0.0.0 UG 0 0 0 eth0
lan-host:
[root@lan-host ~]#hostname -I
192.168.100.7
[root@lan-host ~]# route add default gw 192.168.100.8 dev eth0    # runtime only: lost on reboot; persist it in the interface configuration (modern equivalent: ip route add default via 192.168.100.8 dev eth0)
[root@lan-host ~]# route -n
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.100.8 0.0.0.0 UG 100 0 0 eth0
192.168.100.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
Firewall:
[root@firewall-host ~]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -j SNAT --to-source 10.0.0.8
Notes: (1) the firewall must also have net.ipv4.ip_forward=1 — the sysctl step is only shown in the DNAT section below, but it is required for SNAT as well; (2) as written the rule rewrites every packet from 192.168.100.0/24 on any outbound interface — adding an `-o <outside-interface>` match limits the rewrite to traffic actually leaving toward 10.0.0.0/24; (3) SNAT requires a fixed outside address; if the outside address is assigned dynamically, use `-j MASQUERADE` instead.
[root@firewall-host ~]# iptables -vnL -t nat    # (output below was captured on a CentOS 8 host, where iptables is the nftables-backed variant; confirm with iptables -V)
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
21 1356 SNAT all -- * * 192.168.100.0/24 0.0.0.0/0 to:10.0.0.8
lan-host:
[root@lan-host ~]#curl 10.0.0.6
internet Server
[root@internet-host ~]# curl 192.168.100.7
curl: (7) Failed to connect to 192.168.100.7: Network is unreachable
This is expected: SNAT only rewrites the source of outbound connections. internet-host has no route to 192.168.100.0/24 (its routing table above lists only 10.0.0.0/24 and a default via 10.0.0.1), so it cannot reach lan-host directly. This is a routing consequence, not a filtering decision — nothing on this page adds FORWARD-chain rules on the firewall, so do not read this failure as proof that the internal network is protected.
[root@lan-host ~]#ping 10.0.0.6
PING 10.0.0.6 (10.0.0.6) 56(84) bytes of data.
64 bytes from 10.0.0.6: icmp_seq=1 ttl=63 time=0.535 ms
64 bytes from 10.0.0.6: icmp_seq=2 ttl=63 time=2.07 ms
64 bytes from 10.0.0.6: icmp_seq=3 ttl=63 time=1.24 ms
64 bytes from 10.0.0.6: icmp_seq=4 ttl=63 time=1.26 ms
64 bytes from 10.0.0.6: icmp_seq=5 ttl=63 time=0.804 ms
(ttl=63 on the replies is consistent with exactly one forwarding hop — the firewall — between the two hosts, assuming the usual Linux default TTL of 64.)
internet-host:
[root@internet-host html]# tail /var/log/httpd/access_log
10.0.0.8 - - [24/Jul/2022:23:37:04 +0800] "GET / HTTP/1.1" 200 16 "-" "curl/7.29.0"
10.0.0.8 - - [24/Jul/2022:23:37:05 +0800] "GET / HTTP/1.1" 200 16 "-" "curl/7.29.0"
10.0.0.8 - - [24/Jul/2022:23:37:05 +0800] "GET / HTTP/1.1" 200 16 "-" "curl/7.29.0"
All three requests are logged with source 10.0.0.8 — the firewall's outside address — not the real client 192.168.100.7. Behind SNAT the upstream server cannot attribute requests to individual internal hosts; if per-client attribution is needed for incident response, record the NAT mappings on the firewall itself (connection-tracking logs or a LOG rule), since that is the only place the translation is visible.
[root@internet-host html]# tcpdump -i eth0 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
23:54:44.591977 IP 10.0.0.8 > 10.0.0.6: ICMP echo request, id 21455, seq 160, length 64
23:54:44.592017 IP 10.0.0.6 > 10.0.0.8: ICMP echo reply, id 21455, seq 160, length 64
23:54:45.594044 IP 10.0.0.8 > 10.0.0.6: ICMP echo request, id 21455, seq 161, length 64
23:54:45.594083 IP 10.0.0.6 > 10.0.0.8: ICMP echo reply, id 21455, seq 161, length 64
DNAT:
Firewall:
[root@firewall ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward=1
[root@firewall ~]# sysctl -p
Enabling ip_forward turns this host into a router for all of its interfaces. This page adds no filter-table FORWARD rules, so forwarding policy is whatever the host's default is; in practice restrict FORWARD to the intended flows (for the DNAT case: new connections to the backends on port 80, plus ESTABLISHED/RELATED traffic) rather than relying on the default.
[root@firewall ~]# iptables -t nat -A PREROUTING -d 192.168.0.8 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.7
DNAT rewrites only the destination; the client's source address is preserved, so the backend must route its replies back through this firewall (i.e. use it as its default gateway) — otherwise return traffic bypasses the NAT and the connection fails. Matching the inbound interface as well (`-i <outside-interface>`) keeps the rule from also applying to traffic that arrives on the inside.
[root@firewall ~]# ss -ntl
State   Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN  0      128    0.0.0.0:22           0.0.0.0:*
LISTEN  0      100    127.0.0.1:25         0.0.0.0:*
LISTEN  0      128    [::]:22              [::]:*
LISTEN  0      100    [::1]:25             [::]:*
Nothing on the firewall listens on port 80: the PREROUTING DNAT rule rewrites the destination before the routing decision, so a request to 192.168.0.8:80 is forwarded to the backend instead of being delivered locally.
[root@internet ~]# curl 192.168.0.8
lanserver1
[root@lanserver1 ~]#tail /var/log/httpd/access_log
[root@lanserver1 ~]# service httpd stop
Redirecting to /bin/systemctl stop httpd.service
[root@internet ~]# curl 192.168.0.8
curl: (7) couldn't connect to host
[root@firewall ~]# iptables -t nat -A PREROUTING -d 192.168.0.8 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.17
Caution: `-A` appends, so the earlier rule (to 10.0.0.7) stays ahead of this one and, as the first match, would still win for new connections. The result below (lanserver2) presumably means the old rule was removed first — a step not shown here — e.g. `iptables -t nat -D PREROUTING -d 192.168.0.8 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.7`, or replace it in place with `iptables -t nat -R PREROUTING 1 ...`. Verify with `iptables -t nat -vnL PREROUTING --line-numbers`; a forgotten NAT rule silently steers traffic to a host that may no longer be the intended target.
[root@internet ~]# curl 192.168.0.8
lanserver2
对规则持久保存 (persisting the rules):
[root@firewall ~]# iptables-save > /etc/sysconfig/iptables
[root@firewall ~]# chmod 600 /etc/sysconfig/iptables    # the saved ruleset documents the internal network layout; keep it readable by root only
[root@firewall ~]# vim /etc/rc.d/rc.local
#!/bin/bash
iptables-restore < /etc/sysconfig/iptables
[root@firewall ~]# chmod +x /etc/rc.d/rc.local
Caveat: rc.local runs late in boot, after networking is up, so on every reboot there is a window where ip_forward=1 (persisted in sysctl.conf above) is already active but the rules are not yet loaded. On CentOS/RHEL the usual approach is the iptables-services package (`yum install iptables-services && systemctl enable --now iptables`), which restores /etc/sysconfig/iptables as a service ordered before the network comes up; if rc.local is kept, at least confirm that rc-local.service is enabled, and on CentOS 8 make sure firewalld is not also active, since two managers of the same tables will overwrite each other's rules.