linux DNAT & SNAT
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了linux DNAT & SNAT相关的知识,希望对你有一定的参考价值。
iptables --- nat(地址转换)
环境
1.机器一
192.168.1.3(公网)
192.168.183.127(内网)
2.机器二
192.168.183.128(内网)
实验前我在vm虚拟机上添加一个网口,有ip地址但是却没有配置文件
可以这么做
nmcli con show (查看设备唯一标识符uuid)
ip addr (网卡硬件MAC地址)
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
NAME=ens37
UUID=a2d0be5d-0769-48b4-9270-b3eacd1d243e
DEVICE=ens37
ONBOOT=yes
IPADDR=192.168.183.128
NETMASK=255.255.255.0
GATEWAY=192.168.1.3
HWADDR=00:0c:29:ab:38:87
防火墙规则,调用内核的安全策略。
[[email protected] ~]# iptables -t filter -L (默认查看filter表里的列)
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[[email protected] ~]# iptables -t nat -L (这次试验使用到的表--nat表)
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ssh 登陆转换 dnat(目标地址转换,公网ip--->内网ip,意思就是你想访问目标地址转变了)
机器一:
[[email protected] ~]# vim /etc/ssh/sshd_config
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes (之前做过证书登陆,这里改成yes)
[[email protected] ~]# service iptables stop
iptables: Setting chains to policy ACCEPT: filter nat [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
[[email protected] ipv4]# echo 1 > ip_forward (立即生效)
[[email protected] ipv4]# cat ip_forward
1
[[email protected] ipv4]# pwd
/proc/sys/net/ipv4
[[email protected] ipv4]# vim /etc/sysctl.conf (永久生效)
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
[[email protected] ipv4]# sysctl -p (刷新sysctl.conf文件)
net.ipv4.ip_forward = 1
机器二:
[[email protected] ~]# ifdown ens33 (确保不会通过此网卡连接)
[[email protected] ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens37
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
NAME=ens37
UUID=a2d0be5d-0769-48b4-9270-b3eacd1d243e
DEVICE=ens37
ONBOOT=yes
IPADDR=192.168.183.128
NETMASK=255.255.255.0
GATEWAY=192.168.1.3 (这里网关指向机器一公网ip)
HWADDR=00:0c:29:ab:38:87
~
[[email protected] ~]# iptables -t nat -A PREROUTING -d 192.168.1.3 -p tcp --dport 22 -j DNAT --to-destination
192.168.18.128:22
**测试**: (这里使用的是XSHELL)
Connecting to 192.168.1.3:22... (登陆的是1.3)
Connection established.
To escape to local shell, press ‘Ctrl+Alt+]‘.
Last login: Fri May 4 18:32:54 2018 from 192.168.1.138
[[email protected] ~]# ifconfig (成功转换到18.128上面)
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether 00:0c:29:ab:38:7d txqueuelen 1000 (Ethernet)
RX packets 350 bytes 37643 (36.7 KiB)
RX errors 0 dropped 1 overruns 0 frame 0
TX packets 124 bytes 18169 (17.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.18.128 netmask 255.255.255.0 broadcast 192.168.18.255
inet6 fe80::20c:29ff:feab:3887 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:ab:38:87 txqueuelen 1000 (Ethernet)
RX packets 271 bytes 38878 (37.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 198 bytes 54004 (52.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 40 bytes 3448 (3.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 40 bytes 3448 (3.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ssh 登陆转换 snat(源地址转换,内网ip--->公网ip,意思就是你所使用源ip地址转变了)
这里稍微改下iptbales协议即可
[[email protected] ~]# iptables -t nat -A POSTROUTING -s 192.168.18.128 -j SNAT --to-source 192.168.1.3
*(原本192.168.18.128是不可以访问外网的,这里就以ping www.baidu.com为例。看下效果图即可)
1.128这台机器resolv.conf文件dns服务器先指定好
2.没添加snat协议时:
3.添加 iptables -t nat -A POSTROUTING -s 192.168.18.128 -j SNAT --to-source 192.168.1.3 协议后:
明天分享下web的搭建。。
以上是关于linux DNAT & SNAT的主要内容,如果未能解决你的问题,请参考以下文章