Linux DNAT & SNAT

Editor's note: this article was compiled by the cha138.com editors and covers Linux DNAT & SNAT; we hope it is of some reference value.

iptables --- nat (address translation)

Environment
1. Machine one (the gateway)
192.168.1.3 (public side)
192.168.183.127 (internal side)

2. Machine two
192.168.183.128 (internal)

(The DNAT/SNAT rules and the ifconfig output further down show machine two as 192.168.18.128 on a 192.168.18.0/24 network; the 183 in this environment listing and in the ifcfg files looks like a transcription slip, so read both as the same internal host.)

Before the experiment I added a second NIC to the VM in VMware; it came up with an IP address but had no ifcfg file, so one can be written by hand as follows.

nmcli con show   (shows the connection's UUID)
ip addr          (shows the NIC's hardware MAC address)

BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
NAME=ens37
UUID=a2d0be5d-0769-48b4-9270-b3eacd1d243e
DEVICE=ens37
ONBOOT=yes
IPADDR=192.168.183.128
NETMASK=255.255.255.0
GATEWAY=192.168.1.3
HWADDR=00:0c:29:ab:38:87

iptables rules program the kernel's netfilter packet-filtering and NAT policy.

[root@machine1 ~]# iptables -t filter -L   (lists the filter table, which is the default when -t is omitted)
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination    
[root@machine1 ~]# iptables -t nat -L   (the nat table, which this exercise uses)
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         

SSH login redirection with DNAT (destination address translation, public IP ---> internal IP: the destination you are trying to reach is rewritten)

Machine one:
[root@machine1 ~]# vim /etc/ssh/sshd_config
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes   (certificate login had been set up earlier; it is switched back to yes here for the test. On an sshd reachable from the public side, leaving password authentication disabled in favour of key authentication is the safer setting.)

[root@machine1 ~]# service iptables stop   (flushes every rule and resets every chain policy to ACCEPT)
iptables: Setting chains to policy ACCEPT: filter nat      [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]

[root@machine1 ipv4]# echo 1 > ip_forward   (takes effect immediately; run from /proc/sys/net/ipv4, as pwd shows below)
[root@machine1 ipv4]# cat ip_forward 
1
[root@machine1 ipv4]# pwd
/proc/sys/net/ipv4

[root@machine1 ipv4]# vim /etc/sysctl.conf   (persistent across reboots)
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
[root@machine1 ipv4]# sysctl -p   (reloads sysctl.conf)
net.ipv4.ip_forward = 1
Machine two:
[root@machine2 ~]# ifdown ens33   (make sure the session cannot arrive through this NIC)

[root@machine2 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens37 

TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
NAME=ens37
UUID=a2d0be5d-0769-48b4-9270-b3eacd1d243e
DEVICE=ens37
ONBOOT=yes
IPADDR=192.168.183.128
NETMASK=255.255.255.0
GATEWAY=192.168.1.3   (the author points the gateway at machine one's public IP; a default gateway has to lie inside the interface's own subnet, so this should be machine one's internal address, 192.168.183.127 in the environment above, otherwise the kernel refuses to install the default route)
HWADDR=00:0c:29:ab:38:87
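Before loading a file like this, it is worth checking that the gateway is actually on-link for the address being configured. The following added example (not from the post) performs that check on an ifcfg file in plain POSIX sh; the sample file it builds mirrors the values above, with the public address 192.168.1.3 as gateway for a 192.168.183.0/24 host.

```shell
#!/bin/sh
# Added example, not part of the original post: check that the GATEWAY in an
# ifcfg-style file lies inside the subnet given by IPADDR/NETMASK. A default
# gateway that is not on-link (the post uses machine one's public address
# 192.168.1.3 for a host on 192.168.183.0/24) is refused by the kernel.

# ip2int: dotted-quad -> unsigned 32-bit integer, e.g. 192.168.1.3 -> 3232235779
ip2int() {
    echo "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# same_subnet IP NETMASK GATEWAY: succeed (0) if GATEWAY shares IP's network
same_subnet() {
    _ip=$(ip2int "$1"); _mask=$(ip2int "$2"); _gw=$(ip2int "$3")
    [ $(( _ip & _mask )) -eq $(( _gw & _mask )) ]
}

# ifcfg_get KEY: print the value of KEY=value from ifcfg text on stdin
ifcfg_get() {
    sed -n "s/^$1=//p" | tr -d '"' | head -n 1
}

# check_ifcfg FILE: print a verdict; return 0 if the gateway is on-link, 1 if not
check_ifcfg() {
    ip=$(ifcfg_get IPADDR < "$1")
    mask=$(ifcfg_get NETMASK < "$1")
    gw=$(ifcfg_get GATEWAY < "$1")
    if same_subnet "$ip" "$mask" "$gw"; then
        echo "ok: GATEWAY=$gw is on-link for $ip/$mask"
    else
        echo "error: GATEWAY=$gw is outside the subnet of $ip/$mask; the default route will not install"
        return 1
    fi
}

# Constructed sample mirroring the post's ifcfg-ens37 (public IP used as gateway)
sample=$(mktemp)
cat > "$sample" <<'EOF'
DEVICE=ens37
BOOTPROTO=static
IPADDR=192.168.183.128
NETMASK=255.255.255.0
GATEWAY=192.168.1.3
EOF
check_ifcfg "$sample" || true     # prints the error verdict without aborting
rm -f "$sample"
```

Point `check_ifcfg` at the real /etc/sysconfig/network-scripts/ifcfg-ens37 on machine two; replacing the GATEWAY value with machine one's internal address makes it report ok.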
On machine one (the gateway, which owns 192.168.1.3):
[root@machine1 ~]# iptables -t nat -A PREROUTING -d 192.168.1.3 -p tcp --dport 22 -j DNAT --to-destination 192.168.18.128:22

(Every connection from another host to 192.168.1.3:22 is now handed to machine two, so machine one's own sshd is no longer reachable through its public address while this rule is in place; forward a different public port if both must stay reachable.)
**Test**: (done from Xshell)
Connecting to 192.168.1.3:22...   (the address logged in to is 1.3)
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

Last login: Fri May  4 18:32:54 2018 from 192.168.1.138
[root@machine2 ~]# ifconfig   (the session actually landed on 18.128: the redirection worked)
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 00:0c:29:ab:38:7d  txqueuelen 1000  (Ethernet)
        RX packets 350  bytes 37643 (36.7 KiB)
        RX errors 0  dropped 1  overruns 0  frame 0
        TX packets 124  bytes 18169 (17.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.18.128  netmask 255.255.255.0  broadcast 192.168.18.255
        inet6 fe80::20c:29ff:feab:3887  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:ab:38:87  txqueuelen 1000  (Ethernet)
        RX packets 271  bytes 38878 (37.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 198  bytes 54004 (52.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 40  bytes 3448 (3.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 40  bytes 3448 (3.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Outbound access with SNAT (source address translation, internal IP ---> public IP: the source address you are seen to use is rewritten)

Only a small change to the iptables rule is needed; it again goes on machine one, the gateway:

[root@machine1 ~]# iptables -t nat -A POSTROUTING -s 192.168.18.128 -j SNAT --to-source 192.168.1.3
* (192.168.18.128 could not reach the outside network before; ping www.baidu.com is used as the example, see the screenshots below. SNAT rewrites to a fixed address; when the public address is assigned dynamically, -j MASQUERADE uses the outgoing interface's current address instead.)


1. On 18.128 (machine two), set the DNS server in /etc/resolv.conf first.
2. Before adding the SNAT rule:
[screenshot]
3. After adding iptables -t nat -A POSTROUTING -s 192.168.18.128 -j SNAT --to-source 192.168.1.3:
[screenshot]
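The DNAT and SNAT rules above work only because `service iptables stop` left the FORWARD chain at policy ACCEPT, the DNAT rule matches on every interface, and the SNAT rule rewrites the source on every egress path. Below is an added example, not part of the original post, that renders the same gateway as an iptables-restore ruleset with those three holes closed (net.ipv4.ip_forward=1 is still required, as set earlier), together with an awk audit that flags them in iptables-save output. The interface names ens33 (external) and ens37 (internal) for machine one and the external port 2222 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the post's own commands. Renders the post's DNAT + SNAT
# gateway as an iptables-restore ruleset with the restrictions a production
# gateway needs, and audits iptables-save text for the three weaknesses left
# by the original rules. Assumptions (not from the post): machine one's
# external NIC is ens33 and internal NIC ens37; external port 2222 is used for
# the forwarded SSH so the gateway's own sshd on :22 stays reachable.
# net.ipv4.ip_forward=1 must still be set on the gateway.

# render_nat_rules WAN_IF LAN_IF PUBLIC_IP LAN_NET INTERNAL_HOST EXT_PORT INT_PORT
render_nat_rules() {
    wan=$1 lan=$2 pub=$3 net=$4 host=$5 eport=$6 iport=$7
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $wan -d $pub -p tcp --dport $eport -j DNAT --to-destination $host:$iport
-A POSTROUTING -s $net -o $wan -j SNAT --to-source $pub
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $wan -o $lan -d $host -p tcp --dport $iport -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i $lan -o $wan -s $net -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# post_rules: the post's own setup in iptables-save form (constructed here)
post_rules() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.1.3 -p tcp --dport 22 -j DNAT --to-destination 192.168.18.128:22
-A POSTROUTING -s 192.168.18.128 -j SNAT --to-source 192.168.1.3
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT
EOF
}

# audit_nat_rules: read iptables-save text on stdin, print one finding per line,
# return 1 if anything was found
audit_nat_rules() {
    awk '
        /^:FORWARD ACCEPT/ { print "FORWARD policy ACCEPT: every routed packet is allowed"; n++ }
        /-j DNAT/ && !/ -i / { print "DNAT not bound to an ingress interface: " $0; n++ }
        /-j (SNAT|MASQUERADE)/ && !/ -o / { print "SNAT not bound to an egress interface: " $0; n++ }
        END { exit (n > 0) }
    '
}

echo "== findings for the post's rules =="
post_rules | audit_nat_rules || true
echo
echo "== hardened ruleset (apply on the gateway with: render_nat_rules ... | iptables-restore) =="
render_nat_rules ens33 ens37 192.168.1.3 192.168.18.0/24 192.168.18.128 2222 22
```

Run without root it only renders and audits; on machine one, `render_nat_rules ... | iptables-restore` installs the whole ruleset atomically. The `--ctstate DNAT` match in FORWARD accepts only connections the nat table actually rewrote, so the chain stays closed to anything else arriving from the public side, and `iptables-save | audit_nat_rules` can be rerun later to catch a rule added without the interface restriction.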


Tomorrow I will share how to set up a web server.
