iptables: SNAT and DNAT
CentOS 6.x: NAT routing and forwarding (single gateway)
1. Network topology
client (172.16.1.10) -- eth1 172.16.1.100 [NAT server] eth0 10.0.0.100 -- 10.0.0.2 (upstream gateway) -- Internet
2. Lab environment
2.1 NAT server
[[email protected] ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[[email protected] ~]# uname -r
2.6.32-431.el6.x86_64
[[email protected] ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:E4:ED:85
inet addr:10.0.0.100 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee4:ed85/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:89 errors:0 dropped:0 overruns:0 frame:0
TX packets:80 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9993 (9.7 KiB) TX bytes:9848 (9.6 KiB)
eth1 Link encap:Ethernet HWaddr 00:0C:29:E4:ED:8F
inet addr:172.16.1.100 Bcast:172.16.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee4:ed8f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:684 (684.0 b) TX bytes:636 (636.0 b)
2.2 Client
[[email protected] ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[[email protected] ~]# uname -r
2.6.32-431.el6.x86_64
[[email protected] ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:E4:ED:85
inet addr:172.16.1.10 Bcast:172.16.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee4:ed85/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:89 errors:0 dropped:0 overruns:0 frame:0
TX packets:80 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9993 (9.7 KiB) TX bytes:9848 (9.6 KiB)
3. Network configuration
3.1 NAT server
[[email protected] ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=10.0.0.100
NETMASK=255.255.255.0
GATEWAY=10.0.0.2   # the default gateway must be set or the server has no Internet access (for a VM it is shown in the virtual network editor)
DNS1=10.0.0.2
DNS2=223.5.5.5
IPV6INIT=no
USERCTL=no
[[email protected] ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1   # internal interface: no gateway
DEVICE=eth1
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=172.16.1.100
NETMASK=255.255.255.0
IPV6INIT=no
USERCTL=no
3.2 Internal client
[[email protected] ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=172.16.1.10
NETMASK=255.255.255.0
GATEWAY=172.16.1.100
IPV6INIT=no
USERCTL=no
4. NAT server setup
4.1 Enable IP forwarding
Temporarily (until the next reboot):
echo 1 > /proc/sys/net/ipv4/ip_forward   # note the space before ">": written as "echo 1>file" the shell redirects stdout and echo writes an empty line, which the kernel rejects
Permanently (survives a reboot), either of:
(1) [[email protected] ~]# sed -i 's#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#g' /etc/sysctl.conf   # only matches if the line reads exactly "net.ipv4.ip_forward = 0"; check the file afterwards
(2) [[email protected] ~]# vim /etc/sysctl.conf
change net.ipv4.ip_forward from 0 to 1; otherwise the kernel will not forward packets between interfaces
[[email protected] ~]# sysctl -p   # apply the file to the running kernel
Test from the client:
[[email protected] ~]# ping 10.0.0.100   # a reply shows the client reaches the NAT server's external address through eth1; the server answers for its own addresses whether or not forwarding is on, so forwarding itself is proven only by the Internet test in 4.2
PING 10.0.0.100 (10.0.0.100) 56(84) bytes of data.
64 bytes from 10.0.0.100: icmp_seq=1 ttl=64 time=0.137 ms
64 bytes from 10.0.0.100: icmp_seq=2 ttl=64 time=0.068 ms
64 bytes from 10.0.0.100: icmp_seq=3 ttl=64 time=0.071 ms
^C
--- 10.0.0.100 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2512ms
rtt min/avg/max/mdev = 0.068/0.092/0.137/0.031 ms
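The two commands above have pitfalls worth closing before relying on them: `echo 1>/proc/sys/net/ipv4/ip_forward` has no space before `>`, so the shell treats `1>` as a redirection of stdout and echo writes an empty line, which the kernel rejects; and the `sed` substitution only matches one exact spelling of the line, so if `/etc/sysctl.conf` has the key commented out, spaced differently or missing, nothing changes and sed still exits 0. The following shell functions are added here as an example and are not part of the original post: they set a sysctl key idempotently and show the redirection difference on a scratch file. They take file paths as arguments so they can be exercised without root; the file and key names are the ones used above.

```sh
#!/bin/sh
# Added example (not from the original post): enable IPv4 forwarding without
# the two pitfalls in the commands shown above.
#
# Pitfall 1: `echo 1>/proc/sys/net/ipv4/ip_forward` has no space before `>`, so
#            the shell parses `1>` as "redirect fd 1" and echo writes "\n".
# Pitfall 2: `sed -i 's#net.ipv4.ip_forward = 0#...#'` matches one exact
#            spelling only; a commented-out, re-spaced or absent key is left
#            unchanged and sed still exits 0, so the setting does not persist.

# Write a value to a /proc/sys entry the way the kernel expects ("1\n").
# $1 = path of the entry, $2 = value.  Taking the path as an argument lets the
# function be exercised against a scratch file where /proc is not writable.
write_proc_value() {
    printf '%s\n' "$2" > "$1"
}

# Idempotently set "key = value" in a sysctl.conf-style file ($1).
# Replaces any existing line for the key (commented out or oddly spaced
# included); appends the line if the key is not present at all.
# Keys and values here contain no '/' or '&', so they are safe in the sed script.
set_sysctl_kv() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    # Escape the dots in the key so they are literal in the regex.
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
    if grep -q "^[[:space:]]*#*[[:space:]]*${key_re}[[:space:]]*=" "$file"; then
        sed "s/^[[:space:]]*#*[[:space:]]*${key_re}[[:space:]]*=.*/${key} = ${value}/" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s = %s\n' "$key" "$value" >> "$tmp"
    fi
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Read back the effective value of a key from a sysctl.conf-style file ($1),
# ignoring comment lines; the last setting wins, as with `sysctl -p`.
get_sysctl_kv() {
    awk -v k="$2" -F= '
        /^[[:space:]]*#/ { next }
        { gsub(/[[:space:]]/, "", $1) }
        $1 == k { v = $2; gsub(/[[:space:]]/, "", v) }
        END { print v }' "$1"
}

# Show the redirection pitfall on a scratch file: returns what each form writes.
demo_redirect_pitfall() {
    t=$(mktemp) || return 1
    echo 1>"$t"          # no space: redirects fd 1, writes an empty line
    wrong=$(cat "$t")
    echo 1 >"$t"         # with a space: writes "1"
    right=$(cat "$t")
    rm -f "$t"
    printf 'wrong=[%s] right=[%s]\n' "$wrong" "$right"
}
```

On the NAT server the persistent change is `set_sysctl_kv /etc/sysctl.conf net.ipv4.ip_forward 1` followed by `sysctl -p`; `write_proc_value /proc/sys/net/ipv4/ip_forward 1` is the corrected form of the temporary change.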
4.2 Configure NAT
On the NAT server:
iptables -t nat -F   # flush existing rules in the nat table
iptables -F   # flush existing rules in the filter table
iptables -P FORWARD ACCEPT   # default policy: forward everything (fine for the lab; on a real gateway pair it with explicit FORWARD rules, because as it stands the box forwards any traffic between any interfaces)
(1) Static external address: SNAT
[[email protected] ~]# iptables -t nat -I POSTROUTING -s 172.16.1.0/24 -j SNAT --to 10.0.0.100   # --to is short for --to-source; without -o eth0 the rule also rewrites 172.16.1.0/24 traffic leaving through any other interface
[[email protected] ~]# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 7 packets, 1009 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 3 packets, 206 bytes)
pkts bytes target prot opt in out source destination
5 353 SNAT all -- * * 172.16.1.0/24 0.0.0.0/0 to:10.0.0.100
Chain OUTPUT (policy ACCEPT 3 packets, 206 bytes)
pkts bytes target prot opt in out source destination
(2) Dynamic external address: MASQUERADE (uses whatever address eth0 has at the time, and drops its connection-tracking entries when the interface goes down)
[[email protected] ~]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[[email protected] ~]# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Test from the client:
[[email protected] ~]# ping www.baidu.com   # a reply from the Internet shows that routing and NAT work end to end
PING www.a.shifen.com (180.149.132.151) 56(84) bytes of data.
64 bytes from 180.149.132.151: icmp_seq=1 ttl=127 time=11.3 ms
64 bytes from 180.149.132.151: icmp_seq=2 ttl=127 time=3.44 ms
64 bytes from 180.149.132.151: icmp_seq=3 ttl=127 time=4.69 ms
64 bytes from 180.149.132.151: icmp_seq=4 ttl=127 time=3.05 ms
^C
--- www.a.shifen.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3371ms
rtt min/avg/max/mdev = 3.057/5.642/11.367/3.361 ms
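The three commands at the start of 4.2 flush both tables and leave FORWARD at ACCEPT, which is fine for a lab but on a real gateway means the box forwards anything between any pair of interfaces, including traffic arriving on the external side with a forged internal source address. The script below is an added example, not code from the original post: it generates a complete ruleset for this single-gateway scenario in `iptables-restore` format (the same format CentOS 6 keeps in `/etc/sysconfig/iptables`), choosing SNAT or MASQUERADE depending on whether a static external address is supplied, and pairing it with a default-DROP FORWARD chain that admits only new flows from the LAN subnet out the WAN interface plus established and related replies. Interface names, subnet and address are the lab's; the function prints the ruleset rather than loading it so it can be reviewed first.

```sh
#!/bin/sh
# Added example (not from the original post): generate a complete, restrictive
# ruleset for the single-gateway SNAT/MASQUERADE setup above.  The post's
# `iptables -F; iptables -P FORWARD ACCEPT` leaves the box forwarding anything
# between any interfaces; here FORWARD defaults to DROP and only the LAN subnet
# going out the WAN interface (plus reply traffic) is allowed.
#
# Output is in iptables-restore format, so it can be reviewed and then loaded
# atomically; on CentOS 6 it is the same format as /etc/sysconfig/iptables.
#
# Usage: nat_gateway_rules WAN_IF LAN_IF LAN_NET [WAN_IP]
#   WAN_IP given  -> static address: SNAT --to-source (fixed translation)
#   WAN_IP absent -> dynamic address: MASQUERADE (re-reads the interface IP)
nat_gateway_rules() {
    wan_if=$1 lan_if=$2 lan_net=$3 wan_ip=$4
    [ -n "$wan_if" ] && [ -n "$lan_if" ] && [ -n "$lan_net" ] || return 1

    if [ -n "$wan_ip" ]; then
        snat_rule="-A POSTROUTING -s $lan_net -o $wan_if -j SNAT --to-source $wan_ip"
    else
        snat_rule="-A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE"
    fi

    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite the source only for LAN traffic that actually leaves via the WAN
# interface; matching on -o $wan_if keeps other internal paths untouched.
$snat_rule
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Management plane of the gateway itself: loopback, replies, SSH and ping from the LAN.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan_if -s $lan_net -p tcp --dport 22 -j ACCEPT
-A INPUT -i $lan_if -s $lan_net -p icmp -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# Forwarding plane: replies back in, new flows only from the LAN out the WAN.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -m state --state NEW -j ACCEPT
# Anything else (WAN-initiated flows, a LAN source address arriving on the WAN
# side, LAN-to-LAN hairpins) is rate-limited into the log and dropped.
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
-A FORWARD -j DROP
COMMIT
EOF
}
```

Write the output to a file (for this lab `nat_gateway_rules eth0 eth1 172.16.1.0/24 10.0.0.100 > /tmp/nat.rules`), review it, load it with `iptables-restore < /tmp/nat.rules`, and persist it with `service iptables save`. With this ruleset the gateway still answers the client's ping from the LAN side but no longer answers or forwards anything initiated from the WAN side.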
CentOS 6.x: NAT through two routers (double NAT)
1. Network topology
client (172.16.2.100) -- eth1 172.16.2.3 [R2] eth0 172.16.1.10 -- eth1 172.16.1.100 [R1] eth0 10.0.0.100 -- 10.0.0.2 (upstream gateway) -- Internet
2. Lab environment
2.1 NAT server (R1)
[[email protected] ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[[email protected] ~]# uname -r
2.6.32-431.el6.x86_64
[[email protected] ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:E4:ED:85
inet addr:10.0.0.100 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee4:ed85/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:89 errors:0 dropped:0 overruns:0 frame:0
TX packets:80 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9993 (9.7 KiB) TX bytes:9848 (9.6 KiB)
eth1 Link encap:Ethernet HWaddr 00:0C:29:E4:ED:8F
inet addr:172.16.1.100 Bcast:172.16.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee4:ed8f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:684 (684.0 b) TX bytes:636 (636.0 b)
2.2 NAT server (R2)
[[email protected] ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[[email protected] ~]# uname -r
2.6.32-431.el6.x86_64
[[email protected] ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:E4:ED:85
inet addr:172.16.1.10 Bcast:172.16.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee4:ed85/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:89 errors:0 dropped:0 overruns:0 frame:0
TX packets:80 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9993 (9.7 KiB) TX bytes:9848 (9.6 KiB)
eth1 Link encap:Ethernet HWaddr 00:0C:29:E4:ED:8F
inet addr:172.16.2.3 Bcast:172.16.2.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee4:ed8f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
2.3 Client
[[email protected] ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[[email protected] ~]# uname -r
2.6.32-431.el6.x86_64
[[email protected] ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:E4:ED:85
inet addr:172.16.2.100 Bcast:172.16.2.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee4:ed85/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:89 errors:0 dropped:0 overruns:0 frame:0
TX packets:80 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9993 (9.7 KiB) TX bytes:9848 (9.6 KiB)
3. Network configuration
3.1 NAT server (R1)
[[email protected] ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=10.0.0.100
NETMASK=255.255.255.0
GATEWAY=10.0.0.2   # the default gateway must be set or the server has no Internet access (for a VM it is shown in the virtual network editor)
DNS1=10.0.0.2
DNS2=223.5.5.5
IPV6INIT=no
USERCTL=no
[[email protected] ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1   # internal interface: no gateway
DEVICE=eth1
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=172.16.1.100
NETMASK=255.255.255.0
IPV6INIT=no
USERCTL=no
3.2 NAT server (R2)
[[email protected] ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=172.16.1.10
NETMASK=255.255.255.0
GATEWAY=172.16.1.100
IPV6INIT=no
USERCTL=no
[[email protected] ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1   # internal interface: no gateway
DEVICE=eth1
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=172.16.2.3
NETMASK=255.255.255.0
IPV6INIT=no
USERCTL=no
3.3 Internal client
[[email protected] ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=172.16.2.100
NETMASK=255.255.255.0
GATEWAY=172.16.2.3
IPV6INIT=no
USERCTL=no
4. NAT server setup
4.1 Enable IP forwarding (R1)
Temporarily (until the next reboot):
echo 1 > /proc/sys/net/ipv4/ip_forward   # note the space before ">": written as "echo 1>file" the shell redirects stdout and echo writes an empty line, which the kernel rejects
Permanently (survives a reboot), either of:
(1) [[email protected] ~]# sed -i 's#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#g' /etc/sysctl.conf   # only matches if the line reads exactly "net.ipv4.ip_forward = 0"; check the file afterwards
(2) [[email protected] ~]# vim /etc/sysctl.conf
change net.ipv4.ip_forward from 0 to 1; otherwise the kernel will not forward packets between interfaces
[[email protected] ~]# sysctl -p   # apply the file to the running kernel
Test from R2:
[[email protected] ~]# ping 10.0.0.100   # a reply shows R2 reaches R1's external address through R1's eth1; R1 answers for its own addresses whether or not forwarding is on, so this alone does not prove forwarding
PING 10.0.0.100 (10.0.0.100) 56(84) bytes of data.
64 bytes from 10.0.0.100: icmp_seq=1 ttl=64 time=0.137 ms
64 bytes from 10.0.0.100: icmp_seq=2 ttl=64 time=0.068 ms
64 bytes from 10.0.0.100: icmp_seq=3 ttl=64 time=0.071 ms
^C
--- 10.0.0.100 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2512ms
rtt min/avg/max/mdev = 0.068/0.092/0.137/0.031 ms
4.2 Enable IP forwarding (R2)
Temporarily (until the next reboot):
echo 1 > /proc/sys/net/ipv4/ip_forward   # note the space before ">": written as "echo 1>file" the shell redirects stdout and echo writes an empty line, which the kernel rejects
Permanently (survives a reboot), either of:
(1) [[email protected] ~]# sed -i 's#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#g' /etc/sysctl.conf   # only matches if the line reads exactly "net.ipv4.ip_forward = 0"; check the file afterwards
(2) [[email protected] ~]# vim /etc/sysctl.conf
change net.ipv4.ip_forward from 0 to 1; otherwise the kernel will not forward packets between interfaces
[[email protected] ~]# sysctl -p   # apply the file to the running kernel
Test from the client:
[[email protected] ~]# ping 172.16.1.10   # a reply shows the client reaches R2's upstream address through R2's eth1; as in 4.1, this alone does not prove forwarding
PING 172.16.1.10 (172.16.1.10) 56(84) bytes of data.
64 bytes from 172.16.1.10: icmp_seq=1 ttl=64 time=0.137 ms
64 bytes from 172.16.1.10: icmp_seq=2 ttl=64 time=0.068 ms
64 bytes from 172.16.1.10: icmp_seq=3 ttl=64 time=0.071 ms
^C
--- 172.16.1.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2512ms
rtt min/avg/max/mdev = 0.068/0.092/0.137/0.031 ms
4.3 Configure NAT
On R1:
iptables -t nat -F   # flush existing rules in the nat table
iptables -F   # flush existing rules in the filter table
iptables -P FORWARD ACCEPT   # default policy: forward everything (lab only; see the note in the single-gateway section)
(1) Static external address: SNAT
[[email protected] ~]# iptables -t nat -I POSTROUTING -s 172.16.1.0/24 -j SNAT --to 10.0.0.100   # 172.16.1.0/24 includes R2's eth0 address 172.16.1.10, which is what the client's traffic carries as its source after R2 has translated it
[[email protected] ~]# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 7 packets, 1009 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 3 packets, 206 bytes)
pkts bytes target prot opt in out source destination
5 353 SNAT all -- * * 172.16.1.0/24 0.0.0.0/0 to:10.0.0.100
Chain OUTPUT (policy ACCEPT 3 packets, 206 bytes)
pkts bytes target prot opt in out source destination
(2) Dynamic external address: MASQUERADE (the same `iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE` rule as in the single-gateway setup; only the resulting listing was recorded here)
[[email protected] ~]# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
On R2:
iptables -t nat -F   # flush existing rules in the nat table
iptables -F   # flush existing rules in the filter table
iptables -P FORWARD ACCEPT   # default policy: forward everything (lab only)
(1) Static upstream address: SNAT
[[email protected] ~]# iptables -t nat -I POSTROUTING -s 172.16.2.0/24 -j SNAT --to 172.16.1.10   # R2 rewrites the client's source to its own eth0 address; R1 then sees the flow as coming from 172.16.1.0/24 and translates it again (double NAT), which is why neither router needs a route back to 172.16.2.0/24
[[email protected] ~]# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 7 packets, 1009 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 3 packets, 206 bytes)
pkts bytes target prot opt in out source destination
5 353 SNAT all -- * * 172.16.2.0/24 0.0.0.0/0 to:172.16.1.10
Chain OUTPUT (policy ACCEPT 3 packets, 206 bytes)
pkts bytes target prot opt in out source destination
(2) Dynamic upstream address: MASQUERADE
[[email protected] ~]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[[email protected] ~]# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Test from the client:
[[email protected] ~]# ping www.baidu.com   # a reply from the Internet shows that routing and NAT work across both routers
PING www.a.shifen.com (180.149.132.151) 56(84) bytes of data.
64 bytes from 180.149.132.151: icmp_seq=1 ttl=127 time=11.3 ms
64 bytes from 180.149.132.151: icmp_seq=2 ttl=127 time=3.44 ms
64 bytes from 180.149.132.151: icmp_seq=3 ttl=127 time=4.69 ms
64 bytes from 180.149.132.151: icmp_seq=4 ttl=127 time=3.05 ms
^C
--- www.a.shifen.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3371ms
rtt min/avg/max/mdev = 3.057/5.642/11.367/3.361 ms
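With two routers in the path the client's packets are rewritten twice (to 172.16.1.10 on R2, then to 10.0.0.100 on R1), and `iptables -t nat -L -nv` only shows the rules and their counters, not what was done to a particular flow. Connection tracking records that: each line of `/proc/net/nf_conntrack` carries the original tuple and the expected reply tuple, so the reply's destination is the translated source, and for a DNAT (as in the next section) the reply's source is the translated destination. The decoder below is an added example, not part of the original post. The three sample lines are constructed to match this lab's addresses (what R2 and R1 would each hold for one ICMP echo from 172.16.2.100, and what R1 would hold for the DNAT of the next section); they are not captured output.

```sh
#!/bin/sh
# Added example (not from the original post): decode the NAT mapping that
# conntrack holds for each flow.  On CentOS 6 the table is exposed at
# /proc/net/nf_conntrack.  Each line carries two tuples: the original direction
# (first src=/dst= pair) and the expected reply (second src=/dst= pair).
# A SNAT shows up as reply dst != original src; a DNAT as reply src != original dst.
#
# Usage: conntrack_nat_map [FILE]   (reads stdin when FILE is omitted)
# Output, one line per flow:  "<proto> <orig src>-><orig dst> snat=<ip|-> dnat=<ip|->"
conntrack_nat_map() {
    awk '
    {
        split("", src); split("", dst)      # clear per-line state
        n = 0; proto = $3                    # e.g. "icmp", "tcp", "udp"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/) { n++; sub(/^src=/, "", $i); src[n] = $i }
            if ($i ~ /^dst=/) { sub(/^dst=/, "", $i); dst[n] = $i }
        }
        if (n < 2) next                      # not a conntrack tuple line
        snat = (dst[2] != src[1]) ? dst[2] : "-"
        dnat = (src[2] != dst[1]) ? src[2] : "-"
        printf "%s %s->%s snat=%s dnat=%s\n", proto, src[1], dst[1], snat, dnat
    }' ${1:+"$1"}
}

# Decode a pasted line or block of text instead of a file.
conntrack_nat_map_str() {
    printf '%s\n' "$1" | conntrack_nat_map
}

# Constructed samples (not captured output) for the two-router lab:
# one ICMP echo from the client 172.16.2.100 to 180.149.132.151 as R2 and R1
# would each record it, plus R1's entry for the DNAT scenario in the next section.
SAMPLE_R2='ipv4     2 icmp     1 29 src=172.16.2.100 dst=180.149.132.151 type=8 code=0 id=4242 src=180.149.132.151 dst=172.16.1.10 type=0 code=0 id=4242 mark=0 zone=0 use=2'
SAMPLE_R1='ipv4     2 icmp     1 29 src=172.16.1.10 dst=180.149.132.151 type=8 code=0 id=4242 src=180.149.132.151 dst=10.0.0.100 type=0 code=0 id=4242 mark=0 zone=0 use=2'
SAMPLE_DNAT='ipv4     2 icmp     1 29 src=10.0.0.101 dst=10.0.0.100 type=8 code=0 id=7 src=172.16.2.100 dst=10.0.0.101 type=0 code=0 id=7 mark=0 zone=0 use=2'
```

On a live router run `conntrack_nat_map /proc/net/nf_conntrack` while the client pings; on R2 the flow shows `snat=172.16.1.10`, on R1 the same flow arrives already translated and shows `snat=10.0.0.100`, which is the double translation made visible.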
CentOS 6.x: DNAT to publish an internal host
1. Network topology
PC1 (10.0.0.101) -- 10.0.0.0/24 -- eth0 10.0.0.100 [R1] eth1 172.16.1.100 -- eth0 172.16.1.10 [R2] eth1 172.16.2.3 -- PC2 (172.16.2.100)
2. Lab environment
2.1 Client (PC1)
[[email protected] ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[[email protected] ~]# uname -r
2.6.32-431.el6.x86_64
[[email protected] ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:0A:9E:EA
inet addr:10.0.0.101 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe0a:9eea/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:350 errors:0 dropped:0 overruns:0 frame:0
TX packets:168 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:28635 (27.9 KiB) TX bytes:17098 (16.6 KiB)
2.2 NAT server (R1)
[[email protected] ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[[email protected] ~]# uname -r
2.6.32-431.el6.x86_64
[[email protected] ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:E4:ED:85
inet addr:10.0.0.100 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee4:ed85/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:89 errors:0 dropped:0 overruns:0 frame:0
TX packets:80 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9993 (9.7 KiB) TX bytes:9848 (9.6 KiB)
eth1 Link encap:Ethernet HWaddr 00:0C:29:E4:ED:8F
inet addr:172.16.1.100 Bcast:172.16.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee4:ed8f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:684 (684.0 b) TX bytes:636 (636.0 b)
2.3 NAT server (R2)
[[email protected] ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[[email protected] ~]# uname -r
2.6.32-431.el6.x86_64
[[email protected] ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:E4:ED:85
inet addr:172.16.1.10 Bcast:172.16.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee4:ed85/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:89 errors:0 dropped:0 overruns:0 frame:0
TX packets:80 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9993 (9.7 KiB) TX bytes:9848 (9.6 KiB)
eth1 Link encap:Ethernet HWaddr 00:0C:29:E4:ED:8F
inet addr:172.16.2.3 Bcast:172.16.2.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee4:ed8f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
2.4 Client (PC2)
[[email protected] ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[[email protected] ~]# uname -r
2.6.32-431.el6.x86_64
[[email protected] ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:E4:ED:85
inet addr:172.16.2.100 Bcast:172.16.2.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee4:ed85/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:89 errors:0 dropped:0 overruns:0 frame:0
TX packets:80 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9993 (9.7 KiB) TX bytes:9848 (9.6 KiB)
3. Network configuration
3.1 Client (PC1)
[[email protected] ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=10.0.0.101
NETMASK=255.255.255.0
DNS2=223.5.5.5
GATEWAY=10.0.0.2
DNS1=10.0.0.2
IPV6INIT=no
USERCTL=no
3.2 NAT server (R1)
[[email protected] ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=10.0.0.100
NETMASK=255.255.255.0
GATEWAY=10.0.0.2   # the default gateway must be set or the server has no Internet access (for a VM it is shown in the virtual network editor)
DNS1=10.0.0.2
DNS2=223.5.5.5
IPV6INIT=no
USERCTL=no
[[email protected] ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1   # internal interface: no gateway
DEVICE=eth1
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=172.16.1.100
NETMASK=255.255.255.0
IPV6INIT=no
USERCTL=no
3.3 NAT server (R2)
[[email protected] ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=172.16.1.10
NETMASK=255.255.255.0
GATEWAY=172.16.1.100
IPV6INIT=no
USERCTL=no
[[email protected] ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1   # internal interface: no gateway
DEVICE=eth1
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=172.16.2.3
NETMASK=255.255.255.0
IPV6INIT=no
USERCTL=no
3.4 Client (PC2)
[[email protected] ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=172.16.2.100
NETMASK=255.255.255.0
GATEWAY=172.16.2.3
IPV6INIT=no
USERCTL=no
4. DNAT configuration and verification
4.1 Before the DNAT rule, from PC1 (TTL is 64: R1 itself answers)
[[email protected] ~]# ping 10.0.0.100
PING 10.0.0.100 (10.0.0.100) 56(84) bytes of data.
64 bytes from 10.0.0.100: icmp_seq=1 ttl=64 time=5.43 ms
64 bytes from 10.0.0.100: icmp_seq=2 ttl=64 time=0.417 ms
64 bytes from 10.0.0.100: icmp_seq=3 ttl=64 time=0.425 ms
^C
--- 10.0.0.100 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2261ms
rtt min/avg/max/mdev = 0.417/2.092/5.435/2.363 ms
4.2 On the external NAT server (R1)
Note: this rule redirects every packet that arrives on eth0 for 10.0.0.100, whatever the protocol or port, to PC2, which includes SSH to R1 itself from the outside; on a real gateway restrict it with -p and --dport as in the summary. R1's interface configuration in 3.2 gives it no route to 172.16.2.0/24, so the translated packets only reach PC2 if R1 also has a route to that subnet via R2 (172.16.1.10); PC2's reply crosses R2 untranslated (the nat table is consulted only for the first packet of a connection) and R1's connection tracking restores the original destination.
[[email protected] ~]# iptables -t nat -I PREROUTING -d 10.0.0.100/32 -i eth0 -j DNAT --to 172.16.2.100
[[email protected] ~]# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 15 packets, 2560 bytes)
pkts bytes target prot opt in out source destination
1 84 DNAT all -- eth0 * 0.0.0.0/0 10.0.0.100 to:172.16.2.100
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
209 14349 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 5 packets, 343 bytes)
pkts bytes target prot opt in out source destination
4.3 After the DNAT rule, from PC1 (the TTL is no longer 64: the replies now come from a host behind R1, not from R1 itself)
[[email protected] ~]# ping 10.0.0.100
PING 10.0.0.100 (10.0.0.100) 56(84) bytes of data.
64 bytes from 10.0.0.100: icmp_seq=1 ttl=127 time=5.51 ms
64 bytes from 10.0.0.100: icmp_seq=2 ttl=127 time=1.29 ms
64 bytes from 10.0.0.100: icmp_seq=3 ttl=127 time=1.29 ms
^C
--- 10.0.0.100 ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6817ms
rtt min/avg/max/mdev = 1.113/1.837/5.512/1.502 ms
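The rule in 4.2 publishes PC2 by redirecting everything that reaches 10.0.0.100 on eth0, which is more than a practitioner would want. The function below is an added example, not code from the original post: it prints the three pieces a scoped port-forward through R1 needs, namely the DNAT limited to one protocol and port, the matching FORWARD accept (the filter table sees the packet with its rewritten destination, and a default-DROP FORWARD chain would otherwise discard it), and the static route R1 needs toward 172.16.2.0/24 via R2, because as configured above R1 only knows its two directly connected subnets. The published service and port are assumptions for illustration; the function prints the commands instead of running them so they can be reviewed and so it runs without root.

```sh
#!/bin/sh
# Added example (not from the original post): publish one internal service
# through the external NAT server with a narrowly scoped DNAT, instead of the
# blanket `-d 10.0.0.100/32 -i eth0 -j DNAT --to 172.16.2.100` used above, which
# redirects every protocol and port aimed at the gateway (SSH to the gateway
# itself included) to the inner host.
#
# Three things must line up for a DNAT behind two routers to work:
#   1. nat/PREROUTING rewrites the destination for the chosen protocol/port only;
#   2. filter/FORWARD explicitly allows the rewritten flow (with a hardened,
#      default-DROP FORWARD chain the translated packet is otherwise dropped);
#   3. the NAT server has a route to the inner subnet via the next router
#      (R1 as configured above only knows 10.0.0.0/24 and 172.16.1.0/24, so
#      without it the translated packet is sent to the default gateway).
#
# Usage: dnat_publish WAN_IF WAN_IP PROTO PORT INNER_IP [INNER_NET NEXT_HOP]
# Prints the commands rather than running them.
dnat_publish() {
    wan_if=$1 wan_ip=$2 proto=$3 port=$4 inner_ip=$5 inner_net=$6 next_hop=$7
    [ -n "$wan_if" ] && [ -n "$wan_ip" ] && [ -n "$proto" ] && [ -n "$port" ] && [ -n "$inner_ip" ] || return 1
    case $proto in
        tcp|udp) ;;
        *) printf 'unsupported protocol: %s (only tcp/udp carry ports)\n' "$proto" >&2; return 1 ;;
    esac

    # 1. Translate only the published port; everything else sent to $wan_ip
    #    still reaches the gateway itself.
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$wan_if" "$wan_ip" "$proto" "$port" "$inner_ip" "$port"
    # 2. FORWARD sees the packet with its new destination, so match on that;
    #    -I puts the accept ahead of any catch-all DROP at the end of the chain.
    printf 'iptables -I FORWARD -i %s -d %s -p %s --dport %s -m state --state NEW -j ACCEPT\n' \
        "$wan_if" "$inner_ip" "$proto" "$port"
    # 3. Reach the inner subnet through the downstream router when it is not
    #    directly connected to the NAT server.
    if [ -n "$inner_net" ] && [ -n "$next_hop" ]; then
        printf 'ip route add %s via %s\n' "$inner_net" "$next_hop"
    fi
}
```

For this lab, publishing a web server on PC2 is `dnat_publish eth0 10.0.0.100 tcp 80 172.16.2.100 172.16.2.0/24 172.16.1.10`; pipe the output into `sh` on R1 once it reads as intended. Ping to 10.0.0.100 from PC1 then goes back to being answered by R1 itself, and only TCP/80 is handed to PC2.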
Summary:
NAT gateway with eth0 as the external interface
Inside to outside (source NAT):
dynamic external IP: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
static external IP: iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT --to-source 202.10.19.1
Outside to inside (destination NAT, port forwarding; scoped to one protocol and port):
iptables -t nat -A PREROUTING -i eth0 -d 202.10.19.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.10