Fortinet FortiGate firewall: configuring DNAT and SNAT

1. Lab topology

Purpose of the lab:
After SNAT is configured, the internal server can reach the external server, and the source IP the external server sees is the post-SNAT address, 56.56.56.1.
After DNAT is configured, the external server reaches the internal server's service through the Virtual IP 56.56.56.52.

a. The internal server's eth0 NIC has IP 5.5.5.1/24; its gateway is the IP of the firewall's port2 on the other side, 5.5.5.2/24.
b. The firewall's port3 interface, 6.6.6.1/24, connects to the external server's eth0 interface, 6.6.6.2/24.

2. SNAT configuration
a. Configure the NAT address pool (IP pool)

config firewall ippool
    edit "56.56.56.1_overload"
        set startip 56.56.56.1
        set endip 56.56.56.1
    next
end

b. Configure the policy for internal servers reaching the outside, and reference the NAT address pool in it

config firewall policy
    edit 2
        set name "to-all-permit"
        set uuid 8d96be5c-6b90-51eb-aa29-9b7fc34ca6ca
        set srcintf "port2"    // internal interface
        set dstintf "port3"    // external interface
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set ippool enable   // enable use of the NAT address pool
        set poolname "56.56.56.1_overload"   // reference the NAT address pool
        set nat enable       // enable NAT on this policy
    next
end

c. Configure a static route to the NAT address range on the external server

[root@c6 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
56.56.56.0      6.6.6.1         255.255.255.0   UG    0      0        0 eth5

d. Verify that the SNAT configuration works

1. Internal server network configuration
[root@localhost ~]# ifconfig ens39
ens39: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 5.5.5.1  netmask 255.255.255.0  broadcast 5.5.5.255
        inet6 fe80::20c:29ff:fe00:8058  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:00:80:58  txqueuelen 1000  (Ethernet)
        RX packets 5870  bytes 474480 (463.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 426  bytes 36317 (35.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@localhost ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         5.5.5.2         0.0.0.0         UG    0      0        0 ens39

2. Ping the external server from the internal server
[root@localhost ~]# ping 6.6.6.2
PING 6.6.6.2 (6.6.6.2) 56(84) bytes of data.
64 bytes from 6.6.6.2: icmp_seq=1 ttl=63 time=1.50 ms
64 bytes from 6.6.6.2: icmp_seq=2 ttl=63 time=1.53 ms

3. Packet capture on the external server
[root@c6 ~]# ifconfig eth5
eth5      Link encap:Ethernet  HWaddr 00:0C:29:5B:93:45  
          inet addr:6.6.6.2  Bcast:6.6.6.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe5b:9345/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:443 errors:0 dropped:0 overruns:0 frame:0
          TX packets:583 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:44908 (43.8 KiB)  TX bytes:52443 (51.2 KiB)
[root@c6 ~]# tcpdump -i eth5 -nnn -vvv 
tcpdump: listening on eth5, link-type EN10MB (Ethernet), capture size 65535 bytes
11:58:34.460576 IP (tos 0x0, ttl 63, id 65514, offset 0, flags [DF], proto ICMP (1), length 84)
    56.56.56.1 > 6.6.6.2: ICMP echo request, id 9543, seq 1, length 64
11:58:34.460638 IP (tos 0x0, ttl 64, id 15653, offset 0, flags [none], proto ICMP (1), length 84)
    6.6.6.2 > 56.56.56.1: ICMP echo reply, id 9543, seq 1, length 64
11:58:35.461347 IP (tos 0x0, ttl 63, id 814, offset 0, flags [DF], proto ICMP (1), length 84)
    56.56.56.1 > 6.6.6.2: ICMP echo request, id 9543, seq 2, length 64

e. SNAT lab conclusion:
The result matches expectations: the internal server can reach the external server, and the source IP the external server sees is the post-SNAT address 56.56.56.1.

3. DNAT configuration
a. Create the DNAT Virtual IP (the destination IP the external network uses to reach the internal service)

config firewall vip
    edit "56.56.56.52-5.5.5.1"
        set uuid 34a97bc8-6b8a-51eb-8808-b94f5cd25dba
        set extip 56.56.56.52
        set extintf "port3"
        set portforward enable
        set mappedip "5.5.5.1"
        set extport 515
        set mappedport 515
    next
end

b. Create the policy and reference the VIP in it

config firewall policy
    edit 1
        set name "test"
        set uuid 4f007e72-6b8a-51eb-3e87-d1cfe35c0b71
        set srcintf "port3"   // external interface
        set dstintf "port2"   // internal interface
        set srcaddr "all"
        set dstaddr "56.56.56.52-5.5.5.1"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
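
An added consistency check (not from the original post and not a FortiGate tool) that parses config in the FortiOS CLI form used above and cross-checks the NAT objects from the SNAT and DNAT sections: a policy with ippool enable must name an existing pool and also have nat enable, a VIP's extintf must match the srcintf of the policy that uses it as dstaddr, and a VIP nobody references is reported. The SAMPLE string is a constructed, trimmed copy of the page's ippool, VIP and two policies.

```python
import shlex
# Constructed sample in FortiOS CLI form, mirroring the page's ippool, VIP and two policies
SAMPLE = """\
config firewall ippool
  edit "56.56.56.1_overload"
  next
end
config firewall vip
  edit "56.56.56.52-5.5.5.1"
    set extintf "port3"
  next
end
config firewall policy
  edit 1
    set srcintf "port3"
    set dstaddr "56.56.56.52-5.5.5.1"
  next
  edit 2
    set srcintf "port2"
    set ippool enable
    set poolname "56.56.56.1_overload"
    set nat enable
  next
end
"""

def parse_fortios(text):
    """Flat config/edit/set/next/end parser -> {table: {entry: {key: [values]}}}; no nested sub-tables."""
    tables, table, entry = {}, None, None
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit":
            entry = table.setdefault(tok[1], {})
        elif tok[0] == "set":
            entry[tok[1]] = tok[2:]  # 'next' and 'end' only close the current scope
    return tables

def nat_findings(tables):
    """Cross-check NAT objects: dangling pool names, ippool without nat, VIP interface mismatches, unused VIPs."""
    pools, vips = tables.get("firewall ippool", {}), tables.get("firewall vip", {})
    policies, out = tables.get("firewall policy", {}), []
    for pid, p in policies.items():
        if p.get("ippool") == ["enable"]:
            out += [f"policy {pid}: pool {n!r} missing" for n in p.get("poolname", []) if n not in pools]
            if p.get("nat") != ["enable"]:
                out.append(f"policy {pid}: ippool set but nat not enabled")
        for d in p.get("dstaddr", []):
            if d in vips and vips[d].get("extintf") != p.get("srcintf"):
                out.append(f"policy {pid}: VIP {d!r} extintf {vips[d].get('extintf')} != srcintf {p.get('srcintf')}")
    out += [f"VIP {v!r} unused" for v in vips if not any(v in p.get("dstaddr", []) for p in policies.values())]
    return out
```

Feed it the output of `show firewall ippool`, `show firewall vip` and `show firewall policy` concatenated; an empty list means the objects line up as the page's config does.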

c. The route to the NAT address range was already configured on the external server in the SNAT section, so it is not repeated here.

d. Verify that DNAT works

1. Open port 515 on the internal server

[root@localhost ~]# python -m SimpleHTTPServer 515
Serving HTTP on 0.0.0.0 port 515 ...

2. Telnet from the external server to port 515 of the VIP
[root@c6 ~]# telnet 56.56.56.52 515
Trying 56.56.56.52...
Connected to 56.56.56.52.
Escape character is '^]'.
^]
<head>
<title>Error response</title>
</head>
<body>
<h1>Error response</h1>
<p>Error code 400.
<p>Message: Bad request syntax ('^]').
<p>Error code explanation: 400 = Bad request syntax or unsupported method.
</body>
Connection closed by foreign host.

3. Packet capture on the internal server
[root@localhost ~]# tcpdump -i ens39 -nnn -vvv host 6.6.6.2
tcpdump: listening on ens39, link-type EN10MB (Ethernet), capture size 65535 bytes
16:37:24.291051 IP (tos 0x10, ttl 63, id 42541, offset 0, flags [DF], proto TCP (6), length 57)
    6.6.6.2.34980 > 5.5.5.1.515: Flags [P.], cksum 0x98df (correct), seq 2296234720:2296234725, ack 743420663, win 115, options [nop,nop,TS val 25389246 ecr 21012527], length 5
16:37:24.295944 IP (tos 0x0, ttl 64, id 4806, offset 0, flags [DF], proto TCP (6), length 52)
    5.5.5.1.515 > 6.6.6.2.34980: Flags [.], cksum 0x1634 (incorrect -> 0x9a9c), seq 1, ack 5, win 227, options [nop,nop,TS val 21079036 ecr 25389246], length 0

e. DNAT conclusion: the result matches expectations. The external server reaches the service on the internal IP 5.5.5.1 through the VIP 56.56.56.52.
