Centos6.x NAT路由轉發
1、網絡拓撲結構
2、實驗環境
2.一、NAT服務器
[root@Andy ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[root@Andy ~]# uname -r
2.6.32-431.el6.x86_64
[root@Andy ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:E4:ED:85
inet addr:10.0.0.100 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee4:ed85/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:89 errors:0 dropped:0 overruns:0 frame:0
TX packets:80 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9993 (9.7 KiB) TX bytes:9848 (9.6 KiB)
eth1 Link encap:Ethernet HWaddr 00:0C:29:E4:ED:8F
inet addr:172.16.1.100 Bcast:172.16.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee4:ed8f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:684 (684.0 b) TX bytes:636 (636.0 b)
2.二、客戶機端
[root@Andy ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[root@Andy ~]# uname -r
2.6.32-431.el6.x86_64
[root@Andy ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:E4:ED:85
inet addr:172.16.1.10 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee4:ed85/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:89 errors:0 dropped:0 overruns:0 frame:0
TX packets:80 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9993 (9.7 KiB) TX bytes:9848 (9.6 KiB)
3、服務配置
3.一、NAT服務器配置
[root@Andy ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=10.0.0.100
NETMASK=255.255.255.0
# 必須配好網關,否則無法上網(網關地址可在虛擬機的網絡編輯器中查到)
GATEWAY=10.0.0.2
DNS1=10.0.0.2
DNS2=223.5.5.5
IPV6INIT=no
USERCTL=no
[root@Andy ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1(無網關)
DEVICE=eth1
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=172.16.1.100
NETMASK=255.255.255.0
IPV6INIT=no
USERCTL=no
3.二、內網客戶端配置
[root@Andy ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=172.16.1.10
NETMASK=255.255.255.0
GATEWAY=172.16.1.100
IPV6INIT=no
USERCTL=no
4、NAT服務器配置
4.一、開啓路由轉發
臨時轉發生效:
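# Enable IPv4 forwarding for the running kernel only (lost on reboot).
# The space before ">" is required: in "echo 1>file" the shell reads "1>" as
# a redirection of fd 1, so echo gets no argument and "1" is never written.
echo 1 > /proc/sys/net/ipv4/ip_forward
# Confirm on the NAT server: cat /proc/sys/net/ipv4/ip_forward should print 1.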
永久轉發生效:
(1)[root@Andy ~]# sed -i 's#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#g' /etc/sysctl.conf
(2)[root@Andy ~]# vim /etc/sysctl.conf
將net.ipv4.ip_forward的值從0改成1,不然服務器將不會進行包轉發
[root@Andy ~]# sysctl -p # 重新載入/etc/sysctl.conf,使修改當即生效
在客戶機測試
[root@Andy ~]# ping 10.0.0.100 //ping通說明開啓成功
PING 10.0.0.100 (10.0.0.100) 56(84) bytes of data.
64 bytes from 10.0.0.100: icmp_seq=1 ttl=64 time=0.137 ms
64 bytes from 10.0.0.100: icmp_seq=2 ttl=64 time=0.068 ms
64 bytes from 10.0.0.100: icmp_seq=3 ttl=64 time=0.071 ms
^C
--- 10.0.0.100 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2512ms
rtt min/avg/max/mdev = 0.068/0.092/0.137/0.031 ms
4.二、配置NAT轉發
服務器端
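# Start from an empty nat table so earlier NAT rules cannot interfere.
iptables -t nat -F
# Flush every rule in the filter table. NOTE(review): this also removes any
# host firewall rules already loaded on this machine, so review the existing
# ruleset (iptables -L -nv) before running it outside a lab.
iptables -F
# Let the kernel forward packets between interfaces. With an empty FORWARD
# chain this policy forwards everything in both directions; a stricter setup
# keeps the policy at DROP and accepts only eth1 -> eth0 traffic plus
# RELATED,ESTABLISHED replies.
iptables -P FORWARD ACCEPT
# Rules added with the iptables command are not persistent; on CentOS 6 run
# "service iptables save" to write them to /etc/sysconfig/iptables.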
(1)靜態IP
[root@Andy ~]# iptables -t nat -I POSTROUTING -s 172.16.1.0/24 -j SNAT --to 10.0.0.100
[root@Andy ~]# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 7 packets, 1009 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 3 packets, 206 bytes)
pkts bytes target prot opt in out source destination
5 353 SNAT all -- * * 172.16.1.0/24 0.0.0.0/0 to:10.0.0.100
Chain OUTPUT (policy ACCEPT 3 packets, 206 bytes)
pkts bytes target prot opt in out source destination
(2)動態IP
[root@Andy ~]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[root@Andy ~]# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
客戶端測試
[root@Andy ~]# ping www.baidu.com //ping通說明NAT路由轉發實驗成功
PING www.a.shifen.com (180.149.132.151) 56(84) bytes of data.
64 bytes from 180.149.132.151: icmp_seq=1 ttl=127 time=11.3 ms
64 bytes from 180.149.132.151: icmp_seq=2 ttl=127 time=3.44 ms
64 bytes from 180.149.132.151: icmp_seq=3 ttl=127 time=4.69 ms
64 bytes from 180.149.132.151: icmp_seq=4 ttl=127 time=3.05 ms
^C
--- www.a.shifen.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3371ms
rtt min/avg/max/mdev = 3.057/5.642/11.367/3.361 ms
Centos6.x NAT多路由轉發
1、網絡拓撲結構
2、實驗環境
2.一、NAT服務器( R1 )
[root@Andy ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[root@Andy ~]# uname -r
2.6.32-431.el6.x86_64
[root@Andy ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:E4:ED:85
inet addr:10.0.0.100 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee4:ed85/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:89 errors:0 dropped:0 overruns:0 frame:0
TX packets:80 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9993 (9.7 KiB) TX bytes:9848 (9.6 KiB)
eth1 Link encap:Ethernet HWaddr 00:0C:29:E4:ED:8F
inet addr:172.16.1.100 Bcast:172.16.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee4:ed8f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:684 (684.0 b) TX bytes:636 (636.0 b)
2.二、NAT服務器( R2 )
[root@Andy ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[root@Andy ~]# uname -r
2.6.32-431.el6.x86_64
[root@Andy ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:E4:ED:85
inet addr:172.16.1.10 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee4:ed85/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:89 errors:0 dropped:0 overruns:0 frame:0
TX packets:80 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9993 (9.7 KiB) TX bytes:9848 (9.6 KiB)
eth1 Link encap:Ethernet HWaddr 00:0C:29:E4:ED:8F
inet addr:172.16.2.3 Bcast:172.16.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee4:ed8f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
2.三、客戶機端
[root@Andy ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[root@Andy ~]# uname -r
2.6.32-431.el6.x86_64
[root@Andy ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:E4:ED:85
inet addr:172.16.2.100 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee4:ed85/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:89 errors:0 dropped:0 overruns:0 frame:0
TX packets:80 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9993 (9.7 KiB) TX bytes:9848 (9.6 KiB)
3、服務配置
3.一、NAT服務器配置( R1 )
[root@Andy ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=10.0.0.100
NETMASK=255.255.255.0
# 必須配好網關,否則無法上網(網關地址可在虛擬機的網絡編輯器中查到)
GATEWAY=10.0.0.2
DNS1=10.0.0.2
DNS2=223.5.5.5
IPV6INIT=no
USERCTL=no
[root@Andy ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1(無網關)
DEVICE=eth1
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=172.16.1.100
NETMASK=255.255.255.0
IPV6INIT=no
USERCTL=no
3.二、NAT服務器配置( R2 )
[root@Andy ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=172.16.1.10
NETMASK=255.255.255.0
GATEWAY=172.16.1.100
IPV6INIT=no
USERCTL=no
[root@Andy ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1(無網關)
DEVICE=eth1
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=172.16.2.3
NETMASK=255.255.255.0
IPV6INIT=no
USERCTL=no
3.三、內網客戶端配置
[root@Andy ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=172.16.2.100
NETMASK=255.255.255.0
GATEWAY=172.16.2.3
IPV6INIT=no
USERCTL=no
4、NAT服務器配置
4.一、開啓路由轉發(R1)
臨時轉發生效:
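# Turn on IPv4 forwarding on R1 until the next reboot.
# "echo 1>file" (no space) is parsed as "redirect fd 1 to file" with an empty
# echo, so the value 1 must be separated from the ">" operator.
echo 1 > /proc/sys/net/ipv4/ip_forward
# Check the result on R1: cat /proc/sys/net/ipv4/ip_forward should print 1.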
永久轉發生效:
(1)[root@Andy ~]# sed -i 's#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#g' /etc/sysctl.conf
(2)[root@Andy ~]# vim /etc/sysctl.conf
將net.ipv4.ip_forward的值從0改成1,不然服務器將不會進行包轉發
[root@Andy ~]# sysctl -p # 重新載入/etc/sysctl.conf,使修改當即生效
在R2上測試
[root@Andy ~]# ping 10.0.0.100 //ping通說明開啓成功
PING 10.0.0.100 (10.0.0.100) 56(84) bytes of data.
64 bytes from 10.0.0.100: icmp_seq=1 ttl=64 time=0.137 ms
64 bytes from 10.0.0.100: icmp_seq=2 ttl=64 time=0.068 ms
64 bytes from 10.0.0.100: icmp_seq=3 ttl=64 time=0.071 ms
^C
--- 10.0.0.100 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2512ms
rtt min/avg/max/mdev = 0.068/0.092/0.137/0.031 ms
4.二、開啓路由轉發(R2)
臨時轉發生效:
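# Turn on IPv4 forwarding on R2 until the next reboot.
# Keep the space between "1" and ">": written as "1>", the digit becomes the
# file descriptor of the redirection and nothing but a newline is written.
echo 1 > /proc/sys/net/ipv4/ip_forward
# Check the result on R2: cat /proc/sys/net/ipv4/ip_forward should print 1.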
永久轉發生效:
(1)[root@Andy ~]# sed -i 's#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#g' /etc/sysctl.conf
(2)[root@Andy ~]# vim /etc/sysctl.conf
將net.ipv4.ip_forward的值從0改成1,不然服務器將不會進行包轉發
[root@Andy ~]# sysctl -p # 重新載入/etc/sysctl.conf,使修改當即生效
在客戶機上測試
[root@Andy ~]# ping 172.16.1.10 //ping通說明開啓成功
PING 10.0.0.100 (10.0.0.100) 56(84) bytes of data.
64 bytes from 10.0.0.100: icmp_seq=1 ttl=64 time=0.137 ms
64 bytes from 10.0.0.100: icmp_seq=2 ttl=64 time=0.068 ms
64 bytes from 10.0.0.100: icmp_seq=3 ttl=64 time=0.071 ms
^C
--- 10.0.0.100 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2512ms
rtt min/avg/max/mdev = 0.068/0.092/0.137/0.031 ms
4.3、配置NAT轉發
服務器端(R1)
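# R1: clear any NAT rules left over from earlier experiments.
iptables -t nat -F
# R1: clear the filter table. NOTE(review): any host firewall rules already
# loaded are removed as well, so inspect them first (iptables -L -nv) when
# this is not a throwaway lab machine.
iptables -F
# R1: allow forwarding. With no FORWARD rules this accepts traffic in every
# direction; a tighter alternative is policy DROP plus explicit accepts for
# eth1 -> eth0 and for RELATED,ESTABLISHED return traffic.
iptables -P FORWARD ACCEPT
# These rules live only in the running kernel; "service iptables save" on
# CentOS 6 stores them in /etc/sysconfig/iptables.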
(1)靜態IP
[root@Andy ~]# iptables -t nat -I POSTROUTING -s 172.16.1.0/24 -j SNAT --to 10.0.0.100
[root@Andy ~]# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 7 packets, 1009 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 3 packets, 206 bytes)
pkts bytes target prot opt in out source destination
5 353 SNAT all -- * * 172.16.1.0/24 0.0.0.0/0 to:10.0.0.100
Chain OUTPUT (policy ACCEPT 3 packets, 206 bytes)
pkts bytes target prot opt in out source destination
(2)動態IP
[root@Andy ~]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[root@Andy ~]# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
服務器端(R2)
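# R2: clear any NAT rules left over from earlier experiments.
iptables -t nat -F
# R2: clear the filter table. NOTE(review): this drops whatever host firewall
# rules were loaded, so check the current ruleset (iptables -L -nv) before
# using it anywhere but a lab.
iptables -F
# R2: allow forwarding. An empty FORWARD chain with policy ACCEPT passes all
# traffic both ways; for a stricter router keep policy DROP and accept only
# eth1 -> eth0 plus RELATED,ESTABLISHED replies.
iptables -P FORWARD ACCEPT
# Not persistent across reboots; on CentOS 6 "service iptables save" writes
# the running rules to /etc/sysconfig/iptables.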
(1)靜態IP
[root@Andy ~]# iptables -t nat -I POSTROUTING -s 172.16.2.0/24 -j SNAT --to 172.16.1.10
[root@Andy ~]# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 7 packets, 1009 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 3 packets, 206 bytes)
pkts bytes target prot opt in out source destination
5 353 SNAT all -- * * 172.16.2.0/24 0.0.0.0/0 to:172.16.1.10
Chain OUTPUT (policy ACCEPT 3 packets, 206 bytes)
pkts bytes target prot opt in out source destination
(2)動態IP
[root@Andy ~]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[root@Andy ~]# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
客戶端測試
[root@Andy ~]# ping www.baidu.com //ping通說明NAT路由轉發實驗成功
PING www.a.shifen.com (180.149.132.151) 56(84) bytes of data.
64 bytes from 180.149.132.151: icmp_seq=1 ttl=127 time=11.3 ms
64 bytes from 180.149.132.151: icmp_seq=2 ttl=127 time=3.44 ms
64 bytes from 180.149.132.151: icmp_seq=3 ttl=127 time=4.69 ms
64 bytes from 180.149.132.151: icmp_seq=4 ttl=127 time=3.05 ms
^C
--- www.a.shifen.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3371ms
rtt min/avg/max/mdev = 3.057/5.642/11.367/3.361 ms
Centos6.x配置NAT實現網絡地址轉換
1、網絡拓撲結構
2、實驗環境
2.一、客戶機端(PC1)
[root@appex ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[root@appex ~]# uname -r
2.6.32-431.el6.x86_64
[root@appex ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:0A:9E:EA
inet addr:10.0.0.101 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe0a:9eea/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:350 errors:0 dropped:0 overruns:0 frame:0
TX packets:168 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:28635 (27.9 KiB) TX bytes:17098 (16.6 KiB)
2.二、NAT服務器( R1 )
[root@Andy ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[root@Andy ~]# uname -r
2.6.32-431.el6.x86_64
[root@Andy ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:E4:ED:85
inet addr:10.0.0.100 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee4:ed85/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:89 errors:0 dropped:0 overruns:0 frame:0
TX packets:80 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9993 (9.7 KiB) TX bytes:9848 (9.6 KiB)
eth1 Link encap:Ethernet HWaddr 00:0C:29:E4:ED:8F
inet addr:172.16.1.100 Bcast:172.16.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee4:ed8f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:684 (684.0 b) TX bytes:636 (636.0 b)
2.三、NAT服務器( R2 )
[root@Andy ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[root@Andy ~]# uname -r
2.6.32-431.el6.x86_64
[root@Andy ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:E4:ED:85
inet addr:172.16.1.10 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee4:ed85/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:89 errors:0 dropped:0 overruns:0 frame:0
TX packets:80 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9993 (9.7 KiB) TX bytes:9848 (9.6 KiB)
eth1 Link encap:Ethernet HWaddr 00:0C:29:E4:ED:8F
inet addr:172.16.2.3 Bcast:172.16.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee4:ed8f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
2.四、客戶機端(PC2)
[root@Andy ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[root@Andy ~]# uname -r
2.6.32-431.el6.x86_64
[root@Andy ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:E4:ED:85
inet addr:172.16.2.100 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee4:ed85/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:89 errors:0 dropped:0 overruns:0 frame:0
TX packets:80 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9993 (9.7 KiB) TX bytes:9848 (9.6 KiB)
3、服務配置
3.一、客戶端配置(PC1)
[root@appex ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=10.0.0.101
NETMASK=255.255.255.0
DNS2=223.5.5.5
GATEWAY=10.0.0.2
DNS1=10.0.0.2
IPV6INIT=no
USERCTL=no
3.二、NAT服務器配置( R1 )
[root@Andy ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=10.0.0.100
NETMASK=255.255.255.0
# 必須配好網關,否則無法上網(網關地址可在虛擬機的網絡編輯器中查到)
GATEWAY=10.0.0.2
DNS1=10.0.0.2
DNS2=223.5.5.5
IPV6INIT=no
USERCTL=no
[root@Andy ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1(無網關)
DEVICE=eth1
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=172.16.1.100
NETMASK=255.255.255.0
IPV6INIT=no
USERCTL=no
3.三、NAT服務器配置( R2 )
[root@Andy ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=172.16.1.10
NETMASK=255.255.255.0
GATEWAY=172.16.1.100
IPV6INIT=no
USERCTL=no
[root@Andy ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1(無網關)
DEVICE=eth1
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=172.16.2.3
NETMASK=255.255.255.0
IPV6INIT=no
USERCTL=no
3.四、客戶端配置(PC2)
[root@Andy ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=172.16.2.100
NETMASK=255.255.255.0
GATEWAY=172.16.2.3
IPV6INIT=no
USERCTL=no
4、NAT服務器配置及檢測
4.一、配置前在客戶機(PC1)檢測(此時ttl值爲64)
[root@appex ~]# ping 10.0.0.100
PING 10.0.0.100 (10.0.0.100) 56(84) bytes of data.
64 bytes from 10.0.0.100: icmp_seq=1 ttl=64 time=5.43 ms
64 bytes from 10.0.0.100: icmp_seq=2 ttl=64 time=0.417 ms
64 bytes from 10.0.0.100: icmp_seq=3 ttl=64 time=0.425 ms
^C
--- 10.0.0.100 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2261ms
rtt min/avg/max/mdev = 0.417/2.092/5.435/2.363 ms
4.二、外網NAT服務器(R1)
[root@Andy ~]# iptables -t nat -I PREROUTING -d 10.0.0.100/32 -i eth0 -j DNAT --to 172.16.2.100
[root@Andy ~]# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 15 packets, 2560 bytes)
pkts bytes target prot opt in out source destination
1 84 DNAT all -- eth0 * 0.0.0.0/0 10.0.0.100 to:172.16.2.100
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
209 14349 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 5 packets, 343 bytes)
pkts bytes target prot opt in out source destination
4.3、配置後在客戶機(PC1)檢測(此時ttl值發生變化)
[root@appex ~]# ping 10.0.0.100
PING 10.0.0.100 (10.0.0.100) 56(84) bytes of data.
64 bytes from 10.0.0.100: icmp_seq=1 ttl=127 time=5.51 ms
64 bytes from 10.0.0.100: icmp_seq=2 ttl=127 time=1.29 ms
64 bytes from 10.0.0.100: icmp_seq=3 ttl=127 time=1.29 ms
^C
--- 10.0.0.100 ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6817ms
rtt min/avg/max/mdev = 1.113/1.837/5.512/1.502 ms
總結:
網絡防火牆 eth0:外網網卡
內訪外:
動態IP:iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
靜態IP:iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT --to 202.10.19.1
外訪內(只轉發需要對外提供的協議和端口,如下例只轉發TCP 80;4.二中的實驗規則沒有限定協議和端口,會把eth0上發往10.0.0.100的所有流量都轉給內網主機):
iptables -t nat -A PREROUTING -i eth0 -d 202.10.19.1 -p tcp --dport 80 -j DNAT --to 192.168.0.10