iptables nat 表應用

時間 2019-11-13

原文原文鏈接

nat 表應用

A 機器兩塊網卡 ens33(192.168.5.130),ens37(192.168.100.1),ens33能夠上外網，ens37僅僅是內部網絡，B機器只有ens37(192.168.100.100),和A機器ens37能夠相互通訊互聯。
需求1：可讓B機器鏈接外網
A機器上打開路由轉發echo "1">/proc/sys/net/ipv4/ip_forward
A上執行iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
B上設置網關爲192.168.100.1
需求2：C機器只能和A通訊，讓C機器能夠直接連通B機器的22端口
A上打開路由轉發 echo "1" >/proc/sys/net/ipv4/ip_forward
A上執iptables -t nat -A PREROUTING -d 192.168.5.130 -p tcp --dport 1122 -j DNAT --to 192.168.5.130
A上執行iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.133.130
B上設置網關爲192.168.100.1

在虛擬機上添加網卡第二臺機器上添加一塊網卡 python

[root@xuexi-001 ~]# ifconfig 
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.5.130  netmask 255.255.255.0  broadcast 192.168.5.255
        inet6 fe80::9625:3e1d:12c7:4fe6  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:b3:a2:bf  txqueuelen 1000  (Ethernet)
        RX packets 120  bytes 10318 (10.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 72  bytes 8791 (8.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.5.150  netmask 255.255.255.0  broadcast 192.168.5.255
        ether 00:0c:29:b3:a2:bf  txqueuelen 1000  (Ethernet)

ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::44c4:9bed:dd1f:6c01  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:b3:a2:c9  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 22  bytes 3300 (3.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 72  bytes 5736 (5.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 72  bytes 5736 (5.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

設置A機器的第二塊網卡ens37網卡的IP 爲192.168.100.1網絡

[root@xuexi-001 ~]# ifconfig ens37 192.168.100.1/24  ······ 這樣設置IP 爲臨時生效，系統重啓後就失效了
[root@xuexi-001 ~]# ifconfig ens37
ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.1  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 fe80::20c:29ff:feb3:a2c9  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:b3:a2:c9  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 61  bytes 9802 (9.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

設置B機器的網卡ens37 的IP爲192.168.100.100tcp

[root@xuexi-001 ~]# ifconfig ens37 192.168.100.100/24  ······ 這樣設置IP 爲臨時生效，系統重啓後就失效了
[root@xuexi-001 ~]# ifconfig ens37
ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.100  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 fe80::20c:29ff:feb3:a2c9  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:b3:a2:c9  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 61  bytes 9802 (9.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

已經知足需求AB兩臺機器能夠相互使用內網互聯，AB機器內網不能訪問外網。oop

需求1：可讓B機器鏈接外網rest

A機器上打開路由轉發echo "1">/proc/sys/net/ipv4/ip_forwardcode

/proc/sys/net/ipv4/ip_forward 這個配置文件默認是0 是關閉的須要改爲「1」，「1」表明打開路由轉發。blog

[root@xuexi-001 ~]# cat /proc/sys/net/ipv4/ip_forward
0
[root@xuexi-001 ~]# echo "1" > /proc/sys/net/ipv4/ip_forward
[root@xuexi-001 ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@xuexi-001 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
[root@xuexi-001 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    52 PREROUTING_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    1    52 PREROUTING_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    1    52 PREROUTING_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  117  8880 OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  117  8880 POSTROUTING_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  117  8880 POSTROUTING_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  117  8880 POSTROUTING_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      ens33   192.168.100.0/24     0.0.0.0/0

B上設置網關爲192.168.100.1ip

[root@xuexi-001 ~]# route add default gw 192.168.100.1

B機器能夠鏈接公網通訊 B機器鏈接外網須要設置DNS，設置DNS須要配置文件 vi /etc/resolv.conf路由

需求2：C機器只能和A通訊，讓C機器能夠直接連通B機器的22端口get
A上打開路由轉發 echo "1" >/proc/sys/net/ipv4/ip_forward
A上執行iptables -t nat -A PREROUTING -d 192.168.5.130 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22

[root@xuexi-001 ~]# iptables -t nat -A PREROUTING -d 192.168.5.130 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22 
[root@xuexi-001 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  111  7144 PREROUTING_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  111  7144 PREROUTING_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  111  7144 PREROUTING_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.5.130        tcp dpt:1122 to:192.168.100.100:22

A上執行iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.5.130

[root@xuexi-001 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.5.130
[root@xuexi-001 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  111  7144 PREROUTING_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  111  7144 PREROUTING_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  111  7144 PREROUTING_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.5.130        tcp dpt:1122 to:192.168.100.100:22

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  145 10993 OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  151 11497 POSTROUTING_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  151 11497 POSTROUTING_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  151 11497 POSTROUTING_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 SNAT       all  --  *      *       192.168.100.100      0.0.0.0/0            to:192.168.5.130