【CentOS 7筆記44】iptables nat表和iptables規則備份和恢復,#

時間  2019-12-04
標籤 CentOS 7筆記44 iptables nat 規則 備份 恢復 欄目 系統網絡 简体版
原文   原文鏈接

shallow丿ove網絡

iptables nat

  • nat表應用
  • A機器兩塊網卡ens33(192.168.133.130)、ens37(192.168.100.1),ens33能夠上外網,ens37僅僅是內部網絡,B機器只有ens37(192.168.100.100),和A機器ens37能夠通訊互聯。
  • 需求1:能夠讓B機器鏈接外網
  • A機器上打開路由轉發 echo "1" > /proc/sys/net/ipv4/ip_forward
  • A上執行iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
  • B上設置網關爲192.168.100.1
  • 需求2:C機器只能和A通訊,讓C機器能夠直接連通B機器的22端口
  • A上打開路由轉發echo "1" > /proc/sys/net/ipv4/ip_forward
  • A上執行iptables -t nat -A PREROUTING -d 192.168.133.130 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22
  • A上執行iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.133.130
  • B上設置網關爲192.168.100.1

內網Linux鏈接外網

首先Linux主機1 設置 添加網卡tcp

輸入圖片說明

輸入圖片說明

輸入圖片說明

輸入圖片說明

輸入圖片說明

輸入圖片說明

Linux主機2 取消 啓動時鏈接,而後一切同上oop

輸入圖片說明

這時Linux主機B終端鏈接會失敗,由於ip更改或取消rest

  • Linux主機A
[root@localhost ~]# ifconfig
	eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
			inet 192.168.9.134  netmask 255.255.255.0  broadcast 192.168.9.255
			inet6 fe80::20c:29ff:fe0a:e7fc  prefixlen 64  scopeid 0x20<link>
			ether 00:0c:29:0a:e7:fc  txqueuelen 1000  (Ethernet)
			RX packets 429  bytes 30383 (29.6 KiB)
			RX errors 0  dropped 0  overruns 0  frame 0
			TX packets 77  bytes 13013 (12.7 KiB)
			TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

	eno16777736:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
			inet 192.168.9.139  netmask 255.255.255.0  broadcast 192.168.9.255
			ether 00:0c:29:0a:e7:fc  txqueuelen 1000  (Ethernet)

	ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
			inet6 fe80::20c:29ff:fe0a:e706  prefixlen 64  scopeid 0x20<link>
			ether 00:0c:29:0a:e7:06  txqueuelen 1000  (Ethernet)
			RX packets 41  bytes 14022 (13.6 KiB)
			RX errors 0  dropped 0  overruns 0  frame 0
			TX packets 14  bytes 2172 (2.1 KiB)
			TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

	lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
			inet 127.0.0.1  netmask 255.0.0.0
			inet6 ::1  prefixlen 128  scopeid 0x10<host>
			loop  txqueuelen 0  (Local Loopback)
			RX packets 2  bytes 196 (196.0 B)
			RX errors 0  dropped 0  overruns 0  frame 0
			TX packets 2  bytes 196 (196.0 B)
			TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

設置臨時ipcode

[root@localhost ~]# ifconfig ens37 192.168.100.1/24
[root@localhost ~]# ifconfig
	eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
			inet 192.168.9.134  netmask 255.255.255.0  broadcast 192.168.9.255
			inet6 fe80::20c:29ff:fe0a:e7fc  prefixlen 64  scopeid 0x20<link>
			ether 00:0c:29:0a:e7:fc  txqueuelen 1000  (Ethernet)
			RX packets 557  bytes 39888 (38.9 KiB)
			RX errors 0  dropped 0  overruns 0  frame 0
			TX packets 118  bytes 18957 (18.5 KiB)
			TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

	eno16777736:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
			inet 192.168.9.139  netmask 255.255.255.0  broadcast 192.168.9.255
			ether 00:0c:29:0a:e7:fc  txqueuelen 1000  (Ethernet)

	ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
			inet 192.168.100.1  netmask 255.255.255.0  broadcast 192.168.100.255
			inet6 fe80::20c:29ff:fe0a:e706  prefixlen 64  scopeid 0x20<link>
			ether 00:0c:29:0a:e7:06  txqueuelen 1000  (Ethernet)
			RX packets 41  bytes 14022 (13.6 KiB)
			RX errors 0  dropped 0  overruns 0  frame 0
			TX packets 25  bytes 4907 (4.7 KiB)
			TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

	lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
			inet 127.0.0.1  netmask 255.0.0.0
			inet6 ::1  prefixlen 128  scopeid 0x10<host>
			loop  txqueuelen 0  (Local Loopback)
			RX packets 2  bytes 196 (196.0 B)
			RX errors 0  dropped 0  overruns 0  frame 0
			TX packets 2  bytes 196 (196.0 B)
			TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
  • Linux主機B
ifconfig
ifdown ens33
ifconfig ens37 192.168.100.100/24
ifconfig
ping 192.168.100.1
  • Windows主機
C:\Users\Administrator>ping 192.168.100.1

	正在 Ping 192.168.100.1 具備 32 字節的數據:
	請求超時。
	請求超時。
	請求超時。
	請求超時。

	192.168.100.1 的 Ping 統計信息:
		數據包: 已發送 = 4,已接收 = 0,丟失 = 4 (100% 丟失),

C:\Users\Administrator>ping 192.168.100.100

	正在 Ping 192.168.100.100 具備 32 字節的數據:
	請求超時。
	請求超時。
	請求超時。
	請求超時。

	192.168.100.100 的 Ping 統計信息:
		數據包: 已發送 = 4,已接收 = 0,丟失 = 4 (100% 丟失),
  • Linux主機B
ping 192.168.9.134
ping www.baidu.com
  • Linux主機A

打開端口轉發圖片

[root@localhost ~]# cat /proc/sys/net/ipv4/ip_forward 
	0
[root@localhost ~]# echo "1" > !$
	echo "1" > /proc/sys/net/ipv4/ip_forward
[root@localhost ~]# !cat
	cat /proc/sys/net/ipv4/ip_forward 
	1
[root@localhost ~]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eno16777736 -j MASQUERADE
[root@localhost ~]# iptables -t nat -nvL
	Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         

	Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         

	Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         

	Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
		0     0 MASQUERADE  all  --  *      ens33   192.168.100.0/24     0.0.0.0/0

這裏我出現了一個很嚴重的問題,Linux主機A的網卡不爲ens33,只顧一味照抄是很是嚴重的錯誤!!!ip

  • Linux主機B
route -n
route add default gw 192.168.100.1
route -n
ping 192.168.9.134

終端鏈接內網Linux

端口映射路由

  • Linux主機A
[root@localhost ~]# cat /proc/sys/net/ipv4/ip_forward 
	1
[root@localhost ~]# iptables -t nat -D POSTROUTING -s 192.168.100.0/24 -o eno16777736 -j MASQUERADE 
[root@localhost ~]# iptables -t nat -nvL
	Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
	
	Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
	
	Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
	
	Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination 
[root@localhost ~]# iptables -t nat -A PREROUTING -d 192.168.9.134 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22

指把進來的包,轉發到192.168.100.100的22端口,同時回來的包也要做操做get

[root@localhost ~]# iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.9.134

iptables 規則備份和恢復

  • 保存和備份iptables規則
  • service iptables save #將規則保存到/etc/sysconfig/iptables
  • 把iptables規則備份到my.ipt文件中
  • iptables-save > my.ipt
  • 恢復剛纔備份的規則
  • iptables-restore < my.ipt

臨時備份it

[root@localhost ~]# iptables-save > /tmp/ipt.txt
[root@localhost ~]# cat /tmp/ipt.txt 
# Generated by iptables-save v1.4.21 on Sat Dec  2 03:21:24 2017
*nat
:PREROUTING ACCEPT [42:3651]
:INPUT ACCEPT [3:268]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.100.0/24 -o eno16777736 -j MASQUERADE
COMMIT
# Completed on Sat Dec  2 03:21:24 2017
# Generated by iptables-save v1.4.21 on Sat Dec  2 03:21:24 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [78:8880]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat Dec  2 03:21:24 2017

恢復

[root@localhost ~]# iptables -t nat -F
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
[root@localhost ~]# iptables-restore < /tmp/ipt.txt
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      eno16777736  192.168.100.0/24     0.0.0.0/0

永久備份

cp備份/etc/sysconfig/iptables

總結:設置兩臺主機內網Linux的IP地址,而且同一個網段內可以通訊/proc/sys/net/ipv4/ip_forward,鏈接主機ip設置iptables規則,而且在主機B設置網關和DNS,實現內網Linux內通訊到訪問外網

相關文章
相關標籤/搜索
每日一句
    每一个你不满意的现在,都有一个你没有努力的曾经。
本站公眾號
   歡迎關注本站公眾號,獲取更多信息
聯繫我們 最近搜索 最新文章 沪ICP备13005482号-10 MyBatis教程 SQL 教程 MySQL教程 Java 教程 Thymeleaf 教程 Hibernate教程 Spring教程 Redis教程