配置iptables防火墻（二）

配置iptables防火墻（二）

DNAT策略的應用

1、清空所有表的防火墻

[root@s2 ~]# iptables -F

[root@s2 ~]# iptables -t nat -F

[root@s2 ~]# iptables -t raw -F

[root@s2 ~]# iptables -t mangle -F

2、在網關防火墻上 兩塊網卡

[root@s2 ~]# ifconfig

eth0      Link encap:Ethernet  HWaddr 00:0C:29:87:17:A0  

         inet addr:192.168.10.10  Bcast:192.168.10.255  Mask:255.255.255.0

         inet6 addr: fe80::20c:29ff:fe87:17a0/64 Scope:Link

         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

         RX packets:53 errors:0 dropped:0 overruns:0 frame:0

         TX packets:80 errors:0 dropped:0 overruns:0 carrier:0

         collisions:0 txqueuelen:1000

         RX bytes:5525 (5.3 KiB)  TX bytes:13431 (13.1 KiB)

         Interrupt:59 Base address:0x2000

eth2      Link encap:Ethernet  HWaddr 00:0C:29:87:17:AA  

         inet addr:200.100.100.1  Bcast:200.100.100.255  Mask:255.255.255.0

確認網關上可以ping通內網客戶機，外網 客戶機

[root@s2 ~]# ping 192.168.10.3

PING 192.168.10.3 (192.168.10.3) 56(84) bytes of data.

64 bytes from 192.168.10.3: icmp_seq=1 ttl=128 time=1.22 ms

--- 192.168.10.3 ping statistics ---

1 packets transmitted, 1 received, 0% packet loss, time 0ms

rtt min/avg/max/mdev = 1.225/1.225/1.225/0.000 ms

[root@s2 ~]# ping 200.100.100.2

PING 200.100.100.2 (200.100.100.2) 56(84) bytes of data.

64 bytes from 200.100.100.2: icmp_seq=1 ttl=64 time=1.68 ms

64 bytes from 200.100.100.2: icmp_seq=2 ttl=64 time=0.375 ms

64 bytes from 200.100.100.2: icmp_seq=3 ttl=64 time=0.175 ms

--- 200.100.100.2 ping statistics ---

3 packets transmitted, 3 received, 0% packet loss, time 1999ms

rtt min/avg/max/mdev = 0.175/0.744/1.682/0.668 ms

3、確認開啟路由轉發

[root@s2 ~]# vi /etc/sysctl.conf

net.ipv4.ip_forward = 1

[root@s2 ~]# sysctl -p

net.ipv4.ip_forward = 1

net.ipv4.conf.default.rp_filter = 1

net.ipv4.conf.default.accept_source_route = 0

kernel.sysrq = 0

kernel.core_uses_pid = 1

net.ipv4.tcp_syncookies = 1

kernel.msgmnb = 65536

kernel.msgmax = 65536

kernel.shmmax = 4294967295

kernel.shmall = 268435456

4、在網關上添加DNAT映射，對于訪問網關80端口的數據包，將目標地址改為網站服務器的ip地址的內網IP地址

[root@s2 ~]# iptables -t nat -A PREROUTING -i eth1 -d 200.100.100.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.10.3

5、外網用戶訪問內網的Web服務器測試下

SNAT策略應用

1、清空所有表的防火墻

[root@s2 ~]# iptables -F

[root@s2 ~]# iptables -t nat -F

[root@s2 ~]# iptables -t raw -F

[root@s2 ~]# iptables -t mangle -F

2、在網關防火墻上 兩塊網卡

[root@s2 ~]# ifconfig

eth0      Link encap:Ethernet  HWaddr 00:0C:29:87:17:A0  

         inet addr:192.168.10.10  Bcast:192.168.10.255  Mask:255.255.255.0

         inet6 addr: fe80::20c:29ff:fe87:17a0/64 Scope:Link

         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

         RX packets:53 errors:0 dropped:0 overruns:0 frame:0

         TX packets:80 errors:0 dropped:0 overruns:0 carrier:0

         collisions:0 txqueuelen:1000

         RX bytes:5525 (5.3 KiB)  TX bytes:13431 (13.1 KiB)

         Interrupt:59 Base address:0x2000

eth2      Link encap:Ethernet  HWaddr 00:0C:29:87:17:AA  

         inet addr:200.100.100.1  Bcast:200.100.100.255  Mask:255.255.255.0

確認網關上可以ping通內網客戶機，外網 客戶機

[root@s2 ~]# ping 192.168.10.3

PING 192.168.10.3 (192.168.10.3) 56(84) bytes of data.

64 bytes from 192.168.10.3: icmp_seq=1 ttl=128 time=1.22 ms

--- 192.168.10.3 ping statistics ---

1 packets transmitted, 1 received, 0% packet loss, time 0ms

rtt min/avg/max/mdev = 1.225/1.225/1.225/0.000 ms

[root@s2 ~]# ping 200.100.100.2

PING 200.100.100.2 (200.100.100.2) 56(84) bytes of data.

64 bytes from 200.100.100.2: icmp_seq=1 ttl=64 time=1.68 ms

64 bytes from 200.100.100.2: icmp_seq=2 ttl=64 time=0.375 ms

64 bytes from 200.100.100.2: icmp_seq=3 ttl=64 time=0.175 ms

--- 200.100.100.2 ping statistics ---

3 packets transmitted, 3 received, 0% packet loss, time 1999ms

rtt min/avg/max/mdev = 0.175/0.744/1.682/0.668 ms

3、確認開啟路由轉發

[root@s2 ~]# vi /etc/sysctl.conf

net.ipv4.ip_forward = 1

[root@s2 ~]# sysctl -p

net.ipv4.ip_forward = 1

net.ipv4.conf.default.rp_filter = 1

net.ipv4.conf.default.accept_source_route = 0

kernel.sysrq = 0

kernel.core_uses_pid = 1

net.ipv4.tcp_syncookies = 1

kernel.msgmnb = 65536

kernel.msgmax = 65536

kernel.shmmax = 4294967295

kernel.shmall = 268435456

6、為局域網訪問Internet的數據的包采用SNAT策略，將源地址更改為服務器的公網的IP

地址

[root@s2 ~]# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 200.100.100.1

7、內網客戶機訪問外網Web服務器測試