linux DNAT & SNAT
iptables--- nat(地址转换)环境
1.机器一
192.168.1.3(公网)
192.168.183.127(内网)
2.机器二
192.168.183.128(内网)
实验前我在vm虚拟机上添加一个网口,有ip地址但是却没有配置文件
可以这么做
nmcli con show (查看设备唯一标识符uuid)
ip addr(网卡硬件MAC地址)
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
NAME=ens37
UUID=a2d0be5d-0769-48b4-9270-b3eacd1d243e
DEVICE=ens37
ONBOOT=yes
IPADDR=192.168.183.128
NETMASK=255.255.255.0
GATEWAY=192.168.1.3
HWADDR=00:0c:29:ab:38:87
防火墙规则,调用内核的安全策略。
# iptables -t filter -L(默认查看filter表里的列)
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# iptables -t nat -L(这次试验使用到的表--nat表)
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ssh登陆转换dnat(目标地址转换,公网ip--->内网ip,意思就是你想访问目标地址转变了)
机器一:
# vim /etc/ssh/sshd_config
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes(之前做过证书登陆,这里改成yes)
# service iptables stop
iptables: Setting chains to policy ACCEPT: filter nat
iptables: Flushing firewall rules:
iptables: Unloading modules:
# echo 1 > ip_forward(立即生效)
# cat ip_forward
1
# pwd
/proc/sys/net/ipv4
# vim /etc/sysctl.conf (永久生效)
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
# sysctl -p (刷新sysctl.conf文件)
net.ipv4.ip_forward = 1
机器二:
# ifdown ens33 (确保不会通过此网卡连接)
# vim /etc/sysconfig/network-scripts/ifcfg-ens37
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
NAME=ens37
UUID=a2d0be5d-0769-48b4-9270-b3eacd1d243e
DEVICE=ens37
ONBOOT=yes
IPADDR=192.168.183.128
NETMASK=255.255.255.0
GATEWAY=192.168.1.3 (这里网关指向机器一公网ip)
HWADDR=00:0c:29:ab:38:87
~
# iptables -t nat -A PREROUTING -d 192.168.1.3 -p tcp --dport 22 -j DNAT --to-destination
192.168.18.128:22
**测试**: (这里使用的是XSHELL)
Connecting to 192.168.1.3:22...(登陆的是1.3)
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Last login: Fri May4 18:32:54 2018 from 192.168.1.138
# ifconfig (成功转换到18.128上面)
ens33: flags=4163mtu 1500
ether 00:0c:29:ab:38:7dtxqueuelen 1000(Ethernet)
RX packets 350bytes 37643 (36.7 KiB)
RX errors 0dropped 1overruns 0frame 0
TX packets 124bytes 18169 (17.7 KiB)
TX errors 0dropped 0 overruns 0carrier 0collisions 0
ens37: flags=4163mtu 1500
inet 192.168.18.128netmask 255.255.255.0broadcast 192.168.18.255
inet6 fe80::20c:29ff:feab:3887prefixlen 64scopeid 0x20
ether 00:0c:29:ab:38:87txqueuelen 1000(Ethernet)
RX packets 271bytes 38878 (37.9 KiB)
RX errors 0dropped 0overruns 0frame 0
TX packets 198bytes 54004 (52.7 KiB)
TX errors 0dropped 0 overruns 0carrier 0collisions 0
lo: flags=73mtu 65536
inet 127.0.0.1netmask 255.0.0.0
inet6 ::1prefixlen 128scopeid 0x10
looptxqueuelen 0(Local Loopback)
RX packets 40bytes 3448 (3.3 KiB)
RX errors 0dropped 0overruns 0frame 0
TX packets 40bytes 3448 (3.3 KiB)
TX errors 0dropped 0 overruns 0carrier 0collisions 0
ssh登陆转换snat(源地址转换,内网ip--->公网ip,意思就是你所使用源ip地址转变了)
这里稍微改下iptbales协议即可
# iptables -t nat -A POSTROUTING -s 192.168.18.128 -j SNAT --to-source 192.168.1.3
*(原本192.168.18.128是不可以访问外网的,这里就以pingwww.baidu.com为例。看下效果图即可)
1.128这台机器resolv.conf文件dns服务器先指定好
2.没添加snat协议时:
http://i2.运维网.com/images/blog/201805/04/d5b01b53ec7faba7022720173989c024.png
3.添加iptables -t nat -A POSTROUTING -s 192.168.18.128 -j SNAT --to-source 192.168.1.3协议后:
http://i2.运维网.com/images/blog/201805/04/240d4429aaafeef177892c668c378ec9.png
明天分享下web的搭建。。
页:
[1]