配置iptables防火墙(二)

  DNAT策略的应用

  1、清空所有表的防火墙

  [root@s2 ~]# iptables -F

  [root@s2 ~]# iptables -t nat -F

  [root@s2 ~]# iptables -t raw -F

  [root@s2 ~]# iptables -t mangle -F

  2、在网关防火墙上 两块网卡

  [root@s2 ~]# ifconfig

  eth0      Link encap:Ethernet  HWaddr 00:0C:29:87:17:A0

  inet addr:192.168.10.10  Bcast:192.168.10.255  Mask:255.255.255.0

  inet6 addr: fe80::20c:29ff:fe87:17a0/64 Scope:Link

  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

  RX packets:53 errors:0 dropped:0 overruns:0 frame:0

  TX packets:80 errors:0 dropped:0 overruns:0 carrier:0

  collisions:0 txqueuelen:1000

  RX bytes:5525 (5.3 KiB)  TX bytes:13431 (13.1 KiB)

  Interrupt:59 Base address:0x2000

  eth1      Link encap:Ethernet  HWaddr 00:0C:29:87:17:AA

  inet addr:200.100.100.1  Bcast:200.100.100.255  Mask:255.255.255.0

  确认网关上可以ping通内网客户机,外网 客户机

  [root@s2 ~]# ping 192.168.10.3

  PING 192.168.10.3 (192.168.10.3) 56(84) bytes of data.

  64 bytes from 192.168.10.3: icmp_seq=1 ttl=128 time=1.22 ms

  — 192.168.10.3 ping statistics —

  1 packets transmitted, 1 received, 0% packet loss, time 0ms

  rtt min/avg/max/mdev = 1.225/1.225/1.225/0.000 ms

  [root@s2 ~]# ping 200.100.100.2

  PING 200.100.100.2 (200.100.100.2) 56(84) bytes of data.

  64 bytes from 200.100.100.2: icmp_seq=1 ttl=64 time=1.68 ms

  64 bytes from 200.100.100.2: icmp_seq=2 ttl=64 time=0.375 ms

  64 bytes from 200.100.100.2: icmp_seq=3 ttl=64 time=0.175 ms

  — 200.100.100.2 ping statistics —

  3 packets transmitted, 3 received, 0% packet loss, time 1999ms

  rtt min/avg/max/mdev = 0.175/0.744/1.682/0.668 ms

  3、确认开启路由转发

  [root@s2 ~]# vi /etc/sysctl.conf

  net.ipv4.ip_forward = 1

  [root@s2 ~]# sysctl -p

  net.ipv4.ip_forward = 1

  net.ipv4.conf.default.rp_filter = 1

  net.ipv4.conf.default.accept_source_route = 0

  kernel.sysrq = 0

  kernel.core_uses_pid = 1

  net.ipv4.tcp_syncookies = 1

  kernel.msgmnb = 65536

  kernel.msgmax = 65536

  kernel.shmmax = 4294967295

  kernel.shmall = 268435456

  4、在网关上添加DNAT映射,对于访问网关80端口的数据包,将目标地址改为网站服务器的ip地址的内网IP地址

  [root@s2 ~]# iptables -t nat -A PREROUTING -i eth1 -d 200.100.100.1 -p tcp –dport 80 -j DNAT –to-destination 192.168.10.3

  5、外网用户访问内网的Web服务器测试下

  SNAT策略应用

  1、清空所有表的防火墙

  [root@s2 ~]# iptables -F

  [root@s2 ~]# iptables -t nat -F

  [root@s2 ~]# iptables -t raw -F

  [root@s2 ~]# iptables -t mangle -F

  2、在网关防火墙上 两块网卡

  [root@s2 ~]# ifconfig

  eth0      Link encap:Ethernet  HWaddr 00:0C:29:87:17:A0

  inet addr:192.168.10.10  Bcast:192.168.10.255  Mask:255.255.255.0

  inet6 addr: fe80::20c:29ff:fe87:17a0/64 Scope:Link

  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

  RX packets:53 errors:0 dropped:0 overruns:0 frame:0

  TX packets:80 errors:0 dropped:0 overruns:0 carrier:0

  collisions:0 txqueuelen:1000

  RX bytes:5525 (5.3 KiB)  TX bytes:13431 (13.1 KiB)

  Interrupt:59 Base address:0x2000

  eth1      Link encap:Ethernet  HWaddr 00:0C:29:87:17:AA

  inet addr:200.100.100.1  Bcast:200.100.100.255  Mask:255.255.255.0

  确认网关上可以ping通内网客户机,外网 客户机

  [root@s2 ~]# ping 192.168.10.3

  PING 192.168.10.3 (192.168.10.3) 56(84) bytes of data.

  64 bytes from 192.168.10.3: icmp_seq=1 ttl=128 time=1.22 ms

  — 192.168.10.3 ping statistics —

  1 packets transmitted, 1 received, 0% packet loss, time 0ms

  rtt min/avg/max/mdev = 1.225/1.225/1.225/0.000 ms

  [root@s2 ~]# ping 200.100.100.2

  PING 200.100.100.2 (200.100.100.2) 56(84) bytes of data.

  64 bytes from 200.100.100.2: icmp_seq=1 ttl=64 time=1.68 ms

  64 bytes from 200.100.100.2: icmp_seq=2 ttl=64 time=0.375 ms

  64 bytes from 200.100.100.2: icmp_seq=3 ttl=64 time=0.175 ms

  — 200.100.100.2 ping statistics —

  3 packets transmitted, 3 received, 0% packet loss, time 1999ms

  rtt min/avg/max/mdev = 0.175/0.744/1.682/0.668 ms

  3、确认开启路由转发

  [root@s2 ~]# vi /etc/sysctl.conf

  net.ipv4.ip_forward = 1

  [root@s2 ~]# sysctl -p

  net.ipv4.ip_forward = 1

  net.ipv4.conf.default.rp_filter = 1

  net.ipv4.conf.default.accept_source_route = 0

  kernel.sysrq = 0

  kernel.core_uses_pid = 1

  net.ipv4.tcp_syncookies = 1

  kernel.msgmnb = 65536

  kernel.msgmax = 65536

  kernel.shmmax = 4294967295

  kernel.shmall = 268435456

  6、为局域网访问Internet的数据的包采用SNAT策略,将源地址更改为服务器的公网的IP

  地址

  [root@s2 ~]# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT –to-source 200.100.100.1

  7、内网客户机访问外网Web服务器测试

 

发表评论

邮箱地址不会被公开。 必填项已用*标注