iptables实现SNAT和DNAT,并对规则持久保存

# 环境检查
[root@PC-1 ~]# hostname -I
192.168.100.11 
[root@PC-2 ~]# hostname -I
192.168.100.12 
[root@firewall ~]# 
eth0:10.0.0.13
eth1:192.168.100.13
[root@Server ~]# hostname -I
10.0.0.14
# 连接检查
[root@PC-1 ~]# ping 192.168.100.13
PING 192.168.100.13 (192.168.100.13) 56(84) bytes of data.
64 bytes from 192.168.100.13: icmp_seq=1 ttl=64 time=0.173 ms
64 bytes from 192.168.100.13: icmp_seq=2 ttl=64 time=0.229 ms
# 测试防火墙连通性
[root@firewall ~]# curl 10.0.0.14
Welcome Server 10.0.0.14
# 检查配置
[root@firewall ~]# iptables -vnL -t nat 
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

1 实现SNAT,并永久保存规则

1.1 创建规则

# 启用 IP 转发(追加到 /etc/sysctl.conf 以持久化,sysctl -p 立即加载;注意重复执行会追加重复行)
[root@firewall ~]# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
[root@firewall ~]# sysctl -p
net.ipv4.ip_forward = 1
# 配置 SNAT: 将来自内网 192.168.100.0/24 的出向流量源地址改为防火墙外网地址。此规则未用 -o 限定出接口,会匹配该网段的全部出向流量,实际环境中建议加上 -o eth0 收紧匹配范围
[root@firewall ~]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -j SNAT --to-source 10.0.0.13
[root@firewall ~]# iptables -vnL -t nat 
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1   116 SNAT       all  --  *      *       192.168.100.0/24     0.0.0.0/0            to:10.0.0.13

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination  

# 测试效果: 内网主机均可访问外网服务器
[root@PC-1 ~]# curl 10.0.0.14
Welcome Server 10.0.0.14
[root@PC-2 ~]# curl 10.0.0.14
Welcome Server 10.0.0.14

# 查看 Server 访问日志,客户端地址已被转换为防火墙外网地址 10.0.0.13
[root@Server ~]# tail /var/log/nginx/access.log
10.0.0.13 - - [24/Nov/2022:15:27:46 +0800] "GET / HTTP/1.1" 200 26 "-" "curl/7.61.1" "-"
10.0.0.13 - - [24/Nov/2022:15:29:14 +0800] "GET / HTTP/1.1" 200 26 "-" "curl/7.61.1" "-"

# 查看规则序号(不用操作)
[root@firewall ~]# iptables -vnL -t nat --line-numbers
# 可按序号删除不需要的规则(示例,不用操作)
[root@firewall ~]# iptables -t nat -D POSTROUTING 2

1.2 永久保存

# 安装 iptables-services
[root@firewall ~]# yum -y install iptables-services
# 备份配置
[root@firewall ~]# cp /etc/sysconfig/iptables{,.bak}
[root@firewall ~]# ll /etc/sysconfig/iptables*
-rw-------  1 root root  550 Aug 25  2021 /etc/sysconfig/iptables
-rw-------  1 root root  550 Nov 24 19:04 /etc/sysconfig/iptables.bak
-rw-------. 1 root root 2116 Aug 25  2021 /etc/sysconfig/iptables-config

# 查看备份内容
[root@firewall ~]# cat /etc/sysconfig/iptables.bak
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

# 写入配置: iptables-save 会把当前内核中所有表的规则写入该文件并覆盖原内容。备份文件中的 filter 规则(包括 -A FORWARD -j REJECT 和对 INPUT 的限制)不会自动保留;若此时运行中的 filter 表为空,重启后这些限制将不再存在,需自行评估是否补充访问控制规则
[root@firewall ~]# iptables-save > /etc/sysconfig/iptables

# 设置开机启动
[root@firewall ~]# systemctl enable iptables.service 
Created symlink /etc/systemd/system/multi-user.target.wants/iptables.service → /usr/lib/systemd/system/iptables.service.

# 重启后检查规则是否已自动加载
[root@firewall ~]# reboot
[root@firewall ~]# iptables -nvL -t nat 
Chain PREROUTING (policy ACCEPT 1 packets, 52 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 1 packets, 52 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SNAT       all  --  *      *       192.168.100.0/24     0.0.0.0/0            to:10.0.0.13

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination  

2 实现DNAT,并永久保存规则

2.1 DNAT实现

# 内网服务器搭建过程省略,直接测试
[root@firewall ~]# curl 192.168.100.12:8080
Welcome 192.168.100.12
# 未配置 DNAT 前,从外网访问 10.0.0.13:80 不通
[root@Server ~]# curl 10.0.0.13:80
curl: (7) Failed to connect to 10.0.0.13 port 80: Connection refused

# 配置 DNAT: 将到达防火墙外网地址 10.0.0.13:80 的 TCP 连接转发到内网 192.168.100.12:8080
[root@firewall ~]# iptables -t nat -A PREROUTING -d 10.0.0.13 -p tcp --dport 80 -j DNAT --to-destination 192.168.100.12:8080

# 查看配置
[root@firewall ~]# iptables -vnL -t nat --line-numbers 
Chain PREROUTING (policy ACCEPT 54 packets, 5812 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        2   120 DNAT       tcp  --  *      *       0.0.0.0/0            10.0.0.13            tcp dpt:80 to:192.168.100.12:8080

Chain INPUT (policy ACCEPT 15 packets, 2210 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 2 packets, 120 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1       26  1604 SNAT       all  --  *      *       192.168.100.0/24     0.0.0.0/0            to:10.0.0.13

Chain OUTPUT (policy ACCEPT 6 packets, 360 bytes)
num   pkts bytes target     prot opt in     out     source               destination 

# 从外网侧测试连通性(访问防火墙外网地址 10.0.0.13 的 80 端口)
[root@node4 ~]# curl 10.0.0.13
Welcome 192.168.100.12

# 查看内网服务器 PC-2 的访问日志,客户端地址为外网主机 10.0.0.14
[root@PC-2 ~]# tail -f /var/log/nginx/access.log
10.0.0.14 - - [24/Nov/2022:20:31:43 +0800] "GET / HTTP/1.1" 200 23 "-" "curl/7.61.1" "-"
10.0.0.14 - - [24/Nov/2022:20:41:05 +0800] "GET / HTTP/1.1" 200 23 "-" "curl/7.61.1" "-"

2.2 永久保存

# 再次写入配置(同样以当前运行中的全部规则覆盖该文件)并重启
[root@firewall ~]# iptables-save > /etc/sysconfig/iptables
[root@firewall ~]# reboot

# 查看效果: 重启后 SNAT 与 DNAT 规则均已恢复
[root@firewall ~]# iptables -vnL -t nat --line-numbers 
Chain PREROUTING (policy ACCEPT 11 packets, 672 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.0.0.13            tcp dpt:80 to:192.168.100.12:8080

Chain INPUT (policy ACCEPT 1 packets, 52 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1       10   620 SNAT       all  --  *      *       192.168.100.0/24     0.0.0.0/0            to:10.0.0.13

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination  

 

原文地址:http://www.cnblogs.com/feifa/p/16054526.html
