CentOS 6.x NAT routing and forwarding

一、Network topology

[Figure 1: network topology (iptables SNAT and DNAT lab, image 1)]

二、Lab environment

2.1、NAT server

[root@Andy ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[root@Andy ~]# uname -r
2.6.32-431.el6.x86_64
[root@Andy ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:E4:ED:85
          inet addr:10.0.0.100  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fee4:ed85/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:89 errors:0 dropped:0 overruns:0 frame:0
          TX packets:80 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9993 (9.7 KiB)  TX bytes:9848 (9.6 KiB)

eth1      Link encap:Ethernet  HWaddr 00:0C:29:E4:ED:8F
          inet addr:172.16.1.100  Bcast:172.16.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fee4:ed8f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:684 (684.0 b)  TX bytes:636 (636.0 b)

2.2、Client

[root@Andy ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[root@Andy ~]# uname -r
2.6.32-431.el6.x86_64
[root@Andy ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:E4:ED:85
          inet addr:172.16.1.10  Bcast:172.16.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fee4:ed85/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:89 errors:0 dropped:0 overruns:0 frame:0
          TX packets:80 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9993 (9.7 KiB)  TX bytes:9848 (9.6 KiB)

三、Network configuration

3.1、NAT server

[root@Andy ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=10.0.0.100
NETMASK=255.255.255.0
GATEWAY=10.0.0.2  //the default gateway must be set here or the server has no Internet access (on a VMware NAT network the gateway address is shown in the Virtual Network Editor)
DNS1=10.0.0.2
DNS2=223.5.5.5
IPV6INIT=no
USERCTL=no

[root@Andy ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1  //no GATEWAY on the inside interface: the server must have exactly one default route, and it goes out eth0
DEVICE=eth1
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=172.16.1.100
NETMASK=255.255.255.0
IPV6INIT=no
USERCTL=no

3.2、Internal client

[root@Andy ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=172.16.1.10
NETMASK=255.255.255.0
GATEWAY=172.16.1.100  //the NAT server's inside address is the client's default gateway
IPV6INIT=no
USERCTL=no

四、NAT server configuration

4.1、Enable IP forwarding

Until the next reboot:

[root@Andy ~]# echo 1 > /proc/sys/net/ipv4/ip_forward  //note the space: "echo 1>/proc/..." is parsed as a redirection of stdout and writes an empty line, not the value 1

Persistently:

(1) [root@Andy ~]# sed -i 's#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#g' /etc/sysctl.conf  //only matches the line if it is spelled exactly like this; verify with grep ip_forward /etc/sysctl.conf

or (2) edit the file by hand:
[root@Andy ~]# vim /etc/sysctl.conf
change net.ipv4.ip_forward from 0 to 1, otherwise the kernel will not forward packets between eth0 and eth1
[root@Andy ~]# sysctl -p  //reload /etc/sysctl.conf so the setting takes effect now and survives a reboot

Test from the client:

[root@Andy ~]# ping 10.0.0.100  //this only shows that the client reaches its gateway: 10.0.0.100 is an address of the gateway itself, so it answers even with ip_forward=0. Forwarding is really tested by the Internet ping in 4.2, once NAT is in place
PING 10.0.0.100 (10.0.0.100) 56(84) bytes of data.
64 bytes from 10.0.0.100: icmp_seq=1 ttl=64 time=0.137 ms
64 bytes from 10.0.0.100: icmp_seq=2 ttl=64 time=0.068 ms
64 bytes from 10.0.0.100: icmp_seq=3 ttl=64 time=0.071 ms
^C
--- 10.0.0.100 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2512ms
rtt min/avg/max/mdev = 0.068/0.092/0.137/0.031 ms
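The persistent change above only works if /etc/sysctl.conf contains the line net.ipv4.ip_forward = 0 spelled exactly that way; with different spacing, a commented-out line or no line at all, the sed silently changes nothing. The script below is an added example, not part of the original article: it sets a sysctl key idempotently (dropping any existing assignment of the key, whatever the spacing, and appending the new value), then applies it. The fallback write to /proc and the default path /etc/sysctl.conf are assumptions; set_sysctl_key can be pointed at a scratch copy of the file first.

```shell
#!/bin/sh
# Added example (not from the original article): persist and apply
# net.ipv4.ip_forward=1 without relying on the exact text of sysctl.conf.

# set_sysctl_key FILE KEY VALUE
# Rewrite FILE so that exactly one active "KEY = VALUE" line remains:
# existing assignments of KEY are dropped (any spacing, tab-indented or not),
# comments and other keys are left untouched, and the new line is appended.
# Keys that merely share a prefix (net.ipv4.ip_forward_use_pmtu) are kept.
set_sysctl_key() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)                 # ignore leading indentation
            if (index(line, key) == 1) {             # literal match: dots are not wildcards
                rest = substr(line, length(key) + 1)
                sub(/^[ \t]*/, "", rest)
                if (substr(rest, 1, 1) == "=") next  # an assignment of KEY: drop it
            }
            print                                    # everything else passes through
        }
        END { printf "%s = %s\n", key, value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"       # cat keeps the file's inode and mode
    status=$?
    rm -f "$tmp"
    return "$status"
}

# enable_ip_forward [SYSCTL_CONF]
# Make the setting permanent, then load it into the running kernel.
enable_ip_forward() {
    conf=${1:-/etc/sysctl.conf}
    set_sysctl_key "$conf" net.ipv4.ip_forward 1 || return 1
    # sysctl -p re-reads the file; fall back to the direct /proc write
    # (with the space that the article's "echo 1>/proc/..." is missing)
    sysctl -p "$conf" >/dev/null 2>&1 || echo 1 > /proc/sys/net/ipv4/ip_forward
}

# ip_forward_enabled: succeeds when the running kernel forwards IPv4
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

# Usage (as root on the NAT server): sh enable_forwarding.sh --apply
if [ "${1:-}" = --apply ]; then
    enable_ip_forward && ip_forward_enabled && echo "ip_forward is on"
fi
```

Matching is done on the literal key text rather than a regular expression, so the dots in net.ipv4.ip_forward are not treated as wildcards and a longer key with the same prefix is never clobbered.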

4.2、Configure NAT

On the NAT server:

iptables -t nat -F  //flush the existing rules in the nat table
iptables -F  //flush the existing rules in the filter table (this also removes any INPUT/OUTPUT rules protecting the server itself; use iptables -F FORWARD if the host firewall should stay)
iptables -P FORWARD ACCEPT  //set the filter table's FORWARD default policy to ACCEPT. This is not what enables forwarding (ip_forward does that); it only keeps iptables from dropping forwarded packets. It also means anything routable is forwarded in both directions; a production gateway keeps the policy at DROP and explicitly accepts inside-to-outside traffic plus ESTABLISHED,RELATED replies

Use one of the two source-NAT variants below; they are alternatives, not both at once:

(1) Static public IP: rewrite the source of everything from 172.16.1.0/24 to the fixed outside address (adding -o eth0 limits the rewrite to traffic actually leaving through the outside interface)

[root@Andy ~]# iptables -t nat -I POSTROUTING -s 172.16.1.0/24 -j SNAT --to 10.0.0.100
[root@Andy ~]# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 7 packets, 1009 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 3 packets, 206 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   353 SNAT       all  --  *      *       172.16.1.0/24        0.0.0.0/0           to:10.0.0.100
Chain OUTPUT (policy ACCEPT 3 packets, 206 bytes)
 pkts bytes target     prot opt in     out     source               destination

(2) Dynamic public IP (DHCP, PPPoE): MASQUERADE uses whatever address eth0 currently has

[root@Andy ~]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[root@Andy ~]# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Rules added this way are lost at reboot; on CentOS 6 run service iptables save to write them to /etc/sysconfig/iptables.

Test from the client:

[root@Andy ~]# ping www.baidu.com  //a reply from the Internet means routing, forwarding and NAT all work
PING www.a.shifen.com (180.149.132.151) 56(84) bytes of data.
64 bytes from 180.149.132.151: icmp_seq=1 ttl=127 time=11.3 ms
64 bytes from 180.149.132.151: icmp_seq=2 ttl=127 time=3.44 ms
64 bytes from 180.149.132.151: icmp_seq=3 ttl=127 time=4.69 ms
64 bytes from 180.149.132.151: icmp_seq=4 ttl=127 time=3.05 ms
^C
--- www.a.shifen.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3371ms
rtt min/avg/max/mdev = 3.057/5.642/11.367/3.361 ms
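The article flushes the whole filter table and sets FORWARD to ACCEPT, which turns the box into a router that forwards anything in either direction. The script below is an added example, not code from the original article: it builds the same SNAT gateway with a default-deny FORWARD chain and stateful rules, so only connections opened from the inside (and their replies) cross the gateway. Run without arguments it prints the rules for review; with --apply it loads them and saves them so they survive a reboot. The interface names, the inside subnet and the optional fixed outside address are parameters whose defaults are the lab's values.

```shell
#!/bin/sh
# Added example (not from the original article): SNAT gateway ruleset for a
# CentOS 6 router with a default-deny FORWARD chain. Defaults mirror the lab:
# eth1/172.16.1.0/24 inside, eth0 outside. Set WAN_IP for a fixed public
# address (SNAT); leave it empty to use MASQUERADE for a dynamic one.
LAN_IF=${LAN_IF:-eth1}
WAN_IF=${WAN_IF:-eth0}
LAN_NET=${LAN_NET:-172.16.1.0/24}
WAN_IP=${WAN_IP:-}

# rule ARGS...: with DRY_RUN=1 print the iptables command, otherwise run it
rule() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

gateway_rules() {
    rule -t nat -F                 # start from an empty nat table
    rule -F FORWARD                # flush FORWARD only; INPUT/OUTPUT (host firewall) stay
    rule -P FORWARD DROP           # nothing is forwarded unless a rule below allows it
    # inside hosts may open connections to the outside world...
    rule -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # ...and only replies to those connections are let back in (no unsolicited inbound)
    rule -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # source NAT on the outside interface only, for the inside subnet only
    if [ -n "$WAN_IP" ]; then
        rule -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
    else
        rule -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    fi
}

# persist_rules: CentOS 6 reloads /etc/sysconfig/iptables at boot
persist_rules() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "service iptables save"; else service iptables save; fi
}

# No arguments: print the ruleset. --apply (as root, with ip_forward=1): load and save it.
if [ "${1:-}" = --apply ]; then
    gateway_rules && persist_rules
else
    DRY_RUN=1
    gateway_rules
    persist_rules
fi
```

Because the SNAT rule carries both -s and -o, traffic between the gateway's own interfaces or from any other subnet is never rewritten by accident, and the ESTABLISHED,RELATED rule is what lets the translated replies come back while leaving the policy at DROP.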

CentOS 6.x NAT forwarding through two routers in series

一、Network topology

[Figure 2: network topology (iptables SNAT and DNAT lab, image 2)]

二、Lab environment

2.1、NAT server (R1)

[root@Andy ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[root@Andy ~]# uname -r
2.6.32-431.el6.x86_64
[root@Andy ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:E4:ED:85
          inet addr:10.0.0.100  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fee4:ed85/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:89 errors:0 dropped:0 overruns:0 frame:0
          TX packets:80 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9993 (9.7 KiB)  TX bytes:9848 (9.6 KiB)

eth1      Link encap:Ethernet  HWaddr 00:0C:29:E4:ED:8F
          inet addr:172.16.1.100  Bcast:172.16.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fee4:ed8f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:684 (684.0 b)  TX bytes:636 (636.0 b)

2.2、NAT server (R2)

[root@Andy ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[root@Andy ~]# uname -r
2.6.32-431.el6.x86_64
[root@Andy ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:E4:ED:85
          inet addr:172.16.1.10  Bcast:172.16.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fee4:ed85/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:89 errors:0 dropped:0 overruns:0 frame:0
          TX packets:80 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9993 (9.7 KiB)  TX bytes:9848 (9.6 KiB)

eth1      Link encap:Ethernet  HWaddr 00:0C:29:E4:ED:8F
          inet addr:172.16.2.3  Bcast:172.16.2.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fee4:ed8f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0

2.3、Client

[root@Andy ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[root@Andy ~]# uname -r
2.6.32-431.el6.x86_64
[root@Andy ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:E4:ED:85
          inet addr:172.16.2.100  Bcast:172.16.2.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fee4:ed85/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:89 errors:0 dropped:0 overruns:0 frame:0
          TX packets:80 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9993 (9.7 KiB)  TX bytes:9848 (9.6 KiB)

三、Network configuration

3.1、NAT server (R1)

[root@Andy ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=10.0.0.100
NETMASK=255.255.255.0
GATEWAY=10.0.0.2  //the default gateway must be set here or R1 has no Internet access (on a VMware NAT network the gateway address is shown in the Virtual Network Editor)
DNS1=10.0.0.2
DNS2=223.5.5.5
IPV6INIT=no
USERCTL=no

[root@Andy ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1  //no GATEWAY on the inside interface
DEVICE=eth1
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=172.16.1.100
NETMASK=255.255.255.0
IPV6INIT=no
USERCTL=no

3.2、NAT server (R2)

[root@Andy ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=172.16.1.10
NETMASK=255.255.255.0
GATEWAY=172.16.1.100  //R2's default route points at R1's inside address
IPV6INIT=no
USERCTL=no

[root@Andy ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1  //no GATEWAY on the inside interface
DEVICE=eth1
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=172.16.2.3
NETMASK=255.255.255.0
IPV6INIT=no
USERCTL=no

3.3、Internal client

[root@Andy ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=172.16.2.100
NETMASK=255.255.255.0
GATEWAY=172.16.2.3  //R2's inside address is the client's default gateway
IPV6INIT=no
USERCTL=no

四、NAT server configuration

4.1、Enable IP forwarding (R1)

Until the next reboot:

[root@Andy ~]# echo 1 > /proc/sys/net/ipv4/ip_forward  //note the space before ">"; without it the value is not written

Persistently:

(1) [root@Andy ~]# sed -i 's#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#g' /etc/sysctl.conf

or (2) [root@Andy ~]# vim /etc/sysctl.conf
change net.ipv4.ip_forward from 0 to 1, otherwise R1 will not forward packets
[root@Andy ~]# sysctl -p  //reload the file so the setting takes effect now

Test from R2:

[root@Andy ~]# ping 10.0.0.100  //as in the single-router setup this shows that R2 reaches R1 (10.0.0.100 is R1's own address); it does not yet prove forwarding
PING 10.0.0.100 (10.0.0.100) 56(84) bytes of data.
64 bytes from 10.0.0.100: icmp_seq=1 ttl=64 time=0.137 ms
64 bytes from 10.0.0.100: icmp_seq=2 ttl=64 time=0.068 ms
64 bytes from 10.0.0.100: icmp_seq=3 ttl=64 time=0.071 ms
^C
--- 10.0.0.100 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2512ms
rtt min/avg/max/mdev = 0.068/0.092/0.137/0.031 ms

4.2、Enable IP forwarding (R2)

Until the next reboot:

[root@Andy ~]# echo 1 > /proc/sys/net/ipv4/ip_forward

Persistently:

(1) [root@Andy ~]# sed -i 's#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#g' /etc/sysctl.conf

or (2) [root@Andy ~]# vim /etc/sysctl.conf
change net.ipv4.ip_forward from 0 to 1, otherwise R2 will not forward packets
[root@Andy ~]# sysctl -p  //reload the file so the setting takes effect now

Test from the client:

[root@Andy ~]# ping 172.16.1.10  //the client (172.16.2.100) reaches R2's outside address; again a reachability check, forwarding through both routers is confirmed by the Internet ping in 4.3
PING 172.16.1.10 (172.16.1.10) 56(84) bytes of data.
64 bytes from 172.16.1.10: icmp_seq=1 ttl=64 time=0.137 ms
64 bytes from 172.16.1.10: icmp_seq=2 ttl=64 time=0.068 ms
64 bytes from 172.16.1.10: icmp_seq=3 ttl=64 time=0.071 ms
^C
--- 172.16.1.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2512ms
rtt min/avg/max/mdev = 0.068/0.092/0.137/0.031 ms

4.3、Configure NAT

On R1:

iptables -t nat -F  //flush the nat table
iptables -F  //flush the filter table (this also removes any INPUT/OUTPUT rules protecting R1 itself)
iptables -P FORWARD ACCEPT  //FORWARD default policy ACCEPT: the kernel forwards because of ip_forward, this only keeps iptables from dropping the forwarded packets

Use one of the two variants:

(1) Static IP

[root@Andy ~]# iptables -t nat -I POSTROUTING -s 172.16.1.0/24 -j SNAT --to 10.0.0.100
[root@Andy ~]# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 7 packets, 1009 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 3 packets, 206 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   353 SNAT       all  --  *      *       172.16.1.0/24        0.0.0.0/0           to:10.0.0.100
Chain OUTPUT (policy ACCEPT 3 packets, 206 bytes)
 pkts bytes target     prot opt in     out     source               destination

Because R2 rewrites the client's address to 172.16.1.10 (below), R1 only ever sees sources in 172.16.1.0/24 and this single rule is enough; the client is translated twice on its way out (double NAT). The alternative is to give R1 a route to 172.16.2.0/24 via 172.16.1.10 and translate both subnets on R1, with R2 routing only.

(2) Dynamic IP

[root@Andy ~]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[root@Andy ~]# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

On R2:

iptables -t nat -F  //flush the nat table
iptables -F  //flush the filter table
iptables -P FORWARD ACCEPT  //FORWARD default policy ACCEPT

(1) Static IP: the client subnet 172.16.2.0/24 is translated to R2's address on the R1 side

[root@Andy ~]# iptables -t nat -I POSTROUTING -s 172.16.2.0/24 -j SNAT --to 172.16.1.10
[root@Andy ~]# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 7 packets, 1009 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 3 packets, 206 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   353 SNAT       all  --  *      *       172.16.2.0/24        0.0.0.0/0           to:172.16.1.10
Chain OUTPUT (policy ACCEPT 3 packets, 206 bytes)
 pkts bytes target     prot opt in     out     source               destination

(2) Dynamic IP

[root@Andy ~]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[root@Andy ~]# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Test from the client:

[root@Andy ~]# ping www.baidu.com  //a reply from the Internet means forwarding and NAT work on both routers
PING www.a.shifen.com (180.149.132.151) 56(84) bytes of data.
64 bytes from 180.149.132.151: icmp_seq=1 ttl=127 time=11.3 ms
64 bytes from 180.149.132.151: icmp_seq=2 ttl=127 time=3.44 ms
64 bytes from 180.149.132.151: icmp_seq=3 ttl=127 time=4.69 ms
64 bytes from 180.149.132.151: icmp_seq=4 ttl=127 time=3.05 ms
^C
--- www.a.shifen.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3371ms
rtt min/avg/max/mdev = 3.057/5.642/11.367/3.361 ms
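A successful ping shows that the path works, but not which router translated what. The script below is an added example, not code from the original article: it reads the kernel's connection-tracking table (/proc/net/nf_conntrack on CentOS 6), in which every entry records the original direction and the reply direction, and prints each connection whose source address was rewritten. Run on R2 it should show 172.16.2.100 being translated to 172.16.1.10; run on R1, 172.16.1.10 being translated to 10.0.0.100, which makes the double NAT visible. The sample lines embedded in the script are constructed to look like R1's table and are not real captures.

```shell
#!/bin/sh
# Added example (not from the original article): list the connections in the
# conntrack table whose source address was rewritten by SNAT/MASQUERADE.
# Each nf_conntrack line carries two src=/dst= pairs: the original direction
# and the reply direction. Without NAT, reply dst equals original src; with
# SNAT it is the gateway's outside address instead.

# snat_summary [FILE]: read conntrack lines from FILE or stdin and print
# "PROTO ORIG_SRC -> ORIG_DST translated to NAT_SRC" for every SNATed entry
snat_summary() {
    awk '
    {
        # /proc/net/nf_conntrack lines start with "ipv4 2 PROTO"; conntrack -L lines start with PROTO
        proto = ($1 == "ipv4") ? $3 : $1
        n = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/)      { n++; src[n] = substr($i, 5) }
            else if ($i ~ /^dst=/) { dst[n] = substr($i, 5) }
        }
        # src[1]/dst[1]: original direction, src[2]/dst[2]: reply direction
        if (n == 2 && dst[2] != src[1])
            printf "%s %s -> %s translated to %s\n", proto, src[1], dst[1], dst[2]
    }' "$@"
}

# Constructed sample of what R1 (10.0.0.100) would hold: an ICMP echo and a DNS
# query from the inside (both SNATed), and an SSH session to R1 itself (not NATed).
CONNTRACK_SAMPLE='ipv4     2 icmp     1 29 src=172.16.1.10 dst=180.149.132.151 type=8 code=0 id=4660 src=180.149.132.151 dst=10.0.0.100 type=0 code=0 id=4660 mark=0 secmark=0 use=2
ipv4     2 udp      17 29 src=172.16.1.10 dst=10.0.0.2 sport=33012 dport=53 src=10.0.0.2 dst=10.0.0.100 sport=53 dport=33012 mark=0 secmark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.2 dst=10.0.0.100 sport=50234 dport=22 src=10.0.0.100 dst=10.0.0.2 sport=22 dport=50234 [ASSURED] mark=0 secmark=0 use=2'

# snat_summary_sample: run the parser over the constructed sample
snat_summary_sample() {
    printf '%s\n' "$CONNTRACK_SAMPLE" | snat_summary
}

# On a gateway: sh snat_summary.sh /proc/net/nf_conntrack
if [ $# -gt 0 ]; then snat_summary "$@"; else snat_summary_sample; fi
```

The same parser accepts the output of conntrack -L (from the conntrack-tools package), whose lines lack the leading "ipv4 2" but are otherwise laid out identically.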

CentOS 6.x: configuring NAT for inbound address translation (DNAT)

一、Network topology

[Figure 3: network topology (iptables SNAT and DNAT lab, image 3)]

二、Lab environment

2.1、Outside client (PC1)

[root@appex ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[root@appex ~]# uname -r
2.6.32-431.el6.x86_64
[root@appex ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:0A:9E:EA
          inet addr:10.0.0.101  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe0a:9eea/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:350 errors:0 dropped:0 overruns:0 frame:0
          TX packets:168 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:28635 (27.9 KiB)  TX bytes:17098 (16.6 KiB)

2.2、NAT server (R1)

[root@Andy ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[root@Andy ~]# uname -r
2.6.32-431.el6.x86_64
[root@Andy ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:E4:ED:85
          inet addr:10.0.0.100  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fee4:ed85/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:89 errors:0 dropped:0 overruns:0 frame:0
          TX packets:80 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9993 (9.7 KiB)  TX bytes:9848 (9.6 KiB)

eth1      Link encap:Ethernet  HWaddr 00:0C:29:E4:ED:8F
          inet addr:172.16.1.100  Bcast:172.16.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fee4:ed8f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:684 (684.0 b)  TX bytes:636 (636.0 b)

2.3、NAT server (R2)

[root@Andy ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[root@Andy ~]# uname -r
2.6.32-431.el6.x86_64
[root@Andy ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:E4:ED:85
          inet addr:172.16.1.10  Bcast:172.16.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fee4:ed85/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:89 errors:0 dropped:0 overruns:0 frame:0
          TX packets:80 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9993 (9.7 KiB)  TX bytes:9848 (9.6 KiB)

eth1      Link encap:Ethernet  HWaddr 00:0C:29:E4:ED:8F
          inet addr:172.16.2.3  Bcast:172.16.2.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fee4:ed8f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0

2.4、Inside client (PC2)

[root@Andy ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[root@Andy ~]# uname -r
2.6.32-431.el6.x86_64
[root@Andy ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:E4:ED:85
          inet addr:172.16.2.100  Bcast:172.16.2.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fee4:ed85/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:89 errors:0 dropped:0 overruns:0 frame:0
          TX packets:80 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9993 (9.7 KiB)  TX bytes:9848 (9.6 KiB)

三、Network configuration

3.1、Outside client (PC1)

[root@appex ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=10.0.0.101
NETMASK=255.255.255.0
GATEWAY=10.0.0.2
DNS1=10.0.0.2
DNS2=223.5.5.5
IPV6INIT=no
USERCTL=no

3.2、NAT server (R1)

[root@Andy ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=10.0.0.100
NETMASK=255.255.255.0
GATEWAY=10.0.0.2  //the default gateway must be set here or R1 has no Internet access (on a VMware NAT network the gateway address is shown in the Virtual Network Editor)
DNS1=10.0.0.2
DNS2=223.5.5.5
IPV6INIT=no
USERCTL=no

[root@Andy ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1  //no GATEWAY on the inside interface
DEVICE=eth1
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=172.16.1.100
NETMASK=255.255.255.0
IPV6INIT=no
USERCTL=no

3.3、NAT server (R2)

[root@Andy ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=172.16.1.10
NETMASK=255.255.255.0
GATEWAY=172.16.1.100  //R2's default route points at R1's inside address
IPV6INIT=no
USERCTL=no

[root@Andy ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1  //no GATEWAY on the inside interface
DEVICE=eth1
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=172.16.2.3
NETMASK=255.255.255.0
IPV6INIT=no
USERCTL=no

3.4、Inside client (PC2)

[root@Andy ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=172.16.2.100
NETMASK=255.255.255.0
GATEWAY=172.16.2.3  //R2's inside address is PC2's default gateway
IPV6INIT=no
USERCTL=no

四、DNAT configuration and checks

4.1、Check from the outside client (PC1) before configuring: the replies come from R1 itself (ttl=64, the Linux default for a directly connected host)

[root@appex ~]# ping 10.0.0.100
PING 10.0.0.100 (10.0.0.100) 56(84) bytes of data.
64 bytes from 10.0.0.100: icmp_seq=1 ttl=64 time=5.43 ms
64 bytes from 10.0.0.100: icmp_seq=2 ttl=64 time=0.417 ms
64 bytes from 10.0.0.100: icmp_seq=3 ttl=64 time=0.425 ms
^C
--- 10.0.0.100 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2261ms
rtt min/avg/max/mdev = 0.417/2.092/5.435/2.363 ms

4.2、On the outside NAT server (R1)

[root@Andy ~]# iptables -t nat -I PREROUTING -d 10.0.0.100/32 -i eth0 -j DNAT --to 172.16.2.100  //every packet arriving on eth0 for 10.0.0.100 is now redirected to PC2, including SSH to R1 itself, so R1 can no longer be managed from the outside; in practice restrict the rule with -p tcp --dport 80 as in the summary. R1 also needs a route to 172.16.2.0/24 via R2 (ip route add 172.16.2.0/24 via 172.16.1.10, not shown in the original), otherwise the rewritten packets follow R1's default route out of eth0
[root@Andy ~]# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 15 packets, 2560 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    84 DNAT       all  --  eth0   *       0.0.0.0/0            10.0.0.100          to:172.16.2.100
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  209 14349 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT 5 packets, 343 bytes)
 pkts bytes target     prot opt in     out     source               destination

4.3、Check from the outside client (PC1) after configuring: the TTL has changed

[root@appex ~]# ping 10.0.0.100  //the address is unchanged, but the reply is now produced by the host behind the DNAT rather than by R1, so the TTL is no longer 64
PING 10.0.0.100 (10.0.0.100) 56(84) bytes of data.
64 bytes from 10.0.0.100: icmp_seq=1 ttl=127 time=5.51 ms
64 bytes from 10.0.0.100: icmp_seq=2 ttl=127 time=1.29 ms
64 bytes from 10.0.0.100: icmp_seq=3 ttl=127 time=1.29 ms
^C
--- 10.0.0.100 ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6817ms
rtt min/avg/max/mdev = 1.113/1.837/5.512/1.502 ms
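The DNAT rule above matches every packet that arrives on eth0 for 10.0.0.100, so from the outside the gateway's own services (SSH included) are silently handed to PC2, and with a default-deny FORWARD chain the rewritten packets would also need a matching accept rule. The helper below is an added example, not code from the original article: it publishes a single protocol/port and emits the nat rule together with the FORWARD rule it needs. The services it exposes (a web server on 172.16.2.100:80 and SSH reachable as 10.0.0.100:2222) are assumed lab values. Run without arguments it prints the rules; with --apply it loads them.

```shell
#!/bin/sh
# Added example (not from the original article): DNAT port forwarding that
# only redirects the published port and pairs the nat rule with the FORWARD
# accept it needs. Addresses default to the lab: outside eth0/10.0.0.100.
WAN_IF=${WAN_IF:-eth0}
WAN_IP=${WAN_IP:-10.0.0.100}

# rule ARGS...: with DRY_RUN=1 print the iptables command, otherwise run it
rule() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# publish PROTO PORT INTERNAL_IP [INTERNAL_PORT]
# Forward WAN_IP:PORT arriving on WAN_IF to INTERNAL_IP:INTERNAL_PORT.
publish() {
    proto=$1 port=$2 target=$3 tport=${4:-$2}
    # nat/PREROUTING runs before routing: only this one port is rewritten,
    # so SSH and everything else addressed to the gateway itself still reach it
    rule -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p "$proto" --dport "$port" -j DNAT --to-destination "$target:$tport"
    # FORWARD sees the packet after DNAT, so it must match the internal address/port
    rule -A FORWARD -i "$WAN_IF" -p "$proto" -d "$target" --dport "$tport" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Assumed lab services: PC2's web server as 10.0.0.100:80, and PC2's SSH as
# 10.0.0.100:2222 so the gateway's own port 22 stays reachable from outside.
publish_lab_services() {
    publish tcp 80 172.16.2.100
    publish tcp 2222 172.16.2.100 22
}

# No arguments: print the rules. --apply (as root): load them.
if [ "${1:-}" = --apply ]; then
    publish_lab_services
else
    DRY_RUN=1
    publish_lab_services
fi
```

In the two-router lab R1 additionally needs the route ip route add 172.16.2.0/24 via 172.16.1.10 (put the line 172.16.2.0/24 via 172.16.1.10 in /etc/sysconfig/network-scripts/route-eth1 to keep it across reboots); without it the packet whose destination was just rewritten to 172.16.2.100 leaves through R1's default route on eth0 instead of reaching R2.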

Summary:

NAT gateway / network firewall, eth0 = outside interface

Inside to outside (SNAT):

Dynamic IP: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Static IP: iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT --to 202.10.19.1

Outside to inside (DNAT, port forwarding):

iptables -t nat -A PREROUTING -i eth0 -d 202.10.19.1 -p tcp --dport 80 -j DNAT --to 192.168.0.10

In every case net.ipv4.ip_forward must be 1 and the filter table's FORWARD chain must accept the translated traffic; run service iptables save to keep the rules across a reboot.