iptables NAT configuration

1. Environment:

Clone a virtual machine, name it "gateway" and add a second network adapter (the first, eth0, is bridged to the external network; the second, eth1, is host-only for the internal network). Clone another virtual machine, name it "internal host", and give it a single host-only adapter.

2. Configure NAT on the gateway:

1) Configure the gateway's IP addresses:

[root@localhost ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE="eth0"

HWADDR="00:0C:29:29:82:db"

NM_CONTROLLED="no"

ONBOOT="yes"

BOOTPROTO=dhcp


[root@localhost ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1

DEVICE="eth1"

HWADDR="00:0C:29:29:82:e5"

NM_CONTROLLED="no"

ONBOOT="yes"

BOOTPROTO=static

IPADDR=192.168.100.95

NETMASK=255.255.255.0

DNS1=192.168.100.95

2) Enable routing:

[root@localhost ~]# echo nameserver 202.106.0.20 > /etc/resolv.conf   ## set the DNS server

[root@localhost ~]# sed -i '/ip_forward/s/0/1/g' /etc/sysctl.conf && sysctl -p  ## enable IP forwarding (sed needs -i to edit the file in place; without it the file is unchanged and sysctl -p reloads ip_forward = 0)

[root@localhost ~]# ip a sh eth0   ## check the address eth0 obtained via DHCP on the external network: 192.168.20.107/24

3) Configure SNAT:

/etc/init.d/iptables stop  ## stopping the service flushes the firewall rules

iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eth0 -j SNAT --to-source 192.168.20.107  ## SNAT rule

iptables -t nat -L -n   ## list the rules in the nat table

iptables -L   ## list the rules in the filter table

iptables -P INPUT DROP   ## set the default policies

iptables -P FORWARD DROP

iptables -P OUTPUT ACCEPT

iptables -A FORWARD -s 192.168.100.0/24 -j ACCEPT   ## allow forwarding for the internal network

iptables -A FORWARD -d 192.168.100.0/24 -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -L -n

iptables -t nat -A PREROUTING -i eth0 -d 192.168.20.107 -p tcp --dport 80 -j DNAT --to-destination 192.168.100.250:80  ## publish the web server

iptables -L -n -t nat

iptables -t nat -A PREROUTING -i eth0 -d 192.168.20.107 -p tcp --dport 20:21 -j DNAT --to-destination 192.168.100.250  ## publish FTP

iptables -L -n -t nat

modprobe ip_nat_ftp   ## load the FTP NAT helper module

lsmod |grep ftp   ## confirm the module is loaded

iptables -t nat -A PREROUTING -i eth0 -d 192.168.20.107 -p tcp --dport 3333 -j DNAT --to-destination 192.168.100.250:22  ## publish SSH

/etc/init.d/iptables  save  ## save the firewall rules

cat  /etc/sysconfig/iptables
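The gateway steps above (forwarding, SNAT, default policies, the three DNAT publications and the FTP helper), collected into one reviewable script. This is an added example, not the post's own command sequence. It keeps the post's addresses and interfaces (eth0 / 192.168.20.107 external, 192.168.100.0/24 internal, 192.168.100.250 as the published server) and assumes a CentOS 6 style system with /etc/init.d/iptables. It differs from the post in two places, both marked in comments: sed is given -i so the sysctl change actually lands in the file, and the blanket FORWARD accept for -d 192.168.100.0/24 is replaced by a state match plus one explicit FORWARD rule per published port, so the gateway only forwards inbound connections it has actually translated.

```shell
#!/bin/sh
# Gateway NAT setup collected from the walkthrough above. Added example, not the
# post's own script. Addresses and interfaces are the ones used in the post:
#   eth0 = external interface (192.168.20.107), eth1 = internal (192.168.100.0/24),
#   192.168.100.250 = the internal server that is published.
# DRY_RUN=1 (the default) only prints each command, so the script can be reviewed
# on any machine; run it as root with DRY_RUN=0 on the gateway to apply the rules.
EXT_IF=eth0
EXT_IP=192.168.20.107
LAN_NET=192.168.100.0/24
SERVER=192.168.100.250
DRY_RUN=${DRY_RUN:-1}

# run CMD...: print the command in dry-run mode, execute it otherwise
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

enable_forwarding() {
    # sed needs -i to edit /etc/sysctl.conf in place; without it (as in the post)
    # the file is unchanged and "sysctl -p" re-applies ip_forward = 0
    run sed -i 's/^net.ipv4.ip_forward *= *0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
    run sysctl -w net.ipv4.ip_forward=1
}

reset_tables() {
    # equivalent of "/etc/init.d/iptables stop": flush both tables
    for t in filter nat; do
        run iptables -t "$t" -F
        run iptables -t "$t" -X
    done
}

set_policies() {
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

add_snat() {
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$EXT_IF" -j SNAT --to-source "$EXT_IP"
    # LAN hosts may open connections outward; only replies and related traffic
    # (e.g. FTP data connections, via the helper) may come back in. This replaces
    # the post's blanket "-d 192.168.100.0/24 -j ACCEPT", which also admits
    # unsolicited inbound packets for any internal host and port.
    run iptables -A FORWARD -s "$LAN_NET" -o "$EXT_IF" -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# publish EXT_PORT [INT_PORT]: DNAT an external tcp port (or range) to the server
# and admit exactly that traffic in FORWARD; an empty INT_PORT keeps the port(s)
publish() {
    ext_port=$1
    int_port=$2
    if [ -n "$int_port" ]; then dest="$SERVER:$int_port"; else dest=$SERVER; fi
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport "$ext_port" \
        -j DNAT --to-destination "$dest"
    run iptables -A FORWARD -i "$EXT_IF" -d "$SERVER" -p tcp --dport "${int_port:-$ext_port}" \
        -m state --state NEW -j ACCEPT
}

configure_gateway() {
    enable_forwarding
    reset_tables
    set_policies
    add_snat
    publish 80 80            # web
    publish 20:21            # ftp control and active-mode data ports
    run modprobe nf_nat_ftp  # FTP NAT helper (current name of the post's ip_nat_ftp)
    publish 3333 22          # ssh reachable on external port 3333
    run /etc/init.d/iptables save
}

configure_gateway
```

The default dry run prints the exact iptables commands, which is also a convenient way to compare the intended rules against iptables-save output from the running gateway before applying them with DRY_RUN=0.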

3. Configure the internal server:

1) Configure the IP address and services:

ifconfig eth1 192.168.100.250

route add default gw 192.168.100.95   ## "gw" is required; without it route rejects the command

route -n

mount /dev/cdrom /mnt

yum -y install httpd vsftpd 

/etc/init.d/sshd  restart

/etc/init.d/httpd restart

/etc/init.d/vsftpd restart


2) Configure the server's host-based firewall:

/etc/init.d/iptables  stop

iptables -P INPUT DROP   ## set the default policies

iptables -P FORWARD DROP

iptables -P OUTPUT ACCEPT

iptables -A INPUT -m multiport -p tcp --dports 20:22,80  -j ACCEPT   ## multiport takes --dports (a port list, ranges allowed)

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

/etc/init.d/iptables save


4. Test:

Access from the physical host:

http://192.168.20.107

ssh -p 3333 [email protected]

ftp 192.168.20.107
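The saved ruleset from "/etc/init.d/iptables save" (section 2) can be checked offline as well as by the live test above. The script below is an added example, not from the post: it parses an iptables-save file and reports every DNAT target in the nat table that no FORWARD ACCEPT rule admits, which is the usual reason a published service is translated but never reaches the internal server when FORWARD defaults to DROP. The embedded ruleset is a constructed sample modelled on the post's rules in their per-service form, with one extra publication (tcp/3306 to 192.168.100.251) added deliberately without its FORWARD rule so the check has something to find; point it at /etc/sysconfig/iptables to audit a real gateway.

```shell
#!/bin/sh
# Audit of a saved gateway ruleset in iptables-save format (what
# "/etc/init.d/iptables save" writes to /etc/sysconfig/iptables).
# Added example, not part of the post. It checks that every DNAT target in the
# nat table has a matching FORWARD ACCEPT rule in the filter table.
# SAMPLE is a constructed ruleset modelled on the walkthrough, with one extra
# DNAT rule (3306 to 192.168.100.251) that lacks its FORWARD rule.
SAMPLE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -d 192.168.20.107/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.100.250:80
-A PREROUTING -i eth0 -d 192.168.20.107/32 -p tcp -m tcp --dport 20:21 -j DNAT --to-destination 192.168.100.250
-A PREROUTING -i eth0 -d 192.168.20.107/32 -p tcp -m tcp --dport 3333 -j DNAT --to-destination 192.168.100.250:22
-A PREROUTING -i eth0 -d 192.168.20.107/32 -p tcp -m tcp --dport 3306 -j DNAT --to-destination 192.168.100.251:3306
-A POSTROUTING -s 192.168.100.0/24 -o eth0 -j SNAT --to-source 192.168.20.107
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.100.0/24 -o eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -d 192.168.100.250/32 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -d 192.168.100.250/32 -p tcp -m tcp --dport 20:21 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -d 192.168.100.250/32 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT'
RULES_FILE=${TMPDIR:-/tmp}/nat-audit-sample.$$
printf '%s\n' "$SAMPLE" > "$RULES_FILE"
trap 'rm -f "$RULES_FILE"' EXIT

# list_dnat FILE: print "host port" for every DNAT rule in the nat table; when
# --to-destination carries no port (the post's ftp rule) the external --dport
# is kept, which is also what the kernel does
list_dnat() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /-j DNAT/ {
            ext = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") ext = $(i + 1)
                if ($i == "--to-destination") dst = $(i + 1)
            }
            n = split(dst, part, ":")
            print part[1], (n > 1 ? part[2] : ext)
        }' "$1"
}

# forward_allows FILE HOST PORT: succeed if a FORWARD ACCEPT rule names HOST
# (with or without /32) and either PORT or no port at all. A subnet-wide accept
# such as "-d 192.168.100.0/24 -j ACCEPT" is deliberately not recognised: the
# audit requires a per-service rule for each published port.
forward_allows() {
    awk -v host="$2" -v port="$3" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == "-A" && $2 == "FORWARD" && /-j ACCEPT/ {
            d = ""; p = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-d") { d = $(i + 1); sub(/\/32$/, "", d) }
                if ($i == "--dport") p = $(i + 1)
            }
            if (d == host && (p == "" || p == port)) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# missing_targets FILE: one "host:port" line per DNAT target with no FORWARD rule
missing_targets() {
    list_dnat "$1" | while read -r host port; do
        forward_allows "$1" "$host" "$port" || echo "$host:$port"
    done
}

# audit_report FILE: human-readable verdict for every published service
audit_report() {
    list_dnat "$1" | while read -r host port; do
        if forward_allows "$1" "$host" "$port"; then
            echo "ok       $host:$port"
        else
            echo "MISSING  $host:$port is translated but no FORWARD rule admits it"
        fi
    done
}

audit_report "$RULES_FILE"
```

On the sample the report marks the three services from the post as ok and flags 192.168.100.251:3306; on a real gateway the same MISSING line is the symptom behind "the DNAT rule is there but the client just hangs", since the translated packet is dropped by the FORWARD policy and shows up only as a rising count in the chain's policy counter.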