Configuring NAT with iptables
1. Environment:
Clone a virtual machine, name it "gateway" and give it two NICs: eth0 bridged to the external network, eth1 on the host-only internal network. Clone a second virtual machine, name it "internal host" and put its NIC on the host-only network.
2. Configure NAT on the gateway:
1) Configure the gateway's IP addresses:
[root@localhost ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
HWADDR="00:0C:29:29:82:db"
NM_CONTROLLED="no"
ONBOOT="yes"
BOOTPROTO=dhcp
[root@localhost ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE="eth1"
HWADDR="00:0C:29:29:82:e5"
NM_CONTROLLED="no"
ONBOOT="yes"
BOOTPROTO=static
IPADDR=192.168.100.95
NETMASK=255.255.255.0
DNS1=192.168.100.95
2) Enable routing:
[root@localhost ~]# echo nameserver 202.106.0.20 > /etc/resolv.conf ##set the DNS server
[root@localhost ~]# sed -i '/ip_forward/s/0/1/' /etc/sysctl.conf && sysctl -p ##enable IP forwarding (-i edits the file in place; without it sysctl -p reloads the unchanged value 0)
[root@localhost ~]# ip a sh eth0 ##check the address the external NIC got from DHCP: 192.168.20.107/24
3) Configure SNAT:
/etc/init.d/iptables stop ##flush the firewall rules
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eth0 -j SNAT --to-source 192.168.20.107 ##SNAT rule
iptables -t nat -L -n ##list the rules in the nat table
iptables -L ##list the rules in the filter table
iptables -P INPUT DROP ##set the default policies
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A FORWARD -s 192.168.100.0/24 -j ACCEPT ##allow forwarding for the internal network
iptables -A FORWARD -d 192.168.100.0/24 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -L -n
iptables -t nat -A PREROUTING -i eth0 -d 192.168.20.107 -p tcp --dport 80 -j DNAT --to-destination 192.168.100.250:80 ##publish the web server
iptables -L -n -t nat
iptables -t nat -A PREROUTING -i eth0 -d 192.168.20.107 -p tcp --dport 20:21 -j DNAT --to-destination 192.168.100.250 ##publish ftp
iptables -L -n -t nat
modprobe ip_nat_ftp ##load the ftp connection-tracking helper
lsmod |grep ftp ##confirm the module is loaded
iptables -t nat -A PREROUTING -i eth0 -d 192.168.20.107 -p tcp --dport 3333 -j DNAT --to-destination 192.168.100.250:22 ##publish ssh on a non-standard public port
/etc/init.d/iptables save ##save the firewall rules
cat /etc/sysconfig/iptables
3. Configure the internal server:
1) Configure the IP address and services:
ifconfig eth1 192.168.100.250
route add default gw 192.168.100.95
route -n
mount /dev/cdrom /mnt
yum -y install httpd vsftpd
/etc/init.d/sshd restart
/etc/init.d/httpd restart
/etc/init.d/vsftpd restart
2) Configure the server's host firewall:
/etc/init.d/iptables stop
iptables -P INPUT DROP ##set the default policies
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 20:22,80 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/etc/init.d/iptables save
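The two rulesets built above, the gateway NAT and filter rules of section 2 and the server host firewall of section 3, as an added example that is not part of the original post: a shell script that renders them in iptables-restore format, the same layout that /etc/init.d/iptables save writes to /etc/sysconfig/iptables. The addresses and interfaces are the ones used in the post; the function and variable names (publish_tcp, render_gateway_rules, render_server_rules, the script name nat-rules.sh) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): render the tutorial's rulesets
# in iptables-restore format so they can be syntax-checked and loaded as one
# unit instead of typed rule by rule. Function names are this example's own.

WAN_IF=eth0                # bridged NIC, 192.168.20.107/24 via DHCP
WAN_IP=192.168.20.107
LAN_NET=192.168.100.0/24
SERVER=192.168.100.250     # internal web/ftp/ssh host

# publish_tcp PUBLIC_PORTS [TARGET_PORT]
# Emit one PREROUTING DNAT rule. PUBLIC_PORTS is a port or a range such as
# 20:21. With TARGET_PORT the service is remapped (3333 -> 22); without it
# the port is kept. Remapping a range onto a single port is rejected, since
# iptables would accept it but send the whole range (e.g. ftp 20 and 21) to
# one port.
publish_tcp() {
    pt_ports=$1
    pt_target=$2
    case "$pt_ports" in
        *:*)
            if [ -n "$pt_target" ]; then
                echo "publish_tcp: cannot remap range $pt_ports to a single port" >&2
                return 1
            fi ;;
    esac
    if [ -n "$pt_target" ]; then
        pt_dest="$SERVER:$pt_target"
    else
        pt_dest="$SERVER"
    fi
    printf '%s\n' "-A PREROUTING -i $WAN_IF -d $WAN_IP -p tcp --dport $pt_ports -j DNAT --to-destination $pt_dest"
}

# Gateway: nat table (SNAT for outbound traffic, DNAT for the published
# services), then the filter table with DROP default policies. Loading the
# file atomically means the INPUT DROP policy and the ESTABLISHED,RELATED
# rule take effect together, so an admin session to the gateway survives.
render_gateway_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP
EOF
    publish_tcp 80 80      # web
    publish_tcp 20:21      # ftp control and active-data ports; needs the ftp helper module
    publish_tcp 3333 22    # ssh on a non-standard public port
    cat <<EOF
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $LAN_NET -j ACCEPT
-A FORWARD -d $LAN_NET -j ACCEPT
COMMIT
EOF
}

# Internal server: host firewall that accepts only the published services
# and replies to its own connections. "-p tcp" comes before "-m multiport",
# which needs the protocol already set.
render_server_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m multiport --dports 20:22,80 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Usage: ./nat-rules.sh gateway | iptables-restore --test   (parse only)
#        ./nat-rules.sh gateway | iptables-restore          (load)
case "${1:-}" in
    gateway) render_gateway_rules ;;
    server)  render_server_rules ;;
esac
```

Run it as ./nat-rules.sh gateway | iptables-restore --test on the gateway (and the server variant on the internal host) to have iptables parse the ruleset without committing it, then drop --test to load it; afterwards /etc/init.d/iptables save persists it exactly as shown in the post.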
4. Test:
From the physical host:
http://192.168.20.107
ssh -p 3333 [email protected]
ftp 192.168.20.107