02 Classic SNAT and DNAT Case Study

1. Requirements
  • An external host accesses port 80 on the firewall's address 11.135; the connection is translated to port 80 on the internal server 25.132
  • Traffic leaving the internal network has its source address translated to 11.135
2. Environment
  • Three CentOS 7 hosts
  • The three hosts can reach each other

I. Environment Setup

1. Basic configuration of the three CentOS 7 hosts

  • Internal server configuration
# Change to a static IP
[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
[root@localhost ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="static"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="ens33"
UUID="7f087dc4-11ef-4b12-87ba-fb174e47e355"
DEVICE="ens33"
ONBOOT="yes"
IPADDR=192.168.25.132
NETMASK=255.255.255.0
GATEWAY=192.168.25.135			# The gateway points to the iptables firewall
# Start the web service so that port 80 is reachable
[root@localhost ~]# /opt/lampp/lampp start
Starting XAMPP for Linux 5.6.40-1...
XAMPP: Starting Apache...ok.
XAMPP: Starting MySQL...ok.
XAMPP: Starting ProFTPD...ok.
  • Browse to the server to check that the service has started

  • If you have not set this up before, see the earlier tutorial:

  • Installing httpd from source

  • iptables firewall configuration

Add a second network interface to the firewall host

# The firewall's IPs can be assigned by DHCP or set statically
# Enable IP forwarding
[root@localhost ~]# echo net.ipv4.ip_forward = 1 >> /etc/sysctl.conf
[root@localhost ~]# cat /etc/sysctl.conf 
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.ip_forward = 1
# Apply the setting just configured
[root@localhost ~]# sysctl -p /etc/sysctl.conf 
net.ipv4.ip_forward = 1
  • External host
  • Bridged directly to the physical network
[root@CentOS7-4 ~]# ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 0.0.0.0
        ether 02:42:ea:ee:fe:64  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.11.38  netmask 255.255.255.0  broadcast 192.168.11.255
        inet6 fe80::fda6:6bd9:e8be:4183  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:b6:ef:bb  txqueuelen 1000  (Ethernet)
        RX packets 13533  bytes 1791081 (1.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 405  bytes 35952 (35.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 8  bytes 832 (832.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8  bytes 832 (832.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

  • Verify connectivity
# The internal host pings the firewall
[root@localhost ~]# ping 192.168.25.135
PING 192.168.25.135 (192.168.25.135) 56(84) bytes of data.
64 bytes from 192.168.25.135: icmp_seq=1 ttl=64 time=1.33 ms
64 bytes from 192.168.25.135: icmp_seq=2 ttl=64 time=0.283 ms
64 bytes from 192.168.25.135: icmp_seq=3 ttl=64 time=0.370 ms
64 bytes from 192.168.25.135: icmp_seq=4 ttl=64 time=0.477 ms
# The firewall pings the external host
[root@localhost ~]# ping 192.168.11.38
PING 192.168.11.38 (192.168.11.38) 56(84) bytes of data.
64 bytes from 192.168.11.38: icmp_seq=1 ttl=64 time=0.382 ms
64 bytes from 192.168.11.38: icmp_seq=2 ttl=64 time=0.293 ms
64 bytes from 192.168.11.38: icmp_seq=3 ttl=64 time=0.794 ms
2. Deploy the iptables policy
# Inbound packets for port 80 of 11.135: rewrite the destination to the internal web server 25.132
[root@localhost ~]# iptables -t nat -I PREROUTING -d 192.168.11.135 -p tcp --dport 80 -i ens35 -j DNAT --to 192.168.25.132
# Outbound packets with source IP 25.132: rewrite the source address to 11.135
[root@localhost ~]# iptables -t nat -A POSTROUTING -s 192.168.25.132 -o ens35 -j SNAT --to-source 192.168.11.135
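As an added example (not from the original post), the same policy rendered as an iptables-restore file, with a check that the DNAT target really is the internal web server and not the firewall's own internal address; it goes beyond the post by also restricting the FORWARD chain, which the post leaves at its default. The interface names ens35 (external) and ens33 (internal) on the firewall are assumptions.

```bash
#!/bin/bash
# Added example (not from the original post): render the lab's NAT policy as an
# iptables-restore file after sanity-checking the DNAT target. Assumed NIC
# names on the firewall: ens35 = external (11.135), ens33 = internal (25.135).
set -eu
EXT_IF=ens35; EXT_IP=192.168.11.135
INT_IF=ens33; INT_IP=192.168.25.135; INT_NET=192.168.25.0/24
WEB_SERVER=192.168.25.132; WEB_PORT=80

# in_net24 ADDR NET/24 : succeeds when ADDR shares the first three octets of NET
in_net24() {
    local addr_prefix="${1%.*}" net="${2%%/*}"
    [ "$addr_prefix" = "${net%.*}" ]
}

# The DNAT target must be an internal host other than the firewall's own
# internal address; pointing DNAT at the firewall sends clients to the firewall
# itself instead of the web server.
check_dnat_target() {
    in_net24 "$1" "$INT_NET" || { echo "DNAT target $1 is not in $INT_NET" >&2; return 1; }
    [ "$1" != "$INT_IP" ] || { echo "DNAT target $1 is the firewall itself" >&2; return 1; }
}

# Print the ruleset; load it on the firewall with: iptables-restore < nat.rules
# NOTE: iptables-restore replaces the whole filter table, so merge the *filter
# section with any INPUT/OUTPUT rules the host already has.
render_rules() {
    check_dnat_target "$WEB_SERVER" || return 1
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT: connections to $EXT_IP:$WEB_PORT from outside are rewritten to the web server
-A PREROUTING -i $EXT_IF -d $EXT_IP -p tcp --dport $WEB_PORT -j DNAT --to-destination $WEB_SERVER:$WEB_PORT
# SNAT: traffic leaving the internal network appears to come from the firewall's external IP
-A POSTROUTING -s $INT_NET -o $EXT_IF -j SNAT --to-source $EXT_IP
COMMIT
*filter
:FORWARD DROP [0:0]
# Forward only the DNAT'ed web flow, outbound internal traffic, and their replies
-A FORWARD -i $EXT_IF -o $INT_IF -d $WEB_SERVER -p tcp --dport $WEB_PORT -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

render_rules
```

The SNAT rule covers the whole 192.168.25.0/24 network rather than only 25.132, matching the requirement that all internal hosts leave with the firewall's address.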
3. Verification
# Access the firewall from the external host
[root@CentOS7-4 ~]# curl 192.168.11.135

Use Wireshark to capture the packets and take a look

You can also access it from the browser on the local machine

The internal server and the iptables host can be placed in VLAN 1 to form an internal network
