s10.Linux防火墙实战案例 -- 实现SNAT(二)



2.实现SNAT

范例: 实现SNAT

010.jpg

011.jpg

#启用路由转发(内核参数 net.ipv4.ip_forward), 并清空 FORWARD 链; 注意下面 FORWARD 链的默认策略是 ACCEPT, 所以清空后转发流量不经任何过滤
[root@firewall ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@firewall ~]# sysctl -p
[root@firewall ~]# iptables -F FORWARD
[root@firewall ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  539 41446 ACCEPT     all  --  *      *       172.31.0.1           0.0.0.0/0           
​
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
​
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 
[root@firewall ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
​
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
​
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
​
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
​
root@internal:~# ip route
default via 10.0.1.8 dev eth0 proto static 
10.0.0.0/21 dev eth0 proto kernel scope link src 10.0.2.18 
root@internal:~# ip route del default via 10.0.1.8 dev eth0 proto static 
root@internal:~# ip route
10.0.0.0/21 dev eth0 proto kernel scope link src 10.0.2.18 
root@internal:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.248.0   U     0      0        0 eth0
​
[root@lanserver1 ~]# ping 10.0.2.18
PING 10.0.2.18 (10.0.2.18) 56(84) bytes of data.
^C
--- 10.0.2.18 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms
#现在不能访问外网: internal 主机已删除默认路由, 只能直达 10.0.0.0/21, 来自 172.31.0.0/21 的源地址无法回包
​
#专线(出口地址固定)用这种写法, 用 --to-source 指定固定的出口地址
[root@firewall ~]# iptables -t nat -A POSTROUTING -s 172.31.0.0/21 ! -d 172.31.0.0/21 -j SNAT --to-source 10.0.1.8
[root@firewall ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
​
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
​
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SNAT       all  --  *      *       172.31.0.0/21       !172.31.0.0/21        to:10.0.1.8
​
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
​
[root@lanserver1 ~]# ping 10.0.2.18
PING 10.0.2.18 (10.0.2.18) 56(84) bytes of data.
64 bytes from 10.0.2.18: icmp_seq=1 ttl=63 time=0.991 ms
64 bytes from 10.0.2.18: icmp_seq=2 ttl=63 time=0.772 ms
^C
--- 10.0.2.18 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.772/0.881/0.991/0.113 ms
#现在可以访问外网
​
[root@lanserver1 ~]# ssh 10.0.2.18
The authenticity of host '10.0.2.18 (10.0.2.18)' can't be established.
ECDSA key fingerprint is SHA256:qpGGRZMZmKcuTZ1oJu+kOfhJttFGy7jgM1HTJTdRe7g.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.2.18' (ECDSA) to the list of known hosts.
root@10.0.2.18's password: 
​
root@internal:~# ss -nt
State          Recv-Q            Send-Q                        Local Address:Port                       Peer Address:Port            
ESTAB          0                 0                                 10.0.2.18:22                             10.0.0.1:59919           
ESTAB          0                 0                               172.31.2.18:22                           172.31.0.1:59736           
ESTAB          0                 0                                 10.0.2.18:22                             10.0.1.8:50948    # 可以看到连接来自 10.0.1.8 (SNAT 之后的地址), 看不到内网 IP
ESTAB          0                 0                                 10.0.2.18:22                             10.0.0.1:59920           
ESTAB          0                 0                               172.31.2.18:22                           172.31.0.1:59735 
​
[root@firewall ~]# iptables -F -t nat
[root@firewall ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
​
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
​
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
​
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
 
[root@lanserver ~]# ping 10.0.2.18
PING 10.0.2.18 (10.0.2.18) 56(84) bytes of data.
#删除 SNAT 规则后又 ping 不通了
​
#拨号网络和专线都可以用 MASQUERADE(地址伪装): 不指定 --to-source, 自动使用出口网卡的地址
[root@firewall ~]# iptables -t nat -A POSTROUTING -s 172.31.0.0/21 ! -d 172.31.0.0/21 -j MASQUERADE
[root@firewall ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
​
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
​
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      *       172.31.0.0/21       !172.31.0.0/21       
​
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination  
​
[root@lanserver1 ~]# ping 10.0.2.18
PING 10.0.2.18 (10.0.2.18) 56(84) bytes of data.
64 bytes from 10.0.2.18: icmp_seq=1 ttl=63 time=0.860 ms
64 bytes from 10.0.2.18: icmp_seq=2 ttl=63 time=0.806 ms
64 bytes from 10.0.2.18: icmp_seq=3 ttl=63 time=0.621 ms
^C
--- 10.0.2.18 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.621/0.762/0.860/0.104 ms
#现在可以访问外网