3.实现DNAT
[root@lanserver1 ~]# curl 172.31.0.7
lan web site
root@internal:~# curl 172.31.0.7
curl: (7) Couldn't connect to server
#外部主机无法直接访问内网 web 服务器 172.31.0.7,需要在防火墙上做 DNAT
[root@firewall ~]# iptables -t nat -A PREROUTING -d 10.0.1.8 -p tcp --dport 80 -j DNAT --to-destination 172.31.0.7:80
[root@firewall ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 10.0.1.8 tcp dpt:80 to:172.31.0.7:80
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2 144 MASQUERADE all -- * * 172.31.0.0/21 !172.31.0.0/21
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
root@internal:~# curl 172.31.0.7
curl: (7) Couldn't connect to server
root@internal:~# curl 10.0.1.8
lan web site
#通过防火墙的公网 IP 10.0.1.8 即可访问到内网 web 服务。注意该 DNAT 规则未限制源地址(source 为 0.0.0.0/0),任何能到达 10.0.1.8:80 的主机都会被转发到 172.31.0.7;DNAT 只改写目标地址,客户端源地址保持不变,所以下面 access_log 记录的是客户端地址 10.0.2.18
[root@lanserver1 ~]# tail -f /var/log/httpd/access_log
10.0.2.18 - - [10/Nov/2021:18:15:29 +0800] "GET / HTTP/1.1" 200 13 "-" "curl/7.58.0"
[root@firewall ~]# ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
root@internal:~# telnet 10.0.1.8 80
Trying 10.0.1.8...
Connected to 10.0.1.8.
Escape character is '^]'.
GET / HTTP/1.1
host: 1.1.1.1
HTTP/1.1 200 OK
Date: Wed, 10 Nov 2021 10:18:00 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Wed, 10 Nov 2021 08:55:27 GMT
ETag: "d-5d06b6333d6f6"
Accept-Ranges: bytes
Content-Length: 13
Content-Type: text/html; charset=UTF-8
lan web site
Connection closed by foreign host.
[root@lanserver1 ~]# ss -nt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 172.31.0.7:22 172.31.0.1:59962
ESTAB 0 52 172.31.0.7:22 172.31.0.1:59961
ESTAB 0 0 [::ffff:172.31.0.7]:80 [::ffff:10.0.2.18]:39688
[root@firewall ~]# cat /proc/net/nf_conntrack
ipv4 2 tcp 6 299 ESTABLISHED src=172.31.1.8 dst=172.31.0.1 sport=22 dport=59400 src=172.31.0.1 dst=172.31.1.8 sport=59400 dport=22 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 88 TIME_WAIT src=10.0.2.18 dst=10.0.1.8 sport=39688 dport=80 src=172.31.0.7 dst=10.0.2.18 sport=80 dport=39688 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 55 TIME_WAIT src=10.0.2.18 dst=10.0.1.8 sport=39686 dport=80 src=172.31.0.7 dst=10.0.2.18 sport=80 dport=39686 [ASSURED] mark=0 zone=0 use=2
4.REDIRECT 转发
范例:
[root@lanserver1 ~]# vim /etc/httpd/conf/httpd.conf
Listen 8080
[root@lanserver1 ~]# systemctl restart httpd
[root@lanserver1 ~]# ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 100 [::1]:25 [::]:*
LISTEN 0 128 [::]:8080 [::]:*
root@internal:~# curl 10.0.1.8
curl: (7) Failed to connect to 10.0.1.8 port 80: Connection refused
#httpd 已改为只监听 8080,直接访问 80 端口被拒绝,不能访问内网 web 服务
#在 web 服务器上设置 REDIRECT 规则,将发往本机 80 端口的请求重定向到 8080 端口
[root@lanserver1 ~]# iptables -t nat -A PREROUTING -d 172.31.0.7 -p tcp --dport 80 -j REDIRECT --to-ports 8080
[root@lanserver1 ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- * * 0.0.0.0/0 172.31.0.7 tcp dpt:80 redir ports 8080
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1 packets, 124 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1 packets, 124 bytes)
pkts bytes target prot opt in out source destination
root@internal:~# curl 10.0.1.8
lan web site