新网创想网站建设,新征程启航
为企业提供网站建设、域名注册、服务器等服务
配置iptables防火墙(二)
创新互联建站专业为企业提供利川网站建设、利川做网站、利川网站设计、利川网站制作等企业网站建设、网页设计与制作、利川企业网站模板建站服务,10余年利川做网站经验,不只是建网站,更提供有价值的思路和整体网络服务。DNAT策略的应用
1、清空所有表的防火墙
[root@s2 ~]# iptables -F
[root@s2 ~]# iptables -t nat -F
[root@s2 ~]# iptables -t raw -F
[root@s2 ~]# iptables -t mangle -F
2、在网关防火墙上 两块网卡
[root@s2 ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:87:17:A0
inet addr:192.168.10.10 Bcast:192.168.10.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe87:17a0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:53 errors:0 dropped:0 overruns:0 frame:0
TX packets:80 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5525 (5.3 KiB) TX bytes:13431 (13.1 KiB)
Interrupt:59 Base address:0x2000
eth2 Link encap:Ethernet HWaddr 00:0C:29:87:17:AA
inet addr:200.100.100.1 Bcast:200.100.100.255 Mask:255.255.255.0
确认网关上可以ping通内网客户机,外网 客户机
[root@s2 ~]# ping 192.168.10.3
PING 192.168.10.3 (192.168.10.3) 56(84) bytes of data.
64 bytes from 192.168.10.3: icmp_seq=1 ttl=128 time=1.22 ms
--- 192.168.10.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.225/1.225/1.225/0.000 ms
[root@s2 ~]# ping 200.100.100.2
PING 200.100.100.2 (200.100.100.2) 56(84) bytes of data.
64 bytes from 200.100.100.2: icmp_seq=1 ttl=64 time=1.68 ms
64 bytes from 200.100.100.2: icmp_seq=2 ttl=64 time=0.375 ms
64 bytes from 200.100.100.2: icmp_seq=3 ttl=64 time=0.175 ms
--- 200.100.100.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.175/0.744/1.682/0.668 ms
3、确认开启路由转发
[root@s2 ~]# vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@s2 ~]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 4294967295
kernel.shmall = 268435456
4、在网关上添加DNAT映射,对于访问网关80端口的数据包,将目标地址改为网站服务器的ip地址的内网IP地址
[root@s2 ~]# iptables -t nat -A PREROUTING -i eth1 -d 200.100.100.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.10.3
5、外网用户访问内网的Web服务器测试下
SNAT策略应用
1、清空所有表的防火墙
[root@s2 ~]# iptables -F
[root@s2 ~]# iptables -t nat -F
[root@s2 ~]# iptables -t raw -F
[root@s2 ~]# iptables -t mangle -F
2、在网关防火墙上 两块网卡
[root@s2 ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:87:17:A0
inet addr:192.168.10.10 Bcast:192.168.10.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe87:17a0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:53 errors:0 dropped:0 overruns:0 frame:0
TX packets:80 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5525 (5.3 KiB) TX bytes:13431 (13.1 KiB)
Interrupt:59 Base address:0x2000
eth2 Link encap:Ethernet HWaddr 00:0C:29:87:17:AA
inet addr:200.100.100.1 Bcast:200.100.100.255 Mask:255.255.255.0
确认网关上可以ping通内网客户机,外网 客户机
[root@s2 ~]# ping 192.168.10.3
PING 192.168.10.3 (192.168.10.3) 56(84) bytes of data.
64 bytes from 192.168.10.3: icmp_seq=1 ttl=128 time=1.22 ms
--- 192.168.10.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.225/1.225/1.225/0.000 ms
[root@s2 ~]# ping 200.100.100.2
PING 200.100.100.2 (200.100.100.2) 56(84) bytes of data.
64 bytes from 200.100.100.2: icmp_seq=1 ttl=64 time=1.68 ms
64 bytes from 200.100.100.2: icmp_seq=2 ttl=64 time=0.375 ms
64 bytes from 200.100.100.2: icmp_seq=3 ttl=64 time=0.175 ms
--- 200.100.100.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.175/0.744/1.682/0.668 ms
3、确认开启路由转发
[root@s2 ~]# vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@s2 ~]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 4294967295
kernel.shmall = 268435456
6、为局域网访问Internet的数据的包采用SNAT策略,将源地址更改为服务器的公网的IP
地址
[root@s2 ~]# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 200.100.100.1
7、内网客户机访问外网Web服务器测试
另外有需要云服务器可以了解下创新互联scvps.cn,海内外云服务器15元起步,三天无理由+7*72小时售后在线,公司持有idc许可证,提供“云服务器、裸金属服务器、高防服务器、香港服务器、美国服务器、虚拟主机、免备案服务器”等云主机租用服务以及企业上云的综合解决方案,具有“安全稳定、简单易用、服务可用性高、性价比高”等特点与优势,专为企业上云打造定制,能够满足用户丰富、多元化的应用场景需求。