
iptables nat table applications (default route and port mapping)


iptables nat table applications

Machine A: two NICs, ens33 (ip: 192.168.188.2) and ens37 (ip: 192.168.100.1); ens33 has Internet access, ens37 is internal only;
Machine B: one NIC, ens37 (ip: 192.168.100.100), on the same internal segment as A's ens37 and able to talk to A;
Machine C: one NIC, ens37 (ip: 192.168.100.101), on the same internal segment as B;

NAT as the default route

Requirement 1: give machine B Internet access.
B's default route (0.0.0.0/0) points at A's internal address, and A rewrites the source address of 192.168.100.0/24 traffic as it leaves through ens33, so the whole 192.168.100.0/24 segment gets out through A.

1. Enable IP forwarding

Check the current value (/proc/sys/net/ipv4/ip_forward is 1 when the kernel forwards packets between interfaces; the default is 0):

[root@shu-test ~]# cat /proc/sys/net/ipv4/ip_forward
0
[root@shu-test ~]#

Enable forwarding (this takes effect immediately but is lost at reboot; to make it permanent, put net.ipv4.ip_forward = 1 in /etc/sysctl.conf or a file under /etc/sysctl.d/ and run sysctl -p):

echo "1" > /proc/sys/net/ipv4/ip_forward

[root@shu-test ~]# echo "1" > /proc/sys/net/ipv4/ip_forward
[root@shu-test ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@shu-test ~]#

2. Add the rule on machine A

(B's default gateway must point at A's ens37 address, 192.168.100.1; otherwise B's packets never reach A in the first place.)

iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE

This nat rule on A rewrites the source address of every packet from 192.168.100.0/24 that leaves through ens33 to ens33's own address (-A appends the rule; the same command with -D removes it again). MASQUERADE looks up the outgoing interface's address for each new connection, which is what you want when ens33 gets its address by DHCP; with the fixed 192.168.188.2, SNAT --to-source 192.168.188.2 does the same job without the lookup.

[root@shu-test ~]# iptables -F
[root@shu-test ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 659 packets, 67162 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain INPUT (policy ACCEPT 18 packets, 1935 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain OUTPUT (policy ACCEPT 50 packets, 3782 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain POSTROUTING (policy ACCEPT 50 packets, 3782 bytes)
pkts bytes target     prot opt in     out     source               destination         
   42  3201 MASQUERADE  all  --  *      ens33   192.168.100.0/24     0.0.0.0/0           
[root@shu-test ~]#

3. Test

If B can ping A's ens33 address but nothing beyond it, the filter table's FORWARD chain is the usual culprit (a default rule set that rejects forwarded traffic, as the stock CentOS one does); iptables -F flushes the filter table and leaves the nat rule above in place. Then, on B, ping the upstream gateway 192.168.188.1 and www.hao123.com:

[root@localhost ~]# ping 192.168.188.1
PING 192.168.188.1 (192.168.188.1) 56(84) bytes of data.
64 bytes from 192.168.188.1: icmp_seq=1 ttl=127 time=1.58 ms
64 bytes from 192.168.188.1: icmp_seq=2 ttl=127 time=0.814 ms
^C
--- 192.168.188.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.814/1.199/1.585/0.387 ms
[root@localhost ~]# ping www.hao123.com
PING hao123.n.shifen.com (112.34.111.167) 56(84) bytes of data.
64 bytes from 112.34.111.167 (112.34.111.167): icmp_seq=1 ttl=127 time=31.1 ms
64 bytes from 112.34.111.167 (112.34.111.167): icmp_seq=2 ttl=127 time=31.5 ms
64 bytes from 112.34.111.167 (112.34.111.167): icmp_seq=3 ttl=127 time=31.2 ms
^C
--- hao123.n.shifen.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 31.116/31.291/31.502/0.159 ms
[root@localhost ~]#

Port mapping

Requirement 2: C has only an internal address and can be reached only through A. Expose C's SSH port (22) on a port of A's external address so that hosts on the outside can ssh to C (port mapping).

1. Enable IP forwarding on machine A (as above);

echo "1" > /proc/sys/net/ipv4/ip_forward

[root@localhost ~]# echo "1" > /proc/sys/net/ipv4/ip_forward
[root@localhost ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@localhost ~]#

2. Clear the previous rules

Use iptables -F and iptables -D as described in the previous post. Note that -F without -t nat only flushes the filter table; iptables -t nat -F clears the nat table.

3. Add the rule on machine A

iptables -t nat -A PREROUTING -d 192.168.188.2 -p tcp --dport 1122 -j DNAT --to 192.168.100.101:22

This maps port 22 of 192.168.100.101 onto port 1122 of A's ens33 address: a connection to 192.168.188.2:1122 from outside is rewritten in PREROUTING to 192.168.100.101:22 and forwarded to C. Without -i ens33 the rule also rewrites packets for 192.168.188.2:1122 that arrive on ens37; add -i ens33 to keep it on the external side.

[root@shu-test ~]# iptables -t nat -A PREROUTING -d 192.168.188.2 -p tcp --dport 1122 -j DNAT --to 192.168.100.101:22
[root@shu-test ~]#
[root@shu-test ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 13 packets, 1072 bytes)
pkts bytes target     prot opt in     out     source               destination         
    5   260 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.188.2        tcp dpt:1122 to:192.168.100.101:22
Chain INPUT (policy ACCEPT 6 packets, 549 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain OUTPUT (policy ACCEPT 2 packets, 152 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain POSTROUTING (policy ACCEPT 7 packets, 412 bytes)
pkts bytes target     prot opt in     out     source               destination         
  113  8561 MASQUERADE  all  --  *      ens33   192.168.100.0/24     0.0.0.0/0           
[root@shu-test ~]#

4. Return path

iptables -t nat -A POSTROUTING -s 192.168.100.101 -j SNAT --to 192.168.188.2

This rule is meant to send replies from 192.168.100.101 back out as 192.168.188.2, but it is not what makes the mapping work: nat rules are consulted only for the first packet of a connection, and conntrack reverses the DNAT on C's replies by itself. What the return path really needs is that C's default gateway is A (192.168.100.1), so that the replies reach A at all. The rule's counter stays at 0 in the listing below, and the w output on C later shows the SSH client's real address (192.168.188.1) rather than 192.168.188.2. It only affects new connections that C itself opens, and for those leaving through ens33 the MASQUERADE rule already matches first.

[root@shu-test ~]# iptables -t nat -A POSTROUTING -s 192.168.100.101 -j SNAT --to 192.168.188.2
[root@shu-test ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
    5   260 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.188.2        tcp dpt:1122 to:192.168.100.101:22
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
  122  9236 MASQUERADE  all  --  *      ens33   192.168.100.0/24     0.0.0.0/0           
    0     0 SNAT       all  --  *      *       192.168.100.101      0.0.0.0/0            to:192.168.188.2
[root@shu-test ~]#

5. Test

From the Windows host (with the tcping tool):

C:\Users\Administrator.USER-20170617IG>tcping 192.168.188.2 1122
Probing 192.168.188.2:1122/tcp - Port is open - time=24.733ms
Probing 192.168.188.2:1122/tcp - Port is open - time=4.718ms
Probing 192.168.188.2:1122/tcp - Port is open - time=4.639ms
Probing 192.168.188.2:1122/tcp - Port is open - time=4.886ms
Ping statistics for 192.168.188.2:1122
     4 probes sent.
     4 successful, 0 failed.
Approximate trip times in milli-seconds:
     Minimum = 4.639ms, Maximum = 24.733ms, Average = 9.744ms

C:\Users\Administrator.USER-20170617IG>ping 192.168.100.101
Pinging 192.168.100.101 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.100.101:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Users\Administrator.USER-20170617IG>

Then ssh from Windows to 192.168.188.2 port 1122 (the session lands on C; the w output shows the client's real address, 192.168.188.1, because only the destination was rewritten):

Connecting to 192.168.188.2:1122...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Last login: Thu Jan 25 22:22:33 2018 from 192.168.188.1
[root@shu002 ~]# w
23:02:45 up 43 min,  2 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1                      22:20   11:09   0.29s  0.29s -bash
root     pts/0    192.168.188.1    23:02    5.00s  0.07s  0.04s w
[root@shu002 ~]#
[root@shu002 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 00:0c:29:20:41:c3  txqueuelen 1000  (Ethernet)
        RX packets 636  bytes 67857 (66.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 333  bytes 45907 (44.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.101  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 fe80::d347:6274:ae3f:7255  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::f39c:81b9:efac:5b41  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:20:41:cd  txqueuelen 1000  (Ethernet)
        RX packets 289  bytes 27155 (26.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 341  bytes 34283 (33.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 72  bytes 5712 (5.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 72  bytes 5712 (5.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@shu002 ~]#
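As an added example (not part of the original post), here is a small audit script that reads an iptables-save dump and flags the three sharp edges in the configuration built above: a source-NAT rule without -o, a DNAT rule without -i, and a FORWARD policy of ACCEPT. The sample dump is constructed to reproduce the rules shown in the listings (in the format iptables-save prints them); the function names audit_nat_dump, sample_dump and hardened_dump are this example's own.

```shell
#!/bin/bash
# Added example, not from the original post: audit an iptables-save dump for
# NAT rules that are broader than masquerading and port mapping need.
# Reads the dump on stdin, prints one finding per line and returns the
# number of findings (0 = clean). Function names are this example's own.
audit_nat_dump() {
  local line table="" findings=0
  while IFS= read -r line; do
    case "$line" in
      \**)                                  # "*nat", "*filter": start of a table
        table="${line#\*}" ;;
      ":FORWARD ACCEPT"*)
        echo "$table: FORWARD policy is ACCEPT, the box forwards anything between its interfaces"
        findings=$((findings + 1)) ;;
      "-A POSTROUTING"*"-j MASQUERADE"*|"-A POSTROUTING"*"-j SNAT"*)
        case " $line " in *" -o "*) ;; *)
          echo "$table: source NAT without -o, rewrites on every outbound interface: $line"
          findings=$((findings + 1)) ;;
        esac ;;
      "-A PREROUTING"*"-j DNAT"*)
        case " $line " in *" -i "*) ;; *)
          echo "$table: DNAT without -i, also rewrites matching packets arriving from the inside: $line"
          findings=$((findings + 1)) ;;
        esac ;;
    esac
  done
  return "$findings"
}

# Constructed sample in iptables-save format, reproducing the rules from the
# listings above (iptables-save prints /32 masks and "-m tcp" explicitly).
sample_dump() {
  cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.188.2/32 -p tcp -m tcp --dport 1122 -j DNAT --to-destination 192.168.100.101:22
-A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
-A POSTROUTING -s 192.168.100.101/32 -j SNAT --to-source 192.168.188.2
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# The same rules with interface scoping and the redundant SNAT removed;
# the audit returns 0 for this one.
hardened_dump() {
  cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ens33 -d 192.168.188.2/32 -p tcp -m tcp --dport 1122 -j DNAT --to-destination 192.168.100.101:22
-A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
COMMIT
EOF
}

# Usage on a live box: iptables-save | ./nat-audit.sh (script name assumed);
# "demo" runs the audit over the constructed sample.
if [ "${1:-}" = "demo" ]; then
  sample_dump | audit_nat_dump
  echo "findings: $?"
fi
```

The exit status doubles as the finding count, so the function can be dropped into a cron job or a CI check of saved rule files; feed it `iptables-save` output rather than `iptables -nvL`, because the save format keeps the -i/-o options intact as text.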

Defining the iptables rules in one go

Create the file

vi /usr/local/sbin/iptables.sh

Contents:

#!/bin/bash
# One-shot filter rules for machine A: drop inbound by default, accept replies,
# allow SSH only from the admin subnet, and allow HTTP and FTP control.
ipt="/usr/sbin/iptables"
$ipt -F                                   # flushes the filter table only; nat is untouched
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
# Accept established traffic before switching INPUT to DROP, so the SSH
# session this script runs from is never cut off in between.
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A INPUT -s 192.168.188.0/24 -p tcp --dport 22 -j ACCEPT   # SSH from the admin subnet only
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT
$ipt -P INPUT DROP

Run the file

sh /usr/local/sbin/iptables.sh

Test:

You can still ssh to port 22, but the machine no longer answers ping (ICMP falls through to the INPUT DROP policy, since no rule accepts it):

[root@shu-test ~]# iptables -nvL
Chain INPUT (policy DROP 12 packets, 936 bytes)
pkts bytes target     prot opt in     out     source               destination         
   91  7272 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       192.168.133.0/24     0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain OUTPUT (policy ACCEPT 72 packets, 8232 bytes)
pkts bytes target     prot opt in     out     source               destination         
[root@shu-test ~]#
C:\Users\Administrator.USER-20170617IG>ping 192.168.188.2
Pinging 192.168.188.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.188.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Users\Administrator.USER-20170617IG>

Meaning: drop everything inbound by default, accept replies to established connections, allow SSH (port 22) only from the admin subnet, and allow ports 80 and 21 from anywhere. The listing above was taken from a run with 192.168.133.0/24 in the SSH rule, while the script uses 192.168.188.0/24: whichever subnet goes there has to be the one your SSH client connects from, otherwise only the RELATED,ESTABLISHED rule keeps your current session alive and the next login fails. FORWARD stays at ACCEPT, so the box still forwards anything between its two networks, and the NAT rules from the earlier sections live in the nat table, which this script's iptables -F does not touch.
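The three procedures above (masquerading for requirement 1, the DNAT port mapping for requirement 2, and the one-shot INPUT policy) can be loaded as a single ruleset with iptables-restore, which commits each table atomically and sets the chain policies in the same commit as the rules. The script below is an added example, not code from the original post. It assumes the post's topology (ens33 external at 192.168.188.2, ens37 internal, 192.168.100.0/24 behind it, C at 192.168.100.101 exposed on port 1122) as defaults that can be overridden through environment variables; the function names, variable names, script name and the sysctl.d file name are this example's own. Beyond what the post shows, it locks the FORWARD chain down to the two flows the requirements need and adds the lock-out protection (a timed roll-back to the previous rules) that a remotely administered box deserves.

```shell
#!/bin/bash
# Added example, not from the original post: render the whole ruleset for
# machine A in iptables-restore format and load it atomically with a timed
# roll-back. Defaults mirror the post's lab; override via environment, e.g.
#   EXT_IF=eth0 MAP_PORT=2222 ./nat-gateway.sh apply     (script name assumed)

render_ruleset() {
  local ext_if="${EXT_IF:-ens33}"  int_if="${INT_IF:-ens37}"
  local ext_ip="${EXT_IP:-192.168.188.2}"  lan="${LAN:-192.168.100.0/24}"
  local admin_net="${ADMIN_NET:-192.168.188.0/24}"
  local map_port="${MAP_PORT:-1122}"  target="${TARGET:-192.168.100.101}"
  local target_port="${TARGET_PORT:-22}"
  # Lines starting with '#' are ignored by iptables-restore.
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Requirement 2: -i limits the rewrite to packets arriving on the external side.
-A PREROUTING -i $ext_if -d $ext_ip -p tcp --dport $map_port -j DNAT --to-destination $target:$target_port
# Requirement 1: masquerade LAN traffic only as it leaves through $ext_if.
-A POSTROUTING -s $lan -o $ext_if -j MASQUERADE
COMMIT
*filter
# Policies are committed together with the rules: there is no moment without
# the RELATED,ESTABLISHED rule, so an open SSH session survives the load.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s $admin_net -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
# Forward only the two flows the requirements need. The DNAT has already
# rewritten the destination by the time a packet reaches FORWARD.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $int_if -o $ext_if -s $lan -j ACCEPT
-A FORWARD -i $ext_if -o $int_if -d $target -p tcp --dport $target_port -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
EOF
}

# Enable forwarding now and across reboots (the sysctl.d file name is an
# assumption), load the ruleset, and roll back to the saved rules after 60 s
# unless the operator confirms the box is still reachable.
apply_with_rollback() {
  local backup timer answer
  backup=$(mktemp) || return 1
  iptables-save > "$backup"
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/90-nat-gateway.conf
  if ! render_ruleset | iptables-restore; then
    echo "iptables-restore failed; restoring previous rules" >&2
    iptables-restore < "$backup"
    return 1
  fi
  ( sleep 60; iptables-restore < "$backup" ) &
  timer=$!
  printf 'New rules active. Press Enter within 60 s to keep them: '
  if read -r -t 60 answer; then
    kill "$timer" 2>/dev/null
    echo "kept"
  else
    echo "rolled back to the rules saved in $backup"
  fi
}

case "${1:-}" in
  apply)  apply_with_rollback ;;
  render) render_ruleset ;;
esac
```

`./nat-gateway.sh render` prints the ruleset for review, and the same text can be saved as /etc/sysconfig/iptables on CentOS so the iptables service reloads it at boot. The SNAT rule from step 4 of the port-mapping section is deliberately absent: conntrack handles the replies to the DNAT'd connection, and C only needs A as its default gateway.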
