环境:CentOS 6.4(最小化安装)
SNAT测试:
地址规划:
Node | IP address | GW |
EndUser | 192.168.101.241/24 | 192.168.101.1 |
iptables | eth1:192.168.101.1/24 eth0:192.168.100.242/24 | 192.168.100.1 |
EndUser:
[root@EndUser ~]# tail -n 5 /etc/sysconfig/network-scripts/ifcfg-eth0
BOOTPROTO=static
IPADDR=192.168.101.241
NETMASK=255.255.255.0
GATEWAY=192.168.101.1
DNS1=114.114.114.114
[root@EndUser ~]#
测试网关:
[root@EndUser ~]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.101.0   *               255.255.255.0   U     0      0        0 eth0
link-local      *               255.255.0.0     U     1002   0        0 eth0
default         192.168.101.1   0.0.0.0         UG    0      0        0 eth0
[root@EndUser ~]# ping 192.168.101.1 -c 4
PING 192.168.101.1 (192.168.101.1) 56(84) bytes of data.
64 bytes from 192.168.101.1: icmp_seq=1 ttl=64 time=0.315 ms
64 bytes from 192.168.101.1: icmp_seq=2 ttl=64 time=0.340 ms
64 bytes from 192.168.101.1: icmp_seq=3 ttl=64 time=0.320 ms
64 bytes from 192.168.101.1: icmp_seq=4 ttl=64 time=0.317 ms
--- 192.168.101.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 0.315/0.323/0.340/0.010 ms
[root@EndUser ~]# ping 192.168.100.242 -c 4
PING 192.168.100.242 (192.168.100.242) 56(84) bytes of data.
64 bytes from 192.168.100.242: icmp_seq=1 ttl=64 time=0.557 ms
64 bytes from 192.168.100.242: icmp_seq=2 ttl=64 time=0.339 ms
64 bytes from 192.168.100.242: icmp_seq=3 ttl=64 time=0.319 ms
64 bytes from 192.168.100.242: icmp_seq=4 ttl=64 time=0.400 ms
--- 192.168.100.242 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 0.319/0.403/0.557/0.096 ms
[root@EndUser ~]#
iptables:
[root@iptables ~]# tail -n 5 /etc/sysconfig/network-scripts/ifcfg-eth0
BOOTPROTO=static
IPADDR=192.168.100.242
NETMASK=255.255.255.0
GATEWAY=192.168.100.1
DNS1=114.114.114.114
[root@iptables ~]# tail -n 4 /etc/sysconfig/network-scripts/ifcfg-eth1
NM_CONTROLLED=yes
BOOTPROTO=static
IPADDR=192.168.101.1
NETMASK=255.255.255.0
[root@iptables ~]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   *               255.255.255.0   U     0      0        0 eth0
192.168.101.0   *               255.255.255.0   U     0      0        0 eth1
link-local      *               255.255.0.0     U     1002   0        0 eth0
link-local      *               255.255.0.0     U     1003   0        0 eth1
default         192.168.100.1   0.0.0.0         UG    0      0        0 eth0
[root@iptables ~]#
[root@iptables ~]# grep forward /etc/sysctl.conf |grep -v ^#
net.ipv4.ip_forward = 1
[root@iptables ~]# sysctl -p
[root@iptables ~]# iptables -t nat -vL    # 查看linux下NAT映射表
[root@iptables ~]# grep "POSTROUTING" /etc/sysconfig/iptables|grep -v ^:
-A POSTROUTING -s 192.168.101.0/24 -o eth0 -j SNAT --to-source 192.168.100.242
[root@iptables ~]#
[root@iptables ~]# /etc/init.d/iptables restart
iptables: Flushing firewall rules:                 [ OK ]
iptables: Setting chains to policy ACCEPT: filter nat [ OK ]
iptables: Unloading modules:                       [ OK ]
iptables: Applying firewall rules:                 [ OK ]
[root@iptables ~]#
先测试防火墙能否上网:
[root@iptables ~]# ping www.baidu.com -c 4
PING www.a.shifen.com (180.97.33.107) 56(84) bytes of data.
64 bytes from 180.97.33.107: icmp_seq=1 ttl=53 time=27.3 ms
64 bytes from 180.97.33.107: icmp_seq=2 ttl=53 time=26.5 ms
64 bytes from 180.97.33.107: icmp_seq=3 ttl=53 time=25.2 ms
64 bytes from 180.97.33.107: icmp_seq=4 ttl=53 time=24.9 ms
--- www.a.shifen.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3031ms
rtt min/avg/max/mdev = 24.994/26.047/27.371/0.977 ms
[root@iptables ~]#
测试EndUser:
ping一个windows主机用wireshark抓包:
DNAT测试:
地址规划:
Node | IP Address | GW |
WEB | 192.168.101.241/24 | 192.168.101.1 |
iptables | eth0:192.168.100.242/24 eth1:192.168.101.1/24 | 192.168.100.243 192.168.101.241 |
EndUser | 192.168.100.251/24 | - |
WEB:
[root@WEB ~]# tail -n 4 /etc/sysconfig/network-scripts/ifcfg-eth0
BOOTPROTO=static
IPADDR=192.168.101.241
NETMASK=255.255.255.0
GATEWAY=192.168.101.1
[root@WEB ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.101.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
0.0.0.0         192.168.101.1   0.0.0.0         UG    0      0        0 eth0
[root@WEB ~]#
[root@WEB ~]# ping 192.168.100.242 -c 4
PING 192.168.100.242 (192.168.100.242) 56(84) bytes of data.
64 bytes from 192.168.100.242: icmp_seq=1 ttl=64 time=0.287 ms
64 bytes from 192.168.100.242: icmp_seq=2 ttl=64 time=0.346 ms
64 bytes from 192.168.100.242: icmp_seq=3 ttl=64 time=0.403 ms
64 bytes from 192.168.100.242: icmp_seq=4 ttl=64 time=0.409 ms
--- 192.168.100.242 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 0.287/0.361/0.409/0.051 ms
[root@WEB ~]#
iptables:
[root@iptables ~]# grep forward /etc/sysctl.conf |grep -v ^#
net.ipv4.ip_forward = 1
[root@iptables ~]#
[root@iptables ~]# tail -n 4 /etc/sysconfig/network-scripts/ifcfg-eth0
BOOTPROTO=static
IPADDR=192.168.100.242
NETMASK=255.255.255.0
GATEWAY=192.168.100.243
[root@iptables ~]# tail -n 4 /etc/sysconfig/network-scripts/ifcfg-eth1
BOOTPROTO=static
IPADDR=192.168.101.1
NETMASK=255.255.255.0
GATEWAY=192.168.101.241
[root@iptables ~]#
[root@iptables ~]# route -n
Kernel IP routing table
Destination     Gateway           Genmask         Flags Metric Ref    Use Iface
192.168.100.0   0.0.0.0           255.255.255.0   U     0      0        0 eth0
192.168.101.0   0.0.0.0           255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0           255.255.0.0     U     1002   0        0 eth0
169.254.0.0     0.0.0.0           255.255.0.0     U     1003   0        0 eth1
0.0.0.0         192.168.101.241   0.0.0.0         UG    0      0        0 eth1
[root@iptables ~]#
[root@iptables ~]# iptables -t nat -A PREROUTING -d 192.168.100.242 -p tcp -m tcp --dport 80 -i eth0 -j DNAT --to-destination 192.168.101.241
[root@iptables ~]# /etc/init.d/iptables restart
iptables: Flushing firewall rules:                 [ OK ]
iptables: Setting chains to policy ACCEPT: filter nat [ OK ]
iptables: Unloading modules:                       [ OK ]
iptables: Applying firewall rules:                 [ OK ]
[root@iptables ~]#
注意:默认配置下 `/etc/init.d/iptables restart` 会先清空当前规则,再从 /etc/sysconfig/iptables 重新加载;上面用 `iptables -t nat -A PREROUTING ...` 临时添加的 DNAT 规则如果没有先执行 `service iptables save`(或像 SNAT 测试那样直接写进 /etc/sysconfig/iptables),重启后就会丢失。测试前可用 `iptables -t nat -vL PREROUTING` 确认规则仍然存在。
本文出自 “鹏城-酱油瓶” 博客,谢绝转载!
原文地址:http://yfshare.blog.51cto.com/8611708/1674960