
iptables 实现 nat

3.8 nat {#38-nat}

  • 共享上网
  • 端口转发/端口映射
  • ip映射

转发的数据包要经过 filter 表的 FORWARD 链，所以先把 m01 上 INPUT/FORWARD 链的默认策略置为 ACCEPT，并确认当前没有规则拦截：

[root@m01 ~]# iptables -P INPUT ACCEPT
[root@m01 ~]# iptables -P FORWARD ACCEPT
[root@m01 ~]# iptables -nL

  1. 防火墙配置

    [root@m01 ~]# iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -j SNAT --to-source 10.0.0.61
    [root@m01 ~]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    [root@m01 ~]# sysctl -p
    net.ipv4.icmp_echo_ignore_all = 0
    net.ipv4.ip_forward = 1

注意事项：
公网 IP 不固定（会变化）时，不要用 SNAT 写死 --to-source，改用 MASQUERADE，由内核自动取出口网卡当前的地址：
iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -j MASQUERADE

  1. web配置
    [root@web01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
    TYPE=Ethernet
    BOOTPROTO=none
    NAME=eth0
    DEVICE=eth0
    ONBOOT=no
    IPADDR=10.0.0.7
    PREFIX=24
    GATEWAY=10.0.0.254
    DNS1=223.5.5.5
    GATEWAY=10.0.0.254
    [root@web01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
    TYPE=Ethernet
    IPADDR=172.16.1.7
    PREFIX=24
    NAME=eth1
    DEVICE=eth1
    ONBOOT=yes
    GATEWAY=172.16.1.61
    DNS1=1.2.4.8
    [root@web01 ~]# systemctl restart network
    [root@m01 ~]# ssh 172.16.1.7
    Last login: Wed Jul 24 23:06:58 2019 from 10.0.0.1
    [root@web01 ~]# ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
    valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 00:0c:29:b2:e3:7e brd ff:ff:ff:ff:ff:ff
    3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:b2:e3:88 brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.7/24 brd 172.16.1.255 scope global eth1
    valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:feb2:e388/64 scope link
    valid_lft forever preferred_lft forever
    [root@web01 ~]# ping baidu.com
    PING baidu.com (220.181.38.148) 56(84) bytes of data.
    64 bytes from 220.181.38.148 (220.181.38.148): icmp_seq=1 ttl=127 time=8.90 ms
    64 bytes from 220.181.38.148 (220.181.38.148): icmp_seq=2 ttl=127 time=7.52 ms
    64 bytes from 220.181.38.148 (220.181.38.148): icmp_seq=3 ttl=127 time=9.28 ms
    64 bytes from 220.181.38.148 (220.181.38.148): icmp_seq=4 ttl=127 time=9.36 ms
    ^C
    --- baidu.com ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3006ms
    rtt min/avg/max/mdev = 7.528/8.769/9.364/0.746 ms
    [root@web01 ~]# ping 1.2.4.8
    PING 1.2.4.8 (1.2.4.8) 56(84) bytes of data.
    64 bytes from 1.2.4.8: icmp_seq=1 ttl=127 time=76.4 ms
    64 bytes from 1.2.4.8: icmp_seq=2 ttl=127 time=76.8 ms
    ^C
    --- 1.2.4.8 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1002ms
    rtt min/avg/max/mdev = 76.440/76.637/76.834/0.197 ms
  2. 完成后，在 web01 上执行 ip r 和 ping 外网 IP 的结果：
    [root@web01 ~]# ip r
    default via 172.16.1.61 dev eth1
    169.254.0.0/16 dev eth1 scope link metric 1003
    172.16.1.0/24 dev eth1 proto kernel scope link src 172.16.1.7
    [root@web01 ~]# route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    0.0.0.0 172.16.1.61 0.0.0.0 UG 0 0 0 eth1
    169.254.0.0 0.0.0.0 255.255.0.0 U 1003 0 0 eth1
    172.16.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
    [root@web01 ~]# ping baidu.com
    PING baidu.com (39.156.69.79) 56(84) bytes of data.
    64 bytes from 39.156.69.79 (39.156.69.79): icmp_seq=1 ttl=127 time=21.7 ms
    64 bytes from 39.156.69.79 (39.156.69.79): icmp_seq=2 ttl=127 time=32.6 ms
    ^C
    --- baidu.com ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1002ms
    rtt min/avg/max/mdev = 21.781/27.214/32.647/5.433 ms
3.8.2 实现端口转发※※※※※

[root@m01 ~]# iptables -t nat -A PREROUTING -d 10.0.0.61 -p tcp --dport 9000 -j DNAT --to-destination 172.16.1.7:22
[root@m01 ~]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 10.0.0.61 tcp dpt:9000 to:172.16.1.7:22

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 172.16.1.0/24 0.0.0.0/0 to:10.0.0.61

测试与检查

本地 shell 中（上面这条 DNAT 规则没有带 -s 限制来源，列表里显示为 0.0.0.0/0，即任何能访问到 10.0.0.61:9000 的主机都会被转到 172.16.1.7 的 22 端口；下面 `ssh host port` 的写法是本地终端工具自己的语法，用 OpenSSH 客户端应写成 `ssh -p 9000 root@10.0.0.61`）：

[d:\~]$ ssh root@10.0.0.61 9000
3.8.3 实现ip映射
先在网关 m01 的 eth0 上再添加一个公网地址 10.0.0.62（别名 eth0:0），让发往 10.0.0.62 的包能先到达 m01；用 ip 命令加的地址重启后不保留，需要持久化的话要写进网卡配置文件。下面的 DNAT 规则没有指定 -p/--dport，所以发到 10.0.0.62 的所有协议和端口都会转到 172.16.1.7（规则列表里显示为 all）：
ip a add 10.0.0.62/24 dev eth0 label eth0:0

[root@m01 ~]# iptables -t nat -A PREROUTING -d 10.0.0.62 -j DNAT --to-destination 172.16.1.7
[root@m01 ~]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 10.0.0.61 tcp dpt:9000 to:172.16.1.7:22
DNAT all -- 0.0.0.0/0 10.0.0.62 to:172.16.1.7

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 172.16.1.0/24 0.0.0.0/0 to:10.0.0.61
3.8.4 nat 表总结
实现共享上网（POSTROUTING 链的 SNAT / MASQUERADE）
端口转发、IP 映射（PREROUTING 链的 DNAT）
nat 功能在云服务器上无法使用，替代品叫 NAT 网关
