网络防火墙
NAT NAT: network address translation PREROUTING,INPUT,OUTPUT,POSTROUTING 请求报文:修改源/目标IP,由定义如何修改 响应报文:修改源/目标IP,根据跟踪机制自动实现 DNAT:destination NAT PREROUTING , OUTPUT 把本地网络中的主机上的某服务开放给外部网络访问(发布服务和端口映射),但隐藏真实IP 请求报文:修改目标IP PNAT: port nat,端口和IP都进行修改 准备: firewall:开启ip_forward功能 [root@firewall ~]#vim /etc/sysctl.conf net.ipv4.ip_forward = 1 [root@firewall ~]#sysctl -p [root@firewall ~]#sysctl -a 场景:外网访问内外对外开放的服务(防火墙IP2应该是192.168.37.121)
可理解为反向代理,但DNAT只能实现端口一对一映射,无法代理多台后台映射,LVS调度器,NGINX方向代理等服务可实现1对多代理映射:
DNAT
--to-destination [ipaddr[-ipaddr]][:port[-port]]
规范:iptables -t nat -A PREROUTING -d ExtIP -p tcp|udp --dport PORT -j DNAT --to-destination InterSeverIP[:PORT]
示例:
iptables -t nat -A PREROUTING -s 0/0 -d 192.168.37.121 -p tcp --dport 22 -j DNAT --to-destination 10.0.0.108
iptables -t nat -A PREROUTING -s 0/0 -d 192.168.37.121 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.108:80
示例:在nat表的PREROUTING添加策略
1 [root@firewall-121 ~]# iptables -t nat -A PREROUTING -d 192.168.37.121 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.108:80 2 #/防火墙抓包/ 3 [root@firewall-121 ~]# tcpdump -i ens37 -nn host 192.168.37.122 4 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode 5 listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes 6 10:25:25.526290 IP 192.168.37.122.40280 > 192.168.37.121.80: Flags [S], seq 1591772444, win 29200, options [mss 1460,sackOK,TS val 4906758 ecr 0,nop,wscale 7], length 0 7 10:25:25.526493 IP 192.168.37.121.80 > 192.168.37.122.40280: Flags [S.], seq 392735740, ack 1591772445, win 28960, options [mss 1460,sackOK,TS val 7596254 ecr 4906758,nop,wscale 7], length 0 8 #/模拟内网,抓包/ 9 [root@CentOS7-108 ~]# tcpdump -i ens33 -nn host 192.168.37.122 10 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode 11 listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes 12 10:25:24.974946 IP 192.168.37.122.40280 > 10.0.0.108.80: Flags [S], seq 1591772444, win 29200, options [mss 1460,sackOK,TS val 4906758 ecr 0,nop,wscale 7], length 0 13 10:25:24.974982 IP 10.0.0.108.80 > 192.168.37.122.40280: Flags [S.], seq 392735740, ack 1591772445, win 28960, options [mss 1460,sackOK,TS val 7596254 ecr 4906758,nop,wscale 7], length 0View Code
标签:DNAT,--,IP,网络,192.168,防火墙,PREROUTING,80 From: https://www.cnblogs.com/cnblogsfc/p/14183931.html