防火牆端口轉發操作手冊<二>
二.網絡環境
注:Linux網關服務器(防火牆)和客戶機是公網,WEB服務器在內網
1. 使用虛擬機虛擬兩臺LINUX服務器,一臺角色爲防火牆,另一臺角色爲公網web服務器
防火牆需要虛擬出來兩塊網卡,eth0 : 218.29.30.31/24 , eth1: 192.168.1.1/24
Web服務器一塊網卡eth0:192.168.1.6/24
2. 使用真實機做內網客戶端,用一塊真實網卡IP爲218.29.30.29/24
3. web服務器上設置
[root@kingmacro /]#iptables -F
[root@kingmacro /]#service iptables save
[root@kingmacro /]#chkconfig httpd on
[root@kingmacro /]#service httpd start
[root@kingmacro /]#vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
HWADDR=00:0c:29:50:9f:5c
NM_CONTROLLED=yes
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.1.6
NETMASK=255.255.255.0
4. 防火牆設置
[root@wanghong ~]# cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth1
[root@wanghong ~]#vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
HWADDR=00:0c:29:cf:82:fe
NM_CONTROLLED=yes
ONBOOT=yes
BOOTPROTO=none
IPADDR=218.29.30.31
NETMASK=255.255.255.0
[root@wanghong ~]#vim /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
NM_CONTROLLED=yes
ONBOOT=yes
BOOTPROTO=none
IPADDR=192.168.1.1
NETMASK=255.255.255.0
[root@wanghong ~]#service network restart
[root@wanghong ~]#vim /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1
[root@wanghong ~]#sysctl -p
[root@wanghong ~]#iptables -t nat -A PREROUTING -i eth0 -d 218.29.30.31 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.6
[root@wanghong ~]#iptables -t nat -L
5.防火牆測試
直接在客戶端使用ping命令:ping防火牆服務器的eth0可以正常ping通,ping eth1不能ping通,ping web服務器也ping不通(這些狀況都屬正常情況),因爲只在eth0上做了端口轉發,也就是所有到達eth0 80端口的數據包全部直接轉發給web服務器192.168.1.6 (注:在此實驗過程當中,web服務器需要加內部網關192.168.1.1,這樣回應數據包才會經由防火牆返回,由防火牆將目的地址轉換還原後再送回客戶端)
使用瀏覽器訪問web服務器, http://192.168.1.6