linux DNAT & SNAT

iptables --- nat (address translation)

Environment
1. Machine one
192.168.1.3 (public)
192.168.183.127 (internal)


2. Machine two
192.168.183.128 (internal)

Before the experiment I added a second network interface to the VM; it had an IP address but no config file. That can be handled like this:

nmcli con show   (shows the device's unique identifier, the UUID)
ip addr          (shows the NIC's hardware MAC address)

BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
NAME=ens37
UUID=a2d0be5d-0769-48b4-9270-b3eacd1d243e
DEVICE=ens37
ONBOOT=yes
IPADDR=192.168.183.128
NETMASK=255.255.255.0
GATEWAY=192.168.1.3
HWADDR=00:0c:29:ab:38:87

Firewall rules: they invoke the kernel's security policy.

[root@localhost ~]# iptables -t filter -L  (by default this lists the chains of the filter table)
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination    
[root@localhost ~]# iptables -t nat -L  (the table used in this experiment: the nat table)
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         

SSH login translation: DNAT (destination address translation, public IP ---> internal IP; that is, the destination address you are trying to reach is changed)

Machine one:
[root@localhost ~]# vim /etc/ssh/sshd_config  
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes  (certificate login had been set up earlier, so this is changed back to yes)

[root@localhost ~]# service iptables stop
iptables: Setting chains to policy ACCEPT: filter nat      [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]

[root@www ipv4]# echo 1 > ip_forward  (takes effect immediately)
[root@www ipv4]# cat ip_forward 
1
[root@www ipv4]# pwd
/proc/sys/net/ipv4

[root@www ipv4]# vim /etc/sysctl.conf (permanent)
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
[root@www ipv4]# sysctl -p (reloads sysctl.conf)
net.ipv4.ip_forward = 1
Machine two:
[root@localhost ~]# ifdown ens33 (make sure the connection does not go over this NIC)

[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens37 

TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
NAME=ens37
UUID=a2d0be5d-0769-48b4-9270-b3eacd1d243e
DEVICE=ens37
ONBOOT=yes
IPADDR=192.168.183.128
NETMASK=255.255.255.0
GATEWAY=192.168.1.3   (the gateway here points at machine one's public IP)
HWADDR=00:0c:29:ab:38:87
[root@localhost ~]# iptables -t nat -A PREROUTING -d 192.168.1.3 -p tcp --dport 22 -j DNAT --to-destination 192.168.18.128:22
**Test**: (XSHELL is used here)
Connecting to 192.168.1.3:22...  (the login goes to .1.3)
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

Last login: Fri May  4 18:32:54 2018 from 192.168.1.138
[root@localhost ~]# ifconfig   (successfully translated to .18.128)
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 00:0c:29:ab:38:7d  txqueuelen 1000  (Ethernet)
        RX packets 350  bytes 37643 (36.7 KiB)
        RX errors 0  dropped 1  overruns 0  frame 0
        TX packets 124  bytes 18169 (17.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.18.128  netmask 255.255.255.0  broadcast 192.168.18.255
        inet6 fe80::20c:29ff:feab:3887  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:ab:38:87  txqueuelen 1000  (Ethernet)
        RX packets 271  bytes 38878 (37.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 198  bytes 54004 (52.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 40  bytes 3448 (3.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 40  bytes 3448 (3.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

SSH login translation: SNAT (source address translation, internal IP ---> public IP; that is, the source IP address you are using is changed)

Here only a small change to the iptables rule is needed:

[root@localhost ~]# iptables -t nat -A POSTROUTING -s 192.168.18.128 -j SNAT --to-source 192.168.1.3
*(Originally 192.168.18.128 could not reach the outside network; ping www.baidu.com is used as the example here. Just look at the result screenshots.)


1. On the .128 machine, set the DNS server in resolv.conf first.
2. Without the SNAT rule:
[screenshot]
3. After adding the rule iptables -t nat -A POSTROUTING -s 192.168.18.128 -j SNAT --to-source 192.168.1.3:
[screenshot]
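The DNAT and SNAT steps above, collected into one reviewable script as an added example (not from the original post). It also adds what the post leaves implicit: after `service iptables stop` the FORWARD chain is at policy ACCEPT, so the script restricts forwarding to the traffic the two NAT rules intend. The interface names ens33 (public side) and ens37 (internal side) are assumed placeholders; the addresses are the post's.

```shell
#!/bin/sh
# Added example, not from the original post: the post's DNAT + SNAT setup as
# one script. Interface names ens33 (public) and ens37 (internal) are assumed
# placeholders; adjust them to the hosts in use.

# Run a command, or only print it when DRY_RUN=1, so the full rule set can be
# reviewed before it touches the live firewall.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# setup_nat PUBLIC_IP INTERNAL_IP PORT PUBLIC_IF INTERNAL_IF
setup_nat() {
  pub_ip=$1; int_ip=$2; port=$3; pub_if=$4; int_if=$5

  # 1. The kernel must forward between interfaces (the post's echo 1 > ip_forward).
  run sysctl -w net.ipv4.ip_forward=1

  # 2. DNAT: connections arriving on the public interface for PUBLIC_IP:PORT
  #    are rewritten to INTERNAL_IP:PORT before the routing decision.
  run iptables -t nat -A PREROUTING -i "$pub_if" -d "$pub_ip" -p tcp --dport "$port" \
      -j DNAT --to-destination "$int_ip:$port"

  # 3. SNAT: traffic from the internal host leaving on the public interface
  #    gets PUBLIC_IP as its source address.
  run iptables -t nat -A POSTROUTING -s "$int_ip" -o "$pub_if" -j SNAT --to-source "$pub_ip"

  # 4. The post leaves FORWARD at policy ACCEPT. Forward only what the NAT
  #    rules intend: the DNATed port inbound, the internal host outbound,
  #    and the replies to both (tracked by conntrack).
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i "$pub_if" -o "$int_if" -d "$int_ip" -p tcp --dport "$port" \
      -m conntrack --ctstate NEW -j ACCEPT
  run iptables -A FORWARD -i "$int_if" -o "$pub_if" -s "$int_ip" \
      -m conntrack --ctstate NEW -j ACCEPT
}

# Review first:  DRY_RUN=1 sh nat.sh      Apply (as root):  sh nat.sh
# The call is left commented so that sourcing this file changes nothing:
# setup_nat 192.168.1.3 192.168.18.128 22 ens33 ens37
```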




Tomorrow I'll share how to set up a web server...