iptables防火墙【其二 实验篇】

2024-05-28 05:12
文章标签 实验 防火墙 iptables

本文主要是介绍iptables防火墙【其二 实验篇】,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!

保存,还原规则

防火墙规则的备份和还原
导出(备份)所有表的规则
iptables-save > /opt/ipt.txt

导入(还原)规则
iptables-restore < /opt/ipt.txt


将iptables规则文件保存在 /etc/sysconfig/iptables 中,

iptables服务启动时会自动还原规则
iptables-save > /etc/sysconfig/iptables
systemctl stop iptables                        #停止iptables服务会清空掉所有表的规则
systemctl start iptables                    #启动iptables服务会自动还原/etc/sysconfig/iptables 中的规则

保存规则  iptables-save > 文件路径
还原规则  iptables-restore < 文件路径
保存为默认规则  iptables-save > /etc/sysconfig/iptables

[root@l1 ~]# systemctl disable --now firewalld  //永久关闭防火墙
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@l1 ~]# 
[root@l1 ~]# yum install -y iptables iptables-services  //安装两个软件
已加载插件:fastestmirror, langpacks
Loading mirror speeds from cached hostfile
软件包 iptables-1.4.21-35.el7.x86_64 已安装并且是最新版本
正在解决依赖关系
--> 正在检查事务
---> 软件包 iptables-services.x86_64.0.1.4.21-35.el7 将被 安装
--> 解决依赖关系完成依赖关系解决=============================================================================================================================================================Package                                     架构                             版本                                     源                               大小
=============================================================================================================================================================
正在安装:iptables-services                           x86_64                           1.4.21-35.el7                            local                            52 k事务概要
=============================================================================================================================================================
安装  1 软件包总下载量:52 k
安装大小:23 k
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction正在安装    : iptables-services-1.4.21-35.el7.x86_64                                                                                                   1/1 验证中      : iptables-services-1.4.21-35.el7.x86_64                                                                                                   1/1 已安装:iptables-services.x86_64 0:1.4.21-35.el7                                                                                                                   完毕!
[root@l1 ~]# 


[root@l1 ~]# systemctl start iptables.service  //启动服务
[root@l1 ~]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         Chain INPUT (policy ACCEPT)
target     prot opt source               destination         Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
[root@l1 ~]# iptables -nL -t filter 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibitedChain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibitedChain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@l1 ~]#

之前设置的规则没有永久保存,当你服务器重启  或者是 iptables服务重启 都会导致之前写入的规则丢失

[root@l1 ~]# iptables -t filter -F
[root@l1 ~]# iptables -nL -t filter 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@l1 ~]# iptables -t filter -A INPUT -p tcp -m multiport --dport 20:23,53,80,443,111,2049 -j ACCEPT
[root@l1 ~]# iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@l1 ~]# iptables -t filter -A INPUT -j DROP
[root@l1 ~]# iptables -nL -t filter 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 20:23,53,80,443,111,2049
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
DROP       all  --  0.0.0.0/0            0.0.0.0/0           Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@l1 ~]#

保存规则 

[root@l1 ~]# iptables-save > /opt/iptables.txt  //重定向输出到/opt/iptables.txt
[root@l1 ~]# vim /opt/iptables.txt 
[root@l1 ~]# iptables-restore < /opt/iptables.txt   //重定向输入规则
[root@l1 ~]# iptables -nL -t filter 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 20:23,53,80,443,111,2049
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
DROP       all  --  0.0.0.0/0            0.0.0.0/0           Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@l1 ~]#

还原规则

[root@l1 ~]# iptables -t filter -F  //清除规则
[root@l1 ~]# iptables -nL -t filter 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@l1 ~]#

如何设置默认规则 

[root@l1 ~]# systemctl restart iptables.service //重启服务
[root@l1 ~]# iptables -nL -t filter   //规则还原了
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibitedChain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibitedChain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@l1 ~]#

 

 

[root@l1 ~]# iptables-save > /etc/sysconfig/iptables //替换默认规则文件
[root@l1 ~]# vim /etc/sysconfig/iptables
[root@l1 ~]# 


[root@l1 ~]# iptables -t filter -F  //清空规则
[root@l1 ~]# iptables -nL -t filter   //查看规则
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@l1 ~]# systemctl restart iptables.service   //重启服务
[root@l1 ~]# iptables -nL -t filter     //查看规则(已恢复)
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 20:23,53,80,443,111,2049
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
DROP       all  --  0.0.0.0/0            0.0.0.0/0           Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@l1 ~]#


tcpdump    Linux系统抓包工具

tcp 协议    port 端口 [src/dst]     net 网段     -i 网卡  -s 0  -w XXX.cap
tcp                                             host 主机IP
udp
icmp

tcpdump tcp -i ens33 -t -s 0 -c 100 and port ! 22 and net 192.168.1.0/24 -w ./target.cap
(1)tcp: ip icmp arp rarp 和 tcp、udp、icmp这些协议选项等都要放到第一个参数的位置,用来过滤数据包的类型
(2)-i ens33 : 只抓经过接口ens33的包
(3)-t : 不显示时间戳
(4)-s 0 : 抓取数据包时默认抓取长度为68字节。加上-s 0 后可以抓到完整的数据包
(5)-c 100 : 只抓取100个数据包
(6)port ! 22 : 不抓取端口是22的数据包
(7)net 192.168.1.0/24 : 数据包的网络地址为192.168.1.0/24
(8)-w ./target.cap : 保存成cap文件,方便用ethereal(即wireshark)分析 

 实验1   SNAT

网关主机 ens33(左,连接内网)192.168.80.30    ens36(右,连接外网)12.0.0.30

客户端1 设置ip地址为192.168.80.11   网关为ens33 192.168.80.30

客户端2 设置ip地址为192.168.80.20   网关为ens33 192.168.80.30

外网服务器 ip 12.0.0.12  网关为ens36 12.0.0.30

SNAT    内网 --> 外网   转换源地址
iptables  -t nat  -A POSTROUTING  -s 内网的源地址/网段  -o 出站网卡  -j SNAT  --to 要转换的公网源地址

打开ip转发功能 

[root@l1 ~]# cat /proc/sys/net/ipv4/ip_forward
0
[root@l1 ~]# echo 1 > /proc/sys/net/ipv4/ip_forward^C
[root@l1 ~]# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
[root@l1 ~]#

 只能临时生效,当你服务器重启又会被打回为0

永久设置

[root@l1 ~]# vim /etc/sysctl.conf  //这是我们的内核配置文件
[root@l1 ~]# 

[root@l1 ~]# sysctl -p  //加载配置文件的内核配置
net.ipv4.ip_forward = 1
[root@l1 ~]# 
[root@l1 ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@l1 ~]#

SNAT 转发

网关服务器 

客户端 内网主机

客户机2同上操作

 Web服务器  外网服务器

网关服务器配置

[root@l1 ~]# systemctl disable --now firewalld
[root@l1 ~]# yum install -y iptables iptables-services
已加载插件:fastestmirror, langpacks
Loading mirror speeds from cached hostfile
软件包 iptables-1.4.21-35.el7.x86_64 已安装并且是最新版本
软件包 iptables-services-1.4.21-35.el7.x86_64 已安装并且是最新版本
无须任何处理
[root@l1 ~]# systemctl start iptables
[root@l1 ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@l1 ~]# systemctl status iptables
● iptables.service - IPv4 firewall with iptablesLoaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)Active: active (exited) since 四 2024-05-23 11:41:28 CST; 27s agoMain PID: 2582 (code=exited, status=0/SUCCESS)Tasks: 0CGroup: /system.slice/iptables.service5月 23 11:41:28 l1 systemd[1]: Starting IPv4 firewall with iptables...
5月 23 11:41:28 l1 iptables.init[2582]: iptables: Applying firewall rules: …  ]
5月 23 11:41:28 l1 systemd[1]: Started IPv4 firewall with iptables.
Hint: Some lines were ellipsized, use -l to show in full.
[root@l1 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibitedChain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibitedChain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@l1 ~]# systemctl disable --now firewalld
[root@l1 ~]# yum install -y iptables iptables-services
已加载插件:faste

[root@l1 network-scripts]# cd /etc/sysconfig/network-scripts/
[root@l1 network-scripts]# ls
ifcfg-ens33       ifdown-bnep  ifdown-ipv6  ifdown-routes    ifdown-tunnel  ifup-eth   ifup-isdn   ifup-ppp     ifup-TeamPort     network-functions
ifcfg-lo          ifdown-eth   ifdown-isdn  ifdown-sit       ifup           ifup-ib    ifup-plip   ifup-routes  ifup-tunnel       network-functions-ipv6
ifcfg-有线连接_1  ifdown-ib    ifdown-post  ifdown-Team      ifup-aliases   ifup-ippp  ifup-plusb  ifup-sit     ifup-wireless     route-有线连接_1
ifdown            ifdown-ippp  ifdown-ppp   ifdown-TeamPort  ifup-bnep      ifup-ipv6  ifup-post   ifup-Team    init.ipv6-global
[root@l1 network-scripts]# vim ifcfg-ens33
[root@l1 network-scripts]# 

[root@l1 network-scripts]# vim ifcfg-ens33

 内网 ens33
[root@l1 network-scripts]# vim ifcfg-ens33


TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=bb54a700-e209-4a22-a2a3-d4facf68b2b4
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.80.30
NETMASK=255.255.255.0
#GATEWAY=192.168.80.2
#DNS1=114.114.114.114
外网 ens36
[root@l1 network-scripts]# vim ifcfg-ens36


TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens36
DEVICE=ens36
ONBOOT=yes
IPADDR=12.0.0.30
NETMASK=255.255.255.0
~                       
[root@l1 network-scripts]# systemctl restart network  //重启网卡

[root@l1 ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@l1 ~]# ifconfig 
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500inet 192.168.80.30  netmask 255.255.255.0  broadcast 192.168.80.255inet6 fe80::523e:232a:d39b:b32f  prefixlen 64  scopeid 0x20<link>ether 00:0c:29:87:fc:b2  txqueuelen 1000  (Ethernet)RX packets 397  bytes 34591 (33.7 KiB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 413  bytes 35175 (34.3 KiB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0ens36: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500ether 00:0c:29:87:fc:bc  txqueuelen 1000  (Ethernet)RX packets 23  bytes 2871 (2.8 KiB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 475  bytes 78490 (76.6 KiB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536inet 127.0.0.1  netmask 255.0.0.0inet6 ::1  prefixlen 128  scopeid 0x10<host>loop  txqueuelen 1000  (Local Loopback)RX packets 222  bytes 20050 (19.5 KiB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 222  bytes 20050 (19.5 KiB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255ether 52:54:00:cc:65:de  txqueuelen 1000  (Ethernet)RX packets 0  bytes 0 (0.0 B)RX errors 0  dropped 0  overruns 0  frame 0TX packets 0  bytes 0 (0.0 B)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0[root@l1 ~]# cd /etc/sysconfig/network-scripts/
[root@l1 network-scripts]# ls
ifcfg-ens33  ifdown-ppp       ifup-ib      ifup-Team
ifcfg-lo     ifdown-routes    ifup-ippp    ifup-TeamPort
ifdown       ifdown-sit       ifup-ipv6    ifup-tunnel
ifdown-bnep  ifdown-Team      ifup-isdn    ifup-wireless
ifdown-eth   ifdown-TeamPort  ifup-plip    init.ipv6-global
ifdown-ib    ifdown-tunnel    ifup-plusb   network-functions
ifdown-ippp  ifup             ifup-post    network-functions-ipv6
ifdown-ipv6  ifup-aliases     ifup-ppp
ifdown-isdn  ifup-bnep        ifup-routes
ifdown-post  ifup-eth         ifup-sit
[root@l1 network-scripts]# ifconfig 
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500inet 192.168.80.30  netmask 255.255.255.0  broadcast 192.168.80.255inet6 fe80::523e:232a:d39b:b32f  prefixlen 64  scopeid 0x20<link>ether 00:0c:29:87:fc:b2  txqueuelen 1000  (Ethernet)RX packets 464  bytes 39748 (38.8 KiB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 476  bytes 44868 (43.8 KiB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0ens36: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500inet6 fe80::a0bd:6d4f:1a86:6806  prefixlen 64  scopeid 0x20<link>ether 00:0c:29:87:fc:bc  txqueuelen 1000  (Ethernet)RX packets 24  bytes 3114 (3.0 KiB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 504  bytes 82656 (80.7 KiB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536inet 127.0.0.1  netmask 255.0.0.0inet6 ::1  prefixlen 128  scopeid 0x10<host>loop  txqueuelen 1000  (Local Loopback)RX packets 230  bytes 20682 (20.1 KiB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 230  bytes 20682 (20.1 KiB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255ether 52:54:00:cc:65:de  txqueuelen 1000  (Ethernet)RX packets 0  bytes 0 (0.0 B)RX errors 0  dropped 0  overruns 0  frame 0TX packets 0  bytes 0 (0.0 B)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0[root@l1 network-scripts]# vim ifcfg-ens3
[root@l1 network-scripts]# vim ifcfg-ens33
[root@l1 network-scripts]# ls
ifcfg-ens33  ifdown-ppp       ifup-ib      ifup-Team
ifcfg-lo     ifdown-routes    ifup-ippp    ifup-TeamPort
ifdown       ifdown-sit       ifup-ipv6    ifup-tunnel
ifdown-bnep  ifdown-Team      ifup-isdn    ifup-wireless
ifdown-eth   ifdown-TeamPort  ifup-plip    init.ipv6-global
ifdown-ib    ifdown-tunnel    ifup-plusb   network-functions
ifdown-ippp  ifup             ifup-post    network-functions-ipv6
ifdown-ipv6  ifup-aliases     ifup-ppp
ifdown-isdn  ifup-bnep        ifup-routes
ifdown-post  ifup-eth         ifup-sit
[root@l1 network-scripts]# ls
ifcfg-ens33  ifdown-ppp       ifup-ib      ifup-Team
ifcfg-lo     ifdown-routes    ifup-ippp    ifup-TeamPort
ifdown       ifdown-sit       ifup-ipv6    ifup-tunnel
ifdown-bnep  ifdown-Team      ifup-isdn    ifup-wireless
ifdown-eth   ifdown-TeamPort  ifup-plip    init.ipv6-global
ifdown-ib    ifdown-tunnel    ifup-plusb   network-functions
ifdown-ippp  ifup             ifup-post    network-functions-ipv6
ifdown-ipv6  ifup-aliases     ifup-ppp
ifdown-isdn  ifup-bnep        ifup-routes
ifdown-post  ifup-eth         ifup-sit
[root@l1 network-scripts]# vim ifcfg-ens33
[root@l1 network-scripts]# vim ifcfg-ens36
[root@l1 network-scripts]# vim ifcfg-ens36
[root@l1 network-scripts]# vim ifcfg-ens36
[root@l1 network-scripts]# vim ifcfg-ens33
[root@l1 network-scripts]# vim ifcfg-ens36
[root@l1 network-scripts]# vim ifcfg-ens36
[root@l1 network-scripts]# systemctl restart network
[root@l1 network-scripts]# ifc
ifcfg     ifconfig  
[root@l1 network-scripts]# ifconfig 
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500inet 192.168.80.30  netmask 255.255.255.0  broadcast 192.168.80.255inet6 fe80::523e:232a:d39b:b32f  prefixlen 64  scopeid 0x20<link>ether 00:0c:29:87:fc:b2  txqueuelen 1000  (Ethernet)RX packets 1527  bytes 125929 (122.9 KiB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 1222  bytes 154371 (150.7 KiB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0ens36: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500inet 12.0.0.30  netmask 255.255.255.0  broadcast 12.0.0.255inet6 fe80::cfd7:6dd8:9716:71a3  prefixlen 64  scopeid 0x20<link>ether 00:0c:29:87:fc:bc  txqueuelen 1000  (Ethernet)RX packets 25  bytes 3357 (3.2 KiB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 631  bytes 103125 (100.7 KiB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536inet 127.0.0.1  netmask 255.0.0.0inet6 ::1  prefixlen 128  scopeid 0x10<host>loop  txqueuelen 1000  (Local Loopback)RX packets 382  bytes 32994 (32.2 KiB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 382  bytes 32994 (32.2 KiB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255ether 52:54:00:cc:65:de  txqueuelen 1000  (Ethernet)RX packets 0  bytes 0 (0.0 B)RX errors 0  dropped 0  overruns 0  frame 0TX packets 0  bytes 0 (0.0 B)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0[root@l1 network-scripts]#
客户端 1
[root@l2 ~]# ifconfig 
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500inet 192.168.18.20  netmask 255.255.255.0  broadcast 192.168.18.255inet6 fe80::ef42:44d7:112c:7393  prefixlen 64  scopeid 0x20<link>ether 00:0c:29:66:38:ff  txqueuelen 1000  (Ethernet)RX packets 3908  bytes 3856097 (3.6 MiB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 1554  bytes 116286 (113.5 KiB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536inet 127.0.0.1  netmask 255.0.0.0inet6 ::1  prefixlen 128  scopeid 0x10<host>loop  txqueuelen 1000  (Local Loopback)RX packets 37  bytes 3812 (3.7 KiB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 37  bytes 3812 (3.7 KiB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255ether 52:54:00:0f:a7:1a  txqueuelen 1000  (Ethernet)RX packets 0  bytes 0 (0.0 B)RX errors 0  dropped 0  overruns 0  frame 0TX packets 0  bytes 0 (0.0 B)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0[root@l2 ~]# vim /etc/sysc vim /etc/sysc
还有 3 个文件等待编辑
[root@l2 ~]#  vim /etc/sysc
[root@l2 ~]# vim /etc/sysconfig/network-scripts/ens33
[root@l2 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
[root@l2 ~]# systemctl restart network
[root@l2 ~]# 


TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=b0bf3db5-b099-4770-96cf-0e3179f56bd1
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.80.11
NETMASK=255.255.255.0
GATEWAY=192.168.80.30
[root@l2 network-scripts]# systemctl restart network
[root@l2 network-scripts]# 

[root@l2 network-scripts]# systemctl stop firewalld
[root@l2 network-scripts]# setenforce 0
[root@l2 network-scripts]#

 客户端 2
[root@l3 ~]# cd
[root@l3 ~]# cd /etc//sysconfig/network-scripts/
[root@l3 network-scripts]# vim ifcfg-ens3
[root@l3 network-scripts]# vim ifcfg-ens33
[root@l3 network-scripts]# ls
ifcfg-ens33  ifdown-ppp       ifup-ib      ifup-Team
ifcfg-lo     ifdown-routes    ifup-ippp    ifup-TeamPort
ifdown       ifdown-sit       ifup-ipv6    ifup-tunnel
ifdown-bnep  ifdown-Team      ifup-isdn    ifup-wireless
ifdown-eth   ifdown-TeamPort  ifup-plip    init.ipv6-global
ifdown-ib    ifdown-tunnel    ifup-plusb   network-functions
ifdown-ippp  ifup             ifup-post    network-functions-ipv6
ifdown-ipv6  ifup-aliases     ifup-ppp
ifdown-isdn  ifup-bnep        ifup-routes
ifdown-post  ifup-eth         ifup-sit
[root@l3 network-scripts]# [root@l3 network-scripts]# ifconfig 
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500inet 192.168.18.30  netmask 255.255.255.0  broadcast 192.168.18.255inet6 fe80::4367:bd86:d4c9:c296  prefixlen 64  scopeid 0x20<link>ether 00:0c:29:c9:0b:e0  txqueuelen 1000  (Ethernet)RX packets 383345  bytes 562327116 (536.2 MiB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 51994  bytes 3184636 (3.0 MiB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536inet 127.0.0.1  netmask 255.0.0.0inet6 ::1  prefixlen 128  scopeid 0x10<host>loop  txqueuelen 1000  (Local Loopback)RX packets 221  bytes 18940 (18.4 KiB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 221  bytes 18940 (18.4 KiB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255ether 52:54:00:1e:49:a2  txqueuelen 1000  (Ethernet)RX packets 0  bytes 0 (0.0 B)RX errors 0  dropped 0  overruns 0  frame 0TX packets 0  bytes 0 (0.0 B)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0[root@l3 network-scripts]# cd /etc//sysconfig/network-scripts/
[root@l3 network-scripts]# vim ifcfg-ens33
[root@l3 network-scripts]# systemctl restart net
netcf-transaction.service  network.service
network-online.target      
[root@l3 network-scripts]# systemctl restart networkw
Failed to restart networkw.service: Unit not found.
[root@l3 network-scripts]# systemctl restart network
[root@l3 network-scripts]# 

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=518f05a5-256a-45cf-bf88-e8e365e57bff
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.80.20
NETMASK=255.255.255.0
GATEWAY=192.168.80.30

[root@l3 ~]# systemctl stop firewalld
[root@l3 ~]# setenforce 0
[root@l3 ~]#
客户机1 客户机2ping网关服务器

网关服务器  清空规则

[root@l1 network-scripts]# iptables -F
[root@l1 network-scripts]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@l1 network-scripts]# iptables -t nat -F
[root@l1 network-scripts]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         Chain INPUT (policy ACCEPT)
target     prot opt source               destination         Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
[root@l1 network-scripts]#

 外网服务器

[root@localhost network-scripts]# ifconfig 
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500inet 12.0.0.12  netmask 255.255.255.0  broadcast 12.0.0.255inet6 fe80::149b:989c:c2fc:e0e0  prefixlen 64  scopeid 0x20<link>ether 00:0c:29:3d:ca:57  txqueuelen 1000  (Ethernet)RX packets 304  bytes 72391 (70.6 KiB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 200  bytes 25274 (24.6 KiB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536inet 127.0.0.1  netmask 255.0.0.0inet6 ::1  prefixlen 128  scopeid 0x10<host>loop  txqueuelen 1000  (Local Loopback)RX packets 1048  bytes 90856 (88.7 KiB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 1048  bytes 90856 (88.7 KiB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255ether 52:54:00:e5:c7:15  txqueuelen 1000  (Ethernet)RX packets 0  bytes 0 (0.0 B)RX errors 0  dropped 0  overruns 0  frame 0TX packets 0  bytes 0 (0.0 B)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0[root@localhost network-scripts]# vim ifcfg-ens33
[root@localhost network-scripts]# systemctl restart network
[root@localhost network-scripts]# vim ifcfg-ens33
[root@localhost network-scripts]# ifconfig 
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500inet 12.0.0.12  netmask 255.255.255.0  broadcast 12.0.0.255inet6 fe80::149b:989c:c2fc:e0e0  prefixlen 64  scopeid 0x20<link>ether 00:0c:29:3d:ca:57  txqueuelen 1000  (Ethernet)RX packets 304  bytes 72391 (70.6 KiB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 239  bytes 30819 (30.0 KiB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536inet 127.0.0.1  netmask 255.0.0.0inet6 ::1  prefixlen 128  scopeid 0x10<host>loop  txqueuelen 1000  (Local Loopback)RX packets 1184  bytes 102648 (100.2 KiB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 1184  bytes 102648 (100.2 KiB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255ether 52:54:00:e5:c7:15  txqueuelen 1000  (Ethernet)RX packets 0  bytes 0 (0.0 B)RX errors 0  dropped 0  overruns 0  frame 0TX packets 0  bytes 0 (0.0 B)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=db5dc291-4aff-4027-be90-8bc167e8ffaa
DEVICE=ens33
ONBOOT=yes
IPADDR=12.0.0.12
NETMASK=255.255.255.0
GATEWAY=12.0.0.30

[root@localhost network-scripts]# systemctl restart network  //重启网卡
[root@l3 network-scripts]# systemctl stop firewalld   //关闭防火墙
[root@l3 network-scripts]# setenforce 0
[root@l3 network-scripts]# 


[root@localhost ~]# yum install -y httpd  //下载软件httpd
已加载插件:fastestmirror, langpacks
Loading mirror speeds from cached hostfile
正在解决依赖关系
--> 正在检查事务
---> 软件包 httpd.x86_64.0.2.4.6-97.el7.centos.5 将被 安装
--> 正在处理依赖关系 httpd-tools = 2.4.6-97.el7.centos.5,它被软件包 httpd-2.4.6-97.el7.centos.5.x86_64 需要
--> 正在处理依赖关系 /etc/mime.types,它被软件包 httpd-2.4.6-97.el7.centos.5.x86_64 需要
--> 正在检查事务
---> 软件包 httpd-tools.x86_64.0.2.4.6-97.el7.centos.5 将被 安装
---> 软件包 mailcap.noarch.0.2.1.41-2.el7 将被 安装
--> 解决依赖关系完成依赖关系解决==================================================================Package        架构      版本                     源        大小
==================================================================
正在安装:httpd          x86_64    2.4.6-97.el7.centos.5    local    2.7 M
为依赖而安装:httpd-tools    x86_64    2.4.6-97.el7.centos.5    local     94 kmailcap        noarch    2.1.41-2.el7             local     31 k事务概要
==================================================================
安装  1 软件包 (+2 依赖软件包)总下载量:2.8 M
安装大小:9.6 M
Downloading packages:
------------------------------------------------------------------
总计                                  34 MB/s | 2.8 MB  00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction正在安装    : httpd-tools-2.4.6-97.el7.centos.5.x86_64      1/3 正在安装    : mailcap-2.1.41-2.el7.noarch                   2/3 正在安装    : httpd-2.4.6-97.el7.centos.5.x86_64            3/3 验证中      : mailcap-2.1.41-2.el7.noarch                   1/3 验证中      : httpd-tools-2.4.6-97.el7.centos.5.x86_64      2/3 验证中      : httpd-2.4.6-97.el7.centos.5.x86_64            3/3 已安装:httpd.x86_64 0:2.4.6-97.el7.centos.5                            作为依赖被安装:httpd-tools.x86_64 0:2.4.6-97.el7.centos.5                      mailcap.noarch 0:2.1.41-2.el7                                   完毕!
[root@localhost 
[root@localhost ~]# systemctl start httpd
[root@localhost ~]# netstat -lntp | grep :80 //阿帕奇端口已开启
tcp6       0      0 :::80                   :::*                    LISTEN      61993/httpd         
[root@localhost ~]#

已经全部配置好,现在开始验证

网关服务器

[root@l1 network-scripts]# ping 192.168.80.30
PING 192.168.80.30 (192.168.80.30) 56(84) bytes of data.
64 bytes from 192.168.80.30: icmp_seq=1 ttl=64 time=0.061 ms
64 bytes from 192.168.80.30: icmp_seq=2 ttl=64 time=0.041 ms
64 bytes from 192.168.80.30: icmp_seq=3 ttl=64 time=0.042 ms
64 bytes from 192.168.80.30: icmp_seq=4 ttl=64 time=0.065 ms
64 bytes from 192.168.80.30: icmp_seq=5 ttl=64 time=0.043 ms
64 bytes from 192.168.80.30: icmp_seq=6 ttl=64 time=0.043 ms
64 bytes from 192.168.80.30: icmp_seq=7 ttl=64 time=0.052 ms
64 bytes from 192.168.80.30: icmp_seq=8 ttl=64 time=0.045 ms
64 bytes from 192.168.80.30: icmp_seq=9 ttl=64 time=0.043 ms
64 bytes from 192.168.80.30: icmp_seq=10 ttl=64 time=0.043 ms

[root@l1 network-scripts]# ping 12.0.0.30
PING 12.0.0.30 (12.0.0.30) 56(84) bytes of data.
64 bytes from 12.0.0.30: icmp_seq=1 ttl=64 time=0.025 ms
64 bytes from 12.0.0.30: icmp_seq=2 ttl=64 time=0.043 ms
64 bytes from 12.0.0.30: icmp_seq=3 ttl=64 time=0.042 ms
64 bytes from 12.0.0.30: icmp_seq=4 ttl=64 time=0.041 ms
64 bytes from 12.0.0.30: icmp_seq=5 ttl=64 time=0.039 ms
64 bytes from 12.0.0.30: icmp_seq=6 ttl=64 time=0.041 ms
64 bytes from 12.0.0.30: icmp_seq=7 ttl=64 time=0.044 ms
64 bytes from 12.0.0.30: icmp_seq=8 ttl=64 time=0.041 ms
^C
--- 12.0.0.30 ping statistics ---
8 packets transmitted, 8 received, 0% packet loss, time 6999ms
rtt min/avg/max/mdev = 0.025/0.039/0.044/0.008 ms
[root@l1 network-scripts]#

都可以ping通

网关服务器

=0 ping不通

客户端1
[root@l2 ~]# 
[root@l2 ~]# ping 192.168.80.30
PING 192.168.80.30 (192.168.80.30) 56(84) bytes of data.
64 bytes from 192.168.80.30: icmp_seq=1 ttl=64 time=0.273 ms
64 bytes from 192.168.80.30: icmp_seq=2 ttl=64 time=0.182 ms
64 bytes from 192.168.80.30: icmp_seq=3 ttl=64 time=0.293 ms
64 bytes from 192.168.80.30: icmp_seq=4 ttl=64 time=0.173 ms
^C
--- 192.168.80.30 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.173/0.230/0.293/0.054 ms
[root@l2 ~]# ping 12.0.0.30
PING 12.0.0.30 (12.0.0.30) 56(84) bytes of data.
64 bytes from 12.0.0.30: icmp_seq=1 ttl=64 time=0.214 ms
64 bytes from 12.0.0.30: icmp_seq=2 ttl=64 time=0.177 ms
64 bytes from 12.0.0.30: icmp_seq=3 ttl=64 time=0.245 ms
64 bytes from 12.0.0.30: icmp_seq=4 ttl=64 time=0.229 ms
64 bytes from 12.0.0.30: icmp_seq=5 ttl=64 time=0.262 ms
^C
--- 12.0.0.30 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3999ms
rtt min/avg/max/mdev = 0.177/0.225/0.262/0.031 ms
[root@l2 ~]# ping 12.0.0.12
PING 12.0.0.12 (12.0.0.12) 56(84) bytes of data.
64 bytes from 12.0.0.12: icmp_seq=1 ttl=63 time=1.06 ms
64 bytes from 12.0.0.12: icmp_seq=2 ttl=63 time=0.850 ms
64 bytes from 12.0.0.12: icmp_seq=3 ttl=63 time=0.485 ms
64 bytes from 12.0.0.12: icmp_seq=4 ttl=63 time=2.03 ms
64 bytes from 12.0.0.12: icmp_seq=5 ttl=63 time=0.392 ms
^C
--- 12.0.0.12 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4003ms
rtt min/avg/max/mdev = 0.392/0.966/2.034/0.587 ms
[root@l2 ~]#
外网服务器 

客户端1
[root@l2 ~]# ping 12.0.0.12
PING 12.0.0.12 (12.0.0.12) 56(84) bytes of data.
64 bytes from 12.0.0.12: icmp_seq=1 ttl=63 time=0.635 ms
64 bytes from 12.0.0.12: icmp_seq=2 ttl=63 time=0.417 ms
64 bytes from 12.0.0.12: icmp_seq=3 ttl=63 time=0.471 ms
64 bytes from 12.0.0.12: icmp_seq=4 ttl=63 time=1.83 ms
64 bytes from 12.0.0.12: icmp_seq=5 ttl=63 time=0.668 ms
64 bytes from 12.0.0.12: icmp_seq=6 ttl=63 time=0.469 ms
64 bytes from 12.0.0.12: icmp_seq=7 ttl=63 time=3.92 ms
64 bytes from 12.0.0.12: icmp_seq=8 ttl=63 time=5.65 ms
64 bytes from 12.0.0.12: icmp_seq=9 ttl=63 time=0.438 ms
64 bytes from 12.0.0.12: icmp_seq=10 ttl=63 time=0.556 ms
64 bytes from 12.0.0.12: icmp_seq=11 ttl=63 time=0.437 ms
64 bytes from 12.0.0.12: icmp_seq=12 ttl=63 time=0.338 ms
64 bytes from 12.0.0.12: icmp_seq=13 ttl=63 time=0.348 ms
64 bytes from 12.0.0.12: icmp_seq=14 ttl=63 time=0.409 ms
64 bytes from 12.0.0.12: icmp_seq=15 ttl=63 time=0.583 ms
64 bytes from 12.0.0.12: icmp_seq=16 ttl=63 time=0.474 ms
^C
--- 12.0.0.12 ping statistics ---
16 packets transmitted, 16 received, 0% packet loss, time 15010ms
rtt min/avg/max/mdev = 0.338/1.103/5.652/1.465 ms
[root@l2 ~]#
外网服务器 

[root@localhost ~]# tcpdump -i ens33 -s 0 -w ./test1.cap
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
^C196 packets captured
198 packets received by filter
0 packets dropped by kernel
[root@localhost ~]# ls
anaconda-ks.cfg       test1.cap  模板  图片  下载  桌面
initial-setup-ks.cfg  公共       视频  文档  音乐

[root@localhost ~]# sz test1.cap
[root@localhost ~]#

 

真实环境中 客户端192.168.80.11   无法ping通   外网服务器12.0.0.12

网关服务器 

[root@l1 ~]# iptables -F nat
iptables: No chain/target/match by that name.
[root@l1 ~]# iptables -t nat -F
[root@l1 ~]# iptables -t nat -A POSTROUTING -s 192.168.80.0/24 -o ens36 -j SNAT --to 12.0.0.30
[root@l1 ~]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         Chain INPUT (policy ACCEPT)
target     prot opt source               destination         Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  192.168.80.0/24      0.0.0.0/0            to:12.0.0.30
[root@l1 ~]#
外网服务器
[root@localhost ~]# tcpdump -i ens33 -s 0 -w ./test2.cap  //抓包到test2.cap文件
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
^C26 packets captured
客户端1
[root@l2 ~]# ping -c 10 12.0.0.12  //ping十个包
PING 12.0.0.12 (12.0.0.12) 56(84) bytes of data.
64 bytes from 12.0.0.12: icmp_seq=1 ttl=63 time=0.440 ms
64 bytes from 12.0.0.12: icmp_seq=2 ttl=63 time=0.373 ms
64 bytes from 12.0.0.12: icmp_seq=3 ttl=63 time=0.362 ms
64 bytes from 12.0.0.12: icmp_seq=4 ttl=63 time=0.455 ms
64 bytes from 12.0.0.12: icmp_seq=5 ttl=63 time=0.468 ms
64 bytes from 12.0.0.12: icmp_seq=6 ttl=63 time=0.553 ms
64 bytes from 12.0.0.12: icmp_seq=7 ttl=63 time=0.427 ms
64 bytes from 12.0.0.12: icmp_seq=8 ttl=63 time=0.406 ms
64 bytes from 12.0.0.12: icmp_seq=9 ttl=63 time=0.648 ms
64 bytes from 12.0.0.12: icmp_seq=10 ttl=63 time=0.359 ms--- 12.0.0.12 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9001ms
rtt min/avg/max/mdev = 0.359/0.449/0.648/0.086 ms
[root@l2 ~]#

 外网服务器导出

[root@localhost ~]# sz test2.cap
[root@localhost ~]#

 总结

网关主机 ens33(左,连接内网)192.168.80.30    ens36(右,连接外网)12.0.0.30

客户端1 设置ip地址为192.168.80.11   网关为ens33 192.168.80.30

客户端2 设置ip地址为192.168.80.20   网关为ens33 192.168.80.30

外网服务器 ip 12.0.0.12  网关为ens36 12.0.0.30

SNAT    内网 --> 外网   转换源地址  
iptables  -t nat  -A POSTROUTING  -s 内网的源地址/网段  -o 出站网卡  -j SNAT  --to 要转换的公网源地址

实验2   DNAT

DNAT   外网 -->  内网   转换目的地址:端口
iptables  -t nat  -A PREROUTING   -i 入站网卡  -d 原公网目的地址  -p 协议 --dport 原目的端口  -j DNAT  --to 要转换的内网目的地址:端口

原 网站服务器 放入内网

原来 内网主机 放进 外网 

二号机同上操作 

客户机

客户机1 

[root@l2 ~]# cd /etc/sysconfig/network-scripts/
[root@l2 network-scripts]# 
[root@l2 network-scripts]# vim ifcfg-ens33

 

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=b0bf3db5-b099-4770-96cf-0e3179f56bd1
DEVICE=ens33
ONBOOT=yes
IPADDR=12.0.0.100
NETMASK=255.255.255.0
GATEWAY=12.0.0.30

[root@l2 network-scripts]# systemctl restart network  //重启网卡
[root@l2 network-scripts]# 

[root@l2 network-scripts]# ifconfig 
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500inet 12.0.0.100  netmask 255.255.255.0  broadcast 12.0.0.255inet6 fe80::ef42:44d7:112c:7393  prefixlen 64  scopeid 0x20<link>ether 00:0c:29:66:38:ff  txqueuelen 1000  (Ethernet)RX packets 6110  bytes 4044553 (3.8 MiB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 3032  bytes 250886 (245.0 KiB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536inet 127.0.0.1  netmask 255.0.0.0inet6 ::1  prefixlen 128  scopeid 0x10<host>loop  txqueuelen 1000  (Local Loopback)RX packets 156  bytes 14364 (14.0 KiB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 156  bytes 14364 (14.0 KiB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255ether 52:54:00:0f:a7:1a  txqueuelen 1000  (Ethernet)RX packets 0  bytes 0 (0.0 B)RX errors 0  dropped 0  overruns 0  frame 0TX packets 0  bytes 0 (0.0 B)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0[root@l2 network-scripts]#

客户机2

[root@l3 ~]# cd /etc/sysconfig/network-scripts/
[root@l3 network-scripts]# vim ifcfg-ens33
[root@l3 network-scripts]# 


TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=518f05a5-256a-45cf-bf88-e8e365e57bff
DEVICE=ens33
ONBOOT=yes
IPADDR=12.0.0.200
NETMASK=255.255.255.0
GATEWAY=12.0.0.30
[root@l3 network-scripts]# systemctl restart network
[root@l3 network-scripts]# ifc
ifcfg     ifconfig  
[root@l3 network-scripts]# ifconfig 
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500inet 12.0.0.200  netmask 255.255.255.0  broadcast 12.0.0.255inet6 fe80::4367:bd86:d4c9:c296  prefixlen 64  scopeid 0x20<link>ether 00:0c:29:c9:0b:e0  txqueuelen 1000  (Ethernet)RX packets 384632  bytes 562440735 (536.3 MiB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 52970  bytes 3261985 (3.1 MiB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536inet 127.0.0.1  netmask 255.0.0.0inet6 ::1  prefixlen 128  scopeid 0x10<host>loop  txqueuelen 1000  (Local Loopback)RX packets 368  bytes 32328 (31.5 KiB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 368  bytes 32328 (31.5 KiB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255ether 52:54:00:1e:49:a2  txqueuelen 1000  (Ethernet)RX packets 0  bytes 0 (0.0 B)RX errors 0  dropped 0  overruns 0  frame 0TX packets 0  bytes 0 (0.0 B)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0[root@l3 network-scripts]#

服务器

[root@localhost network-scripts]# cd /etc/sysconfig/network-scripts/
[root@localhost network-scripts]# vim ifcfg-ens33

 

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=db5dc291-4aff-4027-be90-8bc167e8ffaa
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.80.15
NETMASK=255.255.255.0
GATEWAY=192.168.80.30

[root@localhost network-scripts]# systemctl restart network
[root@localhost network-scripts]# ifconfig 
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500inet 192.168.80.15  netmask 255.255.255.0  broadcast 192.168.80.255inet6 fe80::149b:989c:c2fc:e0e0  prefixlen 64  scopeid 0x20<link>ether 00:0c:29:3d:ca:57  txqueuelen 1000  (Ethernet)RX packets 1830  bytes 216003 (210.9 KiB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 1480  bytes 184556 (180.2 KiB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536inet 127.0.0.1  netmask 255.0.0.0inet6 ::1  prefixlen 128  scopeid 0x10<host>loop  txqueuelen 1000  (Local Loopback)RX packets 2420  bytes 209820 (204.9 KiB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 2420  bytes 209820 (204.9 KiB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255ether 52:54:00:e5:c7:15  txqueuelen 1000  (Ethernet)RX packets 0  bytes 0 (0.0 B)RX errors 0  dropped 0  overruns 0  frame 0TX packets 0  bytes 0 (0.0 B)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0[root@localhost network-scripts]# 

[root@localhost network-scripts]# systemctl restart httpd
[root@localhost network-scripts]#

准备一个DNS服务器给外网客户端使用

[root@l1 ~]# yum install -y bind
已加载插件:fastestmirror, langpacks
Loading mirror speeds from cached hostfile
正在解决依赖关系
--> 正在检查事务
---> 软件包 bind.x86_64.32.9.11.4-26.P2.el7_9.9 将被 安装
--> 解决依赖关系完成依赖关系解决=================================================================================Package      架构           版本                            源             大小
=================================================================================
正在安装:bind         x86_64         32:9.11.4-26.P2.el7_9.9         local         2.3 M事务概要
=================================================================================
安装  1 软件包总下载量:2.3 M
安装大小:5.4 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction正在安装    : 32:bind-9.11.4-26.P2.el7_9.9.x86_64                          1/1 验证中      : 32:bind-9.11.4-26.P2.el7_9.9.x86_64                          1/1 已安装:bind.x86_64 32:9.11.4-26.P2.el7_9.9                                            完毕!
[root@l1 ~]#

如果下载报错

[root@l1 ~]# vim /etc/named.conf 
[root@l1 ~]#

 

[root@l1 ~]# vim /etc/named.rfc1912.zones 


[root@l1 ~]# cd /var/named/
[root@l1 named]# ll
总用量 16
drwxrwx---. 2 named named    6 2月  24 2022 data
drwxrwx---. 2 named named    6 2月  24 2022 dynamic
-rw-r-----. 1 root  named 2253 4月   5 2018 named.ca
-rw-r-----. 1 root  named  152 12月 15 2009 named.empty
-rw-r-----. 1 root  named  152 6月  21 2007 named.localhost
-rw-r-----. 1 root  named  168 12月 15 2009 named.loopback
drwxrwx---. 2 named named    6 2月  24 2022 slaves
[root@l1 named]# cp -p named.localhost xy101.com.zone

[root@l1 named]# vim !$


[root@l1 named]# systemctl start named
[root@l1 named]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
[root@l1 named]#

开始验证

客户机1

[root@l2 network-scripts]# vim /etc/resolv.conf

 

[root@l2 network-scripts]# nslookup www.xy101.com
Server:		12.0.0.30
Address:	12.0.0.30#53Name:	www.xy101.com
Address: 12.0.0.30[root@l2 network-scripts]#

网关服务器

[root@l1 named]# sysctl -p
net.ipv4.ip_forward = 1
[root@l1 named]#

客户机ping网关验证 

[root@l2 network-scripts]# ping 192.168.80.30
PING 192.168.80.30 (192.168.80.30) 56(84) bytes of data.
64 bytes from 192.168.80.30: icmp_seq=1 ttl=64 time=0.276 ms
64 bytes from 192.168.80.30: icmp_seq=2 ttl=64 time=0.238 ms
64 bytes from 192.168.80.30: icmp_seq=3 ttl=64 time=0.241 ms
^C
--- 192.168.80.30 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.238/0.251/0.276/0.025 ms
[root@l2 network-scripts]# 
[root@l2 network-scripts]# 
[root@l2 network-scripts]# ping 12.0.0.30
PING 12.0.0.30 (12.0.0.30) 56(84) bytes of data.
64 bytes from 12.0.0.30: icmp_seq=1 ttl=64 time=0.249 ms
64 bytes from 12.0.0.30: icmp_seq=2 ttl=64 time=0.181 ms
64 bytes from 12.0.0.30: icmp_seq=3 ttl=64 time=0.203 ms
64 bytes from 12.0.0.30: icmp_seq=4 ttl=64 time=0.230 ms
64 bytes from 12.0.0.30: icmp_seq=5 ttl=64 time=0.251 ms
^C
--- 12.0.0.30 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4000ms
rtt min/avg/max/mdev = 0.181/0.222/0.251/0.033 ms
[root@l2 network-scripts]# 
[root@l2 network-scripts]# ping 12.0.0.100
PING 12.0.0.100 (12.0.0.100) 56(84) bytes of data.
64 bytes from 12.0.0.100: icmp_seq=1 ttl=64 time=0.036 ms
64 bytes from 12.0.0.100: icmp_seq=2 ttl=64 time=0.029 ms
64 bytes from 12.0.0.100: icmp_seq=3 ttl=64 time=0.023 ms
^C
--- 12.0.0.100 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.023/0.029/0.036/0.006 ms
[root@l2 network-scripts]# 

[root@l2 network-scripts]# ping 12.0.0.200
PING 12.0.0.200 (12.0.0.200) 56(84) bytes of data.
64 bytes from 12.0.0.200: icmp_seq=1 ttl=64 time=0.276 ms
64 bytes from 12.0.0.200: icmp_seq=2 ttl=64 time=0.220 ms
64 bytes from 12.0.0.200: icmp_seq=3 ttl=64 time=0.210 ms
64 bytes from 12.0.0.200: icmp_seq=4 ttl=64 time=0.224 ms
^C
--- 12.0.0.200 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.210/0.232/0.276/0.029 ms
[root@l2 network-scripts]#

下面开始做DNAT转换

网关服务器

[root@l1 named]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

[root@l1 named]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         Chain INPUT (policy ACCEPT)
target     prot opt source               destination         Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  192.168.80.0/24      0.0.0.0/0            to:12.0.0.30
[root@l1 named]# 

[root@l1 named]# iptables -t nat -A PREROUTING -i ens33 -d 12.0.0.30 -p tcp --dport 80 -j DNAT --to 192.168.80.15:80
[root@l1 named]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  0.0.0.0/0            12.0.0.30            tcp dpt:80 to:192.168.80.15:80Chain INPUT (policy ACCEPT)
target     prot opt source               destination         Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  192.168.80.0/24      0.0.0.0/0            to:12.0.0.30
[root@l1 named]#

网页

 

[root@localhost network-scripts]# systemctl stop firewalld
[root@localhost network-scripts]# setenforce 0
[root@localhost network-scripts]#

网关服务器

客户端

网关服务器 ssh

[root@l1 named]# iptables -t nat -A PREROUTING -i ens33 -d 12.0.0.30 -p tcp --dport 2345 -j DNAT --to 192.168.80.15:22

 

[root@l1 named]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  0.0.0.0/0            12.0.0.30            tcp dpt:80 to:192.168.80.15:80
DNAT       tcp  --  0.0.0.0/0            12.0.0.30            tcp dpt:2345 to:192.168.80.15:22Chain INPUT (policy ACCEPT)
target     prot opt source               destination         Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  192.168.80.0/24      0.0.0.0/0            to:12.0.0.30
[root@l1 named]#

客户端

网关

网站服务器抓包

[root@localhost ~]# tcpdump -i ens33 -s 0  -w ./test3.cap
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes

客户端

这篇关于iptables防火墙【其二 实验篇】的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!


http://www.chinasem.cn/article/1009633

相关文章

STM32(十一):ADC数模转换器实验

STM32(十一):ADC数模转换器实验

AD单通道: 1.RCC开启GPIO和ADC时钟。配置ADCCLK分频器。 2.配置GPIO,把GPIO配置成模拟输入的模式。 3.配置多路开关,把左面通道接入到右面规则组列表里。 4.配置ADC转换器, 包括AD转换器和AD数据寄存器。单次转换,连续转换;扫描、非扫描;有几个通道,触发源是什么,数据对齐是左对齐还是右对齐。 5.ADC_CMD 开启ADC。 void RCC_AD
阅读更多...
HNU-2023电路与电子学-实验3

HNU-2023电路与电子学-实验3

写在前面: 一、实验目的 1.了解简易模型机的内部结构和工作原理。 2.分析模型机的功能,设计 8 重 3-1 多路复用器。 3.分析模型机的功能,设计 8 重 2-1 多路复用器。 4.分析模型机的工作原理,设计模型机控制信号产生逻辑。 二、实验内容 1.用 VERILOG 语言设计模型机的 8 重 3-1 多路复用器; 2.用 VERILOG 语言设计模型机的 8 重 2-1 多
阅读更多...
61.以太网数据回环实验(4)以太网数据收发器发送模块

61.以太网数据回环实验(4)以太网数据收发器发送模块

(1)状态转移图: (2)IP数据包格式: (3)UDP数据包格式: (4)以太网发送模块代码: module udp_tx(input wire gmii_txc ,input wire reset_n ,input wire tx_start_en , //以太网开始发送信
阅读更多...
iptables持久化命令:netfilter-persistent save

iptables持久化命令:netfilter-persistent save

在Linux上,使用netfilter-persistent命令可以保存iptables防火墙规则,确保它们在系统重启后仍然有效。以下是如何使用netfilter-persistent来保存iptables规则的步骤: 打开终端:首先,你需要打开Linux系统的终端。保存规则:使用netfilter-persistent save命令可以保存当前的iptables规则。这个命令会调用所有插件,将
阅读更多...
LTspice模拟CCM和DCM模式的BUCK电路实验及参数计算

LTspice模拟CCM和DCM模式的BUCK电路实验及参数计算

关于BUCK电路的原理可以参考硬件工程师炼成之路写的《 手撕Buck!Buck公式推导过程》.实验内容是将12V~5V的Buck电路仿真,要求纹波电压小于15mv. CCM和DCM的区别: CCM:在一个开关周期内,电感电流从不会到0. DCM:在开关周期内,电感电流总会到0. CCM模式Buck电路仿真: 在用LTspice模拟CCM电路时,MOS管驱动信号频率为100Khz,负载为10R(可自
阅读更多...
HCIA--实验十:路由的递归特性

HCIA--实验十:路由的递归特性

递归路由的理解 一、实验内容 1.需求/要求: 使用4台路由器,在AR1和AR4上分别配置一个LOOPBACK接口,根据路由的递归特性,写一系列的静态路由实现让1.1.1.1和4.4.4.4的双向通信。 二、实验过程 1.拓扑图: 2.步骤: (下列命令行可以直接复制在ensp) 1.如拓扑图所示,配置各路由器的基本信息: 各接口的ip地址及子网掩码,给AR1和AR4分别配置
阅读更多...
OpenGL/GLUT实践:流体模拟——数值解法求解Navier-Stokes方程模拟二维流体(电子科技大学信软图形与动画Ⅱ实验)

OpenGL/GLUT实践:流体模拟——数值解法求解Navier-Stokes方程模拟二维流体(电子科技大学信软图形与动画Ⅱ实验)

源码见GitHub:A-UESTCer-s-Code 文章目录 1 实现效果2 实现过程2.1 流体模拟实现2.1.1 网格结构2.1.2 数据结构2.1.3 程序结构1) 更新速度场2) 更新密度值 2.1.4 实现效果 2.2 颜色设置2.2.1 颜色绘制2.2.2 颜色交互2.2.3 实现效果 2.3 障碍设置2.3.1 障碍定义2.3.2 障碍边界条件判定2.3.3 障碍实现2.3.
阅读更多...
pta-2024年秋面向对象程序设计实验一-java

pta-2024年秋面向对象程序设计实验一-java

文章申明:作者也为初学者,解答仅供参考,不一定是最优解; 一:7-1 sdut-sel-2 汽车超速罚款(选择结构) 答案: import java.util.Scanner;         public class Main { public static void main(String[] arg){         Scanner sc=new Scanner(System
阅读更多...
【linux 防火墙设置】3条命令关闭linux防火墙

【linux 防火墙设置】3条命令关闭linux防火墙

检查防火墙是否开启 firewall-cmd --state runing是防火墙运行中 如果 not runing的话不用次步骤 防火墙配置 说明:防火墙中有一个配置文件,表示当Linux系统启动时防火墙应该如何操作!!! 需求: 告诉linux系统以后开机不需要启动防火墙 命令: systemctl disable firewalld.service 手动关闭防火墙 说明:
阅读更多...
如何校准实验中振镜频率的漂移

如何校准实验中振镜频率的漂移

在实验过程中,使用共振扫描振镜(如Cambridge Technology的8kHz振镜)时,频率漂移是一个常见问题,尤其是在温度变化或长期运行的情况下。为了确保实验的准确性和稳定性,我们需要采取有效的校准措施。本文将介绍如何监测、调节和校准振镜频率,以减少漂移对实验结果的影响。 1. 温度管理和稳定性控制 振镜的频率变化与温度密切相关,温度的升高会导致机械结构的变化,进而影响振镜的共
阅读更多...

Copyright China编程 23002807@qq.com

沪ICP备2023033072号-2