Kernel parameter
Enable IP forwarding by setting the kernel parameter to 1
# cat /proc/sys/net/ipv4/ip_forward
0
Temporary
# echo 1 > /proc/sys/net/ipv4/ip_forward
# cat /proc/sys/net/ipv4/ip_forward
1
Permanent
# vim /etc/sysctl.conf
Add the line
net.ipv4.ip_forward=1
Apply
# sysctl -p
Configuration
Client: 172.168.126.8/24, gateway 172.168.126.2, network mode VMnet1
Firewall: 172.168.126.2/24, network mode VMnet1
Firewall: 192.168.126.2/24, network mode net
Server: 192.168.126.6/24, gateway 192.168.126.2, network mode net
Verification
Client
ping 192.168.126.6 succeeds
curl 192.168.126.6
Firewall
Changed to 1
cat /proc/sys/net/ipv4/ip_forward
1
Server
# systemctl restart httpd
# tail -f /var/log/httpd/access_log
172.168.126.8 - - [26/Jun/2019:02:50:24 -0400] "GET / HTTP/1.1" 200 9638 "-" "curl/7.29.0"
The request arrives with the client's own IP
Client accesses the server: SNAT
Firewall: flush the chains and rules
# iptables -t nat -F
# iptables -t filter -F
# iptables -t mangle -F
# iptables -t raw -F
# iptables -t raw -X
# iptables -t mangle -X
# iptables -t nat -X
# iptables -t filter -X
# systemctl status firewalld
# systemctl start firewalld
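# iptables -t nat \
-A POSTROUTING \
-s 172.168.126.8 \
-d 192.168.126.6 \
-p tcp \
--dport 80 \
-j SNAT \
--to-source 192.168.126.2
Option meanings:
-t nat: the table to use
-A POSTROUTING: append to the end of the specified chain
-s: source IP address
-d: destination IP address
-p tcp: TCP network protocol
--dport 80: destination port being accessed
-j SNAT: source address translation
# iptables -t nat -L -n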
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT tcp -- 172.168.126.8 192.168.126.6 tcp dpt:80 to:192.168.126.2
Client: access the server
curl 192.168.126.6
Server: verify
# tail -f /var/log/httpd/access_log
192.168.126.2 - - [26/Jun/2019:03:27:55 -0400] "GET / HTTP/1.1" 200 9643 "-" "curl/7.29.0"
The request arrives with the public IP
Server accesses the client: DNAT
Firewall:
# iptables -t nat -I PREROUTING \
-s 192.168.126.6 \
-d 192.168.126.2 \
-p tcp \
--dport 80 \
-j DNAT \
--to-destination 172.168.126.8
# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 192.168.126.6 192.168.126.2 tcp dpt:80 to:172.168.126.8
Server: access the client
# curl 172.168.126.8
Client: verify
# tail -f /var/log/httpd/access_log
192.168.126.6 - - [26/Jun/2019:03:27:55 -0400] "GET / HTTP/1.1" 200 9643 "-" "curl/7.29.0"
The request arrives with the public IP
Original article: https://www.cnblogs.com/itzhao/p/11259017.html