iptables nat表应用

nat表应用

A机器：双网卡，ens33（ip：192.168.188.2）、ens37（ip：192.168.100.1），网卡ens33可以使用外网，网卡ens37只能用内网；
B机器：单网卡ens37（ip：192.168.100.100），可以与A机器的ens37相连通信；
C机器：单网卡ens37（ip：192.168.100.101），与B机器连接；

NAT默认路由指向

需求1：让B机器连接外网；
也就是将0.0.0.0/0网段指向A机器的ens33网卡的下一跳，即可实现192.168.100.0/24上网；

1、打开端口转发模式

查询（将 /proc/sys/net/ipv4/ip_forward设置为1为转发，默认为0）；

[root@shu-test ~]# cat /proc/sys/net/ipv4/ip_forward0[root@shu-test ~]#

打开端口转发

echo "1" > /proc/sys/net/ipv4/ip_forward

[root@shu-test ~]# echo "1" > /proc/sys/net/ipv4/ip_forward[root@shu-test ~]# cat /proc/sys/net/ipv4/ip_forward1[root@shu-test ~]#

2、在机器A上增加规则

（记住B机器的网关必须指向机器A的ens37也就是192.168.100.1）

 iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE

在机器A上增加nat 将源地址192.168.100.0/24的所有路由（数据包）指向ens33出去

[root@shu-test ~]# iptables -F[root@shu-test ~]# iptables -t nat -nvLChain PREROUTING (policy ACCEPT 659 packets, 67162 bytes)pkts bytes target     prot opt in     out     source               destination         Chain INPUT (policy ACCEPT 18 packets, 1935 bytes)pkts bytes target     prot opt in     out     source               destination         Chain OUTPUT (policy ACCEPT 50 packets, 3782 bytes)pkts bytes target     prot opt in     out     source               destination         Chain POSTROUTING (policy ACCEPT 50 packets, 3782 bytes)pkts bytes target     prot opt in     out     source               destination            42  3201 MASQUERADE  all  --  *      ens33   192.168.100.0/24     0.0.0.0/0           [root@shu-test ~]#

3、测试：

如果能ping通机器A的ens33网卡，而ping不通外网，可以清空下iptables -F配置的规则；
机器B上ping www.hao123.com

[root@localhost ~]# ping 192.168.188.1PING 192.168.188.1 (192.168.188.1) 56(84) bytes of data.64 bytes from 192.168.188.1: icmp_seq=1 ttl=127 time=1.58 ms64 bytes from 192.168.188.1: icmp_seq=2 ttl=127 time=0.814 ms^C--- 192.168.188.1 ping statistics ---2 packets transmitted, 2 received, 0% packet loss, time 1002msrtt min/avg/max/mdev = 0.814/1.199/1.585/0.387 ms[root@localhost ~]# ping www.hao123.comPING hao123.n.shifen.com (112.34.111.167) 56(84) bytes of data.64 bytes from 112.34.111.167 (112.34.111.167): icmp_seq=1 ttl=127 time=31.1 ms64 bytes from 112.34.111.167 (112.34.111.167): icmp_seq=2 ttl=127 time=31.5 ms64 bytes from 112.34.111.167 (112.34.111.167): icmp_seq=3 ttl=127 time=31.2 ms^C--- hao123.n.shifen.com ping statistics ---3 packets transmitted, 3 received, 0% packet loss, time 2002msrtt min/avg/max/mdev = 31.116/31.291/31.502/0.159 ms[root@localhost ~]#

端口映射

需求2：C机器只能和A通信，让C机器可以直接通过B机器22端口；（端口映射）

1、打开A机器的端口转发功能；

echo "1" > /proc/sys/net/ipv4/ip_forward

[root@localhost ~]# echo "1" > /proc/sys/net/ipv4/ip_forward[root@localhost ~]# cat /proc/sys/net/ipv4/ip_forward1[root@localhost ~]#

2、清空和删除所有配置

使用iptables -F与 -D 命令，详情见前文章

3、在A机器上添加规则

iptables -t nat -A PREROUTING -d 192.168.188.2 -p tcp --dport 1122 -j DNAT --to 192.168.100.101:22
将192.168.100.101的22端口映射到A机器的ens33的1122端口上，
使外网通过访问192.168.188.2:1122来达到访问机器C（ip：192.168.100.101）的22端口；

[root@shu-test ~]# iptables -t nat -A PREROUTING -d 192.168.188.2 -p tcp --dport 1122 -j DNAT --to 192.168.100.101:22[root@shu-test ~]#[root@shu-test ~]# iptables -t nat -nvLChain PREROUTING (policy ACCEPT 13 packets, 1072 bytes)pkts bytes target     prot opt in     out     source               destination             5   260 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.188.2        tcp dpt:1122 to:192.168.100.101:22Chain INPUT (policy ACCEPT 6 packets, 549 bytes)pkts bytes target     prot opt in     out     source               destination         Chain OUTPUT (policy ACCEPT 2 packets, 152 bytes)pkts bytes target     prot opt in     out     source               destination         Chain POSTROUTING (policy ACCEPT 7 packets, 412 bytes)pkts bytes target     prot opt in     out     source               destination           113  8561 MASQUERADE  all  --  *      ens33   192.168.100.0/24     0.0.0.0/0           [root@shu-test ~]#

4、在A机器上添加回包规则

iptables -t nat -A POSTROUTING -s 192.168.100.101 -j SNAT --to 192.168.188.2
将从192.168.100.101的过来的包，返回给192.168.188.2；
有来有回

[root@shu-test ~]# iptables -t nat -A POSTROUTING -s 192.168.100.101 -j SNAT --to 192.168.188.2[root@shu-test ~]# iptables -t nat -nvLChain PREROUTING (policy ACCEPT 0 packets, 0 bytes)pkts bytes target     prot opt in     out     source               destination             5   260 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.188.2        tcp dpt:1122 to:192.168.100.101:22Chain INPUT (policy ACCEPT 0 packets, 0 bytes)pkts bytes target     prot opt in     out     source               destination         Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)pkts bytes target     prot opt in     out     source               destination         Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)pkts bytes target     prot opt in     out     source               destination           122  9236 MASQUERADE  all  --  *      ens33   192.168.100.0/24     0.0.0.0/0               0     0 SNAT       all  --  *      *       192.168.100.101      0.0.0.0/0            to:192.168.188.2[root@shu-test ~]#

5、测试

在Windows本机测试（使用tcping工具）

C:\Users\Administrator.USER-20170617IG>tcping 192.168.188.2 1122Probing 192.168.188.2:1122/tcp - Port is open - time=24.733msProbing 192.168.188.2:1122/tcp - Port is open - time=4.718msProbing 192.168.188.2:1122/tcp - Port is open - time=4.639msProbing 192.168.188.2:1122/tcp - Port is open - time=4.886msPing statistics for 192.168.188.2:1122     4 probes sent.     4 successful, 0 failed.Approximate trip times in milli-seconds:     Minimum = 4.639ms, Maximum = 24.733ms, Average = 9.744ms C:\Users\Administrator.USER-20170617IG>ping 192.168.100.101正在 Ping 192.168.100.101 具有 32 字节的数据:请求超时。请求超时。请求超时。请求超时。192.168.100.101 的 Ping 统计信息:    数据包: 已发送 = 4，已接收 = 0，丢失 = 4 (100% 丢失)，C:\Users\Administrator.USER-20170617IG>

在Windows上直接ssh 192.168.188.2：1122

Connecting to 192.168.188.2:1122...Connection established.To escape to local shell, press 'Ctrl+Alt+]'.Last login: Thu Jan 25 22:22:33 2018 from 192.168.188.1[root@shu002 ~]# w23:02:45 up 43 min,  2 users,  load average: 0.00, 0.01, 0.05USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHATroot     tty1                      22:20   11:09   0.29s  0.29s -bashroot     pts/0    192.168.188.1    23:02    5.00s  0.07s  0.04s w[root@shu002 ~]#[root@shu002 ~]# ifconfigens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500        ether 00:0c:29:20:41:c3  txqueuelen 1000  (Ethernet)        RX packets 636  bytes 67857 (66.2 KiB)        RX errors 0  dropped 0  overruns 0  frame 0        TX packets 333  bytes 45907 (44.8 KiB)        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500        inet 192.168.100.101  netmask 255.255.255.0  broadcast 192.168.100.255        inet6 fe80::d347:6274:ae3f:7255  prefixlen 64  scopeid 0x20<link>        inet6 fe80::f39c:81b9:efac:5b41  prefixlen 64  scopeid 0x20<link>        ether 00:0c:29:20:41:cd  txqueuelen 1000  (Ethernet)        RX packets 289  bytes 27155 (26.5 KiB)        RX errors 0  dropped 0  overruns 0  frame 0        TX packets 341  bytes 34283 (33.4 KiB)        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536        inet 127.0.0.1  netmask 255.0.0.0        inet6 ::1  prefixlen 128  scopeid 0x10<host>        loop  txqueuelen 1  (Local Loopback)        RX packets 72  bytes 5712 (5.5 KiB)        RX errors 0  dropped 0  overruns 0  frame 0        TX packets 72  bytes 5712 (5.5 KiB)        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0[root@shu002 ~]#

一次性定义iptables规则

创建文件

 vi /usr/local/sbin/iptables.sh

内容：

#! /bin/bashipt="/usr/sbin/iptables"$ipt -F$ipt -P INPUT DROP$ipt -P OUTPUT ACCEPT$ipt -P FORWARD ACCEPT$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$ipt -A INPUT -s 192.168.188.0/24 -p tcp --dport 22 -j ACCEPT$ipt -A INPUT -p tcp --dport 80 -j ACCEPT$ipt -A INPUT -p tcp --dport 21 -j ACCEPT

执行文件

 sh /usr/local/sbin/iptables.sh

测试：

可以ssh该机器的22端口，但不能ping通（icmp被禁）；

[root@shu-test ~]# iptables -nvLChain INPUT (policy DROP 12 packets, 936 bytes)pkts bytes target     prot opt in     out     source               destination            91  7272 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED    0     0 ACCEPT     tcp  --  *      *       192.168.133.0/24     0.0.0.0/0            tcp dpt:22    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)pkts bytes target     prot opt in     out     source               destination         Chain OUTPUT (policy ACCEPT 72 packets, 8232 bytes)pkts bytes target     prot opt in     out     source               destination         [root@shu-test ~]#

C:\Users\Administrator.USER-20170617IG>ping 192.168.188.2正在 Ping 192.168.188.2 具有 32 字节的数据:请求超时。请求超时。请求超时。请求超时。192.168.188.2 的 Ping 统计信息:    数据包: 已发送 = 4，已接收 = 0，丢失 = 4 (100% 丢失)，C:\Users\Administrator.USER-20170617IG>