Configure NAT service with Webmin in RedHat Linux (1)

Source: Internet
Author: User

Environment: RedHat Linux 9.0, Webmin version 1.38. Webmin is an excellent browser-based (B/S) Linux system management tool. Through its graphical interface you can conveniently and efficiently manage most Linux services, applications, network settings and hardware configuration. Webmin ships its own web server, so Apache does not need to be running; Webmin listens on port 10000 by default.

NICs:
eth0: external NIC, IP 10.0.0.118, netmask 255.255.255.0
eth1: intranet NIC, IP 192.168.0.118, netmask 255.255.255.0

In Linux, run the ifconfig command to check the NIC configuration:
[root@mylinux root]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:03:FF:0B:21:81
          inet addr:10.0.0.118  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1447 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1257 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:134788 (131.6 KB)  TX bytes:131251 (128.1 KB)
          Interrupt:11 Base address:0x9000

eth1      Link encap:Ethernet  HWaddr 00:03:FF:19:21:81
          inet addr:192.168.0.118  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2133 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2082 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:160402 (156.6 KB)  TX bytes:156738 (153.0 KB)
          Interrupt:11 Base address:0xd000

Content of /etc/sysconfig/network-scripts/ifcfg-eth0:
# Please read /usr/share/doc/initscripts-*/sysconfig.txt
# for the documentation of these parameters.
USERCTL=no
PEERDNS=yes
GATEWAY=10.0.0.2
TYPE=Ethernet
DEVICE=eth0
HWADDR=00:03:FF:0B:21:81
BOOTPROTO=none
NETMASK=255.255.255.0
ONBOOT=yes
IPADDR=10.0.0.118
NETWORK=10.0.0.0
BROADCAST=10.0.0.255

Content of /etc/sysconfig/network-scripts/ifcfg-eth1:
# Please read /usr/share/doc/initscripts-*/sysconfig.txt
# for the documentation of these parameters.
USERCTL=no
PEERDNS=yes
TYPE=Ethernet
DEVICE=eth1
HWADDR=00:03:FF:19:21:81
BOOTPROTO=none
NETMASK=255.255.255.0
ONBOOT=yes
IPADDR=192.168.0.118
NETWORK=192.168.0.0
BROADCAST=192.168.0.255

Routing table:
[root@mylinux root]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         10.0.0.2        0.0.0.0         UG    0      0        0 eth0

Configuration:
Open the Webmin URL http://10.0.0.2:10000, log in with the root account name and password, and select "Linux Firewall" under "Network Configuration":

On the page that opens, "Packet filtering (filter)" is selected by default to the right of the "Showing IPtable" button; this is where the firewall itself is configured. If an intermediate or advanced firewall policy is already enabled, you must add rules to the "Forwarded packets (FORWARD)" chain here that allow the protocols and ports NAT traffic uses in both directions (make sure the direction is right: the intranet NIC is the input interface, the external NIC is the output interface), otherwise NAT cannot take effect. For this experiment all traffic is allowed, with the following rule:
Accept if input interface is eth1 and output interface is eth0
Note that rules are evaluated top-down: the first rule that matches decides the packet's fate, and the rest of the chain is not examined.
To configure the NAT service, select "Network address translation (nat)" to the right of the "Showing IPtable" button, then click the "Showing IPtable" button to enter the NAT configuration page.

Click "Add rule" to open the rule configuration page.

For "Action to take", select "Source NAT"; under "IPs and ports for SNAT", enter 10.0.0.118 in the "IP range" field; for "Outgoing interface", select "Equals" eth0, which is the external NIC; leave the other options at their defaults. Press Save, then click "Apply Configuration" so the rule takes effect.

Note: with only this configuration the gateway still does not do what is required. I do not know whether this is a gap in Webmin or something else, but Linux must also be configured for IP forwarding before everything works.
To enable IP forwarding in Linux, add the line FORWARD_IPV4=yes at the end of /etc/sysconfig/network:
/etc/sysconfig/network:
NETWORKING=yes
HOSTNAME=mylinux
GATEWAY=10.0.0.2
FORWARD_IPV4=yes
At the same time, run echo 1 > /proc/sys/net/ipv4/ip_forward. In fact, on RedHat Linux 9.0 I found that the echo command alone is enough; I do not know whether other Linux distributions behave the same way.
To have echo 1 > /proc/sys/net/ipv4/ip_forward run automatically after startup, add it to the end of /etc/rc.d/rc.local.
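The forwarding step above can be scripted so that re-running the setup does not stack duplicate lines in rc.local. The script below is an added example, not part of the original article; it assumes the RedHat 9 layout the article describes (the runtime switch at /proc/sys/net/ipv4/ip_forward, boot-time commands in /etc/rc.d/rc.local). The file paths are parameters so the helpers can be checked against a copy without root.

```shell
#!/bin/sh
# Added example (not from the original article): enable IPv4 forwarding on the
# NAT box and persist it across reboots. Assumes the RedHat 9 layout from the
# article: /proc/sys/net/ipv4/ip_forward at runtime, /etc/rc.d/rc.local at boot.

# Print "enabled" or "disabled" for the forwarding switch. The path is a
# parameter so the check can also run against a copy of the file.
ip_forward_state() {
    file="${1:-/proc/sys/net/ipv4/ip_forward}"
    if [ "$(cat "$file")" = "1" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Append LINE to FILE only if it is not already present, so repeated runs do
# not leave several copies of the same echo statement in rc.local.
ensure_line() {
    file="$1"
    line="$2"
    [ -f "$file" ] || : > "$file"
    if grep -Fxq -- "$line" "$file"; then
        echo present
    else
        printf '%s\n' "$line" >> "$file"
        echo added
    fi
}

# Turn forwarding on now and make it survive a reboot. Needs root, so it only
# runs when the script is invoked explicitly with "apply".
enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    ensure_line /etc/rc.d/rc.local 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    ip_forward_state
}

if [ "${1:-}" = "apply" ]; then
    enable_forwarding
fi
```

Run it as root with `sh enable_forwarding.sh apply` (the file name is an assumption). On RedHat 9 the cleaner place to persist the setting is the existing `net.ipv4.ip_forward = 0` line in /etc/sysctl.conf, changed to 1; the rc.local approach above simply matches what the article does. Either way, verify with `ip_forward_state` after a reboot rather than trusting that the file was edited.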

Configuring the firewall and NAT with Webmin is, in essence, editing /etc/sysconfig/iptables: every rule you add through the interface is written to that file. Its content after the steps above is:
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
:my-test-chain - [0:0]
-A INPUT -p tcp -m tcp -i eth0 --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --dport 137:139 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport -j REJECT --syn
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 -j REJECT --syn
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 -j REJECT --syn
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 -j REJECT --syn
-A my-test-chain -p icmp -d 10.0.0.118 -i eth0 -j DROP
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A OUTPUT -o eth0 -j ACCEPT
# Not ping 10.0.0.118
-A INPUT -p icmp -d 10.0.0.118 -i eth0
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
# Generated by Webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by Webmin
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j SNAT --to-source 10.0.0.118
COMMIT
# Completed
In fact, the core configuration statement is:
-A POSTROUTING -o eth0 -j SNAT --to-source 10.0.0.118
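The ruleset above works because the FORWARD policy is ACCEPT and the SNAT rule matches anything leaving eth0, which is wider than a gateway needs. The script below is an added example, not the article's configuration or Webmin output: it generates an iptables-restore file for the same two-NIC gateway (eth0/10.0.0.118 outside, eth1/192.168.0.0/24 inside, as in the article) but scopes SNAT to the LAN source range, sets the FORWARD policy to DROP, and admits only LAN-initiated flows and their replies via the connection-tracking state match. The interface names, addresses and LAN range are parameters; the `apply` mode and the log prefix are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the article's own configuration): build an
# iptables-restore ruleset for a two-NIC SNAT gateway with a default-deny
# FORWARD chain. Parameters: external interface, internal interface,
# external address used as the SNAT source, and the LAN range to translate.

build_nat_ruleset() {
    ext_if="$1"; int_if="$2"; ext_ip="$3"; lan_net="$4"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# LAN -> outside: only flows whose source is inside the LAN range
-A FORWARD -i $int_if -o $ext_if -s $lan_net -j ACCEPT
# outside -> LAN: only replies to connections the LAN opened
-A FORWARD -i $ext_if -o $int_if -m state --state ESTABLISHED,RELATED -j ACCEPT
# anything else crossing the box is logged (rate-limited) and then dropped by policy
-A FORWARD -m limit --limit 10/min -j LOG --log-prefix "nat-forward-drop: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# the article's core rule, restricted to the LAN source range
-A POSTROUTING -s $lan_net -o $ext_if -j SNAT --to-source $ext_ip
COMMIT
EOF
}

# Count the rules appended to CHAIN in a ruleset read from stdin; a quick
# sanity check before loading (for example, exactly one SNAT rule).
count_rules() {
    chain="$1"
    grep -c -- "^-A $chain "
}

# Print the ruleset by default; load it with iptables-restore only when asked
# ("apply"), which needs root and replaces the running tables.
if [ "${1:-}" = "apply" ]; then
    build_nat_ruleset eth0 eth1 10.0.0.118 192.168.0.0/24 | iptables-restore
else
    build_nat_ruleset eth0 eth1 10.0.0.118 192.168.0.0/24
fi
```

Review the printed output first, then run with `apply` as root. Because the file is loaded with iptables-restore, it replaces the lokkit and Webmin rules shown above rather than merging with them, so any INPUT rules you still need (the port 80 and 137:139 accepts, for instance) have to be carried over into the *filter section. The state match relies on the ip_conntrack module, which the SNAT rule loads anyway.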

This article is from the "100,000 Whys" Computer Learning Network, http://www.why100000.com
http://www.why100000.com/_Linux/doc/RHLinux_Webmin_Nat.swf

Author: Zhang Qing (mesh)
