I. SNAT
OSI Layer-7 Model
Application Layer
Presentation Layer
Session Layer
Transport Layer
Network Layer
Data Link Layer
Physical Layer
TCP/IP 5-layer model
Application Layer
Transport Layer
Network Layer
Data Link Layer
Physical Layer
SNAT function:
1) Let a LAN share one public IP address for Internet access
2) Hide internal hosts
SNAT principle: rewrite the source IP address of the packet to a public IP address
SNAT implementation methods:
1) Hardware router
2) Hardware firewall
3) Software firewall (Linux): vim /etc/sysctl.conf --> net.ipv4.ip_forward = 1 (enable route forwarding) --> sysctl -p
SNAT rules:
1) iptables -t nat -A POSTROUTING -s <intranet IP> -j SNAT --to-source <public IP>    // for a static public IP address
2) iptables -t nat -A POSTROUTING -s <intranet IP> -j MASQUERADE    // for a dynamic public IP address (uses the outgoing interface's current address)
Case:
Two VMs: an intranet server (vmnet1) and a Linux gateway server (two NICs: vmnet1 and bridged)
1. Deploy the intranet server
1) vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
NM_CONTROLLED="no"
ONBOOT="yes"
BOOTPROTO="static"
IPADDR=192.168.1.10
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
DNS1=114.114.114.114
2) /etc/init.d/iptables stop
3) /etc/init.d/network restart
4) rm -rf /etc/yum.repos.d/*
5) vim /etc/yum.repos.d/local.repo
[local]
name=local
baseurl=file:///mnt
gpgcheck=0
6) mount /dev/cdrom /mnt
7) yum -y install elinks
2. Deploy the Linux gateway
Tip: Alt+. in bash inserts the last argument of the previous command, which saves retyping the long ifcfg path.
1) vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
NM_CONTROLLED="no"
ONBOOT="yes"
BOOTPROTO="static"
IPADDR=192.168.1.1
NETMASK=255.255.255.0
2) cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth1
3) vim /etc/sysconfig/network-scripts/ifcfg-eth1 (remove the IPADDR and NETMASK lines copied from eth0)
DEVICE="eth1"
NM_CONTROLLED="no"
ONBOOT="yes"
BOOTPROTO="dhcp"
/etc/init.d/iptables stop
/etc/init.d/network restart
4) vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
5) sysctl -p
6) iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 192.168.10.34    // 192.168.10.34 is the address eth1 obtained on the bridged network
3. Test
On the intranet server: elinks www.baidu.com, or ping www.baidu.com
II. DNAT
DNAT function:
1) Publish an internal host so that Internet clients can reach a service on the intranet
2) Hide internal hosts
Note: DNAT is normally combined with DNS, which resolves the service's domain name to the public IP address.
DNAT principle: rewrite the destination IP address of the packet (the public IP address it was sent to)
DNAT implementation methods:
1) Hardware router
2) Hardware firewall
3) Software firewall (Linux): vim /etc/sysctl.conf --> net.ipv4.ip_forward = 1 (enable route forwarding) --> sysctl -p
Case:
Two VMs: an intranet server (vmnet1) and a Linux gateway server (two NICs: vmnet1 and bridged)
Goal: allow SSH from the Internet to the intranet server
1. Deploy the intranet server
vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
NM_CONTROLLED="no"
ONBOOT="yes"
BOOTPROTO="static"
IPADDR=192.168.1.10
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
DNS1=114.114.114.114
/etc/init.d/iptables stop
/etc/init.d/network restart
2. Deploy the Linux gateway
Tip: Alt+. in bash inserts the last argument of the previous command, which saves retyping the long ifcfg path.
1) vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
NM_CONTROLLED="no"
ONBOOT="yes"
BOOTPROTO="static"
IPADDR=192.168.1.1
NETMASK=255.255.255.0
2) cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth1
3) vim /etc/sysconfig/network-scripts/ifcfg-eth1 (remove the IPADDR and NETMASK lines copied from eth0)
DEVICE="eth1"
NM_CONTROLLED="no"
ONBOOT="yes"
BOOTPROTO="dhcp"
/etc/init.d/iptables stop
/etc/init.d/network restart
4) vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
5) sysctl -p
6) iptables -t nat -I PREROUTING -d 192.168.10.231 -p tcp --dport 2333 -j DNAT --to-destination 192.168.1.10:22    // 192.168.10.231 is the gateway's bridged (eth1) address; TCP port 2333 on it is forwarded to SSH (port 22) on 192.168.1.10
3. Test
From the public network: ssh <user>@192.168.10.231 -p 2333    // <user> is an account on the intranet server
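To show what the two rules above do to a packet in each direction, including the reverse mapping that connection tracking applies to the replies (which the notes do not spell out), here is a small Python model added as an illustration; it is not part of the original notes. It uses the addresses from the labs, plus a constructed Internet client 203.0.113.5, and assumes the FORWARD chain accepts the traffic, as it does after the iptables service was stopped.

```python
from ipaddress import ip_address, ip_network

# Gateway settings taken from the notes above.
INTRANET = ip_network("192.168.1.0/24")           # -s 192.168.1.0/24
SNAT_SOURCE = "192.168.10.34"                     # SNAT --to-source
DNAT_PUBLIC = ("192.168.10.231", 2333)            # -d ... -p tcp --dport 2333
DNAT_TARGET = ("192.168.1.10", 22)                # DNAT --to-destination

# Connection-tracking table: translated reply tuple -> un-NATed reply tuple.
# Packets are modelled as (src, sport, dst, dport) tuples; TCP only.
conntrack = {}

def forward(pkt, ip_forward=True):
    """NAT the first packet of a new flow crossing the gateway.

    Returns the rewritten tuple, or None when routing is disabled
    (net.ipv4.ip_forward = 0 means the gateway will not forward at all).
    The model assumes the filter table's FORWARD chain accepts the flow,
    as it does in the lab where the iptables service was stopped.
    """
    if not ip_forward:
        return None
    src, sport, dst, dport = pkt
    # PREROUTING: DNAT public IP:2333 to the intranet SSH server.
    if (dst, dport) == DNAT_PUBLIC:
        dst, dport = DNAT_TARGET
    # POSTROUTING: SNAT anything leaving the intranet to the public address.
    # (Real SNAT may also pick a new source port if the original collides.)
    if ip_address(src) in INTRANET:
        src = SNAT_SOURCE
    # Record how the reply will arrive and what it must be rewritten to:
    # the reply's destination becomes the original source, and its source
    # becomes the original destination.
    conntrack[(dst, dport, src, sport)] = (pkt[2], pkt[3], pkt[0], pkt[1])
    return (src, sport, dst, dport)

def reply(pkt):
    """Un-NAT a reply packet; packets of unknown flows are left unchanged."""
    return conntrack.get(pkt, pkt)

if __name__ == "__main__":
    # Constructed Internet client 203.0.113.5:40000 reaching the published port.
    print(forward(("203.0.113.5", 40000, "192.168.10.231", 2333)))
    print(reply(("192.168.1.10", 22, "203.0.113.5", 40000)))
    # Intranet server querying the DNS server configured in the notes.
    print(forward(("192.168.1.10", 51000, "114.114.114.114", 53)))
    print(reply(("114.114.114.114", 53, "192.168.10.34", 51000)))
```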