MASQUERADE is also a form of source address translation, but instead of a fixed address the firewall automatically uses whatever public IP address the outgoing interface currently holds, so it adapts when that address changes (dial-up or DHCP links).
If the outgoing interface is given as ppp+, the rule matches ppp0, ppp1, ... that is, any available dial-up connection.
If you need a demo, you can overwrite the previous SNAT example with the following (the interface is still eth0 because there is no ADSL connection):
Execute "iptables -t nat -F" to empty the NAT table first
Add the rule "iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE"
The basic steps for applying a DNAT policy, together with the related actions, are explained below.
It is also worth emphasizing that the external-network test host does not need to set its default gateway to the IP address of the Linux gateway host.
To confirm the routing (IP forwarding) setting, run sysctl and check the value:
# sysctl -a | grep "ip_forward"
net.ipv4.ip_forward = 1
Run "elinks http://218.29.30.29" or "lynx http://218.29.30.29" to test
# tail -f /var/log/httpd/access_log
218.29.30.29 - - [04/Jun/2009:14:35:53 +0800] "GET / HTTP/1.1" - "" "ELinks/0.11.1 (textmode; Linux; 80x25-2)"
NAT translation
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j SNAT --to-source 218.29.30.31
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
# sysctl -a | grep "ip_forward"
net.ipv4.ip_forward = 1
iptables -t nat -A PREROUTING -i eth0 -d 218.29.30.31 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.6
# iptables -t nat -A PREROUTING -i eth0 -d 218.29.30.31 -p tcp --dport 2222 -j DNAT --to-destination 192.168.1.5:22
--------------------------Understanding ESTABLISHED
VM1
# iptables -P INPUT DROP
ping 192.168.56.201
ssh 192.168.56.201
Both fail
# iptables -A INPUT -p all -m state --state ESTABLISHED -j ACCEPT
ping 192.168.56.201
ssh 192.168.56.201
Both succeed
VM2 has its firewall turned off.
The reply packets now pass back through VM1's firewall in the reverse direction because they belong to an ESTABLISHED connection.
traceroute 192.168.56.201 fails; the reason is explained below.
--------------------------Understanding RELATED
VM1
# iptables -P INPUT DROP
# iptables -F
# iptables -A INPUT -p all -m state --state RELATED -j ACCEPT
traceroute 192.168.56.201 succeeds. The other packets generated in response to the first packet (here the ICMP error replies to the probes) belong to the RELATED state.
--------------------------Understanding NEW
VM1
The OUTPUT default policy is DROP; the other policies are ACCEPT
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT DROP
# iptables -F
ping 192.168.56.201
ssh 192.168.56.201
Both fail
# iptables -A OUTPUT -p all -m state --state ESTABLISHED,NEW -j ACCEPT
--------------------------Understanding INVALID
INVALID packets require special tools to produce, so only the usual rule is given here.
It is usually placed as the first rule of the INPUT chain.
# iptables -A INPUT -p all -m state --state INVALID -j DROP
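The four state experiments above all rely on two things the notes never state outright: the first matching rule wins, and a packet that matches no rule gets the chain's policy. The following added example (written for this page, not taken from the original notes) is a small POSIX shell evaluator over rules written as `chain state-list target`; it walks a constructed ruleset in iptables order and returns the verdict for a packet in each conntrack state, reproducing the ESTABLISHED, RELATED, NEW and INVALID outcomes above, and it includes a second ruleset with the ordering mistake that makes the INVALID drop unreachable. The rulesets, the chain policies and the `decide` function are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original notes): a first-match evaluator for
# state-based rules, to show why rule order and the chain policy decide the
# fate of packets in each conntrack state.
#
# Rule format, one per line, in the order iptables would hold them:
#   <chain> <state-list | any> <target>
# A packet is described by its chain and conntrack state only, which is all
# the experiments on this page vary.

# Constructed ruleset that the experiments converge on:
#  - INVALID is dropped first, as the notes recommend
#  - ESTABLISHED,RELATED is accepted (lets ping/ssh replies and the ICMP
#    errors that make traceroute work back in)
#  - NEW is accepted on OUTPUT (VM1 may start connections) but not on INPUT
GOOD_RULES='
INPUT INVALID DROP
INPUT ESTABLISHED,RELATED ACCEPT
OUTPUT INVALID DROP
OUTPUT NEW,ESTABLISHED,RELATED ACCEPT
'

# Constructed ruleset with the ordering mistake: a catch-all accept placed
# before the INVALID drop, so the drop is never reached.
BAD_RULES='
INPUT any ACCEPT
INPUT INVALID DROP
'

# Chain policies (the experiments set INPUT or OUTPUT to DROP).
policy_of() {
  case "$1" in
    INPUT|OUTPUT|FORWARD) echo DROP ;;
    *) echo ACCEPT ;;
  esac
}

# state_matches LIST STATE: true if STATE is in the comma-separated LIST,
# or if LIST is "any" (a rule without -m state).
state_matches() {
  [ "$1" = any ] && return 0
  case ",$1," in
    *",$2,"*) return 0 ;;
  esac
  return 1
}

# decide RULESET CHAIN STATE: prints the verdict. The first rule in CHAIN
# whose state list contains STATE wins; otherwise the chain policy applies.
decide() {
  rules=$1; chain=$2; state=$3
  verdict=$(printf '%s\n' "$rules" | while read -r c states target; do
    [ -n "$c" ] || continue
    [ "$c" = "$chain" ] || continue
    if state_matches "$states" "$state"; then
      printf '%s\n' "$target"
      break
    fi
  done)
  if [ -n "$verdict" ]; then
    printf '%s\n' "$verdict"
  else
    policy_of "$chain"
  fi
}

# Stand-alone run: table of verdicts for the good ruleset.
for chain in INPUT OUTPUT; do
  for state in NEW ESTABLISHED RELATED INVALID; do
    printf '%-7s %-12s -> %s\n' "$chain" "$state" "$(decide "$GOOD_RULES" "$chain" "$state")"
  done
done
```

With `GOOD_RULES`, INPUT accepts ESTABLISHED and RELATED and drops NEW and INVALID by policy or rule, which is exactly what made ssh, ping and traceroute replies succeed while unsolicited connections fail; with `BAD_RULES`, the catch-all accept returns ACCEPT for INVALID before the drop rule is ever consulted, which is why the notes put the INVALID drop first.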
--------------------------SNAT: intranet access to the extranet
Extranet host          Gateway Firewall                           Intranet PC1
10.0.100               eth0 10.0.1.200  |  eth1 192.168.56.200    192.168.56.202
Intranet: yum install elinks lynx -y
Gateway firewall
# iptables -t nat -A POSTROUTING -s 192.168.56.202 -o eth0 -j SNAT --to-source 10.0.1.200
External network: httpd
# tailf /var/log/httpd/access_log
--------------------------DNAT: publishing an internal port externally
Extranet: yum install elinks lynx -y
Gateway firewall:
# iptables -t nat -A PREROUTING -i eth0 -d 10.0.1.200 -p tcp --dport 2345 -j DNAT --to-destination 192.168.56.202:80
Intranet: httpd
# tailf /var/log/httpd/access_log
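As an added example covering both the NAT command lists earlier on the page and the SNAT/DNAT lab here (illustration code written for this page, not the original notes' own commands), the following POSIX shell script generates the gateway's NAT rules in iptables-restore format and adds the two checks the lab takes for granted: net.ipv4.ip_forward must be 1, and when the FORWARD policy is DROP each DNAT needs a FORWARD rule that matches the rewritten destination, not the public one. The function names, the ruleset builder and the file-path parameter of `ip_forward_enabled` are assumptions of the example; the addresses follow the lab's topology, with the LAN widened to 192.168.56.0/24.

```shell
#!/bin/sh
# Added example (not from the original notes): build the NAT part of the
# gateway configuration in iptables-restore format, and check the two things
# the lab takes for granted (ip_forward, and FORWARD rules for DNAT targets).

# postrouting_rule LAN OUT_IFACE [PUBLIC_IP]
# A fixed public address gives SNAT; no address (dynamic interface such as
# ppp+ or DHCP) gives MASQUERADE, which uses the interface's current address.
postrouting_rule() {
  lan=$1; oif=$2; pub=${3:-}
  if [ -n "$pub" ]; then
    printf '%s\n' "-A POSTROUTING -s $lan -o $oif -j SNAT --to-source $pub"
  else
    printf '%s\n' "-A POSTROUTING -s $lan -o $oif -j MASQUERADE"
  fi
}

# dnat_rule IN_IFACE PUBLIC_IP PUBLIC_PORT DEST_IP[:DEST_PORT]
# Rejects a non-numeric port instead of emitting a rule iptables would refuse.
dnat_rule() {
  iif=$1; pub=$2; port=$3; dest=$4
  case "$port" in
    ''|*[!0-9]*) echo "dnat_rule: bad port '$port'" >&2; return 1 ;;
  esac
  printf '%s\n' "-A PREROUTING -i $iif -d $pub -p tcp --dport $port -j DNAT --to-destination $dest"
}

# forward_rule IN_IFACE DEST_IP[:DEST_PORT] PUBLIC_PORT
# DNAT happens in PREROUTING, so the filter FORWARD chain sees the packet
# with the internal address and the internal port (or the public port when
# --to-destination gave no port). The rule must match those values.
forward_rule() {
  iif=$1; dest=$2; port=$3
  case "$dest" in
    *:*) ip=${dest%%:*}; dport=${dest##*:} ;;
    *)   ip=$dest; dport=$port ;;
  esac
  printf '%s\n' "-A FORWARD -i $iif -d $ip -p tcp --dport $dport -m state --state NEW -j ACCEPT"
}

# ip_forward_enabled [FILE]: succeeds when the sysctl file contains 1.
# The path is a parameter so the check can run against a constructed file.
ip_forward_enabled() {
  f=${1:-/proc/sys/net/ipv4/ip_forward}
  [ -r "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = 1 ]
}

# build_ruleset: the SNAT/DNAT lab on this page (LAN 192.168.56.0/24 behind
# eth0 10.0.1.200; public port 2345 published to PC1 192.168.56.202:80).
# Feed the output to "iptables-restore --test" before applying it.
build_ruleset() {
  echo '*nat'
  postrouting_rule 192.168.56.0/24 eth0 10.0.1.200
  dnat_rule eth0 10.0.1.200 2345 192.168.56.202:80
  echo 'COMMIT'
  echo '*filter'
  echo ':FORWARD DROP [0:0]'
  echo '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
  echo '-A FORWARD -s 192.168.56.0/24 -o eth0 -m state --state NEW -j ACCEPT'
  forward_rule eth0 192.168.56.202:80 2345
  echo 'COMMIT'
}

# Stand-alone run: print the ruleset and warn if forwarding is off.
build_ruleset
ip_forward_enabled || echo 'warning: net.ipv4.ip_forward is not 1' >&2
```

Swapping the third argument of `postrouting_rule` for nothing turns the SNAT rule into the MASQUERADE rule used for the ppp0 case earlier on the page, and `forward_rule` shows the detail that trips people up after a DNAT with a port rewrite: the FORWARD match is on port 80 at 192.168.56.202, not on the public port 2345.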
Kernel module storage location
# ls /lib/modules/2.6.32-431.el6.x86_64/kernel/net/ipv4/netfilter/    # IPv4 support
# ls /lib/modules/2.6.32-431.el6.x86_64/kernel/net/ipv6/netfilter/    # IPv6 support
# ls /lib/modules/2.6.32-431.el6.x86_64/kernel/net/netfilter/         # support for both
lsmod shows the currently loaded modules
Iptables (2)