Iptables shared Internet access (use of NAT tables)

Computer room intranet server no external network IP on the network how to do?

For example, the computer room has a B two servers, a has an external network IP address, b No external IP address, that b how to surf the net?

The idea is to point B's gateway to a server's intranet address, through a server proxy internet

Iptables's advanced application sharing Internet

Examples are as follows:

Gateway Server B:

Ech0 10.0.0.51 External network address with Superior Gateway

ECH1 172.16.1.51 intranet address does not match gateway

Intranet Server C:

Ech1 172.16.1.52 Gateway 172.16.1.51

Required conditions for Gateway Server B

1 physical condition is a dual network card, an intranet address, an external network address

2 Ensure that server Gateway B has access to the Internet

3 Kernel file/etc/sysctl.conf to turn on forwarding

Net.ipv4.ip_forward = 1

Sysctl-p #使修改生效

4 The forward chain of the Iptables filter table allows forwarding

The iptables default rule for the gateway server is preferably accept

Required conditions for Server C

1 The default gateway for Server C is the intranet address of Server B

Route-n

Route del default GW 172.16.1.8

Route-n

Route add default GW 172.16.1.51

A rule is provided on Gateway Server B to allow server C to surf the internet

Gateway Server B

1 Loading kernel modules

Modprobe Ip_tables

Modprobe Iptable_filter

Modprobe Iptable_nat

Modprobe Ip_conntrack

Modprobe ip_conntrack_ftp

Modprobe ip_nat_ftp

Modprobe ipt_state

2 Two command methods for LAN sharing:

(The implementation of the principle of the network address of server C into the gateway server's extranet address, equivalent to the packet arrives at Gateway B, and then from B, as if the packet is sent out of the same )

Method 1: Suitable for fixed extranet addresses:

Iptables-t nat-a postrouting-s 172.16.1.52-o eth0-j snat-to-source 10.0.0.51

-A postrouting because it is leaving the firewall to go to Gateway B server, so with postrouting chain

-S 172.16.1.52 Server C's intranet IP address, can be changed to network segment-S 172.16.1.0/24

-O eth0 Gateway Server B external NIC interface/writeable writable

-j Snat-to-source 10.0.0.51 Source address converted to Gateway Server B's external network card IP address

Ping 203.81.19.1 Test

Method 2: Suitable for the change of the external network address (ADSL)

Iptables-t nat-a postrouting-s 172.16.1.52-j Masquerade (camouflage)

I describe this process in words:

Assuming that the server C172.10.1.52 to visit Baidu 1.1.1.1 (assuming the address); First ARP intranet broadcast, no one responds after the gateway, to the gateway, because the source address translation, the Server C's intranet address replaced the gateway server's external network card address, so, Gateway server's external network card address can find Baidu's 1.1.1.1, so that Server C will be able to surf the internet

Address Resolution Protocol, which is ARP (Resolution Protocol), is based onIP AddressGetPhysical Addressof aTCP/IP protocol. Hostwhen the message is sent, the ARP request that contains the destination IP address is broadcast to all hosts on the network, and the return message is received to determine the physical address of the destination.

There is a question, the package is out, the package back how to find server C?

This article is from the "Youth Deng Yong" blog, please be sure to keep this source http://dengyong.blog.51cto.com/8409869/1853420

Iptables shared Internet access (use of NAT tables)