Linux implements NAT forwarding and internal port mapping, linuxnat

Source: Internet
Author: User

NAT forwarding and internal port mapping in Linux

Dual NIC:

Host
  eth0: 114.114.114.114 (public IP)
  eth1: 192.168.1.1 (intranet IP)

pc1
  eth0: 192.168.1.2 (intranet IP)
  eth1: (dial-up IP)

pc2
  eth0: 192.168.1.3 (intranet IP)
  eth1: (dial-up IP)

1. Configure the NIC information of the host machine

vim /etc/sysconfig/network-scripts/ifcfg-eth1

TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=eth1
UUID=85290fec-9166-4a02-90c3-711bf55d1ae2
DEVICE=eth1
ONBOOT=yes
HWADDR=00:0c:29:27:64:b8
IPADDR=192.168.1.1

Only the IP address is configured for this NIC; no gateway is configured.

2. Configure the pc1 Nic

vim /etc/sysconfig/network-scripts/ifcfg-eth0

TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=eth0
UUID=d79660a0-4225-4f0e-96b1-4d61fc05a17c
DEVICE=eth0
ONBOOT=yes
HWADDR=00:0c:29:97:6a:4b
IPADDR=192.168.1.2
NETMASK=255.255.255.0
GATEWAY=192.168.1.1

Configure pc2 the same way as pc1 (with its own address, 192.168.1.3), then make sure that both PCs and the gateway can ping each other.

At this point pc1 and pc2 still cannot access the Internet; the host needs iptables rules for that.

1. Check whether IP forwarding is enabled on the host

cat /proc/sys/net/ipv4/ip_forward

If 1 is returned, forwarding is already enabled.

If 0 is returned:

echo "1" > /proc/sys/net/ipv4/ip_forward

This takes effect immediately but is lost after a reboot. To make it permanent, add it to the configuration file:

vim /etc/sysctl.conf

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
# maximum number of bytes in each message queue
kernel.msgmnb = 65536
# maximum size of each message
kernel.msgmax = 65536
# maximum size of a single shared memory segment
kernel.shmmax = 68719476736
# total number of shared memory pages
kernel.shmall = 4294967296

iptables rules for NAT forwarding

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to 114.114.114.114

Translates the source address of the 192.168.1.0/24 range to the host's public IP address (static variant).

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Translates the source address of all ranges leaving eth0 to the host's public IP address (dynamic variant).
Now both PCs can access the Internet. If not, check the DNS configuration.

Internal port mapping

iptables -t nat -A PREROUTING -d 114.114.114.114/32 -p tcp -m tcp --dport 26688 -j DNAT --to-destination 192.168.1.2:22

Maps port 22 of 192.168.1.2 to external port 26688.
From a machine on the Internet, connect to port 26688 of 114.114.114.114 and you reach pc1 directly.

Delete rule: change -A to -D.

iptables -t nat -D PREROUTING -d 114.114.114.114/32 -p tcp -m tcp --dport 26688 -j DNAT --to-destination 192.168.1.2:22

The mapping is then no longer in effect.

Finally, save the iptables configuration.

/usr/sbin/iptables-save

Note that iptables-save only prints the current rule set; redirect its output to the file your distribution restores at boot (/etc/sysconfig/iptables on CentOS), otherwise the rules are gone after the next restart.

However, when pc1 itself dials up, the port mapping also fails. As with the default-route problem of the dual-NIC host, pc1 sends the replies to connections that arrived through the host out of its dial-up interface by default. The fix is to masquerade the traffic the host forwards into the intranet, so that from pc1's point of view the connection comes from the gateway address and the replies go back to the gateway:

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
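The dual-NIC procedure above (enable forwarding, SNAT or MASQUERADE outbound traffic, DNAT the mapped port, save) as one script. This is an added example, not code from the original article: the interface names, addresses and the 26688 to 192.168.1.2:22 mapping are the article's, while the variable names, the DRY_RUN mode, the ensure_rule helper and the per-port FORWARD rules are assumptions of this example. It adds two things the article's one-off commands lack: re-running it never duplicates rules (each rule is checked with iptables -C before being appended), and the port mapping only opens the mapped port in the FORWARD chain rather than the whole intranet host.

```shell
#!/bin/sh
# Added example, not code from the original article: an idempotent, restart-safe
# version of the dual-NIC NAT and port-mapping setup. Interface names, addresses
# and the 26688 -> 192.168.1.2:22 mapping are the article's; the variable names,
# DRY_RUN mode and helper functions are assumptions of this example.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 executes them as root.

WAN_IF=${WAN_IF:-eth0}              # public interface
LAN_IF=${LAN_IF:-eth1}              # intranet interface
PUB_IP=${PUB_IP:-114.114.114.114}   # static public address (article's example)
LAN_NET=${LAN_NET:-192.168.1.0/24}
MASQ_TO_LAN=${MASQ_TO_LAN:-0}       # 1 = hide client addresses behind the gateway (dial-up case)
DRY_RUN=${DRY_RUN:-1}

# Port mappings, one per line: "<external port> <intranet host> <intranet port>"
# (constructed sample, the article's pc1 SSH mapping).
MAPPINGS="26688 192.168.1.2 22"

# run CMD...: print the command and execute it unless DRY_RUN=1
run() {
    echo "+ $*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# valid_mapping EXT IP PORT: succeeds only if EXT and PORT are ports 1-65535
# and IP looks like a dotted IPv4 address, so a typo never becomes a rule.
valid_mapping() {
    case "$1" in ''|*[!0-9]*) return 1;; esac
    case "$3" in ''|*[!0-9]*) return 1;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] && [ "$3" -ge 1 ] && [ "$3" -le 65535 ] || return 1
    echo "$2" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# ensure_rule TABLE CHAIN RULE...: append the rule only if it is not already present,
# so running the script a second time (or after a reboot) never duplicates rules.
ensure_rule() {
    table=$1; chain=$2; shift 2
    if [ "$DRY_RUN" = 1 ] || ! iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        run iptables -t "$table" -A "$chain" "$@"
    fi
}

configure_nat() {
    # 1. Enable forwarding now; persist it with "net.ipv4.ip_forward = 1" in /etc/sysctl.conf.
    run sysctl -w net.ipv4.ip_forward=1

    # 2. Outbound: rewrite intranet sources to the static public address (SNAT). With a
    #    dynamic public address use "-j MASQUERADE" instead of "-j SNAT --to-source ...".
    ensure_rule nat POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$PUB_IP"
    # FORWARD rules are harmless with the default ACCEPT policy and required when the
    # policy is DROP (as in the single-NIC section): replies, then intranet -> Internet.
    ensure_rule filter FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ensure_rule filter FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT

    # 3. Inbound port mappings: DNAT on the public address for packets arriving on the
    #    public interface, and allow only the mapped port through FORWARD.
    echo "$MAPPINGS" | while read -r ext ip port; do
        [ -n "$ext" ] || continue
        if ! valid_mapping "$ext" "$ip" "$port"; then
            echo "skipping malformed mapping: $ext $ip $port" >&2
            continue
        fi
        ensure_rule nat PREROUTING -i "$WAN_IF" -d "$PUB_IP/32" -p tcp --dport "$ext" \
            -j DNAT --to-destination "$ip:$port"
        ensure_rule filter FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$ip" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
        # The article's dial-up case: if the intranet host has its own default route, its
        # replies would leave that way. Masquerading the forwarded connection towards the
        # intranet host brings the reply back to the gateway, at the cost of the intranet
        # host seeing the gateway address instead of the real client address.
        if [ "$MASQ_TO_LAN" = 1 ]; then
            ensure_rule nat POSTROUTING -o "$LAN_IF" -d "$ip" -p tcp --dport "$port" -j MASQUERADE
        fi
    done

    # 4. Persist: iptables-save only prints the rule set, so write it where the boot
    #    script reads it (CentOS: /etc/sysconfig/iptables).
    run sh -c "iptables-save > /etc/sysconfig/iptables"
}

configure_nat
```

Run the script as-is to see the commands it would issue (DRY_RUN=1); run it with DRY_RUN=0 as root to apply them. MASQ_TO_LAN=1 adds the article's fix for an intranet host that has its own dial-up default route, restricted to the mapped ports; remember that pc1 then logs the gateway address rather than the real client address, which matters if you audit SSH logins on it.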

Single NIC:

The following uses CentOS as an example to describe the configuration of a single Nic NAT proxy.

First add the eth0:0 alias interface. Create the file /etc/sysconfig/network-scripts/ifcfg-eth0:0 with the following content:

DEVICE=eth0:0
IPADDR=192.168.164.100
NETMASK=255.255.255.0
ONBOOT=yes
BOOTPROTO=static

Here 192.168.164.100 is the IP address of the intranet proxy gateway. Save the file and run: service network restart, which restarts the network. Then run ifconfig; the network configuration should show eth0 with the IP address 211.69.198.191 (the Internet address) and eth0:0 with 192.168.164.100 (the intranet address). Readers should replace these two addresses according to their own situation.

When testing, the Internet IP address must be on eth0 and the intranet IP address must be on eth0:0.
Also set a single route entry on the Internet NIC (route).


Run the following commands:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -F -t nat
iptables -P FORWARD DROP
iptables -A FORWARD -s 192.168.164.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.164.0/24 -j SNAT --to 211.69.198.191

On another host, configure IP 192.168.164.114, netmask 255.255.255.0 and gateway 192.168.164.100, as shown in the figure. That host can now reach the Internet through the configured NAT proxy.
Port forwarding with firewall-cmd

NAT forwarding (soft router)

Once NAT forwarding is enabled, as long as the local machine can access the Internet, whether it has a single NIC or several, other machines in the LAN can access the Internet by setting their default gateway to the IP address of the server on which NAT forwarding is enabled.

# Enable NAT forwarding
firewall-cmd --permanent --zone=public --add-masquerade
# Open UDP port 53 used by DNS; required, otherwise other machines cannot resolve domain names
firewall-cmd --zone=public --add-port=53/udp --permanent
# Check whether NAT forwarding is enabled
firewall-cmd --query-masquerade
# Disable NAT forwarding
firewall-cmd --remove-masquerade

Rules added with --permanent only take effect after firewall-cmd --reload; rules added without it take effect immediately but are lost at the next reload.

Port forwarding

Port forwarding redirects traffic that arrives at a given port to a specified port of a specified address. If no destination address is given, the local host is used; if an address is given but no port, the original destination port is kept.

# forward traffic from port 80 to port 8080
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080
# forward traffic from port 80 to 192.168.0.1
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1
# forward traffic from port 80 to port 8080 of 192.168.0.1
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1:toport=8080
Control port/service:

firewall-cmd --add-service=mysql      # open the mysql service port
firewall-cmd --remove-service=http    # block the http port
firewall-cmd --list-services          # view open services
firewall-cmd --add-port=3306/tcp      # open TCP port 3306
firewall-cmd --remove-port=80/tcp     # block TCP port 80
firewall-cmd --add-port=233/udp       # open UDP port 233
firewall-cmd --list-ports             # view open ports

Whether to enable IP masquerading:
firewall-cmd --query-masquerade       # check whether IP masquerading is enabled
firewall-cmd --add-masquerade         # enable IP masquerading
firewall-cmd --remove-masquerade      # disable IP masquerading

Port forwarding:

firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080                          # forward traffic from port 80 to port 8080
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1                   # forward traffic from port 80 to 192.168.0.1
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1:toport=8080       # forward traffic from port 80 to port 8080 of 192.168.0.1
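The three forward-port forms above, as an added example that is not from the original article: a small script that builds the port=...:proto=...[:toport=...][:toaddr=...] argument, rejects rules that name neither a destination address nor a port, enables masquerading on the zone when forwarding to another address (firewalld needs it for that), and adds each rule to both the runtime and the permanent configuration so it survives a reload. The ZONE default, the DRY_RUN mode and the helper names are assumptions of this example; the forward-port syntax itself is firewalld's.

```shell
#!/bin/sh
# Added example, not code from the original article: build and apply firewalld
# port-forwarding rules. The forward-port syntax is firewalld's; ZONE, DRY_RUN and
# the helper names are assumptions of this example. DRY_RUN=1 (default) prints the
# firewall-cmd invocations instead of running them.

ZONE=${ZONE:-public}
DRY_RUN=${DRY_RUN:-1}

# run CMD...: print the command and execute it unless DRY_RUN=1
run() {
    echo "+ $*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# forward_spec PORT PROTO TOADDR TOPORT: print "port=..:proto=..[:toport=..][:toaddr=..]".
# An empty TOADDR means the local host and an empty TOPORT keeps the original port, as
# the article describes; with both empty the rule would do nothing, so it is rejected.
forward_spec() {
    port=$1; proto=$2; toaddr=$3; toport=$4
    case "$port" in ''|*[!0-9]*) return 1;; esac
    case "$proto" in tcp|udp|sctp|dccp) ;; *) return 1;; esac
    [ -n "$toaddr" ] || [ -n "$toport" ] || return 1
    spec="port=$port:proto=$proto"
    [ -z "$toport" ] || spec="$spec:toport=$toport"
    [ -z "$toaddr" ] || spec="$spec:toaddr=$toaddr"
    echo "$spec"
}

# add_forward PORT PROTO TOADDR TOPORT: add the rule to the running configuration and
# to the permanent one. Forwarding to another address requires masquerading on the zone,
# so it is enabled first when TOADDR is set (queried first outside dry-run mode).
add_forward() {
    spec=$(forward_spec "$@") || { echo "invalid forward rule: $*" >&2; return 1; }
    if [ -n "$3" ]; then
        if [ "$DRY_RUN" = 1 ] || ! firewall-cmd --zone="$ZONE" --query-masquerade >/dev/null 2>&1; then
            run firewall-cmd --zone="$ZONE" --add-masquerade
            run firewall-cmd --zone="$ZONE" --add-masquerade --permanent
        fi
    fi
    run firewall-cmd --zone="$ZONE" --add-forward-port="$spec"
    run firewall-cmd --zone="$ZONE" --add-forward-port="$spec" --permanent
}

# The three cases from the article, applied in dry-run mode when run as a script.
add_forward 80 tcp "" 8080
add_forward 80 tcp 192.168.0.1 ""
add_forward 80 tcp 192.168.0.1 8080
```

Because every rule is added twice, once live and once with --permanent, the forwarding works immediately and is still there after firewall-cmd --reload or a reboot; the article's commands without --permanent disappear at the first reload, which is a common source of "it worked yesterday" tickets.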
