Linux NAT forwarding and internal port mapping (iptables and firewall-cmd)
Dual NIC:

Host (gateway)
  eth0: 114.114.114.114 (public IP)
  eth1: 192.168.1.1 (intranet IP)
pc1
  eth0: 192.168.1.2 (intranet IP)
  eth1: dial-up IP
pc2
  eth0: 192.168.1.3 (intranet IP)
  eth1: dial-up IP
1. Configure the NIC information of the host machine

vim /etc/sysconfig/network-scripts/ifcfg-eth1

TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=eth1
UUID=85290fec-9166-4a02-90c3-711bf55d1ae2
DEVICE=eth1
ONBOOT=yes
HWADDR=00:0c:29:27:64:b8
IPADDR=192.168.1.1

Only the IP address is configured on this NIC; no GATEWAY is set, so the host's default route stays on eth0 (the public side).
2. Configure the pc1 NIC

vim /etc/sysconfig/network-scripts/ifcfg-eth0

TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=eth0
UUID=d79660a0-4225-4f0e-96b1-4d61fc05a17c
DEVICE=eth0
ONBOOT=yes
HWADDR=00:0c:29:97:6a:4b
IPADDR=192.168.1.2
NETMASK=255.255.255.0
GATEWAY=192.168.1.1

Configure pc2 the same way (with its own address, 192.168.1.3) and make sure both PCs can ping the gateway and each other.

At this point pc1 and pc2 still cannot reach the Internet; the host needs iptables NAT rules.
1. Check whether IP forwarding is enabled on the host

cat /proc/sys/net/ipv4/ip_forward

If it returns 1, forwarding is already enabled. If it returns 0:

echo "1" > /proc/sys/net/ipv4/ip_forward

This takes effect immediately but is lost after a reboot; to make it persistent, add it to the configuration file.
vim /etc/sysctl.conf

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536        # maximum number of bytes in a message queue
kernel.msgmax = 65536        # maximum size of a single message
kernel.shmmax = 68719476736  # maximum size of a single shared memory segment
kernel.shmall = 4294967296   # total number of shared memory pages

Only net.ipv4.ip_forward = 1 is needed for NAT; the other lines are the defaults that already ship in this file.
iptables NAT forwarding rules

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to 114.114.114.114

SNAT: rewrite the source address of traffic from 192.168.1.0/24 leaving via eth0 to the host's (static) public IP.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

MASQUERADE: rewrite the source address of all traffic leaving via eth0 to whatever address eth0 currently holds (for a dynamic public IP). Use one of the two, depending on whether the public IP is static or dynamic.

Now both PCs can access the Internet. If not, check the DNS configuration on the PCs.
Internal port mapping

iptables -t nat -A PREROUTING -d 114.114.114.114/32 -p tcp -m tcp --dport 26688 -j DNAT --to-destination 192.168.1.2:22

This maps port 22 (SSH) of 192.168.1.2 to external port 26688 on the public IP. From a machine on the Internet, connecting to port 26688 of 114.114.114.114 reaches pc1 directly.

To delete the rule, change -A to -D:

iptables -t nat -D PREROUTING -d 114.114.114.114/32 -p tcp -m tcp --dport 26688 -j DNAT --to-destination 192.168.1.2:22

The mapping is then no longer in effect.

Finally, save the iptables configuration so it survives a reboot. iptables-save on its own only prints the running rules to stdout, so redirect its output into the file the CentOS iptables service loads at boot:

/usr/sbin/iptables-save > /etc/sysconfig/iptables
However, when pc1 is also connected via dial-up, the port mapping fails. As with the default-route problem on a dual-NIC machine, pc1's replies to connections that arrived through the host follow pc1's default route, which is the dial-up interface, so they never come back through the gateway. The fix is to masquerade on the intranet side as well: the host rewrites the source address of the traffic it forwards into the intranet to its own gateway address (192.168.1.1), so pc1 answers the gateway and the reply returns the same way.

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
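After the rules above are saved, a defender will want to know exactly which internal services the nat table exposes and whether the LAN's egress SNAT/MASQUERADE rule is in place. The following added script (not part of the original post) parses an iptables-save style dump into an inventory; the dump it reads is a constructed sample mirroring the dual-NIC setup, and `parse_rules`, `dnat_exposures` and `lan_has_egress_nat` are names chosen here.

```python
from ipaddress import ip_network

# Constructed sample of `iptables-save -t nat` output; not captured from a real host.
SAMPLE_DUMP = """\
*nat
-A PREROUTING -d 114.114.114.114/32 -p tcp -m tcp --dport 26688 -j DNAT --to-destination 192.168.1.2:22
-A PREROUTING -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.3:80
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 114.114.114.114
COMMIT
"""

def parse_rules(dump):
    """Turn each '-A CHAIN ...' line into a dict of option -> value; '!' marks a negated match."""
    rules = []
    for line in dump.splitlines():
        if not line.startswith("-A "):
            continue
        toks = line.split()
        rule, i = {"chain": toks[1]}, 2
        while i < len(toks):
            key = toks[i]
            if key == "!": i, key = i + 1, "!" + toks[i + 1]   # e.g. '! -d 10.0.0.0/8'
            if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                rule[key], i = toks[i + 1], i + 2
            else:
                rule[key], i = True, i + 1      # flag without a value
        rules.append(rule)
    return rules

def dnat_exposures(rules):
    """(public dst, proto, public port, internal host, internal port) per DNAT rule; dst 'any' means not pinned to the public IP."""
    out = []
    for r in rules:
        if r["chain"] == "PREROUTING" and r.get("-j") == "DNAT":
            host, _, port = r["--to-destination"].partition(":")
            out.append((r.get("-d", "any"), r.get("-p", "any"), r.get("--dport", "any"),
                        host, port or r.get("--dport", "same")))
    return out

def lan_has_egress_nat(rules, lan, wan_if):
    """True if a POSTROUTING SNAT/MASQUERADE rule leaving wan_if covers the LAN range."""
    net = ip_network(lan)
    for r in rules:
        if r["chain"] != "POSTROUTING" or r.get("-j") not in ("SNAT", "MASQUERADE"):
            continue
        if r.get("-o", wan_if) != wan_if:       # no -o means it applies to every interface
            continue
        src = r.get("-s")
        if src is None or ip_network(src, strict=False).supernet_of(net):
            return True
    return False
```

The second sample rule has no `-d` match, so it is reported with destination `any`: it applies to traffic arriving on every interface, not only to the public address, which is worth noticing in an audit.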
Single NIC:

The following uses CentOS as an example to describe the configuration of a single-NIC NAT proxy.

First add the eth0:0 alias interface. Create the file /etc/sysconfig/network-scripts/ifcfg-eth0:0 with the following content:

DEVICE=eth0:0
IPADDR=192.168.164.100
NETMASK=255.255.255.0
ONBOOT=yes
BOOTPROTO=static

Here 192.168.164.100 is the IP address of the intranet proxy gateway. Save the file and restart the network with: service network restart. Then run ifconfig; the network configuration should show eth0 with 211.69.198.191 (the Internet IP) and eth0:0 with 192.168.164.100 (the intranet IP). Replace these two addresses to match your own setup.

Note the ordering: the Internet IP address must be on eth0 and the intranet IP address on the eth0:0 alias.
Also keep a single default route, on the Internet NIC (check with the route command).

Run the following commands:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -F -t nat
iptables -P FORWARD DROP
iptables -A FORWARD -s 192.168.164.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.164.0/24 -j SNAT --to 211.69.198.191

With the FORWARD policy set to DROP, only connections originating from 192.168.164.0/24 and the replies to them are forwarded. On another host, configure IP 192.168.164.114, netmask 255.255.255.0 and gateway 192.168.164.100, as shown in the figure. That host can then reach the Internet through the NAT proxy just configured.
firewall-cmd port forwarding:

NAT forwarding (soft router)

Once NAT forwarding is enabled, as long as the local machine itself can reach the Internet, whether it has a single NIC or several, other machines in the LAN can set their default gateway to the IP address of the server with NAT forwarding enabled and reach the Internet through it.

# Enable NAT forwarding
firewall-cmd --permanent --zone=public --add-masquerade
# Open UDP port 53 used by DNS; required, otherwise other machines cannot resolve domain names
firewall-cmd --permanent --zone=public --add-port=53/udp
# Check whether NAT forwarding (masquerading) is enabled
firewall-cmd --query-masquerade
# Disable NAT forwarding
firewall-cmd --remove-masquerade
Port forwarding

Port forwarding redirects traffic that arrives for a given port to a specified port of a specified address. If no destination address (toaddr) is given, the local host is used; if an address is given but no destination port (toport), the original port is kept. Forwarding to another host also requires masquerading to be enabled in the zone.

# Forward traffic arriving on port 80 to local port 8080
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080
# Forward traffic arriving on port 80 to port 80 of 192.168.0.1
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1
# Forward traffic arriving on port 80 to port 8080 of 192.168.0.1
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1:toport=8080
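To make the forward-port syntax and its defaults concrete, here is an added example (not firewalld's code or the original post's) that validates a `--add-forward-port` specification, fills in the defaults described above, and emits the equivalent iptables nat PREROUTING rule from the first half of the page; `parse_forward_port` and `to_iptables` are names chosen here, and the public IP is passed in by the caller.

```python
FIELDS = ("port", "proto", "toport", "toaddr")

def parse_forward_port(spec):
    """'port=80:proto=tcp:toaddr=192.168.0.1:toport=8080' -> dict with defaults applied.
    Rejects unknown, duplicated or malformed fields (e.g. a second 'proto=')."""
    fwd = {}
    for item in spec.split(":"):
        key, sep, value = item.partition("=")
        if not sep or key not in FIELDS or key in fwd or not value:
            raise ValueError(f"bad forward-port field: {item!r}")
        fwd[key] = value
    if "port" not in fwd or "proto" not in fwd:
        raise ValueError("port= and proto= are required")
    if fwd["proto"] not in ("tcp", "udp", "sctp", "dccp"):
        raise ValueError(f"unsupported protocol {fwd['proto']!r}")
    fwd.setdefault("toport", fwd["port"])   # no toport: keep the original port
    fwd.setdefault("toaddr", None)          # no toaddr: forward on the local host
    return fwd

def to_iptables(fwd, public_ip):
    """Equivalent nat PREROUTING rule and whether masquerading is also needed.
    A port range 'a-b' is written 'a:b' for --dport; REDIRECT/DNAT keep the 'a-b' form."""
    base = (f"iptables -t nat -A PREROUTING -d {public_ip}/32 -p {fwd['proto']}"
            f" --dport {fwd['port'].replace('-', ':')}")
    if fwd["toaddr"] is None:
        # local forwarding: REDIRECT to the destination port on this host
        return base + f" -j REDIRECT --to-ports {fwd['toport']}", False
    # forwarding to another host: DNAT, and the zone must masquerade for replies to return
    return base + f" -j DNAT --to-destination {fwd['toaddr']}:{fwd['toport']}", True
```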
Control port/service:

firewall-cmd --add-service=mysql      # open the mysql service port
firewall-cmd --remove-service=http    # close the http service port
firewall-cmd --list-services          # list open services
firewall-cmd --add-port=3306/tcp      # open port 3306 over tcp
firewall-cmd --remove-port=80/tcp     # close port 80 over tcp
firewall-cmd --add-port=233/udp       # open port 233 over udp
firewall-cmd --list-ports             # list open ports
IP masquerading:

firewall-cmd --query-masquerade       # check whether masquerading is enabled
firewall-cmd --add-masquerade         # enable masquerading
firewall-cmd --remove-masquerade      # disable masquerading
Port forwarding:

firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080                       # forward port 80 to local port 8080
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1                # forward port 80 to port 80 of 192.168.0.1
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.1:toport=8080    # forward port 80 to port 8080 of 192.168.0.1