In the previous articles we covered the table and chain structure of the Linux firewall and learned to write simple firewall rules. Next we add the SNAT (source address translation) and DNAT (destination address translation) policies of the Linux firewall; being familiar with their purpose and usage is the basis for mastering the firewall. We begin with:
Recommended reading:
Iptables: packet filtering (network layer) firewall
Linux Firewall iptables
Iptables + L7 + Squid implements a complete software firewall
Basic use of iptables backup, recovery, and firewall scripts
Detailed description of firewall iptables usage rules in Linux
SNAT policy overview:
Typical application environment of SNAT policies
LAN hosts share a single public IP address to access the Internet
Principle of the SNAT policy:
Source Network Address Translation (SNAT) is an address translation operation of the Linux firewall. It is also a packet control type (target) in the iptables command: it modifies the source IP address of a packet that matches the specified conditions.
Tutorial environment topology:
Experiment Analysis:
A: Only route forwarding is enabled, with no address translation:
Analysis:
The source IP address of a packet that a LAN PC sends to the Internet remains unchanged after the gateway forwards it;
When a host on the Internet receives such a request packet, the response packet cannot be returned correctly (the private source address is not routable on the Internet), so the access fails.
B: Route forwarding is enabled and SNAT translation is configured:
Analysis:
When packets from a LAN PC accessing the Internet arrive at the gateway server, a route is selected first;
If the packet is to be forwarded out of the Internet interface eth0, its source IP address 192.168.10.2 is changed to the gateway's Internet interface address 210.106.46.151, and the packet is then sent on to the target host.
Advantages of this access method:
Servers on the Internet do not learn the actual IP address of the LAN PC; the translation in between is performed entirely by the gateway host, which protects the internal network.
SNAT policy application:
Prerequisites:
Correctly set the IP address/subnet mask for each host in the LAN
Correctly set the default gateway address for each LAN host
Linux gateway supports IP route forwarding
Implementation Method:
Write the SNAT translation rules
SNAT Internet access by sharing a fixed IP Address:
Lab Environment Description:
The Linux gateway server has two NICs: eth0 (210.106.46.151) connects to the Internet, eth1 (192.168.10.1) connects to the LAN, and IP routing is enabled.
The default gateway of the LAN PC is 192.168.10.1 and a correct DNS server is configured.
Create one client on the intranet and one on the Internet side, each with the corresponding gateway address; enable the httpd service on the Internet-side client, access that httpd service from the intranet client, and then view the httpd access log on the Internet-side host.
Requirement: PCs in the 192.168.10.0/24 segment can access the Internet normally through the shared address.
Tutorial steps:
1: Enable route forwarding on the gateway (IP forwarding is the key to implementing the routing function):
There are two ways to enable route forwarding:
Permanent enable (modify the ip_forward setting; in the /proc file system a value of 1 means enabled and 0 means disabled):
Temporary enable (takes effect immediately but does not survive a reboot):
2: Set the SNAT policy (to keep the SNAT policy in effect permanently, write the command into rc.local):
[root@localhost ~]# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth0 -j SNAT --to-source 210.106.46.151
3: Test the SNAT shared access result:
After the above steps are completed, a LAN PC can access websites on the Internet.
On the website server that was accessed, the log file records the access as coming from the gateway host 210.106.46.151.
Share a dynamic IP address to access the Internet:
MASQUERADE (address masquerading)
Applicable when the Internet IP address is not fixed
For ADSL dial-up connections, the interfaces are usually ppp0, ppp1, and so on
Replace the SNAT target in the rule with MASQUERADE.
Example:
[root@localhost ~]# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o ppp0 -j MASQUERADE
If the gateway uses a fixed public IP address, we recommend the SNAT policy rather than MASQUERADE, to avoid the unnecessary system overhead of looking up the interface address for every packet.
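The following gateway script ties together step 1 (IP forwarding), step 2 (the POSTROUTING rule, choosing SNAT for a fixed address and MASQUERADE for a dial-up one) and, as a defensive addition, a FORWARD policy that relays only the LAN segment. It is an added example, not the article's own script; it assumes the article's eth0/eth1 layout and addresses, and that the distribution reads /etc/sysctl.d at boot. Run it as root with APPLY=1, or with DRY_RUN=1 to preview the commands.

```bash
#!/bin/sh
# Linux NAT gateway setup: added example, not the article's own script.
# Assumes the article's layout: eth1 = LAN 192.168.10.0/24, eth0 = Internet
# with fixed address 210.106.46.151. Export PUB_IP= (empty) and WAN_IF=ppp0
# for a dial-up link, which then gets MASQUERADE instead of SNAT.
LAN_NET=${LAN_NET-192.168.10.0/24}
LAN_IF=${LAN_IF-eth1}
WAN_IF=${WAN_IF-eth0}
PUB_IP=${PUB_IP-210.106.46.151}

# With DRY_RUN=1 every command is printed instead of executed (no root needed).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: IP forwarding, now (via /proc) and across reboots (assumes the
# distribution reads /etc/sysctl.d at boot).
enable_forwarding() {
  run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
  run sh -c 'echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/99-ip-forward.conf'
}

# Step 2: the POSTROUTING rule. A fixed public IP gets SNAT --to-source;
# no fixed IP means the address may change, so MASQUERADE is used instead.
nat_rule() {
  if [ -n "$PUB_IP" ]; then
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$PUB_IP"
  else
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
  fi
}

# Defensive addition beyond the article: forward only the LAN segment outwards
# and only established/related replies inwards, so the gateway relays for no one else.
forward_policy() {
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
  run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Apply with APPLY=1 as root, or preview with DRY_RUN=1; otherwise only define.
if [ "${APPLY:-0}" = 1 ] || [ "${DRY_RUN:-0}" = 1 ]; then
  enable_forwarding
  nat_rule
  forward_policy
fi
```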