第1章 iptables实现共享上网
1.1 实现共享上网架构图规划
1.1.1 模拟企业上网拓扑结构
1.1.2 对应实际企业办公上网场景逻辑图
1.2 环境准备
1.2.1 网关服务器
[[email protected] ~]# cat /etc/redhat-release CentOS release 6.9 (Final) [[email protected] ~]# uname -r 2.6.32-696.el6.x86_64 [[email protected] ~]# ip a | egrep "eth0|eth1" 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 inet 10.0.0.102/24 brd 10.0.0.255 scope global eth0 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 inet 172.16.1.102/24 brd 172.16.1.255 scope global eth1
1.2.2 后端服务器
[[email protected] ~]# cat /etc/redhat-release CentOS Linux release 7.2.1511 (Core) [[email protected] ~]# uname -r 3.10.0-327.el7.x86_64 [[email protected] ~]# ip a | egrep "eth0|eth1" 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 inet 10.0.0.103/24 brd 10.0.0.255 scope global eth0 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 inet 172.16.1.103/24 brd 172.16.1.255 scope global eth1
1.3 配置后端服务器
1.3.1 关闭外网网卡
[[email protected] ~]# ifdown eth0
提示:为了方便可以关闭网卡后使用网关服务器通过ssh连接到后端服务器进行XShell配置。
1.3.2 配置网关和DNS
[[email protected] ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1 DNS1=223.5.5.5 GATEWAY=172.16.1.102
1.3.3 重启网卡
[[email protected] ~]# ifdown eth1 && ifup eth1
1.4 配置网关服务器共享上网
1.4.1 开启内核转发功能
[[email protected] ~]# vim /etc/sysctl.conf net.ipv4.ip_forward = 1 [[email protected] ~]# sysctl -p
1.4.2 关闭防火墙filter功能
- 黑名单模式:共享上网不需要防火墙功能,最好暂时停掉防火墙
[[email protected] ~]# iptables -P FORWARD ACCEPT
- FORWARD链白名单模式:
[[email protected] ~]# iptables -P FORWARD DROP [[email protected] ~]# iptables -A FORWARD -o eth0 -s 172.16.1.0/24 -j ACCEPT [[email protected] ~]# iptables -A FORWARD -i eth1 -s 172.16.1.0/24 -j ACCEPT [[email protected] ~]# iptables -A FORWARD -i eth1 -d 172.16.1.0/24 -j ACCEPT [[email protected] ~]# iptables -A FORWARD -o eth1 -d 172.16.1.0/24 -j ACCEPT # 或 [[email protected] ~]# iptables -A FORWARD -s 172.16.1.0/24 -j ACCEPT [[email protected] ~]# iptables -A FORWARD -d 172.16.1.0/24 -j ACCEPT
[[email protected] ~]# iptables -nvL Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 3048 241K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 30 2224 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 2 168 ACCEPT all -- * * 172.16.1.0/24 0.0.0.0/0 1870 77520 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT all -- * * 10.0.0.103 0.0.0.0/0 Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * eth0 172.16.1.0/24 0.0.0.0/0 0 0 ACCEPT all -- eth1 * 172.16.1.0/24 0.0.0.0/0 0 0 ACCEPT all -- eth1 * 0.0.0.0/0 172.16.1.0/24 0 0 ACCEPT all -- * eth1 0.0.0.0/0 172.16.1.0/24 Chain OUTPUT (policy ACCEPT 4 packets, 464 bytes) pkts bytes target prot opt in out source destination
1.4.3 开启NAT地址转换
- 适用于有固定外网地址的环境:
[[email protected] ~]# iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -o eth0 -j SNAT --to-source 10.0.0.102 [[email protected] ~]# iptables -t nat -nL Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- 172.16.1.0/24 0.0.0.0/0 to:10.0.0.102
- 命令说明:
- -s 172.16.1.0/24:指定办公室或IDC内网网段
- -o eth0:网关的外网卡接口
- -j SNAT --to-source 10.0.0.102:网关外网卡IP地址
适合变化外网地址(ADSL):
[[email protected] ~]# iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -j MASQUERADE # 伪装 [[email protected] ~]# iptables -t nat -nvL Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 MASQUERADE all -- * * 172.16.1.0/24 0.0.0.0/0
1.4.3.1 使用POSTROUTING的原因
- 企业共享上网:
- 办公网共享上网(网关要有外网IP,否则用路由zebra)
- IDC内网机器上网
- 企业上网是否需要linux网关
- 如果企业里有企业级路由器的情况下可以不需要上网网关,使用网关只是解决路由器无法解决的需要(如:上网行为、IP及端口的映射、网关杀毒等)
- IDC机房、大厦有固定外网IP的宽带,直接用网关解决上网及控制问题
1.4.4 测试连通性
[[email protected] ~]# ping 223.5.5.5 PING 223.5.5.5 (223.5.5.5) 56(84) bytes of data. 64 bytes from 223.5.5.5: icmp_seq=1 ttl=127 time=28.6 ms 64 bytes from 223.5.5.5: icmp_seq=2 ttl=127 time=28.3 ms [[email protected] ~]# ping www.baidu.com PING www.a.shifen.com (111.13.100.91) 56(84) bytes of data. 64 bytes from 111.13.100.91: icmp_seq=1 ttl=127 time=7.46 ms 64 bytes from 111.13.100.91: icmp_seq=2 ttl=127 time=6.98 ms
1.4.5 共享上网封IP的方式
iptables -I FORWARD -s 10.0.0.26 -j DROP
iptables ${deal} FORWARD -m mac --mac-source ${strIPmac} -j DROP
第2章 iptables实现端口映射访问
2.1 配置要求
把外部IP地址及端口映射到内部服务器地址及端口(和共享上网环境一样),在10段主机可以通过访问172.16.1.102:52113,即访问到10.0.0.103:22。
2.2 配置方法
2.2.1 命令实现
[[email protected] ~]# iptables -t nat -A PREROUTING -d 10.0.0.102 -p tcp --dport 52113 -j DNAT --to-destination 172.16.1.103:22 [[email protected] ~]# iptables -t nat -nL Chain PREROUTING (policy ACCEPT) target prot opt source destination DNAT tcp -- 0.0.0.0/0 10.0.0.102 tcp dpt:52113 to:172.16.1.103:22
- 命令说明:
- -d 10.0.0.102:指定提供访问的网关服务器外网接口地址
- --dport 52113:网关外网卡接口
- -j DNAT --to-destination 172.16.1.103:22:将访问目标地址做映射
2.2.2 测试结果
[c:\~]$ ssh 10.0.0.102 52113 Connecting to 10.0.0.102:52113... Connection established. To escape to local shell, press 'Ctrl+Alt+]'. Last login: Tue Dec 5 17:48:22 2017 from 172.16.1.102 [[email protected] ~]#
2.3 SNAT和DNAT说明
SNAT和DNAT均需要在外网卡上做地址转换。
2.3.1 SNAT说明图
2.3.2 DNAT说明图
第3章 实现IP一对一映射
用于没有外网地址的内网服务器映射为公网IP后对外提供服务,例如:FTP服务需要一对一映射。
3.1 配置要求
实现外部IP 10.0.0.81一对一映射到内部服务器10.0.0.103上。
3.2 配置方法
3.2.1 添加辅助IP
[[email protected] ~]# ip addr add 10.0.0.81/24 dev eth0 label eth0:0
3.2.2 进行配置
[[email protected] ~]# iptables -t nat -I PREROUTING -d 10.0.0.81 -j DNAT --to-destination 172.16.1.103 [[email protected] ~]# iptables -t nat -I POSTROUTING -s 172.16.1.103 -o eth0 -j SNAT --to-source 10.0.0.81
3.2.3 配置内网地址访问外网IP不走公网
[[email protected] ~]# iptables -t nat -I POSTROUTING -s 172.16.1.0/255.255.240.0 -d 10.0.0.81 -j SNAT --to-source 172.16.1.102
3.2.4 检查配置情况
# 查看防火墙规则 [[email protected] ~]# iptables -t nat -nL Chain PREROUTING (policy ACCEPT) target prot opt source destination DNAT all -- 0.0.0.0/0 10.0.0.81 to:172.16.1.103 DNAT tcp -- 0.0.0.0/0 10.0.0.102 tcp dpt:52113 to:172.16.1.103:22 Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- 172.16.0.0/20 10.0.0.81 to:172.16.1.102 SNAT all -- 172.16.1.103 0.0.0.0/0 to:10.0.0.81 MASQUERADE all -- 172.16.1.0/24 0.0.0.0/0 Chain OUTPUT (policy ACCEPT) target prot opt source destination
# 进行测试 [c:\~]$ ping 10.0.0.81 -t [[email protected] ~]# tcpdump|grep -i icmp tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 19:10:00.626199 IP mirrors.aliyun.com > 10.0.0.81: ICMP echo request, id 1, seq 38727, length 40 19:10:00.626528 IP 10.0.0.81 > mirrors.aliyun.com: ICMP echo reply, id 1, seq 38727, length 40 [[email protected] ~]# tcpdump|grep -i icmp tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 19:09:59.608878 IP mirrors.aliyun.com > 10.0.0.81: ICMP echo request, id 1, seq 38725, length 40 19:09:59.609264 IP 10.0.0.81 > mirrors.aliyun.com: ICMP echo reply, id 1, seq 38725, length 40
第4章 映射多个外网IP上网
4.1 配置方法
4.1.1 方法一:三层交换机或路由器,划分VLAN
iptables -t nat -A POSTROUTING -s 10.0.1.0/255.255.240.0 -o eth0 -j SNAT --to-source 124.42.60.11-124.42.60.16
4.1.2 方法二:扩大子网,增加广播风暴
iptables -t nat -A POSTROUTING -s 10.0.1.0/22 -o eth0 -j SNAT --to-source 124.42.60.11 iptables -t nat -A POSTROUTING -s 10.0.2.0/22 -o eth0 -j SNAT --to-source 124.42.60.12
我的微信
如果有技术上的问题可以扫一扫我的微信
