一、准备
两个虚拟机：A 机器添加一个网卡并选择 LAN 区段
B机器,先禁掉原本的网卡再重新添加一个网卡
启动两个机器
A机器
#查看网卡 [root@linux-01 ~]# ifconfig ens33: flags=4163mtu 1500 inet 192.168.96.135 netmask 255.255.255.0 broadcast 192.168.96.255 inet6 fe80::4a54:5df8:cd7e:6fb7 prefixlen 64 scopeid 0x20 ether 00:0c:29:d1:b7:57 txqueuelen 1000 (Ethernet) RX packets 673 bytes 53438 (52.1 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 339 bytes 34572 (33.7 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ens33:0: flags=4163 mtu 1500 inet 192.168.96.137 netmask 255.255.255.0 broadcast 192.168.96.255 ether 00:0c:29:d1:b7:57 txqueuelen 1000 (Ethernet) ens37: flags=4163 mtu 1500 inet6 fe80::b2a9:d548:4148:d0e6 prefixlen 64 scopeid 0x20 ether 00:0c:29:d1:b7:61 txqueuelen 1000 (Ethernet) #新增ens37网卡 给ens37 设置临时ip [root@linux-01 ~]# ifconfig ens37 192.168.100.1/24 [root@linux-01 ~]# ifconfig ens33: flags=4163 mtu 1500 inet 192.168.96.135 netmask 255.255.255.0 broadcast 192.168.96.255 inet6 fe80::4a54:5df8:cd7e:6fb7 prefixlen 64 scopeid 0x20 ether 00:0c:29:d1:b7:57 txqueuelen 1000 (Ethernet) RX packets 766 bytes 61088 (59.6 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 396 bytes 46394 (45.3 KiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ens33:0: flags=4163 mtu 1500 inet 192.168.96.137 netmask 255.255.255.0 broadcast 192.168.96.255 ether 00:0c:29:d1:b7:57 txqueuelen 1000 (Ethernet) ens37: flags=4163 mtu 1500 inet 192.168.100.1 netmask 255.255.255.0 broadcast 192.168.100.255 ether 00:0c:29:d1:b7:61 txqueuelen 1000 (Ethernet)
B机器
查看网卡状态 [root@linux-01 ~]# mii-tool ens37 ens37: negotiated 1000baseT-FD flow-control, link ok [root@linux-01 ~]#
测试 ping 机器 A
A机器
打开路由转发
#打开 IP 转发（路由转发） [root@linux-01 ~]# cat /proc/sys/net/ipv4/ip_forward 0 [root@linux-01 ~]# echo "1">/proc/sys/net/ipv4/ip_forward 1 [root@linux-01 ~]# [root@linux-01 ~]# cat /proc/sys/net/ipv4/ip_forward 1
iptables 增加一条规则
#使 192.168.100.0/24 网段能上网（MASQUERADE 会把该网段发出的包的源地址改写为 ens33 的地址）
[root@linux-01 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
#查看规则
[root@linux-01 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 7 packets, 532 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 7 packets, 532 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * ens33 192.168.100.0/24 0.0.0.0/0
B机器:
#查看路由表网关 [root@linux-02 ~]# route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 192.168.96.2 0.0.0.0 UG 100 0 0 ens33 192.168.96.0 0.0.0.0 255.255.255.0 U 100 0 0 ens33 192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 ens37 #设置网关 [root@linux-02 ~]# route add default gw 192.168.100.1 [root@linux-02 ~]# route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 192.168.100.1 0.0.0.0 UG 0 0 0 ens37 0.0.0.0 192.168.96.2 0.0.0.0 UG 100 0 0 ens33 192.168.96.0 0.0.0.0 255.255.255.0 U 100 0 0 ens33 192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 ens37
测试ping
设置DNS 测试外网
[root@linux-02 ~]# vi /etc/resolv.conf
端口映射远程连接 B 机器
A机器 打开端口转发 [root@linux-01 ~]# echo "1">/proc/sys/net/ipv4/ip_forward [root@linux-01 ~]# #增加规则前将之前的规则删除 [root@linux-01 ~]# iptables -t nat -D POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE #将进来的包进行转发到192.168.100.100:22 [root@linux-01 ~]# iptables -t nat -A PREROUTING -d 192.168.96.135 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22 #将192.168.100.100:22回来的包进行转发 [root@linux-01 ~]# iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.96.135 [root@linux-01 ~]#
B机器: #设置网关 [root@linux-02 ~]# route add default gw 192.168.100.1
C机器:
新建远程连接
测试外网
iptables规则备份和恢复
#iptables规则另存为 [root@linux-01 ~]# iptables-save > /tmp/ipt.txt [root@linux-01 ~]# cat /tmp/ipt.txt # Generated by iptables-save v1.4.21 on Sun Sep 8 22:09:36 2019 *nat :PREROUTING ACCEPT [27:1992] :INPUT ACCEPT [1:84] :OUTPUT ACCEPT [18:1376] :POSTROUTING ACCEPT [18:1376] -A PREROUTING -d 192.168.96.135/32 -p tcp -m tcp --dport 1122 -j DNAT --to-destination 192.168.100.100:22 -A POSTROUTING -s 192.168.100.100/32 -j SNAT --to-source 192.168.96.135 #恢复 [root@linux-01 ~]# iptables-restore < /tmp/ipt.txt



