Take a client that needs to reach www.qq.com as an example:
step1: The user types www.qq.com into the browser's address bar. The operating system first checks whether the local hosts file has an IP mapping for this domain; if it does, that IP address is used and resolution is complete.
step2: If hosts has no mapping for the domain, the local DNS cache is checked; if it has the mapping, the result is returned directly and resolution is complete.
step3: If neither hosts nor the local DNS cache has a mapping, the query goes to the preferred DNS server (the local DNS server). If the queried domain is in a zone this server is configured to serve, it returns the answer to the client and resolution is complete; this answer is authoritative.
step4: If the queried domain is not in a zone served by the local DNS server, but the server has already cached the mapping, the cached IP address is returned and resolution is complete; this answer is not authoritative.
step5: If both the local zone files and the cache miss, the local DNS server sends the www.qq.com query to one of the 13 global root DNS servers. The root server cannot resolve www.qq.com itself, but .com is a delegation one level below it, so it returns the IP addresses of the .com DNS servers to the local DNS server.
step6: After receiving the .com name server addresses, the local DNS server sends the query to a .com DNS server. That server cannot resolve www.qq.com either, but qq.com is a delegation one level below it, so it returns the IP addresses of the qq.com DNS servers to the local DNS server.
step7: After receiving the qq.com name server addresses, the local DNS server sends the query to a qq.com DNS server. That server finds that it holds the record for www.qq.com and returns the IP mapping for www.qq.com to the local DNS server.
step8: After receiving the IP mapping for www.qq.com, the local DNS server first stores the record in its cache, then returns the result to the client; resolution is complete.
Environment:
HTTP server: www.magedu.org, 10.0.101.80/24
Domain: magedu.org
Master DNS server IP: 10.0.101.80/24
Slave DNS server IP: 10.0.101.81/24
Client IP: 10.0.101.70/24
Build the master DNS server
step1: Install the web package
[root@master-dns-ser named]# yum -y install httpd
[root@master-dns-ser named]# echo 'www.magedu.org' > /var/www/html/index.html
[root@master-dns-ser named]# systemctl enable --now httpd
step2: Install the DNS package
[root@master-dns-ser ~]# yum -y install bind
step3: Start the service
[root@master-dns-ser ~]# systemctl enable --now named
step4: Edit the main configuration file
[root@master-dns-ser ~]# vim /etc/named.conf
# Comment out the following two lines in the options block:
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
# Allow zone transfers only to the slave server
allow-transfer {10.0.101.81;};
step5: Edit the zone configuration file
[root@master-dns-ser ~]# vim /etc/named.rfc1912.zones
# Add the following:
zone "magedu.org" IN {
type master;
file "magedu.org.zone";
};
step6: Create the zone database file
[root@master-dns-ser ~]# cd /var/named/
[root@master-dns-ser named]# cp -a named.localhost magedu.org.zone
[root@master-dns-ser named]# ll magedu.org.zone # check the file permissions
-rw-r----- 1 root named 152 May 28 04:49 magedu.org.zone
[root@master-dns-ser named]# vim magedu.org.zone
$TTL 1D
@ IN SOA master admin (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
NS slave
master A 10.0.101.80
slave A 10.0.101.81
www A 10.0.101.80
step7: Reload the configuration
[root@master-dns-ser named]# rndc reload
step8: Client resolution test
# Install the resolution test tools on the client
[root@dns-clients ~]# yum -y install bind-utils
# Point DNS at the DNS server
[root@dns-clients ~]# cdnet
[root@dns-clients network-scripts]# vim ifcfg-eth0
DNS1=10.0.101.80
[root@dns-clients network-scripts]# cd
# Apply the change
[root@dns-clients ~]# nmcli conn reload
[root@dns-clients ~]# nmcli conn up eth0
[root@dns-clients ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search magedu.org
nameserver 10.0.101.80
# Use dig to resolve www.magedu.org
[root@dns-clients ~]# dig www.magedu.org

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.7 <<>> www.magedu.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43331
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.magedu.org. IN A

;; ANSWER SECTION:
www.magedu.org. 86400 IN A 10.0.101.80

;; AUTHORITY SECTION:
magedu.org. 86400 IN NS slave.magedu.org.
magedu.org. 86400 IN NS master.magedu.org.

;; ADDITIONAL SECTION:
master.magedu.org. 86400 IN A 10.0.101.80
slave.magedu.org. 86400 IN A 10.0.101.81

;; Query time: 0 msec
;; SERVER: 10.0.101.80#53(10.0.101.80)
;; WHEN: Mon Nov 08 13:00:09 CST 2021
;; MSG SIZE  rcvd: 132

[root@dns-clients ~]# ping www.magedu.org
PING www.magedu.org (10.0.101.80) 56(84) bytes of data.
64 bytes from 10.0.101.80 (10.0.101.80): icmp_seq=1 ttl=64 time=0.208 ms
^C
--- www.magedu.org ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.208/0.208/0.208/0.000 ms
[root@dns-clients ~]# curl www.magedu.org
www.magedu.org
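The allow-transfer line above and the commented-out allow-query line decide who can pull the whole zone (AXFR) and who can use this server as a recursive resolver. The script below is an added example, not from the original page: it audits those options, plus dnssec-validation, in a named.conf. The two configs embedded in it are constructed to mirror this lab (the first) and a tightened variant (the second); the option names and values are BIND's own.

```shell
#!/bin/sh
# Added example, not part of the original page: audit the security-relevant
# options this page edits in /etc/named.conf. Both configs are constructed;
# the first mirrors the master server above (allow-query commented out,
# allow-transfer limited to the slave, recursion at the BIND default "yes").
# Assumes one option per line; /* */ comments are not parsed.
sample_conf() {
    cat <<'EOF'
options {
//    listen-on port 53 { 127.0.0.1; };
//    allow-query     { localhost; };
    allow-transfer {10.0.101.81;};
    recursion yes;
    dnssec-validation no;
};
EOF
}
# Same lab, tightened: transfers still only to the slave, recursion only
# for the lab subnet, DNSSEC validation back on.
hardened_conf() {
    cat <<'EOF'
options {
    allow-transfer  { 10.0.101.81; };
    allow-recursion { 10.0.101.0/24; };
    recursion yes;
    dnssec-validation yes;
};
EOF
}
# Read a named.conf on stdin and print one WARN line per finding.
# Exit status 0 when nothing is flagged, 1 otherwise.
audit_named_conf() {
    awk '
    # value between the braces of "name { value };" on the current line
    function val(  v, i) { v = $0; i = index(v, "{"); v = substr(v, i + 1); v = substr(v, 1, index(v, "}") - 1); gsub(/^[ \t]+|[ \t]+$/, "", v); return v }
    { sub(/\/\/.*/, ""); sub("#.*", "") }          # strip // and # comments first
    /allow-transfer[ \t]*[{]/  { xfer = val() }
    /allow-query[ \t]*[{]/     { query = val() }
    /allow-recursion[ \t]*[{]/ { arec = val() }
    /^[ \t]*recursion[ \t]/    { rec = $2; sub(/;/, "", rec) }
    /dnssec-validation[ \t]/   { dv = $2; sub(/;/, "", dv) }
    END {
        if (xfer == "" || xfer ~ /any/) {
            print "WARN allow-transfer " (xfer == "" ? "unset (default: any)" : xfer) ": any host can AXFR the whole zone"; n++
        }
        if (rec != "no" && (query == "" || query ~ /any/) && (arec == "" || arec ~ /any/)) {
            print "WARN recursion on with no allow-query/allow-recursion limit: open resolver"; n++
        }
        if (dv == "no") { print "WARN dnssec-validation no: forged upstream answers are accepted"; n++ }
        exit (n > 0)
    }'
}
# Usage on a real server: audit_named_conf < /etc/named.conf
```

With the lab config the audit flags two things: recursion is enabled for anyone who can reach the server once allow-query is commented out, and dnssec-validation is off.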
Build the slave DNS server
step1: Install the DNS package
[root@slave-dns-ser ~]# yum -y install bind
step2: Edit the main configuration file
[root@slave-dns-ser ~]# vim /etc/named.conf
# Comment out the following two lines in the options block:
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
# Do not allow zone transfers to any other host
allow-transfer {none;};
step3: Edit the zone configuration file
[root@slave-dns-ser ~]# vim /etc/named.rfc1912.zones
# Add the following:
zone "magedu.org" IN {
type slave;
masters {10.0.101.80;};
file "slaves/magedu.org.slave";
};
step4: Start the service
[root@slave-dns-ser ~]# systemctl enable --now named
[root@slave-dns-ser ~]# ll /var/named/slaves/
total 4
-rw-r--r-- 1 named named 308 Nov 8 13:10 magedu.org.slave
step5: Client resolution test
# Configure the address information
[root@dns-clients ~]# sed -i '$aDNS2=10.0.101.81' /etc/sysconfig/network-scripts/ifcfg-eth0
[root@dns-clients ~]# nmcli connection reload
[root@dns-clients ~]# nmcli conn up eth0
[root@dns-clients ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search magedu.org
nameserver 10.0.101.80
nameserver 10.0.101.81
# Client resolution test
[root@dns-clients ~]# dig www.magedu.org @10.0.101.81

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.7 <<>> www.magedu.org @10.0.101.81
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16926
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.magedu.org. IN A

;; ANSWER SECTION:
www.magedu.org. 86400 IN A 10.0.101.80

;; AUTHORITY SECTION:
magedu.org. 86400 IN NS master.magedu.org.
magedu.org. 86400 IN NS slave.magedu.org.

;; ADDITIONAL SECTION:
master.magedu.org. 86400 IN A 10.0.101.80
slave.magedu.org. 86400 IN A 10.0.101.81

;; Query time: 1 msec
;; SERVER: 10.0.101.81#53(10.0.101.81)
;; WHEN: Mon Nov 08 13:18:14 CST 2021
;; MSG SIZE  rcvd: 132

2. Build and implement smart DNS
Environment
Four hosts are needed:
Master DNS server: dual NICs: 10.0.101.80/24, 100.0.101.80
web1: 10.0.101.81/24
web2: 100.0.101.81/24
DNS client: dual NICs: 10.0.101.70, 100.0.101.70
Install and configure smart DNS
step1: Configure web1 and web2
# Check the IP addresses of web1 and web2
[root@web1 ~]# ip a sh eth0
2: eth0: mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:4b:0b:0b brd ff:ff:ff:ff:ff:ff
    inet 10.0.101.81/24 brd 10.0.101.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe4b:b0b/64 scope link
       valid_lft forever preferred_lft forever
[root@web2 ~]# ip a sh eth1
3: eth1: mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:f2:e2:f8 brd ff:ff:ff:ff:ff:ff
    inet 100.0.101.81/24 brd 100.0.101.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::e86e:efc5:6f73:a75c/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
# Configure httpd on web1 and web2
[root@web1 ~]# yum -y install httpd
[root@web1 ~]# echo 'bj.magedu.org' > /var/www/html/index.html
[root@web1 ~]# systemctl enable --now httpd
[root@web2 ~]# yum -y install httpd
[root@web2 ~]# echo 'sh.magedu.org' > /var/www/html/index.html
[root@web2 ~]# systemctl enable --now httpd
# Test access to the web pages
[root@client1 ~]# ip a sh eth0
2: eth0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:b1:66:fc brd ff:ff:ff:ff:ff:ff
    inet 10.0.101.70/24 brd 10.0.101.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:feb1:66fc/64 scope link
       valid_lft forever preferred_lft forever
[root@client2 ~]# ip a sh eth1
3: eth1: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:03:f1:51 brd ff:ff:ff:ff:ff:ff
    inet 100.0.101.70/24 brd 100.0.101.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::526b:58d3:5223:4627/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
[root@client1 ~]# curl 10.0.101.81
bj.magedu.org
[root@client2 ~]# curl 100.0.101.81
sh.magedu.org
step2: Configure DNS
# Install bind
[root@dns-ser ~]# yum -y install bind
# Start the service
[root@dns-ser ~]# systemctl enable --now named
# Edit the bind main configuration file
[root@dns-ser ~]# vim /etc/named.conf
# Add the acl definitions at the very top of the configuration
acl bjnet {
10.0.101.0/24;
};
acl shnet {
100.0.101.0/24;
};
# Comment out the following two lines
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
# Do not allow zone transfers to any other host
allow-transfer {none;};
# Disable DNSSEC
dnssec-enable no;
dnssec-validation no;
# Create the views
view bjwiew {
match-clients {bjnet;};
include "/etc/named.rfc1912.zones.bj";
};
view shview {
match-clients {shnet;};
include "/etc/named.rfc1912.zones.sh";
};
include "/etc/named.root.key";
# Comment out the following content
# Create and configure the zone configuration files
[root@dns-ser ~]# vim /etc/named.rfc1912.zones
zone "." IN {
type hint;
file "named.ca";
};
zone "magedu.org" IN {
type master;
file "magedu.org.zone.bj";
};
[root@dns-ser ~]# mv /etc/named.rfc1912.zones /etc/named.rfc1912.zones.bj
[root@dns-ser ~]# cp -a /etc/named.rfc1912.zones.bj /etc/named.rfc1912.zones.sh
[root@dns-ser ~]# vim /etc/named.rfc1912.zones.sh
zone "." IN {
type hint;
file "named.ca";
};
zone "magedu.org" IN {
type master;
file "magedu.org.zone.sh";
};
[root@dns-ser ~]# ll /etc/named.*
-rw-r----- 1 root named 1946 Nov 8 14:24 /etc/named.conf
-rw-r----- 1 root named 1150 Nov 8 14:30 /etc/named.rfc1912.zones.bj
-rw-r----- 1 root named 1150 Nov 8 14:32 /etc/named.rfc1912.zones.sh
-rw-r--r-- 1 root named 1070 May 28 04:49 /etc/named.root.key
# Create the zone database files
[root@dns-ser ~]# cd /var/named/
[root@dns-ser named]# cp -a named.localhost magedu.org.zone.bj
[root@dns-ser named]# vim magedu.org.zone.bj
$TTL 1D
@ IN SOA master admin (
2021110814 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
master A 10.0.101.80
websrv A 10.0.101.81
www CNAME websrv
[root@dns-ser named]# cp -a magedu.org.zone.bj magedu.org.zone.sh
[root@dns-ser named]# vim magedu.org.zone.sh
$TTL 1D
@ IN SOA master admin (
2021110814 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
master A 100.0.101.80
websrv A 100.0.101.81
www CNAME websrv
# Reload the configuration
[root@dns-ser named]# rndc reload
server reload successful
step3: Client test
[root@client1 ~]# yum -y install bind-utils
[root@client1 ~]# cdnet ; vim ifcfg-eth0
DNS1=10.0.101.80
[root@client1 ~]# dig www.magedu.org

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.7 <<>> www.magedu.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9745
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.magedu.org. IN A

;; ANSWER SECTION:
www.magedu.org. 86400 IN CNAME websrv.magedu.org.
websrv.magedu.org. 86400 IN A 10.0.101.81

;; AUTHORITY SECTION:
magedu.org. 86400 IN NS master.magedu.org.

;; ADDITIONAL SECTION:
master.magedu.org. 86400 IN A 10.0.101.80

;; Query time: 1 msec
;; SERVER: 10.0.101.80#53(10.0.101.80)
;; WHEN: Mon Nov 08 14:59:39 CST 2021
;; MSG SIZE  rcvd: 117

[root@client1 ~]# ping www.magedu.org
PING websrv.magedu.org (10.0.101.81) 56(84) bytes of data.
64 bytes from 10.0.101.81 (10.0.101.81): icmp_seq=1 ttl=64 time=0.731 ms
64 bytes from 10.0.101.81 (10.0.101.81): icmp_seq=2 ttl=64 time=0.874 ms
^C
--- websrv.magedu.org ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.731/0.802/0.874/0.076 ms
[root@client1 ~]# curl www.magedu.org
bj.magedu.org
[root@client2 ~]# yum -y install bind-utils
[root@client2 ~]# cdnet;vim ifcfg-eth1
DNS1=100.0.101.80
[root@client2 ~]# dig www.magedu.org

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.7 <<>> www.magedu.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64051
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.magedu.org. IN A

;; ANSWER SECTION:
www.magedu.org. 86400 IN CNAME websrv.magedu.org.
websrv.magedu.org. 86400 IN A 100.0.101.81

;; AUTHORITY SECTION:
magedu.org. 86400 IN NS master.magedu.org.

;; ADDITIONAL SECTION:
master.magedu.org. 86400 IN A 100.0.101.80

;; Query time: 1 msec
;; SERVER: 100.0.101.80#53(100.0.101.80)
;; WHEN: Mon Nov 08 15:02:47 CST 2021
;; MSG SIZE  rcvd: 117

[root@client2 ~]# ping www.magedu.org
PING websrv.magedu.org (100.0.101.81) 56(84) bytes of data.
64 bytes from pool-100-0-101-81.bstnma.fios.verizon.net (100.0.101.81): icmp_seq=1 ttl=64 time=0.193 ms
64 bytes from pool-100-0-101-81.bstnma.fios.verizon.net (100.0.101.81): icmp_seq=2 ttl=64 time=0.428 ms
64 bytes from pool-100-0-101-81.bstnma.fios.verizon.net (100.0.101.81): icmp_seq=3 ttl=64 time=0.364 ms
^C64 bytes from pool-100-0-101-81.bstnma.fios.verizon.net (100.0.101.81): icmp_seq=4 ttl=64 time=0.365 ms
64 bytes from pool-100-0-101-81.bstnma.fios.verizon.net (100.0.101.81): icmp_seq=5 ttl=64 time=0.214 ms
^C
--- websrv.magedu.org ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4002ms
rtt min/avg/max/mdev = 0.193/0.312/0.428/0.095 ms
[root@client2 ~]# curl www.magedu.org
sh.magedu.org

3. Use iptables to permit ssh, telnet, ftp and the web service on port 80, and reject all other ports and services
[root@centos8-0 ~]# iptables -A INPUT -d 10.0.101.80 -p tcp -m multiport --dports 20:23,80 -j ACCEPT
[root@centos8-0 ~]# iptables -A INPUT -j REJECT

4. Summary of how NAT works
NAT (Network Address Translation) is a technique, used in computer networks, for rewriting the source or destination IP address of IP packets as they pass through a router or firewall. It is commonly used in private networks where many hosts reach the Internet through a single public IP address.
Simply put, NAT means that internal addresses are used inside the LAN, and when an internal host needs to talk to an external network, the gateway replaces the internal address with a public one so that the traffic works normally on the public Internet. NAT lets many computers share one Internet connection, which neatly addresses the shortage of public IP addresses: a single legitimate IP address is enough to connect an entire LAN to the Internet. At the same time NAT hides the internal network: internal computers are invisible to the public network, and their users are usually unaware that NAT exists.
NAT supports four chains: PREROUTING, INPUT, OUTPUT and POSTROUTING.
NAT comes in the following three types:
Static NAT (SNAT): supported in POSTROUTING and INPUT; lets hosts on the local network reach external networks through one specific address (address masquerading); the request packet's source IP is rewritten.
Dynamic NAT (DNAT): exposes a service on a local-network host to external networks (service publishing and port mapping) while hiding its real IP; the request packet's destination IP is rewritten.
Port Address Translation (PAT): both the port and the IP are rewritten.
1) Lab environment
2) Lab steps
step1: IP address information
# Wan-Ser
root@wan-server:~# hostname -I
10.0.101.180
root@wan-server:~# ip route del default via 10.0.101.2 dev eth0 proto static # delete the default route
root@wan-server:~# ip route
10.0.101.0/24 dev eth0 proto kernel scope link src 10.0.101.180
----------------------------------------------------------------------------------------------------------
# Firewall
[root@firewall ~]# hostname -I
10.0.101.80 192.168.101.80
[root@firewall ~]# ip route
10.0.101.0/24 dev eth0 proto kernel scope link src 10.0.101.80 metric 106
192.168.101.0/24 dev eth1 proto kernel scope link src 192.168.101.80 metric 105
----------------------------------------------------------------------------------------------------------
# Lan-Ser1
[root@lan-server1 ~]# hostname -I
192.168.101.81
[root@lan-server1 ~]# ip route
default via 192.168.101.80 dev eth0 proto static metric 100
192.168.101.0/24 dev eth0 proto kernel scope link src 192.168.101.81 metric 100
----------------------------------------------------------------------------------------------------------
# Lan-Ser2
[root@lan-server2 ~]# hostname -I
192.168.101.82
[root@lan-server2 ~]# ip route
default via 192.168.101.80 dev eth0 proto static metric 100
192.168.101.0/24 dev eth0 proto kernel scope link src 192.168.101.82 metric 100
----------------------------------------------------------------------------------------------------------
step2: Configure web
[root@lan-server1 ~]# yum -y install httpd
[root@lan-server1 ~]# systemctl enable --now httpd
[root@lan-server1 ~]# echo 'LAN' > /var/www/html/index.html
root@wan-server:~# apt -y install apache2
root@wan-server:~# echo 'Internet' > /var/www/html/index.html
step3: Test network connectivity and whether the web pages are reachable
[root@firewall ~]# ping 10.0.101.180 -c 1
PING 10.0.101.180 (10.0.101.180) 56(84) bytes of data.
64 bytes from 10.0.101.180: icmp_seq=1 ttl=64 time=0.217 ms

--- 10.0.101.180 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.217/0.217/0.217/0.000 ms
[root@firewall ~]# ping 192.168.101.81 -c 1
PING 192.168.101.81 (192.168.101.81) 56(84) bytes of data.
64 bytes from 192.168.101.81: icmp_seq=1 ttl=64 time=0.308 ms

--- 192.168.101.81 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.308/0.308/0.308/0.000 ms
-----------------------------------------------------------------------------------------------------------------------
root@wan-server:~# ping 192.168.101.80
connect: Network is unreachable
-----------------------------------------------------------------------------------------------------------------------
[root@lan-server1 ~]# ping 10.0.101.180
PING 10.0.101.180 (10.0.101.180) 56(84) bytes of data.
^C
--- 10.0.101.180 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4096ms
-----------------------------------------------------------------------------------------------------------------------
[root@firewall ~]# curl 10.0.101.180
Internet
[root@firewall ~]# curl 192.168.101.81
LAN
step4: Configure SNAT
# Enable IP forwarding on the firewall
[root@firewall ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@firewall ~]# sysctl -p
net.ipv4.ip_forward = 1
# Configure SNAT
[root@firewall ~]# iptables -t nat -A POSTROUTING -s 192.168.101.0/24 ! -d 192.168.101.0/24 -j MASQUERADE
# An internal host can now reach the external web server
[root@lan-server1 ~]# curl 10.0.101.180
Internet
# The external host cannot reach the internal web server; that requires a DNAT rule
root@wan-server:~# curl 192.168.101.81
curl: (7) Couldn't connect to server
step5: Configure DNAT
# Configure DNAT
[root@firewall ~]# iptables -t nat -A PREROUTING -d 10.0.101.80 -p tcp --dport 80 -j DNAT --to-destination 192.168.101.81:80
# Test access from the external host to the internal web server
root@wan-server:~# curl 10.0.101.80
LAN
step6: Make the firewall rules persistent
# Make the iptables rules persistent
[root@firewall ~]# iptables-save > /data/iptables # save the rules to a file
[root@firewall ~]# yum -y install iptables-services # install the iptables service
[root@firewall ~]# systemctl enable --now iptables.service # start the service
[root@firewall ~]# iptables -F # clear the filter table
[root@firewall ~]# iptables -t nat -F # clear the nat table
[root@firewall ~]# iptables-restore < /data/iptables # load the rules
[root@firewall ~]# iptables-save > /etc/sysconfig/iptables # save the rules to the file the iptables service loads by default
[root@firewall ~]# iptables -t nat -F
[root@firewall ~]# iptables -tnat -vnL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[root@firewall ~]# systemctl restart iptables
[root@firewall ~]# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 10.0.101.80 tcp dpt:80 to:192.168.101.81:80
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 192.168.101.0/24 !192.168.101.0/24
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
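The two filter rules in section 3 and the SNAT/DNAT rules in section 4 are the page's own. The script below is an added example, not from the original page: it writes them as one iptables-restore ruleset with the loopback and connection-tracking rules a practitioner places before the catch-all REJECT, and checks that ordering. The eth0 (WAN) and eth1 (LAN) roles are assumed from the firewall's routing table above; all addresses are the lab's.

```shell
#!/bin/sh
# Added example, not part of the original page: the section-3 filter policy
# and the section-4 NAT rules as one iptables-restore ruleset, plus a check
# for the ordering mistake the page's two-rule version makes. Addresses are
# the page's lab values; the eth0 (WAN) / eth1 (LAN) roles are an assumption.
WAN_IP=10.0.101.80; WAN_IF=eth0
LAN_NET=192.168.101.0/24; LAN_WEB=192.168.101.81
# The page's section-3 rules as written. Nothing lets replies to the
# firewall's own outbound connections (yum, curl, DNS) back in, and ftp data
# connections land on random high ports, so the catch-all REJECT eats both.
page_rules() {
    cat <<EOF
*filter
-A INPUT -d $WAN_IP -p tcp -m multiport --dports 20:23,80 -j ACCEPT
-A INPUT -j REJECT
COMMIT
EOF
}
# Same intent, with loopback, conntrack state and the ftp helper accepted
# before the catch-all, and the section-4 SNAT/DNAT rules in the nat table.
hardened_rules() {
    cat <<EOF
*raw
-A PREROUTING -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -d $WAN_IP -p tcp -m multiport --dports 20:23,80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
-A PREROUTING -d $WAN_IP -p tcp --dport 80 -j DNAT --to-destination $LAN_WEB:80
-A POSTROUTING -s $LAN_NET ! -d $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}
# Check a ruleset on stdin: in filter/INPUT the ESTABLISHED,RELATED accept
# must exist and precede any catch-all "-A INPUT -j REJECT" or "-j DROP".
# Exit status 0 when the order is right, 1 otherwise.
check_input_order() {
    awk '
    /^\*/ { table = substr($0, 2) }
    table == "filter" && /^-A INPUT / {
        n++
        if (/ESTABLISHED/) est = n
        if (/^-A INPUT -j (REJECT|DROP)/ && !rej) rej = n
    }
    END { exit !(est && (!rej || est < rej)) }'
}
# Apply on the firewall with: hardened_rules | iptables-restore
```

The CT rule in the raw table needs the nf_conntrack_ftp module loaded (modprobe nf_conntrack_ftp); without it, passive ftp data connections are still rejected.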