17. Domain Name System (DNS) service
1. Name resolution services and how DNS works (88 min)
2. Basic DNS configuration for Internet access (79 min)
3. Implementing a forward-lookup DNS service (57 min)
4. Implementing reverse DNS lookup and secondary DNS servers (59 min)
5. Implementing subdomain delegation and forwarding queries (47 min)
6. How GSLB and CDN services work (50 min)
18. Linux firewalls
1. Introduction to Linux firewalls (53 min)
2. Basic iptables usage (71 min)
3. iptables extension modules (35 min)
4. iptables extension modules, continued (67 min)
5. Saving iptables rules and custom chains (41 min)
6. Building a network firewall with iptables (31 min)
7. NAT with iptables: principles and practice (51 min)
Week 9
1. Explain how a DNS server works, and build a primary/secondary server pair.

Devices on a TCP/IP network communicate by IP address. Numeric IP addresses are hard to remember, and once a network has many devices, memorising every address becomes an impossible task. The solution is to give each device a friendly name such as www.magedu.org; a name made of words is obviously easier to remember. A computer does not understand such names, however, so a name resolution service is used to resolve the name into an IP address, which lets us reach devices on the network by name. Name resolution has a second important benefit: it decouples a host from its IP address. When the host's IP changes, only the name service needs updating, and users keep reaching it under the original name without being affected.
There are several ways to implement such a service, as described below.

Local name resolution file: hosts
Linux: /etc/hosts
Windows: %WINDIR%\system32\drivers\etc\hosts
# Format: an IP address followed by one or more names
122.10.117.2 www.magedu.org.
93.46.8.89 www.google.com.
Example:
# In a cmd window %WINDIR% expands to the Windows directory, so "set %WINDIR%" is really "set C:\Windows"
C:\Users\DONG>set %WINDIR%
Environment variable C:\Windows not defined
DNS: Domain Name System, an application-layer protocol and an Internet service. It is a distributed database that maps domain names to IP addresses and back, making the Internet easier to use. It follows a client/server architecture; the server side listens on 53/udp and 53/tcp (UDP for ordinary queries, TCP for zone transfers and for answers too large for UDP).
BIND: Berkeley Internet Name Domain, the DNS implementation provided by ISC (www.isc.org).

DNS domain name structure
[Figure: DNS domain name hierarchy (image not available)]
Root domain: there are 13 root server identities (A through M), run by 13 operators: 10 in the United States, 1 in the Netherlands, 1 in Sweden and 1 in Japan. Each identity is served by many anycast instances around the world, so 13 is the number of root addresses, not the number of physical machines.
Top-level domains (Top Level Domain, TLD), three kinds:
    organisational domains: com, edu, mil, gov, net, org, int
    country domains: .cn, .ca, .hk, .tw
    reverse domain: arpa
Second-level domain: magedu.com
Third-level domain: study.magedu.com
Up to 127 levels are possible.
ICANN (The Internet Corporation for Assigned Names and Numbers) is responsible worldwide for managing the generic top-level domains (gTLD), the country-code top-level domains (ccTLD) and the root server system.
Root server security
In April 2004 the .ly top-level domain went down, and Libya disappeared from the Internet for three days.
The Yeti DNS project ("Snowman Plan")
Building on, and fully compatible with, the existing IPv4 root server architecture, the Yeti project in 2016 deployed 25 IPv6 root servers in 16 countries including the United States, Japan, India, Russia, Germany and France; 1 primary and 3 secondary roots are located in China. In effect this produced a new landscape of the 13 original roots plus 25 IPv6 roots.

1.3 DNS query types
Recursive query: the query between a client and its local DNS server is normally recursive. After the client sends its request, if the DNS server cannot resolve it by itself, it queries other DNS servers and hands the final positive or negative result back to the client. The source and destination of the query stay the same, and the client issues only one query to obtain the result.
Iterative query: the queries the local DNS server sends to other DNS servers are normally (with exceptions) iterative. If the server asked cannot return an authoritative answer, it returns a referral, and the local server then queries the next DNS server (chosen from the referral returned by the previous one), repeating until it gets the answer. The source of the query stays the same while the target keeps changing, and several queries are normally needed to obtain the result.
1.4 Name servers
Name Server: the DNS server responsible for resolving names within its own domain.
IPv4 root name servers: 13 worldwide serve the root domain; 10 in the United States, 1 in the Netherlands, 1 in Sweden, 1 in Japan.
IPv6 root name servers (Yeti project): 25 worldwide; China has 1 primary and 3 secondaries, the United States 1 primary and 2 secondaries.

1.5 Resolution types
FQDN --> IP: forward resolution
IP --> FQDN: reverse resolution
Note: forward and reverse resolution are two separate name spaces, i.e. two different resolution trees.

1.6 Path of a complete query
Client --> hosts file --> client DNS service local cache --> DNS server (recursion) --> DNS server cache --> DNS iteration --> root --> TLD DNS --> second-level domain DNS ...
Example: Windows client DNS cache. The first findstr prints nothing because the name is not cached yet; after the ping the whole CNAME chain is cached; flushdns empties the cache again.
C:\Users\DONG>ipconfig/displaydns | findstr redhat
C:\Users\DONG>ping www.redhat.com
Pinging e3396.ca2.s.tl88.net [223.111.102.32] with 32 bytes of data:
Reply from 223.111.102.32: bytes=32 time=39ms TTL=57
Reply from 223.111.102.32: bytes=32 time=39ms TTL=57
Reply from 223.111.102.32: bytes=32 time=48ms TTL=57
Reply from 223.111.102.32: bytes=32 time=39ms TTL=57
Ping statistics for 223.111.102.32:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 39ms, Maximum = 48ms, Average = 41ms
C:\Users\DONG>ipconfig/displaydns | findstr redhat
    www.redhat.com
    Record Name . . . . . : www.redhat.com
    CNAME Record  . . . . : ds-www.redhat.com.edgekey.net
    Record Name . . . . . : ds-www.redhat.com.edgekey.net
    CNAME Record  . . . . : ds-www.redhat.com.edgekey.net.globalredir.akadns.net
    Record Name . . . . . : ds-www.redhat.com.edgekey.net.globalredir.akadns.net
C:\Users\DONG>ipconfig/flushdns
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\DONG>ipconfig/displaydns | findstr redhat
C:\Users\DONG>
Example: DNS basics on an Ubuntu client
root@ubuntu1804:~# ping www.baidu.com
PING www.a.shifen.com (183.232.231.172) 56(84) bytes of data.
64 bytes from 183.232.231.172 (183.232.231.172): icmp_seq=1 ttl=128 time=7.93 ms
64 bytes from 183.232.231.172 (183.232.231.172): icmp_seq=2 ttl=128 time=7.08 ms
64 bytes from 183.232.231.172 (183.232.231.172): icmp_seq=3 ttl=128 time=7.79 ms
^C
--- www.a.shifen.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 7.085/7.604/7.937/0.385 ms
root@ubuntu1804:~# cat /etc/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "systemd-resolve --status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 127.0.0.53
options edns0
root@ubuntu1804:~# cat /etc/netplan/01-netcfg.yaml
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      dhcp4: no
      addresses: [10.0.0.100/24]
      gateway4: 10.0.0.2
      nameservers:
        addresses: [223.6.6.6]
root@ubuntu1804:~# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 ubuntu1804.magedu.org ubuntu1804
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.0.0.8 www.baidu.com www.360.com
root@ubuntu1804:~# ping www.baidu.com
PING www.baidu.com (10.0.0.8) 56(84) bytes of data.
64 bytes from www.baidu.com (10.0.0.8): icmp_seq=1 ttl=64 time=0.875 ms
64 bytes from www.baidu.com (10.0.0.8): icmp_seq=2 ttl=64 time=0.536 ms
^C
--- www.baidu.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.536/0.705/0.875/0.171 ms
root@ubuntu1804:~# ping www.360.com
PING www.baidu.com (10.0.0.8) 56(84) bytes of data.
64 bytes from www.baidu.com (10.0.0.8): icmp_seq=1 ttl=64 time=0.269 ms
64 bytes from www.baidu.com (10.0.0.8): icmp_seq=2 ttl=64 time=0.652 ms
64 bytes from www.baidu.com (10.0.0.8): icmp_seq=3 ttl=64 time=0.484 ms
64 bytes from www.baidu.com (10.0.0.8): icmp_seq=4 ttl=64 time=0.751 ms
^C
--- www.baidu.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3049ms
rtt min/avg/max/mdev = 0.269/0.539/0.751/0.182 ms
Note: in /etc/hosts one IP can carry several names on a single line, but when the same name appears on several lines only the first matching line is used (DNS, by contrast, can return several A records for one name).
# 10.0.0.7 listed second
root@ubuntu1804:~# cat /etc/hosts
10.0.0.8 www.baidu.com www.360.com
10.0.0.7 www.baidu.com
root@ubuntu1804:~# ping www.baidu.com
PING www.baidu.com (10.0.0.8) 56(84) bytes of data.
64 bytes from www.baidu.com (10.0.0.8): icmp_seq=1 ttl=64 time=0.538 ms
64 bytes from www.baidu.com (10.0.0.8): icmp_seq=2 ttl=64 time=0.376 ms
^C
--- www.baidu.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1017ms
rtt min/avg/max/mdev = 0.376/0.457/0.538/0.081 ms
# 10.0.0.7 listed first
root@ubuntu1804:~# cat /etc/hosts
10.0.0.7 www.baidu.com
10.0.0.8 www.baidu.com www.360.com
root@ubuntu1804:~# ping www.baidu.com
PING www.baidu.com (10.0.0.7) 56(84) bytes of data.
64 bytes from www.baidu.com (10.0.0.7): icmp_seq=1 ttl=64 time=0.771 ms
64 bytes from www.baidu.com (10.0.0.7): icmp_seq=2 ttl=64 time=0.765 ms
^C
--- www.baidu.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.765/0.768/0.771/0.003 ms
# CentOS 7: change the lookup order in nsswitch.conf so DNS is consulted before the hosts file (the default is hosts first); on Ubuntu the same change did not take effect
[root@centos7 ~]# cat /etc/hosts
10.0.0.8 www.baidu.com
[root@centos7 ~]# vim /etc/nsswitch.conf
#hosts: files dns myhostname
hosts: dns myhostname files
# DNS now takes priority; the default is hosts first
[root@centos7 ~]# ping www.baidu.com
PING www.a.shifen.com (183.232.231.172) 56(84) bytes of data.
64 bytes from 183.232.231.172 (183.232.231.172): icmp_seq=1 ttl=128 time=7.21 ms
^C
--- www.a.shifen.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 7.212/7.212/7.212/0.000 ms
Primary server:
[root@centos8 ~]# yum install -y bind bind-utils
[root@centos8 ~]# vim /etc/named.conf
# Comment out the following two lines so that named listens on all interfaces and answers clients other than localhost
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
# Only allow the secondary server to perform zone transfers
allow-transfer { 10.0.0.18; };
# Caveat: with allow-query removed the server answers anyone who can reach it. On a server that only needs to be authoritative, also set "recursion no;" (or restrict allow-recursion to local networks) so it cannot be abused as an open resolver.
# Add the following zone definition
[root@centos8 ~]# vim /etc/named.rfc1912.zones
zone "magedu.org" IN {
    type master;
    file "magedu.org.zone";
};
# cp -p keeps the owner and mode of named.localhost (root:named, 0640); without -p, fix them afterwards: chgrp named /var/named/magedu.org.zone
[root@centos8 ~]# cp -p /var/named/named.localhost /var/named/magedu.org.zone
[root@centos8 ~]# ll /var/named/magedu.org.zone
-rw-r----- 1 root named 152 Mar 1 2021 /var/named/magedu.org.zone
[root@centos8 ~]# vim /var/named/magedu.org.zone
$TTL 1D
@       IN SOA  master admin.magedu.org. (
                                        1       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      master
        NS      slave1
master  A       10.0.0.8
slave1  A       10.0.0.18
www     CNAME   cdn.magedu.org.
cdn     A       10.0.0.100
Secondary server:
# Install
[root@centos8 ~]# yum install -y bind
# Comment out the same two lines
[root@centos8 ~]# vim /etc/named.conf
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
# Edit the zones file
[root@centos8 ~]# vim /etc/named.rfc1912.zones
zone "magedu.org" {
    type slave;
    masters { 10.0.0.8; };
    file "slaves/magedu.org.slave";
};
[root@centos8 ~]# systemctl start named
# The zone has already been transferred from the primary automatically
[root@centos8 ~]# ll /var/named/slaves/
total 4
-rw-r--r-- 1 named named 686 Feb 25 22:03 magedu.org.slave
# The file looks like garbage when printed with cat: BIND stores transferred zones in its binary "raw" format by default. That is a load-time optimisation, not a security measure; anyone who can read the file can convert it back with "named-compilezone -f raw -F text -o - magedu.org /var/named/slaves/magedu.org.slave", or keep it readable by adding "masterfile-format text;" to the zone statement.
[root@centos8 ~]# cat /var/named/slaves/magedu.org.slave
(binary raw-format zone data, not reproduced here)
# Add the secondary as a second nameserver on the client
[root@centos7 ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DNS1=10.0.0.8
DNS2=10.0.0.18
[root@centos7 ~]# systemctl restart network
[root@centos7 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search magedu.org
nameserver 10.0.0.8
nameserver 10.0.0.18
# Queries go to 10.0.0.8 (the first nameserver) by default
[root@centos7 ~]# dig www.magedu.org
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7 <<>> www.magedu.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60068
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.org. IN A
;; ANSWER SECTION:
www.magedu.org. 86400 IN CNAME cdn.magedu.org.
cdn.magedu.org. 86400 IN A 10.0.0.100
;; AUTHORITY SECTION:
magedu.org. 86400 IN NS master.magedu.org.
;; ADDITIONAL SECTION:
master.magedu.org. 86400 IN A 10.0.0.8
;; Query time: 0 msec
;; SERVER: 10.0.0.8#53(10.0.0.8)
;; WHEN: Fri Feb 25 22:12:22 CST 2022
;; MSG SIZE rcvd: 114
# Stop the DNS service on 10.0.0.8
[root@centos8 ~]# rndc stop
# The client automatically falls over to 10.0.0.18 once the first server times out
[root@centos7 ~]# dig www.magedu.org
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7 <<>> www.magedu.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11864
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.org. IN A
;; ANSWER SECTION:
www.magedu.org. 86400 IN CNAME cdn.magedu.org.
cdn.magedu.org. 86400 IN A 10.0.0.100
;; AUTHORITY SECTION:
magedu.org. 86400 IN NS master.magedu.org.
;; ADDITIONAL SECTION:
master.magedu.org. 86400 IN A 10.0.0.8
;; Query time: 0 msec
;; SERVER: 10.0.0.18#53(10.0.0.18)
;; WHEN: Fri Feb 25 22:13:22 CST 2022
;; MSG SIZE rcvd: 114
[root@centos8 ~]# systemctl start named
# Change the zone file on the primary, without touching the serial
[root@centos8 ~]# vim /var/named/magedu.org.zone
cdn     A       10.0.0.111
[root@centos8 ~]# rndc reload
# Query the secondary explicitly
[root@centos7 ~]# dig www.magedu.org @10.0.0.18
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7 <<>> www.magedu.org @10.0.0.18
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7878
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.org. IN A
;; ANSWER SECTION:
www.magedu.org. 86400 IN CNAME cdn.magedu.org.
cdn.magedu.org. 86400 IN A 10.0.0.100   # unchanged: the secondary still serves the old data
;; AUTHORITY SECTION:
magedu.org. 86400 IN NS master.magedu.org.
;; ADDITIONAL SECTION:
master.magedu.org. 86400 IN A 10.0.0.8
;; Query time: 0 msec
;; SERVER: 10.0.0.18#53(10.0.0.18)
;; WHEN: Fri Feb 25 22:21:06 CST 2022
;; MSG SIZE rcvd: 114
# Add the secondary's NS record: the primary sends NOTIFY to the servers listed in NS records; otherwise the secondary only polls at the refresh interval, which is 1D here
[root@centos8 ~]# vim /var/named/magedu.org.zone
        NS      master
        NS      slave1
master  A       10.0.0.8
slave1  A       10.0.0.18
[root@centos8 ~]# rndc reload
# Still no change: the serial has not been increased, so the secondary considers its copy current
[root@centos7 ~]# dig www.magedu.org @10.0.0.18
# Bump the serial (set to 1 here; it must be higher than the serial the secondary holds)
[root@centos8 ~]# vim /var/named/magedu.org.zone
                                        1       ; serial
[root@centos8 ~]# rndc reload
# Now the secondary has synchronised with the primary
[root@centos7 ~]# dig www.magedu.org @10.0.0.18
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7 <<>> www.magedu.org @10.0.0.18
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48612
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.org. IN A
;; ANSWER SECTION:
www.magedu.org. 86400 IN CNAME cdn.magedu.org.
cdn.magedu.org. 86400 IN A 10.0.0.111
;; AUTHORITY SECTION:
magedu.org. 86400 IN NS slave1.magedu.org.
magedu.org. 86400 IN NS master.magedu.org.
;; ADDITIONAL SECTION:
master.magedu.org. 86400 IN A 10.0.0.8
slave1.magedu.org. 86400 IN A 10.0.0.18
;; Query time: 0 msec
;; SERVER: 10.0.0.18#53(10.0.0.18)
;; WHEN: Fri Feb 25 22:32:41 CST 2022
;; MSG SIZE rcvd: 151
# Pull the whole zone from the primary with a zone transfer (AXFR): at this point any host can do it, which leaks every record in the zone
[root@centos7 ~]# dig -t axfr magedu.org
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7 <<>> -t axfr magedu.org
;; global options: +cmd
magedu.org. 86400 IN SOA master.magedu.org. admin.magedu.org. 1 86400 3600 604800 10800
magedu.org. 86400 IN A 10.0.0.100
magedu.org. 86400 IN MX 10 mail1.magedu.org.
magedu.org. 86400 IN MX 20 mail2.magedu.org.
magedu.org. 86400 IN NS master.magedu.org.
magedu.org. 86400 IN NS slave1.magedu.org.
*.magedu.org. 86400 IN A 10.0.0.100
cdn.magedu.org. 86400 IN A 10.0.0.111
db.magedu.org. 86400 IN A 10.0.0.123
k8snode1.magedu.org. 86400 IN A 10.0.0.101
k8snode2.magedu.org. 86400 IN A 10.0.0.102
mail1.magedu.org. 86400 IN A 10.0.0.201
mail2.magedu.org. 86400 IN A 10.0.0.202
master.magedu.org. 86400 IN A 10.0.0.8
slave1.magedu.org. 86400 IN A 10.0.0.18
www.magedu.org. 86400 IN CNAME cdn.magedu.org.
magedu.org. 86400 IN SOA master.magedu.org. admin.magedu.org. 1 86400 3600 604800 10800
;; Query time: 1 msec
;; SERVER: 10.0.0.8#53(10.0.0.8)
;; WHEN: Fri Feb 25 22:47:09 CST 2022
;; XFR size: 17 records (messages 1, bytes 408)
# Restrict zone transfers on the primary to the secondary only
[root@centos8 ~]# vim /etc/named.conf
allow-transfer { 10.0.0.18; };
# The transfer from the client now fails
[root@centos7 ~]# dig -t axfr magedu.org
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7 <<>> -t axfr magedu.org
;; global options: +cmd
; Transfer failed.
# But the secondary still hands the zone to anyone, because its own allow-transfer has not been restricted
[root@centos7 ~]# dig -t axfr magedu.org @10.0.0.18
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7 <<>> -t axfr magedu.org @10.0.0.18
;; global options: +cmd
magedu.org. 86400 IN SOA master.magedu.org. admin.magedu.org. 1 86400 3600 604800 10800
magedu.org. 86400 IN NS master.magedu.org.
magedu.org. 86400 IN NS slave1.magedu.org.
magedu.org. 86400 IN MX 10 mail1.magedu.org.
magedu.org. 86400 IN MX 20 mail2.magedu.org.
magedu.org. 86400 IN A 10.0.0.100
*.magedu.org. 86400 IN A 10.0.0.100
cdn.magedu.org. 86400 IN A 10.0.0.111
db.magedu.org. 86400 IN A 10.0.0.123
k8snode1.magedu.org. 86400 IN A 10.0.0.101
k8snode2.magedu.org. 86400 IN A 10.0.0.102
mail1.magedu.org. 86400 IN A 10.0.0.201
mail2.magedu.org. 86400 IN A 10.0.0.202
master.magedu.org. 86400 IN A 10.0.0.8
slave1.magedu.org. 86400 IN A 10.0.0.18
www.magedu.org. 86400 IN CNAME cdn.magedu.org.
magedu.org. 86400 IN SOA master.magedu.org. admin.magedu.org. 1 86400 3600 604800 10800
;; Query time: 1 msec
;; SERVER: 10.0.0.18#53(10.0.0.18)
;; WHEN: Fri Feb 25 22:54:27 CST 2022
;; XFR size: 17 records (messages 1, bytes 408)
# On the secondary, disallow zone transfers to any host (the primary already limits them to 10.0.0.18)
[root@centos8 ~]# vim /etc/named.conf
allow-transfer { none; };
[root@centos8 ~]# rndc reload
# Now the zone cannot be pulled from the secondary either
[root@centos7 ~]# dig -t axfr magedu.org @10.0.0.18
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7 <<>> -t axfr magedu.org @10.0.0.18
;; global options: +cmd
; Transfer failed.
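An address-based allow-transfer, as configured above, is the minimum. A primary should additionally require the secondary to sign its AXFR/IXFR requests with a TSIG key, so that a host that spoofs or later inherits the secondary's address still cannot pull the zone, and the NOTIFY and transfer traffic between the two servers is authenticated. The POSIX shell script below is an added example and not part of the original write-up: it generates a random hmac-sha256 secret and prints the matching named.conf fragments for the primary (10.0.0.8) and the secondary (10.0.0.18) of magedu.org, plus a small check that a fragment really is key-locked. The key name xfer-key and the file paths are assumptions.

```shell
#!/bin/sh
# gen-tsig.sh: emit named.conf fragments that lock zone transfers to a TSIG key.
# Added example for the magedu.org primary/secondary pair; the key name,
# addresses and file paths are assumptions.

# 32 random bytes, base64-encoded: the raw HMAC-SHA256 key BIND expects.
gen_tsig_secret() {
    if command -v base64 >/dev/null 2>&1; then
        head -c 32 /dev/urandom | base64 | tr -d '\n'
    else
        openssl rand -base64 32
    fi
}

# key statement, identical on both servers ($1 = key name, $2 = secret).
tsig_key_block() {
    printf 'key "%s" {\n    algorithm hmac-sha256;\n    secret "%s";\n};\n' "$1" "$2"
}

# Primary: sign traffic to the secondary, accept transfers only when signed.
# $1 key name, $2 secret, $3 secondary IP, $4 zone name, $5 zone file
primary_conf() {
    tsig_key_block "$1" "$2"
    printf 'server %s {\n    keys { %s; };\n};\n' "$3" "$1"
    printf 'zone "%s" IN {\n    type master;\n    file "%s";\n' "$4" "$5"
    printf '    allow-transfer { key %s; };\n    also-notify { %s; };\n};\n' "$1" "$3"
}

# Secondary: sign requests to the primary, refuse to hand the zone to anyone.
# $1 key name, $2 secret, $3 primary IP, $4 zone name, $5 zone file
secondary_conf() {
    tsig_key_block "$1" "$2"
    printf 'server %s {\n    keys { %s; };\n};\n' "$3" "$1"
    printf 'zone "%s" IN {\n    type slave;\n    file "%s";\n' "$4" "$5"
    printf '    masters { %s key %s; };\n    allow-transfer { none; };\n};\n' "$3" "$1"
}

# Sanity check before trusting a fragment: transfers must be tied to a key or
# disabled outright, never left on an address-only ACL. 0 = locked, 1 = not.
transfer_is_key_locked() {
    case "$1" in
        *"allow-transfer { key "*) return 0 ;;
        *"allow-transfer { none; }"*) return 0 ;;
    esac
    return 1
}

emit_pair() {
    secret=$(gen_tsig_secret)
    echo "### /etc/named.conf fragment for the primary (10.0.0.8)"
    primary_conf xfer-key "$secret" 10.0.0.18 magedu.org magedu.org.zone
    echo
    echo "### /etc/named.conf fragment for the secondary (10.0.0.18)"
    secondary_conf xfer-key "$secret" 10.0.0.8 magedu.org slaves/magedu.org.slave
}

emit_pair
```

Paste each fragment into the respective named.conf (or a file it includes, owned root:named and mode 0640 like the zone files above, since the secret is in it), run "rndc reload" on both, and re-run the dig -t axfr tests: an unsigned transfer must now fail from every host, including 10.0.0.18 itself.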
2. Build an intelligent (split-horizon, view-based) DNS.
# Add a 100.0.0.0/24 address to simulate Shanghai; 10.0.0.0/24 plays Beijing
[root@centos8 ~]# ip a a 100.0.0.8/24 dev eth0
[root@centos8 ~]# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:5e:b6:6f brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.8/24 brd 10.0.0.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet 100.0.0.8/24 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe5e:b66f/64 scope link
       valid_lft forever preferred_lft forever
# Same on the client, so that queries sent to 100.0.0.8 leave with 100.0.0.7 as source address (the kernel picks the address on the destination's subnet), which is what makes the view match below work
[root@centos7 ~]# ip a a 100.0.0.7/24 dev eth0
[root@centos7 ~]# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:c7:a5:e1 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.7/24 brd 10.0.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 100.0.0.7/24 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fec7:a5e1/64 scope link
       valid_lft forever preferred_lft forever
# Add the following ACLs before the options block
[root@centos8 ~]# vim /etc/named.conf
acl beijingnet {
    10.0.0.0/24;
    11.0.0.0/24;
};
acl shanghainet {
    100.0.0.0/24;
};
# Create one zone file per region
[root@centos8 ~]# cp /var/named/magedu.org.zone /var/named/magedu.org.zone.bj
[root@centos8 ~]# cp /var/named/magedu.org.zone /var/named/magedu.org.zone.sh
# The Beijing zone file keeps the original data
[root@centos8 ~]# vim /var/named/magedu.org.zone.bj
$TTL 1D
@           IN SOA  master admin.magedu.org. (
                                        6       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
            NS      master
            NS      slave1
shanghai    NS      shanghaidns
master      A       10.0.0.8
slave1      A       10.0.0.18
shanghaidns A       10.0.0.28
www         A       10.0.0.100
# In the Shanghai zone file, www points to 100.0.0.100
[root@centos8 ~]# vim /var/named/magedu.org.zone.sh
$TTL 1D
@           IN SOA  master admin.magedu.org. (
                                        7       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
            NS      master
            NS      slave1
shanghai    NS      shanghaidns
master      A       10.0.0.8
slave1      A       10.0.0.18
shanghaidns A       10.0.0.28
www         A       100.0.0.100
# Once views are declared, BIND refuses zones defined outside a view, so the root hint zone has to move out of named.conf into the per-view zone files (and the top-level include of named.rfc1912.zones has to go as well)
[root@centos8 ~]# vim /etc/named.conf
zone "." IN {          # delete this block
    type hint;
    file "named.ca";
};
# Edit as follows
[root@centos8 ~]# vim /etc/named.rfc1912.zones
zone "." IN {          # added
    type hint;
    file "named.ca";
};
zone "magedu.org" {
    type master;
    file "magedu.org.zone.bj";    # changed
};
# One zones file per view
[root@centos8 ~]# cp /etc/named.rfc1912.zones /etc/named.rfc1912.zones.bj
[root@centos8 ~]# cp /etc/named.rfc1912.zones /etc/named.rfc1912.zones.sh
# Point the Shanghai copy at the Shanghai zone file
[root@centos8 ~]# vim /etc/named.rfc1912.zones.sh
zone "." IN {
    type hint;
    file "named.ca";
};
zone "magedu.org" {
    type master;
    file "magedu.org.zone.sh";    # changed
};
# Define the views; match-clients is evaluated against the query's source address, first matching view wins
[root@centos8 ~]# vim /etc/named.conf
view beijingview {
    match-clients { beijingnet; };
    include "/etc/named.rfc1912.zones.bj";
};
view shanghaiview {
    match-clients { shanghainet; };
    include "/etc/named.rfc1912.zones.sh";
};
include "/etc/named.root.key";
# The copies were made without -p, so named cannot read them: permission denied
[root@centos8 ~]# rndc reload
rndc: 'reload' failed: permission denied
# Fix owner and mode of the view zone lists
[root@centos8 ~]# chgrp named /etc/named.rfc1912.zones.sh; chmod 640 /etc/named.rfc1912.zones.sh
[root@centos8 ~]# ll /etc/named.rfc1912.zones.sh
-rw-r----- 1 root named 1225 Feb 26 21:44 /etc/named.rfc1912.zones.sh
[root@centos8 ~]# chgrp named /etc/named.rfc1912.zones.bj; chmod 640 /etc/named.rfc1912.zones.bj
[root@centos8 ~]# ll /etc/named.rfc1912.zones.bj
-rw-r----- 1 root named 1225 Feb 26 21:37 /etc/named.rfc1912.zones.bj
# And of the zone files
[root@centos8 ~]# chgrp named /var/named/magedu.org.zone.bj; chmod 640 /var/named/magedu.org.zone.bj
[root@centos8 ~]# ll /var/named/magedu.org.zone.bj
-rw-r----- 1 root named 272 Feb 26 21:30 /var/named/magedu.org.zone.bj
[root@centos8 ~]# chgrp named /var/named/magedu.org.zone.sh; chmod 640 /var/named/magedu.org.zone.sh
[root@centos8 ~]# ll /var/named/magedu.org.zone.sh
-rw-r----- 1 root named 273 Feb 26 21:23 /var/named/magedu.org.zone.sh
# Reload succeeds
[root@centos8 ~]# rndc reload
server reload successful
# Simulate a Beijing user on the 10.0.0.0/24 network
[root@centos7 ~]# dig www.magedu.org @10.0.0.8
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7 <<>> www.magedu.org @10.0.0.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33608
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.org. IN A
;; ANSWER SECTION:
www.magedu.org. 86400 IN A 10.0.0.100    # answer for the 10 network
;; AUTHORITY SECTION:
magedu.org. 86400 IN NS master.magedu.org.
magedu.org. 86400 IN NS slave1.magedu.org.
;; ADDITIONAL SECTION:
master.magedu.org. 86400 IN A 10.0.0.8
slave1.magedu.org. 86400 IN A 10.0.0.18
;; Query time: 1 msec
;; SERVER: 10.0.0.8#53(10.0.0.8)
;; WHEN: Sat Feb 26 22:18:10 CST 2022
;; MSG SIZE rcvd: 133
# Simulate a Shanghai user on the 100.0.0.0/24 network
[root@centos7 ~]# dig www.magedu.org @100.0.0.8
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7 <<>> www.magedu.org @100.0.0.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15739
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.org. IN A
;; ANSWER SECTION:
www.magedu.org. 86400 IN A 100.0.0.100    # answer for the 100 network
;; AUTHORITY SECTION:
magedu.org. 86400 IN NS master.magedu.org.
magedu.org. 86400 IN NS slave1.magedu.org.
;; ADDITIONAL SECTION:
master.magedu.org. 86400 IN A 10.0.0.8
slave1.magedu.org. 86400 IN A 10.0.0.18
;; Query time: 0 msec
;; SERVER: 100.0.0.8#53(100.0.0.8)
;; WHEN: Sat Feb 26 22:19:08 CST 2022
;; MSG SIZE rcvd: 133
# Caveat: the secondary 10.0.0.18 matches beijingnet, so a transfer from it now yields only the Beijing version of the zone; serving both views from a secondary requires a separate transfer source address or TSIG key per view.

3. Use iptables to allow ssh, telnet, ftp and the web service on port 80, and reject every other port/service.
[root@centos8 ~]#iptables -A INPUT -p tcp -m multiport --dports 21:23,80 -j ACCEPT
[root@centos8 ~]#iptables -A INPUT -j REJECT
[root@centos8 ~]#iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
29 2132 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21:23,80
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain L (0 references)
pkts bytes target prot opt in out source destination
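The two rules above answer the exercise literally but leave two gaps a practitioner would close. Nothing accepts loopback traffic or the replies to connections the host itself opened, so once "-A INPUT -j REJECT" is appended the host's own DNS lookups, yum and outbound ssh break (their replies arrive on INPUT and match nothing but the REJECT). And telnet and ftp are cleartext protocols that are only kept because the exercise asks for them. The POSIX shell script below is an added example, not from the original homework: it builds the same policy in iptables-restore format with loopback and conntrack rules first, one documented ACCEPT per service, a rate-limited log line, and a protocol-appropriate reject. The service list and log prefix are assumptions. Note that FTP passive mode additionally needs the nf_conntrack_ftp helper loaded so that data connections count as RELATED.

```shell
#!/bin/sh
# host-fw.sh: stateful INPUT policy for ssh/telnet/ftp/http in iptables-restore
# format. Added example; the service list is an assumption.

# Services to expose, as "name:proto:port". telnet and ftp are cleartext and
# are listed only because the exercise requires them.
SERVICES="ssh:tcp:22 telnet:tcp:23 ftp:tcp:21 http:tcp:80"

# One ACCEPT per service, matching only the first packet of a new connection.
service_rules() {
    for svc in $SERVICES; do
        name=${svc%%:*}
        rest=${svc#*:}
        proto=${rest%%:*}
        port=${rest#*:}
        printf '%s\n' "-A INPUT -p $proto --dport $port -m conntrack --ctstate NEW -m comment --comment $name -j ACCEPT"
    done
}

# Complete filter table. Order matters: loopback and established traffic are
# accepted before any service rule, and the REJECTs come last.
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is needed by local services (named on 127.0.0.1, for instance)
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened: DNS answers, yum, outbound ssh
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# keep the host diagnosable, but rate-limit echo requests
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
EOF
    service_rules
    cat <<'EOF'
# log what is about to be refused, then answer with the right error type
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "INPUT-REJECT: " --log-level 4
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Is a NEW connection to $1/$2 (proto/port) accepted by the generated set?
port_allowed() {
    build_ruleset | grep -q -- "^-A INPUT -p $1 --dport $2 .*-j ACCEPT"
}

# 1-based position of the first INPUT rule containing $1, 0 if absent; used
# to verify ordering before loading the set on a remote host.
rule_position() {
    pos=$(build_ruleset | grep -- '^-A INPUT' | grep -n -- "$1" | head -n1 | cut -d: -f1)
    echo "${pos:-0}"
}

# Print the ruleset; load it with:  ./host-fw.sh | iptables-restore
build_ruleset
```

Load it from a console session rather than over ssh the first time, and keep the old ruleset (iptables-save) at hand; with the INPUT policy set to DROP a typo in the service list locks you out.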
4. NAT summary
[Figure: NAT packet flow through the iptables chains (image not available)]
NAT: network address translation. The nat table hooks the PREROUTING, INPUT, OUTPUT and POSTROUTING chains.
Request packet: its source/destination IP is rewritten as the rule defines.
Reply packet: its source/destination IP is rewritten automatically by the connection-tracking mechanism (only the first packet of a connection traverses the nat table; the decision is then replayed from the conntrack entry for the rest of the flow).
NAT comes in the following types:
SNAT: source NAT, used in POSTROUTING and INPUT. Lets hosts on the local network reach the outside through one particular address (address masquerading); the request packet's source IP is rewritten.
DNAT: destination NAT, used in PREROUTING and OUTPUT. Publishes a service on an internal host to the outside (service publishing / port mapping) while hiding the real IP; the request packet's destination IP is rewritten.
PNAT: port NAT, rewrites both the port and the IP.
5. Implement SNAT and DNAT with iptables, and persist the rules.
# Two web servers on the internal network (10.0.0.7 and 10.0.0.17). The hostnames contain the typo "mageud"; it is kept here because it shows up in the test output below
[root@centos7 ~]# yum -y install httpd; systemctl enable --now httpd; hostnamectl set-hostname web1.mageud.org; hostname > /var/www/html/index.html
[root@centos17 ~]# yum -y install httpd; systemctl enable --now httpd; hostnamectl set-hostname web2.mageud.org; hostname > /var/www/html/index.html
# Point their default gateway at the NAT box (vie0 is presumably a course shell alias for editing ifcfg-eth0)
[root@web1 ~]# vie0
GATEWAY=10.0.0.8
[root@web2 ~]# vie0
GATEWAY=10.0.0.8
# Apply
[root@web1 ~]# systemctl restart network
[root@web2 ~]# systemctl restart network
# Add a host-only NIC to centos8; it becomes the "external" side
[root@centos8 ~]# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:5e:b6:6f brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.8/24 brd 10.0.0.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe5e:b66f/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:5e:b6:79 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.128/24 brd 192.168.10.255 scope global dynamic noprefixroute eth1
       valid_lft 1749sec preferred_lft 1749sec
    inet6 fe80::904f:5d2b:1c2d:477/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
# List the connections
[root@centos8 ~]# nmcli connection
NAME                UUID                                  TYPE      DEVICE
eth0                5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03  ethernet  eth0
Wired connection 1  1530c6a4-b89f-364a-b3db-0351d24e80dc  ethernet  eth1
# Rename the connection (the name contains spaces, so it must be quoted)
[root@centos8 ~]# nmcli connection modify "Wired connection 1" con-name eth1
[root@centos8 ~]# nmcli connection
NAME  UUID                                  TYPE      DEVICE
eth0  5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03  ethernet  eth0
eth1  1530c6a4-b89f-364a-b3db-0351d24e80dc  ethernet  eth1
# Give it a static address
[root@centos8 ~]# nmcli connection modify eth1 ipv4.method manual ipv4.addresses 192.168.10.8/24 ifname eth1
[root@centos8 ~]# nmcli connection up eth1
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)
[root@centos8 ~]# ip add
(lo and eth0 unchanged)
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:5e:b6:79 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.8/24 brd 192.168.10.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::904f:5d2b:1c2d:477/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
# Remove the default route on the internal side
[root@centos8 ~]# ip route del default via 10.0.0.2 dev eth0 proto static metric 100
# Give the "external" Ubuntu client an address on 192.168.10.0/24 with the NAT box as gateway
[root@ubuntu1804 ~]# vim /etc/netplan/01-netcfg.yaml
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      dhcp4: no
      addresses: [192.168.10.100/24]
      gateway4: 192.168.10.8
[root@ubuntu1804 ~]# netplan apply
# The Ubuntu VM loses connectivity at this point; switch its NIC to host-only mode
# Capture on eth1: echo requests arrive from 192.168.10.100, nothing comes back
[root@centos8 ~]# tcpdump -i eth1 -nn icmp
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
16:25:47.834579 IP 192.168.10.100 > 10.0.0.7: ICMP echo request, id 3406, seq 1, length 64
16:25:48.844687 IP 192.168.10.100 > 10.0.0.7: ICMP echo request, id 3406, seq 2, length 64
16:25:49.868145 IP 192.168.10.100 > 10.0.0.7: ICMP echo request, id 3406, seq 3, length 64
16:25:50.892310 IP 192.168.10.100 > 10.0.0.7: ICMP echo request, id 3406, seq 4, length 64
16:25:51.916341 IP 192.168.10.100 > 10.0.0.7: ICMP echo request, id 3406, seq 5, length 64
^C
5 packets captured
5 packets received by filter
0 packets dropped by kernel
# Nothing on eth0: the kernel is not forwarding
[root@centos8 ~]# tcpdump -i eth0 -nn icmp
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
# Check the forwarding sysctl
[root@centos8 ~]# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 0
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
# Enable forwarding permanently
[root@centos8 ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
# Apply
[root@centos8 ~]# sysctl -p
net.ipv4.ip_forward = 1
# eth0 now sees the forwarded request and the reply
[root@centos8 ~]# tcpdump -i eth0 -nn icmp
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:38:19.430153 IP 192.168.10.100 > 10.0.0.7: ICMP echo request, id 3406, seq 735, length 64
16:38:19.430508 IP 10.0.0.7 > 192.168.10.100: ICMP echo reply, id 3406, seq 735, length 64
# The Ubuntu client can now reach the internal network (ttl=63: one router hop)
[root@ubuntu1804 ~]# ping 10.0.0.7
PING 10.0.0.7 (10.0.0.7) 56(84) bytes of data.
64 bytes from 10.0.0.7: icmp_seq=735 ttl=63 time=0.781 ms
# Policy: inside may reach outside, outside may not open connections to the inside
[root@centos8 ~]# iptables -A FORWARD ! -s 10.0.0.0/24 -d 10.0.0.0/24 -m state --state NEW -j REJECT
# From outside nothing works any more ("Connection refused" is the ICMP port-unreachable that REJECT sends)
[root@ubuntu1804 ~]# curl 10.0.0.7
curl: (7) Failed to connect to 10.0.0.7 port 80: Connection refused
[root@ubuntu1804 ~]# curl 10.0.0.17
curl: (7) Failed to connect to 10.0.0.17 port 80: Connection refused
# From inside the outside is still reachable
[root@web1 ~]# ping 192.168.10.100
PING 192.168.10.100 (192.168.10.100) 56(84) bytes of data.
64 bytes from 192.168.10.100: icmp_seq=1 ttl=63 time=0.988 ms
# Open only port 80 on 10.0.0.7; the rule is inserted (-I) so it is evaluated before the REJECT
[root@centos8 ~]# iptables -I FORWARD ! -s 10.0.0.0/24 -d 10.0.0.7 -m state --state NEW -p tcp --dport 80 -j ACCEPT
# Test
[root@ubuntu1804 ~]# curl 10.0.0.7
web1.mageud.org
[root@ubuntu1804 ~]# curl 10.0.0.17
curl: (7) Failed to connect to 10.0.0.17 port 80: Connection refused
# Flush the filter rules before moving on to NAT (this also drops the policy just tested; in production the NAT rules are added alongside the filter rules, not instead of them)
[root@centos8 ~]# iptables -F
# Remove the Ubuntu client's default route, so it can only talk to 192.168.10.0/24 directly; this simulates an outside host that knows nothing about the private 10.0.0.0/24 network
[root@ubuntu1804 ~]# ip route
default via 192.168.10.8 dev eth0 proto static
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.100
[root@ubuntu1804 ~]# ip route del default via 192.168.10.8 dev eth0 proto static
[root@ubuntu1804 ~]# ip route
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.100
# SNAT: masquerade internal sources leaving for any destination outside 10.0.0.0/24
[root@centos8 ~]# iptables -t nat -A POSTROUTING -s 10.0.0.0/24 ! -d 10.0.0.0/24 -j MASQUERADE
[root@centos8 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    84 MASQUERADE  all  --  *      *       10.0.0.0/24         !10.0.0.0/24
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
# The inside can reach the Ubuntu host even though it has no route back to 10.0.0.0/24, because the replies now go to 192.168.10.8
[root@web1 ~]# ping 192.168.10.100
PING 192.168.10.100 (192.168.10.100) 56(84) bytes of data.
64 bytes from 192.168.10.100: icmp_seq=1 ttl=63 time=3.15 ms
[root@web1 ~]# ping 192.168.10.100
PING 192.168.10.100 (192.168.10.100) 56(84) bytes of data.
64 bytes from 192.168.10.100: icmp_seq=1 ttl=63 time=1.02 ms
# Capture on the Ubuntu side: the source is the SNAT address 192.168.10.8, not 10.0.0.7
[root@ubuntu1804 ~]# tcpdump -i eth0 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
19:41:28.081075 IP 192.168.10.8 > 192.168.10.100: ICMP echo request, id 2471, seq 1, length 64
19:41:28.081118 IP 192.168.10.100 > 192.168.10.8: ICMP echo reply, id 2471, seq 1, length 64
# The outside cannot reach 10.0.0.7 directly (no route)
[root@ubuntu1804 ~]# curl 10.0.0.7
curl: (7) Couldn't connect to server
# DNAT: publish 10.0.0.7:80 on the NAT box's external address
[root@centos8 ~]# iptables -t nat -A PREROUTING -d 192.168.10.8 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.7
[root@centos8 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.10.8         tcp dpt:80 to:10.0.0.7
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   252 MASQUERADE  all  --  *      *       10.0.0.0/24         !10.0.0.0/24
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
# Accessing the published ("public") address works
[root@ubuntu1804 ~]# curl 192.168.10.8
web1.mageud.org
# The web server's log shows the real client address, because DNAT rewrites only the destination
[root@web1 ~]# tail -f /var/log/httpd/access_log
10.0.0.7 - - [02/Mar/2022:15:08:31 +0800] "GET / HTTP/1.1" 200 16 "-" "curl/7.29.0"
192.168.10.100 - - [02/Mar/2022:16:40:50 +0800] "GET / HTTP/1.1" 200 16 "-" "curl/7.58.0"
192.168.10.100 - - [02/Mar/2022:16:47:57 +0800] "GET / HTTP/1.1" 200 16 "-" "curl/7.58.0"
192.168.10.100 - - [02/Mar/2022:16:54:57 +0800] "GET / HTTP/1.1" 200 16 "-" "curl/7.58.0"
192.168.10.100 - - [02/Mar/2022:19:49:24 +0800] "GET / HTTP/1.1" 200 16 "-" "curl/7.58.0"
# Move the web server to port 8080
[root@web1 ~]# vim /etc/httpd/conf/httpd.conf
Listen 8080
[root@web1 ~]# systemctl restart httpd
# Replace rule 1 so that external port 80 maps to internal port 8080 (port mapping)
[root@centos8 ~]# iptables -t nat -R PREROUTING 1 -d 192.168.10.8 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.7:8080
[root@centos8 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.10.8         tcp dpt:80 to:10.0.0.7:8080
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   252 MASQUERADE  all  --  *      *       10.0.0.0/24         !10.0.0.0/24
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
# Works
[root@ubuntu1804 ~]# curl 192.168.10.8
web1.mageud.org
# Persist the rules
[root@centos8 ~]# iptables-save > /data/iptables.rule
# Restore them at boot by adding this line (rc-local.service only runs when the file is executable, hence the chmod)
[root@centos8 ~]# vim /etc/rc.d/rc.local
iptables-restore < /data/iptables.rule
[root@centos8 ~]# chmod +x /etc/rc.d/rc.local
[root@centos8 ~]# reboot
# The rules are back after the reboot
[root@centos8 ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 1 packets, 52 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.10.8         tcp dpt:80 to:10.0.0.7:8080
Chain INPUT (policy ACCEPT 1 packets, 52 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      *       10.0.0.0/24         !10.0.0.0/24
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
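The walkthrough above adds the NAT and filter rules by hand, flushes the filter policy before doing NAT, and persists the result through rc.local. The POSIX shell script below is an added example and not part of the original write-up: it generates a single iptables-restore file carrying both tables for this topology (10.0.0.0/24 inside on eth0, 192.168.10.8 on eth1 outside, web1 at 10.0.0.7:8080), keeps the "inside may initiate, outside may not" FORWARD policy while still letting the published connection through (a DNAT rule alone does nothing useful if FORWARD rejects NEW connections to 10.0.0.0/24, which is what the earlier rule did), and relies on conntrack so only the first packet of each flow is inspected. Interface names, addresses and the published service are assumptions. On CentOS the supported persistence mechanism is the iptables-services package, which loads /etc/sysconfig/iptables at boot; writing the generated file there and enabling the iptables unit replaces the rc.local approach.

```shell
#!/bin/sh
# nat-gw.sh: generate an iptables-restore file for a small NAT gateway.
# Added example; topology and paths are assumptions matching the lab above.
# Forwarding itself still needs net.ipv4.ip_forward = 1 as shown earlier.

LAN_IF=eth0            # inside, 10.0.0.8
WAN_IF=eth1            # outside, 192.168.10.8
LAN_NET=10.0.0.0/24
WAN_IP=192.168.10.8

# Published services, as "external_port:internal_ip:internal_port"
PUBLISHED="80:10.0.0.7:8080"

# nat table: DNAT published ports on the WAN address, masquerade LAN sources
# leaving through the WAN interface.
nat_table() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    for p in $PUBLISHED; do
        ext=${p%%:*}; rest=${p#*:}; ip=${rest%%:*}; port=${rest#*:}
        printf '%s\n' "-A PREROUTING -i $WAN_IF -d $WAN_IP -p tcp --dport $ext -j DNAT --to-destination $ip:$port"
    done
    # MASQUERADE uses whatever address the WAN interface currently has, so a
    # WAN address change needs no rule edit (SNAT --to-source is the static form).
    printf '%s\n' "-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE" COMMIT
}

# filter table: forward only conntrack-approved traffic, LAN-initiated flows,
# and the published services; everything else from the WAN is rejected.
filter_table() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A FORWARD -m conntrack --ctstate INVALID -j DROP' \
        "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT"
    for p in $PUBLISHED; do
        rest=${p#*:}; ip=${rest%%:*}; port=${rest#*:}
        # FORWARD sees the packet after DNAT, so match the internal address and port
        printf '%s\n' "-A FORWARD -i $WAN_IF -o $LAN_IF -d $ip -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' "-A FORWARD -i $WAN_IF -j REJECT --reject-with icmp-port-unreachable" COMMIT
}

ruleset() { nat_table; filter_table; }

# Does the generated set forward NEW connections from the WAN to $1 port $2?
wan_can_reach() {
    ruleset | grep -q -- "^-A FORWARD -i $WAN_IF -o $LAN_IF -d $1 -p tcp --dport $2 .*-j ACCEPT"
}

# Number of tables in the file; iptables-restore expects one COMMIT per table.
table_count() { ruleset | grep -c '^COMMIT$'; }

# Print the file. On the gateway:
#   ./nat-gw.sh > /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables
ruleset
```

After loading, repeat the tests from the walkthrough: curl 192.168.10.8 from the Ubuntu host must return web1.mageud.org, curl 10.0.0.17 must be refused, and web1's access_log must still show 192.168.10.100 as the client.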



