{"id":1139,"date":"2018-06-26T20:19:58","date_gmt":"2018-06-26T12:19:58","guid":{"rendered":"https:\/\/www.xiaobo.li\/?p=1139"},"modified":"2018-06-26T20:21:25","modified_gmt":"2018-06-26T12:21:25","slug":"iptables-snat-dnat","status":"publish","type":"post","link":"https:\/\/www.xiaobo.li\/notes\/archives\/1139","title":{"rendered":"iptables SNAT DNAT"},"content":{"rendered":"<p><strong>I. SNAT: source address translation<\/strong><\/p>\n<p>1. Principle: after routing (POSTROUTING), the internal network's IP address is rewritten to the IP address of the external NIC.<\/p>\n<p>2. Use case: sharing Internet access among internal hosts.<\/p>\n<p>3. Configuring SNAT: done on the gateway host.<\/p>\n<p>(1) Configure basic settings such as the IP addresses.<\/p>\n<p>(2) Enable routing:<\/p>\n<p>sed -i '\/ip_forward\/s\/0\/1\/g' \/etc\/sysctl.conf<\/p>\n<p>sysctl -p<\/p>\n<p>(3) Write the rules:<\/p>\n<p>iptables -t nat -I POSTROUTING -o &lt;external NIC&gt; -s &lt;internal subnet&gt; -j SNAT --to-source &lt;external IP address&gt;  # for a fixed external IP address<\/p>\n<p>iptables -t nat -I POSTROUTING -o &lt;external NIC&gt; -s &lt;internal subnet&gt; -j MASQUERADE 
# for sharing Internet access over a dynamic IP address (e.g. ADSL dial-up, or an external IP obtained via DHCP)<\/p>\n<p>(4) Apply security controls: filter at the FORWARD hook and set strict INPUT rules.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>II. DNAT: destination address translation<\/strong><\/p>\n<p>1. Principle: before routing (PREROUTING), the destination IP and port of traffic from the external network addressed to the gateway's public IP and the corresponding port are rewritten to the internal server's IP and port, which publishes the internal server.<\/p>\n<p>2. Use case: publishing services on internal hosts.<\/p>\n<p>3. Configuring DNAT: done on the gateway host.<\/p>\n<p>(1) Configure the IP addresses, enable routing, configure SNAT.<\/p>\n<p>(2) Write the firewall rule:<\/p>\n<p>iptables -t nat -I PREROUTING -i &lt;external NIC&gt; -d &lt;external IP&gt; -p tcp --dport &lt;published port&gt; -j DNAT --to-destination &lt;internal service IP&gt;:&lt;port&gt;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-1140 size-full\" src=\"https:\/\/www.xiaobo.li\/notes\/wp-content\/uploads\/2018\/06\/101.gif\" alt=\"\" width=\"759\" height=\"346\" \/><\/p>\n<p>NAT: network address translation<\/p>\n<p>Judging by the request packet alone, NAT can be divided into:<\/p>\n<p>SNAT: source address translation<\/p>\n<p>DNAT: destination address translation<\/p>\n<p>PNAT: port translation<\/p>\n<p>NAT server: can perform, as needed, SNAT DNAT 
PNAT<\/p>\n<p>The translation is not done by a user-space process; it relies on the address translation rules in the kernel.<\/p>\n<p>Ways for clients with private IPs to access the Internet:<\/p>\n<p>SNAT, PROXY<\/p>\n<p>SNAT: mainly used when internal clients access external hosts (Internet access for a LAN)<\/p>\n<p>Defined on the POSTROUTING chain<\/p>\n<p>iptables -t nat -A POSTROUTING -s &lt;internal network or host address&gt; -j SNAT --to-source &lt;an external address on the NAT server&gt;<\/p>\n<p>Another target<\/p>\n<p>MASQUERADE: address masquerading (suited to PPPoE dial-up; assume eth1 is the egress interface)<\/p>\n<p>iptables -t nat -A POSTROUTING -s &lt;internal network or host address&gt; -o eth1 -j MASQUERADE<\/p>\n<p>DNAT: mainly used when internal servers are accessed from the external network (publishing services)<\/p>\n<p>Defined on PREROUTING<\/p>\n<p>iptables -t nat -A PREROUTING -d &lt;an external address of the NAT server&gt; -p &lt;protocol&gt; --dport &lt;port&gt; -j DNAT --to-destination &lt;internal server address&gt;[:port]<\/p>\n<p>Note: the NAT server must have packet forwarding enabled<\/p>\n<p>echo 1 &gt; \/proc\/sys\/net\/ipv4\/ip_forward<\/p>\n<p>or edit \/etc\/sysctl.conf: net.ipv4.ip_forward = 1<\/p>\n<p>Lab exercises<\/p>\n<p>SNAT, DNAT<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Lab 1:<\/strong><\/p>\n<p>SNAT<\/p>\n<p>Plan: host A acts as the SNAT server<\/p>\n<p>eth0 IP address 172.20.1.10 (external address), eth1 
192.168.1.1 (internal address)<\/p>\n<p>Host B acts as a host inside the LAN<\/p>\n<p>eth0 IP address 192.168.1.2; the default route must point to 192.168.1.1<\/p>\n<p>SNAT server:<\/p>\n<p>[root@localhost ~]# iptables -t nat -A POSTROUTING -s 192.168.1.0\/24 -j SNAT --to-source 172.20.1.10<\/p>\n<p># The above is the same as in our worked example<\/p>\n<p>[root@localhost ~]# echo 1 &gt; \/proc\/sys\/net\/ipv4\/ip_forward<\/p>\n<p>Host B pings another external host (172.20.1.20 simulates a host on the Internet)<\/p>\n<p>DNAT<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-1141 size-full\" src=\"https:\/\/www.xiaobo.li\/notes\/wp-content\/uploads\/2018\/06\/102.png\" alt=\"\" width=\"500\" height=\"265\" srcset=\"https:\/\/www.xiaobo.li\/notes\/wp-content\/uploads\/2018\/06\/102.png 500w, https:\/\/www.xiaobo.li\/notes\/wp-content\/uploads\/2018\/06\/102-300x159.png 300w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/p>\n<p>[root@nat ~]# iptables -t filter -F<\/p>\n<p>[root@nat ~]# iptables -t nat -F<\/p>\n<p>[root@nat ~]# iptables -t nat -A PREROUTING -d 10.1.249.125 -p tcp --dport 80 -j DNAT --to-destination 192.168.2.4<\/p>\n<p>Chain PREROUTING (policy ACCEPT)<\/p>\n<p>target \u00a0 \u00a0 prot opt source \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 destination<\/p>\n<p>DNAT \u00a0 \u00a0 \u00a0 tcp \u00a0-- \u00a00.0.0.0\/0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a010.1.249.125 \u00a0 \u00a0 \u00a0 \u00a0tcp dpt:80 to:192.168.2.4<\/p>\n<p>[root@nat ~]# netstat -tln | grep \"\\&lt;80\\&gt;\" \u00a0# at this point port 80 is not open on this host<\/p>\n<p>[root@wai ~]# curl http:\/\/10.1.249.125<\/p>\n<p>hello \u00a0--&gt; here we are accessing port 80 on the nat host. 
As shown above, this server does not have port 80 open; the request is forwarded to the backend server<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Real-world case<\/strong><\/p>\n<p>We have a machine A that can reach the Internet, configured with eth0=192.168.1.1, eth1=222.13.56.192<\/p>\n<p>There are 6 machines that have only internal IPs, 192.168.1.102~192.168.1.108, and we want these 6 machines to reach the Internet through machine A<\/p>\n<p>Configuring the following on machine A's firewall is enough<\/p>\n<p>\/sbin\/iptables -t nat -I POSTROUTING -s 192.168.1.101 -j SNAT --to-source 222.13.56.192<\/p>\n<p>\/sbin\/iptables -t nat -I POSTROUTING -s 192.168.1.102 -j SNAT --to-source 222.13.56.192<\/p>\n<p>\/sbin\/iptables -t nat -I POSTROUTING -s 192.168.1.103 -j SNAT --to-source 222.13.56.192<\/p>\n<p>\/sbin\/iptables -t nat -I POSTROUTING -s 192.168.1.104 -j SNAT --to-source 222.13.56.192<\/p>\n<p>\/sbin\/iptables -t nat -I POSTROUTING -s 192.168.1.105 -j SNAT --to-source 222.13.56.192<\/p>\n<p>\/sbin\/iptables -t nat -I POSTROUTING -s 192.168.1.108 -j SNAT --to-source 222.13.56.192<\/p>\n<p>Routing table shown on the 6 machines<\/p>\n<p>route -n<\/p>\n<p>Kernel IP routing table<\/p>\n<p>Destination \u00a0 \u00a0 Gateway \u00a0 \u00a0 \u00a0 \u00a0 Genmask \u00a0 \u00a0 \u00a0 \u00a0 Flags Metric Ref \u00a0 \u00a0Use Iface<\/p>\n<p>192.168.1.0 \u00a0 \u00a0 0.0.0.0 \u00a0 \u00a0 \u00a0 \u00a0 255.255.255.0 \u00a0 U \u00a0 \u00a0 0 \u00a0 \u00a0 \u00a00 \u00a0 \u00a0 \u00a0 \u00a00 em1<\/p>\n<p>169.254.0.0 \u00a0 \u00a0 0.0.0.0 \u00a0 \u00a0 \u00a0 \u00a0 255.255.0.0 \u00a0 \u00a0 U \u00a0 \u00a0 1002 \u00a0 0 \u00a0 \u00a0 \u00a0 \u00a00 em1<\/p>\n<p>0.0.0.0 \u00a0 \u00a0 \u00a0 \u00a0 192.168.1.1 \u00a0 0.0.0.0 \u00a0 \u00a0 \u00a0 \u00a0 UG \u00a0 \u00a00 \u00a0 \u00a0 \u00a00 
\u00a0 \u00a0 \u00a0 \u00a00 em1<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I. SNAT: source address translation 1. Principle: after routing (POSTROUTING), the internal network's i &hellip; <a href=\"https:\/\/www.xiaobo.li\/notes\/archives\/1139\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[273],"tags":[],"class_list":["post-1139","post","type-post","status-publish","format-standard","hentry","category-article"],"_links":{"self":[{"href":"https:\/\/www.xiaobo.li\/notes\/wp-json\/wp\/v2\/posts\/1139","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.xiaobo.li\/notes\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.xiaobo.li\/notes\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.xiaobo.li\/notes\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.xiaobo.li\/notes\/wp-json\/wp\/v2\/comments?post=1139"}],"version-history":[{"count":0,"href":"https:\/\/www.xiaobo.li\/notes\/wp-json\/wp\/v2\/posts\/1139\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.xiaobo.li\/notes\/wp-json\/wp\/v2\/media?parent=1139"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.xiaobo.li\/notes\/wp-json\/wp\/v2\/categories?post=1139"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.xiaobo.li\/notes\/wp-json\/wp\/v2\/tags?post=1139"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}