17.第13章Linux防火墙


1.FORWARD链实现内外网络的互访

环境准备:

[root@centos7 network-scripts]# vim ifcfg-eth1
NAME=eth1
DEVICE=eth1
BOOTPROTO=none
IPADDR=192.168.10.7
PREFIX=24     

[root@centos7 network-scripts]# nmcli connection reload
[root@centos7 network-scripts]# nmcli connection up eth1
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)
[root@centos7 network-scripts]# nmcli connection
NAME                UUID                                  TYPE      DEVICE 
eth0                5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03  ethernet  eth0   
eth1                9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04  ethernet  eth1   
Wired connection 1  23436a72-d80b-332a-8b30-6265ea877859  ethernet  --     
[root@centos7 network-scripts]# nmcli connection delete Wired\ connection\ 1
Connection 'Wired connection 1' (23436a72-d80b-332a-8b30-6265ea877859) successfully deleted.
[root@centos7 network-scripts]# nmcli connection
NAME  UUID                                  TYPE      DEVICE 
eth0  5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03  ethernet  eth0   
eth1  9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04  ethernet  eth1   
[root@centos7 network-scripts]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:6a:7e:b8 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.7/24 brd 10.0.0.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe6a:7eb8/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:6a:7e:c2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.7/24 brd 192.168.10.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe6a:7ec2/64 scope link 
       valid_lft forever preferred_lft forever


root@ubuntu1804:~# cd /etc/netplan/
root@ubuntu1804:/etc/netplan# ls
01-netcfg.yaml
root@ubuntu1804:/etc/netplan# vim 01-netcfg.yaml 
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      addresses: [192.168.10.100/24] 
      gateway4: 192.168.10.7                                                                                                   
      nameservers:
        search: [neteagles.cn, neteagles.com]
        addresses: [223.5.5.5, 223.6.6.6]

root@ubuntu1804:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:b1:12:5e brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.100/24 brd 192.168.10.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:feb1:125e/64 scope link 
       valid_lft forever preferred_lft forever

root@ubuntu1804:~# ping 192.168.10.7
PING 192.168.10.7 (192.168.10.7) 56(84) bytes of data.
64 bytes from 192.168.10.7: icmp_seq=1 ttl=64 time=0.627 ms
64 bytes from 192.168.10.7: icmp_seq=2 ttl=64 time=0.496 ms
64 bytes from 192.168.10.7: icmp_seq=3 ttl=64 time=0.431 ms
^C
--- 192.168.10.7 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2047ms
rtt min/avg/max/mdev = 0.431/0.518/0.627/0.081 ms


[root@centos8 network-scripts]# vim ifcfg-eth0 
DEVICE=eth0
NAME=eth0
BOOTPROTO=none
ONBOOT=yes
IPADDR=10.0.0.8
PREFIX=24
GATEWAY=10.0.0.7                                                                                                               
DNS1=223.5.5.5
DNS2=223.6.6.6

[root@centos8 network-scripts]# nmcli connection reload
[root@centos8 network-scripts]# nmcli connection up eth0
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)
[root@centos8 network-scripts]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.7        0.0.0.0         UG    100    0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     100    0        0 eth0

[root@centos8 ~]# ping 10.0.0.7
PING 10.0.0.7 (10.0.0.7) 56(84) bytes of data.
64 bytes from 10.0.0.7: icmp_seq=1 ttl=64 time=0.342 ms
64 bytes from 10.0.0.7: icmp_seq=2 ttl=64 time=0.258 ms
^C
--- 10.0.0.7 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 5ms
rtt min/avg/max/mdev = 0.258/0.300/0.342/0.042 ms


root@ubuntu1804:~# ping 10.0.0.8
PING 10.0.0.8 (10.0.0.8) 56(84) bytes of data.
^C
--- 10.0.0.8 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2053ms

[root@centos8 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

root@ubuntu1804:~# iptables -vnL
Chain INPUT (policy ACCEPT 1 packets, 40 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination   

[root@centos7 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination   

root@ubuntu1804:~# ping 10.0.0.8
PING 10.0.0.8 (10.0.0.8) 56(84) bytes of data.
^C
--- 10.0.0.8 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1027ms

root@ubuntu1804:~# ping 10.0.0.7
PING 10.0.0.7 (10.0.0.7) 56(84) bytes of data.
64 bytes from 10.0.0.7: icmp_seq=1 ttl=64 time=0.361 ms
64 bytes from 10.0.0.7: icmp_seq=2 ttl=64 time=0.551 ms
^C
--- 10.0.0.7 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1028ms
rtt min/avg/max/mdev = 0.361/0.456/0.551/0.095 ms
7 packets transmitted, 0 received, 100% packet loss, time 6121ms

root@ubuntu1804:~# ping 192.168.10.7
PING 192.168.10.7 (192.168.10.7) 56(84) bytes of data.
64 bytes from 192.168.10.7: icmp_seq=1 ttl=64 time=0.399 ms
64 bytes from 192.168.10.7: icmp_seq=2 ttl=64 time=0.352 ms
^C
--- 192.168.10.7 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1014ms
rtt min/avg/max/mdev = 0.352/0.375/0.399/0.030 ms

[root@centos7 ~]# cat /proc/sys/net/ipv4/ip_forward
0
[root@centos7 ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1

[root@centos7 ~]# sysctl -p
net.ipv4.ip_forward = 1

root@ubuntu1804:~# ping 10.0.0.8
PING 10.0.0.8 (10.0.0.8) 56(84) bytes of data.
64 bytes from 10.0.0.8: icmp_seq=1 ttl=63 time=0.788 ms
64 bytes from 10.0.0.8: icmp_seq=2 ttl=63 time=0.847 ms
64 bytes from 10.0.0.8: icmp_seq=3 ttl=63 time=0.869 ms
^C
--- 10.0.0.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2026ms
rtt min/avg/max/mdev = 0.788/0.834/0.869/0.047 ms


[root@centos8 ~]# ping 192.168.10.100
PING 192.168.10.100 (192.168.10.100) 56(84) bytes of data.
64 bytes from 192.168.10.100: icmp_seq=1 ttl=63 time=0.704 ms
64 bytes from 192.168.10.100: icmp_seq=2 ttl=63 time=0.843 ms
^C
--- 192.168.10.100 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 49ms
rtt min/avg/max/mdev = 0.704/0.773/0.843/0.074 ms


实现内网可以访问外网，外网不能访问内网（上面开启 ip_forward 后 FORWARD 链默认策略为 ACCEPT，两个网络已经可以互访，下面通过 FORWARD 链规则加以限制）

[root@centos7 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 642 packets, 52030 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 20 packets, 1506 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 394 packets, 50340 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@centos7 ~]# iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
[root@centos7 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 6 packets, 428 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       10.0.0.0/24          0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 4 packets, 544 bytes)
 pkts bytes target     prot opt in     out     source               destination

[root@centos7 ~]# iptables -A FORWARD -j REJECT
[root@centos7 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 6 packets, 428 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       10.0.0.0/24          0.0.0.0/0           
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 4 packets, 464 bytes)
 pkts bytes target     prot opt in     out     source               destination

[root@centos8 ~]# ping 192.168.10.100
PING 192.168.10.100 (192.168.10.100) 56(84) bytes of data.

root@ubuntu1804:~# tcpdump -i eth0 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:15:03.796520 IP 10.0.0.8 > 192.168.10.100: ICMP echo request, id 2042, seq 148, length 64
16:15:03.796555 IP 192.168.10.100 > 10.0.0.8: ICMP echo reply, id 2042, seq 148, length 64
16:15:03.796991 IP 192.168.10.7 > 192.168.10.100: ICMP 10.0.0.8 protocol 1 port 43072 unreachable, length 92
16:15:04.820341 IP 10.0.0.8 > 192.168.10.100: ICMP echo request, id 2042, seq 149, length 64
16:15:04.820374 IP 192.168.10.100 > 10.0.0.8: ICMP echo reply, id 2042, seq 149, length 64
16:15:04.820646 IP 192.168.10.7 > 192.168.10.100: ICMP 10.0.0.8 protocol 1 port 2531 unreachable, length 92
16:15:05.844612 IP 10.0.0.8 > 192.168.10.100: ICMP echo request, id 2042, seq 150, length 64
16:15:05.844662 IP 192.168.10.100 > 10.0.0.8: ICMP echo reply, id 2042, seq 150, length 64
16:15:05.844984 IP 192.168.10.7 > 192.168.10.100: ICMP 10.0.0.8 protocol 1 port 36227 unreachable, length 92
16:15:06.868321 IP 10.0.0.8 > 192.168.10.100: ICMP echo request, id 2042, seq 151, length 64
16:15:06.868355 IP 192.168.10.100 > 10.0.0.8: ICMP echo reply, id 2042, seq 151, length 64
16:15:06.868569 IP 192.168.10.7 > 192.168.10.100: ICMP 10.0.0.8 protocol 1 port 37669 unreachable, length 92
16:15:07.893308 IP 10.0.0.8 > 192.168.10.100: ICMP echo request, id 2042, seq 152, length 64
16:15:07.893349 IP 192.168.10.100 > 10.0.0.8: ICMP echo reply, id 2042, seq 152, length 64
16:15:07.893577 IP 192.168.10.7 > 192.168.10.100: ICMP 10.0.0.8 protocol 1 port 1987 unreachable, length 92
16:15:08.917245 IP 10.0.0.8 > 192.168.10.100: ICMP echo request, id 2042, seq 153, length 64
16:15:08.917295 IP 192.168.10.100 > 10.0.0.8: ICMP echo reply, id 2042, seq 153, length 64
16:15:08.917636 IP 192.168.10.7 > 192.168.10.100: ICMP 10.0.0.8 protocol 1 port 19301 unreachable, length 92
16:15:09.940319 IP 10.0.0.8 > 192.168.10.100: ICMP echo request, id 2042, seq 154, length 64
16:15:09.940351 IP 192.168.10.100 > 10.0.0.8: ICMP echo reply, id 2042, seq 154, length 64
16:15:09.940523 IP 192.168.10.7 > 192.168.10.100: ICMP 10.0.0.8 protocol 1 port 15625 unreachable, length 92
16:15:10.965210 IP 10.0.0.8 > 192.168.10.100: ICMP echo request, id 2042, seq 155, length 64
16:15:10.965244 IP 192.168.10.100 > 10.0.0.8: ICMP echo reply, id 2042, seq 155, length 64
16:15:10.965466 IP 192.168.10.7 > 192.168.10.100: ICMP 10.0.0.8 protocol 1 port 16807 unreachable, length 92
16:15:11.988524 IP 10.0.0.8 > 192.168.10.100: ICMP echo request, id 2042, seq 156, length 64
16:15:11.988558 IP 192.168.10.100 > 10.0.0.8: ICMP echo reply, id 2042, seq 156, length 64
16:15:11.988817 IP 192.168.10.7 > 192.168.10.100: ICMP 10.0.0.8 protocol 1 port 36427 unreachable, length 92
^C
27 packets captured
27 packets received by filter
0 packets dropped by kernel

root@ubuntu1804:~# ping 10.0.0.8
PING 10.0.0.8 (10.0.0.8) 56(84) bytes of data.
From 192.168.10.7 icmp_seq=1 Destination Port Unreachable
From 192.168.10.7 icmp_seq=2 Destination Port Unreachable
From 192.168.10.7 icmp_seq=3 Destination Port Unreachable
^C
--- 10.0.0.8 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2000ms

[root@centos7 ~]# iptables -I FORWARD -m state --state ESTABLISHED -j ACCEPT
[root@centos7 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 6 packets, 428 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    84 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
  312 26208 ACCEPT     all  --  *      *       10.0.0.0/24          0.0.0.0/0           
  348 28416 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 4 packets, 560 bytes)
 pkts bytes target     prot opt in     out     source               destination         

[root@centos8 ~]# ping 192.168.10.100
PING 192.168.10.100 (192.168.10.100) 56(84) bytes of data.
64 bytes from 192.168.10.100: icmp_seq=1 ttl=63 time=1.03 ms
64 bytes from 192.168.10.100: icmp_seq=2 ttl=63 time=0.885 ms
64 bytes from 192.168.10.100: icmp_seq=3 ttl=63 time=0.641 ms
64 bytes from 192.168.10.100: icmp_seq=4 ttl=63 time=0.780 ms
^C
--- 192.168.10.100 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 81ms
rtt min/avg/max/mdev = 0.641/0.834/1.030/0.142 ms
实现内网可以访问外网：插入到 FORWARD 链首位的 ESTABLISHED 规则放行了内网已发起连接的返回报文（此前这些回包因源地址不属于 10.0.0.0/24 而被末尾的 REJECT 拒绝，见上面 tcpdump 中防火墙回送给 192.168.10.100 的 unreachable）。注意这里只匹配 ESTABLISHED 而没有包含 RELATED，与现有连接相关的 ICMP 差错报文仍会被拒绝，实际部署通常写成 `--state ESTABLISHED,RELATED`。

root@ubuntu1804:~# ping 10.0.0.8
PING 10.0.0.8 (10.0.0.8) 56(84) bytes of data.
From 192.168.10.7 icmp_seq=1 Destination Port Unreachable
From 192.168.10.7 icmp_seq=2 Destination Port Unreachable
From 192.168.10.7 icmp_seq=3 Destination Port Unreachable
^C
--- 10.0.0.8 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2000ms
外网不能访问内网：外网主动发起的报文不匹配前两条 ACCEPT 规则，被末尾的 REJECT 拒绝。由于用的是 REJECT 而非 DROP，外网主机会收到来自防火墙 192.168.10.7 的 Destination Port Unreachable，这会暴露防火墙的存在和地址；若不希望向外泄露这一信息，可改用 DROP。

实现外网可以访问内网的http

[root@centos8 ~]# dnf -y install httpd
[root@centos8 ~]# systemctl start httpd
[root@centos8 ~]# echo lan web site >/var/www/html/index.html
[root@centos8 ~]# curl 10.0.0.8
lan web site

[root@centos7 ~]# iptables -I FORWARD 3 -d 10.0.0.8 -p tcp --dport 80 -j ACCEPT
[root@centos7 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 6 packets, 428 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  114  9576 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
  326 27046 ACCEPT     all  --  *      *       10.0.0.0/24          0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.8             tcp dpt:80
  996 82848 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 5 packets, 672 bytes)
 pkts bytes target     prot opt in     out     source               destination

root@ubuntu1804:~# curl 10.0.0.8
lan web site

[root@centos8 ~]# tail /var/log/httpd/access_log 
10.0.0.8 - - [24/Dec/2020:16:25:58 +0800] "GET / HTTP/1.1" 200 13 "-" "curl/7.61.1"
192.168.10.100 - - [24/Dec/2020:16:29:12 +0800] "GET / HTTP/1.1" 200 13 "-" "curl/7.58.0"

2.实现SNAT和DNAT


SNAT


DNAT

[root@centos7 ~]# hostnamectl set-hostname firewall
[root@centos7 ~]# exit
[root@firewall ~]#

[root@centos8 ~]# hostnamectl set-hostname lanserver
[root@centos8 ~]# exit
[root@lanserver ~]#


root@ubuntu1804:~# hostnamectl set-hostname intelnet
root@ubuntu1804:~# exit
root@intelnet:~#


[root@firewall ~]# iptables -vnL
Chain INPUT (policy ACCEPT 225 packets, 20828 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  123 10378 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
  326 27046 ACCEPT     all  --  *      *       10.0.0.0/24          0.0.0.0/0           
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.8             tcp dpt:80
 1247 98844 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 294 packets, 27404 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@firewall ~]# iptables -F
[root@firewall ~]# iptables -vnL
Chain INPUT (policy ACCEPT 6 packets, 428 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4 packets, 432 bytes)
 pkts bytes target     prot opt in     out     source               destination


[root@firewall ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination    

root@intelnet:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.10.7    0.0.0.0         UG    0      0        0 eth0
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
root@intelnet:~# ip route
default via 192.168.10.7 dev eth0 proto static 
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.100 
root@intelnet:~# ip route del default via 192.168.10.7 dev eth0 proto static
root@intelnet:~# ip route
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.100 
root@intelnet:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0

[root@lanserver ~]# ping 192.168.10.100
PING 192.168.10.100 (192.168.10.100) 56(84) bytes of data.
^C
--- 192.168.10.100 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 27ms

#实现SNAT（上面删除了 intelnet 的默认路由，它无法把回包送回 10.0.0.0/24，所以 lanserver ping 不通；SNAT 把内网源地址改写为防火墙的 192.168.10.7 后，intelnet 只需回给同网段的防火墙即可）
[root@firewall ~]# iptables -t nat -A POSTROUTING -s 10.0.0.0/24 ! -d 10.0.0.0/24 -j SNAT --to-source 192.168.10.7
[root@firewall ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
0     0 SNAT       all  --  *      *       10.0.0.0/24         !10.0.0.0/24          to:192.168.10.7


[root@lanserver ~]# ping 192.168.10.100
PING 192.168.10.100 (192.168.10.100) 56(84) bytes of data.
64 bytes from 192.168.10.100: icmp_seq=1 ttl=63 time=1.23 ms
64 bytes from 192.168.10.100: icmp_seq=2 ttl=63 time=0.568 ms
64 bytes from 192.168.10.100: icmp_seq=3 ttl=63 time=0.714 ms
^C
--- 192.168.10.100 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 20ms
rtt min/avg/max/mdev = 0.568/0.837/1.229/0.283 ms

[root@lanserver ~]# ssh 192.168.10.100
The authenticity of host '192.168.10.100 (192.168.10.100)' can't be established.
ECDSA key fingerprint is SHA256:xH9+hx1G0I8HlYUznIqYjiMZw7Ep8xptc2rpnsDIV/Y.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

root@intelnet:~# ss -nt
State        Recv-Q         Send-Q                    Local Address:Port                   Peer Address:Port          
ESTAB        0              0                        192.168.10.100:22                     192.168.10.7:49466         
ESTAB        0              0                        192.168.10.100:22                     192.168.10.1:59356         
ESTAB        0              36                       192.168.10.100:22                     192.168.10.1:59707


[root@lanserver ~]# ping 192.168.10.100
PING 192.168.10.100 (192.168.10.100) 56(84) bytes of data.
64 bytes from 192.168.10.100: icmp_seq=1 ttl=63 time=0.910 ms
64 bytes from 192.168.10.100: icmp_seq=2 ttl=63 time=1.47 ms
64 bytes from 192.168.10.100: icmp_seq=3 ttl=63 time=0.633 ms
64 bytes from 192.168.10.100: icmp_seq=4 ttl=63 time=0.881 ms
64 bytes from 192.168.10.100: icmp_seq=5 ttl=63 time=0.529 ms
64 bytes from 192.168.10.100: icmp_seq=6 ttl=63 time=0.747 ms
64 bytes from 192.168.10.100: icmp_seq=7 ttl=63 time=0.743 ms
64 bytes from 192.168.10.100: icmp_seq=8 ttl=63 time=0.521 ms

[root@firewall ~]# iptables -F -t nat
[root@firewall ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination  

[root@lanserver ~]# ping 192.168.10.100
PING 192.168.10.100 (192.168.10.100) 56(84) bytes of data.
^C
--- 192.168.10.100 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 81ms

[root@firewall ~]# iptables -t nat -A POSTROUTING -s 10.0.0.0/24 ! -d 10.0.0.0/24 -j MASQUERADE
[root@firewall ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
0     0 MASQUERADE  all  --  *      *       10.0.0.0/24         !10.0.0.0/24


[root@lanserver ~]# ping 192.168.10.100
PING 192.168.10.100 (192.168.10.100) 56(84) bytes of data.
64 bytes from 192.168.10.100: icmp_seq=1 ttl=63 time=0.860 ms
64 bytes from 192.168.10.100: icmp_seq=2 ttl=63 time=0.565 ms
64 bytes from 192.168.10.100: icmp_seq=3 ttl=63 time=0.581 ms
^C
--- 192.168.10.100 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 45ms
rtt min/avg/max/mdev = 0.565/0.668/0.860/0.138 ms
#实现DNAT
#注意：DNAT 只改写目的地址，改写后的报文仍要经过 filter 表的 FORWARD 链；本例中 FORWARD 链已在前面被 iptables -F 清空（默认策略 ACCEPT），所以转发直接放行。若 FORWARD 链保留了末尾的 REJECT 规则，还需要单独放行 -d 10.0.0.8 -p tcp --dport 80 的转发。
[root@lanserver ~]# curl 10.0.0.8
lan web site

root@ubuntu1804:~# curl 192.168.10.7
curl: (7) Failed to connect to 192.168.10.7 port 80: Connection refused


[root@firewall ~]# iptables -t nat -A PREROUTING -d 192.168.10.7 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.8:80
[root@firewall ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.10.7         tcp dpt:80 to:10.0.0.8:80

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
1    84 MASQUERADE  all  --  *      *       10.0.0.0/24         !10.0.0.0/24         

root@ubuntu1804:~# curl 192.168.10.7
lan web site

[root@lanserver ~]# tail -f /var/log/httpd/access_log 
10.0.0.8 - - [24/Dec/2020:16:25:58 +0800] "GET / HTTP/1.1" 200 13 "-" "curl/7.61.1"
192.168.10.100 - - [24/Dec/2020:16:29:12 +0800] "GET / HTTP/1.1" 200 13 "-" "curl/7.58.0"
10.0.0.8 - - [24/Dec/2020:17:58:42 +0800] "GET / HTTP/1.1" 200 13 "-" "curl/7.61.1"
192.168.10.100 - - [24/Dec/2020:18:03:20 +0800] "GET / HTTP/1.1" 200 13 "-" "curl/7.58.0"

[root@firewall ~]# cat /proc/net/nf_conntrack
ipv4     2 tcp      6 300 ESTABLISHED src=10.0.0.1 dst=10.0.0.7 sport=59699 dport=22 src=10.0.0.7 dst=10.0.0.1 sport=22 dport=59699 [ASSURED] mark=0 zone=0 use=2

3.REDIRECT转发（lanserver 把 httpd 改为只监听 8080 后，防火墙的 DNAT 仍把外网请求转到 10.0.0.8:80，因此 curl 被拒绝；在 lanserver 本机 nat 表 PREROUTING 中用 REDIRECT 把 80 端口重定向到 8080 后恢复正常）

[root@lanserver ~]# vim /etc/httpd/conf/httpd.conf
Listen 8080  

[root@lanserver ~]# systemctl restart httpd
[root@lanserver ~]# ss -ntl
State            Recv-Q           Send-Q                     Local Address:Port                     Peer Address:Port          
LISTEN           0                128                              0.0.0.0:22                            0.0.0.0:*             
LISTEN           0                128                                    *:8080                                *:*             
LISTEN           0                128                                 [::]:22                               [::]:*

root@ubuntu1804:~# curl 192.168.10.7
curl: (7) Failed to connect to 192.168.10.7 port 80: Connection refused

[root@lanserver ~]# iptables -t nat -A PREROUTING -d 10.0.0.8 -p tcp --dport 80 -j REDIRECT --to-ports 8080
[root@lanserver ~]# ss -ntl
State            Recv-Q           Send-Q                     Local Address:Port                     Peer Address:Port          
LISTEN           0                128                              0.0.0.0:22                            0.0.0.0:*             
LISTEN           0                128                                    *:8080                                *:*             
LISTEN           0                128                                 [::]:22                               [::]:*

root@ubuntu1804:~# curl 192.168.10.7
lan web site

