SNAT and DNAT configuration notes for iptables


First, we need to understand the difference between SNAT and DNAT:
By definition, one is source network address translation (SNAT) and the other is destination network address translation (DNAT). Both are address-translation functions that translate between private addresses and public addresses.

To tell the two functions apart, simply look at which side initiates the connection:

  • SNAT: when an internal host wants to access a service on the public network (for example, browsing the web), the internal host actively initiates the connection, and the router or firewall gateway performs an address translation on it, converting the host's private IP into a public IP. This translation performed by the gateway is called SNAT; it is mainly used to let internal hosts share one public IP when accessing the outside.
  • DNAT: when a service inside the network needs to be offered to the outside (for example, publishing a web site), the external host actively initiates the connection, the router or firewall gateway receives it on its public IP and then hands the connection on to the internal host. The gateway stands in for the internal service to receive the external connection and translates the destination address to the internal address. This translation is called DNAT; it is mainly used to publish internal services externally.

When configuring firewall or routing ACL policies, take care that these two kinds of NAT are not confused.

1. SNAT experiment:

Experiment preparation:
internal PC (virtual Win10: 192.168.200.100); gateway server (centos7-2: ens33: 192.168.200.20 and ens36: 12.0.0.1; note that a second network card, ens36, must be added in advance so that the gateway has two NICs); external web server (centos7-1: 12.0.0.12)

Operation steps:
First, change the IP address of the ens36 network card on the gateway server (the network card configuration file of ens33 can be copied to ens36 and then edited directly). Restart the network service and check that the change took effect.

Then restart the iptables service on the gateway server and clear the rules in the nat table. Turn on the routing and forwarding function on the gateway server, and use sysctl -p to check that it has been enabled.

Next, prepare the web server: enter /etc/sysconfig/network-scripts/ and edit ifcfg-ens33, changing the IP address and the gateway address and commenting out DNS. After the network card is changed the Xshell session will be disconnected, so continue working directly in the virtual machine console. Check on 7-1 that the network card change succeeded, then turn off the firewalld firewall. Next, mount the installation disk, install the httpd service and start it.

Next, test whether the web server can be reached from the virtual Win10, but first modify the Win10 network card. Use the ping command to check that both the gateway server and the web server can be reached; from the virtual Win10 you can also open the web server's site. At this point, checking the httpd access log on the web server shows that the client's own IP was used for the access.

The next step is to configure SNAT so that the internal IP address 192.168.200.100 is translated to the public IP address 12.0.0.1 when accessing the web.

iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -o ens36 -j SNAT --to 12.0.0.1
         -t nat               select the nat table
         -A POSTROUTING       append to the POSTROUTING chain
         -s 192.168.200.0/24  internal subnet
         -o ens36             outbound external NIC
         -j SNAT              use the SNAT target
         --to 12.0.0.1        public IP to translate to (--to is an accepted abbreviation of --to-source)

After setting it up, visit the web server again on Win10. Check the web server's httpd log again: this time the client address recorded is 12.0.0.1, which indicates that the SNAT setting succeeded.
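The two log checks above (before and after the SNAT rule) can be automated. The following is an added Python example written for this page, not code from the original post; the httpd access_log lines are constructed to mirror the lab (client 192.168.200.100 before SNAT, gateway address 12.0.0.1 afterwards) rather than copied from its screenshots. It parses the default combined log format and reports which addresses httpd recorded as the client, flagging any private (RFC 1918) source, which on this topology would mean a request reached the server without passing through the SNAT rule.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, Set

# Default httpd "combined" LogFormat, as found in /var/log/httpd/access_log on CentOS 7.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines modelled on the lab (not copied from the post):
# before the SNAT rule the web server sees the Win10 client's own address,
# afterwards every request appears to come from the gateway's public address.
BEFORE_SNAT = [
    '192.168.200.100 - - [01/Jan/2021:10:00:01 +0800] "GET / HTTP/1.1" 403 4897 "-" "Mozilla/5.0"',
    '192.168.200.100 - - [01/Jan/2021:10:00:01 +0800] "GET /noindex/css/bootstrap.min.css HTTP/1.1" 200 19341 "http://12.0.0.12/" "Mozilla/5.0"',
]
AFTER_SNAT = [
    '12.0.0.1 - - [01/Jan/2021:10:05:10 +0800] "GET / HTTP/1.1" 403 4897 "-" "Mozilla/5.0"',
    '12.0.0.1 - - [01/Jan/2021:10:05:10 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
]


def client_counts(lines: Iterable[str]) -> Dict[str, int]:
    """Requests per client address exactly as httpd recorded them.
    Lines that do not parse are skipped rather than guessed at."""
    counts: Counter = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            counts[m.group("client")] += 1
    return dict(counts)


def private_sources(lines: Iterable[str]) -> Set[str]:
    """Client addresses that are private (RFC 1918 and similar). On a server that should
    only be reached through the SNAT gateway, any such address means a request bypassed the rule."""
    result: Set[str] = set()
    for ip in client_counts(lines):
        try:
            if ipaddress.ip_address(ip).is_private:
                result.add(ip)
        except ValueError:  # hostname logging or a malformed field
            continue
    return result


def snat_in_effect(lines: Iterable[str], nat_ip: str) -> bool:
    """True when every parsed request is attributed to the gateway's public address."""
    return set(client_counts(lines)) == {nat_ip}


if __name__ == "__main__":
    for label, lines in (("before SNAT", BEFORE_SNAT), ("after SNAT", AFTER_SNAT)):
        print(label, client_counts(lines),
              "private sources:", private_sources(lines),
              "SNAT in effect:", snat_in_effect(lines, "12.0.0.1"))
```

From the web server's point of view every request now comes from 12.0.0.1, so the server's own log can no longer tell internal clients apart. If a request later has to be attributed to a specific internal host, that mapping exists only on the gateway (in its connection-tracking table while the connection is live, or in whatever the gateway itself logs), which matters when the web server's access log is the only record available during an investigation.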

2. DNAT experiment

Experiment preparation:
intranet web server 7-1 (192.168.200.11); gateway server 7-2 (ens33: 192.168.200.20; ens36: 12.0.0.1); external network client Win10 (12.0.0.0/24)
Note: when configuring DNAT, SNAT needs to be configured together with it, because when the web server returns data, its replies also need their IP address translated.
We continue with the virtual machines configured for SNAT above, so first clear the iptables rules on the gateway server. Then confirm again that the routing and forwarding function is turned on (a value of 1 means it is enabled).

Change the network card of the web server (7-1). It is best to restart the httpd service on the web server, and then change the network card on Win10.
Then configure DNAT and SNAT. The DNAT configuration command is:

iptables -t nat -A PREROUTING -i ens36 -d 12.0.0.1 -p tcp --dport 80 -j DNAT --to 192.168.200.11
         -A PREROUTING               use the PREROUTING chain
         -i ens36                    inbound interface ens36
         -d 12.0.0.1                 the public IP being published
         -p tcp --dport 80           TCP destination port 80
         -j DNAT --to 192.168.200.11 translate the destination to the internal web server (--to is an accepted abbreviation of --to-destination)

The SNAT configuration command is:

iptables -t nat -A POSTROUTING -o ens36 -s 192.168.200.0/24 -j SNAT --to 12.0.0.1

Then check that the rules were configured successfully, after which you can access 12.0.0.1 from Win10 for web access. After the access, check the access log on the web server.
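To make the PREROUTING/POSTROUTING ordering and the reply path concrete, here is an added Python model of the gateway, written for this page and not taken from the original post or from netfilter itself. It implements exactly the two rules above (DNAT for TCP port 80 arriving on ens36 for 12.0.0.1, SNAT for 192.168.200.0/24 leaving through ens36) plus a minimal connection-tracking table, and runs both experiments: the SNAT flow from section 1 and the DNAT flow from section 2. The source ports and the external client address 12.0.0.100 are constructed; the other addresses are the lab's.

```python
from dataclasses import dataclass, replace
from typing import Dict, Tuple

# Topology from the article: LAN 192.168.200.0/24 on ens33, public address 12.0.0.1 on ens36,
# internal web server 192.168.200.11.
LAN_PREFIX = "192.168.200."
PUBLIC_IP = "12.0.0.1"
WEB_SERVER = "192.168.200.11"

# 5-tuple used as the connection-tracking key: (proto, src, sport, dst, dport)
Tuple5 = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def tuple5(self) -> Tuple5:
        return (self.proto, self.src, self.sport, self.dst, self.dport)


class NatGateway:
    """Model of the article's nat table: one DNAT rule in PREROUTING, one SNAT rule in
    POSTROUTING, plus the connection-tracking table that undoes the translation on replies."""

    def __init__(self) -> None:
        # translated 5-tuple -> original 5-tuple, filled when a new connection is translated
        self.conntrack: Dict[Tuple5, Tuple5] = {}

    def prerouting(self, pkt: Packet, in_iface: str) -> Packet:
        # iptables -t nat -A PREROUTING -i ens36 -d 12.0.0.1 -p tcp --dport 80 -j DNAT --to 192.168.200.11
        if in_iface == "ens36" and pkt.dst == PUBLIC_IP and pkt.proto == "tcp" and pkt.dport == 80:
            return replace(pkt, dst=WEB_SERVER)
        return pkt

    def postrouting(self, pkt: Packet, out_iface: str) -> Packet:
        # iptables -t nat -A POSTROUTING -o ens36 -s 192.168.200.0/24 -j SNAT --to 12.0.0.1
        if out_iface == "ens36" and pkt.src.startswith(LAN_PREFIX):
            return replace(pkt, src=PUBLIC_IP)
        return pkt

    def forward(self, pkt: Packet, in_iface: str, out_iface: str) -> Packet:
        """First packet of a new connection crossing the gateway. PREROUTING runs before the
        routing decision (so the DNAT result is what gets routed), POSTROUTING runs after it."""
        original = pkt.tuple5()
        pkt = self.prerouting(pkt, in_iface)
        pkt = self.postrouting(pkt, out_iface)
        self.conntrack[pkt.tuple5()] = original
        return pkt

    def reply(self, pkt: Packet) -> Packet:
        """Reply packet: no nat rule is consulted; the conntrack entry created by forward()
        is looked up in the reverse direction and the original addresses are restored."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        original = self.conntrack.get(key)
        if original is None:
            raise LookupError("reply for a connection the gateway never translated")
        _, o_src, o_sport, o_dst, o_dport = original
        return Packet(src=o_dst, sport=o_dport, dst=o_src, dport=o_sport, proto=pkt.proto)


def snat_flow(gw: NatGateway) -> Tuple[Packet, Packet]:
    """Section 1: LAN client 192.168.200.100 browses the external web server 12.0.0.12."""
    out = gw.forward(Packet("192.168.200.100", 50000, "12.0.0.12", 80), "ens33", "ens36")
    back = gw.reply(Packet("12.0.0.12", 80, out.src, out.sport))
    return out, back


def dnat_flow(gw: NatGateway) -> Tuple[Packet, Packet]:
    """Section 2: external client 12.0.0.100 (constructed) connects to the published 12.0.0.1:80."""
    out = gw.forward(Packet("12.0.0.100", 40000, PUBLIC_IP, 80), "ens36", "ens33")
    back = gw.reply(Packet(out.dst, out.dport, out.src, out.sport))
    return out, back


if __name__ == "__main__":
    gw = NatGateway()
    for name, flow in (("SNAT", snat_flow), ("DNAT", dnat_flow)):
        out, back = flow(gw)
        print(f"{name}: forwarded as {out.src}:{out.sport} -> {out.dst}:{out.dport}; "
              f"reply delivered as {back.src}:{back.sport} -> {back.dst}:{back.dport}")
```

Two things the model makes visible. DNAT is applied in PREROUTING, before the routing decision, so the rewritten destination 192.168.200.11 is what the gateway routes out of ens33; the SNAT rule matches only on -o ens36, so with the rules exactly as written the DNAT'd request leaves ens33 with the external client's real source address and that is what the web server's access log records. Reply packets are untranslated by the connection-tracking entry created when the first packet was translated, which is why no rule in the reverse direction appears in the rule set.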

Origin blog.csdn.net/Gengchenchen/article/details/112132071