iptables nat table application

10.16 iptables nat table application

1. Enable port forwarding mode

Query the current value (/proc/sys/net/ipv4/ip_forward must be 1 for forwarding to work; the default is 0):

[root@shu-test ~]# cat /proc/sys/net/ipv4/ip_forward
0
[root@shu-test ~]#

Turn on forwarding:

echo "1" > /proc/sys/net/ipv4/ip_forward

[root@shu-test ~]# echo "1" > /proc/sys/net/ipv4/ip_forward
[root@shu-test ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@shu-test ~]#

2. Add rules on machine A

(Remember that the gateway of machine B must point to ens37 of machine A, which is 192.168.100.1)


iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE

On machine A, add a NAT rule so that every packet with a source address in 192.168.100.0/24 that leaves through ens33 is masqueraded (its source address rewritten to the address of ens33):

[root@shu-test ~]# iptables -F
[root@shu-test ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 659 packets, 67162 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain INPUT (policy ACCEPT 18 packets, 1935 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain OUTPUT (policy ACCEPT 50 packets, 3782 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain POSTROUTING (policy ACCEPT 50 packets, 3782 bytes)
pkts bytes target     prot opt in     out     source               destination         
   42  3201 MASQUERADE  all  --  *      ens33   192.168.100.0/24     0.0.0.0/0           
[root@shu-test ~]#

3. Test:

On machine B, ping the ens33 address of machine A, then ping www.hao123.com. If machine B can reach the ens33 address of machine A but not the external network, clear the filter-table rules with iptables -F (a FORWARD rule there may be blocking the forwarded traffic) and test again:

[root@localhost ~]# ping 192.168.188.1
PING 192.168.188.1 (192.168.188.1) 56(84) bytes of data.
64 bytes from 192.168.188.1: icmp_seq=1 ttl=127 time=1.58 ms
64 bytes from 192.168.188.1: icmp_seq=2 ttl=127 time=0.814 ms
^C
--- 192.168.188.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.814/1.199/1.585/0.387 ms
[root@localhost ~]# ping www.hao123.com
PING hao123.n.shifen.com (112.34.111.167) 56(84) bytes of data.
64 bytes from 112.34.111.167 (112.34.111.167): icmp_seq=1 ttl=127 time=31.1 ms
64 bytes from 112.34.111.167 (112.34.111.167): icmp_seq=2 ttl=127 time=31.5 ms
64 bytes from 112.34.111.167 (112.34.111.167): icmp_seq=3 ttl=127 time=31.2 ms
^C
--- hao123.n.shifen.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 31.116/31.291/31.502/0.159 ms
[root@localhost ~]#

Port Mapping

Requirement 2: Machine C can only communicate with machine A; make port 22 of machine C reachable directly from outside through machine A (port mapping).

1. Turn on forwarding on machine A:

echo "1" > /proc/sys/net/ipv4/ip_forward

[root@localhost ~]# echo "1" > /proc/sys/net/ipv4/ip_forward
[root@localhost ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@localhost ~]#

2. Clear the existing rules

Use iptables -F and iptables -D; see the previous article for details.

3. Add rules on machine A

iptables -t nat -A PREROUTING -d 192.168.188.2 -p tcp --dport 1122 -j DNAT --to 192.168.100.101:22

Map port 22 of 192.168.100.101 to port 1122 on ens33 of machine A, so that the external network reaches port 22 of machine C (IP 192.168.100.101) by connecting to 192.168.188.2:1122:

[root@shu-test ~]# iptables -t nat -A PREROUTING -d 192.168.188.2 -p tcp --dport 1122 -j DNAT --to 192.168.100.101:22
[root@shu-test ~]#
[root@shu-test ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 13 packets, 1072 bytes)
pkts bytes target     prot opt in     out     source               destination         
    5   260 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.188.2        tcp dpt:1122 to:192.168.100.101:22
Chain INPUT (policy ACCEPT 6 packets, 549 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain OUTPUT (policy ACCEPT 2 packets, 152 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain POSTROUTING (policy ACCEPT 7 packets, 412 bytes)
pkts bytes target     prot opt in     out     source               destination         
  113  8561 MASQUERADE  all  --  *      ens33   192.168.100.0/24     0.0.0.0/0           
[root@shu-test ~]#

4. Add a packet return rule on the A machine

iptables -t nat -A POSTROUTING -s 192.168.100.101 -j SNAT --to 192.168.188.2

Rewrite the source address of packets coming from 192.168.100.101 to 192.168.188.2, so that the return traffic leaves through machine A; with this rule the translation covers both directions:

[root@shu-test ~]# iptables -t nat -A POSTROUTING -s 192.168.100.101 -j SNAT --to 192.168.188.2
[root@shu-test ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
    5   260 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.188.2        tcp dpt:1122 to:192.168.100.101:22
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
  122  9236 MASQUERADE  all  --  *      ens33   192.168.100.0/24     0.0.0.0/0           
    0     0 SNAT       all  --  *      *       192.168.100.101      0.0.0.0/0            to:192.168.188.2
[root@shu-test ~]#

5. Test

From Windows, ssh directly to 192.168.188.2:1122:

Connecting to 192.168.188.2:1122...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Last login: Thu Jan 25 22:22:33 2018 from 192.168.188.1
[root@shu002 ~]# w
23:02:45 up 43 min,  2 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1                      22:20   11:09   0.29s  0.29s -bash
root     pts/0    192.168.188.1    23:02    5.00s  0.07s  0.04s w
[root@shu002 ~]#
[root@shu002 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 00:0c:29:20:41:c3  txqueuelen 1000  (Ethernet)
        RX packets 636  bytes 67857 (66.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 333  bytes 45907 (44.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.101  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 fe80::d347:6274:ae3f:7255  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::f39c:81b9:efac:5b41  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:20:41:cd  txqueuelen 1000  (Ethernet)
        RX packets 289  bytes 27155 (26.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 341  bytes 34283 (33.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 72  bytes 5712 (5.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 72  bytes 5712 (5.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@shu002 ~]#
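The two procedures above (requirement 1: MASQUERADE for 192.168.100.0/24, and the port-mapping steps 1 to 4) can be collapsed into one script. The following is an added example, not the article's own code: it enables forwarding, then appends the MASQUERADE, DNAT and SNAT rules from the steps above only when `iptables -C` reports them absent, so running it twice does not stack duplicate rules. The defaults mirror the article's values (ens33, 192.168.100.0/24, 192.168.188.2 port 1122 to 192.168.100.101 port 22); the IPT variable, the function names and the `apply` argument are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the original article): idempotent NAT setup for
# "machine A", covering both requirements in one script. Values default to
# the ones used in the article; IPT selects the iptables binary (a test can
# substitute a stand-in command).
set -u

IPT=${IPT:-iptables}
WAN_IF=${WAN_IF:-ens33}                   # machine A's external interface
LAN_NET=${LAN_NET:-192.168.100.0/24}      # internal network behind ens37
PUBLIC_IP=${PUBLIC_IP:-192.168.188.2}     # address of ens33 on machine A
MAP_PORT=${MAP_PORT:-1122}                # port exposed on machine A
TARGET_IP=${TARGET_IP:-192.168.100.101}   # internal host (machine C)
TARGET_PORT=${TARGET_PORT:-22}            # service port on machine C
IP_FORWARD_FILE=${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}

# Return 0 when IPv4 forwarding is on (the file contains exactly "1").
forwarding_enabled() {
    [ "$(tr -d '[:space:]' < "${1:-$IP_FORWARD_FILE}")" = "1" ]
}

# Print one rule per line as "<table> <chain> <rule spec>".
# --to-destination / --to-source are the full spellings of the "--to" the
# article uses. The SNAT rule is the article's step 4; because MASQUERADE
# sits before it in POSTROUTING it normally never matches (the article's
# counters show 0), and conntrack already reverses the DNAT on replies.
nat_rule_specs() {
    printf '%s\n' \
        "nat POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE" \
        "nat PREROUTING -d $PUBLIC_IP -p tcp --dport $MAP_PORT -j DNAT --to-destination $TARGET_IP:$TARGET_PORT" \
        "nat POSTROUTING -s $TARGET_IP -j SNAT --to-source $PUBLIC_IP"
}

# Append each rule only if "-C" says it is not already there, so re-running
# the script does not create duplicates (a common source of confusing
# counters when debugging NAT).
apply_nat_rules() {
    nat_rule_specs | while read -r table chain spec; do
        # $spec is intentionally unquoted: it must split into arguments.
        if ! $IPT -t "$table" -C "$chain" $spec 2>/dev/null; then
            $IPT -t "$table" -A "$chain" $spec || exit 1
        fi
    done
}

main() {
    forwarding_enabled || echo 1 > "$IP_FORWARD_FILE"
    apply_nat_rules || { echo "failed to add NAT rules" >&2; return 1; }
    $IPT -t nat -nvL
}

# Run as root on machine A with:  sh nat-setup.sh apply
# Without the argument only the functions are defined.
if [ "${1:-}" = apply ]; then
    main
fi
```

The `-C` check fails silently (stderr is discarded) when a rule is absent, which is what triggers the `-A`. Keep in mind that the `iptables -F` used in the article's test step flushes only the filter table; the nat rules this script adds are inspected with `iptables -t nat -nvL`.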

10.19 iptables rule backup and restore

service iptables save saves the current rules to the iptables configuration file /etc/sysconfig/iptables

iptables-save > /tmp/ipt.txt saves the rules to ipt.txt

iptables-restore < /tmp/ipt.txt restores the rules
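One thing to check before relying on these two commands: iptables-restore replaces the whole rule set with the contents of the file, so an empty or truncated backup leaves the machine with no rules. The following added example (not the article's code; the file naming, the constructed `sample_dump` content and the validation logic are this example's own) writes the backup under a temporary name, verifies that every `*table` block is closed by a COMMIT line, and only then keeps it; the same check guards the restore.

```shell
#!/bin/sh
# Added example (not from the original article): back up the live rule set
# with iptables-save to a timestamped file and validate the dump before
# keeping it or feeding it to iptables-restore.
set -u

BACKUP_DIR=${BACKUP_DIR:-/tmp}

# Return 0 if the file looks like a complete iptables-save dump: non-empty,
# at least one "*table" header, and every header closed by COMMIT in order.
ruleset_file_valid() {
    [ -s "$1" ] || return 1
    awk '
        /^\*/      { if (open) bad = 1; open = 1; tables++ }
        /^COMMIT$/ { if (!open) bad = 1; open = 0 }
        END        { if (bad || open || tables == 0) exit 1; exit 0 }
    ' "$1"
}

# Count the rules ("-A ..." lines) in one table of a dump: file, table name.
count_table_rules() {
    awk -v t="*$2" '
        $0 == t        { in_t = 1; next }
        /^\*/          { in_t = 0 }
        in_t && /^-A / { n++ }
        END            { print n + 0 }
    ' "$1"
}

# Save to a temporary name first; only a dump that passes validation is
# renamed into place, so a failed iptables-save never masquerades as a backup.
backup_rules() {
    out="$BACKUP_DIR/ipt-$(date +%Y%m%d-%H%M%S).txt"
    tmp="$out.tmp"
    iptables-save > "$tmp" && ruleset_file_valid "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$out" && echo "$out"
}

# Refuse to restore a file that would wipe or partially load the rule set.
restore_rules() {
    ruleset_file_valid "$1" || { echo "refusing to restore invalid dump: $1" >&2; return 1; }
    iptables-restore < "$1"
}

# Constructed sample dump (not captured from a real system) holding the three
# nat rules from this article, in iptables-save format.
sample_dump() {
    cat <<'EOF'
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.188.2/32 -p tcp -m tcp --dport 1122 -j DNAT --to-destination 192.168.100.101:22
-A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
-A POSTROUTING -s 192.168.100.101/32 -j SNAT --to-source 192.168.188.2
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Usage as root:  sh ipt-backup.sh backup        (prints the backup path)
#                 sh ipt-backup.sh restore FILE
case "${1:-}" in
    backup)  backup_rules ;;
    restore) restore_rules "${2:?backup file required}" ;;
esac
```

Counting rules per table with `count_table_rules FILE nat` before a restore is a cheap sanity check that the dump carries the MASQUERADE and DNAT rules you expect, rather than an earlier, emptier state.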
