Using Linux as a firewall: the port-forwarding reflow (hairpin NAT) problem

In the past two days the company's firewall broke down, so a Linux box was temporarily set up to take its place.
 
Three steps, very simple, five minutes to get it done.
 
 
Prerequisite: the Linux server has two network cards, and both the internal and the external card are configured with the correct IP addresses.
 
1:  Modify the kernel setting to enable IP forwarding.
 
vi /etc/sysctl.conf
Change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1
 
Then run sysctl -p so the change takes effect immediately.

2:  Configure NAT
 
iptables -t nat -A PREROUTING -d 218.249.XXX.X -p tcp --dport 80 -j DNAT --to-destination 192.168.9.100
iptables -t nat -A PREROUTING -d 218.249.XXX.X -p tcp --dport 80 -j DNAT --to-destination 192.168.9.12
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 
The first two are iptables rules that map the public address to servers on the internal private network; the third masquerades traffic leaving through eth0 (the external interface) so intranet hosts can reach the Internet. Note that, as written here with the public address masked, both DNAT rules match the same destination address and port, so only the first matching rule (to 192.168.9.100) ever takes effect; each mapping needs a distinct public address or port.
 
3:  Configure routing
 
route add -net 192.168.0.0/16 gw 192.168.10.2 
route add default gw 218.249.XXX.X
 
 
Once this is configured, the intranet can reach the Internet, and external users can reach the intranet web server and other servers through the domain name or the public IP.
 
But one problem remains: intranet reflow (hairpin NAT) does not work. When an intranet client connects to the public address, the firewall DNATs the destination to 192.168.9.100, but the server's reply is routed straight back to the client across the intranet without passing through the firewall, so the client receives a reply from 192.168.9.100 when it expected one from the public address and discards it.
 
Add one more rule:
 
iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.0/24 -d 192.168.9.0/24 -j SNAT --to 192.168.10.1 
 
Note: 192.168.10.1 is the address of my Linux firewall's interface toward the intranet; the SNAT target must be set to this address for it to work.
 
This way intranet users can also reach our intranet web and other servers through the public address or the domain name.
 
service iptables save     # save the iptables rules so they persist
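To see why steps 1 to 3 alone break intranet access through the public address, and why the SNAT rule fixes it, here is an added example (not part of the original post) that models the firewall's nat table and connection tracking in Python and runs one TCP handshake with and without the hairpin SNAT rule. The public address 218.249.0.1 and the clients 192.168.0.50 (intranet) and 203.0.113.7 (external) are constructed stand-ins; 192.168.9.100 and 192.168.10.1 are the page's own values.

```python
"""Model of why the hairpin SNAT rule is needed (added example, not from the post).

Simulates the nat table of the page's Linux firewall: DNAT in PREROUTING, the
optional SNAT of the page's last rule in POSTROUTING, and a conntrack table
that reverses both translations on replies.
"""
import ipaddress
from dataclasses import dataclass, replace

PUBLIC_IP = "218.249.0.1"     # constructed stand-in for the page's 218.249.XXX.X
WEB_SERVER = "192.168.9.100"  # DNAT target from the page
FW_INSIDE = "192.168.10.1"    # firewall's intranet-facing address from the page
CLIENT = "192.168.0.50"       # constructed intranet client
CLIENT_NET = ipaddress.ip_network("192.168.0.0/24")  # -s of the page's SNAT rule
SERVER_NET = ipaddress.ip_network("192.168.9.0/24")  # -d of the page's SNAT rule
INTRANET = ipaddress.ip_network("192.168.0.0/16")    # routed by 192.168.10.2 internally


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self):
        """The packet a host sends back to whoever it saw as the source."""
        return Packet(self.dst, self.dport, self.src, self.sport)


def in_net(ip, net):
    return ipaddress.ip_address(ip) in net


class NatFirewall:
    """Minimal model of the nat table plus connection tracking."""

    def __init__(self, hairpin_snat):
        self.hairpin_snat = hairpin_snat
        self.conntrack = {}  # reply 4-tuple as the server sends it -> original packet

    def forward(self, pkt):
        """Translate a packet entering the firewall on its way to the server."""
        original = pkt
        # PREROUTING: -d PUBLIC_IP -p tcp --dport 80 -j DNAT --to-destination WEB_SERVER
        if pkt.dst == PUBLIC_IP and pkt.dport == 80:
            pkt = replace(pkt, dst=WEB_SERVER)
        # POSTROUTING: -s 192.168.0.0/24 -d 192.168.9.0/24 -j SNAT --to FW_INSIDE
        if self.hairpin_snat and in_net(pkt.src, CLIENT_NET) and in_net(pkt.dst, SERVER_NET):
            pkt = replace(pkt, src=FW_INSIDE)
        self.conntrack[pkt.reply()] = original  # remember how to undo both translations
        return pkt

    def un_nat_reply(self, pkt):
        """Reverse the translations on a reply; None if the firewall has no state for it."""
        original = self.conntrack.get(pkt)
        return None if original is None else original.reply()


def reaches_firewall(dst):
    """Intranet destinations are routed by the internal router and never cross the
    firewall, unless the packet is addressed to the firewall itself (192.168.10.1)."""
    return dst == FW_INSIDE or not in_net(dst, INTRANET)


def simulate(hairpin_snat, client=CLIENT):
    """Run one SYN/SYN-ACK exchange; return (connection_ok, packet the client receives)."""
    fw = NatFirewall(hairpin_snat)
    syn = Packet(client, 40000, PUBLIC_IP, 80)  # the client's default route is the firewall
    at_server = fw.forward(syn)
    synack = at_server.reply()                  # the server answers the source it saw
    if reaches_firewall(synack.dst):
        delivered = fw.un_nat_reply(synack)
    else:
        delivered = synack                      # straight to the client, untranslated
    # The client opened a socket to PUBLIC_IP:80; a SYN-ACK from any other peer
    # matches no connection and is discarded (the kernel answers it with a RST).
    ok = delivered is not None and (delivered.src, delivered.sport) == (PUBLIC_IP, 80)
    return ok, delivered


if __name__ == "__main__":
    for flag in (False, True):
        ok, pkt = simulate(flag)
        print(f"hairpin SNAT {'on ' if flag else 'off'}: intranet client sees reply from "
              f"{pkt.src}:{pkt.sport} -> {'connection works' if ok else 'connection reset'}")
    print("external client without SNAT works:", simulate(False, client="203.0.113.7")[0])
```

Running it shows the intranet client receiving the reply from 192.168.9.100 (reset) without the rule and from 218.249.0.1 (works) with it, while an external client works either way because its replies always return through the firewall. One caveat the model also makes visible: the SNAT rule above matches every TCP connection from 192.168.0.0/24 to 192.168.9.0/24, not only port 80, so the web server's logs show 192.168.10.1 instead of the real client address for all of them; restricting the rule with --dport 80 limits that to the hairpinned traffic.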
 
