Internet Firewall
NAT (network address translation) is divided into SNAT, DNAT and PNAT.
SNAT: for a request, NAT replaces the source address of the packet; for the response packet it is the destination address that is replaced, and this too is part of SNAT.
DNAT: when a user on the external network accesses a site inside the LAN, the gateway receives the request packet and replaces the destination address and port in it with the address and port of the LAN site. After the LAN site receives the request, it sends the response packet
to the gateway; the gateway then replaces the source address of the response packet with the external address and sends the packet back to the user on the external network.
PNAT: taking the http service as an example, external users access the http service on port 80, but the httpd service inside the network
works on the non-standard port 8080. This is called PNAT, also known as port redirection.
Environment requirements: three hosts.
The host acting as the router must have ip_forward enabled:
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p
Network configuration diagram (figure not reproduced here)
SNAT:
Suppose the left-hand part of the NAT host is connected to the internal network card, no gateway is configured on the public-network side, and the public IPs are 172.16.12.7 and 172.16.12.6.
Pinging 172.16.12.6 directly from the local PC makes no sense: when the packet reaches B, B sees that A is not on the same network segment, and since B has no gateway it can only receive
the request packet from A and cannot respond.
SNAT resolves this situation.
SNAT has two cases:
(1) The local public network IP is fixed:
iptables -t nat -A POSTROUTING -s 192.168.12.0/24 -j SNAT --to-source 172.16.12.7
Packets may be sent by the firewall itself or originate from an internal host and be forwarded; both pass through POSTROUTING, which is why the rule is added to POSTROUTING.
(2) Dial-up Internet access, where the public IP is not fixed (this approach also works with a fixed IP):
iptables -t nat -A POSTROUTING -s 192.168.12.0/24 -j MASQUERADE
DNAT:
Requests from the public network to the local public IP 172.16.12.7 are forwarded to the local PC, similar to a scheduler (load balancer):
iptables -t nat -A PREROUTING -d 172.16.12.7 -p tcp --dport 80 -j DNAT --to-destination 192.168.12.17:80
The rule must be added to PREROUTING. Taking httpd as an example: if the destination were not rewritten before the routing decision, the packet would go from PREROUTING to INPUT on the NAT host, where no corresponding service is found,
and the packet would be discarded directly.
Access 172.16.12.7 from B; the source IP in the access log is 172.16.12.6.
iptables -t nat -F
iptables -t nat -A PREROUTING -d 172.16.12.7 -p tcp --dport 80 -j DNAT --to-destination 192.168.12.17:8080
This maps port 80 of the local public IP to port 8080 inside the network; one port on a local public IP can only be mapped to a single internal port.
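As an added illustration (not code from the original post), the following Python model walks a packet through PREROUTING, the routing decision and POSTROUTING using the addresses from this page. It shows why the DNAT rule has to sit in PREROUTING (without it the packet for 172.16.12.7:80 lands in INPUT and is dropped) and how the reply to an SNAT'ed or DNAT'ed flow is mapped back from connection state. The NAT host's inside address 192.168.12.1 and the client ports are assumptions.

```python
from dataclasses import dataclass, replace
import ipaddress

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

class NatHost:
    """Netfilter path: PREROUTING -> routing decision -> (INPUT | FORWARD -> POSTROUTING)."""

    def __init__(self, local_ips, snat_net=None, snat_to=None, dnat=None):
        self.local_ips = set(local_ips)          # addresses the NAT host owns itself
        self.snat_net = ipaddress.ip_network(snat_net) if snat_net else None  # -s <net>
        self.snat_to = snat_to                   # -j SNAT --to-source <ip>
        self.dnat = dnat or {}                   # (pub_ip, pub_port) -> (lan_ip, lan_port)
        self.replies = {}   # conntrack: expected reply 4-tuple -> fields that undo the NAT

    def process(self, p):
        # A reply to an already translated flow is un-translated from conntrack state,
        # not from the rules; this is what sends B's answer back to 192.168.12.17.
        undo = self.replies.get((p.src, p.sport, p.dst, p.dport))
        if undo:
            return "FORWARD", replace(p, **undo)
        # PREROUTING nat: DNAT rewrites the destination BEFORE the routing decision.
        tgt = self.dnat.get((p.dst, p.dport))
        if tgt:
            q = replace(p, dst=tgt[0], dport=tgt[1])
            self.replies[(q.dst, q.dport, q.src, q.sport)] = {"src": p.dst, "sport": p.dport}
            p = q
        # Routing decision: a packet for one of our own addresses goes to INPUT, where it
        # is dropped unless a local service listens on that port; anything else is forwarded.
        if p.dst in self.local_ips:
            return "INPUT", p
        # POSTROUTING nat: SNAT rewrites the source of packets leaving the LAN.
        if self.snat_to and ipaddress.ip_address(p.src) in self.snat_net:
            q = replace(p, src=self.snat_to)
            self.replies[(q.dst, q.dport, q.src, q.sport)] = {"dst": p.src, "dport": p.sport}
            p = q
        return "FORWARD", p

if __name__ == "__main__":
    fw = NatHost(["172.16.12.7", "192.168.12.1"], "192.168.12.0/24", "172.16.12.7",
                 {("172.16.12.7", 80): ("192.168.12.17", 8080)})
    print(fw.process(Pkt("192.168.12.17", 40000, "172.16.12.6", 80)))  # SNAT on the way out
    print(fw.process(Pkt("172.16.12.6", 80, "172.16.12.7", 40000)))    # reply mapped back to A
    print(fw.process(Pkt("172.16.12.6", 50000, "172.16.12.7", 80)))    # DNAT to 192.168.12.17:8080
    print(NatHost(["172.16.12.7"]).process(Pkt("172.16.12.6", 50000, "172.16.12.7", 80)))  # no DNAT
```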
PNAT:
An external host accesses port 80 on the local PC and is automatically redirected to 8080, so the httpd service port needs to be changed to 8080.
Add the port redirection rule on the local PC:
iptables -t nat -A PREROUTING -d 192.168.12.17 -p tcp --dport 80 -j REDIRECT --to-ports 8080