Backup and restore of SNAT and DNAT firewall rules
2022-07-28 17:31:00 【There are cranes in the clouds】
Preface: The anchor has something on his mind these days, so there is no foreword, friends.

Catalog
1. SNAT principle and application
1.3 SNAT conversion prerequisites
1.4 SNAT conversion 1: fixed public IP address
1.6.1 Install the httpd and iptables services on both machines first
1.6.2 Change the original network to user-defined mode and add an additional network card
1.6.3 Modify ens33 and ens37 and restart
1.6.4 Permanently enable IP route forwarding
1.6.5 SNAT conversion: fixed public IP address
1.6.6 Modify the network card of the second machine and restart
1.6.7 Modify the Windows configuration
1.6.8 Verify the results
2. DNAT conversion prerequisites
2.1 DNAT conversion prerequisites
2.2 DNAT application environment
2.4 DNAT conversion 1: publishing an intranet web service
2.5 DNAT conversion 2: modify the target port when publishing
2.6.1 Modify the Windows network configuration
2.6.2 Modify the network card of the second virtual machine and restart
2.6.3 Set up DNAT conversion
2.6.4 Verify the results
1. SNAT principle and application
LAN hosts share a single public IP address to access the Internet (private IP addresses cannot be routed normally on the Internet).
1.2 SNAT principle
Source address translation: modify the source IP address of the packet according to the specified conditions. It is often called source mapping.
Simply put, it modifies the source address of the packet.
1.3 SNAT conversion prerequisites
1. Each host on the LAN has its IP address, subnet mask and default gateway address set correctly.
2. The Linux gateway has IP route forwarding enabled.
Enable temporarily (either of the two methods):
echo 1 > /proc/sys/net/ipv4/ip_forward
or
sysctl -w net.ipv4.ip_forward=1
Enable permanently:
vim /etc/sysctl.conf
Write this line to the configuration file:
net.ipv4.ip_forward = 1
Then load the modified configuration:
sysctl -p
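A check for the temporary-versus-permanent distinction above, as an added example that is not part of the original post: it compares the runtime flag with the value saved in the configuration file. The function names are hypothetical, and only the single file /etc/sysctl.conf named above is read (files under /etc/sysctl.d are not considered).

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Print the last net.ipv4.ip_forward value (0 or 1) set in a sysctl.conf-style
# file, ignoring commented-out lines; print nothing if the key is absent.
persistent_forward() {
    conf=${1:-/etc/sysctl.conf}
    [ -r "$conf" ] || return 0
    sed -n 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*\([01]\)[[:space:]]*$/\1/p' "$conf" | tail -n 1
}

# Classify the gateway's forwarding state:
#   persistent    enabled now and saved in the configuration file
#   runtime-only  enabled now but not saved (NAT stops working after a reboot)
#   not-loaded    saved but not active (sysctl -p has not been run)
#   off           disabled in both places
forward_state() {
    proc=${1:-/proc/sys/net/ipv4/ip_forward}
    conf=${2:-/etc/sysctl.conf}
    runtime=$(cat "$proc" 2>/dev/null) || runtime=0
    saved=$(persistent_forward "$conf")
    case "${runtime:-0}:${saved:-0}" in
        1:1) echo persistent ;;
        1:0) echo runtime-only ;;
        0:1) echo not-loaded ;;
        *)   echo off ;;
    esac
}

# Report the state of the machine this runs on.
forward_state
```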
1.4 SNAT conversion 1: fixed public IP address
Either of the following two forms can be used:
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens37 -j SNAT --to 10.0.0.1
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens37 -j SNAT --to-source 10.0.0.1-10.0.0.10
192.168.100.0/24 is the intranet IP range, -o specifies the outbound external network card ens37, and 10.0.0.1-10.0.0.10 is the external IP address or address pool.
1.5 A little extra knowledge
A single IP address used for SNAT can usually let 100 to 200 intranet hosts access the Internet.
1.6 DNAT experiment
1.6.1 Install the httpd and iptables services on both machines first
1.6.2 Change the original network to user-defined mode and add an additional network card
1.6.3 Modify ens33 and ens37 and restart
1.6.4 Permanently enable IP route forwarding
1.6.5 SNAT conversion: fixed public IP address
1.6.6 Modify the network card of the second machine and restart
Install the apache service and verify
1.6.7 Modify the Windows configuration
1.6.8 Verify the results

2. DNAT conversion prerequisites
2.1 DNAT conversion prerequisites
1. The LAN servers can access the Internet.
2. The gateway's external address has a correct DNS resolution record.
3. The Linux gateway has IP route forwarding enabled.
Enable it for DNAT:
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p
2.2 DNAT application environment
1. Publish servers located in the LAN on the Internet.
2.3 DNAT principle
1. Modify the destination address of the packet.
2.4 DNAT conversion 1: publishing an intranet web service
# Convert the destination address of packets that come in from ens33 to access the web service to 192.168.100.118
iptables -t nat -A PREROUTING -i ens33 -d 12.0.0.1 -p tcp --dport 80 -j DNAT --to 192.168.100.118
or
iptables -t nat -A PREROUTING -i ens33 -d 12.0.0.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.100.118
Here -i ens33 is the inbound network card, 12.0.0.1 is the external IP, and 192.168.100.118 is the intranet server IP.
2.5 DNAT conversion 2: modify the target port when publishing
# Publish the OpenSSH server inside the LAN; external hosts need to use port 250 to connect
iptables -t nat -A PREROUTING -i ens33 -d 12.0.0.1 -p tcp --dport 250 -j DNAT --to 192.168.100.102:22
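To review what the DNAT rules in 2.4 and 2.5 publish to the outside, the following added example (not part of the original post) lists every DNAT rule found in iptables-save text and flags port remaps and rules that match on any interface or any address. The function names and the third sample rule are constructed for illustration; the sample assumes the rules above as iptables-save would print them.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Constructed sample in iptables-save format: the two DNAT rules and the SNAT
# pool rule from this page, plus one constructed rule with no -i / -d match.
sample_nat_rules() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 12.0.0.1/32 -i ens33 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.100.118
-A PREROUTING -d 12.0.0.1/32 -i ens33 -p tcp -m tcp --dport 250 -j DNAT --to-destination 192.168.100.102:22
-A PREROUTING -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.100.118:80
-A POSTROUTING -s 192.168.100.0/24 -o ens37 -j SNAT --to-source 10.0.0.1-10.0.0.10
COMMIT
EOF
}

# Read iptables-save text on stdin and print one line per DNAT rule:
#   proto ext_ip:port via in_iface -> internal_target [flags]
nat_exposures() {
    awk '
    $1 == "-A" && $2 == "PREROUTING" {
        dst = "any"; inif = "any"; proto = "all"; dport = "any"; to = ""; tgt = ""
        for (i = 3; i < NF; i++) {
            if      ($i == "-d")               dst   = $(i + 1)
            else if ($i == "-i")               inif  = $(i + 1)
            else if ($i == "-p")               proto = $(i + 1)
            else if ($i == "--dport")          dport = $(i + 1)
            else if ($i == "-j")               tgt   = $(i + 1)
            else if ($i == "--to-destination") to    = $(i + 1)
        }
        if (tgt != "DNAT") next
        sub(/\/32$/, "", dst)
        flags = ""
        if (split(to, t, ":") == 2 && t[2] != dport) flags = flags " port-remap"
        if (inif == "any") flags = flags " no-inbound-interface"
        if (dst == "any")  flags = flags " no-destination-address"
        printf "%s %s:%s via %s -> %s%s\n", proto, dst, dport, inif, to, flags
    }'
}

sample_nat_rules | nat_exposures
```

On a live gateway the same function can be fed with `iptables-save -t nat | nat_exposures`.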
2.6 DNAT case study
2.6.1 Modify the Windows network configuration
2.6.2 Modify the network card of the second virtual machine and restart
2.6.3 Set up DNAT conversion
2.6.4 Verify the results

3. Summary
SNAT and DNAT are a perfect interpretation of firewall data transmission.