iptables Firewall (Part 2: Lab Exercises)

Saving and Restoring Rules

Backing up and restoring firewall rules
Export (back up) the rules of all tables
iptables-save > /opt/ipt.txt

Import (restore) the rules
iptables-restore < /opt/ipt.txt


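Save the iptables rules to /etc/sysconfig/iptables; the iptables service restores the rules from this file automatically when it starts.
iptables-save > /etc/sysconfig/iptables
systemctl stop iptables                        # stopping the iptables service flushes the rules of all tables
systemctl start iptables                    # starting the iptables service restores the rules in /etc/sysconfig/iptables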

Save rules: iptables-save > FILE_PATH
Restore rules: iptables-restore < FILE_PATH
Save as the default rules: iptables-save > /etc/sysconfig/iptables

[root@l1 ~]# systemctl disable --now firewalld  // permanently disable the firewalld firewall
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@l1 ~]# 
[root@l1 ~]# yum install -y iptables iptables-services  // install both packages
已加载插件:fastestmirror, langpacks
Loading mirror speeds from cached hostfile
软件包 iptables-1.4.21-35.el7.x86_64 已安装并且是最新版本
正在解决依赖关系
--> 正在检查事务
---> 软件包 iptables-services.x86_64.0.1.4.21-35.el7 将被 安装
--> 解决依赖关系完成

依赖关系解决

=============================================================================================================================================================
 Package                                     架构                             版本                                     源                               大小
=============================================================================================================================================================
正在安装:
 iptables-services                           x86_64                           1.4.21-35.el7                            local                            52 k

事务概要
=============================================================================================================================================================
安装  1 软件包

总下载量:52 k
安装大小:23 k
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  正在安装    : iptables-services-1.4.21-35.el7.x86_64                                                                                                   1/1 
  验证中      : iptables-services-1.4.21-35.el7.x86_64                                                                                                   1/1 

已安装:
  iptables-services.x86_64 0:1.4.21-35.el7                                                                                                                   

完毕!
[root@l1 ~]# 

[root@l1 ~]# systemctl start iptables.service  // start the service
[root@l1 ~]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
[root@l1 ~]# iptables -nL -t filter 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@l1 ~]# 

Rules set so far are not saved permanently: a server reboot or a restart of the iptables service discards every rule that was written.

[root@l1 ~]# iptables -t filter -F
[root@l1 ~]# iptables -nL -t filter 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@l1 ~]# iptables -t filter -A INPUT -p tcp -m multiport --dport 20:23,53,80,443,111,2049 -j ACCEPT
[root@l1 ~]# iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@l1 ~]# iptables -t filter -A INPUT -j DROP
[root@l1 ~]# iptables -nL -t filter 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 20:23,53,80,443,111,2049
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@l1 ~]# 

Saving the rules

[root@l1 ~]# iptables-save > /opt/iptables.txt  // redirect the output to /opt/iptables.txt
[root@l1 ~]# vim /opt/iptables.txt 
[root@l1 ~]# iptables-restore < /opt/iptables.txt   // read the rules back in through input redirection
[root@l1 ~]# iptables -nL -t filter 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 20:23,53,80,443,111,2049
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@l1 ~]# 

Restoring the rules

[root@l1 ~]# iptables -t filter -F  // flush the rules
[root@l1 ~]# iptables -nL -t filter 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@l1 ~]# 

How to set the default rules

[root@l1 ~]# systemctl restart iptables.service // restart the service
[root@l1 ~]# iptables -nL -t filter   // the rules have been restored
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@l1 ~]# 

 

 

[root@l1 ~]# iptables-save > /etc/sysconfig/iptables // overwrite the default rules file
[root@l1 ~]# vim /etc/sysconfig/iptables
[root@l1 ~]# 

[root@l1 ~]# iptables -t filter -F  // flush the rules
[root@l1 ~]# iptables -nL -t filter   // list the rules
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@l1 ~]# systemctl restart iptables.service   // restart the service
[root@l1 ~]# iptables -nL -t filter     // list the rules (restored)
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 20:23,53,80,443,111,2049
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@l1 ~]# 
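
An added example (not part of the original post): whatever is written to /etc/sysconfig/iptables becomes the ruleset at every service start, so this shell function audits an iptables-save dump before it is saved. Both sample dumps are constructed; the first mirrors the three rules added above, the second is one assumed tightening (the 192.168.80.0/24 management subnet and the choice of public ports are assumptions).

```shell
#!/bin/sh
# Added example: audit the filter/INPUT part of an iptables-save dump.
# Findings are printed one per line; no output means nothing was flagged.
# On a live host (root): iptables-save | audit_ruleset

audit_ruleset() {
    awk '
    BEGIN {  # services better not offered to every source address
        risky[21] = "ftp"; risky[23] = "telnet"
        risky[111] = "rpcbind"; risky[2049] = "nfs"
    }
    /^\*/ { table = substr($0, 2) }
    table != "filter" { next }
    # Policy ACCEPT: after "iptables -F" the chain lets everything through.
    $1 == ":INPUT" || $1 == ":FORWARD" {
        if ($2 == "ACCEPT") print "POLICY_ACCEPT " substr($1, 2)
        else if ($1 == ":INPUT") deny = 1
        next
    }
    $1 != "-A" || $2 != "INPUT" { next }
    {
        target = ""; ports = ""; src = ""; iface = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-j") target = $(i + 1)
            else if ($i == "-s") src = $(i + 1)
            else if ($i == "-i") iface = $(i + 1)
            else if ($i == "--dport" || $i == "--dports") ports = $(i + 1)
        }
        # A match-less DROP/REJECT makes the chain default-deny.
        if ($3 == "-j" && (target == "DROP" || target == "REJECT")) deny = 1
        if (iface == "lo" && target == "ACCEPT") lo_ok = 1
        if (target != "ACCEPT" || src != "" || ports == "") next
        # Expand "20:23,53,..." and report risky ports open to any source.
        n = split(ports, item, ",")
        for (k = 1; k <= n; k++) {
            m = split(item[k], r, ":")
            first = r[1] + 0
            last = (m == 2 ? r[2] : r[1]) + 0
            for (p in risky)
                if (p + 0 >= first && p + 0 <= last)
                    print "OPEN_TO_ANY " p "/" risky[p]
        }
    }
    # Default-deny without a loopback rule breaks local 127.0.0.1 traffic.
    END { if (deny && !lo_ok) print "NO_LOOPBACK_ACCEPT" }
    ' | LC_ALL=C sort
}

# Constructed sample: what iptables-save emits for the three rules added above.
page_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m multiport --dports 20:23,53,80,443,111,2049 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# Constructed sample: an assumed tightening (DROP policies, loopback allowed,
# SSH/rpcbind/NFS limited to the internal subnet, only 53/80/443 public).
tightened_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.80.0/24 -p tcp -m multiport --dports 22,111,2049 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 53,80,443 -j ACCEPT
COMMIT
EOF
}

echo "Findings for the ruleset saved above:"
page_ruleset | audit_ruleset
```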


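tcpdump: the Linux packet capture tool

Protocol (tcp | udp | icmp)    port PORT [src/dst]    net NETWORK | host HOST_IP    -i INTERFACE  -s 0  -w XXX.cap

tcpdump tcp -i ens33 -t -s 0 -c 100 and port ! 22 and net 192.168.1.0/24 -w ./target.cap
(1) tcp: protocol options such as ip, icmp, arp, rarp, tcp, udp and icmp go in the first argument position and filter packets by type
(2) -i ens33: capture only packets that pass through interface ens33
(3) -t: do not display timestamps
(4) -s 0: by default only 68 bytes of each packet are captured; adding -s 0 captures complete packets
(5) -c 100: capture only 100 packets
(6) port ! 22: do not capture packets on port 22
(7) net 192.168.1.0/24: the packet's network address is 192.168.1.0/24
(8) -w ./target.cap: save to a cap file for analysis with ethereal (i.e. Wireshark)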

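Lab 1: SNAT

Gateway host: ens33 (left, connected to the internal network) 192.168.80.30; ens36 (right, connected to the external network) 12.0.0.30

Client 1: IP address 192.168.80.11, gateway 192.168.80.30 (ens33)

Client 2: IP address 192.168.80.20, gateway 192.168.80.30 (ens33)

External server: IP 12.0.0.12, gateway 12.0.0.30 (ens36)

SNAT: internal network --> external network, rewrites the source address
iptables  -t nat  -A POSTROUTING  -s <internal source address/subnet>  -o <outbound interface>  -j SNAT  --to <public source address to translate to>

Enable IP forwarding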

[root@l1 ~]# cat /proc/sys/net/ipv4/ip_forward
0
[root@l1 ~]# echo 1 > /proc/sys/net/ipv4/ip_forward^C
[root@l1 ~]# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
[root@l1 ~]# 

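This only takes effect temporarily; after a server reboot the value is reset to 0.

Permanent setting (set net.ipv4.ip_forward = 1 in /etc/sysctl.conf)

[root@l1 ~]# vim /etc/sysctl.conf  // the kernel parameter configuration file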
[root@l1 ~]# 

[root@l1 ~]# sysctl -p  // load the kernel settings from the configuration file
net.ipv4.ip_forward = 1
[root@l1 ~]# 
[root@l1 ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@l1 ~]# 
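
The SNAT template and the forwarding switch above, filled in for this lab's addresses as an added example (not from the original post; the function names are hypothetical). It goes beyond the page by also restricting the FORWARD and INPUT chains, which is an assumption about the intended policy. Loading through iptables-restore commits each table in one step, so there is no window with flushed rules and an ACCEPT policy.

```shell
#!/bin/sh
# Added example: generate and atomically load the gateway ruleset for the lab.

CIDR_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
IP_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
IF_RE='^[A-Za-z0-9_.-]{1,15}$'

# True only if $2 is a single line that matches ERE $1 in full, so a value
# cannot smuggle extra rule text into the file handed to iptables-restore.
# This is a shape check; iptables-restore --test does the real validation.
matches() {
    [ "$(printf '%s' "$2" | wc -l)" -eq 0 ] && printf '%s\n' "$2" | grep -Eq "$1"
}

# Usage: build_gateway_rules INSIDE_NET INSIDE_IF OUTSIDE_IF PUBLIC_IP
# Prints a ruleset in iptables-save format on stdout.
build_gateway_rules() {
    inside_net=$1 inside_if=$2 outside_if=$3 public_ip=$4
    matches "$CIDR_RE" "$inside_net" && matches "$IF_RE" "$inside_if" &&
    matches "$IF_RE" "$outside_if" && matches "$IP_RE" "$public_ip" || {
        echo "build_gateway_rules: invalid argument" >&2
        return 1
    }
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s ${inside_net} -o ${outside_if} -j SNAT --to-source ${public_ip}
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s ${inside_net} -i ${inside_if} -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s ${inside_net} -i ${inside_if} -o ${outside_if} -j ACCEPT
COMMIT
EOF
}

# Root only: syntax-check first, then load, enable forwarding and persist.
# Not called here; the arguments are the same as for build_gateway_rules.
apply_gateway_rules() {
    rules=$(build_gateway_rules "$@") || return 1
    printf '%s\n' "$rules" | iptables-restore --test || return 1
    printf '%s\n' "$rules" | iptables-restore || return 1
    sysctl -w net.ipv4.ip_forward=1
    iptables-save > /etc/sysconfig/iptables
}

# The lab topology from this page: internal 192.168.80.0/24 behind ens33,
# external address 12.0.0.30 on ens36.
build_gateway_rules 192.168.80.0/24 ens33 ens36 12.0.0.30
```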

SNAT forwarding

Gateway server

Clients: internal hosts

Client 2 is configured the same way

Web server: external server

Gateway server configuration

[root@l1 ~]# systemctl disable --now firewalld
[root@l1 ~]# yum install -y iptables iptables-services
已加载插件:fastestmirror, langpacks
Loading mirror speeds from cached hostfile
软件包 iptables-1.4.21-35.el7.x86_64 已安装并且是最新版本
软件包 iptables-services-1.4.21-35.el7.x86_64 已安装并且是最新版本
无须任何处理
[root@l1 ~]# systemctl start iptables
[root@l1 ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@l1 ~]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: active (exited) since 四 2024-05-23 11:41:28 CST; 27s ago
 Main PID: 2582 (code=exited, status=0/SUCCESS)
    Tasks: 0
   CGroup: /system.slice/iptables.service

5月 23 11:41:28 l1 systemd[1]: Starting IPv4 firewall with iptables...
5月 23 11:41:28 l1 iptables.init[2582]: iptables: Applying firewall rules: …  ]
5月 23 11:41:28 l1 systemd[1]: Started IPv4 firewall with iptables.
Hint: Some lines were ellipsized, use -l to show in full.
[root@l1 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

[root@l1 network-scripts]# cd /etc/sysconfig/network-scripts/
[root@l1 network-scripts]# ls
ifcfg-ens33       ifdown-bnep  ifdown-ipv6  ifdown-routes    ifdown-tunnel  ifup-eth   ifup-isdn   ifup-ppp     ifup-TeamPort     network-functions
ifcfg-lo          ifdown-eth   ifdown-isdn  ifdown-sit       ifup           ifup-ib    ifup-plip   ifup-routes  ifup-tunnel       network-functions-ipv6
ifcfg-有线连接_1  ifdown-ib    ifdown-post  ifdown-Team      ifup-aliases   ifup-ippp  ifup-plusb  ifup-sit     ifup-wireless     route-有线连接_1
ifdown            ifdown-ippp  ifdown-ppp   ifdown-TeamPort  ifup-bnep      ifup-ipv6  ifup-post   ifup-Team    init.ipv6-global
[root@l1 network-scripts]# vim ifcfg-ens33
[root@l1 network-scripts]# 
[root@l1 network-scripts]# vim ifcfg-ens33

Internal network: ens33
[root@l1 network-scripts]# vim ifcfg-ens33

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=bb54a700-e209-4a22-a2a3-d4facf68b2b4
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.80.30
NETMASK=255.255.255.0
#GATEWAY=192.168.80.2
#DNS1=114.114.114.114
External network: ens36
[root@l1 network-scripts]# vim ifcfg-ens36

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens36
DEVICE=ens36
ONBOOT=yes
IPADDR=12.0.0.30
NETMASK=255.255.255.0
[root@l1 network-scripts]# systemctl restart network  // restart networking
[root@l1 ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@l1 ~]# ifconfig 
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.80.30  netmask 255.255.255.0  broadcast 192.168.80.255
        inet6 fe80::523e:232a:d39b:b32f  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:87:fc:b2  txqueuelen 1000  (Ethernet)
        RX packets 397  bytes 34591 (33.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 413  bytes 35175 (34.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens36: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 00:0c:29:87:fc:bc  txqueuelen 1000  (Ethernet)
        RX packets 23  bytes 2871 (2.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 475  bytes 78490 (76.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 222  bytes 20050 (19.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 222  bytes 20050 (19.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:cc:65:de  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@l1 ~]# cd /etc/sysconfig/network-scripts/
[root@l1 network-scripts]# ls
ifcfg-ens33  ifdown-ppp       ifup-ib      ifup-Team
ifcfg-lo     ifdown-routes    ifup-ippp    ifup-TeamPort
ifdown       ifdown-sit       ifup-ipv6    ifup-tunnel
ifdown-bnep  ifdown-Team      ifup-isdn    ifup-wireless
ifdown-eth   ifdown-TeamPort  ifup-plip    init.ipv6-global
ifdown-ib    ifdown-tunnel    ifup-plusb   network-functions
ifdown-ippp  ifup             ifup-post    network-functions-ipv6
ifdown-ipv6  ifup-aliases     ifup-ppp
ifdown-isdn  ifup-bnep        ifup-routes
ifdown-post  ifup-eth         ifup-sit
[root@l1 network-scripts]# ifconfig 
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.80.30  netmask 255.255.255.0  broadcast 192.168.80.255
        inet6 fe80::523e:232a:d39b:b32f  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:87:fc:b2  txqueuelen 1000  (Ethernet)
        RX packets 464  bytes 39748 (38.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 476  bytes 44868 (43.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens36: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::a0bd:6d4f:1a86:6806  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:87:fc:bc  txqueuelen 1000  (Ethernet)
        RX packets 24  bytes 3114 (3.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 504  bytes 82656 (80.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 230  bytes 20682 (20.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 230  bytes 20682 (20.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:cc:65:de  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@l1 network-scripts]# vim ifcfg-ens3
[root@l1 network-scripts]# vim ifcfg-ens33
[root@l1 network-scripts]# vim ifcfg-ens33
[root@l1 network-scripts]# vim ifcfg-ens36
[root@l1 network-scripts]# vim ifcfg-ens36
[root@l1 network-scripts]# vim ifcfg-ens36
[root@l1 network-scripts]# vim ifcfg-ens33
[root@l1 network-scripts]# vim ifcfg-ens36
[root@l1 network-scripts]# vim ifcfg-ens36
[root@l1 network-scripts]# systemctl restart network
[root@l1 network-scripts]# ifc
ifcfg     ifconfig  
[root@l1 network-scripts]# ifconfig 
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.80.30  netmask 255.255.255.0  broadcast 192.168.80.255
        inet6 fe80::523e:232a:d39b:b32f  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:87:fc:b2  txqueuelen 1000  (Ethernet)
        RX packets 1527  bytes 125929 (122.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1222  bytes 154371 (150.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens36: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 12.0.0.30  netmask 255.255.255.0  broadcast 12.0.0.255
        inet6 fe80::cfd7:6dd8:9716:71a3  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:87:fc:bc  txqueuelen 1000  (Ethernet)
        RX packets 25  bytes 3357 (3.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 631  bytes 103125 (100.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 382  bytes 32994 (32.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 382  bytes 32994 (32.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:cc:65:de  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@l1 network-scripts]# 
Client 1
[root@l2 ~]# ifconfig 
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.18.20  netmask 255.255.255.0  broadcast 192.168.18.255
        inet6 fe80::ef42:44d7:112c:7393  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:66:38:ff  txqueuelen 1000  (Ethernet)
        RX packets 3908  bytes 3856097 (3.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1554  bytes 116286 (113.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 37  bytes 3812 (3.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 37  bytes 3812 (3.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:0f:a7:1a  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@l2 ~]# vim /etc/sysc vim /etc/sysc
还有 3 个文件等待编辑
[root@l2 ~]#  vim /etc/sysc
[root@l2 ~]# vim /etc/sysconfig/network-scripts/ens33
[root@l2 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
[root@l2 ~]# systemctl restart network
[root@l2 ~]# 

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=b0bf3db5-b099-4770-96cf-0e3179f56bd1
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.80.11
NETMASK=255.255.255.0
GATEWAY=192.168.80.30


[root@l2 network-scripts]# systemctl restart network
[root@l2 network-scripts]# 
[root@l2 network-scripts]# systemctl stop firewalld
[root@l2 network-scripts]# setenforce 0
[root@l2 network-scripts]# 

Client 2
[root@l3 ~]# cd
[root@l3 ~]# cd /etc//sysconfig/network-scripts/
[root@l3 network-scripts]# vim ifcfg-ens3
[root@l3 network-scripts]# vim ifcfg-ens33
[root@l3 network-scripts]# ls
ifcfg-ens33  ifdown-ppp       ifup-ib      ifup-Team
ifcfg-lo     ifdown-routes    ifup-ippp    ifup-TeamPort
ifdown       ifdown-sit       ifup-ipv6    ifup-tunnel
ifdown-bnep  ifdown-Team      ifup-isdn    ifup-wireless
ifdown-eth   ifdown-TeamPort  ifup-plip    init.ipv6-global
ifdown-ib    ifdown-tunnel    ifup-plusb   network-functions
ifdown-ippp  ifup             ifup-post    network-functions-ipv6
ifdown-ipv6  ifup-aliases     ifup-ppp
ifdown-isdn  ifup-bnep        ifup-routes
ifdown-post  ifup-eth         ifup-sit
[root@l3 network-scripts]# 


[root@l3 network-scripts]# ifconfig 
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.18.30  netmask 255.255.255.0  broadcast 192.168.18.255
        inet6 fe80::4367:bd86:d4c9:c296  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:c9:0b:e0  txqueuelen 1000  (Ethernet)
        RX packets 383345  bytes 562327116 (536.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 51994  bytes 3184636 (3.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 221  bytes 18940 (18.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 221  bytes 18940 (18.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:1e:49:a2  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@l3 network-scripts]# cd /etc//sysconfig/network-scripts/
[root@l3 network-scripts]# vim ifcfg-ens33
[root@l3 network-scripts]# systemctl restart net
netcf-transaction.service  network.service
network-online.target      
[root@l3 network-scripts]# systemctl restart networkw
Failed to restart networkw.service: Unit not found.
[root@l3 network-scripts]# systemctl restart network
[root@l3 network-scripts]# 

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=518f05a5-256a-45cf-bf88-e8e365e57bff
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.80.20
NETMASK=255.255.255.0
GATEWAY=192.168.80.30
[root@l3 ~]# systemctl stop firewalld
[root@l3 ~]# setenforce 0
[root@l3 ~]# 
Client 1 and client 2 ping the gateway server

Gateway server: flush the rules

[root@l1 network-scripts]# iptables -F
[root@l1 network-scripts]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@l1 network-scripts]# iptables -t nat -F
[root@l1 network-scripts]# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
[root@l1 network-scripts]# 

External server

[root@localhost network-scripts]# ifconfig 
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 12.0.0.12  netmask 255.255.255.0  broadcast 12.0.0.255
        inet6 fe80::149b:989c:c2fc:e0e0  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:3d:ca:57  txqueuelen 1000  (Ethernet)
        RX packets 304  bytes 72391 (70.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 200  bytes 25274 (24.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1048  bytes 90856 (88.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1048  bytes 90856 (88.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:e5:c7:15  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@localhost network-scripts]# vim ifcfg-ens33
[root@localhost network-scripts]# systemctl restart network
[root@localhost network-scripts]# vim ifcfg-ens33
[root@localhost network-scripts]# ifconfig 
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 12.0.0.12  netmask 255.255.255.0  broadcast 12.0.0.255
        inet6 fe80::149b:989c:c2fc:e0e0  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:3d:ca:57  txqueuelen 1000  (Ethernet)
        RX packets 304  bytes 72391 (70.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 239  bytes 30819 (30.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1184  bytes 102648 (100.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1184  bytes 102648 (100.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:e5:c7:15  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=db5dc291-4aff-4027-be90-8bc167e8ffaa
DEVICE=ens33
ONBOOT=yes
IPADDR=12.0.0.12
NETMASK=255.255.255.0
GATEWAY=12.0.0.30
[root@localhost network-scripts]# systemctl restart network  // restart networking
[root@l3 network-scripts]# systemctl stop firewalld   // stop the firewall
[root@l3 network-scripts]# setenforce 0
[root@l3 network-scripts]# 

[root@localhost ~]# yum install -y httpd  // install the httpd package
已加载插件:fastestmirror, langpacks
Loading mirror speeds from cached hostfile
正在解决依赖关系
--> 正在检查事务
---> 软件包 httpd.x86_64.0.2.4.6-97.el7.centos.5 将被 安装
--> 正在处理依赖关系 httpd-tools = 2.4.6-97.el7.centos.5,它被软件包 httpd-2.4.6-97.el7.centos.5.x86_64 需要
--> 正在处理依赖关系 /etc/mime.types,它被软件包 httpd-2.4.6-97.el7.centos.5.x86_64 需要
--> 正在检查事务
---> 软件包 httpd-tools.x86_64.0.2.4.6-97.el7.centos.5 将被 安装
---> 软件包 mailcap.noarch.0.2.1.41-2.el7 将被 安装
--> 解决依赖关系完成

依赖关系解决

==================================================================
 Package        架构      版本                     源        大小
==================================================================
正在安装:
 httpd          x86_64    2.4.6-97.el7.centos.5    local    2.7 M
为依赖而安装:
 httpd-tools    x86_64    2.4.6-97.el7.centos.5    local     94 k
 mailcap        noarch    2.1.41-2.el7             local     31 k

事务概要
==================================================================
安装  1 软件包 (+2 依赖软件包)

总下载量:2.8 M
安装大小:9.6 M
Downloading packages:
------------------------------------------------------------------
总计                                  34 MB/s | 2.8 MB  00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  正在安装    : httpd-tools-2.4.6-97.el7.centos.5.x86_64      1/3 
  正在安装    : mailcap-2.1.41-2.el7.noarch                   2/3 
  正在安装    : httpd-2.4.6-97.el7.centos.5.x86_64            3/3 
  验证中      : mailcap-2.1.41-2.el7.noarch                   1/3 
  验证中      : httpd-tools-2.4.6-97.el7.centos.5.x86_64      2/3 
  验证中      : httpd-2.4.6-97.el7.centos.5.x86_64            3/3 

已安装:
  httpd.x86_64 0:2.4.6-97.el7.centos.5                            

作为依赖被安装:
  httpd-tools.x86_64 0:2.4.6-97.el7.centos.5                      
  mailcap.noarch 0:2.1.41-2.el7                                   

完毕!
[root@localhost ~]# systemctl start httpd
[root@localhost ~]# netstat -lntp | grep :80 // the Apache port is listening
tcp6       0      0 :::80                   :::*                    LISTEN      61993/httpd         
[root@localhost ~]# 

Everything is configured; now verify.

Gateway server

[root@l1 network-scripts]# ping 192.168.80.30
PING 192.168.80.30 (192.168.80.30) 56(84) bytes of data.
64 bytes from 192.168.80.30: icmp_seq=1 ttl=64 time=0.061 ms
64 bytes from 192.168.80.30: icmp_seq=2 ttl=64 time=0.041 ms
64 bytes from 192.168.80.30: icmp_seq=3 ttl=64 time=0.042 ms
64 bytes from 192.168.80.30: icmp_seq=4 ttl=64 time=0.065 ms
64 bytes from 192.168.80.30: icmp_seq=5 ttl=64 time=0.043 ms
64 bytes from 192.168.80.30: icmp_seq=6 ttl=64 time=0.043 ms
64 bytes from 192.168.80.30: icmp_seq=7 ttl=64 time=0.052 ms
64 bytes from 192.168.80.30: icmp_seq=8 ttl=64 time=0.045 ms
64 bytes from 192.168.80.30: icmp_seq=9 ttl=64 time=0.043 ms
64 bytes from 192.168.80.30: icmp_seq=10 ttl=64 time=0.043 ms
[root@l1 network-scripts]# ping 12.0.0.30
PING 12.0.0.30 (12.0.0.30) 56(84) bytes of data.
64 bytes from 12.0.0.30: icmp_seq=1 ttl=64 time=0.025 ms
64 bytes from 12.0.0.30: icmp_seq=2 ttl=64 time=0.043 ms
64 bytes from 12.0.0.30: icmp_seq=3 ttl=64 time=0.042 ms
64 bytes from 12.0.0.30: icmp_seq=4 ttl=64 time=0.041 ms
64 bytes from 12.0.0.30: icmp_seq=5 ttl=64 time=0.039 ms
64 bytes from 12.0.0.30: icmp_seq=6 ttl=64 time=0.041 ms
64 bytes from 12.0.0.30: icmp_seq=7 ttl=64 time=0.044 ms
64 bytes from 12.0.0.30: icmp_seq=8 ttl=64 time=0.041 ms
^C
--- 12.0.0.30 ping statistics ---
8 packets transmitted, 8 received, 0% packet loss, time 6999ms
rtt min/avg/max/mdev = 0.025/0.039/0.044/0.008 ms
[root@l1 network-scripts]# 

Both addresses can be pinged.

Gateway server

=0: ping fails

Client 1
[root@l2 ~]# 
[root@l2 ~]# ping 192.168.80.30
PING 192.168.80.30 (192.168.80.30) 56(84) bytes of data.
64 bytes from 192.168.80.30: icmp_seq=1 ttl=64 time=0.273 ms
64 bytes from 192.168.80.30: icmp_seq=2 ttl=64 time=0.182 ms
64 bytes from 192.168.80.30: icmp_seq=3 ttl=64 time=0.293 ms
64 bytes from 192.168.80.30: icmp_seq=4 ttl=64 time=0.173 ms
^C
--- 192.168.80.30 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.173/0.230/0.293/0.054 ms
[root@l2 ~]# ping 12.0.0.30
PING 12.0.0.30 (12.0.0.30) 56(84) bytes of data.
64 bytes from 12.0.0.30: icmp_seq=1 ttl=64 time=0.214 ms
64 bytes from 12.0.0.30: icmp_seq=2 ttl=64 time=0.177 ms
64 bytes from 12.0.0.30: icmp_seq=3 ttl=64 time=0.245 ms
64 bytes from 12.0.0.30: icmp_seq=4 ttl=64 time=0.229 ms
64 bytes from 12.0.0.30: icmp_seq=5 ttl=64 time=0.262 ms
^C
--- 12.0.0.30 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3999ms
rtt min/avg/max/mdev = 0.177/0.225/0.262/0.031 ms
[root@l2 ~]# ping 12.0.0.12
PING 12.0.0.12 (12.0.0.12) 56(84) bytes of data.
64 bytes from 12.0.0.12: icmp_seq=1 ttl=63 time=1.06 ms
64 bytes from 12.0.0.12: icmp_seq=2 ttl=63 time=0.850 ms
64 bytes from 12.0.0.12: icmp_seq=3 ttl=63 time=0.485 ms
64 bytes from 12.0.0.12: icmp_seq=4 ttl=63 time=2.03 ms
64 bytes from 12.0.0.12: icmp_seq=5 ttl=63 time=0.392 ms
^C
--- 12.0.0.12 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4003ms
rtt min/avg/max/mdev = 0.392/0.966/2.034/0.587 ms
[root@l2 ~]# 
External server

Client 1
[root@l2 ~]# ping 12.0.0.12
PING 12.0.0.12 (12.0.0.12) 56(84) bytes of data.
64 bytes from 12.0.0.12: icmp_seq=1 ttl=63 time=0.635 ms
64 bytes from 12.0.0.12: icmp_seq=2 ttl=63 time=0.417 ms
64 bytes from 12.0.0.12: icmp_seq=3 ttl=63 time=0.471 ms
64 bytes from 12.0.0.12: icmp_seq=4 ttl=63 time=1.83 ms
64 bytes from 12.0.0.12: icmp_seq=5 ttl=63 time=0.668 ms
64 bytes from 12.0.0.12: icmp_seq=6 ttl=63 time=0.469 ms
64 bytes from 12.0.0.12: icmp_seq=7 ttl=63 time=3.92 ms
64 bytes from 12.0.0.12: icmp_seq=8 ttl=63 time=5.65 ms
64 bytes from 12.0.0.12: icmp_seq=9 ttl=63 time=0.438 ms
64 bytes from 12.0.0.12: icmp_seq=10 ttl=63 time=0.556 ms
64 bytes from 12.0.0.12: icmp_seq=11 ttl=63 time=0.437 ms
64 bytes from 12.0.0.12: icmp_seq=12 ttl=63 time=0.338 ms
64 bytes from 12.0.0.12: icmp_seq=13 ttl=63 time=0.348 ms
64 bytes from 12.0.0.12: icmp_seq=14 ttl=63 time=0.409 ms
64 bytes from 12.0.0.12: icmp_seq=15 ttl=63 time=0.583 ms
64 bytes from 12.0.0.12: icmp_seq=16 ttl=63 time=0.474 ms
^C
--- 12.0.0.12 ping statistics ---
16 packets transmitted, 16 received, 0% packet loss, time 15010ms
rtt min/avg/max/mdev = 0.338/1.103/5.652/1.465 ms
[root@l2 ~]# 
External server

[root@localhost ~]# tcpdump -i ens33 -s 0 -w ./test1.cap
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
^C196 packets captured
198 packets received by filter
0 packets dropped by kernel
[root@localhost ~]# ls
anaconda-ks.cfg       test1.cap  模板  图片  下载  桌面
initial-setup-ks.cfg  公共       视频  文档  音乐
[root@localhost ~]# sz test1.cap
[root@localhost ~]# 

 

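In a real environment, the client 192.168.80.11 cannot ping the external server 12.0.0.12: a private source address is not routable on the external network, so the replies have no path back. That is why the gateway needs an SNAT rule.

Gateway server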

[root@l1 ~]# iptables -F nat
iptables: No chain/target/match by that name.
[root@l1 ~]# iptables -t nat -F
[root@l1 ~]# iptables -t nat -A POSTROUTING -s 192.168.80.0/24 -o ens36 -j SNAT --to 12.0.0.30
[root@l1 ~]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  192.168.80.0/24      0.0.0.0/0            to:12.0.0.30
[root@l1 ~]# 

External server
[root@localhost ~]# tcpdump -i ens33 -s 0 -w ./test2.cap  //capture packets into test2.cap
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
^C26 packets captured
Client 1
[root@l2 ~]# ping -c 10 12.0.0.12  //send ten ping packets
PING 12.0.0.12 (12.0.0.12) 56(84) bytes of data.
64 bytes from 12.0.0.12: icmp_seq=1 ttl=63 time=0.440 ms
64 bytes from 12.0.0.12: icmp_seq=2 ttl=63 time=0.373 ms
64 bytes from 12.0.0.12: icmp_seq=3 ttl=63 time=0.362 ms
64 bytes from 12.0.0.12: icmp_seq=4 ttl=63 time=0.455 ms
64 bytes from 12.0.0.12: icmp_seq=5 ttl=63 time=0.468 ms
64 bytes from 12.0.0.12: icmp_seq=6 ttl=63 time=0.553 ms
64 bytes from 12.0.0.12: icmp_seq=7 ttl=63 time=0.427 ms
64 bytes from 12.0.0.12: icmp_seq=8 ttl=63 time=0.406 ms
64 bytes from 12.0.0.12: icmp_seq=9 ttl=63 time=0.648 ms
64 bytes from 12.0.0.12: icmp_seq=10 ttl=63 time=0.359 ms

--- 12.0.0.12 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9001ms
rtt min/avg/max/mdev = 0.359/0.449/0.648/0.086 ms
[root@l2 ~]# 

Export the capture from the external server

[root@localhost ~]# sz test2.cap
[root@localhost ~]# 
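
The two captures let you compare what the external server sees before and after the SNAT rule. As an added example (not part of the original post), the script below reads the text printed by `tcpdump -nn -r <file> icmp` and reports whether echo requests still arrive with a 192.168.80.x source; the sample lines are constructed, not taken from test1.cap or test2.cap.

```shell
#!/bin/sh
# Added example: check, from the external server's side, whether SNAT rewrote
# the source address. Input is text printed by `tcpdump -nn -r FILE icmp`.

INTERNAL_PREFIX="192.168.80."   # lab internal subnet 192.168.80.0/24
SNAT_ADDR="12.0.0.30"           # gateway ens36 address given to --to

# Print "<source> <count>" for every source of ICMP echo requests on stdin.
echo_request_sources() {
    awk '$2 == "IP" && /ICMP echo request/ { n[$3]++ }
         END { for (s in n) print s, n[s] }' | sort
}

# Print "LEAK n" if n requests still carry an internal source address,
# "SNAT_OK n" if none do and n requests come from SNAT_ADDR, else "NO_DATA".
snat_verdict() {
    echo_request_sources | awk -v pre="$INTERNAL_PREFIX" -v nat="$SNAT_ADDR" '
        index($1, pre) == 1 { leak += $2 }
        $1 == nat           { ok += $2 }
        END {
            if (leak > 0)    print "LEAK " leak
            else if (ok > 0) print "SNAT_OK " ok
            else             print "NO_DATA"
        }'
}

# Constructed sample lines (not taken from test1.cap / test2.cap).
sample_before_snat() { cat <<'EOF'
10:00:01.000100 IP 192.168.80.11 > 12.0.0.12: ICMP echo request, id 3001, seq 1, length 64
10:00:01.000180 IP 12.0.0.12 > 192.168.80.11: ICMP echo reply, id 3001, seq 1, length 64
10:00:02.000120 IP 192.168.80.11 > 12.0.0.12: ICMP echo request, id 3001, seq 2, length 64
10:00:02.000190 IP 12.0.0.12 > 192.168.80.11: ICMP echo reply, id 3001, seq 2, length 64
EOF
}
sample_after_snat() { cat <<'EOF'
10:05:01.000100 IP 12.0.0.30 > 12.0.0.12: ICMP echo request, id 3002, seq 1, length 64
10:05:01.000170 IP 12.0.0.12 > 12.0.0.30: ICMP echo reply, id 3002, seq 1, length 64
10:05:02.000110 IP 12.0.0.30 > 12.0.0.12: ICMP echo request, id 3002, seq 2, length 64
10:05:02.000175 IP 12.0.0.12 > 12.0.0.30: ICMP echo reply, id 3002, seq 2, length 64
EOF
}

echo "before: $(sample_before_snat | snat_verdict)"
echo "after:  $(sample_after_snat | snat_verdict)"
```

On the external server, `tcpdump -nn -r test2.cap icmp | snat_verdict` should print SNAT_OK once the POSTROUTING rule is active.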

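 Summary

Gateway host: ens33 (left, connected to the internal network) 192.168.80.30; ens36 (right, connected to the external network) 12.0.0.30

Client 1: IP address set to 192.168.80.11, gateway set to ens33, 192.168.80.30

Client 2: IP address set to 192.168.80.20, gateway set to ens33, 192.168.80.30

External server: IP 12.0.0.12, gateway set to ens36, 12.0.0.30

SNAT    internal network --> external network   translates the source address
iptables  -t nat  -A POSTROUTING  -s <internal source address/subnet>  -o <outbound interface>  -j SNAT  --to <public source address to translate to>

Experiment 2: DNAT

DNAT   external network --> internal network   translates the destination address:port
iptables  -t nat  -A PREROUTING   -i <inbound interface>  -d <original public destination address>  -p <protocol> --dport <original destination port>  -j DNAT  --to <internal destination address to translate to>:<port>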
