网络防火墙之DNAT

网络防火墙

NAT
NAT: network address translation
  PREROUTING,INPUT,OUTPUT,POSTROUTING
  请求报文:修改源/目标IP,由定义如何修改
  响应报文:修改源/目标IP,根据跟踪机制自动实现
DNAT:destination NAT PREROUTING , OUTPUT
  把本地网络中的主机上的某服务开放给外部网络访问(发布服务和端口映射),但隐藏真实IP
  请求报文:修改目标IP
PNAT: port nat,端口和IP都进行修改
 
准备:
firewall:开启ip_forward功能
  [root@firewall ~]#vim /etc/sysctl.conf
  net.ipv4.ip_forward = 1
  [root@firewall ~]#sysctl -p
  [root@firewall ~]#sysctl -a
 
 
场景:外网访问内外对外开放的服务(防火墙IP2应该是192.168.37.121)
 
可理解为反向代理,但DNAT只能实现端口一对一映射,无法代理多台后台映射,LVS调度器,NGINX方向代理等服务可实现1对多代理映射:
 
DNAT
  --to-destination [ipaddr[-ipaddr]][:port[-port]]
规范:iptables -t nat -A PREROUTING -d ExtIP -p tcp|udp --dport PORT -j DNAT --to-destination InterSeverIP[:PORT]
示例:
iptables -t nat -A PREROUTING -s 0/0 -d 192.168.37.121 -p tcp --dport 22 -j DNAT --to-destination 10.0.0.108
iptables -t nat -A PREROUTING -s 0/0 -d 192.168.37.121 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.108:80
示例:在nat表的PREROUTING添加策略
 1 [root@firewall-121 ~]# iptables -t nat -A PREROUTING -d 192.168.37.121 -p tcp --dport 80  -j DNAT --to-destination 10.0.0.108:80
 2 #/防火墙抓包/
 3 [root@firewall-121 ~]# tcpdump -i ens37 -nn host 192.168.37.122
 4 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 5 listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes
 6 10:25:25.526290 IP 192.168.37.122.40280 > 192.168.37.121.80: Flags [S], seq 1591772444, win 29200, options [mss 1460,sackOK,TS val 4906758 ecr 0,nop,wscale 7], length 0
 7 10:25:25.526493 IP 192.168.37.121.80 > 192.168.37.122.40280: Flags [S.], seq 392735740, ack 1591772445, win 28960, options [mss 1460,sackOK,TS val 7596254 ecr 4906758,nop,wscale 7], length 0
 8 #/模拟内网,抓包/
 9 [root@CentOS7-108 ~]# tcpdump -i ens33 -nn host 192.168.37.122
10 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
11 listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
12 10:25:24.974946 IP 192.168.37.122.40280 > 10.0.0.108.80: Flags [S], seq 1591772444, win 29200, options [mss 1460,sackOK,TS val 4906758 ecr 0,nop,wscale 7], length 0
13 10:25:24.974982 IP 10.0.0.108.80 > 192.168.37.122.40280: Flags [S.], seq 392735740, ack 1591772445, win 28960, options [mss 1460,sackOK,TS val 7596254 ecr 4906758,nop,wscale 7], length 0
View Code

 

posted @ 2024-08-29 08:39  起点·漫步前行  阅读(89)  评论(0)    收藏  举报