返回总目录页

iptables使用详解(centos7)

 

安装前

里面有iptables的命令
[root@mcw01 ~]$ rpm -qa|grep iptables
iptables-1.4.21-18.0.1.el7.centos.x86_64
[root@mcw01 ~]$ rpm -ql iptables
/etc/sysconfig/ip6tables-config
/etc/sysconfig/iptables-config
/usr/bin/iptables-xml
。..........
/usr/sbin/ip6tables
/usr/sbin/ip6tables-restore
/usr/sbin/ip6tables-save
/usr/sbin/iptables  #iptables管理命令
/usr/sbin/iptables-restore
/usr/sbin/iptables-save
/usr/sbin/xtables-multi
.....
[root@mcw01 ~]$ 

我们需要安装iptables-services,用来启动和停止iptables服务

[root@mcw01 ~]$ yum list all|grep iptables-services
iptables-services.x86_64                 1.4.21-35.el7                 base     
[root@mcw01 ~]$ yum install -y iptables-services
[root@mcw01 ~]$  rpm -ql iptables-services
/etc/sysconfig/ip6tables
/etc/sysconfig/iptables  #防火墙配置就是这个
/usr/lib/systemd/system/ip6tables.service
/usr/lib/systemd/system/iptables.service    #服务启动停止文件
/usr/libexec/initscripts/legacy-actions/ip6tables
/usr/libexec/initscripts/legacy-actions/ip6tables/panic
/usr/libexec/initscripts/legacy-actions/ip6tables/save
/usr/libexec/initscripts/legacy-actions/iptables
/usr/libexec/initscripts/legacy-actions/iptables/panic
/usr/libexec/initscripts/legacy-actions/iptables/save
/usr/libexec/iptables
/usr/libexec/iptables/ip6tables.init
/usr/libexec/iptables/iptables.init
[root@mcw01 ~]$ 



modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_state

[root@mcw01 ~]$ lsmod|egrep 'filter|nat|iptable'  #默认是没有开启这些内核模块的
[root@mcw01 ~]$ 
[root@mcw01 ~]$ modprobe ip_tables    #加载这些模块,应该写进配置,即使重启了也加载,永久性修改生效。
[root@mcw01 ~]$ modprobe iptable_filter
[root@mcw01 ~]$ modprobe iptable_nat
[root@mcw01 ~]$ modprobe ip_conntrack
[root@mcw01 ~]$ modprobe ip_conntrack_ftp
[root@mcw01 ~]$ modprobe ip_nat_ftp
[root@mcw01 ~]$ modprobe ipt_state

加载内核模块的配置在/etc/modprobe.d/目录下
[root@mcw01 ~]$ ls /etc/modprobe.d/
tuned.conf
[root@mcw01 ~]$ 
[root@mcw01 ~]$ tail -7 /etc/rc.local #也可以直接加到开机自启动文件里
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_state
[root@mcw01 ~]$ 


然后再检查下,现在有这些内核模块了
[root@mcw01 ~]$ lsmod|egrep 'filter|nat|iptable'
nf_nat_ftp             12770  0 
nf_conntrack_ftp       18638  1 nf_nat_ftp
iptable_nat            12875  0 
nf_nat_ipv4            14115  1 iptable_nat
nf_nat                 26787  2 nf_nat_ftp,nf_nat_ipv4
nf_conntrack          133387  6 nf_nat_ftp,nf_nat,xt_state,nf_nat_ipv4,nf_conntrack_ftp,nf_conntrack_ipv4
iptable_filter         12810  0 
ip_tables              27115  2 iptable_filter,iptable_nat
libcrc32c              12644  4 xfs,sctp,nf_nat,nf_conntrack
[root@mcw01 ~]$ 

关闭firewalld,开启iptables

关闭firewalld
systemctl stop firewalld 
systemctl disable firewalld
systemctl is-active firewalld.service
systemctl is-enabled firewalld.service

[root@mcw01 ~]$ systemctl stop firewalld 
[root@mcw01 ~]$ systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@mcw01 ~]$ systemctl is-active firewalld.service   #只有不活跃,就关闭了,只有禁用了就不会开机自启了
unknown
[root@mcw01 ~]$ systemctl is-enabled firewalld.service 
disabled
[root@mcw01 ~]$

开启iptables
systemctl start iptables.service
systemctl enable iptables.service
[root@mcw01 ~]$ systemctl start iptables.service 
[root@mcw01 ~]$ systemctl enable iptables.service 
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@mcw01 ~]$ 


[root@mcw01 ~]$ iptables -Ln  #写反了什么都没有
iptables: No chain/target/match by that name.
[root@mcw01 ~]$ iptables -nL #这里默认显示的是filter表的。这里有filter表的input链,forword链,和output链
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
#用户请求来的时候,默认先从input链这里一行一行规则往下匹配,如果都没有匹配上了,就走input链后面的小括号里面的规则,
#这里是(policy ACCEPT),小括号里面表示默认规则

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ 

学习前环境准备

清除所有的iptables规则
--flush   -F [chain]        Delete all rules in  chain or all chains  清除所有规则
  --delete-chain    -X [chain]        Delete a user-defined chain  删除用户自定义的规则
  --zero    -Z [chain [rulenum]]    Zero counters in chain or all chains  清除链的计数器

清除所有规则,但不会清除默认规则
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ iptables -F  #清除所有的iptables规则
[root@mcw01 ~]$ iptables -nL  #再次查看,安装好后默认设置的规则都清除掉了
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ 

禁止访问22端口(指定端口)

 --append  -A chain        Append to chain  #追加链,追加是放到最下面,如果是拒绝的规则,那么应该放到最上面才防止未匹配到而失效。
--delete  -D chain        Delete matching rule from chain
--insert  -I chain [rulenum]      Insert in chain as rulenum (default 1=first)  #把规则放到前面,插入,一般拒绝的规则放到前面
--jump    -j target    target for rule (may load target extension)  #匹配到规则需要做的动作,满足条件后的动作,比如:DROP/ACCEPT/REJECT 拒绝,接受,拒绝

--dport 目标端口, -d 目标ip    --sport源端口
 -A添加规则;INPUT,我要在INPUT链中添加规则。是需要指定端口还是ip呢,这里是22端口,指定端口的话一般要先指定协议(协议一般这里有tcp,udp,icmp,all就是所有),端口在网络中一般有两种情况,ip也是有两种情况,就是目标端口,源端口,目标ip,源ip,我这里是禁止访问22端口,也就是端口是目标端口,所以--dport 22;需要禁止访问,那就是 -j DROP ,这个DROP要大写

iptables  -A INPUT -p tcp --dport 22 -j DROP
iptables  -t filter -A INPUT -p tcp --dport 22 -j DROP

需要谨慎,看清了。这里是演示,如果真的把22端口禁了,就连不上了。我这里是虚拟机,可以在VMware上把这条规则清除掉重新远程连接

如果我们只是想清除一条规则,可以先执行
iptables -nL --line-numbers
查看到是第几条链,防止眼睛数错行。这里是在INPUT链上的第一条规则,然后执行删除这条规则.清除之后,22端口就能重新连接了
iptables -D INPUT 1 

如下,我禁用23端口和解除23端口的过程
[root@mcw01 ~]$ iptables  -A INPUT -p tcp --dport 23 -j DROP  #未指定默认是filter表了;添加;在input链上;tcp协议,目标端口23;来访问了就drop丢掉
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23  #禁用23端口

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ iptables -nL --line-numbers  #查看规则是第几个,删除可以用到
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         
[root@mcw01 ~]$ iptables -D INPUT 1    #删除,指定是INPUT链,第一个规则
[root@mcw01 ~]$ iptables -nL 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ 

禁止指定ip,访问本服务器指定端口

禁止指定ip,访问本服务器指定端口
iptables -I INPUT -s 10.0.0.12 -p tcp --dport 22 -j DROP 

防火墙四表五链,我们常用的是filter,nat表。我们常用的是filter表的INPUT,FORWARD,OUTPUT链;nat表的PREROUTING,POSTROUTING链,OUTPUT链


禁止10.0.0.12访问10.0.0.11服务器的22端口
10.0.0.11  172.16.0.11  mcw01
10.0.0.12  172.16.0.12  mcw02
iptables -I INPUT -s 10.0.0.12 -p tcp --dport 22 -j DROP 

一开始12能访问11的22端口
[root@mcw02 ~]$ ssh 10.0.0.11 hostname
root@10.0.0.11's password: 
mcw01
[root@mcw02 ~]$ 


[root@mcw01 ~]$ iptables -I INPUT -s 10.0.0.12 -p tcp --dport 22 -j DROP  
[root@mcw01 ~]$ iptables -nL  #禁止10.0.0.12访问10.0.0.11服务器的22端口
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  10.0.0.12            0.0.0.0/0            tcp dpt:22
#来自10.0.0.12的IP,访问本机的22端口被drop
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination   


再次从12上访问11的22端口,发现是连接超时的
[root@mcw02 ~]$ ssh 10.0.0.11 hostname
ssh: connect to host 10.0.0.11 port 22: Connection timed out
[root@mcw02 ~]$ 
[root@mcw02 ~]$ ssh 172.16.0.11 hostname  #如果使用内网ip,还是可以访问的,因为只是禁用10.0.0.12访问  
root@172.16.0.11's password: 
mcw01
[root@mcw02 ~]$ ping 10.0.0.11 -c 1 #访问icmp协议的还是不影响的
PING 10.0.0.11 (10.0.0.11) 56(84) bytes of data.
64 bytes from 10.0.0.11: icmp_seq=1 ttl=64 time=0.682 ms

--- 10.0.0.11 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.682/0.682/0.682/0.000 ms
[root@mcw02 ~]$ 
[root@mcw02 ~]$ nc 10.0.0.11 22  #使用nc查看端口是否能连上
Ncat: Connection timed out.
[root@mcw02 ~]$
[root@mcw02 ~]$ telnet 10.0.0.11 22  #telnet查看是否能连上
Trying 10.0.0.11...
telnet: connect to address 10.0.0.11: Connection timed out
[root@mcw02 ~]$ 


正常能连的显示
[root@mcw03 ~]$ nc 10.0.0.11 22
SSH-2.0-OpenSSH_7.4 #夯住

命令有,但不知道是哪个包带来的命令,两种方式找到包

[root@mcw01 ~]$ rpm -qa nc
[root@mcw01 ~]$ rpm -qa ncat
[root@mcw01 ~]$ rpm -qa |grep nc
irqbalance-1.0.7-10.el7.x86_64
ncurses-base-5.9-14.20130511.el7_4.noarch
perl-Encode-2.51-7.el7.x86_64
qrencode-libs-3.4.1-3.el7.x86_64
ncurses-libs-5.9-14.20130511.el7_4.x86_64
ncurses-5.9-14.20130511.el7_4.x86_64
nmap-ncat-6.40-19.el7.x86_64
vim-enhanced-7.4.629-8.el7_9.x86_64
ncurses-devel-5.9-14.20130511.el7_4.x86_64
[root@mcw01 ~]$ 
[root@mcw01 ~]$ rpm -qa |grep ncat
nmap-ncat-6.40-19.el7.x86_64
[root@mcw01 ~]$ which nc
/usr/bin/nc
[root@mcw01 ~]$ yum provides nc  #方式一:yum查看命令是哪个包里的
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
netcat-1.218-2.el7.x86_64 : OpenBSD netcat to read and write data across connections using TCP or UDP
Repo        : epel
Matched from:
Provides    : nc = 1.218-2.el7



2:nmap-ncat-6.40-19.el7.x86_64 : Nmap's Netcat replacement
Repo        : base
Matched from:
Provides    : nc



2:nmap-ncat-6.40-19.el7.x86_64 : Nmap's Netcat replacement
Repo        : @base
Matched from:
Provides    : nc



[root@mcw01 ~]$ rpm -qf `which nc`  #方式二:rpm查看命令是哪个包里的
nmap-ncat-6.40-19.el7.x86_64
[root@mcw01 ~]$ 

使用nc命令进行端口间通信

当我使用nc连接本服务器端口的时候
[root@mcw03 ~]$ nc -l  6381
#夯住

新开一个窗口,发现这个命令的进程
[root@mcw03 ~]$ ps -ef|grep -v grep |grep 6381
root      19421  19094  0 03:26 pts/0    00:00:00 nc -l 6381
[root@mcw03 ~]$ 

--
如下当我将mcw03上redis端口,使用nc命令夯住后
[root@mcw03 ~]$ nc -l  6381
wo shi machangwei
nihaoya


当我在其他机器,比如在mcw01上telnet mcw03的这个6381端口,也会夯住,然后这样两者间就可以互相写字进行通信了,一行一行的发送,点击enter就发送。telnet如果是客户端的话,那么我断开telnet,nc命令并不会终止
[root@mcw01 ~]$ telnet 10.0.0.13 6381
Trying 10.0.0.13...
Connected to 10.0.0.13.
Escape character is '^]'.
wo shi machangwei
nihaoya



当我在mcw03上使用nc之后,夯住
[root@mcw03 ~]$ nc -l  6381

然后
[root@mcw01 ~]$ cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
[root@mcw01 ~]$ cat /etc/hosts |nc 10.0.0.13 6381  #然后在另一个主机上连接这个端口,就能发送文件内容过去


[root@mcw03 ~]$ nc -l  6381  #接收到文件内容,我们也可以将接收的文件内容重定向到文件里,实现nc通过端口传输文件
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
[root@mcw03 ~]$ 
[root@mcw03 ~]$ nc -l  6381 >1.host
[root@mcw03 ~]$ cat 1.host 
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
[root@mcw03 ~]$ 

禁止指定网段访问本服务器的指定端口

禁止指定网段访问本服务器的指定端口
iptables -I INPUT -s 172.16.0.0/24 -p tcp --dport 8080 -j DROP

别人访问我,是进入的包,INPUT链。别人访问我的某个端口服务,我这个端口是对方访问的目标端口,所以是dport,禁止就得drop,-I拒绝的就往前面插入


我在mcw01上开启了8080端口的监听,然后通过两个ip访问,都能通,接收到信息
[root@mcw02 ~]$ echo 111|nc 10.0.0.11 8080
[root@mcw02 ~]$ echo 111|nc 172.16.0.11 8080
[root@mcw02 ~]$ 

[root@mcw01 ~]$ nc -l 8080
111
[root@mcw01 ~]$ nc -l 8080
111
[root@mcw01 ~]$ 



现在设置防火墙规则,禁止指定172.16.0.0/24网段访问本服务器的指定端口8080
[root@mcw01 ~]$ iptables -I INPUT -s 172.16.0.0/24 -p tcp --dport 8080 -j DROP
[root@mcw01 ~]$ 
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  172.16.0.0/24        0.0.0.0/0            tcp dpt:8080
DROP       tcp  --  10.0.0.12            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ 



然后再看,mcw02连接mcw01的nc开启的连接服务,发现172.16.0.11只有这个网段的不能连上服务了,说明禁止生效了
[root@mcw02 ~]$ echo 111|nc 10.0.0.11 8080
[root@mcw02 ~]$ echo 111|nc 172.16.0.11 8080
Ncat: Connection timed out.
[root@mcw02 ~]$ 

[root@mcw01 ~]$ nc -l 8080
111
[root@mcw01 ~]$ nc -l 8080 #夯住,没反应

指定只能某个网段访问本服务器。(不是指定网段的拒绝掉)

指定只能某个网段访问本服务器。(不是指定网段的拒绝掉)
iptables -I INPUT ! -s 10.0.0.0/24 -j DROP


当我清空所以防火墙配置之后,mcw02能访问mcw01上nc开启的2222端口
[root@mcw02 ~]$ echo 2222|nc 10.0.0.11 2222
[root@mcw02 ~]$ echo 2222|nc 172.16.0.11 2222
[root@mcw02 ~]$ 

[root@mcw01 ~]$ nc -l 2222
2222
[root@mcw01 ~]$ nc -l 2222
2222
[root@mcw01 ~]$ 



[root@mcw01 ~]$ iptables -I INPUT ! -s 10.0.0.0/24 -j DROP
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  -- !10.0.0.0/24          0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ 


当我两次在mcw01上nc开启2222端口时,只有访问10.0.0.11能访问到,访问172.16.0.11访问不到。所以防火墙配置生效
[root@mcw02 ~]$ echo 2222|nc 10.0.0.11 2222
[root@mcw02 ~]$ echo 2222|nc 172.16.0.11 2222
Ncat: Connection timed out.
[root@mcw02 ~]$ 


[root@mcw01 ~]$ nc -l 2222
2222
[root@mcw01 ~]$ nc -l 2222

禁止用户访问本服务器指定范围或者指定多个的端口

禁止用户访问本服务器指定范围或者指定多个的端口
iptables -I INPUT -p tcp --dport 1024:65535 -j DROP
iptables -I INPUT -p tcp -m multiport --dport 81,444 -j DROP


执行命令前,nc开启mcw01的端口,mcw02上都能访问到
[root@mcw02 ~]$ echo 2222|nc 10.0.0.11 444
[root@mcw02 ~]$ echo 2222|nc 10.0.0.11 1024
[root@mcw02 ~]$ echo 2222|nc 10.0.0.11 60000
[root@mcw02 ~]$ 

[root@mcw01 ~]$ nc -l 444
2222
[root@mcw01 ~]$ nc -l 1024
2222
[root@mcw01 ~]$ nc -l 60000
2222
[root@mcw01 ~]$ 



[root@mcw01 ~]$ iptables -I INPUT -p tcp --dport 1024:65535 -j DROP
[root@mcw01 ~]$ iptables -I INPUT -p tcp -m multiport --dport 81,444 -j DROP
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 81,444
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:1024:65535
DROP       all  -- !10.0.0.0/24          0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination     


执行命令后,无法访问到
[root@mcw02 ~]$ echo 2222|nc 10.0.0.11 444
Ncat: Connection timed out.
[root@mcw02 ~]$ echo 2222|nc 10.0.0.11 1024
Ncat: Connection timed out.
[root@mcw02 ~]$ echo 2222|nc 10.0.0.11 60000
Ncat: Connection timed out.
[root@mcw02 ~]$ 

[root@mcw01 ~]$ nc -l 444
^C
[root@mcw01 ~]$ nc -l 1024
^C
[root@mcw01 ~]$ nc -l 60000
^C
[root@mcw01 ~]$ 

使用iptables实现禁止ping功能

使用iptables实现禁止ping功能
iptables -I INPUT -p icmp --icmp-type 8 -j DROP  #实际上icmp协议的类型有很多,影响我们ping的类型是8,只需禁止8就行
iptables -I INPUT -p icmp --icmp-type any -j DROP

当我给mcw01添加内核设置为1的时候,mcw02就无法ping通mcw01了,当我修改为0的时候,就能ping同mcw01了
echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all
echo 0 >/proc/sys/net/ipv4/icmp_echo_ignore_all



加上这条命令后,里面就不能ping通了 ,这里是任意类型,好像写成8也可以
[root@mcw01 ~]$ iptables -I INPUT -p icmp --icmp-type any -j DROP
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 255
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 81,444
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:1024:65535
DROP       all  -- !10.0.0.0/24          0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ 

保存和恢复规则

iptables-save保存当前防火墙到配置文件中,加上重定向,可以将防火墙规则导入到指定文件中备份起来
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 255
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 81,444
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:1024:65535
DROP       all  -- !10.0.0.0/24          0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ iptables-save  #会把所有的打印出来,*后面显示表的名字;冒号后欧美是默认的规则,再往下就死我们自己配置的规则
# Generated by iptables-save v1.4.21 on Mon Mar  7 16:48:59 2022
*nat
:PREROUTING ACCEPT [6543:408185]
:INPUT ACCEPT [76:11426]
:OUTPUT ACCEPT [358288:21886420]
:POSTROUTING ACCEPT [358288:21886420]
COMMIT
# Completed on Mon Mar  7 16:48:59 2022
# Generated by iptables-save v1.4.21 on Mon Mar  7 16:48:59 2022
*filter  
:INPUT ACCEPT [696:58996]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [653551:39668311] #*后面显示表的名字;冒号后欧美是默认的规则,再往下就死我们自己配置的规则
-A INPUT -p icmp -m icmp --icmp-type any -j DROP
-A INPUT -p tcp -m multiport --dports 81,444 -j DROP
-A INPUT -p tcp -m tcp --dport 1024:65535 -j DROP
-A INPUT ! -s 10.0.0.0/24 -j DROP
COMMIT
# Completed on Mon Mar  7 16:48:59 2022
[root@mcw01 ~]$ 


防火墙配置,实际保存的是如下文件中。可以看到和命令查询出来的差不多
[root@mcw01 ~]$ cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@mcw01 ~]$ 


如下保存防火墙规则

[root@mcw01 ~]$ iptables-save >iptRule.txt
[root@mcw01 ~]$ cat iptRule.txt 
# Generated by iptables-save v1.4.21 on Mon Mar  7 16:53:44 2022
*nat
:PREROUTING ACCEPT [6642:414294]
:INPUT ACCEPT [77:11655]
:OUTPUT ACCEPT [363901:22224847]
:POSTROUTING ACCEPT [363901:22224847]
COMMIT
# Completed on Mon Mar  7 16:53:44 2022
# Generated by iptables-save v1.4.21 on Mon Mar  7 16:53:44 2022
*filter
:INPUT ACCEPT [781:65217]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [664961:40365111]
-A INPUT -p icmp -m icmp --icmp-type any -j DROP
-A INPUT -p tcp -m multiport --dports 81,444 -j DROP
-A INPUT -p tcp -m tcp --dport 1024:65535 -j DROP
-A INPUT ! -s 10.0.0.0/24 -j DROP
COMMIT
# Completed on Mon Mar  7 16:53:44 2022
[root@mcw01 ~]$ 




不小心把防火墙都误清除了,因为之前保存到配置里了,重启一下防火墙重新就出来了
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 255
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 81,444
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:1024:65535
DROP       all  -- !10.0.0.0/24          0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ iptables -F
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ systemctl restart iptables.service 
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ 




iptables-restore无需重启防火墙,可以将备份导出来的防火墙规则,再导入回去
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ iptables -F
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ iptables-restore <iptRule.txt 
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 255
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 81,444
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:1024:65535
DROP       all  -- !10.0.0.0/24          0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ 

修改默认规则为drop,默认都不接受的做法

-i --input 数据进入的时候通过哪个网卡
-o --output   数据出去的时候通过哪个网卡
-P  --policy  -P chain target   Change policy on chain to target 修改默认规则


修改默认规则前设置:
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -I INPUT -ptcp -m multiport --dport 80,443 -j ACCEPT

修改默认规则
iptables -P INPUT DROP
iptables -P FORWARD DROP 
iptables -P OUTPUT ACCEPT

修改默认规则后添加自己使用的网段为白名单
iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -s 172.16.0.0/24 -j ACCEPT


清除好环境
[root@mcw01 ~]$ iptables -F
[root@mcw01 ~]$ iptables -X
[root@mcw01 ~]$ iptables -Z
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ 


在修改默认策略为拒绝时,首先要提前做些准备。比如接收22端口访问
[root@mcw01 ~]$ #准许连接 22端口
[root@mcw01 ~]$ iptables -I INPUT -p tcp --dport 22 -j ACCEPT
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ 


设置本地lo通讯规则
[root@mcw01 ~]$ iptables -A INPUT -i lo -j ACCEPT
[root@mcw01 ~]$ iptables -A OUTPUT -o lo -j ACCEPT
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
[root@mcw01 ~]$ 


添加指定服务需要能被访问,比如80 443 
[root@mcw01 ~]$ iptables -I INPUT -ptcp -m multiport --dport 80,443 -j ACCEPT
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
[root@mcw01 ~]$ 


修改默认规则
[root@mcw01 ~]$ #修改默认规则
[root@mcw01 ~]$ iptables -P INPUT DROP  #进来的时候,默认是drop
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
[root@mcw01 ~]$ iptables -P FORWARD DROP   #这个也默认是drop
[root@mcw01 ~]$ iptables -P OUTPUT ACCEPT   #出去的时候不管,都接受
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
[root@mcw01 ~]$ 


添加两个白名单
[root@mcw01 ~]$ iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT
[root@mcw01 ~]$ iptables -A INPUT -s 172.16.0.0/24 -j ACCEPT
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  10.0.0.0/24          0.0.0.0/0           
ACCEPT     all  --  172.16.0.0/24        0.0.0.0/0           

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0     




然后保存下我们的配置
[root@mcw01 ~]$ iptables-save 
# Generated by iptables-save v1.4.21 on Mon Mar  7 17:21:59 2022
*nat
:PREROUTING ACCEPT [148:9218]
:INPUT ACCEPT [13:949]
:OUTPUT ACCEPT [2894:191439]
:POSTROUTING ACCEPT [2894:191439]
COMMIT
# Completed on Mon Mar  7 17:21:59 2022
# Generated by iptables-save v1.4.21 on Mon Mar  7 17:21:59 2022
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [195:20374]
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/24 -j ACCEPT
-A INPUT -s 172.16.0.0/24 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Mon Mar  7 17:21:59 2022
[root@mcw01 ~]$  #其中默认是drop ,INPUT和OUTPUT链添加了规则

内网服务器通过iptables转发实现访问外网SNAT(共享上网)

内网服务器通过iptables转发实现访问外网(共享上网)

10.0.0.11是集群中的外网ip,能通过这个ip访问外网的。这个ip所在服务器可以做成网关,让其它主机的网关设置成该主机的内网ip,然后通过ipv4内核源地址转换实现访问外网

单个ip实现源地址转换
iptables -t nat -A POSTROUTING -s 172.16.0.13 -j SNAT --to-source 10.0.0.11
echo 1 >/proc/sys/net/ipv4/ip_forward
echo 'net.ipv4.ip_forward=1' >>/etc/sysctl.conf
sysctl -p

指定网段的地址实现源地址转换
iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j SNAT --to-source 10.0.0.11


当公网ip不固定时:更换。用如下命令
iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE


MASQUERADE


masquerade
英[ˌmæskəˈreɪd]
美[ˌmæskəˈreɪd]
n.    掩藏; 掩饰; 化装舞会; 假面舞会;
vi.    假扮; 乔装; 伪装;



nat表(可以共享上网,端口映射,ip映射)


主机环境(将mcw02和mcw03的外网ip10网段的先停掉网卡,只剩内网ip172网段的,纯内网机子了):
10.0.0.11  172.16.0.11 mcw01
10.0.0.12  172.16.0.12 mcw02
10.0.0.13  172.16.0.13 mcw03


准备环境:
先把上面做的环境改回来,记得先改回默认策略为接受,然后再清空所有的规则。不然默认规则是拒绝,我把22接受服务的删除掉,那么就连不上服务器了,只能去机房连接服务器恢复了
[root@mcw01 ~]$ iptables -P INPUT ACCEPT
[root@mcw01 ~]$ iptables -P FORWARD ACCEPT
[root@mcw01 ~]$ iptables -P OUTPUT ACCEPT
[root@mcw01 ~]$ 
[root@mcw01 ~]$ iptables -F
[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ 





[root@mcw01 ~]$ ping www.baidu.com -c 1  #查看百度的ip是110.242.68.4,我现在需要内网的机子能访问这个ip
PING www.a.shifen.com (110.242.68.4) 56(84) bytes of data.
64 bytes from 110.242.68.4 (110.242.68.4): icmp_seq=1 ttl=128 time=17.1 ms

--- www.a.shifen.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 17.186/17.186/17.186/0.000 ms
[root@mcw01 ~]$ 


我现在mcw03这个后端内网服务器不能访问到外网,mcw01可以访问到外网。我想通过mcw01做转发,实现mcw03访问外网

mcw03的ip是172.16.0.13,这时数据包通过mcw01访问110.242.68.4时,目标ip110.242.68.4不变,在mcw01上要将源ip172.16.0.13修改mcw01的ip即10.0.0.11。
所以,需要内网实现共享上网的时候,需要使用snat,源网络地址转换

这时我们的mcw03的数据包,是需要通过mcw01上出去,进而访问外网,所以我们需要修改的是以前画的那张图里的nat表POSTROUTING

所以,需要设置防火墙命令如下:需要在nat表设置;需要在POSTROUTING链里追加;目标ip是访问的外网ip,
需要指定源ip是mcw03内网ip地址需要转换为可以访问的外网ip;动作是mcw03的内网ip,源ip转换为能访问外网的mcw01上的外网ip,动作是源地址访问;将源地址改为mcw01上的外网ip10.0.0.11
mcw01配置了防火墙,还要开启mcw01的ip转发内核参数。将mcw03网关应该修改为mcw01的内网ip,内网网卡上给mcw03添加DNS服务器的配置,不然无法解析了。

单个ip实现源地址转换
iptables -t nat -A POSTROUTING -s 172.16.0.13 -j SNAT --to-source 10.0.0.11
echo 1 >/proc/sys/net/ipv4/ip_forward
echo 'net.ipv4.ip_forward=1' >>/etc/sysctl.conf
sysctl -p

指定网段的地址实现源地址转换
iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j SNAT --to-source 10.0.0.11


操作前检查情况
[root@mcw02 ~]$ ssh 172.16.0.13  #从mcw02上连接mcw03内网ip
root@172.16.0.13's password: 
Last login: Mon Mar  7 17:58:21 2022 from 172.16.0.12
[root@mcw03 ~]$ ip a  #查看网卡情况
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:3b:e7:99 brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.13/24 brd 172.16.0.255 scope global ens34
       valid_lft forever preferred_lft forever
    inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link 
       valid_lft forever preferred_lft forever
3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:3b:e7:8f brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.13/24 brd 10.0.0.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::6782:98:f742:b0e8/64 scope link 
       valid_lft forever preferred_lft forever
    inet6 fe80::6faf:5935:98b1:7f8d/64 scope link tentative dadfailed 
       valid_lft forever preferred_lft forever
    inet6 fe80::cdd:d005:758:ad29/64 scope link tentative dadfailed 
       valid_lft forever preferred_lft forever
[root@mcw03 ~]$ ifdown ens33  #将mcw03的外网网卡关闭掉
Device 'ens33' successfully disconnected.
[root@mcw03 ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:3b:e7:99 brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.13/24 brd 172.16.0.255 scope global ens34
       valid_lft forever preferred_lft forever
    inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link 
       valid_lft forever preferred_lft forever
3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:3b:e7:8f brd ff:ff:ff:ff:ff:ff
[root@mcw03 ~]$ ping www.baidu.com  #查看mcw03无法访问外网,只有内网ip172.16.0.13可以通信
ping: www.baidu.com: Name or service not known
[root@mcw03 ~]$ 




[root@mcw01 ~]$ iptables -t nat -A POSTROUTING -s 172.16.0.13 -j SNAT --to-source 10.0.0.11
[root@mcw01 ~]$ echo 1 >/proc/sys/net/ipv4/ip_forward
[root@mcw01 ~]$ echo 'net.ipv4.ip_forward=1' >>/etc/sysctl.conf
[root@mcw01 ~]$ sysctl -p


发现mcw03还是不通外网,是因为忘记修改网关了,网关应该修改为mcw01的内网ip.
[root@mcw03 ~]$ ping www.baidu.com
ping: www.baidu.com: Name or service not known
[root@mcw03 ~]$ ip r
default via 172.160.0.253 dev ens34 proto static metric 100 
172.16.0.0/24 dev ens34 proto kernel scope link src 172.16.0.13 metric 100 
172.160.0.253 dev ens34 proto static scope link metric 100 


这里将内网网卡配置的网关设置为mcw01主机的内网ip。让它onboot改为yes,不然重启就关闭网卡了
[root@mcw03 ~]$ vim /etc/sysconfig/network-scripts/ifcfg-ens34 
[root@mcw03 ~]$ egrep -i "onboot|gateway" /etc/sysconfig/network-scripts/ifcfg-ens34
ONBOOT=yes
GATEWAY=172.16.0.11
[root@mcw03 ~]$ vim /etc/sysconfig/network-scripts/ifcfg-ens33  #将外网网卡的onboot关闭掉,防止重启网络,而重启网卡
[root@mcw03 ~]$ egrep -i "onboot|gateway" /etc/sysconfig/network-scripts/ifcfg-ens33
ONBOOT="no"
GATEWAY="10.0.0.253"
[root@mcw03 ~]$ systemctl restart network
[root@mcw03 ~]$ 
检查环境以及验证内网访问外网
[root@mcw03 ~]$ ip a  #查看网络,没有问题,还是内网ip
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:3b:e7:99 brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.13/24 brd 172.16.0.255 scope global ens34
       valid_lft forever preferred_lft forever
    inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link 
       valid_lft forever preferred_lft forever
3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:3b:e7:8f brd ff:ff:ff:ff:ff:ff
[root@mcw03 ~]$ 
[root@mcw03 ~]$ ip r  #查看网关,已经变成了mcw01主机的内网ip
default via 172.16.0.11 dev ens34 proto static metric 100 
172.16.0.0/24 dev ens34 proto kernel scope link src 172.16.0.13 metric 100 
[root@mcw03 ~]$ 
[root@mcw03 ~]$ ping www.baidu.com  #成功访问外网
PING www.a.shifen.com (110.242.68.4) 56(84) bytes of data.
64 bytes from 110.242.68.4 (110.242.68.4): icmp_seq=1 ttl=127 time=14.8 ms
64 bytes from 110.242.68.4 (110.242.68.4): icmp_seq=2 ttl=127 time=13.6 ms
^C
--- www.a.shifen.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 13.674/14.261/14.848/0.587 ms
[root@mcw03 ~]$ 


附上mcw01的内网ip查询
[root@mcw01 ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:4f:40:9c brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.11/24 brd 172.16.0.255 scope global ens34
       valid_lft forever preferred_lft forever
    inet6 fe80::9910:d66a:5b4d:7102/64 scope link 
       valid_lft forever preferred_lft forever
    inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link tentative dadfailed 
       valid_lft forever preferred_lft forever
3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:4f:40:92 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.11/24 brd 10.0.0.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::cdd:d005:758:ad29/64 scope link 
       valid_lft forever preferred_lft forever
[root@mcw01 ~]$ 





执行完后,记得保存一下配置
iptables -t nat -nL 查看nat表的转发规则
[root@mcw01 ~]$ iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j SNAT --to-source 10.0.0.11
[root@mcw01 ~]$ 
[root@mcw01 ~]$ 
[root@mcw01 ~]$ 
[root@mcw01 ~]$ iptables  -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  172.16.0.13          0.0.0.0/0            to:10.0.0.11
SNAT       all  --  172.16.0.0/24        0.0.0.0/0            to:10.0.0.11
[root@mcw01 ~]$ 
[root@mcw01 ~]$ cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@mcw01 ~]$ 
[root@mcw01 ~]$ 
[root@mcw01 ~]$ iptables-save 
# Generated by iptables-save v1.4.21 on Mon Mar  7 18:52:42 2022
*nat
:PREROUTING ACCEPT [143:9307]
:INPUT ACCEPT [1:229]
:OUTPUT ACCEPT [80:6466]
:POSTROUTING ACCEPT [80:6466]
-A POSTROUTING -s 172.16.0.13/32 -j SNAT --to-source 10.0.0.11
-A POSTROUTING -s 172.16.0.0/24 -j SNAT --to-source 10.0.0.11
COMMIT
# Completed on Mon Mar  7 18:52:42 2022
# Generated by iptables-save v1.4.21 on Mon Mar  7 18:52:42 2022
*filter
:INPUT ACCEPT [698927:234693305]
:FORWARD ACCEPT [5426:390414]
:OUTPUT ACCEPT [704597:225964959]
COMMIT
# Completed on Mon Mar  7 18:52:42 2022
[root@mcw01 ~]$ 
[root@mcw01 ~]$ cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

如何删除nat表的规则:

[root@mcw01 ~]$ iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  172.16.0.13          0.0.0.0/0            to:10.0.0.11
SNAT       all  --  172.16.0.0/24        0.0.0.0/0            to:10.0.0.61
[root@mcw01 ~]$ 
[root@mcw01 ~]$ 
[root@mcw01 ~]$ 
[root@mcw01 ~]$ iptables -t nat -D  POSTROUTING 2 #删除nat表的规则,需要指定nat表
[root@mcw01 ~]$ 
[root@mcw01 ~]$ iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  172.16.0.13          0.0.0.0/0            to:10.0.0.11

DNAT端口转发(内网服务器不暴露在公网上,但是它上面的服务可以通过某台服务器的端口转发提供给外网)

DNAT端口转发(内网服务器不暴露在公网上,但是它上面的服务可以通过某台服务器的端口转发提供给外网)

iptables -t nat -A PREROUTING -d 10.0.0.11 -p tcp --dport 9000 -j DNAT --to-destination 172.16.0.13:22


有点像Nginx的端口转发

当外网需要访问内网某个主机的某个服务时,服务无法提供。我们可以使用端口转发,mcw01有外网ip,当外网访问mcw01的外网时,我们可以根据端口来将请求转发给内网某个服务器如mcw03,mcw03上是没有外网ip的。


主机环境(将mcw02和mcw03的外网ip10网段的先停掉网卡,只剩内网ip172网段的,纯内网机子了):
10.0.0.11  172.16.0.11 mcw01
10.0.0.12  172.16.0.12 mcw02
10.0.0.13  172.16.0.13 mcw03


例如:当用户访问我们的mcw01主机上的9000端口(10.0.0.11:9000)时,我们将它转发到我们内网服务器mcw03上的22端口(172.16.0.13:22)。用户访问时,源地址是他们自己,
他们的目标是访问我们的10.0.0.11:9000,我们要实现转发,需要将这个目标地址改成172.16.0.13:22。所以这里是目标地址转换DNAT。

这里是目标地址转换,是nat表;这是用户来访问的数据包,也就是用户要进来,所以是PREROUTING 链;目标访问的是10.0.0.11;对方访问的是9000端口;动作我就用DNAT,目标地址转换,转换成我们内网的地址;这里是转换成目标地址172.16.0.13:22
注意:此时这里的mcw03的网卡上配置的网关,要设置成mcw01上内网的ip。因为数据包是转发给mcw03了,但是我要回包的话,得发给mcw01的内网ip,然后mcw01内网ip再发给mcw01的公网ip10.0.0.11,这样才能给客户返回响应数据。这里之前已经配置了,详情见上面的SNAT共享上网

iptables -t nat -A PREROUTING -d 10.0.0.11 -p tcp --dport  -j DNAT --to-destination 172.16.0.13:22

然后还需要开启ipv4转发。之前我已经配置好了
[root@mcw01 ~]$ tail -1 /etc/sysctl.conf 
net.ipv4.ip_forward=1
[root@mcw01 ~]$ 



操作前检查情况
mcw03和mcw01的9000端口目前都不能连接
[c:\~]$ ssh root@172.16.0.13


Connecting to 172.16.0.13:22...
Could not connect to '172.16.0.13' (port 22): Connection failed.

Type `help' to learn how to use Xshell prompt.
[c:\~]$ 
[c:\~]$ 
[c:\~]$ 
[c:\~]$ ssh root@10.0.0.11 9000


Connecting to 10.0.0.11:9000...
Could not connect to '10.0.0.11' (port 9000): Connection failed.

Type `help' to learn how to use Xshell prompt.
[c:\~]$ 


执行操作:配置目标地址转发,查看配置的规则,查看ipv4转发是否开启
[root@mcw01 ~]$ iptables -t nat -A PREROUTING -d 10.0.0.11 -p tcp --dport 9000 -j DNAT --to-destination 172.16.0.13:22
[root@mcw01 ~]$ iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  0.0.0.0/0            10.0.0.11            tcp dpt:9000 to:172.16.0.13:22

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  172.16.0.13          0.0.0.0/0            to:10.0.0.11
SNAT       all  --  172.16.0.0/24        0.0.0.0/0            to:10.0.0.11
[root@mcw01 ~]$ tail -1 /etc/sysctl.conf 
net.ipv4.ip_forward=1
[root@mcw01 ~]$ 





检验配置的效果:发现当我们外网上连接mcw01的9000端口时,实际上我们是访问到了没有外网ip,不通外网的mcw03主机上。也就是在mcw01上成功实现端口转发。这样当我们内网的主机上某个服务要提供给外网访问时,可以使用端口转发的方式提供服务,这也能保证了内网服务器的安全性。
[c:\~]$ ssh root@10.0.0.11 9000


Connecting to 10.0.0.11:9000...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

Last login: Mon Mar  7 18:06:33 2022 from 172.16.0.12
[root@mcw03 ~]$ hostname -I
172.16.0.13 
[root@mcw03 ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:3b:e7:99 brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.13/24 brd 172.16.0.255 scope global ens34
       valid_lft forever preferred_lft forever
    inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link 
       valid_lft forever preferred_lft forever
3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:3b:e7:8f brd ff:ff:ff:ff:ff:ff
[root@mcw03 ~]$ 

ip地址转发(DNAT实现ip地址转发,ip映射)

主机环境(将mcw02和mcw03的外网ip10网段的先停掉网卡,只剩内网ip172网段的,纯内网机子了):
10.0.0.11  172.16.0.11 mcw01
10.0.0.12  172.16.0.12 mcw02
10.0.0.13  172.16.0.13 mcw03

配置过程中需要注意的事项请参考上面的snat和dnat配置过程



查看环境,将之前已有的端口转发配置去掉
[root@mcw01 ~]$ iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  0.0.0.0/0            10.0.0.11            tcp dpt:9000 to:172.16.0.13:22

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  172.16.0.13          0.0.0.0/0            to:10.0.0.11
SNAT       all  --  172.16.0.0/24        0.0.0.0/0            to:10.0.0.11
[root@mcw01 ~]$ iptables -t nat -D PREROUTING 1  #删除之前配置的端口转发,防止收到影响
[root@mcw01 ~]$ iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  172.16.0.13          0.0.0.0/0            to:10.0.0.11
SNAT       all  --  172.16.0.0/24        0.0.0.0/0            to:10.0.0.11
[root@mcw01 ~]$


在mcw01上添加一个新的公网ip,当访问这个公网ip10.0.0.111时,将它转发到内网服务器mcw03的内网ip172.16.0.13
然后可以给这个公网ip,在网关mcw01上加上标签,这样在mcw01上就能看到这个ip了。
[root@mcw01 ~]$ iptables -t nat -A PREROUTING -d 10.0.0.111 -j DNAT --to-destination 172.16.0.13
[root@mcw01 ~]$ ip a a 10.0.0.111/24 dev ens33 label ens33:0
[root@mcw01 ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:4f:40:9c brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.11/24 brd 172.16.0.255 scope global ens34
       valid_lft forever preferred_lft forever
    inet6 fe80::9910:d66a:5b4d:7102/64 scope link 
       valid_lft forever preferred_lft forever
    inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link tentative dadfailed 
       valid_lft forever preferred_lft forever
3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:4f:40:92 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.11/24 brd 10.0.0.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet 10.0.0.111/24 scope global secondary ens33:0
       valid_lft forever preferred_lft forever
    inet6 fe80::cdd:d005:758:ad29/64 scope link 
       valid_lft forever preferred_lft forever
[root@mcw01 ~]$ ^C



验证:
当我在外网连接刚刚在mcw01上添加的公网ip10.0.0.111时,实际上连上了内网服务器mcw03上。
也就是当用户访问mcw01上的外网ip10.0.0.111的某个端口服务时,它就会转发给内网服务器mcw03上对应的端口。
这样就成功实现了ip地址转发。缺点是,只要某个服务器某个端口需要外网访问,就要对应一个外网ip,而一般情况下,不需要访问这么多端口,所以浪费公网ip资源


[c:\~]$ 
[c:\~]$ ssh root@10.0.0.111


Connecting to 10.0.0.111:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

Last login: Mon Mar  7 19:30:16 2022 from 10.0.0.1
[root@mcw03 ~]$ hostname -I
172.16.0.13 
[root@mcw03 ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:3b:e7:99 brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.13/24 brd 172.16.0.255 scope global ens34
       valid_lft forever preferred_lft forever
    inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link 
       valid_lft forever preferred_lft forever
3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:3b:e7:8f brd ff:ff:ff:ff:ff:ff
[root@mcw03 ~]$ 



当删除这个标签后,就不能通过这个ip访问内网指定服务器了
[root@mcw01 ~]$ ip a del 10.0.0.111/24 dev ens33 label ens33:0
[root@mcw01 ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:4f:40:9c brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.11/24 brd 172.16.0.255 scope global ens34
       valid_lft forever preferred_lft forever
    inet6 fe80::9910:d66a:5b4d:7102/64 scope link 
       valid_lft forever preferred_lft forever
    inet6 fe80::d4fb:80c5:2bc7:80e9/64 scope link tentative dadfailed 
       valid_lft forever preferred_lft forever
3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:4f:40:92 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.11/24 brd 10.0.0.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::cdd:d005:758:ad29/64 scope link 
       valid_lft forever preferred_lft forever
[root@mcw01 ~]$ 

-F不能清除nat表的规则

[root@mcw01 ~]$ iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@mcw01 ~]$ iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       all  --  0.0.0.0/0            10.0.0.111           to:172.16.0.13

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  172.16.0.13          0.0.0.0/0            to:10.0.0.11
SNAT       all  --  172.16.0.0/24        0.0.0.0/0            to:10.0.0.11
[root@mcw01 ~]$ 
[root@mcw01 ~]$ iptables -F
[root@mcw01 ~]$ iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       all  --  0.0.0.0/0            10.0.0.111           to:172.16.0.13

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  172.16.0.13          0.0.0.0/0            to:10.0.0.11
SNAT       all  --  172.16.0.0/24        0.0.0.0/0            to:10.0.0.11
[root@mcw01 ~]$ iptables -F
[root@mcw01 ~]$ iptables -X
[root@mcw01 ~]$ iptables -Z
[root@mcw01 ~]$ iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       all  --  0.0.0.0/0            10.0.0.111           to:172.16.0.13

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  172.16.0.13          0.0.0.0/0            to:10.0.0.11
SNAT       all  --  172.16.0.0/24        0.0.0.0/0            to:10.0.0.11
[root@mcw01 ~]$ 

 

posted @ 2022-03-07 21:55  马昌伟  阅读(4026)  评论(0编辑  收藏  举报
博主链接地址:https://www.cnblogs.com/machangwei-8/