Week 7, lesson 4 (January 25)
10.15 iptables filter table example
10.16 iptables nat table applications (1)
10.17 iptables nat table applications (2)
10.18 iptables nat table applications (3)
==========================================================================================================================================================================================================================================================================
Requirement: work only on the filter table. Set the default policy of the INPUT chain to DROP and of the other two chains to ACCEPT, then open port 22 to 192.168.37.0/24 only, and open ports 80 and 21 to every network.
The requirement is not complicated, but because it involves several rules it is best written as a script. Two things to keep in mind before running it: -F without -t flushes only the filter table, so nat rules are left as they are; and the script sets INPUT to DROP before it re-adds the RELATED,ESTABLISHED rule, so run it from the console or from an address inside 192.168.37.0/24. An existing SSH session from elsewhere survives (it matches RELATED,ESTABLISHED once that rule is back), but you will not be able to open a new one. The script contents:
vi /usr/local/sbin/iptables.sh   # add the following content
#!/bin/bash
ipt="/usr/sbin/iptables"         # path of the iptables command, kept in a variable
$ipt -F                          # flush the existing rules (filter table only)
$ipt -P INPUT DROP               # default INPUT policy
$ipt -P OUTPUT ACCEPT            # default OUTPUT policy
$ipt -P FORWARD ACCEPT           # default FORWARD policy
$ipt -A INPUT -i lo -j ACCEPT    # keep loopback traffic working under the DROP policy
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT   # accept packets that belong to existing connections
$ipt -A INPUT -s 192.168.37.0/24 -p tcp --dport 22 -j ACCEPT  # port 22 only from 192.168.37.0/24
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT   # port 80 from anywhere
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT   # port 21 from anywhere
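As an added example (not code from the original post), here is the same policy written as an iptables-save ruleset and loaded with iptables-restore instead of rule by rule. iptables-restore swaps in the whole table in one step, so there is no moment where INPUT is DROP and the RELATED,ESTABLISHED rule has not been added yet, and a timed rollback restores the previous rules if the new ones cut off the session you are working from. The helper names, the ROLLBACK_SECS timer and the /run/iptables-rollback.pid file are this example's own choices; it also assumes iptables 1.6 or newer for iptables-restore --test (the 1.4.21 in the session log below lacks that option, so remove that line there).

```shell
#!/bin/sh
# Added example, not part of the original post: the filter policy from the
# script above, loaded atomically with iptables-restore and guarded against
# locking yourself out. Assumes iptables >= 1.6 for "iptables-restore --test".
ADMIN_NET=${ADMIN_NET:-192.168.37.0/24}   # where SSH is allowed from (as in the post)
ROLLBACK_SECS=${ROLLBACK_SECS:-60}        # time you have to confirm the new rules

# Print the ruleset in iptables-save format. Only the filter table is listed,
# so nat is untouched, exactly like "iptables -F" in the script. The loopback
# rule is added because a DROP policy on INPUT otherwise breaks anything that
# talks to 127.0.0.1.
filter_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s $ADMIN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
COMMIT
EOF
}

# Self-check that runs without root: the connection-tracking rule must come
# before the first port rule, and the table must end with COMMIT.
filter_ruleset_ok() {
    rules=$(filter_ruleset)
    est=$(echo "$rules" | grep -n 'RELATED,ESTABLISHED' | cut -d: -f1)
    first_port=$(echo "$rules" | grep -n -- '--dport' | head -n 1 | cut -d: -f1)
    [ -n "$est" ] && [ -n "$first_port" ] && [ "$est" -lt "$first_port" ] &&
        [ "$(echo "$rules" | tail -n 1)" = "COMMIT" ]
}

# Apply with a timed rollback: if the new rules cut off your session, the
# saved rules come back after ROLLBACK_SECS. Run "confirm_rules" (from a new
# session, to prove it still works) to keep them.
apply_filter_ruleset() {
    filter_ruleset_ok || { echo "ruleset failed self-check" >&2; return 1; }
    backup=$(mktemp) || return 1
    new=$(mktemp) || return 1
    iptables-save > "$backup"
    filter_ruleset > "$new"
    iptables-restore --test < "$new" || { echo "ruleset does not parse" >&2; return 1; }
    ( sleep "$ROLLBACK_SECS"; iptables-restore < "$backup" ) &
    echo $! > /run/iptables-rollback.pid
    iptables-restore < "$new"
    echo "new rules loaded; run 'confirm' within ${ROLLBACK_SECS}s or they roll back"
}

confirm_rules() {
    kill "$(cat /run/iptables-rollback.pid)" 2>/dev/null && rm -f /run/iptables-rollback.pid
}

# usage: sh iptables-atomic.sh apply   (then, from a fresh SSH session)
#        sh iptables-atomic.sh confirm
if [ "${1:-}" = apply ]; then apply_filter_ruleset; fi
if [ "${1:-}" = confirm ]; then confirm_rules; fi
```

The rollback works because the background subshell is killed before it reaches iptables-restore; if you never confirm, the old rules are reloaded and you can reconnect to a box that is in the state you left it.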

ICMP example
iptables -I INPUT -p icmp --icmp-type 8 -j DROP
The --icmp-type option must be used together with -p icmp and is followed by the type number. Type 8 is echo-request, the packet ping sends. Dropping inbound type 8 means other machines can no longer ping this machine, while this machine can still ping others: its own echo-requests leave through OUTPUT, and the echo-replies that come back are type 0, which this rule does not touch. Because -I inserts at the top of the chain, the rule is evaluated before everything the script above added.
10.16/10.17/10.18 iptables nat table applications
In fact, iptables on Linux is extremely powerful. A teacher once described Linux networking like this: the only limit is what you can think of. Whatever network application you can imagine, Linux can build it. You have certainly used a home router; its job is to share one Internet connection. One cable comes in (really just one public IP), the router hands out a private network behind it, and every PC connected to the router can reach the Internet, while remote hosts only ever see the router's public IP. That router function is implemented with iptables on Linux, and iptables does it through the nat table.
nat table application
Machine A has two NICs, ens33 (192.168.37.100) and ens37 (192.168.100.1). ens33 can reach the outside network; ens37 is on an internal network only. Machine B has only ens37 (192.168.100.100) and can talk to A's ens37. (In the session log at the end of this page the outside network is 192.168.44.0/24 and A's ens33 is 192.168.44.128; the commands are otherwise the same.)
Requirement 1: let machine B reach the outside network
Add a NIC to VM A and a NIC to VM B.
Set the IP address on VM B's NIC.
A and B can reach each other.
The host cannot ping VM A or B, and VM B cannot reach the outside network.
Enable IP forwarding on A (net.ipv4.ip_forward; the session log below sets it through /proc, which is lost on reboot unless it is also made persistent through sysctl).
On A run: iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
On B set the gateway to 192.168.100.1.
B can reach the outside network.
Clear the filter table rules on A. The stock rules include a REJECT in the FORWARD chain (visible in the session log under iptables -nvL) that stops A from forwarding at all. Flushing removes it, but with the FORWARD policy at ACCEPT and no rules left, A forwards anything from either side; a tighter setup accepts in FORWARD only traffic from 192.168.100.0/24 leaving through ens33 plus RELATED,ESTABLISHED replies.
The host cannot ping VM A or B; VM
Requirement 2: machine C can only talk to A; let C reach port 22 on B directly
Enable IP forwarding on A.
Delete the earlier rules (the MASQUERADE rule from requirement 1).
On A run: iptables -t nat -A PREROUTING -d 192.168.37.100 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22
On A run: iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.37.100
On B set the gateway to 192.168.100.1.
Configure Xshell for A's address (192.168.37.100) and port 1122, then connect: the session lands on B.
B can reach the outside network.
Three things to check here. The -d address in the DNAT rule must be A's real address on ens33, or the rule never matches: in the session log the first attempt used 192.168.133.130, counted zero packets, and had to be replaced with A's actual address. The DNAT rule by itself is enough for C to reach B, because connection tracking reverses the translation on B's replies as they pass back through A (which is why B's gateway has to be A); the SNAT rule is what gives B outbound access, doing for one host what MASQUERADE did for the whole network in requirement 1. And the port forward exposes B's SSH to anyone who can reach A on port 1122, so add -s with C's address to the PREROUTING rule, and if the FORWARD policy is DROP, add a FORWARD rule that accepts the translated traffic to 192.168.100.100 port 22.
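The following is an added example, not code from the original post, that sets up A for both requirements in one idempotent script: the MASQUERADE gateway of requirement 1 and the port forward to B:22 of requirement 2. It adds each rule with -C before -A so that running it twice does not leave duplicate rules (the session log below shows seven identical MASQUERADE entries from repeated -A), and it locks the FORWARD chain down instead of leaving it open. Assumptions beyond the post: C_ADDR, since the post never gives C's address (it defaults to the outside network here and should be narrowed to C's /32); the MASQUERADE rule is kept for requirement 2 instead of being swapped for a per-host SNAT, because it already covers B's outbound traffic; and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not part of the original post: host A as NAT gateway
# (requirement 1) and as a DNAT port forwarder to B:22 (requirement 2).
# Interface names and addresses follow the post; C_ADDR is an assumption.
# DRY_RUN=1 prints the iptables commands instead of executing them.
OUT_IF=${OUT_IF:-ens33}             # A's outside interface
IN_IF=${IN_IF:-ens37}               # A's inside interface
A_OUT=${A_OUT:-192.168.37.100}      # A's address on OUT_IF; the DNAT rule must match this
LAN=${LAN:-192.168.100.0/24}        # inside network
B_ADDR=${B_ADDR:-192.168.100.100}   # host B
FWD_PORT=${FWD_PORT:-1122}          # port on A that is forwarded to B:22
C_ADDR=${C_ADDR:-192.168.37.0/24}   # assumed: who may use the forward (narrow to C's /32)
DRY_RUN=${DRY_RUN:-0}

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Append a rule only if an identical one is not already in the chain.
# "-C" returns 0 when a matching rule exists, so repeated runs stay clean.
add_once() {
    table=$1; shift
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables -t $table -A $*"
    elif ! iptables -t "$table" -C "$@" 2>/dev/null; then
        iptables -t "$table" -A "$@"
    fi
}

enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "sysctl -w net.ipv4.ip_forward=1"
    else
        sysctl -w net.ipv4.ip_forward=1 >/dev/null
        # /proc is reset at boot; persist the setting
        echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/90-ipforward.conf
    fi
}

# Requirement 1: masquerade the inside network behind A's outside address and
# forward only what the inside network initiates plus the replies to it,
# rather than leaving FORWARD wide open as "clear the filter table" does.
nat_gateway_rules() {
    add_once nat POSTROUTING -s "$LAN" -o "$OUT_IF" -j MASQUERADE
    add_once filter FORWARD -i "$IN_IF" -o "$OUT_IF" -s "$LAN" -j ACCEPT
    add_once filter FORWARD -i "$OUT_IF" -o "$IN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -P FORWARD DROP
}

# Requirement 2: forward A:FWD_PORT to B:22. Matching on the inbound interface
# and on A's outside address keeps the rule off ens37 traffic, and -s keeps the
# forwarded SSH port from being reachable by everyone. Replies are translated
# back by conntrack, so no SNAT rule is needed for this path.
port_forward_rules() {
    add_once nat PREROUTING -i "$OUT_IF" -s "$C_ADDR" -d "$A_OUT" -p tcp --dport "$FWD_PORT" \
        -j DNAT --to-destination "$B_ADDR:22"
    add_once filter FORWARD -i "$OUT_IF" -o "$IN_IF" -d "$B_ADDR" -p tcp --dport 22 -j ACCEPT
}

main() {
    enable_forwarding
    nat_gateway_rules
    port_forward_rules
}

# usage: sh nat-gateway.sh apply        (DRY_RUN=1 sh nat-gateway.sh apply to preview)
if [ "${1:-}" = apply ]; then main; fi
```

Review the preview output first with DRY_RUN=1; the FORWARD policy change is the only step that can interrupt existing forwarded sessions, and it does so only for traffic the two FORWARD accept rules do not cover.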
==========================================================================================================================================================================================================================================================================
[root@localhost ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.44.128 netmask 255.255.255.0 broadcast 192.168.44.255
inet6 fe80::9d1c:ba9a:850d:5e30 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:f6:5a:ef txqueuelen 1000 (Ethernet)
RX packets 367 bytes 35669 (34.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 212 bytes 22480 (21.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether 00:0c:29:f6:5a:f9 txqueuelen 1000 (Ethernet)
RX packets 12 bytes 4104 (4.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 155 bytes 27666 (27.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 4 bytes 340 (340.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4 bytes 340 (340.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

[root@localhost ~]# ifconfig ens37 192.168.100.1/24
[root@localhost ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.44.128 netmask 255.255.255.0 broadcast 192.168.44.255
inet6 fe80::9d1c:ba9a:850d:5e30 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:f6:5a:ef txqueuelen 1000 (Ethernet)
RX packets 478 bytes 44495 (43.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 264 bytes 29177 (28.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.100.1 netmask 255.255.255.0 broadcast 192.168.100.255
inet6 fe80::20c:29ff:fef6:5af9 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:f6:5a:f9 txqueuelen 1000 (Ethernet)
RX packets 12 bytes 4104 (4.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 163 bytes 28294 (27.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 4 bytes 340 (340.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4 bytes 340 (340.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

[root@localhost ~]# ping 192.168.100.100
PING 192.168.100.100 (192.168.100.100) 56(84) bytes of data.
From 192.168.100.1 icmp_seq=1 Destination Host Unreachable
From 192.168.100.1 icmp_seq=2 Destination Host Unreachable
From 192.168.100.1 icmp_seq=3 Destination Host Unreachable
From 192.168.100.1 icmp_seq=4 Destination Host Unreachable
From 192.168.100.1 icmp_seq=5 Destination Host Unreachable
From 192.168.100.1 icmp_seq=6 Destination Host Unreachable
From 192.168.100.1 icmp_seq=7 Destination Host Unreachable
From 192.168.100.1 icmp_seq=8 Destination Host Unreachable
From 192.168.100.1 icmp_seq=9 Destination Host Unreachable
From 192.168.100.1 icmp_seq=10 Destination Host Unreachable
From 192.168.100.1 icmp_seq=11 Destination Host Unreachable
From 192.168.100.1 icmp_seq=12 Destination Host Unreachable
^C
--- 192.168.100.100 ping statistics ---
14 packets transmitted, 0 received, +12 errors, 100% packet loss, time 13004ms
pipe 4
[root@localhost ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.44.128 netmask 255.255.255.0 broadcast 192.168.44.255
inet6 fe80::9d1c:ba9a:850d:5e30 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:f6:5a:ef txqueuelen 1000 (Ethernet)
RX packets 595 bytes 53775 (52.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 322 bytes 37829 (36.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.100.1 netmask 255.255.255.0 broadcast 192.168.100.255
inet6 fe80::20c:29ff:fef6:5af9 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:f6:5a:f9 txqueuelen 1000 (Ethernet)
RX packets 12 bytes 4104 (4.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 177 bytes 29154 (28.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 18 bytes 1908 (1.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 18 bytes 1908 (1.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

[root@localhost ~]# ping 192.168.100.100
PING 192.168.100.100 (192.168.100.100) 56(84) bytes of data.
From 192.168.100.1 icmp_seq=1 Destination Host Unreachable
From 192.168.100.1 icmp_seq=2 Destination Host Unreachable
From 192.168.100.1 icmp_seq=3 Destination Host Unreachable
From 192.168.100.1 icmp_seq=4 Destination Host Unreachable
From 192.168.100.1 icmp_seq=5 Destination Host Unreachable
From 192.168.100.1 icmp_seq=6 Destination Host Unreachable
From 192.168.100.1 icmp_seq=7 Destination Host Unreachable
From 192.168.100.1 icmp_seq=8 Destination Host Unreachable

^C
--- 192.168.100.100 ping statistics ---
10 packets transmitted, 0 received, +8 errors, 100% packet loss, time 9003ms
pipe 4
[root@localhost ~]# ping 192.168.100.100
PING 192.168.100.100 (192.168.100.100) 56(84) bytes of data.
64 bytes from 192.168.100.100: icmp_seq=1 ttl=64 time=1.10 ms
64 bytes from 192.168.100.100: icmp_seq=2 ttl=64 time=0.653 ms
64 bytes from 192.168.100.100: icmp_seq=3 ttl=64 time=0.793 ms
^C
--- 192.168.100.100 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.653/0.849/1.101/0.187 ms
[root@localhost ~]# ping 192.168.100.128
PING 192.168.100.128 (192.168.100.128) 56(84) bytes of data.
From 192.168.100.1 icmp_seq=1 Destination Host Unreachable
From 192.168.100.1 icmp_seq=2 Destination Host Unreachable
From 192.168.100.1 icmp_seq=3 Destination Host Unreachable
From 192.168.100.1 icmp_seq=4 Destination Host Unreachable
^C
--- 192.168.100.128 ping statistics ---
6 packets transmitted, 0 received, +4 errors, 100% packet loss, time 5001ms
pipe 4
[root@localhost ~]# ping 192.168.100.2
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data.
^C
--- 192.168.100.2 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2008ms

[root@localhost ~]# ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.012 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.048 ms
64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.046 ms
^C
--- 192.168.100.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.012/0.035/0.048/0.017 ms
[root@localhost ~]# ping 192.168.44.2
PING 192.168.44.2 (192.168.44.2) 56(84) bytes of data.
64 bytes from 192.168.44.2: icmp_seq=1 ttl=128 time=0.063 ms
64 bytes from 192.168.44.2: icmp_seq=2 ttl=128 time=0.258 ms
64 bytes from 192.168.44.2: icmp_seq=3 ttl=128 time=0.441 ms
64 bytes from 192.168.44.2: icmp_seq=4 ttl=128 time=0.415 ms
^C
--- 192.168.44.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 0.063/0.294/0.441/0.151 ms
[root@localhost ~]# ping 192.168.44.130
PING 192.168.44.130 (192.168.44.130) 56(84) bytes of data.
^C
--- 192.168.44.130 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1000ms

[root@localhost ~]# ping 192.168.44.128
PING 192.168.44.128 (192.168.44.128) 56(84) bytes of data.
64 bytes from 192.168.44.128: icmp_seq=1 ttl=64 time=0.011 ms
64 bytes from 192.168.44.128: icmp_seq=2 ttl=64 time=0.049 ms
64 bytes from 192.168.44.128: icmp_seq=3 ttl=64 time=0.045 ms
^C
--- 192.168.44.128 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.011/0.035/0.049/0.017 ms
[root@localhost ~]# ping 192.168.44.2
PING 192.168.44.2 (192.168.44.2) 56(84) bytes of data.
64 bytes from 192.168.44.2: icmp_seq=1 ttl=128 time=0.076 ms
64 bytes from 192.168.44.2: icmp_seq=2 ttl=128 time=0.274 ms
64 bytes from 192.168.44.2: icmp_seq=3 ttl=128 time=0.418 ms
^C
--- 192.168.44.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 0.076/0.256/0.418/0.140 ms
[root@localhost ~]# ping 192.168.44.1
PING 192.168.44.1 (192.168.44.1) 56(84) bytes of data.
^C
--- 192.168.44.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 2999ms

[root@localhost ~]# cat /proc/sys/net/ipv4/ip_forward
0
[root@localhost ~]# echo "1" > /proc/sys/net/ipv4/ip_forward
[root@localhost ~]# !cat
cat /proc/sys/net/ipv4/ip_forward
1
[root@localhost ~]# systemctl disable firewalld
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# systemctl start iptables
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
68 5620 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 47 packets, 5312 bytes)
pkts bytes target prot opt in out source destination
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 50 packets, 3540 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 30 packets, 3544 bytes)
pkts bytes target prot opt in out source destination
[root@localhost ~]# iptables -t nat -A POSTROUTING -s 192.168.100.1/24 -o ens33 -j MASQUERADE
[root@localhost ~]# iptables -t nst -nvL
iptables v1.4.21: can't initialize iptables table `nst': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 403 packets, 33296 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 271 packets, 28916 bytes)
pkts bytes target prot opt in out source destination
[root@localhost ~]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
[root@localhost ~]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
[root@localhost ~]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
[root@localhost ~]# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 464 packets, 38516 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 320 packets, 34640 bytes)
pkts bytes target prot opt in out source destination
[root@localhost ~]# iptables -t nat --nvL
iptables v1.4.21: unknown option "--nvL"
Try `iptables -h' or 'iptables --help' for more information.
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1 packets, 328 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 1 packets, 328 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * ens33 192.168.100.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * ens33 192.168.100.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * ens33 192.168.100.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * ens33 192.168.100.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * ens33 192.168.100.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * ens33 192.168.100.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * ens33 192.168.100.0/24 0.0.0.0/0
[root@localhost ~]# iptables -t nat -A PREROUTING -d 192.168.133.130 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22
[root@localhost ~]# iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.44.128
[root@localhost ~]# iptables -t nat -D POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 767 packets, 63504 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 20 packets, 1680 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 549 packets, 59920 bytes)
pkts bytes target prot opt in out source destination
[root@localhost ~]# iptables -t nat -A PREROUTING -d 192.168.133.130 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22
[root@localhost ~]# iptables -t nat -A POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.44.128
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 795 packets, 65528 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 20 packets, 1680 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 566 packets, 63484 bytes)
pkts bytes target prot opt in out source destination
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.133.130 tcp dpt:1122 to:192.168.100.100:22
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.133.130 tcp dpt:1122 to:192.168.100.100:22

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * ens33 192.168.100.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * ens33 192.168.100.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * ens33 192.168.100.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * ens33 192.168.100.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * ens33 192.168.100.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * ens33 192.168.100.0/24 0.0.0.0/0
0 0 SNAT all -- * * 192.168.100.100 0.0.0.0/0 to:192.168.44.128
0 0 SNAT all -- * * 192.168.100.100 0.0.0.0/0 to:192.168.44.128
[root@localhost ~]# iptables -t nat -D POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
[root@localhost ~]# iptables -t nat -D POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
[root@localhost ~]# iptables -t nat -D POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
[root@localhost ~]# iptables -t nat -D POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
[root@localhost ~]# iptables -t nat -D POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
[root@localhost ~]# iptables -t nat -D POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.133.130 tcp dpt:1122 to:192.168.100.100:22
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.133.130 tcp dpt:1122 to:192.168.100.100:22

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * * 192.168.100.100 0.0.0.0/0 to:192.168.44.128
0 0 SNAT all -- * * 192.168.100.100 0.0.0.0/0 to:192.168.44.128
[root@localhost ~]# iptables -t nat -D PREROUTING -d 192.168.133.130 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22
[root@localhost ~]# iptables -t nat -D PREROUTING -d 192.168.133.130 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22
[root@localhost ~]# iptables -t nat -A PREROUTING -d 192.168.44.128 -p tcp --dport 1122 -j DNAT --to 192.168.100.100:22
[root@localhost ~]# iptables -t nat -D POSTROUTING -s 192.168.100.100 -j SNAT --to 192.168.44.128
[root@localhost ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.44.128 tcp dpt:1122 to:192.168.100.100:22

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * * 192.168.100.100 0.0.0.0/0 to:192.168.44.128
[root@localhost ~]#

[root@localhost ~]# w
23:21:19 up 1:28, 2 users, load average: 0.00, 0.01, 0.03
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 21:53 19:43 0.12s 0.12s -bash
root pts/0 192.168.44.1 23:20 7.00s 0.02s 0.01s w
[root@localhost ~]# www.qq.com
-bash: www.qq.com: command not found
[root@localhost ~]# ping www.qq.com
ping: www.qq.com: Name or service not known
[root@localhost ~]# ping www.baidu.com
ping: www.baidu.com: Name or service not known
[root@localhost ~]# vi /etc/resolv.conf
[root@localhost ~]# ping www.baidu.com
PING www.a.shifen.com (180.97.33.108) 56(84) bytes of data.
64 bytes from sp1.baidu.com (180.97.33.108): icmp_seq=1 ttl=127 time=20.5 ms
64 bytes from sp1.baidu.com (180.97.33.108): icmp_seq=2 ttl=127 time=20.2 ms
64 bytes from sp1.baidu.com (180.97.33.108): icmp_seq=3 ttl=127 time=20.2 ms
^C
--- www.a.shifen.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 20.223/20.352/20.551/0.217 ms
[root@localhost ~]#

posted @ 2018-01-25 23:38  两颗白菜  views(346)  comments(0)