2025-02-27 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
1. Concept
Network address translation is used to control the apparent source or desired destination address of a network packet.
Simple host-based firewalls need rules only in the INPUT chain to ACCEPT or REJECT packets, but on gateways or routers in front of private (non-routable) networks the PREROUTING and POSTROUTING chains are usually used to modify packets. The nat table uses three chains: PREROUTING, OUTPUT, and POSTROUTING. Network address translation takes place when a router rewrites the source or destination IP address or port of traffic crossing its network. It is used so that a whole network of hosts can share a single public address and hide the internal network (MASQUERADE or SNAT). It is also used to redirect traffic sent to one IP address to another IP address; this destination NAT is used for port forwarding (exposing services inside the firewall through ports on its outside) and for transparent redirection to a proxy service.
The MASQUERADE target changes the source IP address to the IP address of the interface through which the packet leaves the firewall. The destination sends its response back to that interface address, and connection tracking automatically translates the returned traffic to the matching internal IP address and port (the connection is tracked by the IP addresses and ports on both sides). The SNAT target changes the source IP address to the address given with the --to-source option.
# iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
The DNAT target changes the destination IP address to the address given with the --to-destination option. The router then forwards the packet to that address, which is why the PREROUTING chain, evaluated before the routing decision, is used. Connection tracking automatically rewrites the response so that it reaches the original sender with the original destination IP address as its source rather than the address the packet was forwarded to.
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.254
DNAT example:
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-dest 192.168.0.250
# iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-dest 192.168.0.200   OUTPUT 3128 (redirect)
SNAT example:
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE (masquerading)
# iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.0.253
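To make the behaviour described above concrete (a PREROUTING DNAT or POSTROUTING SNAT rewrite, and the connection-tracking entry that undoes it on the reply), here is a small Python model of a NAT gateway. It is an added example, not code from the original article; the addresses are the article's lab addresses (172.25.6.10 intranet host, 172.25.254.106 public side of the gateway, 172.25.254.6 external host) and the port numbers are constructed for illustration.

```python
# Toy model of stateful NAT: the nat table's PREROUTING (DNAT) and POSTROUTING
# (SNAT) rewrites plus the connection-tracking entry that reverses them for replies.
# Added example (not from the original article); lab addresses come from the
# article, port numbers are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply_tuple(self):
        """The 4-tuple a reply to this packet would carry."""
        return Packet(self.dst, self.dport, self.src, self.sport)


class NatGateway:
    def __init__(self, public_ip, private_prefix, dnat_rules):
        self.public_ip = public_ip
        self.private_prefix = private_prefix  # e.g. "172.25.6."
        self.dnat_rules = dnat_rules          # {public dport: (internal ip, port)}
        self.forward_map = {}                 # original tuple -> translated tuple
        self.reply_map = {}                   # reply to translated -> reply to original
        self.next_sport = 40000               # next free source port for SNAT mappings

    def forward(self, pkt):
        """A packet crossing the gateway: DNAT before routing, SNAT after it."""
        if pkt in self.forward_map:           # existing connection: reuse its mapping
            return self.forward_map[pkt]
        out = pkt
        if out.dst == self.public_ip and out.dport in self.dnat_rules:
            ip, port = self.dnat_rules[out.dport]             # PREROUTING -j DNAT
            out = Packet(out.src, out.sport, ip, port)
        if out.src.startswith(self.private_prefix) and \
                not out.dst.startswith(self.private_prefix):   # POSTROUTING -j SNAT
            out = Packet(self.public_ip, self.next_sport, out.dst, out.dport)
            self.next_sport += 1
        self.forward_map[pkt] = out
        self.reply_map[out.reply_tuple()] = pkt.reply_tuple()  # conntrack entry
        return out

    def reply(self, pkt):
        """A reply arriving at the gateway: conntrack restores the original addresses."""
        return self.reply_map.get(pkt, pkt)   # untracked traffic passes unchanged
```

The DNAT case shows the point made above: the intranet server's reply leaves the gateway with the public address 172.25.254.106 as its source, so the outside client never sees 172.25.6.10.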
2. The filter table allows only the sshd, dns, http, https and ftp services
vim /etc/vsftpd/vsftpd.conf
pasv_max_port=5000
pasv_min_port=5000
iptables -F
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 953 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 5000 -j ACCEPT
iptables -A INPUT -m state --state NEW -s 172.25.6.254 -p tcp --dport 1024: -j ACCEPT
iptables -P INPUT DROP   # default-deny policy (iptables -F does not reset it), so only the services listed above are reachable
3. Internal and external network access through the NAT table
3.1 Experimental environment:
Real machine: 172.25.254.6 (external network)
Virtual machine 1: 172.25.254.106 (external side) and 172.25.6.1 (internal side)
Virtual machine 2: 172.25.6.10 (intranet)
3.2 Accessing the public network from the internal network
3.2.1 Virtual machine 1 configuration
[root@server106 ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1   # enable kernel routing (IP forwarding)
[root@server106 ~]# sysctl -p
[root@server106 ~]# iptables -F
[root@server106 ~]# iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source 172.25.254.106   # policy that lets the private network reach the public network
3.2.2 Virtual machine 2 configuration
[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
GATEWAY=172.25.6.1
[root@localhost ~]# /etc/init.d/network restart
3.2.3 Test: virtual machine 2 can ping 172.25.254.6 on the 254 network segment
[root@localhost ~]# ping 172.25.254.6
PING 172.25.254.6 (172.25.254.6) 56(84) bytes of data.
64 bytes from 172.25.254.6: icmp_seq=1 ttl=64 time=0.102 ms
64 bytes from 172.25.254.6: icmp_seq=2 ttl=64 time=0.127 ms
64 bytes from 172.25.254.6: icmp_seq=3 ttl=64 time=0.164 ms
3.3 Accessing the internal network from the public network
3.3.1 Virtual machine 1 configuration
[root@server106 ~]# iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j DNAT --to-dest 172.25.6.10   # policy that lets the external network reach the private network: HTTP arriving on the public interface is DNATed to the intranet web server (the SNAT rule from 3.2.1 alone does not give outside hosts access to the intranet)
3.3.2 Virtual machine 2: add a test page
[root@localhost ~]# vim /var/www/html/index.html
Test page
[root@localhost ~]# /etc/init.d/httpd start
3.3.3 Real-machine test