5月 192014
 

dual-nic-iptables主机A
外网IP地址:182.92.78.105
内网IP地址:10.162.220.104
主机B
内网iP地址:10.162.221.118
查看接口信息
[root@AY1405161625122035baZ ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:16:3E:00:37:B6
inet addr:10.162.220.104 Bcast:10.162.223.255 Mask:255.255.240.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:27730 errors:0 dropped:0 overruns:0 frame:0
TX packets:4894 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1722333 (1.6 MiB) TX bytes:356206 (347.8 KiB)
Interrupt:165

eth1 Link encap:Ethernet HWaddr 00:16:3E:00:37:B7
inet addr:182.92.78.105 Bcast:182.92.79.255 Mask:255.255.252.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4147415 errors:0 dropped:0 overruns:0 frame:0
TX packets:15476 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:206913746 (197.3 MiB) TX bytes:1928149 (1.8 MiB)
Interrupt:164

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

[root@AY1405161625122035baZ ~]#

修改IP包转发
[root@AY1405161625122035baZ ~]# cat /proc/sys/net/ipv4/ip_forward
0
[root@AY1405161625122035baZ ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@AY1405161625122035baZ ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@AY1405161625122035baZ ~]#
[root@AY1405161625122035baZ ~]# vi /etc/rc.local
echo 1 > /proc/sys/net/ipv4/ip_forward

修改配置文件
[root@AY1405161625122035baZ ~]# vi /etc/sysctl.conf
# Controls IP packet forwarding
#net.ipv4.ip_forward = 0
net.ipv4.ip_forward = 1
将iptables加入服务启动
root@AY1405161625122035baZ ~]# chkconfig –list iptables
iptables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@AY1405161625122035baZ ~]# chkconfig –level 35 iptables on

无法启动
[root@AY1405161625122035baZ ~]# service iptables status
iptables: Firewall is not running.
[root@AY1405161625122035baZ ~]# service iptables start
[root@AY1405161625122035baZ ~]# service iptables status
iptables: Firewall is not running.
[root@AY1405161625122035baZ ~]#
添加规则后启动
[root@AY1405161625122035baZ ~]# iptables -I INPUT -p tcp –dport 80 -j ACCEPT
[root@AY1405161625122035baZ ~]# iptables -I INPUT -p tcp –dport 22 -j ACCEPT
[root@AY1405161625122035baZ ~]# iptables -t nat -A PREROUTING -p tcp –dport 41022 -j DNAT –to-destination 10.162.221.118:22
[root@AY1405161625122035baZ ~]# iptables -t nat -A POSTROUTING -d 10.162.221.118 -p tcp –dport 22 -j SNAT –to 10.162.220.104

源地址发送数据->{PREROUTING->路由规则->POSTROUTING}->目的地址接收到数据

–table -t table table to manipulate (default: `filter’)
–append -A chain Append to chain
-d, –destination address[/mask][,…]

[root@AY1405161625122035baZ ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@AY1405161625122035baZ ~]# service iptables start
iptables: Applying firewall rules: [ OK ]
[root@AY1405161625122035baZ ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp — 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2 ACCEPT tcp — 0.0.0.0/0 0.0.0.0/0 tcp dpt:80

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 DNAT tcp — 0.0.0.0/0 0.0.0.0/0 tcp dpt:41022 to:10.162.221.118:22

Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 SNAT tcp — 0.0.0.0/0 10.162.221.118 tcp dpt:22 to:10.162.220.104

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

[root@AY1405161625122035baZ ~]#
在内网主机上查看网络连接状态
[root@AY140518164554406132Z ~]# netstat -tun
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 232 10.162.221.118:22 10.162.220.104:53408 ESTABLISHED
tcp 0 1 10.162.221.118:44338 110.75.102.62:80 SYN_SENT
[root@AY140518164554406132Z ~]#

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)

此站点使用Akismet来减少垃圾评论。了解我们如何处理您的评论数据