
Category: LINUX

2015-12-10 16:28:35

1. Bridge configuration
# Uplink port: this port links to the Internet
IFu=eth0
# Downlink port: this bridge faces the PCs
IFd=br0
IFd0=eth1
IFd1=wlan0
IPd=172.20.227.70


# Strip the addresses from the member ports, rebuild the bridge, enslave both ports,
# then bring the bridge up with the LAN address
ifconfig ${IFd0} 0.0.0.0
ifconfig ${IFd1} 0.0.0.0
ifconfig ${IFd} down
brctl delbr ${IFd}
brctl addbr ${IFd}
brctl addif ${IFd} ${IFd0}
brctl addif ${IFd} ${IFd1}
ifconfig ${IFd} ${IPd} up
brctl show


2. NAT configuration: this needs kernel support; the relevant configuration options are:
Networking support=y
->Networking options=y
--->Network packet filtering framework (Netfilter)=y
----->Core Netfilter Configuration
------->Netfilter NFACCT over NFNETLINK interface=y
------->Netfilter NFQUEUE over NFNETLINK interface=y
------->Netfilter connection tracking support=y
----->IP: Netfilter Configuration
------->IPv4 connection tracking support (required for NAT)=y
------->Full NAT=y
--------->MASQUERADE target support=y
--------->NETMAP target support=y
--------->REDIRECT target support=y
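Before building the bridge and the NAT rules it is worth confirming that the kernel actually carries the options in this tree; a NAT rule on a kernel without connection tracking simply fails to load. The script below is an added check, not part of the original post: it scans a kernel .config (plain or gzipped, for example /boot/config-$(uname -r) or /proc/config.gz) for the CONFIG_* symbols those menu entries correspond to on 3.x kernels and lists whatever is missing or built as neither =y nor =m. The symbol list is an assumption to adjust per kernel version ("Full NAT" is CONFIG_NF_NAT_IPV4 on 3.7 and later and CONFIG_NF_NAT before that, and newer kernels fold CONFIG_NF_CONNTRACK_IPV4 into CONFIG_NF_CONNTRACK); the sample config it checks when given no argument is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): check a kernel .config for the
# Netfilter/NAT options behind the menu tree above. Symbol names are those of
# 3.x kernels and are an assumption; adjust them for other versions.

REQUIRED_NF_OPTIONS="
CONFIG_NETFILTER
CONFIG_NETFILTER_NETLINK_ACCT
CONFIG_NETFILTER_NETLINK_QUEUE
CONFIG_NF_CONNTRACK
CONFIG_NF_CONNTRACK_IPV4
CONFIG_NF_NAT_IPV4
CONFIG_IP_NF_TARGET_MASQUERADE
CONFIG_IP_NF_TARGET_NETMAP
CONFIG_IP_NF_TARGET_REDIRECT
"

# Print the config as plain text, whether it is a plain file or gzipped.
read_kconfig() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# check_nf_config FILE: print one "missing: CONFIG_X" line per option that is
# neither =y nor =m (absent or "# CONFIG_X is not set"); return the count missing.
check_nf_config() {
    missing=0
    cfg=$(read_kconfig "$1")
    for opt in $REQUIRED_NF_OPTIONS; do
        if ! printf '%s\n' "$cfg" | grep -Eq "^${opt}=(y|m)$"; then
            echo "missing: $opt"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Constructed sample .config for trying the check offline; it deliberately
# leaves NF_NAT_IPV4 unset and omits NETMAP entirely. Prints the temp file path.
write_sample_kconfig() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NETFILTER_NETLINK_ACCT=y
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_IPV4=y
# CONFIG_NF_NAT_IPV4 is not set
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
EOF
    echo "$f"
}

# Stand-alone use: pass a config path (e.g. /boot/config-$(uname -r) or
# /proc/config.gz); with no argument the constructed sample is checked.
if [ -n "${1:-}" ]; then
    check_nf_config "$1" && echo "all required Netfilter/NAT options present"
else
    sample=$(write_sample_kconfig)
    check_nf_config "$sample" || echo "constructed sample is missing $? option(s)"
    rm -f "$sample"
fi
```

On the constructed sample the check reports CONFIG_NF_NAT_IPV4 and CONFIG_IP_NF_TARGET_NETMAP and exits with status 2, one per missing option, so it can gate a build script with a plain `||`.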


3. iptables configuration
iptables is normally used to configure a firewall or to implement NAT.
3.1: iptables usage
iptables v1.4.12


Usage: iptables -[ACD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -R chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LS] [chain [rulenum]] [options]
       iptables -[FZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)


Commands:
Either long or short options are allowed.
  --append   -A chain Append to chain
  --check   -C chain Check for the existence of a rule
  --delete   -D chain Delete matching rule from chain
  --delete   -D chain rulenum
Delete rule rulenum (1 = first) from chain
  --insert   -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
  --list     -L [chain [rulenum]]
List the rules in a chain or all chains
  --list-rules -S [chain [rulenum]]
Print the rules in a chain or all chains
  --flush   -F [chain] Delete all rules in  chain or all chains
  --zero     -Z [chain [rulenum]]
Zero counters in chain or all chains
  --new     -N chain Create a new user-defined chain
  --delete-chain
            -X [chain] Delete a user-defined chain
  --policy   -P chain target
Change policy on chain to target
  --rename-chain
            -E old-chain new-chain
Change chain name, (moving any references)
Options:
    --ipv4 -4 Nothing (line is ignored by ip6tables-restore)
    --ipv6 -6 Error (line is ignored by iptables-restore)
[!] --proto -p proto protocol: by number or name, eg. `tcp'
[!] --source -s address[/mask][...]
source specification
[!] --destination -d address[/mask][...]
destination specification
[!] --in-interface -i input name[+]
network interface name ([+] for wildcard)
 --jump -j target
target for rule (may load target extension)
  --goto       -g chain
                              jump to chain with no return
  --match -m match
extended match (may load extension)
  --numeric -n numeric output of addresses and ports
[!] --out-interface -o output name[+]
network interface name ([+] for wildcard)
  --table -t table table to manipulate (default: `filter')
  --verbose -v verbose mode
  --line-numbers print line numbers when listing
  --exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
  --modprobe= try to insert modules using this command
  --set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.


3.2: iptables examples
iptables -F #flush all rules in every chain of the filter table (policies are not changed)
iptables -P INPUT ACCEPT #set the policy: allow incoming traffic
iptables -P FORWARD ACCEPT #set the policy: allow forwarded traffic
iptables -t nat -nvL #list the nat table rules (numeric, verbose)


3.3: Implementing NAT with iptables
3.3.1: Implementing SNAT
Scenario: to cope with a shortage of IP addresses, NAT is used to save cost.
SNAT: source address translation (proxies internal clients out to external networks); the rules are placed on the POSTROUTING or OUTPUT chain.
Parameter options:
    -j SNAT --to-source IP
    -j MASQUERADE

DNAT: destination address translation (publishes internal servers to external networks); the rules must be placed on PREROUTING.
Parameter options:
   -j DNAT --to-destination IP:port


NAT can translate not only the destination address but also map the destination port.


# IPd_mask (prefix length of the LAN) and IPu (address of the uplink) are not set in section 1; define them before running this line
iptables -t nat -A POSTROUTING -s ${IPd}/${IPd_mask} -o ${IFu} -j SNAT --to-source ${IPu}
iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -j SNAT --to-source 192.168.0.4


3.3.2: Implementing DNAT
NAT is not suited to very high-concurrency deployments: generally speaking, 20,000 to 30,000 concurrent user requests is already enormous, and at that scale distribution is usually done by professional hardware load balancers or dedicated applications.
Below we try to let a client reach the web server, with the goal that from now on clients access the web server at the iptables server 10.0.10.62 rather than at 192.168.0.110.
Reset the environment:
iptables -t nat -F
iptables -F
iptables -P FORWARD ACCEPT
We want the gateway 10.0.10.62 to be the address users target instead of 192.168.0.110, but 62 runs no web service, so any access to 62's web service must be translated to 110.
So run the following on the iptables server:
iptables -t nat -A PREROUTING -d 10.0.10.62 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.110
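The SNAT and DNAT rules of this section, as an added example that is not the original post's command list: one iptables-restore ruleset that publishes the web server and hides the LAN, with two things a practitioner checks that the post leaves implicit, namely `net.ipv4.ip_forward=1` (without it the gateway never forwards the DNATed packets) and a FORWARD chain that admits only the traffic the NAT rules are for instead of `-P FORWARD ACCEPT`, which turns the gateway into an open router between both sides. The topology is an assumption that lines the post's two examples up: 192.168.0.0/24 is the LAN behind the bridge (where the web server 192.168.0.110 sits) and 10.0.10.62 is the gateway's own address on the uplink; `eth0` and `br0` are the interfaces from section 1.

```shell
#!/bin/sh
# Added example, not the original post's commands: the SNAT and DNAT rules of
# this section as one iptables-restore ruleset plus a restrictive FORWARD chain.
# Topology is an assumption that lines the two examples up (see the lead-in).

IFu=eth0                 # uplink interface, as in section 1
IFd=br0                  # downlink bridge, as in section 1
LAN=192.168.0.0/24       # assumed LAN prefix behind the gateway
IPu=10.0.10.62           # gateway address on the uplink; clients connect here
WEB_SRV=192.168.0.110    # internal web server that receives the DNATed traffic

# build_nat_rules: print the ruleset in iptables-save format on stdout.
build_nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Publish the web server: TCP/80 arriving for the gateway goes to ${WEB_SRV}.
-A PREROUTING -d ${IPu} -p tcp --dport 80 -j DNAT --to-destination ${WEB_SRV}
# Hide the LAN behind the gateway's uplink address on the way out.
-A POSTROUTING -s ${LAN} -o ${IFu} -j SNAT --to-source ${IPu}
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies and related packets of connections conntrack already knows.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN to Internet: exactly the traffic POSTROUTING will SNAT.
-A FORWARD -i ${IFd} -o ${IFu} -s ${LAN} -j ACCEPT
# Inbound: only packets the PREROUTING rule has already rewritten to the web server.
-A FORWARD -i ${IFu} -o ${IFd} -d ${WEB_SRV} -p tcp --dport 80 -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
EOF
}

# apply_nat_rules: enable routing and load the whole ruleset atomically (needs root).
apply_nat_rules() {
    sysctl -w net.ipv4.ip_forward=1
    build_nat_rules | iptables-restore
    iptables -t nat -nvL
    iptables -nvL FORWARD
}

# Stand-alone: "sh nat.sh" prints the ruleset for review, "sh nat.sh apply" loads it.
if [ "${1:-}" = "apply" ]; then
    apply_nat_rules
else
    build_nat_rules
fi
```

Loading through iptables-restore replaces both tables in one step, so there is no window in which the old rules are flushed but the new ones not yet present, and the printed form can be diffed against `iptables-save` output later to detect drift. The filter rules deliberately match on `--ctstate DNAT` so that only connections the PREROUTING rule rewrote can reach the web server; with a dynamic uplink address, swap the SNAT target for the `-j MASQUERADE` option listed in 3.3.1.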
