1. Bridge configuration
# Uplink port: this port connects to the Internet
IFu=eth0
# Downlink port: the bridge that the PCs connect to, made of eth1 and wlan0
IFd=br0
IFd0=eth1
IFd1=wlan0
IPd=172.20.227.70
# Member ports carry no IP address of their own
ifconfig ${IFd0} 0.0.0.0
ifconfig ${IFd1} 0.0.0.0
# Remove any existing bridge of this name, then recreate it (delbr fails harmlessly on the first run)
ifconfig ${IFd} down
brctl delbr ${IFd}
brctl addbr ${IFd}
brctl addif ${IFd} ${IFd0}
brctl addif ${IFd} ${IFd1}
# The bridge itself carries the downlink address
ifconfig ${IFd} ${IPd} up
brctl show
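The same setup as a re-runnable script, added here as an example (not the original post's code): it is parameterised, tears down a pre-existing bridge of the same name before recreating it, and prints its commands by default, so the sequence can be reviewed before it is applied as root by running it with RUN set to an empty string. It uses iproute2 in place of ifconfig, and the /24 prefix length is an assumption, since the post gives no netmask. One caveat the post does not mention: a Wi-Fi interface can only be added to a bridge when it is in AP or 4-address mode; the kernel refuses to bridge a station-mode wlan0.

```shell
#!/bin/sh
# Added example, not the post's code: re-runnable bridge setup.
# Commands are printed unless RUN is empty (RUN= sh bridge.sh applies them).
# Interface names and the address are taken from the post; the /24 prefix
# length is an assumption.
RUN="${RUN-echo}"

# build_bridge BRIDGE ADDRESS/PREFIX MEMBER_PORT...
build_bridge() {
    br="$1"; addr="$2"; shift 2
    # Remove a bridge of the same name if one exists, so the script is idempotent
    if [ -d "/sys/class/net/$br" ]; then
        $RUN ip link set "$br" down
        $RUN brctl delbr "$br"
    fi
    $RUN brctl addbr "$br"
    for port in "$@"; do
        # Member ports carry no address of their own; the bridge owns the address
        $RUN ip addr flush dev "$port"
        $RUN brctl addif "$br" "$port"
        $RUN ip link set "$port" up
    done
    $RUN ip addr add "$addr" dev "$br"
    $RUN ip link set "$br" up
}

# The uplink stays a plain routed interface; the downlink bridge joins eth1 and wlan0
IFu=eth0
build_bridge br0 172.20.227.70/24 eth1 wlan0
$RUN brctl show
```

Run as RUN= sh bridge.sh (as root) to apply; without that, the script only prints the commands it would execute.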
2. NAT configuration requires kernel support; the relevant configuration options are:
Networking support=y
->Networking options=y
--->Network packet filtering framework (Netfilter)=y
----->Core Netfilter Configuration
------->Netfilter NFACCT over NFNETLINK interface=y
------->Netfilter NFQUEUE over NFNETLINK interface=y
------->Netfilter connection tracking support=y
----->IP: Netfilter Configuration
------->IPv4 connection tracking support (required for NAT)=y
------->Full NAT=y
--------->MASQUERADE target support=y
--------->NETMAP target support=y
--------->REDIRECT target support=y
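Added example (not from the original post) to verify that a kernel actually carries these options: it reads a kernel config and lists the required symbols that are neither built in (=y) nor built as modules (=m). The CONFIG_* names are the symbols behind the menu entries above in 3.x-era kernels, the generation that matches the iptables 1.4.12 help text later in the post; later kernels rename or split some of them (CONFIG_NF_CONNTRACK_IPV4 was folded into CONFIG_NF_CONNTRACK, and NAT gained per-family symbols such as CONFIG_NF_NAT_IPV4 for a time), so check the list against your kernel's Kconfig. The sample config in the block is constructed.

```shell
#!/bin/sh
# Added example, not the post's code: check a kernel config for the NAT
# options listed in section 2. Symbol names are the 3.x-era Kconfig symbols
# behind those menu entries; adjust them for newer kernels.
REQUIRED_NAT_OPTIONS="
CONFIG_NET
CONFIG_NETFILTER
CONFIG_NETFILTER_NETLINK_ACCT
CONFIG_NETFILTER_NETLINK_QUEUE
CONFIG_NF_CONNTRACK
CONFIG_NF_CONNTRACK_IPV4
CONFIG_NF_NAT
CONFIG_IP_NF_TARGET_MASQUERADE
CONFIG_IP_NF_TARGET_NETMAP
CONFIG_IP_NF_TARGET_REDIRECT
"

# missing_nat_options < .config
# Prints each required symbol that is neither =y nor =m, one per line.
# Always returns 0; empty output means everything is present.
missing_nat_options() {
    config=$(cat)
    for sym in $REQUIRED_NAT_OPTIONS; do
        # The '=' anchor keeps CONFIG_NF_NAT from matching CONFIG_NF_NAT_IPV4
        if ! printf '%s\n' "$config" | grep -Eq "^${sym}=[ym]$"; then
            echo "$sym"
        fi
    done
}

# kernel_config: the running kernel's config, from /proc or /boot
kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        echo "no kernel config found" >&2
        return 1
    fi
}

# Constructed sample: conntrack is present, but NAT and two targets are not
SAMPLE_CONFIG='CONFIG_NET=y
CONFIG_NETFILTER=y
CONFIG_NETFILTER_NETLINK_ACCT=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_IPV4=y
# CONFIG_NF_NAT is not set
CONFIG_IP_NF_TARGET_REDIRECT=m'

echo "Missing from the sample config:"
printf '%s\n' "$SAMPLE_CONFIG" | missing_nat_options
# On a real system: kernel_config | missing_nat_options
```

Options built as modules (=m) satisfy the check but must be loaded (iptables does this through modprobe when a rule first needs them); the post's =y settings avoid that dependency on an embedded system.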
3. iptables configuration
iptables is normally used to configure a firewall or to implement NAT.
3.1: How to use iptables
iptables v1.4.12
Usage: iptables -[ACD] chain rule-specification [options]
iptables -I chain [rulenum] rule-specification [options]
iptables -R chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LS] [chain [rulenum]] [options]
iptables -[FZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)
Commands:
Either long or short options are allowed.
--append -A chain Append to chain
--check -C chain Check for the existence of a rule
--delete -D chain Delete matching rule from chain
--delete -D chain rulenum
Delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
--list -L [chain [rulenum]]
List the rules in a chain or all chains
--list-rules -S [chain [rulenum]]
Print the rules in a chain or all chains
--flush -F [chain] Delete all rules in chain or all chains
--zero -Z [chain [rulenum]]
Zero counters in chain or all chains
--new -N chain Create a new user-defined chain
--delete-chain
-X [chain] Delete a user-defined chain
--policy -P chain target
Change policy on chain to target
--rename-chain
-E old-chain new-chain
Change chain name, (moving any references)
Options:
--ipv4 -4 Nothing (line is ignored by ip6tables-restore)
--ipv6 -6 Error (line is ignored by iptables-restore)
[!] --proto -p proto protocol: by number or name, eg. `tcp'
[!] --source -s address[/mask][...]
source specification
[!] --destination -d address[/mask][...]
destination specification
[!] --in-interface -i input name[+]
network interface name ([+] for wildcard)
--jump -j target
target for rule (may load target extension)
--goto -g chain
jump to chain with no return
--match -m match
extended match (may load extension)
--numeric -n numeric output of addresses and ports
[!] --out-interface -o output name[+]
network interface name ([+] for wildcard)
--table -t table table to manipulate (default: `filter')
--verbose -v verbose mode
--line-numbers print line numbers when listing
--exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
--modprobe= try to insert modules using this command
--set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.
3.2: iptables examples
iptables -F                 # flush all rules from every chain of the filter table (chain policies are unchanged)
iptables -P INPUT ACCEPT    # set the INPUT chain's default policy to ACCEPT
iptables -P FORWARD ACCEPT  # set the FORWARD chain's default policy to ACCEPT (forwarded traffic)
iptables -t nat -Lnv        # list the rules of the nat table, numeric and verbose
3.3: Implementing NAT with iptables
3.3.1: Implementing SNAT
Scenario: to cope with a shortage of IP addresses, NAT is used to save cost.
SNAT: source address translation (lets internal clients reach the external network); the rules are placed on the POSTROUTING or OUTPUT chain.
Parameter options:
-j SNAT --to-source IP
-j MASQUERADE
DNAT: destination address translation (exposes internal servers to the external network); the rules are placed on the PREROUTING chain.
Parameter options:
-j DNAT --to-destination IP:port
NAT can translate not only the destination address but also map the destination port.
# Generic form: traffic from the downlink network leaving via the uplink gets the uplink address
# (IPd_mask and IPu, the downlink netmask and the uplink address, are assumed to be set beforehand)
iptables -t nat -A POSTROUTING -s ${IPd}/${IPd_mask} -o ${IFu} -j SNAT --to-source ${IPu}
# Concrete example: 10.0.10.0/24 leaves with source address 192.168.0.4
iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -j SNAT --to-source 192.168.0.4
3.3.2: Implementing DNAT
NAT is not suitable for highly concurrent environments; generally speaking, 20,000-30,000 concurrent user requests is already a very large deployment, and distribution at that scale is usually handled by professional-grade hardware load balancers or dedicated distribution applications.
Below we try to let the client reach the web server, with the expectation that from now on the web server is accessed not at 192.168.0.110 but through the iptables server at 10.0.10.62.
Clear the environment:
iptables -t nat -F
iptables -F
iptables -P FORWARD ACCEPT
We want the gateway 10.0.10.62, not 192.168.0.110, to be the address users access; but there is no web service on .62, so anyone accessing the web service on .62 must be redirected to .110.
So, on the iptables server, run:
iptables -t nat -A PREROUTING -d 10.0.10.62 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.110
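Sections 3.3.1 and 3.3.2 together, as an added example that is not the post's own code: shell functions that emit the SNAT rule (or MASQUERADE, for an uplink whose address changes) and the DNAT rule, validate the IP:port target, and, instead of the post's FORWARD policy of ACCEPT, set FORWARD to DROP and admit only the translated traffic plus replies to it. Commands are printed unless RUN is set to an empty string; the addresses and interface names are assumptions taken from the post.

```shell
#!/bin/sh
# Added example, not the post's code: builds the SNAT/DNAT rules of sections
# 3.3.1 and 3.3.2 with a default-deny FORWARD chain. Commands are printed
# unless RUN is empty (RUN= sh nat.sh applies them as root). Addresses and
# interface names below are assumptions taken from the post.
RUN="${RUN-echo}"

# Accept only the IPv4:port form that --to-destination expects
valid_hostport() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}:[0-9]{1,5}$'
}

# Start from a clean nat table and a FORWARD chain that only passes replies;
# snat_rule and dnat_rule then open exactly what each translation needs.
reset_nat() {
    $RUN iptables -t nat -F
    $RUN iptables -F FORWARD
    $RUN iptables -P FORWARD DROP
    $RUN iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# snat_rule LAN_CIDR UPLINK_IF [PUBLIC_IP]
# A fixed public address uses SNAT; without one, MASQUERADE picks up the
# uplink's current address for every new connection.
snat_rule() {
    lan="$1"; uplink="$2"; pub="$3"
    if [ -n "$pub" ]; then
        $RUN iptables -t nat -A POSTROUTING -s "$lan" -o "$uplink" -j SNAT --to-source "$pub"
    else
        $RUN iptables -t nat -A POSTROUTING -s "$lan" -o "$uplink" -j MASQUERADE
    fi
    # LAN hosts may open new outbound connections through the uplink
    $RUN iptables -A FORWARD -s "$lan" -o "$uplink" -m conntrack --ctstate NEW -j ACCEPT
}

# dnat_rule PUBLIC_IP PUBLIC_PORT BACKEND_IP:BACKEND_PORT
# Publishes one internal TCP service. FORWARD sees the packet after PREROUTING
# has rewritten it, so the accept rule matches the backend address and port.
dnat_rule() {
    pubip="$1"; pubport="$2"; backend="$3"
    valid_hostport "$backend" || { echo "bad backend '$backend'" >&2; return 1; }
    $RUN iptables -t nat -A PREROUTING -d "$pubip" -p tcp --dport "$pubport" \
        -j DNAT --to-destination "$backend"
    $RUN iptables -A FORWARD -p tcp -d "${backend%:*}" --dport "${backend#*:}" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Worked setup with the post's addresses: 10.0.10.0/24 leaves as 192.168.0.4,
# and port 80 on 10.0.10.62 is served by 192.168.0.110
reset_nat
snat_rule 10.0.10.0/24 eth0 192.168.0.4
dnat_rule 10.0.10.62 80 192.168.0.110:80
$RUN sysctl -w net.ipv4.ip_forward=1
```

The FORWARD rules are what the post's FORWARD ACCEPT policy glosses over: with the policy at DROP, a host on either side can only reach what a translation rule explicitly publishes, and the conntrack ESTABLISHED,RELATED rule carries the replies in both directions. Forwarding itself stays off until net.ipv4.ip_forward is set, which is why the sysctl comes last.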