网络防火墙之DNAT-编程知识

网络防火墙之DNAT

news/2024/9/21 8:04:26/文章来源:https://www.cnblogs.com/cnblogsfc/p/14183931.html

网络防火墙

NAT

NAT: network address translation

　　PREROUTING，INPUT，OUTPUT，POSTROUTING

　　请求报文：修改源/目标IP，由定义如何修改

　　响应报文：修改源/目标IP，根据跟踪机制自动实现

DNAT：destination NAT PREROUTING , OUTPUT

　　把本地网络中的主机上的某服务开放给外部网络访问(发布服务和端口映射)，但隐藏真实IP

　　请求报文：修改目标IP

PNAT: port nat，端口和IP都进行修改

准备：

firewall：开启ip_forward功能

　　[root@firewall ~]#vim /etc/sysctl.conf

　　net.ipv4.ip_forward = 1

　　[root@firewall ~]#sysctl -p

　　[root@firewall ~]#sysctl -a

场景：外网访问内外对外开放的服务(防火墙IP2应该是192.168.37.121)

可理解为反向代理，但DNAT只能实现端口一对一映射，无法代理多台后台映射，LVS调度器，NGINX方向代理等服务可实现1对多代理映射：

DNAT

　　--to-destination [ipaddr[-ipaddr]][:port[-port]]

规范：iptables -t nat -A PREROUTING -d ExtIP -p tcp|udp --dport PORT -j DNAT --to-destination InterSeverIP[:PORT]

示例：

iptables -t nat -A PREROUTING -s 0/0 -d 192.168.37.121 -p tcp --dport 22 -j DNAT --to-destination 10.0.0.108

iptables -t nat -A PREROUTING -s 0/0 -d 192.168.37.121 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.108:80

示例：在nat表的PREROUTING添加策略

 1 [root@firewall-121 ~]# iptables -t nat -A PREROUTING -d 192.168.37.121 -p tcp --dport 80  -j DNAT --to-destination 10.0.0.108:80
 2 #/防火墙抓包/
 3 [root@firewall-121 ~]# tcpdump -i ens37 -nn host 192.168.37.122
 4 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 5 listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes
 6 10:25:25.526290 IP 192.168.37.122.40280 > 192.168.37.121.80: Flags [S], seq 1591772444, win 29200, options [mss 1460,sackOK,TS val 4906758 ecr 0,nop,wscale 7], length 0
 7 10:25:25.526493 IP 192.168.37.121.80 > 192.168.37.122.40280: Flags [S.], seq 392735740, ack 1591772445, win 28960, options [mss 1460,sackOK,TS val 7596254 ecr 4906758,nop,wscale 7], length 0
 8 #/模拟内网，抓包/
 9 [root@CentOS7-108 ~]# tcpdump -i ens33 -nn host 192.168.37.122
10 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
11 listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
12 10:25:24.974946 IP 192.168.37.122.40280 > 10.0.0.108.80: Flags [S], seq 1591772444, win 29200, options [mss 1460,sackOK,TS val 4906758 ecr 0,nop,wscale 7], length 0
13 10:25:24.974982 IP 10.0.0.108.80 > 192.168.37.122.40280: Flags [S.], seq 392735740, ack 1591772445, win 28960, options [mss 1460,sackOK,TS val 7596254 ecr 4906758,nop,wscale 7], length 0