[iptables practice] 07 iptables NAT experiment

In the previous section, we connected the hosts on the two network segments by forwarding their traffic through the intermediate host B. Let's review the network connection diagram again.

In the previous section's firewall experiment, we set forwarding rules on host B. First, clear those forwarding rules on host B.

[root@localhost ~]# iptables -F FORWARD

At this point A and C can still communicate with each other, because forwarding is enabled on B. Do you still remember how to enable forwarding?

1. SNAT

Check the two network interfaces of host B:

[root@localhost ~]# ifconfig

enp0s8: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.168.56.106 netmask 255.255.255.0 broadcast 192.168.56.255
        inet6 fe80::db6e:9a5d:7349:6075 prefixlen 64 scopeid 0x20<link>
        ether 08:00:27:c4:c4:34 txqueuelen 1000 (Ethernet)
        RX packets 2132 bytes 878351 (857.7 KiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 1802 bytes 417950 (408.1 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

enp0s9: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 10.1.0.11 netmask 255.255.0.0 broadcast 10.1.255.255
        inet6 fe80::6f7e:d360:eb44:50d2 prefixlen 64 scopeid 0x20<link>
        ether 08:00:27:21:7b:f0 txqueuelen 1000 (Ethernet)
        RX packets 3199 bytes 310848 (303.5 KiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 3080 bytes 963634 (941.0 KiB)

Host C pings host A:

[root@test-c ~]# ping 192.168.56.104
PING 192.168.56.104 (192.168.56.104) 56(84) bytes of data.
64 bytes from 192.168.56.104: icmp_seq=1 ttl=63 time=1.60 ms
64 bytes from 192.168.56.104: icmp_seq=2 ttl=63 time=1.81 ms
64 bytes from 192.168.56.104: icmp_seq=3 ttl=63 time=1.83 ms
64 bytes from 192.168.56.104: icmp_seq=4 ttl=63 time=1.61 ms

On host A, capture the ICMP packets with tcpdump:

[root@localhost ~]# tcpdump -i enp0s8 -nn icmp
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s8, link-type EN10MB (Ethernet), capture size 262144 bytes
03:25:52.191447 IP 10.1.0.10 > 192.168.56.104: ICMP echo request, id 2681, seq 8, length 64
03:25:52.191525 IP 192.168.56.104 > 10.1.0.10: ICMP echo reply, id 2681, seq 8, length 64
03:25:53.192233 IP 10.1.0.10 > 192.168.56.104: ICMP echo request, id 2681, seq 9, length 64

The traffic is simply forwarded: host A sees the packets arriving directly from 10.1.0.10, so the source IP has not been changed.

Now enable SNAT on host B, then check the tcpdump output on host A again.

[root@localhost ~]# iptables -t nat -A POSTROUTING -s 10.1.0.0/16 -j SNAT --to-source 192.168.56.106

Now host A sees the requests coming from 192.168.56.106, i.e. host B, and sends its replies back to B:

[root@localhost ~]# tcpdump -i enp0s8 -nn icmp
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s8, link-type EN10MB (Ethernet), capture size 262144 bytes
03:23:08.675793 IP 192.168.56.106 > 192.168.56.104: ICMP echo request, id 2663, seq 1, length 64
03:23:08.675845 IP 192.168.56.104 > 192.168.56.106: ICMP echo reply, id 2663, seq 1, length 64
03:23:09.677209 IP 192.168.56.106 > 192.168.56.104: ICMP echo request, id 2663, seq 2, length 64
03:23:09.677292 IP 192.168.56.104 > 192.168.56.106: ICMP echo reply, id 2663, seq 2, length 64

2. DNAT

Set the following forwarding rule on host B (192.168.56.106):

[root@localhost ~]# iptables -t nat -I PREROUTING -d 192.168.56.106 -p tcp --dport 801 -j DNAT --to-destination 10.1.0.10:80

That is, access to port 801 of the 106 host is forwarded to port 80 of host C.
Start the httpd service on host C.
Now host A tries to access the service:

[root@localhost ~]# curl -X GET http://192.168.56.106:801

The data is returned successfully.
At the same time, capture the traffic on host B with tcpdump:

[root@localhost ~]# tcpdump -i enp0s8 -p tcp port 801 -nn
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s8, link-type EN10MB (Ethernet), capture size 262144 bytes
05:06:16.442102 IP 192.168.56.104.35408 > 192.168.56.106.801: Flags [S], seq 2976570142, win 29200, options [mss 1460,sackOK,TS val 3328446820 ecr 0,nop,wscale 7], length 0
05:06:16.443153 IP 192.168.56.106.801 > 192.168.56.104.35408: Flags [S.], seq 2959350184, ack 2976570143, win 28960, options [mss 1460,sackOK,TS val 1165808246 ecr 3328446820,nop,wscale 7], length 0
05:06:16.445879 IP 192.168.56.104.35408 > 192.168.56.106.801: Flags [.], ack 1, win 229, options [nop,nop,TS val 3328446823 ecr 1165808246], length 0
05:06:16.446365 IP 192.168.56.104.35408 > 192.168.56.106.801: Flags [P.], seq 1:83, ack 1, win 229, options [nop,nop,TS val 3328446823 ecr 1165808246], length 82
05:06:16.447290 IP 192.168.56.106.801 > 192.168.56.104.35408: Flags [.], ack 83, win 227, options [nop,nop,TS val 1165808249 ecr 3328446823], length 0
05:06:16.448087 IP 192.168.56.106.801 > 192.168.56.104.35408: Flags [.], seq 1:14481, ack 83, win 227, options [nop,nop,TS val 1165808250 ecr 3328446823], length 14480
05:06:16.448587 IP 192.168.56.104.35408 > 192.168.56.106.801: Flags [.], ack 14481, win 455, options [nop,nop,TS val 3328446826 ecr 1165808250], length 0
05:06:16.450968 IP 192.168.56.106.801 > 192.168.56.104.35408: Flags [.], seq 14481:37649, ack 83, win 227, options [nop,nop,TS val 1165808252 ecr 3328446826], length 23168
05:06:16.451369 IP 192.168.56.104.35408 > 192.168.56.106.801: Flags [.], ack 37649, win 817, options [nop,nop,TS val 3328446829 ecr 1165808252], length 0
05:06:16.451483 IP 192.168.56.106.801 > 192.168.56.104.35408: Flags [P.], seq 37649:43441, ack 83, win 227, options [nop,nop,TS val 1165808253 ecr 3328446826], length 5792
05:06:16.452178 IP 192.168.56.104.35408 > 192.168.56.106.801: Flags [.], ack 43441, win 907, options [nop,nop,TS val 3328446829 ecr 1165808253], length 0

3. Action MASQUERADE

Above we described SNAT, i.e. source address translation. Now let's look at an action similar to SNAT: MASQUERADE.
When we dial up to the Internet, the IP address assigned each time is often different; we are not given a fixed IP address for any length of time. If we want the intranet hosts to share this public IP to access the Internet, it becomes very troublesome, because every time the IP address changes we have to reconfigure the SNAT rule. This is not very user-friendly. We can solve the problem with MASQUERADE, which dynamically translates the source address to an IP address available on the outgoing interface. In fact, MASQUERADE is implemented on top of SNAT and its function is exactly the same: both modify the source address. The difference is that SNAT must be told which IP to change the source address to, while MASQUERADE needs no explicit IP and dynamically rewrites the source address to an available IP address of the specified network interface. An example is as follows:

[root@localhost ~]# iptables -t nat -I POSTROUTING -s 10.1.0.0/24 -o enp0s8 -j MASQUERADE

As shown above, we specify that when packets leaving through the external network interface pass through the POSTROUTING chain, their source address is automatically changed to the IP address available on that interface. Even if the public IP address on the external interface changes, the source IP of the internal hosts' packets is still dynamically mapped to the correct public IP.

MASQUERADE can be understood as dynamic, automated SNAT. If dynamic SNAT is not needed, there is no reason to use MASQUERADE, because SNAT is more efficient.

4. Action REDIRECT

Port mapping on the local machine can be performed with the REDIRECT action.
For example, map port 8081 of the local machine to port 80 of the local machine.
Host A (192.168.56.104) makes the following setting:

[root@localhost ~]# iptables -t nat -A PREROUTING -p tcp --dport 8081 -j REDIRECT --to-ports 80

With the above rule in place, when other machines access port 8081 of this machine, the packets are redirected to port 80 of this machine.
When another host accesses the following address (the 104 host provides a service on port 80), the request succeeds:

[root@test-c ~]# curl -X GET http://192.168.56.104:8081

REDIRECT rules can only be defined in the PREROUTING chain or the OUTPUT chain.

5. Summary

To facilitate future review, we summarize the above commands.

If you want the NAT function to work properly, you need to enable the core forwarding function of the Linux host.

echo 1 > /proc/sys/net/ipv4/ip_forward

  • SNAT related operations
    Configuring SNAT can hide the IP addresses of the hosts in the network, or share a public IP to access the Internet. If you only want to share the IP, you only need the following SNAT rule.
    iptables -t nat -A POSTROUTING -s 10.1.0.0/16 -j SNAT --to-source public network IP

If the public network IP is obtained dynamically and is not fixed, you can use MASQUERADE to perform dynamic SNAT. The following command changes the source IP of packets from the 10.1 network segment to the address available on the eth0 interface.
iptables -t nat -A POSTROUTING -s 10.1.0.0/16 -o eth0 -j MASQUERADE

  • DNAT related operations
    Configure DNAT to access services in the LAN through the public IP.
    Note: in theory, as long as the DNAT rule is configured, the DNAT effect is achieved without a corresponding SNAT rule.
    However, when testing DNAT you may find that a corresponding SNAT rule is also needed for DNAT to work normally. First try configuring only the DNAT rule; if DNAT does not work, add the corresponding SNAT rule. Only one SNAT rule is needed, while the DNAT rules must be configured individually according to the actual situation.
    iptables -t nat -I PREROUTING -d public IP -p tcp --dport public port -j DNAT --to-destination private IP:port number
    iptables -t nat -I PREROUTING -d public IP -p tcp --dport 8080 -j DNAT --to-destination 10.1.0.1:80
    iptables -t nat -A POSTROUTING -s 10.1.0.0/16 -j SNAT --to-source public network IP

The REDIRECT action can be used to map a destination port on the local machine.

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

After configuring the above rules, when other machines access port 80 of this machine, they will be mapped to port 8080.
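As an added example that is not part of the original post, the following hypothetical helper script gathers the SNAT and DNAT steps from sections 1, 2 and 5 into functions for host B. It assumes the interface names and addresses from the write-up (enp0s8 / 192.168.56.106 outside, enp0s9 facing 10.1.0.0/16 inside, C at 10.1.0.10) and adds a FORWARD-chain policy the post does not include, so that only the DNAT'd connection and LAN-initiated traffic are forwarded through B; set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Hypothetical helper for host B (added example, not the post's own commands). Values are
# the write-up's: enp0s8 = 192.168.56.106 outside, enp0s9 faces 10.1.0.0/16, and web
# server C (10.1.0.10:80) is published on B's port 801. Set IPT=echo for a dry run.
set -eu
IPT="${IPT:-iptables}"
FWD_FILE="${FWD_FILE:-/proc/sys/net/ipv4/ip_forward}"
EXT_IF="${EXT_IF:-enp0s8}"; EXT_IP="${EXT_IP:-192.168.56.106}"
LAN_IF="${LAN_IF:-enp0s9}"; LAN_NET="${LAN_NET:-10.1.0.0/16}"
WEB_HOST="${WEB_HOST:-10.1.0.10}"

# NAT rules are silently useless while ip_forward is 0 (summary, step 1).
forwarding_enabled() {
    [ "$(cat "$FWD_FILE" 2>/dev/null || echo 0)" = "1" ]
}

# Clear only the chains this lab writes to, like the 'iptables -F FORWARD' step above.
reset_lab_rules() {
    "$IPT" -t nat -F POSTROUTING
    "$IPT" -t nat -F PREROUTING
    "$IPT" -F FORWARD
}

# SNAT section: hide the LAN behind B's external address. Tying the rule to -o EXT_IF
# keeps it from rewriting LAN-to-LAN traffic that merely transits B.
add_snat() {
    "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$EXT_IF" -j SNAT --to-source "$EXT_IP"
}

# DNAT section: publish WEB_HOST:priv_port as EXT_IP:pub_port. The DNAT rule by itself
# does not limit what else B forwards, so FORWARD is closed by default and only the
# translated flow (conntrack state DNAT) plus reply traffic is accepted.
add_dnat() {
    pub_port="$1"; priv_port="$2"
    "$IPT" -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport "$pub_port" \
        -j DNAT --to-destination "$WEB_HOST:$priv_port"
    "$IPT" -A FORWARD -i "$EXT_IF" -d "$WEB_HOST" -p tcp --dport "$priv_port" \
        -m conntrack --ctstate DNAT -j ACCEPT
}

apply_lab_rules() {
    forwarding_enabled || { echo "ip_forward is 0: enable it first" >&2; return 1; }
    reset_lab_rules
    "$IPT" -P FORWARD DROP
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$EXT_IF" -j ACCEPT   # LAN -> outside
    add_snat
    add_dnat 801 80
}
```

Run `apply_lab_rules` as root on B after sourcing the script; with `IPT=echo` it only lists the rules it would add, which is a convenient way to review them before they touch the nat table.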