DNS and the Linux Firewall

1. Describe how a DNS server works, and build a master/slave pair.

DNS (Domain Name System) usually refers to the name-resolution service on the Internet: it converts a host name such as www.magedu.org into the corresponding IP address and back. Forward resolution turns a name into an IP address; reverse resolution turns an IP address into a name. In practice almost everything relies on forward resolution. One IP address can also answer for several names: the additional names are stored as aliases (CNAME records) that point at the canonical host name.
1: Hosts needed for the master/slave setup:
	Four machines:
		DNS master: 10.0.0.8
		DNS slave: 10.0.0.28
		Web server: 10.0.0.38
		DNS client: 10.0.0.48
2: Preparation
	Disable SELinux
	Disable the firewall
	Synchronise the clocks
	(the first two are lab shortcuts only; on a real server keep both enabled and open just port 53 UDP/TCP, which also covers the TCP zone transfers from the slave)
3: Build the DNS master
[16:21:08 root@CentOS8 ~]\ [#hostnamectl set-hostname master
[16:25:08 root@master ~]\ [#yum -y install bind
[16:28:02 root@master ~]\ [#cat /etc/named.conf 
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
//	listen-on port 53 { 127.0.0.1; };  ## comment out: listen on every interface, not only loopback
	listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	secroots-file	"/var/named/data/named.secroots";
	recursing-file	"/var/named/data/named.recursing";
//	allow-query     { localhost; };   ## comment out: answer queries from any client
	allow-transfer { 10.0.0.28;};     ## allow zone transfers (AXFR) only to the slave; BIND 9.11 as shipped allows transfers to anyone, so without this line any host could dump the whole zone
	......
[16:30:50 root@master ~]\ [#cat /etc/named.rfc1912.zones 
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package 
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and https://tools.ietf.org/html/rfc6303
// (c)2007 R W Franks
// 
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Note: empty-zones-enable yes; option is default.
// If private ranges should be forwarded, add 
// disable-empty-zone "."; into options
// 
zone "magedu.org" IN {               ## add this block
	type master;                    ## this server holds the authoritative copy
	file "magedu.org.zone";         ## relative to the "directory" option, i.e. /var/named/magedu.org.zone
};                                  ## end of the added block

zone "localhost.localdomain" IN {
	type master;
	file "named.localhost";
	allow-update { none; };
	......
[16:30:57 root@master ~]\ [#cp -p /var/named/named.localhost  /var/named/magedu.org.zone
[16:35:33 root@master ~]\ [#cat  /var/named/magedu.org.zone
$TTL 1D
@	IN SOA	master  admin.magedu.org. (   ; MNAME = primary server, RNAME = admin mailbox (first dot stands for @)
					1	; serial  - must increase on every change, otherwise the slave never re-transfers
					1D	; refresh
					1H	; retry
					1W	; expire
					3H )	; minimum
	NS	master
	NS	slave
master  A       10.0.0.8
slave	A	    10.0.0.28
www     A       10.0.0.38        ; the web server; this is the record the client test below resolves
[16:41:56 root@master ~]\ [#named-checkconf
[16:41:58 root@master ~]\ [#systemctl start named
4: Build the DNS slave
[16:57:03 root@CentOS8 ~]\ [#hostnamectl set-hostname slave
[16:58:21 root@CentOS8 ~]\ [#yum install bind -y
[17:00:05 root@CentOS8 ~]\ [#cat /etc/named.conf 
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
//	listen-on port 53 { 127.0.0.1; };    ## comment out this line
	listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	secroots-file	"/var/named/data/named.secroots";
	recursing-file	"/var/named/data/named.recursing";
//	allow-query     { localhost; };      ## comment out this line
	allow-transfer { none; };            ## add: the slave answers queries but must not hand the zone to anyone else
	/* 
......
[17:02:44 root@CentOS8 ~]\ [#cat  /etc/named.rfc1912.zones 
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package 
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and https://tools.ietf.org/html/rfc6303
// (c)2007 R W Franks
// 
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Note: empty-zones-enable yes; option is default.
// If private ranges should be forwarded, add 
// disable-empty-zone "."; into options
// 
zone "magedu.org" {               ## add this block
	type slave;                   ## secondary: pulls the zone from the master
	masters { 10.0.0.8; };        ## only accept the zone from this address (in production, additionally sign transfers with TSIG)
	
	file "slaves/magedu.org.slave"; ## /var/named/slaves is writable by the named user; /var/named itself is not
};                                ## end of the added block
zone "localhost.localdomain" IN {
	type master;
	file "named.localhost";
	allow-update { none; };
};
Then, as on the master, run named-checkconf and start named; after the first transfer the copy of the zone appears as /var/named/slaves/magedu.org.slave.
5: Web server setup
[root@CentOS8 ~]\ [#hostnamectl set-hostname web_service
[root@CentOS8 ~]\ [#yum install httpd
[root@CentOS8 ~]\ [#echo www.magedu.org > /var/www/html/index.html
[root@CentOS8 ~]\ [#systemctl start httpd

6: Test the master from the client
[18:42:11 root@CentOS8 ~]\ [#cat /etc/sysconfig/network-scripts/ifcfg-ens33
DEVICE=ens33
NAME=ens33
BOOTPROTO=static
IPADDR=10.0.0.48
PREFIX=24
GATEWAY=10.0.0.2
DNS1=10.0.0.8
DNS2=10.0.0.28
ONBOOT=yes
[18:43:52 root@CentOS8 ~]\ [#nmcli con reload
[18:44:06 root@CentOS8 ~]\ [#nmcli con up ens33
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6)
[18:44:11 root@CentOS8 ~]\ [#cat /etc/resolv.conf
# Generated by NetworkManager
search localdomain
nameserver 10.0.0.8
nameserver 10.0.0.28
[18:44:17 root@CentOS8 ~]\ [#dig www.magedu.org

; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8 <<>> www.magedu.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13298
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: d867874fa6be0400459d70116134add567502c8d437f56d3 (good)
;; QUESTION SECTION:
;www.magedu.org.			IN	A

;; ANSWER SECTION:
www.magedu.org.		86400	IN	A	10.0.0.38

;; AUTHORITY SECTION:
magedu.org.		86400	IN	NS	slave.magedu.org.
magedu.org.		86400	IN	NS	master.magedu.org.

;; ADDITIONAL SECTION:
master.magedu.org.	86400	IN	A	10.0.0.8
slave.magedu.org.	86400	IN	A	10.0.0.28

;; Query time: 1 msec
;; SERVER: 10.0.0.8#53(10.0.0.8)
;; WHEN: Sun Sep 05 18:45:25 WIB 2021
;; MSG SIZE  rcvd: 160
7: Stop named on the master and verify again
[18:40:27 root@master ~]\ [#systemctl stop named
[18:45:25 root@CentOS8 ~]\ [#dig www.magedu.org

; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8 <<>> www.magedu.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20265
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 183e5712db8b3e8a262e5d446134ae22d8850505e77c4e05 (good)
;; QUESTION SECTION:
;www.magedu.org.			IN	A

;; ANSWER SECTION:
www.magedu.org.		86400	IN	A	10.0.0.38

;; AUTHORITY SECTION:
magedu.org.		86400	IN	NS	slave.magedu.org.
magedu.org.		86400	IN	NS	master.magedu.org.

;; ADDITIONAL SECTION:
master.magedu.org.	86400	IN	A	10.0.0.8
slave.magedu.org.	86400	IN	A	10.0.0.28

;; Query time: 1 msec
;; SERVER: 10.0.0.28#53(10.0.0.28)
;; WHEN: Sun Sep 05 18:46:42 WIB 2021
;; MSG SIZE  rcvd: 160
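The resolver failed over to 10.0.0.28 and the slave answered authoritatively (aa flag) from its transferred copy. One step the exercise skips is what happens after the zone changes: the slave only pulls a new copy when the master's SOA serial goes up, and the master's allow-transfer line is the only thing that stops any host from dumping the whole zone. The script below is an added example, not from the original post: it bumps the serial, validates and reloads the zone on the master, compares the serial on both servers, and checks which hosts may AXFR. It assumes bind-utils (dig, named-checkzone, rndc) and the file layout used above; ZONE, ZONEFILE, MASTER and SLAVE are its own variables, not anything from the page.

```bash
#!/bin/bash
# Added example, not part of the original post: the master-side workflow for
# changing the magedu.org zone once the master/slave pair above is running.
# The slave only re-transfers the zone when the master's SOA serial is higher
# than the serial of the copy it holds, so every edit must bump the serial;
# forgetting this is the usual reason a slave "never updates".
# Assumptions: bind and bind-utils are installed (named-checkzone, rndc, dig),
# and the zone file layout is the one shown above (/var/named/magedu.org.zone,
# serial on a line ending in "; serial").

ZONE="${ZONE:-magedu.org}"
ZONEFILE="${ZONEFILE:-/var/named/magedu.org.zone}"
MASTER="${MASTER:-10.0.0.8}"
SLAVE="${SLAVE:-10.0.0.28}"

# Print the SOA serial: the first field of the line commented "; serial".
zone_serial() {
    awk '/;[[:space:]]*serial/ { print $1; exit }' "$1"
}

# Replace the serial with serial+1, leaving every other byte of the file alone.
# Prints the new serial. (A YYYYMMDDnn serial is bumped the same way.)
bump_serial() {
    file="$1"
    old=$(zone_serial "$file")
    if [ -z "$old" ]; then
        echo "no '; serial' line found in $file" >&2
        return 1
    fi
    new=$((old + 1))
    sed -E "s/^([[:space:]]*)${old}([[:space:]]*;[[:space:]]*serial)/\1${new}\2/" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file" || return 1
    echo "$new"
}

# Syntax-check the zone, reload it on the master and confirm the slave caught up
# (named sends NOTIFY on reload, so the slave normally transfers within seconds).
publish_zone() {
    named-checkzone "$ZONE" "$ZONEFILE" || return 1
    rndc reload "$ZONE" || return 1
    sleep 3
    m=$(dig +short @"$MASTER" "$ZONE" SOA | awk '{ print $3 }')
    s=$(dig +short @"$SLAVE"  "$ZONE" SOA | awk '{ print $3 }')
    echo "master serial=$m slave serial=$s"
    [ -n "$m" ] && [ "$m" = "$s" ]
}

# True if <server> hands the whole zone to this host. Run from the slave it must
# succeed against the master; run from any other host it must fail, which is
# exactly what "allow-transfer { 10.0.0.28; }" on the master enforces.
axfr_allowed() {
    dig @"$1" "$ZONE" AXFR 2>/dev/null | grep -q '^;; XFR size'
}

# Typical use on the master after editing the zone file:
#   bump_serial "$ZONEFILE" && publish_zone
#   axfr_allowed "$MASTER" && echo "this host can pull the zone"
```

Run bump_serial "$ZONEFILE" && publish_zone on the master after each edit; run axfr_allowed 10.0.0.8 from the slave (must succeed) and from the client 10.0.0.48 (must fail) to confirm that allow-transfer does its job.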

2. Build and implement a split-horizon ("smart") DNS.

1: Environment
	Five machines:
		DNS master (also web server 1): 10.0.0.8/24 and 172.16.0.8/24
		Web server 2: 10.0.0.18/24
		Web server 3: 172.16.0.7/24
		DNS client 1: 10.0.0.38/24
		DNS client 2: 172.16.0.6/24
2: Disable SELinux and the firewall, synchronise the clocks (lab shortcuts, as in exercise 1)
3: DNS server network interfaces (one address in each client network)
[21:03:45 root@DNS_master_server ~]\ [#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:dc:b4:a9 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.8/24 brd 10.0.0.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fedc:b4a9/64 scope link 
       valid_lft forever preferred_lft forever
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:55:8f:b2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global noprefixroute virbr0
       valid_lft forever preferred_lft forever
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:55:8f:b2 brd ff:ff:ff:ff:ff:ff
5: ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:dc:b4:b3 brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.8/24 brd 172.16.0.255 scope global ens37
       valid_lft forever preferred_lft forever
4: Master DNS server configuration
[21:03:50 root@DNS_master_server ~]\ [#yum install bind -y
[21:18:57 root@DNS_master_server ~]\ [#cat /etc/named.conf 
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
acl beijingnet {                    ## client networks; a view's match-clients is checked against the query's source address
	10.0.0.0/24;
};
acl shanghainet {
	172.16.0.0/24;
};
acl othernet {                      ## catch-all for every other client
	any;
};
options {
//	listen-on port 53 { 127.0.0.1; };
	listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	secroots-file	"/var/named/data/named.secroots";
	recursing-file	"/var/named/data/named.recursing";
//	allow-query     { localhost; };      ## commented out: answer queries from any client

	/* 
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
	   recursion. 
	 - If your recursive DNS server has a public IP address, you MUST enable access 
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification 
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface 
	*/
	recursion yes;                       ## package default. Together with the open allow-query this makes an Internet-reachable host an open resolver;
	                                     ## an authoritative-only server should use "recursion no;", or at least allow-recursion { beijingnet; shanghainet; };

	dnssec-enable yes;
	dnssec-validation yes;

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";

	/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
	include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

// zone "." IN {                      ## removed: once a view statement exists, every zone (the root hint included)
//	type hint;                       ## must live inside a view, otherwise named-checkconf rejects named.conf;
//	file "named.ca";                 ## each per-view include file below carries its own root hint
// };
view beijingview {                    ## views are tried in order and the first match-clients hit wins
	match-clients { beijingnet;};
	include "/etc/named.rfc1912.zones.bj";
};
view shanghaiview {
        match-clients { shanghainet;};
	include "/etc/named.rfc1912.zones.sh";
};
view otherview {                      ## catch-all, so it has to be last
        match-clients { othernet;};
	include "/etc/named.rfc1912.zones.other";
};
// include "/etc/named.rfc1912.zones";  ## removed for the same reason: its zones would sit outside any view
include "/etc/named.root.key";
5: Per-view zone configuration files
[21:23:56 root@DNS_master_server ~]\ [#cat /etc/named.rfc1912.zones.bj
zone "." IN {
	type hint;
	file "named.ca";
};
zone "magedu.org" {
	type master;
	file "magedu.org.zone.bj";
};
[21:24:06 root@DNS_master_server ~]\ [#cat /etc/named.rfc1912.zones.sh
zone "." IN {
	type hint;
	file "named.ca";
};
zone "magedu.org" {
	type master;
	file "magedu.org.zone.sh";
};
[21:24:10 root@DNS_master_server ~]\ [#cat /etc/named.rfc1912.zones.other
zone "." IN {
	type hint;
	file "named.ca";
};
zone "magedu.org" {
	type master;
	file "magedu.org.zone.other";
};
[21:24:13 root@DNS_master_server ~]\ [#chgrp named /etc/named.rfc1912.zones.bj
[21:24:24 root@DNS_master_server ~]\ [#chgrp named /etc/named.rfc1912.zones.sh
[21:24:26 root@DNS_master_server ~]\ [#chgrp named /etc/named.rfc1912.zones.other
6: Create the zone data files (one per view: same names, different answers)
[21:39:58 root@DNS_master_server ~]\ [#cat /var/named/magedu.org.zone.bj
$TTL 3H
@	IN SOA	master admin.magedu.org. (   ; MNAME (master) then RNAME; without MNAME named-checkzone rejects the file
					1	; serial
					1D	; refresh
					1H	; retry
					1W	; expire
					3H )	; minimum
		NS	master
master	A	10.0.0.8
websrv  A       10.0.0.18
www    CNAME    websrv

[21:40:06 root@DNS_master_server ~]\ [#cat /var/named/magedu.org.zone.sh
$TTL 3H
@	IN SOA	master admin.magedu.org. (
					1	; serial
					1D	; refresh
					1H	; retry
					1W	; expire
					3H )	; minimum
	NS	master
master	A      10.0.0.8
websrv  A      172.16.0.7
www     CNAME  websrv
[21:40:09 root@DNS_master_server ~]\ [#cat /var/named/magedu.org.zone.other
$TTL 3H
@	IN SOA	master admin.magedu.org. (
					1	; serial
					1D	; refresh
					1H	; retry
					1W	; expire
					3H )	; minimum
	NS	master
master	A	10.0.0.8
websrv  A       127.0.0.1        ; any other client (e.g. the DNS host itself querying via 127.0.0.1) is sent to loopback, which is why the DNS host also runs httpd below
www     CNAME   websrv

[21:40:12 root@DNS_master_server ~]\ [#chgrp named /var/named/magedu.org.zone.bj
[21:41:12 root@DNS_master_server ~]\ [#chgrp named /var/named/magedu.org.zone.sh
[21:41:15 root@DNS_master_server ~]\ [#chgrp named /var/named/magedu.org.zone.other
7: Verify that clients in different networks reach different servers
Install httpd on all three hosts
[21:41:18 root@DNS_master_server ~]\ [#yum -y install httpd
[21:41:28 root@web1 ~]\ [#yum -y install httpd
[21:41:44 root@web2 ~]\ [#yum -y install httpd
[21:42:52 root@DNS_master_server ~]\ [#echo www.magedu.org in other > /var/www/html/index.html
[21:44:37 root@web1 ~]\ [#echo www.magedu.org in beijing > /var/www/html/index.html
[21:45:22 root@web2 ~]\ [#echo www.magedu.org in shanghai > /var/www/html/index.html
Then start httpd on all three hosts. Each server must serve a different page, otherwise the test proves nothing (web1 is taken to be 10.0.0.18 and web2 172.16.0.7, the hosts the environment list calls web servers 2 and 3). From client 1 (10.0.0.38) "curl www.magedu.org" should return the beijing page, from client 2 (172.16.0.6) the shanghai page, and from the DNS host itself the "other" page.
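The page does not show the actual test of the three views, so here is one, added by the editor rather than taken from the original. Run on the DNS host, which has an address in both networks, it uses dig -b to choose the query's source address and therefore the view that answers, and compares the result with the address each zone file above carries for websrv. resolve_from, check_view and verify_views are names invented for this script.

```bash
#!/bin/bash
# Added example, not part of the original post: checks that each view of the
# split-horizon server above answers with the address meant for that client
# network. Run it on the DNS host: it owns 10.0.0.8 and 172.16.0.8, so
# "dig -b <addr>" chooses the query's source address and therefore the view
# that match-clients selects; a query from 127.0.0.1 matches neither acl and
# falls through to otherview. Expected answers are taken from the zone files
# above (websrv = 10.0.0.18 / 172.16.0.7 / 127.0.0.1).

NAME="${NAME:-www.magedu.org}"

# resolve_from <server> <source-addr>: final A record for NAME as seen from
# that source address. www is a CNAME, so +short prints the target name first
# and the address last; keep the last line.
resolve_from() {
    dig +short +time=2 +tries=1 -b "$2" @"$1" "$NAME" A | tail -n 1
}

# check_view <server> <source-addr> <expected>: 0 on match, 1 otherwise.
check_view() {
    got=$(resolve_from "$1" "$2")
    if [ "$got" = "$3" ]; then
        echo "ok   src=$2 -> $got"
    else
        echo "FAIL src=$2 -> '${got:-no answer}' (expected $3)" >&2
        return 1
    fi
}

# One case per view; returns 1 if any view answered with the wrong address.
# Querying the address the client sits on keeps source and server in the same
# network, exactly as a real client in that network would.
verify_views() {
    rc=0
    check_view 10.0.0.8   10.0.0.8   10.0.0.18  || rc=1   # beijingview
    check_view 172.16.0.8 172.16.0.8 172.16.0.7 || rc=1   # shanghaiview
    check_view 127.0.0.1  127.0.0.1  127.0.0.1  || rc=1   # otherview (catch-all)
    return "$rc"
}

# verify_views    # uncomment (or source this file and call it) on the DNS host
```

If a case fails, the usual causes are the view order in named.conf (the catch-all must be last) and a client whose source address is not the one you expect, for example a host with two interfaces that routes the query out of the "wrong" one.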

3. Using iptables, allow ssh, telnet, ftp and the web service on port 80, and reject every other port.

[19:23:46 root@test1 ~]\ [#iptables -I INPUT -p tcp -m multiport --dports 21,22,23,80 -j ACCEPT
[19:24:42 root@test1 ~]\ [#iptables -A INPUT -j REJECT
[19:24:47 root@test1 ~]\ [#iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  135 10024 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 21,22,23,80
 2245   11M LIBVIRT_INP  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
......
The two rules satisfy the exercise, but three things matter before using them on a real host: the REJECT was appended after libvirt's LIBVIRT_INP jump, so the final order depends on what was already in the chain; nothing accepts loopback traffic or replies to the host's own outbound connections (DNS answers, yum downloads), because no ESTABLISHED,RELATED rule precedes the REJECT; and passive-mode FTP data connections arrive on random ports, so they only pass once nf_conntrack_ftp is loaded and RELATED traffic is accepted. Telnet and FTP also carry credentials in clear text; the exercise is about rule syntax, not a recommendation to expose them.
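The hardened form of this rule set, as an added example (not from the original post): the same four ports, but with loopback, established/related traffic and the FTP helper handled, and the REJECT guaranteed to be last. apply_input_policy, run, IPT and SERVICE_PORTS are names chosen for this script; DRY_RUN=1 prints the rules instead of loading them, which is also the way to preview a change before locking yourself out of ssh.

```bash
#!/bin/bash
# Added example, not part of the original post: the policy from the two
# commands above as a repeatable script that also closes the gaps a bare
# "accept 21,22,23,80 then REJECT" leaves: loopback, replies to the host's own
# outbound connections, and passive-mode FTP data connections (random ports,
# recognised as RELATED only once nf_conntrack_ftp is loaded).
# Assumptions: iptables with the conntrack and multiport matches (any CentOS
# 7/8 iptables). DRY_RUN=1 prints the commands instead of applying them; IPT
# lets you point at iptables-legacy or ip6tables.

IPT="${IPT:-iptables}"
SERVICE_PORTS="${SERVICE_PORTS:-21,22,23,80}"   # ftp, ssh, telnet, http

# Run an iptables command, or just print it in dry-run mode.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Rebuild INPUT from scratch. Rules are evaluated top to bottom, so every
# ACCEPT must sit above the final REJECT; "-A" keeps the order written here.
# Note: "-F INPUT" also drops libvirt's LIBVIRT_INP jump seen in the listing
# above; on a virtualisation host re-add it or skip the flush.
apply_input_policy() {
    if [ "${DRY_RUN:-0}" != 1 ]; then
        modprobe nf_conntrack_ftp 2>/dev/null || true   # FTP data channel -> RELATED
    fi
    run -F INPUT
    run -A INPUT -i lo -j ACCEPT                                        # local services
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT   # replies, FTP data
    run -A INPUT -m conntrack --ctstate INVALID -j DROP                 # malformed / out-of-state
    run -A INPUT -p tcp -m multiport --dports "$SERVICE_PORTS" -m conntrack --ctstate NEW -j ACCEPT
    run -A INPUT -p icmp --icmp-type echo-request -j ACCEPT             # keep ping usable
    run -A INPUT -j REJECT --reject-with icmp-port-unreachable          # everything else, last
}

# apply_input_policy              # apply on the host (as root)
# DRY_RUN=1 apply_input_policy    # preview the rule set first
```

Because the ESTABLISHED,RELATED rule is installed before the REJECT, the ssh session you run this from survives the flush; verify with iptables -vnL INPUT and watch the pkts counters on the multiport line move when you connect to one of the four ports.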

4. How NAT works (summary)

NAT lets the hosts inside a LAN use private addresses; when an internal node talks to the outside world, the gateway swaps the internal address for a public one, so the traffic can be routed on the public Internet and the replies find their way back.
Technically NAT rewrites the source IP (SNAT, for traffic leaving the LAN) or the destination IP (DNAT, to publish an internal service) in the IP header; its main job is turning the RFC 1918 private ranges into publicly routable addresses. For the few protocols that carry addresses inside the payload (FTP and DNS are the usual examples) a protocol helper, such as the nf_nat_ftp module on Linux, also rewrites those embedded addresses. The translation state is kept per connection in the conntrack table, which is what maps each reply back to the right internal host.

5. Implement SNAT and DNAT with iptables, and persist the rules.

Firewall (gateway): 10.0.0.8/24 (outside) and 192.168.100.8/24 (inside)
Internet host: 10.0.0.6
LAN host: 192.168.100.7
SNAT:
[root@internet-host ~]#hostname -I
10.0.0.6 
[root@internet-host ~]#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref   Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     1      0        0 eth0
# enable IP forwarding on the firewall (sysctl.conf makes it persistent)
[root@firewall-host ~]#vim /etc/sysctl.conf 
net.ipv4.ip_forward=1
[root@firewall-host ~]#sysctl -p
[root@firewall-host ~]#hostname -I
10.0.0.8 192.168.100.8 
[root@firewall-host ~]#sysctl -a |grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1
[root@lan-host ~]#hostname -I
192.168.100.7 
[root@lan-host ~]#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref   Use Iface
0.0.0.0         192.168.100.8   0.0.0.0         UG    100    0        0 eth0
192.168.100.0   0.0.0.0         255.255.255.0   U     100    0        0 eth0
[root@firewall-host ~]#iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -j SNAT --to-source 10.0.0.8
[root@firewall-host ~]#iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       192.168.100.0/24     0.0.0.0/0            to:10.0.0.8

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@lan-host ~]#curl 10.0.0.6
internet Server
[root@internet-host ~]#curl 192.168.100.7
curl: (7) Failed to connect to 192.168.100.7: Network is unreachable
[root@internet-host ~]#tail /var/log/httpd/access_log 
10.0.0.8 - - [21/Mar/2020:16:31:35 +0800] "GET / HTTP/1.1" 200 16 "-" "curl/7.29.0"
The Internet host logs the firewall's address 10.0.0.8, not 192.168.100.7: the source was rewritten on the way out. In the other direction the Internet host has no route to the LAN at all, hence "Network is unreachable".
[root@lan-host ~]#ping 10.0.0.6
PING 10.0.0.6 (10.0.0.6) 56(84) bytes of data.
64 bytes from 10.0.0.6: icmp_seq=1 ttl=63 time=0.989 ms
64 bytes from 10.0.0.6: icmp_seq=2 ttl=63 time=0.544 ms
[root@internet-host ~]#tcpdump -i eth0 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:34:30.171222 IP 10.0.0.8 > 10.0.0.6: ICMP echo request, id 24718, seq 120, length 64
16:34:30.171255 IP 10.0.0.6 > 10.0.0.8: ICMP echo reply, id 24718, seq 120, length 64
[root@firewall-host ~]#iptables -t nat -R POSTROUTING 1 -s 192.168.100.0/24 -j MASQUERADE
MASQUERADE takes the current address of the outgoing interface for every packet, so it is the right choice when the outside address is assigned dynamically; with a static outside address SNAT --to-source is cheaper and lets you pick the address explicitly.
[root@firewall-host ~]#iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  *      *       192.168.100.0/24     0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@firewall-host ~]#cat /proc/net/nf_conntrack
ipv4     2 tcp      6 32 TIME_WAIT src=192.168.100.7 dst=10.0.0.6 sport=39430 dport=80 src=10.0.0.6 dst=10.0.0.8 sport=80 dport=39430 [ASSURED] mark=0 zone=0 use=2
Each conntrack entry holds two tuples: the original direction as the LAN host sent it (192.168.100.7 -> 10.0.0.6) and the reply direction as it appears on the wire (10.0.0.6 -> 10.0.0.8). This entry is what lets the kernel map the reply back to 192.168.100.7.
DNAT:
[root@firewall-host ~]#iptables -t nat -A PREROUTING -d 10.0.0.8 -p tcp --dport 80 -j DNAT --to-destination 192.168.100.7
[root@firewall-host ~]#iptables -t nat -vnL PREROUTING
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.0.0.8             tcp dpt:80 to:192.168.100.7
[root@firewall-host ~]#ss -ntl
State       Recv-Q       Send-Q       Local Address:Port       Peer Address:Port
LISTEN      0            128                0.0.0.0:22              0.0.0.0:*
LISTEN      0            128                   [::]:22                 [::]:*
[root@internet-host ~]#curl 10.0.0.8
lan server
[root@internet-host ~]#telnet 10.0.0.8
Trying 10.0.0.8...
telnet: connect to address 10.0.0.8: Connection refused
Port 80 on 10.0.0.8 reaches the LAN web server through the DNAT rule even though the firewall itself listens on nothing but 22 (see ss above); port 23 has no DNAT rule, so the firewall's own stack refuses it.
[root@lan-host ~]#tail -f /var/log/httpd/access_log 
10.0.0.6 - - [21/Mar/2020:17:32:37 +0800] "GET / HTTP/1.1" 200 11 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
[root@firewall-host ~]#tail -f /proc/net/nf_conntrack
ipv4     2 tcp      6 81 TIME_WAIT src=10.0.0.6 dst=10.0.0.8 sport=59426 dport=80 src=192.168.100.7 dst=10.0.0.6 sport=80 dport=59426 [ASSURED] mark=0 zone=0 use=2
[root@lan-host ~]#vim /etc/httpd/conf/httpd.conf 
Listen 8000                  # was "Listen 80"; the DNAT rule now has to translate the port as well
[root@lan-host ~]#systemctl restart httpd
[root@lan-host ~]#ss -ntl
State      Recv-Q Send-Q   Local Address:Port   Peer Address:Port
LISTEN     0      100          127.0.0.1:25                 *:*
LISTEN     0      128                  *:22                 *:*
LISTEN     0      128               [::]:23              [::]:*
LISTEN     0      100              [::1]:25              [::]:*
LISTEN     0      128               [::]:8000            [::]:*
LISTEN     0      128               [::]:22              [::]:*
[root@firewall-host ~]#iptables -t nat -R PREROUTING 1 -d 10.0.0.8 -p tcp --dport 80 -j DNAT --to-destination 192.168.100.7:8000
[root@firewall-host ~]#iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.0.0.8             tcp dpt:80 to:192.168.100.7:8000

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   11   816 MASQUERADE all  --  *      *       192.168.100.0/24     0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
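The exercise asks for the rules to be persisted, which the commands above never do, and it leaves the FORWARD chain at policy ACCEPT, so anything routed through the firewall passes. The following script is an added example, not part of the original post: it enables forwarding permanently, installs the SNAT and DNAT rules (with the port remap), restricts FORWARD to the two flows this lab actually needs, and saves everything with iptables-save. The interface name eth0, the file /etc/sysctl.d/90-nat.conf and the variable names are assumptions made for this script; /etc/sysconfig/iptables is where the CentOS iptables-services package reloads rules from at boot.

```bash
#!/bin/bash
# Added example, not part of the original post: the SNAT and DNAT rules above
# as one script that also (a) locks down FORWARD, which the page leaves at
# policy ACCEPT, and (b) persists forwarding and the rules across reboots,
# which the exercise asks for but the commands above never do.
# Assumed topology from the page: outside NIC eth0 with 10.0.0.8, LAN
# 192.168.100.0/24 behind 192.168.100.8, LAN web server 192.168.100.7:8000.
# Assumed tooling: CentOS iptables-services (rules in /etc/sysconfig/iptables;
# "yum install iptables-services" with firewalld disabled). DRY_RUN=1 prints
# the commands instead of applying them.

IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth0}"                    # assumption: name of the outside NIC
EXT_IP="${EXT_IP:-10.0.0.8}"
LAN_NET="${LAN_NET:-192.168.100.0/24}"
LAN_WEB="${LAN_WEB:-192.168.100.7}"
LAN_WEB_PORT="${LAN_WEB_PORT:-8000}"

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

# Without forwarding neither NAT direction works; sysctl.d makes it survive reboots.
enable_forwarding() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "sysctl -w net.ipv4.ip_forward=1"
    else
        sysctl -w net.ipv4.ip_forward=1 \
            && echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/90-nat.conf
    fi
}

apply_nat() {
    run -t nat -F POSTROUTING
    run -t nat -F PREROUTING
    # SNAT to a fixed address when the outside IP is static: one rewrite, no
    # per-packet interface lookup. MASQUERADE (which the page switches to) is
    # for dynamically assigned outside addresses. "-o eth0" keeps traffic that
    # merely routes through the box between inside networks from being rewritten.
    run -t nat -A POSTROUTING -s "$LAN_NET" -o "$EXT_IF" -j SNAT --to-source "$EXT_IP"
    # DNAT: publish the LAN web server on the firewall's port 80, mapped to 8000.
    run -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$LAN_WEB:$LAN_WEB_PORT"

    # FORWARD sees packets after DNAT, so the published service is matched on
    # its real LAN address and port. Everything not listed here is dropped.
    run -F FORWARD
    run -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -s "$LAN_NET" -o "$EXT_IF" -m conntrack --ctstate NEW -j ACCEPT
    run -A FORWARD -i "$EXT_IF" -d "$LAN_WEB" -p tcp --dport "$LAN_WEB_PORT" -m conntrack --ctstate NEW -j ACCEPT
    run -P FORWARD DROP
}

# iptables rules live only in the kernel; save them where the iptables service
# reloads them at boot.
save_rules() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables-save > /etc/sysconfig/iptables"
    else
        iptables-save > /etc/sysconfig/iptables && systemctl enable iptables
    fi
}

# enable_forwarding && apply_nat && save_rules    # run as root on the firewall
```

After a reboot, iptables -t nat -vnL and cat /proc/sys/net/ipv4/ip_forward should show the rules and the value 1 without any manual step; if they do not, the iptables service is not enabled or firewalld is still active and has taken the tables over.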
