1. Explain how DNS resolution works, and set up a master/slave (primary/secondary) server pair.
1) How DNS resolution works
Take a client that wants to reach www.qq.com:
step1: The user types www.qq.com into the browser's address bar. The operating system first checks the local hosts file for an IP mapping of that name; if one exists it is used directly and resolution is complete.
step2: If hosts has no entry, the local DNS cache (the stub resolver's cache) is checked; a hit is returned immediately and resolution is complete.
step3: If neither hosts nor the local cache has the name, the client sends the query to its configured (preferred) DNS server, the local recursive server. If the name falls inside a zone this server is configured to serve, it answers from its own zone data; that answer is authoritative (the aa flag is set in the reply).
step4: If the name is not in a zone the local server serves but the server has the record cached from an earlier lookup, it answers from cache; that answer is non-authoritative.
step5: If both zone data and cache miss, the local server starts iterating: it sends the query for www.qq.com to a root server (there are 13 root server names, a–m.root-servers.net, each anycast to many physical instances around the world). The root server cannot answer for www.qq.com, but it knows which servers are delegated the com zone, so it replies with a referral: the NS records for com plus glue A/AAAA records giving those name servers' addresses.
step6: The local server sends the same query to one of the com servers. That server cannot answer for www.qq.com either, but it holds the delegation for qq.com and replies with another referral, the NS records (plus glue) of the qq.com name servers.
step7: The local server sends the query to a qq.com name server. That server is authoritative for the zone, finds the A record for www.qq.com and returns it with the aa flag set.
step8: The local server caches the record for its TTL and returns the IP to the client, completing resolution. Until the TTL expires, every later query for that name, from any client of this server, is answered from cache as in step4.
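To make the eight steps concrete, here is a small iterative resolver written for this page (an added example, not code from the original post). It models three authoritative servers (root, com, qq.com) as in-memory dictionaries with made-up addresses from the RFC 5737 documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24; the referrals, the authoritative answer and the cache behave as steps 4 to 8 describe, but no packet is sent.

```python
"""Toy iterative resolver walking root -> com -> qq.com as in steps 5-8 above.
Added example for this page; the server addresses are made-up documentation
addresses (RFC 5737), not the real root/TLD servers."""
from dataclasses import dataclass, field


@dataclass
class AuthServer:
    """One authoritative server: the zones it serves and the delegations it knows."""
    name: str
    zones: dict        # zone apex -> {owner name: IPv4}, answered with aa=1
    delegations: dict  # child zone apex -> (NS name, glue A), returned as a referral


ROOT = AuthServer("root", {}, {"com.": ("a.gtld-servers.net.", "192.0.2.1")})
COM = AuthServer("com", {}, {"qq.com.": ("ns1.qq.com.", "198.51.100.1")})
QQ = AuthServer("qq.com", {"qq.com.": {"www.qq.com.": "203.0.113.10"}}, {})

SERVERS = {"192.0.2.254": ROOT, "192.0.2.1": COM, "198.51.100.1": QQ}
ROOT_HINT = "192.0.2.254"  # the only address a fresh resolver knows (its root hints)


def in_zone(qname, apex):
    return qname == apex or qname.endswith("." + apex)


def ask(server_ip, qname):
    """One query to one server. Returns ("answer", ip-or-None) when the server
    is authoritative for the name, ("referral", (zone, ns, glue)) when it can
    only delegate, or ("refused", None) when it knows nothing about the name."""
    srv = SERVERS[server_ip]
    for apex, records in srv.zones.items():
        if in_zone(qname, apex):
            return "answer", records.get(qname)   # None models NXDOMAIN
    candidates = [z for z in srv.delegations if in_zone(qname, z)]
    if not candidates:
        return "refused", None
    zone = max(candidates, key=len)               # most specific delegation wins
    return "referral", (zone, *srv.delegations[zone])


@dataclass
class Resolver:
    """The local (recursive) DNS server of steps 3-8."""
    cache: dict = field(default_factory=dict)  # qname -> ip; TTL handling omitted

    def resolve(self, qname):
        """Return (ip, trail): trail lists who answered, in order."""
        if qname in self.cache:                # step 4: cached, non-authoritative
            return self.cache[qname], ["cache"]
        server = ROOT_HINT                      # step 5: start at a root server
        trail = []
        for _ in range(8):                      # bound the walk; real resolvers cap referrals too
            kind, data = ask(server, qname)
            trail.append(SERVERS[server].name)
            if kind == "answer":                # step 7: authoritative answer (aa flag set)
                if data is not None:
                    self.cache[qname] = data    # step 8: cache, then reply to the client
                return data, trail
            if kind == "referral":              # steps 5-6: NS + glue for the child zone
                _zone, _ns_name, glue_ip = data
                server = glue_ip
                continue
            return None, trail                  # server knows nothing about the name: give up
        raise RuntimeError("too many referrals for " + qname)


if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("www.qq.com."))   # walks root -> com -> qq.com
    print(r.resolve("www.qq.com."))   # second lookup is served from cache
```

The trail returned by `resolve` is the part a real resolver hides from the client: the client only ever sees the final answer, which is why a poisoned cache entry on the local server (step 4) is invisible to everyone behind it.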
2) Set up a master and a slave DNS server
Lab environment:
HTTP server: www.magedu.org, 10.0.101.80/24 (co-located with the master DNS server)
Domain: magedu.org
Master DNS server IP: 10.0.101.80/24
Slave DNS server IP: 10.0.101.81/24
Client IP: 10.0.101.70/24
Set up the master DNS server
step1: install the web server package
[root@master-dns-ser named]# yum -y install httpd
[root@master-dns-ser named]# echo 'www.magedu.org' > /var/www/html/index.html
[root@master-dns-ser named]# systemctl enable --now httpd
step2: install the DNS package
[root@master-dns-ser ~]# yum -y install bind
step3: start the service
[root@master-dns-ser ~]# systemctl enable --now named
step4: edit the main configuration file
[root@master-dns-ser ~]# vim /etc/named.conf
# Inside options {}, comment out the following two lines. Without listen-on, named binds to every interface; without
# allow-query, BIND's default (answer queries from any host) applies. Recursion stays on, but only for the networks in
# allow-recursion, which defaults to localnets and localhost, so this does not become an open resolver for the Internet.
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
# Allow zone transfers (AXFR/IXFR) only to the slave. Without this line any host could pull the whole zone with
# dig axfr, which hands an attacker a complete inventory of the domain's hosts.
allow-transfer {10.0.101.81;};
step5: edit the zone configuration file
[root@master-dns-ser ~]# vim /etc/named.rfc1912.zones
# Append the following:
zone "magedu.org" IN {
type master;
file "magedu.org.zone";
};
step6: create the zone database file
[root@master-dns-ser ~]# cd /var/named/
[root@master-dns-ser named]# cp -a named.localhost magedu.org.zone
[root@master-dns-ser named]# ll magedu.org.zone # check ownership and mode: cp -a keeps root:named 0640, which named can read
-rw-r----- 1 root named 152 May 28 04:49 magedu.org.zone
[root@master-dns-ser named]# vim magedu.org.zone
$TTL 1D
@ IN SOA master admin (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
NS slave
master A 10.0.101.80
slave A 10.0.101.81
www A 10.0.101.80
step7: reload the configuration (named-checkconf and named-checkzone report syntax errors more clearly than the reload does, so run them first after editing)
[root@master-dns-ser named]# rndc reload
step8: test resolution from the client
# Install the resolution test tools (dig, host, nslookup) on the client
[root@dns-clients ~]# yum -y install bind-utils
# Point the client at the DNS server (cdnet is a local shell alias; the next prompt shows it changes into /etc/sysconfig/network-scripts)
[root@dns-clients ~]# cdnet
[root@dns-clients network-scripts]# vim ifcfg-eth0
DNS1=10.0.101.80
[root@dns-clients network-scripts]# cd
# Apply the change
[root@dns-clients ~]# nmcli conn reload
[root@dns-clients ~]# nmcli conn up eth0
[root@dns-clients ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search magedu.org
nameserver 10.0.101.80
# Resolve www.magedu.org with dig; the aa flag in the reply confirms the answer came from zone data, not from cache
[root@dns-clients ~]# dig www.magedu.org
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.7 <<>> www.magedu.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43331
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.magedu.org. IN A
;; ANSWER SECTION:
www.magedu.org. 86400 IN A 10.0.101.80
;; AUTHORITY SECTION:
magedu.org. 86400 IN NS slave.magedu.org.
magedu.org. 86400 IN NS master.magedu.org.
;; ADDITIONAL SECTION:
master.magedu.org. 86400 IN A 10.0.101.80
slave.magedu.org. 86400 IN A 10.0.101.81
;; Query time: 0 msec
;; SERVER: 10.0.101.80#53(10.0.101.80)
;; WHEN: Mon Nov 08 13:00:09 CST 2021
;; MSG SIZE rcvd: 132
[root@dns-clients ~]# ping www.magedu.org
PING www.magedu.org (10.0.101.80) 56(84) bytes of data.
64 bytes from 10.0.101.80 (10.0.101.80): icmp_seq=1 ttl=64 time=0.208 ms
^C
--- www.magedu.org ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.208/0.208/0.208/0.000 ms
[root@dns-clients ~]# curl www.magedu.org
www.magedu.org
Set up the slave DNS server
step1: install the DNS package
[root@slave-dns-ser ~]# yum -y install bind
step2: edit the main configuration file
[root@slave-dns-ser ~]# vim /etc/named.conf
# Inside options {}, comment out the following two lines (listen on all interfaces, answer any host):
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
# Refuse zone transfers from every host: the slave only pulls from the master and never hands the zone out itself
allow-transfer {none;};
step3: edit the zone configuration file
[root@slave-dns-ser ~]# vim /etc/named.rfc1912.zones
# Append the following:
zone "magedu.org" IN {
type slave;
masters {10.0.101.80;};
file "slaves/magedu.org.slave";
};
step4: start the service
[root@slave-dns-ser ~]# systemctl enable --now named
# On start the slave transfers the zone and writes its copy under /var/named/slaves/, a directory owned by named.
# Later changes on the master reach it through NOTIFY (sent by default to every NS listed in the zone) or, at the latest,
# after the SOA refresh interval, and only when the master's serial is higher than the slave's.
[root@slave-dns-ser ~]# ll /var/named/slaves/
total 4
-rw-r--r-- 1 named named 308 Nov 8 13:10 magedu.org.slave
step5: test resolution from the client
# Add the slave as the second resolver
[root@dns-clients ~]# sed -i '$aDNS2=10.0.101.81' /etc/sysconfig/network-scripts/ifcfg-eth0
[root@dns-clients ~]# nmcli connection reload
[root@dns-clients ~]# nmcli conn up eth0
[root@dns-clients ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search magedu.org
nameserver 10.0.101.80
nameserver 10.0.101.81
# Query the slave directly; it answers with aa set because it holds a complete copy of the zone
[root@dns-clients ~]# dig www.magedu.org @10.0.101.81
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.7 <<>> www.magedu.org @10.0.101.81
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16926
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.magedu.org. IN A
;; ANSWER SECTION:
www.magedu.org. 86400 IN A 10.0.101.80
;; AUTHORITY SECTION:
magedu.org. 86400 IN NS master.magedu.org.
magedu.org. 86400 IN NS slave.magedu.org.
;; ADDITIONAL SECTION:
master.magedu.org. 86400 IN A 10.0.101.80
slave.magedu.org. 86400 IN A 10.0.101.81
;; Query time: 1 msec
;; SERVER: 10.0.101.81#53(10.0.101.81)
;; WHEN: Mon Nov 08 13:18:14 CST 2021
;; MSG SIZE rcvd: 132
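What decides whether the slave actually picks up a change is the SOA serial, and the comparison is not plain integer ordering but RFC 1982 serial-number arithmetic. The following is an added example (not the page's code) that implements that comparison, the slave's refresh decision and the zone's SOA timers, plus the date-based YYYYMMDDnn serial convention that section 2's zone files use. The serial values and timer constants are the ones from the zone file above.

```python
"""SOA serial handling behind master -> slave zone replication (RFC 1982 serial
arithmetic) and the slave's timer states. Added example for this page."""

SERIAL_SPACE = 2 ** 32
HALF = 2 ** 31


def serial_gt(a, b):
    """RFC 1982 'greater than' for 32-bit serials: a is newer than b when it is
    ahead by less than 2^31, wrap-around included. Exactly 2^31 apart is
    undefined by the RFC and treated as 'not newer' here."""
    a %= SERIAL_SPACE
    b %= SERIAL_SPACE
    if a == b:
        return False
    return (a > b and a - b < HALF) or (a < b and b - a > HALF)


def slave_should_transfer(master_serial, slave_serial):
    """The slave's decision at each refresh (or on NOTIFY): pull the zone only
    if the master's serial is newer. A master whose serial went backwards
    (reset to 1, rebuilt from a template) is ignored until it is bumped past
    the slave's copy: the classic 'my change never propagates' case."""
    return serial_gt(master_serial, slave_serial)


def next_serial(current, today):
    """Date-based serial convention YYYYMMDDnn: bump nn when already on today's
    date, otherwise start today's range; never move backwards. today is 'YYYYMMDD'."""
    base = int(today) * 100
    if current >= base + 100:   # serial already beyond today's range (future date, clock skew)
        return current + 1
    if current >= base:         # already today: nn + 1 (up to 99 edits per day)
        return current + 1
    return base                 # first change of the day


def slave_state(age, refresh=86400, retry=3600, expire=604800):
    """Where the slave stands `age` seconds after its last successful transfer,
    with the zone's SOA timers (1D refresh, 1H retry, 1W expire): it keeps serving
    the old copy while retrying the master every `retry` seconds, until `expire`
    passes and it stops answering for the zone."""
    if age >= expire:
        return "expired"   # zone dropped; clients get SERVFAIL
    if age >= refresh:
        return "stale"     # still authoritative for clients, master being retried
    return "fresh"


if __name__ == "__main__":
    print(slave_should_transfer(1, 2021110814))          # False: reset master is ignored
    print(next_serial(2021110814, "20211108"))           # 2021110815
    print(slave_state(90000), slave_state(604800))       # stale expired
```

The lab's master uses serial 1, which works only because the slave starts from nothing; the moment a zone is rebuilt with a lower serial than the slave holds, `slave_should_transfer` returns False and the two servers drift apart silently.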
2. Set up a split-horizon ("smart") DNS that answers according to the client's network.
Lab environment
Four hosts are needed:
Master DNS server: two NICs, 10.0.101.80/24 and 100.0.101.80/24
web1: 10.0.101.81/24
web2: 100.0.101.81/24
DNS client: two NICs, 10.0.101.70 and 100.0.101.70
A note on the addresses: 100.0.101.0/24 is not private space but part of a public allocation, which is why the ping output further down shows Verizon reverse-DNS names for 100.0.101.81 (the BIND server, with root hints and recursion enabled, looked the PTR up on the real Internet). For a lab, use RFC 1918 ranges or the 100.64.0.0/10 shared address space instead.
Install and configure the split-horizon DNS
step1: configure web1 and web2
# Check the IP addresses of web1 and web2
[root@web1 ~]# ip a sh eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:4b:0b:0b brd ff:ff:ff:ff:ff:ff
inet 10.0.101.81/24 brd 10.0.101.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe4b:b0b/64 scope link
valid_lft forever preferred_lft forever
[root@web2 ~]# ip a sh eth1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:f2:e2:f8 brd ff:ff:ff:ff:ff:ff
inet 100.0.101.81/24 brd 100.0.101.255 scope global noprefixroute eth1
valid_lft forever preferred_lft forever
inet6 fe80::e86e:efc5:6f73:a75c/64 scope link noprefixroute
valid_lft forever preferred_lft forever
# Install httpd on web1 and web2, each serving a page that identifies it
[root@web1 ~]# yum -y install httpd
[root@web1 ~]# echo 'bj.magedu.org' > /var/www/html/index.html
[root@web1 ~]# systemctl enable --now httpd
[root@web2 ~]# yum -y install httpd
[root@web2 ~]# echo 'sh.magedu.org' > /var/www/html/index.html
[root@web2 ~]# systemctl enable --now httpd
# Test web access by IP from each client (client1 sits on the 10.0.101.0/24 side, client2 on 100.0.101.0/24)
[root@client1 ~]# ip a sh eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:b1:66:fc brd ff:ff:ff:ff:ff:ff
inet 10.0.101.70/24 brd 10.0.101.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:feb1:66fc/64 scope link
valid_lft forever preferred_lft forever
[root@client2 ~]# ip a sh eth1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:03:f1:51 brd ff:ff:ff:ff:ff:ff
inet 100.0.101.70/24 brd 100.0.101.255 scope global noprefixroute eth1
valid_lft forever preferred_lft forever
inet6 fe80::526b:58d3:5223:4627/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@client1 ~]# curl 10.0.101.81
bj.magedu.org
[root@client2 ~]# curl 100.0.101.81
sh.magedu.org
step2: configure DNS
# Install bind
[root@dns-ser ~]# yum -y install bind
# Start the service
[root@dns-ser ~]# systemctl enable --now named
# Edit the main BIND configuration file
[root@dns-ser ~]# vim /etc/named.conf
# At the very top of the file define one acl per client network (an acl must be defined before it is referenced)
acl bjnet {
10.0.101.0/24;
};
acl shnet {
100.0.101.0/24;
};
# Inside options {}, comment out the following two lines
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
# Refuse zone transfers from every host
allow-transfer {none;};
# Turn off DNSSEC validation (this lab does no trust-anchor management; a real resolver should keep validation on)
dnssec-enable no;
dnssec-validation no;
# Create the views, after options {} and before the remaining include lines. match-clients lists are evaluated in
# file order: the first view that matches the query's source address wins, and a client matching no view is REFUSED.
view bjview {
match-clients {bjnet;};
include "/etc/named.rfc1912.zones.bj";
};
view shview {
match-clients {shnet;};
include "/etc/named.rfc1912.zones.sh";
};
include "/etc/named.root.key";
# Once any view is defined BIND requires every zone to live inside a view, so comment out the root hint zone that the
# stock named.conf declares at top level (it is re-declared inside each view's include file below). For the same reason
# remove or comment out the stock include "/etc/named.rfc1912.zones"; line: that file is renamed in the next step, and
# named refuses to start when an included file is missing.
/*
zone "." IN {
type hint;
file "named.ca";
};
*/
# Create one zone configuration file per view, each with its own root hint zone and its own copy of magedu.org
[root@dns-ser ~]# vim /etc/named.rfc1912.zones
zone "." IN {
type hint;
file "named.ca";
};
zone "magedu.org" IN {
type master;
file "magedu.org.zone.bj";
};
[root@dns-ser ~]# mv /etc/named.rfc1912.zones /etc/named.rfc1912.zones.bj
[root@dns-ser ~]# cp -a /etc/named.rfc1912.zones.bj /etc/named.rfc1912.zones.sh
[root@dns-ser ~]# vim /etc/named.rfc1912.zones.sh
zone "." IN {
type hint;
file "named.ca";
};
zone "magedu.org" IN {
type master;
file "magedu.org.zone.sh";
};
[root@dns-ser ~]# ll /etc/named.*
-rw-r----- 1 root named 1946 Nov 8 14:24 /etc/named.conf
-rw-r----- 1 root named 1150 Nov 8 14:30 /etc/named.rfc1912.zones.bj
-rw-r----- 1 root named 1150 Nov 8 14:32 /etc/named.rfc1912.zones.sh
-rw-r--r-- 1 root named 1070 May 28 04:49 /etc/named.root.key
# Create the zone database files, one per view
[root@dns-ser ~]# cd /var/named/
[root@dns-ser named]# cp -a named.localhost magedu.org.zone.bj
[root@dns-ser named]# vim magedu.org.zone.bj
$TTL 1D
@ IN SOA master admin (
2021110814 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
master A 10.0.101.80
websrv A 10.0.101.81
www CNAME websrv
[root@dns-ser named]# cp -a magedu.org.zone.bj magedu.org.zone.sh
[root@dns-ser named]# vim magedu.org.zone.sh
$TTL 1D
@ IN SOA master admin (
2021110814 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
master A 100.0.101.80
websrv A 100.0.101.81
www CNAME websrv
# Reload the configuration
[root@dns-ser named]# rndc reload
server reload successful
step3: test from the clients
[root@client1 ~]# yum -y install bind-utils
[root@client1 ~]# cdnet ; vim ifcfg-eth0
DNS1=10.0.101.80
[root@client1 ~]# dig www.magedu.org
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.7 <<>> www.magedu.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9745
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.magedu.org. IN A
;; ANSWER SECTION:
www.magedu.org. 86400 IN CNAME websrv.magedu.org.
websrv.magedu.org. 86400 IN A 10.0.101.81
;; AUTHORITY SECTION:
magedu.org. 86400 IN NS master.magedu.org.
;; ADDITIONAL SECTION:
master.magedu.org. 86400 IN A 10.0.101.80
;; Query time: 1 msec
;; SERVER: 10.0.101.80#53(10.0.101.80)
;; WHEN: Mon Nov 08 14:59:39 CST 2021
;; MSG SIZE rcvd: 117
[root@client1 ~]# ping www.magedu.org
PING websrv.magedu.org (10.0.101.81) 56(84) bytes of data.
64 bytes from 10.0.101.81 (10.0.101.81): icmp_seq=1 ttl=64 time=0.731 ms
64 bytes from 10.0.101.81 (10.0.101.81): icmp_seq=2 ttl=64 time=0.874 ms
^C
--- websrv.magedu.org ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.731/0.802/0.874/0.076 ms
[root@client1 ~]# curl www.magedu.org
bj.magedu.org
[root@client2 ~]# yum -y install bind-utils
[root@client2 ~]# cdnet;vim ifcfg-eth1
DNS1=100.0.101.80
[root@client2 ~]# dig www.magedu.org
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.7 <<>> www.magedu.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64051
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.magedu.org. IN A
;; ANSWER SECTION:
www.magedu.org. 86400 IN CNAME websrv.magedu.org.
websrv.magedu.org. 86400 IN A 100.0.101.81
;; AUTHORITY SECTION:
magedu.org. 86400 IN NS master.magedu.org.
;; ADDITIONAL SECTION:
master.magedu.org. 86400 IN A 100.0.101.80
;; Query time: 1 msec
;; SERVER: 100.0.101.80#53(100.0.101.80)
;; WHEN: Mon Nov 08 15:02:47 CST 2021
;; MSG SIZE rcvd: 117
[root@client2 ~]# ping www.magedu.org
PING websrv.magedu.org (100.0.101.81) 56(84) bytes of data.
64 bytes from pool-100-0-101-81.bstnma.fios.verizon.net (100.0.101.81): icmp_seq=1 ttl=64 time=0.193 ms
64 bytes from pool-100-0-101-81.bstnma.fios.verizon.net (100.0.101.81): icmp_seq=2 ttl=64 time=0.428 ms
64 bytes from pool-100-0-101-81.bstnma.fios.verizon.net (100.0.101.81): icmp_seq=3 ttl=64 time=0.364 ms
^C64 bytes from pool-100-0-101-81.bstnma.fios.verizon.net (100.0.101.81): icmp_seq=4 ttl=64 time=0.365 ms
64 bytes from pool-100-0-101-81.bstnma.fios.verizon.net (100.0.101.81): icmp_seq=5 ttl=64 time=0.214 ms
^C
--- websrv.magedu.org ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4002ms
rtt min/avg/max/mdev = 0.193/0.312/0.428/0.095 ms
[root@client2 ~]# curl www.magedu.org
sh.magedu.org
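Both the `allow-transfer { 10.0.101.81; };` line of the master/slave setup in section 1 and the `match-clients` lists of the two views above are BIND address match lists, and BIND evaluates them the same way: the first matching element decides, a `!` element that matches means "no match", and a client that matches nothing is refused. The block below is an added example (not the page's code, and not BIND's) that implements those semantics and applies them to the acl/view layout above with the two zone files reduced to dictionaries; the CNAME chase reproduces the two-record ANSWER section of the dig outputs.

```python
"""BIND address-match-list semantics applied to allow-transfer and to view selection.
Added example for this page; the ACLs, views and records mirror the config above."""
import ipaddress

ACLS = {  # the two acl statements at the top of named.conf
    "bjnet": ["10.0.101.0/24"],
    "shnet": ["100.0.101.0/24"],
}

# views in named.conf order, each with its own copy of magedu.org
VIEWS = [
    ("bjview", ["bjnet"], {
        "master.magedu.org.": ("A", "10.0.101.80"),
        "websrv.magedu.org.": ("A", "10.0.101.81"),
        "www.magedu.org.": ("CNAME", "websrv.magedu.org."),
    }),
    ("shview", ["shnet"], {
        "master.magedu.org.": ("A", "100.0.101.80"),
        "websrv.magedu.org.": ("A", "100.0.101.81"),
        "www.magedu.org.": ("CNAME", "websrv.magedu.org."),
    }),
]


def match_list(entries, ip):
    """Evaluate an address match list against one client address.
    Elements may be 'any', 'none', a CIDR/host address or the name of an acl;
    a leading '!' negates. The first element that matches decides the result."""
    for entry in entries:
        negated = entry.startswith("!")
        elem = entry.lstrip("!").strip()
        if elem == "any":
            hit = True
        elif elem == "none":
            hit = False
        elif elem in ACLS:
            hit = match_list(ACLS[elem], ip)          # named acls nest
        else:
            hit = ip in ipaddress.ip_network(elem, strict=False)
        if hit:
            return not negated
    return False                                      # nothing matched: deny


def transfer_allowed(allow_transfer, client):
    """allow-transfer check on the master: does this client get an AXFR?"""
    return match_list(allow_transfer, ipaddress.ip_address(client))


def select_view(client):
    """First view whose match-clients admits the source address; None means BIND
    answers REFUSED because no view (and therefore no zone) applies."""
    ip = ipaddress.ip_address(client)
    for name, clients, _records in VIEWS:
        if match_list(clients, ip):
            return name
    return None


def answer(client, qname):
    """ANSWER section a client would get, following CNAMEs inside its own view."""
    view = select_view(client)
    if view is None:
        return "REFUSED"
    records = next(recs for name, _clients, recs in VIEWS if name == view)
    rrset, owner = [], qname
    while owner in records:
        rtype, rdata = records[owner]
        rrset.append((owner, rtype, rdata))
        if rtype != "CNAME":
            break
        owner = rdata                                 # chase the CNAME within the same view
    return rrset


if __name__ == "__main__":
    print(transfer_allowed(["10.0.101.81"], "10.0.101.70"))   # False: client may not AXFR
    print(answer("10.0.101.70", "www.magedu.org."))           # bjview answer
    print(answer("100.0.101.70", "www.magedu.org."))          # shview answer
    print(answer("192.168.1.5", "www.magedu.org."))           # REFUSED
```

Two things the model makes visible: a source address is all that selects a view, so anyone who can spoof or route from the "trusted" network gets that network's answers, and a client outside every `match-clients` list is refused outright rather than falling through to a default, which is why a catch-all view with `match-clients { any; };` is usually placed last.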
3. With iptables, allow ssh, telnet, ftp and the web service on port 80, and reject everything else.
# multiport --dports 20:23,80 expands to ports 20-21 (ftp data/control), 22 (ssh), 23 (telnet) and 80 (http); -d limits the
# rule to traffic addressed to this host's own 10.0.101.80. The unconditional REJECT that follows matches every other
# packet in INPUT, including loopback traffic and the replies to connections the host itself opened (yum, DNS lookups), so on
# a real host an accept for -i lo and for conntrack state ESTABLISHED,RELATED belongs in front of it, and passive-mode FTP data
# channels need the nf_conntrack_ftp helper loaded to be classified RELATED.
[root@centos8-0 ~]# iptables -A INPUT -d 10.0.101.80 -p tcp -m multiport --dports 20:23,80 -j ACCEPT
[root@centos8-0 ~]# iptables -A INPUT -j REJECT
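To see what those two rules actually do to a host's traffic, here is an added example (not from the page, and not output of iptables) that evaluates an INPUT chain with netfilter's first-match semantics against a few constructed packets. It expands the multiport syntax and carries the conntrack state of each packet, which the page's rules never look at; the second ruleset is the hardened variant described above, written by me for the comparison.

```python
"""First-match evaluation of an INPUT chain, to compare the page's two rules with a
hardened set. Added example for this page; packets are constructed, not captured."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    dst: str        # destination address as seen by the host
    proto: str      # "tcp" / "udp" / "icmp"
    dport: int      # destination port (0 for icmp)
    iface: str      # input interface
    ctstate: str    # conntrack's classification: NEW, ESTABLISHED, RELATED


def parse_multiport(spec):
    """Expand '-m multiport --dports 20:23,80' style specs into a set of ports."""
    ports = set()
    for part in spec.split(","):
        if ":" in part:
            lo, hi = (int(x) for x in part.split(":"))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    return ports


def rule(target, dst=None, proto=None, dports=None, iface=None, ctstate=None):
    """Build (matcher, target); every keyword mirrors the iptables match it is named after."""
    ports = parse_multiport(dports) if dports else None

    def matches(p):
        return ((dst is None or p.dst == dst)
                and (proto is None or p.proto == proto)
                and (ports is None or p.dport in ports)
                and (iface is None or p.iface == iface)
                and (ctstate is None or p.ctstate in ctstate))
    return matches, target


# The page's ruleset, in order.
PAGE_RULES = [
    rule("ACCEPT", dst="10.0.101.80", proto="tcp", dports="20:23,80"),
    rule("REJECT"),
]

# Same intent, made usable: loopback and return traffic first, then new connections to
# the published services. Port 20 is dropped: the server opens active-mode data
# connections itself, and passive data channels become RELATED once nf_conntrack_ftp is loaded.
HARDENED_RULES = [
    rule("ACCEPT", iface="lo"),
    rule("ACCEPT", ctstate={"ESTABLISHED", "RELATED"}),
    rule("ACCEPT", dst="10.0.101.80", proto="tcp", dports="21,22,23,80", ctstate={"NEW"}),
    rule("REJECT"),
]


def verdict(rules, packet, policy="ACCEPT"):
    """Walk the chain; the first matching rule's target is final, otherwise the chain policy."""
    for matches, target in rules:
        if matches(packet):
            return target
    return policy


# Constructed traffic samples.
SAMPLES = {
    "ssh_new":       Packet("10.0.101.80", "tcp", 22, "eth0", "NEW"),
    "mysql_new":     Packet("10.0.101.80", "tcp", 3306, "eth0", "NEW"),
    "yum_reply":     Packet("10.0.101.80", "tcp", 41234, "eth0", "ESTABLISHED"),  # SYN-ACK to our own outbound HTTP
    "loopback":      Packet("127.0.0.1", "tcp", 3306, "lo", "NEW"),               # local app talking to local DB
    "ftp_pasv_data": Packet("10.0.101.80", "tcp", 50123, "eth0", "RELATED"),      # passive FTP data channel
}


def compare(samples=SAMPLES):
    """{name: (verdict under the page's rules, verdict under the hardened rules)}"""
    return {n: (verdict(PAGE_RULES, p), verdict(HARDENED_RULES, p)) for n, p in samples.items()}


if __name__ == "__main__":
    for name, (page, hardened) in compare().items():
        print(f"{name:14} page={page:7} hardened={hardened}")
```

Both rulesets reject the unsolicited MySQL connection; only the hardened one lets the host's own outbound connections, local loopback traffic and the passive FTP data channel through, which is the difference between a host that is locked down and one that is locked out.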
4. NAT principles, summarised
NAT (Network Address Translation) rewrites the source or destination IP address of packets as they pass through a router or firewall. It is most common where many hosts share a single public IP address to reach the Internet.
Put simply, hosts inside a LAN use private addresses; when one of them talks to the outside, the gateway replaces the private source address with its public address so the traffic is valid on the Internet, and maps the replies back. One public address therefore serves a whole LAN, which is what made NAT the stop-gap for public IPv4 address exhaustion. From the outside only the gateway's address is visible, internal hosts are not directly reachable, and internal users normally never notice NAT is there. This hiding is a side effect of translation, not a security control: whatever the gateway forwards or publishes (see DNAT below) is exposed, and the filter rules in the FORWARD chain decide what actually gets through.
The nat table has four chains: PREROUTING, INPUT, OUTPUT and POSTROUTING. Only the first packet of a connection traverses it; the translation it selects is stored in the connection-tracking entry and applied, in both directions, to every later packet of that connection.
Three kinds of translation matter here (the S in SNAT stands for source and the D in DNAT for destination; "static" and "dynamic" NAT are a different classification, one-to-one mappings versus mappings drawn from a pool):
SNAT (source NAT): valid in POSTROUTING (and INPUT); rewrites the source IP of outgoing requests so LAN hosts reach the outside through a chosen address. MASQUERADE is the variant that uses whatever address the outgoing interface currently has, meant for gateways with a dynamic address.
DNAT (destination NAT): valid in PREROUTING (and OUTPUT); rewrites the destination IP (and optionally the port) of incoming requests to publish a service on an internal host without exposing its real IP (service publishing / port mapping).
PAT (port address translation, also called NAPT): rewrites ports as well as addresses; it is what lets many internal connections share one external address, and it is what SNAT to a single address and MASQUERADE actually do.
5. Implement SNAT and DNAT with iptables, and persist the rules.
1) Lab environment
Topology (from the addresses in step1): wan-server 10.0.101.180 <-> eth0 10.0.101.80 [firewall] eth1 192.168.101.80 <-> lan-server1 192.168.101.81 and lan-server2 192.168.101.82. The firewall is the default gateway of the LAN hosts; wan-server has no route to 192.168.101.0/24, which stands in for "the Internet knows nothing about the private network".
2) Lab steps
step1: IP address information
# Wan-Ser
root@wan-server:~# hostname -I
10.0.101.180
root@wan-server:~# ip route del default via 10.0.101.2 dev eth0 proto static # drop the default route so wan-server can reach nothing it has no explicit route for
root@wan-server:~# ip route
10.0.101.0/24 dev eth0 proto kernel scope link src 10.0.101.180
----------------------------------------------------------------------------------------------------------
# Firewall
[root@firewall ~]# hostname -I
10.0.101.80 192.168.101.80
[root@firewall ~]# ip route
10.0.101.0/24 dev eth0 proto kernel scope link src 10.0.101.80 metric 106
192.168.101.0/24 dev eth1 proto kernel scope link src 192.168.101.80 metric 105
----------------------------------------------------------------------------------------------------------
# Lan-Ser1
[root@lan-server1 ~]# hostname -I
192.168.101.81
[root@lan-server1 ~]# ip route
default via 192.168.101.80 dev eth0 proto static metric 100
192.168.101.0/24 dev eth0 proto kernel scope link src 192.168.101.81 metric 100
----------------------------------------------------------------------------------------------------------
# Lan-Ser2
[root@lan-server2 ~]# hostname -I
192.168.101.82
[root@lan-server2 ~]# ip route
default via 192.168.101.80 dev eth0 proto static metric 100
192.168.101.0/24 dev eth0 proto kernel scope link src 192.168.101.82 metric 100
----------------------------------------------------------------------------------------------------------
step2: configure the web servers
[root@lan-server1 ~]# yum -y install httpd
[root@lan-server1 ~]# systemctl enable --now httpd
[root@lan-server1 ~]# echo 'LAN' > /var/www/html/index.html
root@wan-server:~# apt -y install apache2
root@wan-server:~# echo 'Internet' > /var/www/html/index.html
step3: test connectivity and web access
[root@firewall ~]# ping 10.0.101.180 -c 1
PING 10.0.101.180 (10.0.101.180) 56(84) bytes of data.
64 bytes from 10.0.101.180: icmp_seq=1 ttl=64 time=0.217 ms
--- 10.0.101.180 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.217/0.217/0.217/0.000 ms
[root@firewall ~]# ping 192.168.101.81 -c 1
PING 192.168.101.81 (192.168.101.81) 56(84) bytes of data.
64 bytes from 192.168.101.81: icmp_seq=1 ttl=64 time=0.308 ms
--- 192.168.101.81 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.308/0.308/0.308/0.000 ms
-----------------------------------------------------------------------------------------------------------------------
root@wan-server:~# ping 192.168.101.80
connect: Network is unreachable
-----------------------------------------------------------------------------------------------------------------------
[root@lan-server1 ~]# ping 10.0.101.180
PING 10.0.101.180 (10.0.101.180) 56(84) bytes of data.
^C
--- 10.0.101.180 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4096ms
-----------------------------------------------------------------------------------------------------------------------
[root@firewall ~]# curl 10.0.101.180
Internet
[root@firewall ~]# curl 192.168.101.81
LAN
step4: configure SNAT
# Enable IP forwarding on the firewall (persistently, through sysctl.conf)
[root@firewall ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@firewall ~]# sysctl -p
net.ipv4.ip_forward = 1
# Add the SNAT rule: masquerade LAN sources for every destination outside the LAN (the ! -d keeps LAN-to-LAN traffic untouched)
[root@firewall ~]# iptables -t nat -A POSTROUTING -s 192.168.101.0/24 ! -d 192.168.101.0/24 -j MASQUERADE
# An internal host can now reach the external web server; wan-server sees the request arriving from 10.0.101.80
[root@lan-server1 ~]# curl 10.0.101.180
Internet
# The external host still cannot reach the internal web server (it has no route to 192.168.101.0/24); publishing it requires a DNAT rule
root@wan-server:~# curl 192.168.101.81
curl: (7) Couldn't connect to server
step5: configure DNAT
# Add the DNAT rule: connections to port 80 on the firewall's WAN address are rewritten to lan-server1. The replies pass back
# through the firewall because it is lan-server1's default gateway, and conntrack rewrites their source back to 10.0.101.80.
[root@firewall ~]# iptables -t nat -A PREROUTING -d 10.0.101.80 -p tcp --dport 80 -j DNAT --to-destination 192.168.101.81:80
# Test: the external host reaches the internal web server through the firewall's address
root@wan-server:~# curl 10.0.101.80
LAN
step6: persist the firewall rules
# Make the iptables rules survive a reboot
[root@firewall ~]# iptables-save > /data/iptables # dump the current rules of all tables to a file
[root@firewall ~]# yum -y install iptables-services # install the iptables service
[root@firewall ~]# systemctl enable --now iptables.service # start the service; this loads the distribution's stock ruleset from /etc/sysconfig/iptables
[root@firewall ~]# iptables -F # flush the stock filter-table rules
[root@firewall ~]# iptables -t nat -F # flush the nat table
[root@firewall ~]# iptables-restore < /data/iptables # load the rules saved above
[root@firewall ~]# iptables-save > /etc/sysconfig/iptables # save them to the file the iptables service restores at boot; the next lines verify it
[root@firewall ~]# iptables -t nat -F
[root@firewall ~]# iptables -tnat -vnL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[root@firewall ~]# systemctl restart iptables
[root@firewall ~]# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 10.0.101.80 tcp dpt:80 to:192.168.101.81:80
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 192.168.101.0/24 !192.168.101.0/24
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
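The MASQUERADE and DNAT rules of this section are the concrete form of the SNAT, DNAT and PAT principles summarised in section 4. The block below is an added example (not the page's code, and not anything iptables produces) that models what the firewall does to each packet: the nat table is consulted only for the first packet of a flow, the chosen translation is recorded in a connection-tracking entry, and every later packet in either direction is rewritten from that entry without the rules being looked at again. The addresses are the lab's own; TCP state, entry timeouts and port collisions are left out, and unlike the kernel (which keeps the original source port when it is free) the model always hands out a fresh masquerade port.

```python
"""Packet-level model of the firewall's MASQUERADE (POSTROUTING) and DNAT (PREROUTING)
rules plus the conntrack entries that translate replies back. Added example for this
page using the lab addresses; no real packets are sent."""
from dataclasses import dataclass, replace

FW_WAN = "10.0.101.80"           # firewall eth0
LAN_PREFIX = "192.168.101."      # the 192.168.101.0/24 LAN behind eth1

# -t nat -A PREROUTING -d 10.0.101.80 -p tcp --dport 80 -j DNAT --to-destination 192.168.101.81:80
DNAT_RULES = {(FW_WAN, 80): ("192.168.101.81", 80)}


def in_lan(ip):
    return ip.startswith(LAN_PREFIX)


@dataclass(frozen=True)
class Flow:
    """A 4-tuple as it appears on the wire (TCP assumed)."""
    src: str
    sport: int
    dst: str
    dport: int


class NatFirewall:
    def __init__(self):
        self.conntrack = {}         # flow as seen on ingress -> flow as sent on egress
        self.next_masq_port = 1024  # ports handed out by MASQUERADE (this is the PAT part)

    def _record(self, seen, sent):
        """Store both directions: the reply to `sent` must be rewritten into the reply to `seen`."""
        self.conntrack[seen] = sent
        self.conntrack[Flow(sent.dst, sent.dport, sent.src, sent.sport)] = \
            Flow(seen.dst, seen.dport, seen.src, seen.sport)

    def forward(self, pkt):
        """Return the packet as the firewall emits it on the far side."""
        if pkt in self.conntrack:                    # not the first packet: rules are not consulted
            return self.conntrack[pkt]
        out = pkt
        # PREROUTING / DNAT: publish lan-server1:80 on the firewall's WAN address
        target = DNAT_RULES.get((out.dst, out.dport))
        if target is not None:
            out = replace(out, dst=target[0], dport=target[1])
        # POSTROUTING / MASQUERADE: -s 192.168.101.0/24 ! -d 192.168.101.0/24
        if in_lan(out.src) and not in_lan(out.dst):
            out = replace(out, src=FW_WAN, sport=self.next_masq_port)
            self.next_masq_port += 1
        self._record(pkt, out)
        return out


if __name__ == "__main__":
    fw = NatFirewall()
    req = fw.forward(Flow("192.168.101.81", 40000, "10.0.101.180", 80))
    print("LAN -> WAN request leaves as", req)
    print("WAN reply arrives back as", fw.forward(Flow("10.0.101.180", 80, FW_WAN, req.sport)))
    pub = fw.forward(Flow("10.0.101.180", 51000, FW_WAN, 80))
    print("published service request reaches", pub)
    print("its reply leaves as", fw.forward(Flow("192.168.101.81", 80, "10.0.101.180", 51000)))
```

The reply to the published service is not masqueraded even though it is LAN-to-WAN traffic that the POSTROUTING rule would match: conntrack already knows the flow, so the rule is never evaluated. That is also why flushing the nat table (as in step6) does not break connections that are already open.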