使用snat和dnat实现内网主机互相访问
1,环境
client:与防火墙1互联,ip为10.2.2.10;管理ip:10.1.1.40
firewalld-1:与对端防火墙和client互联;与client互联的ip为10.2.2.11,与对端防火墙互联的ip为10.3.3.10;管理ip:10.1.1.41
firewalld-2:与对端防火墙和server互联;与server互联的ip为10.4.4.10,与对端防火墙互联的ip为10.3.3.11;管理ip:10.1.1.42
server:与防火墙2互联,ip为10.4.4.11;管理ip:10.1.1.43
软件:iptables工具;所有主机上关闭firewalld和nft
2,目的
使用snat和dnat实现client和server的互相访问
3,步骤
3.1,在防火墙1上对client网段做snat,使client能访问防火墙2的10.3.3.11
[root@firewalld-1 ~]# iptables -t nat -A POSTROUTING -s 10.2.2.0/24 -j SNAT --to-source 10.3.3.10
[root@firewalld-1 ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
#测试
[root@client network-scripts]# ssh 10.3.3.11
The authenticity of host '10.3.3.11 (10.3.3.11)' can't be established.
ECDSA key fingerprint is SHA256:Qg6++73oV2CPwbQdocTKF1Rp/kvOGnf5PtkNw6ISYgY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? ^C
[root@client network-scripts]# ping 10.3.3.11
PING 10.3.3.11 (10.3.3.11) 56(84) bytes of data.
64 bytes from 10.3.3.11: icmp_seq=1 ttl=63 time=1.18 ms
64 bytes from 10.3.3.11: icmp_seq=2 ttl=63 time=3.58 ms
64 bytes from 10.3.3.11: icmp_seq=3 ttl=63 time=3.51 ms
^C
--- 10.3.3.11 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 9ms
rtt min/avg/max/mdev = 1.180/2.756/3.581/1.116 ms
[root@client network-scripts]# ip route
default via 10.2.2.11 dev ens39
10.1.1.0/24 dev ens33 proto kernel scope link src 10.1.1.40 metric 100
10.2.2.0/24 dev ens39 proto kernel scope link src 10.2.2.10 metric 101
#在防火墙2上抓包
[root@firewalld-2 ~]# tcpdump -i ens37 -nn icmp
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes
14:46:05.710153 IP 10.3.3.10 > 10.3.3.11: ICMP echo request, id 1716, seq 1, length 64
14:46:05.710183 IP 10.3.3.11 > 10.3.3.10: ICMP echo reply, id 1716, seq 1, length 64
14:46:06.713530 IP 10.3.3.10 > 10.3.3.11: ICMP echo request, id 1716, seq 2, length 64
14:46:06.713557 IP 10.3.3.11 > 10.3.3.10: ICMP echo reply, id 1716, seq 2, length 64
14:46:07.715038 IP 10.3.3.10 > 10.3.3.11: ICMP echo request, id 1716, seq 3, length 64
14:46:07.715064 IP 10.3.3.11 > 10.3.3.10: ICMP echo reply, id 1716, seq 3, length 64
14:46:08.717835 IP 10.3.3.10 > 10.3.3.11: ICMP echo request, id 1716, seq 4, length 64
14:46:08.717861 IP 10.3.3.11 > 10.3.3.10: ICMP echo reply, id 1716, seq 4, length 64
14:46:09.726162 IP 10.3.3.10 > 10.3.3.11: ICMP echo request, id 1716, seq 5, length 64
14:46:09.726191 IP 10.3.3.11 > 10.3.3.10: ICMP echo reply, id 1716, seq 5, length 64
3.2,在防火墙1上用dnat发布client端的httpd服务,使防火墙2能够访问
[root@client network-scripts]# ip route
default via 10.2.2.11 dev ens39
10.1.1.0/24 dev ens33 proto kernel scope link src 10.1.1.40 metric 100
10.2.2.0/24 dev ens39 proto kernel scope link src 10.2.2.10 metric 101
[root@client network-scripts]#
[root@client]# yum install -y httpd; echo `hostname -I ` >> /var/www/html/index.html;systemctl start httpd.service
[root@firewalld-1 ~]# iptables -t nat -A PREROUTING -d 10.3.3.10 -p tcp --dport 80 -j DNAT --to-destination 10.2.2.10:80
[root@firewalld-2 ~]# curl 10.3.3.10
10.1.1.40 10.2.2.10
3.3,在防火墙2上对server网段做snat,使server能够访问client端的httpd
[root@firewalld-2 ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@firewalld-2 ~]# iptables -t nat -A POSTROUTING -s 10.4.4.0/24 -j SNAT --to-source 10.3.3.11
#测试 注意:server的默认路由必须指向防火墙2(10.4.4.10),否则报文不会经过防火墙2做snat
3: ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:e2:08:d4 brd ff:ff:ff:ff:ff:ff
inet 10.4.4.11/24 brd 10.4.4.255 scope global noprefixroute ens37
valid_lft forever preferred_lft forever
inet6 fe80::4c65:5c25:d5f0:afb5/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@server ~]# ip route
default via 10.1.1.2 dev ens33 proto static metric 100
10.1.1.0/24 dev ens33 proto kernel scope link src 10.1.1.43 metric 100
10.4.4.0/24 dev ens37 proto kernel scope link src 10.4.4.11 metric 101
[root@server ~]# ip route default via 10.1.1.2 dev ens33
Command "default" is unknown, try "ip route help".
[root@server ~]# ip route del default via 10.1.1.2 dev ens33
[root@server ~]# ip route add default via 10.4.4.10 dev ens37
[root@server ~]# ping 10.3.3.10
PING 10.3.3.10 (10.3.3.10) 56(84) bytes of data.
64 bytes from 10.3.3.10: icmp_seq=1 ttl=63 time=1.13 ms
64 bytes from 10.3.3.10: icmp_seq=2 ttl=63 time=4.07 ms
^C
--- 10.3.3.10 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 3ms
rtt min/avg/max/mdev = 1.129/2.599/4.069/1.470 ms
[root@server ~]# curl 10.3.3.10
10.1.1.40 10.2.2.10
3.4,在防火墙2上用dnat发布server的ssh服务,使client能访问
[root@firewalld-2 ~]# iptables -t nat -A PREROUTING -d 10.3.3.11 -p tcp --dport 22 -j DNAT --to-destination 10.4.4.11:22
[root@client network-scripts]# ip route
default via 10.2.2.11 dev ens39
10.1.1.0/24 dev ens33 proto kernel scope link src 10.1.1.40 metric 100
10.2.2.0/24 dev ens39 proto kernel scope link src 10.2.2.10 metric 101
[root@client network-scripts]# ssh 10.3.3.11
The authenticity of host '10.3.3.11 (10.3.3.11)' can't be established.
ECDSA key fingerprint is SHA256:pZLBoNKJWWBM5RkDS31r/YwwN+0GtrDmXrq6j2HmpOY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.3.3.11' (ECDSA) to the list of known hosts.
root@10.3.3.11's password:
Last login: Tue Jun 29 03:16:58 2021 from 10.1.1.1
[root@server ~]# hostname -I
10.1.1.43 10.4.4.11
dnat和snat的简单应用