
SNAT/DNAT: letting an external network reach an internal host

nanyue  2025-05-11 17:28:31

1. Environment

SNAT: when an internal host needs to reach a service on the public network (web browsing, for example), the internal host initiates the connection and the gateway (router or firewall) rewrites the packet's source address, replacing the private IP with the gateway's public IP. This translation is called SNAT (source NAT); it is mainly used so that many internal hosts can share one public address for outbound access.

DNAT: when an internal service must be published to the outside (a public web site, for example), the external host initiates the connection; the gateway that holds the public IP accepts it on behalf of the internal server and rewrites the destination address to the server's internal IP. This translation is called DNAT (destination NAT); it is mainly used to publish internal services.

When writing firewall rules or router ACLs, do not confuse the two. In netfilter terms SNAT happens in the nat table's POSTROUTING chain, after the routing decision, while DNAT happens in PREROUTING, before it, so filter rules in the FORWARD chain already see the translated destination address.

Lab topology (10.68.100.0/24 plays the role of the "external" network, 192.168.11.0/24 the internal one):

Node1, NAT gateway: ens33 10.68.100.180 (external side), ens36 192.168.11.180 (internal side)

Node2, web server: 192.168.11.181

Node3, client: 10.68.100.183

2. Configuration

Node1: NAT gateway

ens33:

[root@node1 ~]# vi /etc/sysconfig/network-scripts/ifcfg-ens33

TYPE="Ethernet"

PROXY_METHOD="none"

BROWSER_ONLY="no"

BOOTPROTO="none"

DEFROUTE="yes"

IPV4_FAILURE_FATAL="no"

IPV6INIT="yes"

IPV6_AUTOCONF="yes"

IPV6_DEFROUTE="yes"

IPV6_FAILURE_FATAL="no"

IPV6_ADDR_GEN_MODE="stable-privacy"

NAME="ens33"

UUID="3ef9c82a-a30e-4499-b55f-8cf29f7f0ac8"

DEVICE="ens33"

ONBOOT="yes"

IPADDR="10.68.100.180"

PREFIX="24"

#GATEWAY="10.68.100.2"

#DNS1="114.114.114.114"

IPV6_PRIVACY="no"

ens36:

[root@node1 ~]# vi /etc/sysconfig/network-scripts/ifcfg-ens36

TYPE="Ethernet"

PROXY_METHOD="none"

BROWSER_ONLY="no"

BOOTPROTO="none"

DEFROUTE="yes"

IPV4_FAILURE_FATAL="no"

IPV6INIT="yes"

IPV6_AUTOCONF="yes"

IPV6_DEFROUTE="yes"

IPV6_FAILURE_FATAL="no"

IPV6_ADDR_GEN_MODE="stable-privacy"

NAME="ens36"

DEVICE="ens36"

ONBOOT="yes"

IPADDR="192.168.11.180"

PREFIX="24"

[root@node1 ~]# vi /etc/sysctl.conf

# sysctl settings are defined through files in

# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.

#

# Vendors settings live in /usr/lib/sysctl.d/.

# To override a whole file, create a new file with the same in

# /etc/sysctl.d/ and put new settings there. To override

# only specific settings, add a file with a lexically later

# name in /etc/sysctl.d/ and put new settings there.

#

# For more information, see sysctl.conf(5) and sysctl.d(5).

net.ipv4.ip_forward=1

[root@node1 ~]# vi /etc/selinux/config

# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:

# enforcing - SELinux security policy is enforced.

# permissive - SELinux prints warnings instead of enforcing.

# disabled - No SELinux policy is loaded.

SELINUX=disabled

# SELINUXTYPE= can take one of three values:

# targeted - Targeted processes are protected,

# minimum - Modification of targeted policy. Only selected processes are protected.

# mls - Multi Level Security protection.

SELINUXTYPE=targeted

systemctl stop firewalld

systemctl disable firewalld

yum install iptables iptables-services -y

systemctl start iptables.service

iptables -P INPUT ACCEPT

iptables -P OUTPUT ACCEPT   # set the default policies to ACCEPT

iptables -F && iptables -t nat -F   # flush every rule in the filter and nat tables

service iptables save   # persist the (now empty) rule set to /etc/sysconfig/iptables

iptables -t nat -nL   # confirm that the nat table is empty

Notes on this step. Load the sysctl change with `sysctl -p` (or reboot) before testing; while net.ipv4.ip_forward is 0 the kernel does not forward packets that are not addressed to itself. firewalld has to be stopped because it and iptables-services both manage the same netfilter rule set. The flush matters because the stock rule set shipped by iptables-services ends the FORWARD chain with a REJECT rule; after the flush the chain falls back to its default ACCEPT policy, which is what lets the translated packets through, so once NAT works consider restricting FORWARD to the published port only. Disabling SELinux is not needed for forwarding or NAT and weakens the host; outside a throwaway lab leave it enforcing.

Node2: web server

ens36:

[root@node2 ~]# vi /etc/sysconfig/network-scripts/ifcfg-ens36

TYPE="Ethernet"

PROXY_METHOD="none"

BROWSER_ONLY="no"

BOOTPROTO="none"

DEFROUTE="yes"

IPV4_FAILURE_FATAL="no"

IPV6INIT="yes"

IPV6_AUTOCONF="yes"

IPV6_DEFROUTE="yes"

IPV6_FAILURE_FATAL="no"

IPV6_ADDR_GEN_MODE="stable-privacy"

NAME="ens36"

DEVICE="ens36"

ONBOOT="yes"

IPADDR="192.168.11.181"

PREFIX="24"

GATEWAY="192.168.11.180"

(Node2's default route points at node1's inner interface, so replies to connections that arrived through DNAT return via the gateway, where conntrack reverses the translation.)

systemctl stop firewalld

systemctl disable firewalld

Node3: client

ens33:

[root@node3 ~]# more /etc/sysconfig/network-scripts/ifcfg-ens33

TYPE="Ethernet"

PROXY_METHOD="none"

BROWSER_ONLY="no"

BOOTPROTO="none"

DEFROUTE="yes"

IPV4_FAILURE_FATAL="no"

IPV6INIT="yes"

IPV6_AUTOCONF="yes"

IPV6_DEFROUTE="yes"

IPV6_FAILURE_FATAL="no"

IPV6_ADDR_GEN_MODE="stable-privacy"

NAME="ens33"

UUID="5d003e36-324a-403e-b8a1-6f969a7003d2"

DEVICE="ens33"

ONBOOT="yes"

IPADDR="10.68.100.183"

PREFIX="24"

GATEWAY="10.68.100.180"

IPV6_PRIVACY="no"

systemctl stop firewalld

systemctl disable firewalld

3. Applying the SNAT and DNAT rules

SNAT (POSTROUTING, after routing): every packet from the client network that leaves through the inner interface ens36 has its source address rewritten to the gateway's inner address. `--to` is iptables' abbreviation of `--to-source`.

iptables -t nat -A POSTROUTING -s 10.68.100.0/24 -o ens36 -j SNAT --to 192.168.11.180

DNAT (PREROUTING, before routing): TCP port 80 arriving on ens33 for the gateway's own address 10.68.100.180 is redirected to the web server. `--to` abbreviates `--to-destination`; because only port 80 is listed, every other port on 10.68.100.180 still terminates on the gateway itself.

iptables -t nat -A PREROUTING -i ens33 -d 10.68.100.180 -p tcp --dport 80 -j DNAT --to 192.168.11.181

The two rules are independent. DNAT alone is enough to publish the site, because node2's default gateway is 192.168.11.180 and its replies therefore route back through node1, where conntrack reverses the translation. Adding the SNAT rule makes every connection appear to come from 192.168.11.180; that is useful when the web server cannot route back to the client network, but it also erases the client's address from the web server's logs (compare the two kinds of entries in the access log in section 4). Run `service iptables save` again after adding the rules, otherwise they are lost the next time the iptables service restarts.
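As an added example (not code from the original post), the rule set of this section as a script with a dry-run mode, next to a tighter variant that drops the SNAT rule and locks down the FORWARD chain. Interface names and addresses are the lab's; the function names and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post: the lab's NAT rule set as a
# reviewable script, in two variants. Interface names and addresses are the
# lab's own; the function names and the DRY_RUN switch are this example's
# assumptions.
set -eu

EXT_IF="${EXT_IF:-ens33}"                 # interface facing the client (node3)
INT_IF="${INT_IF:-ens36}"                 # interface facing the web server (node2)
GW_EXT_IP="${GW_EXT_IP:-10.68.100.180}"   # published address
GW_INT_IP="${GW_INT_IP:-192.168.11.180}"  # gateway's inner address
CLIENT_NET="${CLIENT_NET:-10.68.100.0/24}"
WEB_IP="${WEB_IP:-192.168.11.181}"
WEB_PORT="${WEB_PORT:-80}"

# DRY_RUN=1 prints each command instead of executing it, so the rule set can
# be reviewed before it touches the running firewall.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Variant 1: the two rules exactly as the post applies them (long option
# names spelled out). Side effect: the web server logs 192.168.11.180 for
# every request, because SNAT replaces the client's source address.
nat_rules_as_posted() {
  run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$GW_EXT_IP" \
      -p tcp --dport "$WEB_PORT" -j DNAT --to-destination "$WEB_IP"
  run iptables -t nat -A POSTROUTING -s "$CLIENT_NET" -o "$INT_IF" \
      -j SNAT --to-source "$GW_INT_IP"
}

# Variant 2: DNAT only, plus a FORWARD chain that passes nothing except the
# published port and the replies to it. No SNAT is needed because node2's
# default route already points at GW_INT_IP, so return traffic comes back
# through this gateway and the client's real address reaches the web log.
nat_rules_hardened() {
  run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$GW_EXT_IP" \
      -p tcp --dport "$WEB_PORT" -j DNAT --to-destination "$WEB_IP"
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # PREROUTING has already rewritten the destination, so FORWARD matches on
  # the web server's address, not on the published one.
  run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$WEB_IP" \
      -p tcp --dport "$WEB_PORT" -m conntrack --ctstate NEW -j ACCEPT
}

# Helpers for reviewing a variant without applying it.
dry_run_rules() {              # usage: dry_run_rules <variant-function>
  ( DRY_RUN=1; "$1" )
}
rule_count() {                 # usage: rule_count <variant-function> <pattern>
  dry_run_rules "$1" | grep -c -- "$2" || true
}

case "${1:-}" in
  posted)   nat_rules_as_posted ;;   # DRY_RUN=1 ./nat.sh posted    prints only
  hardened) nat_rules_hardened ;;    # ./nat.sh hardened            applies (as root)
esac
```

Run `DRY_RUN=1 ./nat.sh hardened` first and diff the printed commands against `iptables-save` before applying; as with the post's own rules, follow a successful test with `service iptables save`.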

4. Verification

Node3:

[root@node3 ~]# curl http://10.68.100.180

<!DOCTYPE html>

<html>

<head>

<title>Welcome to nginx!</title>

<style>

html { color-scheme: light dark; }

body { width: 35em; margin: 0 auto;

font-family: Tahoma, Verdana, Arial, sans-serif; }

</style>

</head>

<body>

<h1>Welcome to 181 nginx!</h1>

<p>If you see this page, the nginx web server is successfully installed and

working. Further configuration is required.</p>

<p>For online documentation and support please refer to

<a href="http://nginx.org/">nginx.org</a>.<br/>

Commercial support is available at

<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>

</body>

</html>

Node2 (web server access log):

[root@node2 ~]# tail -f /var/log/nginx/access.log

192.168.11.180 - - [25/Mar/2024:17:12:02 +0800] "GET / HTTP/1.1" 200 619 "-" "curl/7.29.0" "-"

10.68.100.183 - - [25/Mar/2024:17:38:59 +0800] "GET / HTTP/1.1" 200 619 "-" "curl/7.29.0" "-"

192.168.11.180 - - [26/Mar/2024:10:25:22 +0800] "GET / HTTP/1.1" 200 619 "-" "curl/7.29.0" "-"

10.68.100.183 - - [26/Mar/2024:10:25:33 +0800] "GET / HTTP/1.1" 200 619 "-" "curl/7.29.0" "-"

10.68.100.183 - - [26/Mar/2024:10:30:41 +0800] "GET / HTTP/1.1" 200 619 "-" "curl/7.29.0" "-"

192.168.11.180 - - [26/Mar/2024:10:31:45 +0800] "GET / HTTP/1.1" 200 619 "-" "curl/7.29.0" "-"

192.168.11.180 - - [26/Mar/2024:10:41:27 +0800] "GET / HTTP/1.1" 200 619 "-" "curl/7.29.0" "-"

192.168.11.180 - - [26/Mar/2024:10:53:50 +0800] "GET / HTTP/1.1" 200 619 "-" "curl/7.29.0" "-"

192.168.11.180 - - [26/Mar/2024:10:54:21 +0800] "GET / HTTP/1.1" 200 619 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" "-"

192.168.11.180 - - [26/Mar/2024:10:54:21 +0800] "GET /favicon.ico HTTP/1.1" 404 555 "http://10.68.100.180/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" "-"

192.168.11.180 - - [26/Mar/2024:11:27:48 +0800] "GET / HTTP/1.1" 200 619 "-" "curl/7.29.0" "-"

Two kinds of entries appear in the log. Those whose client address is 192.168.11.180 passed through the SNAT rule: the web server saw the gateway's inner address, and the real client (10.68.100.183) can no longer be identified from this log. Those whose client address is 10.68.100.183 were handled by the DNAT rule alone, so the client's real address survived. If the access log is used for auditing, rate limiting or incident response, prefer DNAT without SNAT (as in this lab, where the web server's default route already leads back to the gateway), or log the original source on the gateway itself.

The above was carried out in virtual machines; questions and comments are welcome.
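As an added example (not code from the original post), a small check that scans an nginx access log in the format shown above and reports how many requests recorded the NAT gateway's inner address as their client, i.e. requests whose real source was hidden by the SNAT rule. The sample log lines are constructed for this example and the function names are its own.

```shell
#!/bin/sh
# Added example, not code from the original post: scans an nginx access log
# (default "combined" format, as in the post) and reports how many requests
# carry the NAT gateway's inner address as their client, i.e. requests whose
# real source was hidden by the SNAT rule. The sample log lines are
# constructed for this example and the function names are its own.
set -eu

GW_INT_IP="${GW_INT_IP:-192.168.11.180}"

# One line per client address: "<requests> <address> <client|MASKED>".
# In the combined format the client address is the first field.
summarize_clients() {          # usage: summarize_clients <gateway-ip> < access.log
  awk -v gw="$1" '
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { n[$1]++ }
    END {
      for (ip in n)
        printf "%d %s %s\n", n[ip], ip, (ip == gw ? "MASKED" : "client")
    }' | sort -k2,2
}

# Number of requests whose recorded client is the gateway itself.
masked_count() {               # usage: masked_count <gateway-ip> < access.log
  awk -v gw="$1" '$1 == gw { c++ } END { print c + 0 }'
}

# Constructed sample in the same shape as the post's log: two requests that
# went through SNAT (client shows as the gateway) and two that did not.
sample_log() {
  cat <<'EOF'
192.168.11.180 - - [26/Mar/2024:10:25:22 +0800] "GET / HTTP/1.1" 200 619 "-" "curl/7.29.0" "-"
10.68.100.183 - - [26/Mar/2024:10:25:33 +0800] "GET / HTTP/1.1" 200 619 "-" "curl/7.29.0" "-"
10.68.100.183 - - [26/Mar/2024:10:30:41 +0800] "GET / HTTP/1.1" 200 619 "-" "curl/7.29.0" "-"
192.168.11.180 - - [26/Mar/2024:10:54:21 +0800] "GET /favicon.ico HTTP/1.1" 404 555 "http://10.68.100.180/" "Mozilla/5.0" "-"
EOF
}

# ./nat-log-check.sh                       analyse the constructed sample
# ./nat-log-check.sh /var/log/nginx/access.log   analyse a real log file
if [ -n "${1:-}" ]; then
  summarize_clients "$GW_INT_IP" < "$1"
  printf 'requests whose client address was hidden by SNAT: %s\n' \
    "$(masked_count "$GW_INT_IP" < "$1")"
else
  sample_log | summarize_clients "$GW_INT_IP"
  printf 'requests whose client address was hidden by SNAT: %s\n' \
    "$(sample_log | masked_count "$GW_INT_IP")"
fi
```

A non-zero masked count on a server that is only supposed to be reached through DNAT means the SNAT rule is still in place on the gateway (or another NAT device sits in the path), and the log cannot be used to attribute requests to clients.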
