Linux 实验 -12 SNAT 与DNAT

1、前提准备

  1. 三台centos虚拟机

分别充当外网服务器、网关服务器和内网服务器

网关服务器需要配置两张网卡

外网服务器的网卡与网关服务器新添加的网卡均为“仅主机模式”

内网服务器和网关服务器原有的网卡均为 NAT 模式

具体IP地址的配置如下图

2、 具体实施

2.1 安装一些可能会用的到的依赖环境(建议装完可以拍一下快照)

# Install the tools used later in the lab (tcpdump, telnet, traceroute, net-tools for ifconfig, ...).
# NOTE(review): several names in this list (iproute2, nfs-kernel-server, nfs-common, libssl-dev,
# libpcre3, libpcre3-dev, zlib1g-dev) are Debian/Ubuntu package names; on CentOS yum will report
# them as unavailable. The usual CentOS equivalents are iproute, nfs-utils, openssl-devel,
# pcre-devel and zlib-devel.
yum install -y iproute2 ntpdate tcpdump telnet traceroute nfs-kernel-server nfs-common lrzsz openssl libssl-dev libpcre3 libpcre3-dev zlib1g-dev gcc openssh-server iotop unzip zip net-tools

2.2 安装 httpd 服务(内网和外网服务器需要,网关服务器不需要)

为了让实验结果更加明显,我们在内网、外网服务器上安装 httpd 服务

# Run on the inner and outer servers only; the gateway does not serve web pages and does not need httpd.
yum install -y httpd

安装成功

2.3 更改IP地址

2.3.1 外网服务器:改成仅主机网段的地址,本实验中外网服务器的 IP 地址设置为 192.168.153.100

【注】我们可以在虚拟网络编辑器中看到自己的仅主机的网段

2.3.2 网关服务器:需要有两张网卡,即原有的 ens33 与另外添加的一张

(1)ens33: 充当内网服务器的网关 : 192.168.107.254

(2)另一张: 充当外网服务器的网关: 192.168.153.254

2.3.3 内网服务器

仅需配置 NAT 模式的网卡,IP 地址:192.168.107.100

2.3.4 具体操作

外网

[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33

BOOTPROTO="static"
DEVICE="ens33"
ONBOOT="yes"
IPADDR=192.168.153.100
NETMASK=255.255.255.0
GATEWAY=192.168.153.254
DNS1=218.2.135.1
DNS2=8.8.8.8
~            

[root@localhost ~]# systemctl restart network

重启之后会与 Xshell 断开连接,需要新建一个连接,我们命名为 waiwang

[root@localhost ~]# ifconfig 
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.153.100  netmask 255.255.255.0  broadcast 192.168.153.255
        inet6 fe80::20c:29ff:fe09:f626  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:09:f6:26  txqueuelen 1000  (Ethernet)
        RX packets 200437  bytes 286281104 (273.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 58770  bytes 3908607 (3.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 47119  bytes 4116240 (3.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 47119  bytes 4116240 (3.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:a5:b3:e9  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@localhost ~]# 

再次连接之后可以发现ip地址更改成功

网关

我们可以发现我们新加的网卡名称为ens36

[root@localhost ~]# ifconfig 
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.107.193  netmask 255.255.255.0  broadcast 192.168.107.255
        inet6 fe80::e395:e99c:b9b2:e4cf  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:58:6d:ec  txqueuelen 1000  (Ethernet)
        RX packets 121917  bytes 169240507 (161.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 30149  bytes 2002898 (1.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens36: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.153.129  netmask 255.255.255.0  broadcast 192.168.153.255
        inet6 fe80::8da1:294e:f366:263e  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:58:6d:f6  txqueuelen 1000  (Ethernet)
        RX packets 39  bytes 5556 (5.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 26  bytes 4428 (4.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

更改网卡配置的操作和上面类似,不再赘述。注意下面网关服务器两块网卡的 GATEWAY 都填写了本机自己的地址,这一项对网关本身并无实际意义,可以省略。

[root@localhost ~]# cd /etc/sysconfig/network-scripts/
[root@localhost network-scripts]# ls
ifcfg-ens33  ifdown-ipv6    ifdown-TeamPort  ifup-ippp   ifup-routes       network-functions
ifcfg-lo     ifdown-isdn    ifdown-tunnel    ifup-ipv6   ifup-sit          network-functions-ipv6
ifdown       ifdown-post    ifup             ifup-isdn   ifup-Team
ifdown-bnep  ifdown-ppp     ifup-aliases     ifup-plip   ifup-TeamPort
ifdown-eth   ifdown-routes  ifup-bnep        ifup-plusb  ifup-tunnel
ifdown-ib    ifdown-sit     ifup-eth         ifup-post   ifup-wireless
ifdown-ippp  ifdown-Team    ifup-ib          ifup-ppp    init.ipv6-global
[root@localhost network-scripts]# cp ifcfg-ens33 ifcfg-ens36
[root@localhost network-scripts]# ls
ifcfg-ens33  ifdown-ippp    ifdown-Team      ifup-ib     ifup-ppp       init.ipv6-global
ifcfg-ens36  ifdown-ipv6    ifdown-TeamPort  ifup-ippp   ifup-routes    network-functions
ifcfg-lo     ifdown-isdn    ifdown-tunnel    ifup-ipv6   ifup-sit       network-functions-ipv6
ifdown       ifdown-post    ifup             ifup-isdn   ifup-Team
ifdown-bnep  ifdown-ppp     ifup-aliases     ifup-plip   ifup-TeamPort
ifdown-eth   ifdown-routes  ifup-bnep        ifup-plusb  ifup-tunnel
ifdown-ib    ifdown-sit     ifup-eth         ifup-post   ifup-wireless
[root@localhost network-scripts]# vim ifcfg-ens36
[root@localhost network-scripts]# vim ifcfg-ens33
[root@localhost network-scripts]# 

ens36

BOOTPROTO="static"
DEVICE="ens36"
ONBOOT="yes"
IPADDR=192.168.153.254
NETMASK=255.255.255.0
GATEWAY=192.168.153.254
DNS1=218.2.135.1
DNS2=8.8.8.8
~              

ens33

TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="static"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="ens33"
UUID="9bd5863f-1c9f-42e3-a3c2-4c5fcc433131"
DEVICE="ens33"
ONBOOT="yes"
IPADDR=192.168.107.254
NETMASK=255.255.255.0
GATEWAY=192.168.107.254
DNS1=218.2.135.1
DNS2=8.8.8.8

# Gateway: apply the ifcfg-ens33 / ifcfg-ens36 changes. The current SSH session drops when the
# addresses change; reconnect afterwards and verify with ifconfig.
systemctl restart network

同样地,我们新建一个连接,名为 wangguan

查看IP地址

[root@localhost ~]# ifconfig 
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.107.254  netmask 255.255.255.0  broadcast 192.168.107.255
        inet6 fe80::e395:e99c:b9b2:e4cf  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:58:6d:ec  txqueuelen 1000  (Ethernet)
        RX packets 122802  bytes 169308862 (161.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 30630  bytes 2077932 (1.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens36: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.153.254  netmask 255.255.255.0  broadcast 192.168.153.255
        inet6 fe80::20c:29ff:fe58:6df6  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:58:6d:f6  txqueuelen 1000  (Ethernet)
        RX packets 40  bytes 5616 (5.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 56  bytes 8760 (8.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

内网服务器无需特别操作,仅需修改 IP 地址即可

[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33

TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="static"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="ens33"
UUID="a22f01af-7d83-4555-a495-60477525f807"
DEVICE="ens33"
ONBOOT="yes"
IPADDR=192.168.107.100
NETMASK=255.255.255.0
GATEWAY=192.168.107.254
DNS1=218.2.135.1
DNS2=8.8.8.8

[root@localhost ~]# systemctl restart network

新建一个连接,取名为 neiwang

查看IP地址

[root@localhost ~]# ifconfig 
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.107.100  netmask 255.255.255.0  broadcast 192.168.107.255
        inet6 fe80::e412:d7d6:9eb3:4a18  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:97:20:dd  txqueuelen 1000  (Ethernet)
        RX packets 100245  bytes 136746570 (130.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 21890  bytes 1500485 (1.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

2.4 网关服务器开启路由转发功能

[root@localhost ~]# vim /etc/sysctl.conf 
[root@localhost ~]# 
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.ip_forward=1

重新读取配置文件

[root@localhost ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@localhost ~]# 

尝试在内网 ping 外网、在外网 ping 内网

外 - 内
[root@localhost ~]# ping 192.168.107.100
PING 192.168.107.100 (192.168.107.100) 56(84) bytes of data.
64 bytes from 192.168.107.100: icmp_seq=1 ttl=63 time=0.897 ms
64 bytes from 192.168.107.100: icmp_seq=2 ttl=63 time=0.440 ms
64 bytes from 192.168.107.100: icmp_seq=3 ttl=63 time=0.509 ms
64 bytes from 192.168.107.100: icmp_seq=4 ttl=63 time=0.669 ms
64 bytes from 192.168.107.100: icmp_seq=5 ttl=63 time=0.462 ms
^C
--- 192.168.107.100 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4002ms
rtt min/avg/max/mdev = 0.440/0.595/0.897/0.172 ms
[root@localhost ~]# 

内 - 外
[root@localhost ~]# ping 192.168.153.100
PING 192.168.153.100 (192.168.153.100) 56(84) bytes of data.
64 bytes from 192.168.153.100: icmp_seq=1 ttl=63 time=1.02 ms
64 bytes from 192.168.153.100: icmp_seq=2 ttl=63 time=0.674 ms
64 bytes from 192.168.153.100: icmp_seq=3 ttl=63 time=0.423 ms
64 bytes from 192.168.153.100: icmp_seq=4 ttl=63 time=0.414 ms
64 bytes from 192.168.153.100: icmp_seq=5 ttl=63 time=0.771 ms
^C
--- 192.168.153.100 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4002ms
rtt min/avg/max/mdev = 0.414/0.661/1.026/0.231 ms
[root@localhost ~]# 

路由转发功能成功开启。注意:此时网关会在两个网段之间转发全部流量,本实验没有在 filter 表的 FORWARD 链上添加任何限制规则;在生产环境中应配合 FORWARD 规则只放行需要转发的流量。

2.5 验证 SNAT

外网服务器开启 httpd 服务

[root@localhost ~]# systemctl start httpd.service

配置 httpd 的测试网页

[root@localhost ~]# echo ailun > /var/www/html/index.html
[root@localhost ~]# curl 192.168.153.100
ailun
[root@localhost ~]# curl 192.168.153.100
ailun
[root@localhost ~]# curl 192.168.153.100
ailun
[root@localhost ~]# 

监控访问日志,查看是哪个 IP 在访问

[root@localhost ~]# tail -f /var/log/httpd/access_log 
192.168.153.100 - - [20/Apr/2025:14:39:19 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.153.100 - - [20/Apr/2025:14:39:21 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.153.100 - - [20/Apr/2025:14:39:22 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"

测试在内网访问

[root@localhost ~]# curl 192.168.153.100
ailun
[root@localhost ~]# curl 192.168.153.100
ailun
[root@localhost ~]# curl 192.168.153.100
ailun
[root@localhost ~]# curl 192.168.153.100
ailun
[root@localhost ~]# curl 192.168.153.100
ailun
[root@localhost ~]# curl 192.168.153.100
ailun
[root@localhost ~]# 



在外网服务器上查看访问日志中的 IP 地址

Last login: Sun Apr 20 14:15:16 2025 from 192.168.153.1
[root@localhost ~]# tail -f /var/log/httpd/access_log 
192.168.153.100 - - [20/Apr/2025:14:39:19 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.153.100 - - [20/Apr/2025:14:39:21 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.153.100 - - [20/Apr/2025:14:39:22 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.107.100 - - [20/Apr/2025:14:41:42 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.107.100 - - [20/Apr/2025:14:41:43 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.107.100 - - [20/Apr/2025:14:41:44 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.107.100 - - [20/Apr/2025:14:41:44 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.107.100 - - [20/Apr/2025:14:41:45 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.107.100 - - [20/Apr/2025:14:41:45 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"

可以发现多出了一批来源 IP 为 192.168.107.100(内网服务器真实地址)的访问记录

配置 SNAT 规则(下面 nat 表中已有的 192.168.122.0/24 相关规则来自系统自带的 virbr0 虚拟网桥,与本实验无关)

# Gateway, nat table: packets from the inner subnet (192.168.107.0/24) that leave via ens36 get
# their source address rewritten to the gateway's outer address, so the outer server sees
# 192.168.153.254 instead of 192.168.107.100 (compare access_log before and after).
# The outer address is hard-coded here; if ens36's address changes the rule must be updated.
iptables -t nat -A POSTROUTING -s 192.168.107.0/24 -o ens36 -j SNAT --to 192.168.153.254

意为把来自 192.168.107.0/24 网段、从 ens36 网卡出去的数据包的源地址改写为 192.168.153.254,即网关的外网口地址

[root@localhost ~]# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 2 packets, 143 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 2 packets, 143 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    5   414 RETURN     all  --  *      *       192.168.122.0/24     224.0.0.0/24        
    0     0 RETURN     all  --  *      *       192.168.122.0/24     255.255.255.255     
    0     0 MASQUERADE  tcp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
    0     0 MASQUERADE  udp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
    0     0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24    
    0     0 SNAT       all  --  *      ens36   192.168.107.0/24     0.0.0.0/0            to:192.168.153.254
[root@localhost ~]# iptables -t nat -vnL --line-numbers
Chain PREROUTING (policy ACCEPT 4 packets, 301 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 4 packets, 301 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        5   414 RETURN     all  --  *      *       192.168.122.0/24     224.0.0.0/24        
2        0     0 RETURN     all  --  *      *       192.168.122.0/24     255.255.255.255     
3        0     0 MASQUERADE  tcp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
4        0     0 MASQUERADE  udp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
5        0     0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24    
6        0     0 SNAT       all  --  *      ens36   192.168.107.0/24     0.0.0.0/0            to:192.168.153.254
[root@localhost ~]# 

内网再次测试

此时可以看到访问日志中的来源 IP 变成了网关的外网口地址 192.168.153.254

Last login: Sun Apr 20 14:15:16 2025 from 192.168.153.1
[root@localhost ~]# tail -f /var/log/httpd/access_log 
192.168.153.100 - - [20/Apr/2025:14:39:19 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.153.100 - - [20/Apr/2025:14:39:21 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.153.100 - - [20/Apr/2025:14:39:22 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.107.100 - - [20/Apr/2025:14:41:42 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.107.100 - - [20/Apr/2025:14:41:43 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.107.100 - - [20/Apr/2025:14:41:44 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.107.100 - - [20/Apr/2025:14:41:44 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.107.100 - - [20/Apr/2025:14:41:45 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.107.100 - - [20/Apr/2025:14:41:45 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.153.254 - - [20/Apr/2025:14:47:54 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.153.254 - - [20/Apr/2025:14:47:55 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.153.254 - - [20/Apr/2025:14:47:55 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.153.254 - - [20/Apr/2025:14:47:56 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.153.254 - - [20/Apr/2025:14:47:56 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.153.254 - - [20/Apr/2025:14:47:57 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.153.254 - - [20/Apr/2025:14:47:57 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.153.254 - - [20/Apr/2025:14:47:58 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.153.254 - - [20/Apr/2025:14:47:58 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.153.254 - - [20/Apr/2025:14:47:59 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"

2.6 验证DNAT

先删除刚刚配置的 SNAT 规则(按编号删除前应先用 --line-numbers 确认编号,编号会随规则的增删而变化)

[root@localhost ~]# iptables -t nat -D POSTROUTING 6
[root@localhost ~]# iptables -t nat -vnL --line-numbers
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        5   414 RETURN     all  --  *      *       192.168.122.0/24     224.0.0.0/24        
2        0     0 RETURN     all  --  *      *       192.168.122.0/24     255.255.255.255     
3        0     0 MASQUERADE  tcp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
4        0     0 MASQUERADE  udp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
5        0     0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24    
[root@localhost ~]# 

内网服务器操作

在内网服务器上开启 httpd 服务

[root@localhost ~]# systemctl start httpd.service 
[root@localhost ~]# echo yegeyu > /var/www/html/index.html
[root@localhost ~]# curl 192.168.107.100
yegeyu
[root@localhost ~]# curl 192.168.107.100
yegeyu
[root@localhost ~]# 


开始监控日志

[root@localhost ~]# tail -f /var/log/httpd/access_log 
192.168.107.100 - - [20/Apr/2025:14:52:31 +0800] "GET / HTTP/1.1" 200 7 "-" "curl/7.29.0"
192.168.107.100 - - [20/Apr/2025:14:52:32 +0800] "GET / HTTP/1.1" 200 7 "-" "curl/7.29.0

配置DNAT规则

# Gateway, nat table: TCP/80 connections arriving on ens36 for 192.168.153.254 are redirected to
# the inner web server 192.168.107.100. Only the destination is rewritten, so the inner server's
# access_log still shows the real client address (192.168.153.100). This publishes the inner httpd
# to the outer network; the lab adds no filter-table FORWARD rule to restrict who may reach it.
iptables -t nat -A PREROUTING -i ens36 -d 192.168.153.254 -p tcp --dport 80 -j DNAT --to 192.168.107.100

意为把从 ens36 网卡进来、目标地址是 192.168.153.254、tcp 协议且目的端口为 80 的数据包,目的地址改写为 192.168.107.100

[root@localhost ~]# iptables -t nat -vnL --line-numbers
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DNAT       tcp  --  ens36  *       0.0.0.0/0            192.168.153.254      tcp dpt:80 to:192.168.107.100

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        5   414 RETURN     all  --  *      *       192.168.122.0/24     224.0.0.0/24        
2        0     0 RETURN     all  --  *      *       192.168.122.0/24     255.255.255.255     
3        0     0 MASQUERADE  tcp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
4        0     0 MASQUERADE  udp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
5        0     0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24    
[root@localhost ~]# 

在外网服务器上测试

此时访问网关的外网口 192.168.153.254 相当于访问内网服务器 192.168.107.100
[root@localhost ~]# curl 192.168.153.254
yegeyu
[root@localhost ~]# curl 192.168.153.254
yegeyu
[root@localhost ~]# curl 192.168.153.254
yegeyu
[root@localhost ~]# curl 192.168.153.254
yegeyu
[root@localhost ~]# curl 192.168.153.254
yegeyu
[root@localhost ~]# curl 192.168.153.254
yegeyu
[root@localhost ~]# curl 192.168.153.254
yegeyu
[root@localhost ~]# curl 192.168.153.254
yegeyu
[root@localhost ~]# curl 192.168.153.254
yegeyu
[root@localhost ~]# 




在内网上查看到的日志

[root@localhost ~]# tail -f /var/log/httpd/access_log 
192.168.107.100 - - [20/Apr/2025:14:52:31 +0800] "GET / HTTP/1.1" 200 7 "-" "curl/7.29.0"
192.168.107.100 - - [20/Apr/2025:14:52:32 +0800] "GET / HTTP/1.1" 200 7 "-" "curl/7.29.0"
192.168.153.100 - - [20/Apr/2025:14:58:08 +0800] "GET / HTTP/1.1" 200 7 "-" "curl/7.29.0"
192.168.153.100 - - [20/Apr/2025:14:58:10 +0800] "GET / HTTP/1.1" 200 7 "-" "curl/7.29.0"
192.168.153.100 - - [20/Apr/2025:14:58:11 +0800] "GET / HTTP/1.1" 200 7 "-" "curl/7.29.0"
192.168.153.100 - - [20/Apr/2025:14:58:11 +0800] "GET / HTTP/1.1" 200 7 "-" "curl/7.29.0"
192.168.153.100 - - [20/Apr/2025:14:58:12 +0800] "GET / HTTP/1.1" 200 7 "-" "curl/7.29.0"
192.168.153.100 - - [20/Apr/2025:14:58:13 +0800] "GET / HTTP/1.1" 200 7 "-" "curl/7.29.0"
192.168.153.100 - - [20/Apr/2025:14:58:13 +0800] "GET / HTTP/1.1" 200 7 "-" "curl/7.29.0"
192.168.153.100 - - [20/Apr/2025:14:58:14 +0800] "GET / HTTP/1.1" 200 7 "-" "curl/7.29.0"
192.168.153.100 - - [20/Apr/2025:14:58:14 +0800] "GET / HTTP/1.1" 200 7 "-" "curl/7.29.0"
192.168.153.100 - - [20/Apr/2025:14:58:15 +0800] "GET / HTTP/1.1" 200 7 "-" "curl/7.29.0"
来源显示为外网服务器的地址 192.168.153.100:DNAT 只改写目的地址,不改写源地址,所以内网服务器看到的是真实的客户端 IP;回包能够返回,是因为内网服务器的默认网关是 192.168.107.254,回包经过网关时会被反向转换。

至此实验结束。注意:以上通过 iptables 命令添加的规则只在内存中生效,重启后会丢失,若需持久化需使用 iptables-save 等方式保存。
