Linux 实验 -12 SNAT 与DNAT

1、前提准备

  1. 三台centos虚拟机

分别充当外网、网关服务器,内网

网关服务器需要配置两张网卡

外网服务器的网卡与网关服务器新添加的网卡均为“仅主机”模式

内网服务器和网关服务器原有的网卡均为 NAT 模式

具体IP地址的配置如下图

2、 具体实施

2.1 安装一些可能会用得到的依赖环境（建议装完拍一下快照）。注意：下面命令中的部分包名（如 nfs-kernel-server、nfs-common、libssl-dev、libpcre3、zlib1g-dev、iproute2）是 Debian/Ubuntu 的包名，CentOS 的 yum 源中没有这些包，yum 会提示 No package available，可忽略。

yum install -y iproute2 ntpdate tcpdump telnet traceroute nfs-kernel-server nfs-common lrzsz openssl libssl-dev libpcre3 libpcre3-dev zlib1g-dev gcc openssh-server iotop unzip zip net-tools

2.2 安装 httpd 服务（仅在内网和外网服务器上安装，网关服务器不需要）

为了让实验结果更加明显，我们在内网、外网服务器上安装 httpd 服务

yum install -y httpd

安装成功

2.3 更改IP地址

2.3.1 外网服务器：改为仅主机网段的地址，本实验中外网服务器的 IP 地址设置为 192.168.153.100

【注】我们可以在虚拟网络编辑器中看到自己的仅主机的网段

2.3.2 网关服务器：需要有两张网卡，即原有的 ens33 与自己另外添加的一张

(1)ens33: 充当内网服务器的网关 : 192.168.107.254

(2)另一张: 充当外网服务器的网关: 192.168.153.254

2.3.3 内网服务器

仅需配置 NAT 模式的网卡，IP 地址为 192.168.107.100

2.3.4 具体操作

外网

[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33

# ifcfg-ens33 on the "outer" server: static address on the host-only segment.
# No DHCP; the address comes from the lines below.
BOOTPROTO="static"
DEVICE="ens33"
# Bring the interface up at boot.
ONBOOT="yes"
# The outer server's address on the host-only network.
IPADDR=192.168.153.100
NETMASK=255.255.255.0
# The gateway server's ens36 address; everything off-segment goes through it.
GATEWAY=192.168.153.254
# NOTE(review): these are public Internet resolvers. On an isolated host-only
# segment they are not reachable; harmless for this lab, which only uses raw IPs.
DNS1=218.2.135.1
DNS2=8.8.8.8
~            

[root@localhost ~]# systemctl restart network

重启之后会与 Xshell 断开连接，需要新建一个连接，我们命名为 waiwang

[root@localhost ~]# ifconfig 
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.153.100  netmask 255.255.255.0  broadcast 192.168.153.255
        inet6 fe80::20c:29ff:fe09:f626  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:09:f6:26  txqueuelen 1000  (Ethernet)
        RX packets 200437  bytes 286281104 (273.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 58770  bytes 3908607 (3.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 47119  bytes 4116240 (3.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 47119  bytes 4116240 (3.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:a5:b3:e9  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@localhost ~]# 

再次连接之后可以发现 IP 地址更改成功

网关

可以发现新加的网卡名称为 ens36

[root@localhost ~]# ifconfig 
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.107.193  netmask 255.255.255.0  broadcast 192.168.107.255
        inet6 fe80::e395:e99c:b9b2:e4cf  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:58:6d:ec  txqueuelen 1000  (Ethernet)
        RX packets 121917  bytes 169240507 (161.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 30149  bytes 2002898 (1.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens36: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.153.129  netmask 255.255.255.0  broadcast 192.168.153.255
        inet6 fe80::8da1:294e:f366:263e  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:58:6d:f6  txqueuelen 1000  (Ethernet)
        RX packets 39  bytes 5556 (5.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 26  bytes 4428 (4.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

更改网卡配置的操作与上面类似，不再赘述

[root@localhost ~]# cd /etc/sysconfig/network-scripts/
[root@localhost network-scripts]# ls
ifcfg-ens33  ifdown-ipv6    ifdown-TeamPort  ifup-ippp   ifup-routes       network-functions
ifcfg-lo     ifdown-isdn    ifdown-tunnel    ifup-ipv6   ifup-sit          network-functions-ipv6
ifdown       ifdown-post    ifup             ifup-isdn   ifup-Team
ifdown-bnep  ifdown-ppp     ifup-aliases     ifup-plip   ifup-TeamPort
ifdown-eth   ifdown-routes  ifup-bnep        ifup-plusb  ifup-tunnel
ifdown-ib    ifdown-sit     ifup-eth         ifup-post   ifup-wireless
ifdown-ippp  ifdown-Team    ifup-ib          ifup-ppp    init.ipv6-global
[root@localhost network-scripts]# cp ifcfg-ens33 ifcfg-ens36
[root@localhost network-scripts]# ls
ifcfg-ens33  ifdown-ippp    ifdown-Team      ifup-ib     ifup-ppp       init.ipv6-global
ifcfg-ens36  ifdown-ipv6    ifdown-TeamPort  ifup-ippp   ifup-routes    network-functions
ifcfg-lo     ifdown-isdn    ifdown-tunnel    ifup-ipv6   ifup-sit       network-functions-ipv6
ifdown       ifdown-post    ifup             ifup-isdn   ifup-Team
ifdown-bnep  ifdown-ppp     ifup-aliases     ifup-plip   ifup-TeamPort
ifdown-eth   ifdown-routes  ifup-bnep        ifup-plusb  ifup-tunnel
ifdown-ib    ifdown-sit     ifup-eth         ifup-post   ifup-wireless
[root@localhost network-scripts]# vim ifcfg-ens36
[root@localhost network-scripts]# vim ifcfg-ens33
[root@localhost network-scripts]# 

ens36

# ifcfg-ens36 on the gateway server: the second NIC, facing the "outer" host-only segment.
BOOTPROTO="static"
DEVICE="ens36"
ONBOOT="yes"
# 192.168.153.254 is the address the outer server uses as its default gateway,
# and the address the SNAT/DNAT rules later map to/from.
IPADDR=192.168.153.254
NETMASK=255.255.255.0
# NOTE(review): GATEWAY equals this interface's own IPADDR. This host is the router
# for 192.168.153.0/24 and has no upstream next hop in this lab, so the entry looks
# redundant — confirm it is intended.
GATEWAY=192.168.153.254
# Public resolvers; not reachable from an isolated host-only segment, harmless here.
DNS1=218.2.135.1
DNS2=8.8.8.8
~              

ens33

# ifcfg-ens33 on the gateway server: the original NAT-mode NIC, now facing the inner segment.
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
# Static addressing; replaces the 192.168.107.193 the earlier ifconfig showed.
BOOTPROTO="static"
# This interface supplies the host's default route.
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
# NOTE(review): IPv6 stays enabled with autoconf on this NIC. Every NAT rule in this
# lab is IPv4-only (iptables, not ip6tables), so IPv6 traffic is outside their scope.
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="ens33"
UUID="9bd5863f-1c9f-42e3-a3c2-4c5fcc433131"
DEVICE="ens33"
ONBOOT="yes"
# 192.168.107.254 is what the inner server uses as its default gateway.
IPADDR=192.168.107.254
NETMASK=255.255.255.0
# NOTE(review): GATEWAY equals this interface's own IPADDR (same pattern as ens36);
# this host is the router for 192.168.107.0/24 and has no upstream hop here — confirm intended.
GATEWAY=192.168.107.254
# Public resolvers; not needed for any of the lab's tests, which use raw IPs.
DNS1=218.2.135.1
DNS2=8.8.8.8

systemctl restart network

同样地，我们新建一个连接，名为 wangguan

查看IP地址

[root@localhost ~]# ifconfig 
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.107.254  netmask 255.255.255.0  broadcast 192.168.107.255
        inet6 fe80::e395:e99c:b9b2:e4cf  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:58:6d:ec  txqueuelen 1000  (Ethernet)
        RX packets 122802  bytes 169308862 (161.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 30630  bytes 2077932 (1.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens36: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.153.254  netmask 255.255.255.0  broadcast 192.168.153.255
        inet6 fe80::20c:29ff:fe58:6df6  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:58:6d:f6  txqueuelen 1000  (Ethernet)
        RX packets 40  bytes 5616 (5.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 56  bytes 8760 (8.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

内网服务器无需特别操作，仅需修改 IP 地址即可

[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33

# ifcfg-ens33 on the inner server: the only NIC (NAT mode), with a static address.
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
# No DHCP; address comes from the lines below.
BOOTPROTO="static"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
# NOTE(review): IPv6 autoconf stays on; the lab's NAT rules cover IPv4 only.
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="ens33"
UUID="a22f01af-7d83-4555-a495-60477525f807"
DEVICE="ens33"
ONBOOT="yes"
# The inner server's address; this is the real address the SNAT rule later hides
# and the DNAT rule later forwards port 80 to.
IPADDR=192.168.107.100
NETMASK=255.255.255.0
# The gateway server's ens33 address; all traffic to the outer segment goes through it.
GATEWAY=192.168.107.254
# Public resolvers; not needed for the lab's tests.
DNS1=218.2.135.1
DNS2=8.8.8.8

[root@localhost ~]# systemctl restart network

新建一个连接，取名为 neiwang

查看IP地址

[root@localhost ~]# ifconfig 
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.107.100  netmask 255.255.255.0  broadcast 192.168.107.255
        inet6 fe80::e412:d7d6:9eb3:4a18  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:97:20:dd  txqueuelen 1000  (Ethernet)
        RX packets 100245  bytes 136746570 (130.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 21890  bytes 1500485 (1.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

2.4 网关服务器开启路由转发功能

[root@localhost ~]# vim /etc/sysctl.conf 
[root@localhost ~]# 
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
#
# Lab setting added below: enable IPv4 packet forwarding so this host routes
# between ens33 (inner segment) and ens36 (outer segment). Forwarding applies to
# every packet crossing the two interfaces, not only the flows the nat rules
# rewrite; SNAT/DNAT change addresses and do not by themselves restrict what is
# forwarded — that is the filter table's FORWARD chain, which this write-up does
# not configure. Takes effect after `sysctl -p`. IPv6 forwarding is a separate
# knob (net.ipv6.conf.all.forwarding) and is not enabled here.
net.ipv4.ip_forward=1

重新加载配置文件使其生效

[root@localhost ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@localhost ~]# 

尝试在内网 ping 外网、在外网 ping 内网

外 - 内
[root@localhost ~]# ping 192.168.107.100
PING 192.168.107.100 (192.168.107.100) 56(84) bytes of data.
64 bytes from 192.168.107.100: icmp_seq=1 ttl=63 time=0.897 ms
64 bytes from 192.168.107.100: icmp_seq=2 ttl=63 time=0.440 ms
64 bytes from 192.168.107.100: icmp_seq=3 ttl=63 time=0.509 ms
64 bytes from 192.168.107.100: icmp_seq=4 ttl=63 time=0.669 ms
64 bytes from 192.168.107.100: icmp_seq=5 ttl=63 time=0.462 ms
^C
--- 192.168.107.100 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4002ms
rtt min/avg/max/mdev = 0.440/0.595/0.897/0.172 ms
[root@localhost ~]# 

内 - 外
[root@localhost ~]# ping 192.168.153.100
PING 192.168.153.100 (192.168.153.100) 56(84) bytes of data.
64 bytes from 192.168.153.100: icmp_seq=1 ttl=63 time=1.02 ms
64 bytes from 192.168.153.100: icmp_seq=2 ttl=63 time=0.674 ms
64 bytes from 192.168.153.100: icmp_seq=3 ttl=63 time=0.423 ms
64 bytes from 192.168.153.100: icmp_seq=4 ttl=63 time=0.414 ms
64 bytes from 192.168.153.100: icmp_seq=5 ttl=63 time=0.771 ms
^C
--- 192.168.153.100 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4002ms
rtt min/avg/max/mdev = 0.414/0.661/1.026/0.231 ms
[root@localhost ~]# 

路由转发功能成功开启。ping 结果中 ttl=63（比 Linux 默认的 64 少 1）说明数据包确实经过了网关转发一跳。

2.5 验证 SNAT

在外网服务器上开启 httpd 服务

[root@localhost ~]# systemctl start httpd.service

配置 httpd 的测试网页，并在本机验证

[root@localhost ~]# echo ailun > /var/www/html/index.html
[root@localhost ~]# curl 192.168.153.100
ailun
[root@localhost ~]# curl 192.168.153.100
ailun
[root@localhost ~]# curl 192.168.153.100
ailun
[root@localhost ~]# 

监控日志文件，查看是哪个 IP 访问的

[root@localhost ~]# tail -f /var/log/httpd/access_log 
192.168.153.100 - - [20/Apr/2025:14:39:19 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.153.100 - - [20/Apr/2025:14:39:21 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.153.100 - - [20/Apr/2025:14:39:22 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"

在内网服务器上测试访问外网服务器

[root@localhost ~]# curl 192.168.153.100
ailun
[root@localhost ~]# curl 192.168.153.100
ailun
[root@localhost ~]# curl 192.168.153.100
ailun
[root@localhost ~]# curl 192.168.153.100
ailun
[root@localhost ~]# curl 192.168.153.100
ailun
[root@localhost ~]# curl 192.168.153.100
ailun
[root@localhost ~]# 



在外网服务器上查看日志文件中的来源 IP 地址

Last login: Sun Apr 20 14:15:16 2025 from 192.168.153.1
[root@localhost ~]# tail -f /var/log/httpd/access_log 
192.168.153.100 - - [20/Apr/2025:14:39:19 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.153.100 - - [20/Apr/2025:14:39:21 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.153.100 - - [20/Apr/2025:14:39:22 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.107.100 - - [20/Apr/2025:14:41:42 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.107.100 - - [20/Apr/2025:14:41:43 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.107.100 - - [20/Apr/2025:14:41:44 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.107.100 - - [20/Apr/2025:14:41:44 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.107.100 - - [20/Apr/2025:14:41:45 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.107.100 - - [20/Apr/2025:14:41:45 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"

发现多了几条来源 IP 地址为 192.168.107.100 的访问记录，也就是说在没有 SNAT 时，内网服务器的真实地址会直接暴露给外网服务器

在网关服务器上配置 SNAT 规则

# Gateway, nat/POSTROUTING: packets whose source is in 192.168.107.0/24 and that
# leave via ens36 get their source address rewritten to the gateway's outer address
# 192.168.153.254, so the outer server only ever sees the gateway. No -p is given,
# so the rule matches every protocol (the listing shows it as "all"), not just TCP.
# Added with -A, so it lives in kernel memory only and is gone after a reboot
# unless explicitly saved.
iptables -t nat -A POSTROUTING -s 192.168.107.0/24 -o ens36 -j SNAT --to 192.168.153.254

意为：将来自 192.168.107.0/24 网段、从 ens36 网卡出去的数据包，其源 IP 地址改写为网关的外网地址 192.168.153.254

[root@localhost ~]# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 2 packets, 143 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 2 packets, 143 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    5   414 RETURN     all  --  *      *       192.168.122.0/24     224.0.0.0/24        
    0     0 RETURN     all  --  *      *       192.168.122.0/24     255.255.255.255     
    0     0 MASQUERADE  tcp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
    0     0 MASQUERADE  udp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
    0     0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24    
    0     0 SNAT       all  --  *      ens36   192.168.107.0/24     0.0.0.0/0            to:192.168.153.254
[root@localhost ~]# iptables -t nat -vnL --line-numbers
Chain PREROUTING (policy ACCEPT 4 packets, 301 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 4 packets, 301 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        5   414 RETURN     all  --  *      *       192.168.122.0/24     224.0.0.0/24        
2        0     0 RETURN     all  --  *      *       192.168.122.0/24     255.255.255.255     
3        0     0 MASQUERADE  tcp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
4        0     0 MASQUERADE  udp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
5        0     0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24    
6        0     0 SNAT       all  --  *      ens36   192.168.107.0/24     0.0.0.0/0            to:192.168.153.254
[root@localhost ~]# 

内网再次测试

此时我们可以看到访问来源 IP 变成了网关的外网地址 192.168.153.254

Last login: Sun Apr 20 14:15:16 2025 from 192.168.153.1
[root@localhost ~]# tail -f /var/log/httpd/access_log 
192.168.153.100 - - [20/Apr/2025:14:39:19 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.153.100 - - [20/Apr/2025:14:39:21 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.153.100 - - [20/Apr/2025:14:39:22 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.107.100 - - [20/Apr/2025:14:41:42 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.107.100 - - [20/Apr/2025:14:41:43 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.107.100 - - [20/Apr/2025:14:41:44 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.107.100 - - [20/Apr/2025:14:41:44 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.107.100 - - [20/Apr/2025:14:41:45 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.107.100 - - [20/Apr/2025:14:41:45 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.153.254 - - [20/Apr/2025:14:47:54 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.153.254 - - [20/Apr/2025:14:47:55 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.153.254 - - [20/Apr/2025:14:47:55 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.153.254 - - [20/Apr/2025:14:47:56 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.153.254 - - [20/Apr/2025:14:47:56 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.153.254 - - [20/Apr/2025:14:47:57 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.153.254 - - [20/Apr/2025:14:47:57 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.153.254 - - [20/Apr/2025:14:47:58 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.153.254 - - [20/Apr/2025:14:47:58 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"
192.168.153.254 - - [20/Apr/2025:14:47:59 +0800] "GET / HTTP/1.1" 200 6 "-" "curl/7.29.0"

2.6 验证DNAT

先删除刚刚配置的 SNAT 规则（按上面 --line-numbers 列出的序号 6 删除）

[root@localhost ~]# iptables -t nat -D POSTROUTING 6
[root@localhost ~]# iptables -t nat -vnL --line-numbers
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        5   414 RETURN     all  --  *      *       192.168.122.0/24     224.0.0.0/24        
2        0     0 RETURN     all  --  *      *       192.168.122.0/24     255.255.255.255     
3        0     0 MASQUERADE  tcp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
4        0     0 MASQUERADE  udp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
5        0     0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24    
[root@localhost ~]# 

内网服务器操作

在内网服务器上开启 httpd 服务并配置测试网页

[root@localhost ~]# systemctl start httpd.service 
[root@localhost ~]# echo yegeyu > /var/www/html/index.html
[root@localhost ~]# curl 192.168.107.100
yegeyu
[root@localhost ~]# curl 192.168.107.100
yegeyu
[root@localhost ~]# 


开始监控日志

[root@localhost ~]# tail -f /var/log/httpd/access_log 
192.168.107.100 - - [20/Apr/2025:14:52:31 +0800] "GET / HTTP/1.1" 200 7 "-" "curl/7.29.0"
192.168.107.100 - - [20/Apr/2025:14:52:32 +0800] "GET / HTTP/1.1" 200 7 "-" "curl/7.29.0"

在网关服务器上配置 DNAT 规则

# Gateway, nat/PREROUTING: TCP packets arriving on ens36 for 192.168.153.254 port 80
# have their destination rewritten to the inner web server 192.168.107.100; --to
# carries no port, so the destination port stays 80. Only this one port is exposed
# this way — other ports on 192.168.153.254 are unaffected. DNAT does not touch the
# source address, and the SNAT rule was deleted above, which is why the inner
# server's log shows the real outer client address.
iptables -t nat -A PREROUTING -i ens36 -d 192.168.153.254 -p tcp --dport 80 -j DNAT --to 192.168.107.100

把从 ens36 网卡进来、目标地址是 192.168.153.254、协议为 TCP、目的端口为 80 的数据包，其目的地址改写为 192.168.107.100（即只转发 80 端口，其他端口不受影响）

[root@localhost ~]# iptables -t nat -vnL --line-numbers
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DNAT       tcp  --  ens36  *       0.0.0.0/0            192.168.153.254      tcp dpt:80 to:192.168.107.100

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        5   414 RETURN     all  --  *      *       192.168.122.0/24     224.0.0.0/24        
2        0     0 RETURN     all  --  *      *       192.168.122.0/24     255.255.255.255     
3        0     0 MASQUERADE  tcp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
4        0     0 MASQUERADE  udp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
5        0     0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24    
[root@localhost ~]# 

在外网服务器上测试

访问网关外网地址 192.168.153.254 的 80 端口，相当于访问内网服务器 192.168.107.100
[root@localhost ~]# curl 192.168.153.254
yegeyu
[root@localhost ~]# curl 192.168.153.254
yegeyu
[root@localhost ~]# curl 192.168.153.254
yegeyu
[root@localhost ~]# curl 192.168.153.254
yegeyu
[root@localhost ~]# curl 192.168.153.254
yegeyu
[root@localhost ~]# curl 192.168.153.254
yegeyu
[root@localhost ~]# curl 192.168.153.254
yegeyu
[root@localhost ~]# curl 192.168.153.254
yegeyu
[root@localhost ~]# curl 192.168.153.254
yegeyu
[root@localhost ~]# 




在内网服务器上查看到的日志

[root@localhost ~]# tail -f /var/log/httpd/access_log 
192.168.107.100 - - [20/Apr/2025:14:52:31 +0800] "GET / HTTP/1.1" 200 7 "-" "curl/7.29.0"
192.168.107.100 - - [20/Apr/2025:14:52:32 +0800] "GET / HTTP/1.1" 200 7 "-" "curl/7.29.0"
192.168.153.100 - - [20/Apr/2025:14:58:08 +0800] "GET / HTTP/1.1" 200 7 "-" "curl/7.29.0"
192.168.153.100 - - [20/Apr/2025:14:58:10 +0800] "GET / HTTP/1.1" 200 7 "-" "curl/7.29.0"
192.168.153.100 - - [20/Apr/2025:14:58:11 +0800] "GET / HTTP/1.1" 200 7 "-" "curl/7.29.0"
192.168.153.100 - - [20/Apr/2025:14:58:11 +0800] "GET / HTTP/1.1" 200 7 "-" "curl/7.29.0"
192.168.153.100 - - [20/Apr/2025:14:58:12 +0800] "GET / HTTP/1.1" 200 7 "-" "curl/7.29.0"
192.168.153.100 - - [20/Apr/2025:14:58:13 +0800] "GET / HTTP/1.1" 200 7 "-" "curl/7.29.0"
192.168.153.100 - - [20/Apr/2025:14:58:13 +0800] "GET / HTTP/1.1" 200 7 "-" "curl/7.29.0"
192.168.153.100 - - [20/Apr/2025:14:58:14 +0800] "GET / HTTP/1.1" 200 7 "-" "curl/7.29.0"
192.168.153.100 - - [20/Apr/2025:14:58:14 +0800] "GET / HTTP/1.1" 200 7 "-" "curl/7.29.0"
192.168.153.100 - - [20/Apr/2025:14:58:15 +0800] "GET / HTTP/1.1" 200 7 "-" "curl/7.29.0"
来源显示为外网服务器的地址 192.168.153.100，说明 DNAT 只改写了目的地址，源地址保持不变

至此实验结束。注意：上面用 iptables -A 添加的规则只保存在内存中，未保存的话重启后会丢失。
