Linux – NAT Port Forwarding

The test environment is CentOS 8 x86_64.

My work environment has two subnets: addresses on 192.168.31.0/255.255.255.0 go out through a NAT box (192.168.31.133). A web server sits at 192.168.31.131 on that segment, and hosts on the 192.168.88.x segment cannot reach it. There are two ways to handle this:

  1. Apache ProxyPass & ProxyPassReverse – http://benjr.tw/103983
  2. NAT Port Forwarding, i.e. DNAT (Destination Network Address Translation) – covered here

The goal is to expose the web server 192.168.31.131:80 on the NAT box as 192.168.88.128:80 (NAT port forwarding), as shown in the figure below.

192.168.31.131 (the web server)


Install the Apache web server.

[root@localhost ~]# yum install -y httpd
[root@localhost ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@localhost ~]# systemctl start httpd
[root@localhost ~]# systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2017-07-21 12:03:23 CST; 5s ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 6418 (httpd)
   Status: "Processing requests..."
   CGroup: /system.slice/httpd.service
           ├─6418 /usr/sbin/httpd -DFOREGROUND
           ├─6419 /usr/sbin/httpd -DFOREGROUND
           ├─6420 /usr/sbin/httpd -DFOREGROUND
           ├─6421 /usr/sbin/httpd -DFOREGROUND
           ├─6422 /usr/sbin/httpd -DFOREGROUND
           └─6423 /usr/sbin/httpd -DFOREGROUND

The Apache package on CentOS 8 ships without a default page, so create an index.html yourself to test with.

[root@localhost ~]# echo Apache on CentOS 8 > /var/www/html/index.html
[root@localhost ~]# curl http://192.168.31.131
Apache on CentOS 8

If it cannot be reached, check the state of the firewall first. Stopping firewalld is the quickest way to rule it out in a lab; on a real server, allow just the http service in firewalld instead of switching the firewall off.

[root@localhost ~]# systemctl stop firewalld

192.168.31.133 / 192.168.88.128 (the NAT box)


IPv4 forwarding is already enabled here; check it. The kernel default is 0, but on this host libvirt (its virbr0 bridge appears in the ifconfig output below) switches it on when it starts its NAT network.

[root@localhost ~]# cat /proc/sys/net/ipv4/ip_forward
1

If it shows 0, forwarding is off; enable it as follows. sysctl -w takes effect immediately but does not survive a reboot; to make the setting permanent, put net.ipv4.ip_forward = 1 in a file under /etc/sysctl.d/.

[root@localhost ~]# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
[root@localhost ~]# cat /proc/sys/net/ipv4/ip_forward
1

Current network state.

[root@localhost ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.31.133  netmask 255.255.255.0  broadcast 192.168.31.255
        inet6 fe80::20c:29ff:fe62:edf8  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:62:ed:f8  txqueuelen 1000  (Ethernet)
        RX packets 118  bytes 18731 (18.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 131  bytes 17346 (16.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.88.128  netmask 255.255.255.0  broadcast 192.168.88.255
        inet6 fe80::c559:71a5:5f2d:d1fc  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:62:ed:02  txqueuelen 1000  (Ethernet)
        RX packets 5  bytes 709 (709.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 41  bytes 5135 (5.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:53:10:19  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Setting up the NAT port-forwarding rules is simple: every packet arriving for 192.168.88.128:80 is sent on to 192.168.31.131:80. The work is done in the nat table's PREROUTING chain (rules applied to packets as they enter a network interface: DNAT, Destination NAT, and REDIRECT) and POSTROUTING chain (rules applied to packets as they leave an interface: SNAT, Source NAT, and MASQUERADE). The nat table only sees the first packet of each connection; the translation it picks is stored in the connection-tracking table and applied to the remaining packets, in both directions, automatically.

First clear all rules from the iptables nat table. Note that -F without a chain name flushes every chain in the table, including libvirt's LIBVIRT_PRT chain, so any virtual machines behind virbr0 lose their NAT until libvirt reloads its rules.

[root@localhost ~]# iptables -F -t nat

-F, --flush [chain]

To delete a single rule instead, first list the current rules with their line numbers.

[root@localhost ~]# iptables -t nat -v -L -n --line-number

If you know whether the rule is in PREROUTING or POSTROUTING, list just that chain.

[root@localhost ~]# iptables -t nat -v -L PREROUTING -n --line-number
[root@localhost ~]# iptables -t nat -v -L POSTROUTING -n --line-number

Then delete by line number.

[root@localhost ~]# iptables -t nat -D PREROUTING {rule number}
[root@localhost ~]# iptables -t nat -D POSTROUTING {rule number}

After deleting, check that the result is what you expect.

[root@localhost ~]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain LIBVIRT_PRT (0 references)
target     prot opt source               destination

The PREROUTING rule applies to packets arriving on the network interface (ens37): when another host connects to port 80 (--dport 80), the packet is forwarded to 192.168.31.131:80. Because the rule has no -d match, it catches port 80 traffic arriving on ens37 for any destination address (the listing below shows destination 0.0.0.0/0); adding -d 192.168.88.128 restricts it to the NAT box's own address.

[root@localhost ~]# iptables -t nat -A PREROUTING -i ens37 -p tcp --dport 80 -j DNAT --to-destination 192.168.31.131

Other commonly forwarded ports:

  1. Remote Desktop – 3389
  2. Windows file sharing – 139 (NetBIOS Session Service) and 445 (Microsoft-DS)

The POSTROUTING rule applies to packets leaving the network interface (ens33): when the destination (-d) is 192.168.31.131 and the port is 80 (--dport 80), the source address is rewritten to 192.168.31.133. This makes the web server send its replies back to the NAT box rather than directly to the 192.168.88.x client, which matters when the server's default route does not point at 192.168.31.133. The price is that every forwarded connection shows up in the Apache access log with source 192.168.31.133 instead of the real client address; if the web server already routes 192.168.88.0/24 through the NAT box, the SNAT rule can be left out and the client IP is preserved.

[root@localhost ~]# iptables -t nat -A POSTROUTING -o ens33 -p tcp --dport 80 -d 192.168.31.131 -j SNAT --to-source 192.168.31.133

Check the NAT state.

[root@localhost ~]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.31.131

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       tcp  --  0.0.0.0/0            192.168.31.131       tcp dpt:80 to:192.168.31.133

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain LIBVIRT_PRT (0 references)
target     prot opt source               destination
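Putting the NAT-box steps above together, here is an added example script (not from the original post): it enables forwarding persistently, adds the DNAT and SNAT rules idempotently (checking with -C before appending, so re-running it never duplicates rules), tightens the DNAT rule to the NAT box's own address, and also adds the filter FORWARD rules the nat rules depend on. The interface names and addresses are the ones from this page; the DRY_RUN switch, the function names and the sysctl.d file name are my own choices.

```shell
#!/bin/sh
# nat-forward.sh: port-forward 192.168.88.128:80 on the NAT box to the web server
# 192.168.31.131:80 with iptables. Added example, not the original post's script.
# Usage: ./nat-forward.sh apply   (load the rules, needs root)
#        ./nat-forward.sh show    (print the rules without touching the system)
set -eu

WAN_IF=${WAN_IF:-ens37}           # interface facing the 192.168.88.0/24 clients
LAN_IF=${LAN_IF:-ens33}           # interface facing the 192.168.31.0/24 server segment
PUB_IP=${PUB_IP:-192.168.88.128}  # address the clients connect to
NAT_IP=${NAT_IP:-192.168.31.133}  # NAT box address on the server segment
DRY_RUN=${DRY_RUN:-}              # non-empty: print commands instead of running them

# ipt TABLE RULE...: append RULE to TABLE only if it is not already there
# (-C checks for an identical rule), so re-running the script never duplicates rules.
ipt() {
    local table
    table=$1; shift
    if [ -n "$DRY_RUN" ]; then
        echo "iptables -t $table -A $*"
    else
        iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -A "$@"
    fi
}

# enable_forwarding: turn on routing now and keep it on across reboots
# (sysctl -w alone is lost at the next boot).
enable_forwarding() {
    if [ -n "$DRY_RUN" ]; then
        echo "sysctl -w net.ipv4.ip_forward=1"
        return 0
    fi
    sysctl -w net.ipv4.ip_forward=1
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/90-nat-forward.conf  # file name is my choice
}

# forward_port PORT SERVER_IP [SERVER_PORT]: expose SERVER_IP:SERVER_PORT as PUB_IP:PORT.
forward_port() {
    local port server sport
    port=$1; server=$2; sport=${3:-$1}
    # 1. DNAT in PREROUTING rewrites the destination of the first packet of each
    #    connection; -d PUB_IP keeps the rule from catching port traffic to other addresses.
    ipt nat PREROUTING -i "$WAN_IF" -d "$PUB_IP" -p tcp --dport "$port" \
        -j DNAT --to-destination "$server:$sport"
    # 2. SNAT in POSTROUTING makes the server see the NAT box as the client, so its
    #    replies come back here even when its default route points elsewhere.
    ipt nat POSTROUTING -o "$LAN_IF" -d "$server" -p tcp --dport "$sport" \
        -j SNAT --to-source "$NAT_IP"
    # 3. nat rules alone do nothing if the filter FORWARD chain rejects the flow
    #    (as firewalld does unless a zone allows it), so permit it in both directions.
    ipt filter FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$server" -p tcp --dport "$sport" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt filter FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$server" -p tcp --sport "$sport" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

case "${1:-}" in
    apply) enable_forwarding; forward_port 80 192.168.31.131 ;;
    show)  DRY_RUN=1; enable_forwarding; forward_port 80 192.168.31.131 ;;
    *)     echo "usage: $0 apply|show" >&2 ;;
esac
```

Run it with show first to review the exact rules it would load, then with apply as root. The rules themselves are still not persistent across reboots: save them with iptables-save to /etc/sysconfig/iptables (iptables-services package) or re-run the script from a boot-time unit.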

192.168.88.129 (the client)


From 192.168.88.129 the web page on 192.168.31.131 can now be reached, provided the filter table's FORWARD chain on the NAT box lets the flow through (with firewalld running, forwarded traffic is rejected unless the zone allows it).

[root@localhost ~]# curl http://192.168.88.128:80
Apache on CentOS 8
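To confirm on the NAT box that both translations are really applied to a live connection, look at the connection-tracking table with conntrack -L (from the conntrack-tools package). Each entry carries an original tuple (what the client sent) and a reply tuple (what the server sends back): with the DNAT rule in place the reply comes from 192.168.31.131, and with the SNAT rule it is addressed to 192.168.31.133 rather than to the client. The added example below (not from the original post) parses such lines and flags flows where only the DNAT half took effect; the three sample entries are constructed for illustration and the function name is my own.

```shell
#!/bin/sh
# check_nat_flow: verify DNAT + SNAT on live connections from `conntrack -L` output.
# Added example, not from the original post; the function name and sample lines are mine.
set -eu

# check_nat_flow PUB_IP SERVER_IP NAT_IP   (conntrack lines on stdin)
# Prints one line per tcp flow to port 80:
#   ok         both rules applied: destination rewritten to SERVER_IP, replies go to NAT_IP
#   dnat-only  destination rewritten, but the server answers the client directly
#              (SNAT rule missing: replies bypass the NAT box or never arrive)
#   none       neither translation applied
check_nat_flow() {
    awk -v pub="$1" -v srv="$2" -v nat="$3" '
    /^tcp/ {
        # A conntrack entry carries two tuples: the first src=/dst= pair is the
        # original direction (client -> public address), the second is the reply
        # direction as the server sends it. Flags like [ASSURED] carry no "=".
        n = 0
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src")   { n++; src[n] = kv[2] }
            if (kv[1] == "dst")   { dst[n] = kv[2] }
            if (kv[1] == "dport") { dport[n] = kv[2] }
        }
        if (dport[1] != "80") next                  # only the forwarded service
        dnat = (dst[1] == pub && src[2] == srv)     # reply originates at the real server
        snat = (dst[2] == nat)                      # reply is addressed to the NAT box
        state = (dnat && snat) ? "ok" : dnat ? "dnat-only" : "none"
        printf "%s client=%s orig_dst=%s reply=%s->%s\n", state, src[1], dst[1], src[2], dst[2]
    }'
}

# Constructed sample of `conntrack -L` output: a healthy forwarded flow, a flow where
# the SNAT rule is missing (the server replies straight to the client, so the handshake
# never completes and the entry stays UNREPLIED), and an unrelated ssh session to the NAT box.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.88.129 dst=192.168.88.128 sport=41234 dport=80 src=192.168.31.131 dst=192.168.31.133 sport=80 dport=41234 [ASSURED] mark=0 use=1
tcp      6 118 SYN_SENT src=192.168.88.130 dst=192.168.88.128 sport=50001 dport=80 [UNREPLIED] src=192.168.31.131 dst=192.168.88.130 sport=80 dport=50001 mark=0 use=1
tcp      6 431200 ESTABLISHED src=192.168.88.129 dst=192.168.88.128 sport=41300 dport=22 src=192.168.88.128 dst=192.168.88.129 sport=22 dport=41300 [ASSURED] mark=0 use=1'

# On the NAT box itself:
#   conntrack -L -p tcp 2>/dev/null | check_nat_flow 192.168.88.128 192.168.31.131 192.168.31.133
printf '%s\n' "$SAMPLE_CONNTRACK" | check_nat_flow 192.168.88.128 192.168.31.131 192.168.31.133
```

A dnat-only entry that stays in SYN_SENT is the classic symptom of a web server whose default route does not go through the NAT box and no SNAT rule to compensate: the SYN reaches 192.168.31.131, but its SYN-ACK is sent straight towards 192.168.88.x and never comes back through 192.168.31.133.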