iptables exercise: communication between two private networks

A simple setup that lets two private internal networks talk to each other.

Preparation before the experiment

Disable firewalld and SELinux, and start the iptables.service service.

pc1: ip 172.16.10.100/24, gateway 172.16.10.101, httpd installed
pc2: ip 192.168.10.100/24, gateway 192.168.10.101, httpd installed
fir1: eth0 10.0.0.80/24, eth1 172.16.10.101/24
fir2: eth1 10.0.0.91/24, eth0 192.168.10.101/24

Two Linux servers simulate the firewalls. Both fir1 and fir2 need IP forwarding enabled, configured as follows:

[root@fir1 ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@fir1 ~]# sysctl -p
net.ipv4.ip_forward = 1

Run the same two commands on fir2.

Firewall routes:
fir1: ip route add 192.168.10.0/24 via 10.0.0.91
fir2: ip route add 172.16.10.0/24 via 10.0.0.80

So that the two private segments stay separated from each other by the "public" network, no routes are configured on the two PCs; as a result the two PCs cannot communicate using their private addresses.

Part 1: with forwarding enabled, the internal network can reach the public network, but the public network cannot reach the internal network.

fir2:
[root@fir2 ~]# iptables -t filter -A FORWARD -d 192.168.10.0/24 -m state --state NEW -j DROP
[root@fir2 ~]# iptables -t filter -A INPUT -d 192.168.10.0/24 -m state --state NEW -j DROP

fir1:
[root@fir1 ~]# iptables -t filter -A FORWARD -d 172.16.10.0/24 -m state --state NEW -j DROP
[root@fir1 ~]# iptables -t filter -A INPUT -d 172.16.10.0/24 -m state --state NEW -j DROP

Using fir1 to simulate the public network accessing pc2:
[root@fir1 ~]# ping 192.168.10.100
PING 192.168.10.101 (192.168.10.100) 56(84) bytes of data.

whereas pc2 accessing fir1:
[root@pc2 ~]# ping 10.0.0.80
PING 10.0.0.80 (10.0.0.80) 56(84) bytes of data.
64 bytes from 10.0.0.80: icmp_seq=1 ttl=63 time=1.98 ms
64 bytes from 10.0.0.80: icmp_seq=2 ttl=63 time=0.857 ms
64 bytes from 10.0.0.80: icmp_seq=3 ttl=63 time=1.23 ms
64 bytes from 10.0.0.80: icmp_seq=4 ttl=63 time=1.46 ms

Part 2: let hosts on the local network reach the external network through one specific address. When an internal host accesses the public network, its source address is translated by NAT to the public IP before the packet reaches the server on the public network. Configured as follows:

On fir1:
[root@fir1 ~]# iptables -t nat -A POSTROUTING -s 172.16.10.0/24 -j SNAT --to-source 10.0.0.80

On fir2:
[root@fir2 ~]# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 10.0.0.91

Part 3: make the service on the internal host reachable from the public network, where the address the client uses is the NAT-translated public address.

On fir1:
[root@fir1 ~]# iptables -t nat -A PREROUTING -d 10.0.0.80 -p tcp --dport 80 -j DNAT --to-destination 172.16.10.100:80

On fir2 (the original command was missing the port after --dport; it is 80, matching fir1):
[root@fir2 ~]# iptables -t nat -A PREROUTING -d 10.0.0.91 -p tcp --dport 80 -j DNAT --to-destination 192.168.10.100:80

Testing from pc2:
[root@pc2 ~]# curl 10.0.0.80
172.16.10.0/24
[root@pc2 ~]# ping 10.0.0.80
PING 10.0.0.80 (10.0.0.80) 56(84) bytes of data.
64 bytes from 10.0.0.80: icmp_seq=1 ttl=63 time=1.50 ms
64 bytes from 10.0.0.80: icmp_seq=2 ttl=63 time=0.944 ms

[root@pc2 ~]# ping 10.0.0.80
PING 10.0.0.80 (10.0.0.80) 56(84) bytes of data.
64 bytes from 10.0.0.80: icmp_seq=1 ttl=63 time=1.22 ms
64 bytes from 10.0.0.80: icmp_seq=2 ttl=63 time=0.796 ms
^C
--- 10.0.0.80 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.796/1.011/1.226/0.215 ms
[root@pc2 ~]# curl 10.0.0.80
172.16.10.0/24
[root@pc2 ~]# date
Sun May  9 11:21:12 CST 202
[root@pc2 ~]# curl 172.16.10.100
curl: (7) Failed connect to 172.16.10.100:80; Network is unreachable

The httpd access log on pc1:
[root@pc1 ~]# tail -f /var/log/httpd/access_log
172.16.10.100 - - [09/May/2021:09:00:53 +0800] "GET / HTTP/1.1" 200 15 "-" "curl/7.61.1"
172.16.10.101 - - [09/May/2021:09:08:00 +0800] "GET / HTTP/1.1" 200 15 "-" "curl/7.61.1"
10.0.0.91 - - [09/May/2021:10:11:07 +0800] "GET / HTTP/1.1" 200 15 "-" "curl/7.29.0"
10.0.0.91 - - [09/May/2021:11:05:17 +0800] "GET / HTTP/1.1" 200 15 "-" "curl/7.29.0"
10.0.0.91 - - [09/May/2021:11:16:49 +0800] "GET / HTTP/1.1" 200 15 "-" "curl/7.29.0"
10.0.0.91 - - [09/May/2021:11:18:48 +0800] "GET / HTTP/1.1" 200 15 "-" "curl/7.29.0"
10.0.0.91 - - [09/May/2021:11:21:04 +0800] "GET / HTTP/1.1" 200 15 "-" "curl/7.29.0"

pc2 requests 10.0.0.80:80; the log on pc1 shows the request arriving successfully with source address 10.0.0.91 (pc2's traffic SNAT'd by fir2). With the steps above, simple communication between the 2 private networks is achieved.
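As an added example (not the post's own commands), here the rules for one firewall are assembled into a single iptables-restore file; the function takes the firewall's public IP, inner subnet and inner web server as arguments, using the post's addresses. Two rules are added that the post does not have: an ACCEPT for ESTABLISHED,RELATED replies, and an ACCEPT for the DNAT target placed ahead of the DROP, because FORWARD sees the packet after PREROUTING has already rewritten the destination and the first packet of that connection is still NEW.

```shell
#!/bin/sh
# Added example: build the iptables-restore ruleset for one simulated firewall.
# Arguments: public-side IP, inner subnet, inner web server (addresses from the post).
gen_fw_rules() {
    pub="$1"; net="$2"; web="$3"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# added rule: replies to connections the inner hosts opened are let back in
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# added rule: the DNAT'd web server is the only new inbound connection allowed;
# FORWARD runs after PREROUTING's DNAT, so without this the NEW packet hits the DROP below
-A FORWARD -d ${web} -p tcp --dport 80 -m state --state NEW -j ACCEPT
# the post's rules: no other new connections towards the inner subnet
-A FORWARD -d ${net} -m state --state NEW -j DROP
-A INPUT -d ${net} -m state --state NEW -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# the post's NAT rules: publish the web server on the public IP, hide inner hosts behind it
-A PREROUTING -d ${pub} -p tcp --dport 80 -j DNAT --to-destination ${web}:80
-A POSTROUTING -s ${net} -j SNAT --to-source ${pub}
COMMIT
EOF
}

# Apply on a firewall (needs root); e.g. on fir1:
#   apply_fw_rules 10.0.0.80 172.16.10.0/24 172.16.10.100
# and on fir2:
#   apply_fw_rules 10.0.0.91 192.168.10.0/24 192.168.10.100
apply_fw_rules() {
    gen_fw_rules "$@" | iptables-restore
}
```

Run gen_fw_rules alone first and read the output before applying it; iptables-restore replaces the whole filter and nat tables in one step.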

Copyright notice: posted by 玥玥 on 2021-05-10 17:45:31.