Centos6.3 双网卡NAT上网与映射内网服务器
login as: root
root@60.190.217.197's password: **********
Last login: Mon Mar 18 00:11:47 2013 from 116.208.8.234
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 192.168.200.0/24 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost ~]# /sbin/iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 60.190.217.197
[root@localhost ~]# /sbin/iptables -A FORWARD -s 192.168.200.0/24 -j ACCEPT
[root@localhost ~]# /sbin/iptables -t nat -A PREROUTING -d 60.190.217.197 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.200.101:3389
[root@localhost ~]# /sbin/iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -d 192.168.200.101 -p tcp -m tcp --dport 3389 -j SNAT --to-source 192.168.200.250
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 192.168.200.0/24 anywhere
ACCEPT all -- 192.168.200.0/24 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost ~]# iptables -A FORWARD -o eth1 -d 192.168.1.10 -p tcp --dport 3389 -j ACCEPT
[root@localhost ~]# iptables -A FORWARD -i eth1 -s 192.168.1.10 -p tcp --sport 3389 -m --state ESTABLISHED -j ACCEPT
iptables v1.4.7: Couldn't load match `--state':/lib/xtables/libipt_--state.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
[root@localhost ~]# iptables -A FORWARD -i eth1 -s 192.168.1.10 -p tcp --sport 3389 -m -state ESTABLISHED -j ACCEPT
iptables v1.4.7: Couldn't load match `-state':/lib/xtables/libipt_-state.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
[root@localhost ~]# iptables -A FORWARD -i eth1 -s 192.168.1.10 -p tcp --sport 3389 -m state --state ESTABLISHED -j ACCEPT
[root@localhost ~]# service iptabled start
iptabled: unrecognized service
[root@localhost ~]# service iptables start
[root@localhost ~]# cd /etc/init.d/
[root@localhost init.d]# i
i386 ifenslave initctl ip6tables-restore iptables-save
iconv ifup insmod ip6tables-save iptables-xml
iconvconfig igawk insmod.static ipcalc iptunnel
iconvconfig.i686 in install ipcmk iscsiadm
id indxbib install-info ipcrm iscsid
idn info installkernel ipcs iscsi-iname
if infocmp ionice ipmaddr iscsistart
ifcfg infokey ip iptables iscsiuio
ifconfig infotocap ip6tables iptables-multi isosize
ifdown init ip6tables-multi iptables-restore
[root@localhost init.d]# service iptables start
[root@localhost init.d]# sysctl
usage: sysctl [-n] [-e] variable ...
sysctl [-n] [-e] [-q] -w variable=value ...
sysctl [-n] [-e] -a
sysctl [-n] [-e] [-q] -p <file> (default /etc/sysctl.conf)
sysctl [-n] [-e] -A
[root@localhost init.d]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 4294967295
kernel.shmall = 268435456
[root@localhost init.d]# yum update all
Loaded plugins: fastestmirror, presto
Could not retrieve mirrorlist http://mirrorlist.centos.org/?release=6&arch=i386&repo=os error was
14: PYCURL ERROR 6 - "Couldn't resolve host 'mirrorlist.centos.org'"
Error: Cannot retrieve repository metadata (repomd.xml) for repository: base. Please verify its path and try again
[root@localhost init.d]# yum update
Loaded plugins: fastestmirror, presto
Determining fastest mirrors
Could not retrieve mirrorlist http://mirrorlist.centos.org/?release=6&arch=i386&repo=os error was
14: PYCURL ERROR 6 - "Couldn't resolve host 'mirrorlist.centos.org'"
Error: Cannot find a valid baseurl for repo: base
[root@localhost init.d]# vi /etc/resolv.conf
[root@localhost init.d]# vi /etc/sysc
sysconfig/ sysctl.conf
[root@localhost init.d]# vi /etc/sysc
sysconfig/ sysctl.conf
[root@localhost init.d]# vi /etc/sysconfig/network-scripts/if
ifcfg-eth1 ifdown-eth ifdown-ppp ifup-aliases ifup-isdn ifup-routes
ifcfg-eth2 ifdown-ippp ifdown-routes ifup-bnep ifup-plip ifup-sit
ifcfg-lo ifdown-ipv6 ifdown-sit ifup-eth ifup-plusb ifup-tunnel
ifdown ifdown-isdn ifdown-tunnel ifup-ippp ifup-post ifup-wireless
ifdown-bnep ifdown-post ifup ifup-ipv6 ifup-ppp
[root@localhost init.d]# vi /etc/sysconfig/network-scripts/ifcfg-eth1
[root@localhost init.d]# service network restart
Shutting down interface eth1: [ OK ]
Shutting down interface eth2: [ OK ]
Shutting down loopback interface: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth1: [ OK ]
Bringing up interface eth2: [ OK ]
[root@localhost init.d]# ping www.qq.com
^Z
[1]+ Stopped ping www.qq.com
[root@localhost init.d]# yum update
Loaded plugins: fastestmirror, presto
Loading mirror speeds from cached hostfile
^Z
[2]+ Stopped yum update
[root@localhost init.d]# iptables -F
[root@localhost init.d]# iptables -X
[root@localhost init.d]# iptables -Z
[root@localhost init.d]# iptables -F -t nat
[root@localhost init.d]# iptables -X -t nat
[root@localhost init.d]# iptables -Z -t nat
[root@localhost init.d]# iptables -P INPUT ACCEPT
[root@localhost init.d]# iptables -P FORWARD ACCEPT
[root@localhost init.d]# iptables -P OUTPUT ACCEPT
[root@localhost init.d]# iptables -t nat -P PREROUTING ACCEPT
[root@localhost init.d]# iptables -t nat -P OUTPUT ACCEPT
[root@localhost init.d]# iptables -t nat -P POSTROUTING ACCEPT
[root@localhost init.d]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@localhost init.d]# iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
[root@localhost init.d]# iptables -A FORWARD -p tcp --dport 53 -j ACCEPT
[root@localhost init.d]# iptables -A FORWARD -p udp --dport 53 -j ACCEPT
[root@localhost init.d]# iptables -A FORWARD -p tcp --dport 22 -j ACCEPT
[root@localhost init.d]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
[root@localhost init.d]# iptables -t nat -A PREROUTING -d 60.190.217.197 -p cp --dport 3389 -j DNAT --to-destination 192.168.200.101
iptables v1.4.7: unknown protocol `cp' specified
Try `iptables -h' or 'iptables --help' for more information.
[root@localhost init.d]# iptables -t nat -A PREROUTING -d 60.190.217.197 -p tcp --dport 3389 -j DNAT --to-destination 192.168.200.101
[root@localhost init.d]# iptables -t nat -a POSTROUTING -s 192.168.200.0/255.255.255.0 -j SNAT --to 60.190.217.197
iptables v1.4.7: option `-a' requires an argument
Try `iptables -h' or 'iptables --help' for more information.
[root@localhost init.d]# iptables -t nat -A POSTROUTING -s 192.168.200.0/255.255.255.0 -j SNAT --to 60.190.217.197
[root@localhost init.d]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost init.d]# iptables -L -t NAT
iptables v1.4.7: can't initialize iptables table `NAT': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
[root@localhost init.d]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
^C
[root@localhost init.d]# chkconfig iptables on
[root@localhost init.d]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@localhost init.d]#