一、实验拓扑 实验的目的: 配置SNAT后,内部服务器可以成功访问外部服务器,同时外部服务器看到的源IP是SNAT后的IP,56.56.56.1 配置DNAT后,外部服务器通过Virtual IP-56.56.56.52来访问内部服务器的服务。
a.内部服务器(internal server)的eth0 网卡IP为5.5.5.1/24(注:下文 ifconfig/tcpdump 输出中该网卡显示为 ens39),网关为对端防火墙port2的IP:5.5.5.2/24; b.防火墙的port3接口6.6.6.1/24 连接外部网络服务器的eth0 接口6.6.6.2/24(注:下文输出中该网卡显示为 eth5)
二、SNAT的配置 a.配置NAT 地址池(IP POOL),起止地址相同,即只用 56.56.56.1 这一个地址做源地址转换
config firewall ippool
edit "56.56.56.1_overload"
set startip 56.56.56.1
set endip 56.56.56.1
next
end
b.配置内部服务器访问外部时的策略,并调用NAT地址池(以下命令在 config firewall policy 下执行)
edit 2
set name "to-all-permit"
set uuid 8d96be5c-6b90-51eb-aa29-9b7fc34ca6ca
set srcintf "port2" //内部接口
set dstintf "port3" //外部接口
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set ippool enable // 开启NAT地址池功能
set poolname "56.56.56.1_overload" // 调用NAT地址池
set nat enable // 开启NAT功能
next
c.外部服务器配置到NAT地址段(56.56.56.0/24)的静态路由,下一跳为防火墙port3的IP 6.6.6.1
[root@c6 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
56.56.56.0 6.6.6.1 255.255.255.0 UG 0 0 0 eth5
d.验证SNAT配置是否正常
1.内部服务器网络配置
[root@localhost ~]# ifconfig ens39
ens39: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 5.5.5.1 netmask 255.255.255.0 broadcast 5.5.5.255
inet6 fe80::20c:29ff:fe00:8058 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:00:80:58 txqueuelen 1000 (Ethernet)
RX packets 5870 bytes 474480 (463.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 426 bytes 36317 (35.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@localhost ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 5.5.5.2 0.0.0.0 UG 0 0 0 ens39
2.内部服务器Ping 外部服务器
[root@localhost ~]# ping 6.6.6.2
PING 6.6.6.2 (6.6.6.2) 56(84) bytes of data.
64 bytes from 6.6.6.2: icmp_seq=1 ttl=63 time=1.50 ms
64 bytes from 6.6.6.2: icmp_seq=2 ttl=63 time=1.53 ms
3.在外部服务器抓包(预期看到的源地址应为 56.56.56.1,而不是内部真实地址 5.5.5.1)
[root@c6 ~]# ifconfig eth5
eth5 Link encap:Ethernet HWaddr 00:0C:29:5B:93:45
inet addr:6.6.6.2 Bcast:6.6.6.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe5b:9345/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:443 errors:0 dropped:0 overruns:0 frame:0
TX packets:583 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:44908 (43.8 KiB) TX bytes:52443 (51.2 KiB)
[root@c6 ~]# tcpdump -i eth5 -nnn -vvv
tcpdump: listening on eth5, link-type EN10MB (Ethernet), capture size 65535 bytes
11:58:34.460576 IP (tos 0x0, ttl 63, id 65514, offset 0, flags [DF], proto ICMP (1), length 84)
56.56.56.1 > 6.6.6.2: ICMP echo request, id 9543, seq 1, length 64
11:58:34.460638 IP (tos 0x0, ttl 64, id 15653, offset 0, flags [none], proto ICMP (1), length 84)
6.6.6.2 > 56.56.56.1: ICMP echo reply, id 9543, seq 1, length 64
11:58:35.461347 IP (tos 0x0, ttl 63, id 814, offset 0, flags [DF], proto ICMP (1), length 84)
56.56.56.1 > 6.6.6.2: ICMP echo request, id 9543, seq 2, length 64
e.SNAT实验结论: 实验符合预期,内部服务器可以成功访问外部服务器,同时外部服务器抓包看到的源IP是SNAT后的IP 56.56.56.1(而非内部真实地址 5.5.5.1)。
三、配置DNAT a.创建DNAT的Virtual IP(也就是外部网络访问内部服务时使用的目的IP)
config firewall vip
edit "56.56.56.52-5.5.5.1"
set uuid 34a97bc8-6b8a-51eb-8808-b94f5cd25dba
set extip 56.56.56.52
set extintf "port3"
set portforward enable
set mappedip "5.5.5.1"
set extport 515
set mappedport 515
next
end
b.创建策略,并调用VIP
config firewall policy
edit 1
set name "test"
set uuid 4f007e72-6b8a-51eb-3e87-d1cfe35c0b71
set srcintf "port3" // 外部接口
set dstintf "port2" // 内部接口
set srcaddr "all"
set dstaddr "56.56.56.52-5.5.5.1"
set action accept
set schedule "always"
set service "ALL"
next
c.在<二、SNAT的配置>中,外部服务器已经配置了到 56.56.56.0/24 网段的静态路由,该路由同样覆盖 VIP 56.56.56.52,这里不再赘述
d.验证DNAT是否正常
1.内部服务器开启515端口
[root@localhost ~]# python -m SimpleHTTPServer 515
Serving HTTP on 0.0.0.0 port 515 ...
2.外部网络服务器telnet VIP的515 端口(看到 Connected 即说明转发成功;随后的 400 响应只是因为手动输入的内容不是合法的 HTTP 请求,并非转发失败)
[root@c6 ~]# telnet 56.56.56.52 515
Trying 56.56.56.52...
Connected to 56.56.56.52.
Escape character is '^]'.
^]
<head>
<title>Error response</title>
</head>
<body>
Error response
<p>Error code 400.
<p>Message: Bad request syntax ('^]').
<p>Error code explanation: 400 = Bad request syntax or unsupported method.
</body>
Connection closed by foreign host.
3.内部服务器上抓包(回包中的 cksum incorrect 提示通常是本机网卡校验和卸载所致,不影响本实验结论)
[root@localhost ~]# tcpdump -i ens39 -nnn -vvv host 6.6.6.2
tcpdump: listening on ens39, link-type EN10MB (Ethernet), capture size 65535 bytes
16:37:24.291051 IP (tos 0x10, ttl 63, id 42541, offset 0, flags [DF], proto TCP (6), length 57)
6.6.6.2.34980 > 5.5.5.1.515: Flags [P.], cksum 0x98df (correct), seq 2296234720:2296234725, ack 743420663, win 115, options [nop,nop,TS val 25389246 ecr 21012527], length 5
16:37:24.295944 IP (tos 0x0, ttl 64, id 4806, offset 0, flags [DF], proto TCP (6), length 52)
5.5.5.1.515 > 6.6.6.2.34980: Flags [.], cksum 0x1634 (incorrect -> 0x9a9c), seq 1, ack 5, win 227, options [nop,nop,TS val 21079036 ecr 25389246], length 0
e.DNAT结论: 符合预期。外部网络服务器通过VIP 56.56.56.52 访问到了内部服务器 5.5.5.1 的515端口服务。抓包中内部服务器看到的源IP仍是外部服务器的真实地址 6.6.6.2,这是因为该入向策略未开启 nat,只做了目的地址转换;另外由于 VIP 仅映射 extport 515,即使策略的 service 为 ALL,也只会把该端口转发到内部服务器。