1、简述DNS服务器原理,并搭建主-辅服务器。

DNS,全称Domain Name System,域名系统,是一个记录域名和IP地址相互映射的系统,能够将用户访问互联网时使用的域名地址转换成对应的IP地址,而不用使用者去记住数量众多的IP地址。通过域名得到域名对应的IP地址的过程被称为域名解析。使用的端口为53。

DNS查询类型:

递归查询:一般客户机和本地DNS服务器之间属于递归查询,即当客户机向DNS服务器发出请求后,若DNS服务器本身不能解析,则会向另外的DNS服务器发出查询请求,得到最终的肯定或否定的结果后转交给客户机。此查询的源和目标保持不变,为得到查询结果只需要发起一次查询。

迭代查询:一般情况下(有例外)本地的DNS服务器向其他的DNS服务器的查询属于迭代查询,如:若对方不能返回权威的结果,则它会向下一个DNS服务器(参考前一台服务器返回的结果)再次发起查询,直到返回查询的结果为止。此查询的源不变,但查询的目标不断变化,为得到查询结果一般需要发起多次查询。

原理示意图

第九周学习作业_centos

主辅DNS搭建

在CentOS系统中与DNS服务相关的配置文件

/etc/named.conf主配置文件

/etc/named.rfc1912.zones区域管理文件

/var/named/目录下的区域数据库文件。

主配置文件/etc/named.conf和/etc/named.rfc1912.zones设置了DNS服务器能够管理哪些区域并且指定了这些区域对应的区域数据文件的存放路径和名称。

环境说明:


192.168.197.128



Client



192.168.197.129



主DNS



192.168.197.130



辅助DNS


dnf install bind -y          #安装bind

dnf -y install bind-utils  #安装bind工具包

主DNS配置文件
##修改named.conf
[root@dns-m ~]# vim /etc/named.conf

options {
listen-on port 53 { 192.168.197.129; }; #监听本地地址
allow-query { any; }; #允许任何人访问
allow-transfer { 192.168.197.130; }; #除了辅DNS服务器,禁止其他人抓取全部DNS解析信息

##添加正向解析文件名和域名绑定
[root@dns-m ~]# vim /etc/named.rfc1912.zones
##正向解析
zone "test.com" IN {
type master;
file "test.com.zone";
};
##反向解析
zone "197.168.192.in-addr.arpa" IN {
type master;
file "192.168.197.zone";
};

##添加正向解析文件的指针
cd /var/named/
cp -p named.localhost test.com.zone    #复制模板文件(-p 保留属主、属组和权限);如果不复制而是新建文件,需要手动把文件的属主和属组改成与模板文件一致
[root@dns-m ~]# vim /var/named/test.com.zone

$TTL 1D
$ORIGIN test.com. ;补一个后缀
@ IN SOA master.test.com. admin.test.com. (
2022012105 ;序列号
1D ;刷新时间
1H ;重试时间
1W ;过期时间
3H ) ;否定答案的TTL值
NS master ;设置主DNS服务器记录
NS slave ;设置辅DNS服务器记录
master A 192.168.197.129 ;设置主DNS的IP
slave A 192.168.197.130 ;设置辅DNS的IP
www A 192.168.197.100
mail A 192.168.197.101

##编辑反向解析区域数据文件 /var/named/192.168.197.zone
$TTL 1D
@ IN SOA master.test.com. admin.test.com. (
2022012105 ;序列号
1D ;刷新时间
1H ;重试时间
1W ;过期时间
3H ) ;否定答案的TTL值
NS master.test.com.
NS slave.test.com.
100 PTR www.test.com.
101 PTR mail.test.com.

检查配置文件和区域配置文件语法
[root@dns-m named]# named-checkconf
[root@dns-m named]# named-checkzone test.com /var/named/test.com.zone
zone test.com/IN: loaded serial 2022012105
OK
[root@dns-m named]# named-checkzone 197.168.192.in-addr.arpa /var/named/192.168.197.zone
zone 197.168.192.in-addr.arpa/IN: loaded serial 2022012105
OK

##启动named服务,并设置开机启动
[root@dns-m named]# systemctl enable --now named.service
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.
##重新加载配置文件
[root@dns-m named]# rndc reload
server reload successful
[root@dns-m named]#
##客户端测试
[root@centos79 ~]# dig -t A www.test.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.8 <<>> -t A www.test.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17098
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.test.com. IN A

;; ANSWER SECTION:
www.test.com. 86400 IN A 192.168.197.100

;; AUTHORITY SECTION:
test.com. 86400 IN NS master.test.com.
test.com. 86400 IN NS slave.test.com.

;; ADDITIONAL SECTION:
master.test.com. 86400 IN A 192.168.197.129
slave.test.com. 86400 IN A 192.168.197.130

;; Query time: 0 msec
;; SERVER: 192.168.197.129#53(192.168.197.129)
;; WHEN: Sat Jan 22 18:28:15 CST 2022
;; MSG SIZE rcvd: 130

[root@centos79 ~]# dig -t A mail.test.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.8 <<>> -t A mail.test.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39083
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;mail.test.com. IN A

;; ANSWER SECTION:
mail.test.com. 86400 IN A 192.168.197.101

;; AUTHORITY SECTION:
test.com. 86400 IN NS master.test.com.
test.com. 86400 IN NS slave.test.com.

;; ADDITIONAL SECTION:
master.test.com. 86400 IN A 192.168.197.129
slave.test.com. 86400 IN A 192.168.197.130

;; Query time: 0 msec
;; SERVER: 192.168.197.129#53(192.168.197.129)
;; WHEN: Sat Jan 22 18:28:22 CST 2022
;; MSG SIZE rcvd: 131
[root@centos79 ~]# dig -x 192.168.197.100

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.8 <<>> -x 192.168.197.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8752
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;100.197.168.192.in-addr.arpa. IN PTR

;; ANSWER SECTION:
100.197.168.192.in-addr.arpa. 86400 IN PTR www.test.com.

;; AUTHORITY SECTION:
197.168.192.in-addr.arpa. 86400 IN NS slave.test.com.
197.168.192.in-addr.arpa. 86400 IN NS master.test.com.

;; ADDITIONAL SECTION:
master.test.com. 86400 IN A 192.168.197.129
slave.test.com. 86400 IN A 192.168.197.130

;; Query time: 0 msec
;; SERVER: 192.168.197.129#53(192.168.197.129)
;; WHEN: Sat Jan 22 18:45:55 CST 2022
;; MSG SIZE rcvd: 156


[root@centos79 ~]# nslookup
> www.test.com
Server: 192.168.197.129
Address: 192.168.197.129#53

Name: www.test.com
Address: 192.168.197.100
> mail.test.com
Server: 192.168.197.129
Address: 192.168.197.129#53

Name: mail.test.com
Address: 192.168.197.101
>
> 192.168.197.100
100.197.168.192.in-addr.arpa name = www.test.com.
辅助DNS服务器配置
[root@dns-s ~]# vim /etc/named.conf

listen-on port 53 { 192.168.197.130; };
allow-query { any; };
allow-transfer { none; }; #不允许其它主机进行区域传输

zone "test.com" IN {
type slave;
masters { 192.168.197.129; }; #配置主DNS地址
file "slaves/test.com.slave"; #配置备DNS存放的正向文件名字
};

zone "197.168.192.in-addr.arpa" IN {
type slave;
masters { 192.168.197.129; }; #配置主DNS地址
file "slaves/192.168.197.slave"; #配置备DNS存放的反向文件名字
};

##配置文件检查
[root@dns-s ~]# named-checkconf
##启动服务并开机启动
[root@dns-s ~]# systemctl enable --now named.service
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.
##重新加载配置文件
[root@dns-s ~]# rndc reload
server reload successful

##查看是否同步主服务器文件
[root@dns-s ~]# ll /var/named/slaves/
total 8
-rw-r--r--. 1 named named 407 Jan 22 18:36 192.168.197.slave
-rw-r--r--. 1 named named 382 Jan 22 18:36 test.com.slave
##客户端测试
[root@centos79 ~]# dig -t A www.test.com @192.168.197.130

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.8 <<>> -t A www.test.com @192.168.197.130
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39186
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.test.com. IN A

;; ANSWER SECTION:
www.test.com. 86400 IN A 192.168.197.100

;; AUTHORITY SECTION:
test.com. 86400 IN NS slave.test.com.
test.com. 86400 IN NS master.test.com.

;; ADDITIONAL SECTION:
master.test.com. 86400 IN A 192.168.197.129
slave.test.com. 86400 IN A 192.168.197.130

;; Query time: 1 msec
;; SERVER: 192.168.197.130#53(192.168.197.130)
;; WHEN: Sat Jan 22 18:49:10 CST 2022
;; MSG SIZE rcvd: 130
[root@centos79 ~]# dig -x 192.168.197.100 @192.168.197.130

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.8 <<>> -x 192.168.197.100 @192.168.197.130
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11350
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;100.197.168.192.in-addr.arpa. IN PTR

;; ANSWER SECTION:
100.197.168.192.in-addr.arpa. 86400 IN PTR www.test.com.

;; AUTHORITY SECTION:
197.168.192.in-addr.arpa. 86400 IN NS master.test.com.
197.168.192.in-addr.arpa. 86400 IN NS slave.test.com.

;; ADDITIONAL SECTION:
master.test.com. 86400 IN A 192.168.197.129
slave.test.com. 86400 IN A 192.168.197.130

;; Query time: 1 msec
;; SERVER: 192.168.197.130#53(192.168.197.130)
;; WHEN: Sat Jan 22 18:49:34 CST 2022
;; MSG SIZE rcvd: 156
[root@centos79 ~]# nslookup
> www.test.com
Server: 192.168.197.130
Address: 192.168.197.130#53

Name: www.test.com
Address: 192.168.197.100
> 192.168.197.101
101.197.168.192.in-addr.arpa name = mail.test.com.
>

2、搭建并实现智能DNS。

使用acl和view模拟智能DNS的实现。注意:启用view后,不匹配任何view的match-clients的客户端(例如上一题中的辅助DNS 192.168.197.130 和客户端 192.168.197.128)将得不到应答,如需继续为它们提供服务,可以再增加一个 match-clients { any; } 的默认view放在最后。

环境说明:

192.168.197.10 代表北京客户端   可以解析IP10.10.10.10

192.168.197.20 代表天津客户端   可以解析IP20.20.20.20

##在/etc/named.conf顶端添加acl
acl bj_net {
192.168.197.10;
};
acl tj_net {
192.168.197.20;
};
#注意:
# 由于一旦启用了view,所有的zone都只能定义在view中,所以要把/etc/named.conf中的
#zone "." IN {
# type hint;
# file "named.ca";
#};
#转移到/etc/named.rfc1912.zones中
##配置指向不同的数据库文件
[root@dns-m named]# cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.zones.bj
[root@dns-m named]# cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.zones.tj
[root@dns-m named]# vim /etc/named.rfc1912.zones.bj
zone "test.com" IN {
type master;
file "test.com.zone.bj";
};

[root@dns-m named]# vim /etc/named.rfc1912.zones.tj
zone "test.com" IN {
type master;
file "test.com.zone.tj";
};
##在/etc/named.conf底端增加view
view bj_view {
match-clients { bj_net; };
include "/etc/named.rfc1912.zones.bj";
};

view tj_view {
match-clients { tj_net; };
include "/etc/named.rfc1912.zones.tj";
};
##创建不同区域的数据库文件

[root@dns-m named]# cp -p /var/named/test.com.zone /var/named/test.com.zone.bj
[root@dns-m named]# cp -p /var/named/test.com.zone /var/named/test.com.zone.tj
[root@dns-m named]# vim /var/named/test.com.zone.bj
$TTL 1D
$ORIGIN test.com. ;补一个后缀
@ IN SOA master.test.com. admin.test.com. (
2022012105 ;序列号
1D ;刷新时间
1H ;重试时间
1W ;过期时间
3H ) ;否定答案的TTL值
NS master ;设置主DNS服务器记录
NS slave ;设置辅DNS服务器记录
master A 192.168.197.129 ;设置主DNS的IP
slave A 192.168.197.130 ;设置辅DNS的IP
www A 10.10.10.10

[root@dns-m named]# vim /var/named/test.com.zone.tj
$TTL 1D
$ORIGIN test.com. ;补一个后缀
@ IN SOA master.test.com. admin.test.com. (
2022012105 ;序列号
1D ;刷新时间
1H ;重试时间
1W ;过期时间
3H ) ;否定答案的TTL值
NS master ;设置主DNS服务器记录
NS slave ;设置辅DNS服务器记录
master A 192.168.197.129 ;设置主DNS的IP
slave A 192.168.197.130 ;设置辅DNS的IP
www A 20.20.20.20

##检查配置文件
[root@dns-m named]# named-checkconf

##重新加载配置文件
[root@dns-m named]# rndc reload
server reload successful


##客户端测试
##北京
[root@centos79 ~]# ip addr show ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:b3:f4:32 brd ff:ff:ff:ff:ff:ff
inet 192.168.197.10/24 brd 192.168.197.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::e132:5b27:135f:b310/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@centos79 ~]# nslookup
> www.test.com
Server: 192.168.197.129
Address: 192.168.197.129#53

Name: www.test.com
Address: 10.10.10.10

##天津
[root@centos79 ~]# ip addr show ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:b3:f4:32 brd ff:ff:ff:ff:ff:ff
inet 192.168.197.20/24 brd 192.168.197.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::e132:5b27:135f:b310/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@centos79 ~]# nslookup
> www.test.com
Server: 192.168.197.129
Address: 192.168.197.129#53

Name: www.test.com
Address: 20.20.20.20
>

3、使用iptable实现: 放行ssh,telnet, ftp, web服务80端口,其他端口服务全部拒绝

ssh端口22,telnet端口23, ftp端口21, web 80。注意:下面插入的第二条REJECT规则会拒绝除这四个TCP端口之外的所有入站报文,包括lo接口上的本地流量、ICMP以及本机对外请求(如DNS查询)的回包;实际环境中通常先放行 -i lo 和 -m conntrack --ctstate ESTABLISHED,RELATED 的流量,FTP被动模式的数据连接还需要加载nf_conntrack_ftp模块才能被RELATED匹配。

[root@centos84 ~]# iptables -A INPUT -p tcp -m multiport --dports 21,22,23,80 -j ACCEPT
[root@centos84 ~]# iptables -I INPUT 2 -j REJECT
[root@centos84 ~]#
[root@centos84 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
22 1408 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,22,23,80
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain LIBVIRT_INP (0 references)
pkts bytes target prot opt in out source destination

Chain LIBVIRT_OUT (0 references)
pkts bytes target prot opt in out source destination

Chain LIBVIRT_FWO (0 references)
pkts bytes target prot opt in out source destination

Chain LIBVIRT_FWI (0 references)
pkts bytes target prot opt in out source destination

Chain LIBVIRT_FWX (0 references)
pkts bytes target prot opt in out source destination

保存配置 (需要安装iptables-services)

[root@centos84 ~]# iptables-save > /etc/sysconfig/iptables

4、NAT原理总结

在linux系统中,NAT的实现分为下面类型:


SNAT:源地址转换 ,支持POSTROUTING, INPUT规则链,方式为修改请求报文的源地址,把局域网内的地址转换为统一的外网地址访问外部网络。


DNAT:目标地址转换,支持PREROUTING ,OUTPUT规则链,方式为修改请求报文中的目标地址,外部网络访问内部网络的统一出口地址,内部网络统一出口转换目标IP为内部网络的IP,然后内部网络返回信息给出口地址。


PNAT: 端口地址转换,支持PREROUTING,OUTPUT规则链,方式为修改请求报文中的目标IP的目标端口,外部网络访问内部网络的统一出口地址和端口,目标IP的主机将目标端口修改为同一目标主机的另外一个端口上。


5、iptables实现SNAT和DNAT,并对规则持久保存

第九周学习作业_centos_02

##环境说明
[root@wan ~]# ip addr show ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:b3:f4:32 brd ff:ff:ff:ff:ff:ff
inet 192.168.10.128/24 brd 192.168.10.255 scope global noprefixroute dynamic ens33
valid_lft 1062sec preferred_lft 1062sec
inet6 fe80::e132:5b27:135f:b310/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@wan ~]# ip r
192.168.10.0/24 dev ens33 proto kernel scope link src 192.168.10.128 metric 100
[root@wan ~]#

[root@firewall ~]# ip addr show ens160
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:68:87:02 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.128/24 brd 10.0.0.255 scope global dynamic noprefixroute ens160
valid_lft 1699sec preferred_lft 1699sec
inet6 fe80::20c:29ff:fe68:8702/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@firewall ~]# ip addr show ens224
3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:68:87:0c brd ff:ff:ff:ff:ff:ff
inet 192.168.10.129/24 brd 192.168.10.255 scope global dynamic noprefixroute ens224
valid_lft 1695sec preferred_lft 1695sec
inet6 fe80::45b1:edee:8636:4351/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@firewall ~]# ip r
default via 10.0.0.2 dev ens160 proto dhcp metric 102
10.0.0.0/24 dev ens160 proto kernel scope link src 10.0.0.128 metric 102
192.168.10.0/24 dev ens224 proto kernel scope link src 192.168.10.129 metric 103
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 metric 425 linkdown
[root@firewall ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain LIBVIRT_PRT (0 references)
pkts bytes target prot opt in out source destination


[root@lan ~]# ip addr show ens160
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:36:73:cb brd ff:ff:ff:ff:ff:ff
inet 10.0.0.129/24 brd 10.0.0.255 scope global noprefixroute ens160
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe36:73cb/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@lan ~]# ip r
default via 10.0.0.128 dev ens160 proto static metric 100
10.0.0.0/24 dev ens160 proto kernel scope link src 10.0.0.129 metric 100
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 metric 425 linkdown

##在防火墙上启用转发功能和SNAT
[root@firewall ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@firewall ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@firewall ~]# iptables -t nat -A POSTROUTING -s 10.0.0.0/24 ! -d 10.0.0.0/24 -j MASQUERADE
[root@firewall ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 10.0.0.0/24 !10.0.0.0/24

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain LIBVIRT_PRT (0 references)
pkts bytes target prot opt in out source destination
##在lan上测试是否可以ping通
[root@lan ~]# ping 192.168.10.128
PING 192.168.10.128 (192.168.10.128) 56(84) bytes of data.
64 bytes from 192.168.10.128: icmp_seq=1 ttl=63 time=1.14 ms
64 bytes from 192.168.10.128: icmp_seq=2 ttl=63 time=0.904 ms
64 bytes from 192.168.10.128: icmp_seq=3 ttl=63 time=1.31 ms
64 bytes from 192.168.10.128: icmp_seq=4 ttl=63 time=0.806 ms
64 bytes from 192.168.10.128: icmp_seq=5 ttl=63 time=0.835 ms
64 bytes from 192.168.10.128: icmp_seq=6 ttl=63 time=1.29 ms
64 bytes from 192.168.10.128: icmp_seq=7 ttl=63 time=2.47 ms
64 bytes from 192.168.10.128: icmp_seq=8 ttl=63 time=2.05 ms
64 bytes from 192.168.10.128: icmp_seq=9 ttl=63 time=0.791 ms
^C
--- 192.168.10.128 ping statistics ---
9 packets transmitted, 9 received, 0% packet loss, time 8076ms
rtt min/avg/max/mdev = 0.791/1.288/2.469/0.561 ms
##在wan进行抓包分析
[root@wan ~]# tcpdump -i ens33 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
18:23:27.166530 IP 192.168.10.129 > 192.168.10.128: ICMP echo request, id 2865, seq 1, length 64
18:23:27.166608 IP 192.168.10.128 > 192.168.10.129: ICMP echo reply, id 2865, seq 1, length 64
18:23:28.173172 IP 192.168.10.129 > 192.168.10.128: ICMP echo request, id 2865, seq 2, length 64
18:23:28.173225 IP 192.168.10.128 > 192.168.10.129: ICMP echo reply, id 2865, seq 2, length 64
18:23:29.173698 IP 192.168.10.129 > 192.168.10.128: ICMP echo request, id 2865, seq 3, length 64
18:23:29.173740 IP 192.168.10.128 > 192.168.10.129: ICMP echo reply, id 2865, seq 3, length 64
18:23:30.179838 IP 192.168.10.129 > 192.168.10.128: ICMP echo request, id 2865, seq 4, length 64
18:23:30.179875 IP 192.168.10.128 > 192.168.10.129: ICMP echo reply, id 2865, seq 4, length 64
18:23:31.207059 IP 192.168.10.129 > 192.168.10.128: ICMP echo request, id 2865, seq 5, length 64
18:23:31.207105 IP 192.168.10.128 > 192.168.10.129: ICMP echo reply, id 2865, seq 5, length 64
18:23:32.227039 IP 192.168.10.129 > 192.168.10.128: ICMP echo request, id 2865, seq 6, length 64
18:23:32.227110 IP 192.168.10.128 > 192.168.10.129: ICMP echo reply, id 2865, seq 6, length 64
18:23:33.233767 IP 192.168.10.129 > 192.168.10.128: ICMP echo request, id 2865, seq 7, length 64
18:23:33.233856 IP 192.168.10.128 > 192.168.10.129: ICMP echo reply, id 2865, seq 7, length 64

##保存配置 (需要安装iptables-services)
[root@firewall ~]# yum install iptables-services.x86_64 -y
[root@firewall ~]# systemctl enable --now iptables.service
Created symlink /etc/systemd/system/multi-user.target.wants/iptables.service → /usr/lib/systemd/system/iptables.service.
[root@firewall ~]# iptables-save > /etc/sysconfig/iptables

第九周学习作业_centos_03

##环境说明和SNAT相同
##在防火墙上配置DNAT转发规则
[root@firewall ~]# iptables -t nat -A PREROUTING -d 192.168.10.129 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.129:80

[root@firewall ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
5 300 DNAT tcp -- * * 0.0.0.0/0 192.168.10.129 tcp dpt:80 to:10.0.0.129:80

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 10.0.0.0/24 !10.0.0.0/24

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain LIBVIRT_PRT (0 references)
pkts bytes target prot opt in out source destination
##在wan测试80端口
[root@wan ~]# curl 192.168.10.129
IP:10.0.0.129

##保存配置 (需要安装iptables-services)
[root@firewall ~]# yum install iptables-services.x86_64 -y
[root@firewall ~]# systemctl enable --now iptables.service
Created symlink /etc/systemd/system/multi-user.target.wants/iptables.service → /usr/lib/systemd/system/iptables.service.
[root@firewall ~]# iptables-save > /etc/sysconfig/iptables