
April 14, 2010

iptables in NAT (MASQUERADE, SNAT, DNAT)

Assumptions for this NAT configuration:
eth0 is connected to the external network
eth1 is connected to the internal network
Enable IP forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward

Set up IP forwarding and masquerading
(this is the simplest way to configure NAT for internal users)
[root@linux ~]#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[root@linux ~]#iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@linux ~]#iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

In the MASQUERADE case there is an alternative:
[root@linux ~]#iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
(assuming ppp0 is the interface to the external network)

More information (samples for your reference only):
SNAT
Example: internal users with private IPs access the external network
[root@linux ~]#iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 202.175.12.34
(Map source addresses to 202.175.12.34)

[root@linux ~]#iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 202.175.12.34-202.175.12.39
(Map source addresses to the range 202.175.12.34-202.175.12.39)

DNAT
Example: external users access an internal server
[root@linux ~]# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 192.168.1.10
[root@linux ~]# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 192.168.1.5-192.168.1.10
[root@linux ~]# iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.1.10:80
[root@linux ~]# iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.1.10:8080
[root@linux ~]# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
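The rules above combined into one small gateway script, added here as an example (it is not from the original post). It assumes eth0 is the external and eth1 the internal interface and reuses the post's 192.168.1.10 server; it uses -m conntrack in place of the older -m state, sets the FORWARD policy to DROP, and pairs each DNAT rule with a FORWARD rule so that only the forwarded port is reachable, unlike the unrestricted "-j DNAT --to 192.168.1.10" form, which hands every inbound packet to the internal host.

```shell
#!/bin/sh
# Added example NAT gateway script (not from the original post).
# Assumed: WAN = eth0, LAN = eth1, internal web server 192.168.1.10.
# IPT defaults to the real iptables binary; set IPT=echo to dry-run
# and only print the rules that would be applied.
IPT="${IPT:-iptables}"

# Masquerading gateway with a default-deny FORWARD chain: new connections
# are allowed only from LAN to WAN, and WAN to LAN only for replies.
nat_gateway() {
    wan="$1"; lan="$2"
    # Enable routing between interfaces (make it persistent via sysctl.conf).
    if [ "$IPT" = iptables ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
    $IPT -P FORWARD DROP
    $IPT -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
    $IPT -A FORWARD -i "$wan" -o "$lan" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$lan" -o "$wan" -j ACCEPT
}

# Forward one TCP port from the WAN side to an internal host:port.
# With FORWARD set to DROP, the DNAT rule alone is not enough: the second
# rule admits only NEW connections to the rewritten destination and port,
# so nothing else on the internal host becomes reachable from outside.
port_forward() {
    wan="$1"; ext_port="$2"; host="$3"; int_port="$4"
    $IPT -t nat -A PREROUTING -i "$wan" -p tcp --dport "$ext_port" -j DNAT --to-destination "$host:$int_port"
    $IPT -A FORWARD -i "$wan" -p tcp -d "$host" --dport "$int_port" -m conntrack --ctstate NEW -j ACCEPT
}

# Usage: run with the argument "apply" (as root) to install the rules;
# with IPT=echo it just prints them.
if [ "${1:-}" = apply ]; then
    nat_gateway eth0 eth1
    port_forward eth0 80 192.168.1.10 8080
fi
```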
