CentOS开启NAT路由转发功能

马谦马谦马谦

613
文章

17
评论

2018年12月31日17:04:53

评论1 763字阅读2分32秒

一、拓扑图

学习linux的网络框架netfilter，想用centos作为路由器，在下面接PC产生流量测试。

默认情况下linux是没有开启数据包转发功能的，需要手动配置，linux使用centos6.9，网络拓扑图如下：

CentOS开启NAT路由转发功能

路由器的eth0口接外网，IP地址192.168.123.102，内网口eth0地址10.0.0.x/24，希望PC通过路由nat上网。

二、转发配置

开启路由转发首先检查好防火墙配置，清空原有的nat规则：iptables -F，然后添加nat规则，一共有两种方式：

第一种：iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j SNAT --to 192.168.123.102

第二种：iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

其中的部分参数含义为：

-t: 类型为nat
-A: 添加新规则到规则链的末尾
POSTROUTING: 在包就要离开防火墙之前改变其源地址
-s: 源地址段，这里设置我的内网地址网段10.0.0.0/24
-j SNAT: 满足snat条件的时候跳转
--to: 跳转时设置的Ip地址
-o: 跳转时的出口设备为eth0

具体可参考防火墙规则，这里设置好后，开启设备的数据包转发：

echo 1 > /proc/sys/net/ipv4/ip_forward

1	echo 1 > /proc/sys/net/ipv4/ip_forward

转发永久生效

上面的echo开启数据包转发只是临时生效，下次重启后就失效了，如果需要永久生效，得修改/etc/sysctl.conf文件，把net.ipv4.ip_forwar设置为1。

> sed -i 's#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#g' /etc/sysctl.conf
> grep net.ipv4.ip_forwar /etc/sysctl.conf # 确认是否修改成功了
net.ipv4.ip_forward = 1 # 已经修改好了
> sysctl -p # 生效配置
net.ipv4.ip_forward = 1 # 这里也可以看到值被修改成了1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296

> sed -i 's#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#g' /etc/sysctl.conf

> grep net.ipv4.ip_forwar /etc/sysctl.conf # 确认是否修改成功了

net.ipv4.ip_forward = 1 # 已经修改好了

> sysctl -p # 生效配置

net.ipv4.ip_forward = 1 # 这里也可以看到值被修改成了1

net.ipv4.conf.default.rp_filter = 1

net.ipv4.conf.default.accept_source_route = 0

kernel.sysrq = 0

kernel.core_uses_pid = 1

net.ipv4.tcp_syncookies = 1

kernel.msgmnb = 65536

kernel.msgmax = 65536

kernel.shmmax = 68719476736

kernel.shmall = 4294967296

三、生效性测试

检测是否生效，给PC配置好IP，然后ping百度，同时设备上也开启抓包：

maqian@d2.dyxmq.cn:~$ tcpdump -i eth1 -nnn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
16:35:42.880920 IP 10.0.0.2.63573 > 223.5.5.5.53: 48582+ A? baidu.com. (27)
16:35:42.924100 IP 223.5.5.5.53 > 10.0.0.2.63573: 48582 2/5/5 A 220.181.57.216, A 123.125.115.110 (229)
16:35:42.938192 IP 10.0.0.2 > 220.181.57.216: ICMP echo request, id 1, seq 11, length 40
16:35:43.021923 IP 220.181.57.216 > 10.0.0.2: ICMP echo reply, id 1, seq 11, length 40
16:35:43.947976 IP 10.0.0.2 > 220.181.57.216: ICMP echo request, id 1, seq 12, length 40
16:35:44.028291 IP 220.181.57.216 > 10.0.0.2: ICMP echo reply, id 1, seq 12, length 40
16:35:44.963608 IP 10.0.0.2 > 220.181.57.216: ICMP echo request, id 1, seq 13, length 40
16:35:45.043968 IP 220.181.57.216 > 10.0.0.2: ICMP echo reply, id 1, seq 13, length 40
16:35:45.979290 IP 10.0.0.2 > 220.181.57.216: ICMP echo request, id 1, seq 14, length 40
16:35:46.058447 IP 220.181.57.216 > 10.0.0.2: ICMP echo reply, id 1, seq 14, length 40
16:35:47.923349 ARP, Request who-has 10.0.0.2 tell 10.0.0.1, length 28
16:35:47.923695 ARP, Reply 10.0.0.2 is-at 00:0c:29:60:22:cc, length 46

maqian@d2.dyxmq.cn:~$ tcpdump -i eth1 -nnn

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes

16:35:42.880920 IP 10.0.0.2.63573 > 223.5.5.5.53: 48582+ A? baidu.com. (27)

16:35:42.924100 IP 223.5.5.5.53 > 10.0.0.2.63573: 48582 2/5/5 A 220.181.57.216, A 123.125.115.110 (229)

16:35:42.938192 IP 10.0.0.2 > 220.181.57.216: ICMP echo request, id 1, seq 11, length 40

16:35:43.021923 IP 220.181.57.216 > 10.0.0.2: ICMP echo reply, id 1, seq 11, length 40

16:35:43.947976 IP 10.0.0.2 > 220.181.57.216: ICMP echo request, id 1, seq 12, length 40

16:35:44.028291 IP 220.181.57.216 > 10.0.0.2: ICMP echo reply, id 1, seq 12, length 40

16:35:44.963608 IP 10.0.0.2 > 220.181.57.216: ICMP echo request, id 1, seq 13, length 40

16:35:45.043968 IP 220.181.57.216 > 10.0.0.2: ICMP echo reply, id 1, seq 13, length 40

16:35:45.979290 IP 10.0.0.2 > 220.181.57.216: ICMP echo request, id 1, seq 14, length 40

16:35:46.058447 IP 220.181.57.216 > 10.0.0.2: ICMP echo reply, id 1, seq 14, length 40

16:35:47.923349 ARP, Request who-has 10.0.0.2 tell 10.0.0.1, length 28

16:35:47.923695 ARP, Reply 10.0.0.2 is-at 00:0c:29:60:22:cc, length 46

CentOS开启NAT路由转发功能

一、拓扑图

三、生效性测试

发表评论 取消回复

发表评论取消回复