SNAT and DNAT
2022-07-23 05:55:00 【LEE_ September】
1. SNAT Principle and Application
SNAT application environment:
LAN hosts share a single public IP address to access the Internet (private IP addresses cannot be routed normally on the Internet).
SNAT principle:
Source address translation: modify the source IP address of a packet according to specified conditions. It is usually called source mapping.
SNAT conversion prerequisites:
① LAN hosts have the correct IP address, subnet mask and default gateway address configured
② IP routing and forwarding is enabled on the Linux gateway
A Linux system does not forward packets by default; it only routes the data it sends itself.
Enable temporarily:
echo 1 > /proc/sys/net/ipv4/ip_forward
or
sysctl -w net.ipv4.ip_forward=1
Enable permanently:
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1 # Write this line to the configuration file
sysctl -p # Load the modified configuration
Note: another way is static routing, which is more troublesome.
SNAT conversion 1: fixed public IP address:
# Configure the SNAT policy: change the source IP of all packets from the 192.168.100.0 segment to 10.0.0.1
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j SNAT --to 10.0.0.1
# -s: intranet segment (can be replaced by a single IP); -o: outbound network card; --to: external IP
or
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j SNAT --to-source 10.0.0.1-10.0.0.10
# -s: intranet IP; -o: outbound network card; --to-source: external IP or address pool
SNAT conversion 2: non-fixed public IP address (shared dynamic IP address):
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
2. DNAT Principle and Application
DNAT application environment:
Publishing servers located in the LAN to the Internet.
DNAT principle:
Destination address translation: modify the destination IP address of a packet according to specified conditions, ensuring the security of the intranet server. It is often called destination mapping.
DNAT conversion prerequisites:
① LAN servers can access the Internet
② The gateway's external address has a correct DNS resolution record
③ IP routing and forwarding is enabled on the Linux gateway
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p
DNAT conversion 1: publishing an intranet web service
# Convert the destination address of packets that come in on ens37 to access the web service to 192.168.100.13
iptables -t nat -A PREROUTING -i ens37 -d 10.0.0.1 -p tcp --dport 80 -j DNAT --to 192.168.100.13
# -i: inbound network card; -d: public IP; --to: intranet server IP
or
iptables -t nat -A PREROUTING -i ens37 -d 10.0.0.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.100.13
# -i: inbound network card; -d: public IP; --dport: port; --to-destination: intranet server IP
Note: the port defaults to 80.
Return packets:
iptables -t nat -A POSTROUTING -s 192.168.100.13 -o ens37 -j SNAT --to 10.0.0.1
# -s: intranet IP; -o: outbound external network card; --to: external address
You can also set up domain name resolution here.
iptables -t nat -A PREROUTING -i ens37 -p tcp --dport 80 -j DNAT --to 192.168.100.13-192.168.100.20
# -i: inbound external network card; --to: intranet server IP address range
DNAT conversion 2: modifying the destination port when publishing
# Publish the OpenSSH server inside the LAN; external hosts need to connect on port 250
iptables -t nat -A PREROUTING -i ens37 -d 10.0.0.1 -p tcp --dport 250 -j DNAT --to 192.168.100.13:22
# -i: inbound external network card; -d: external IP; --dport: externally exposed port; --to: intranet IP and port number
# Test with SSH from the external network
ssh -p 250 [email protected]
yum -y install net-tools # If the ifconfig command is missing, install it with yum first
ifconfig ens33
iptables -nvL -t nat # View the rules in the nat table
Note: when using DNAT, use SNAT together with it so that response packets return correctly.
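To review which services a gateway's DNAT rules publish, and whether each target has the SNAT pairing the note above calls for, the ruleset can be audited as text. This is an added example, not code from the original post; `sample_rules`, `audit_dnat` and the flag names are hypothetical, and the sample ruleset is constructed from the rules above plus one invented rule.

```shell
# Constructed sample of `iptables -t nat -S` output, modeled on the page's rules.
# The third DNAT rule (no -d, target 192.168.200.5) is invented to trigger both flags.
sample_rules() {
cat <<'EOF'
-P PREROUTING ACCEPT
-A PREROUTING -d 10.0.0.1/32 -i ens37 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.100.13
-A PREROUTING -d 10.0.0.1/32 -i ens37 -p tcp -m tcp --dport 250 -j DNAT --to-destination 192.168.100.13:22
-A PREROUTING -i ens37 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.200.5:80
-A POSTROUTING -s 192.168.100.13/32 -o ens37 -j SNAT --to-source 10.0.0.1
-A POSTROUTING -s 192.168.100.0/24 -o ens33 -j MASQUERADE
EOF
}
# audit_dnat (hypothetical helper): reads `iptables -t nat -S` text on stdin and
# prints "<in-iface> <public-dst>:<port> -> <target> <flags>" per DNAT rule.
#   ANY-DST  rule has no -d, so it matches every address reaching that interface
#   NO-SNAT  no POSTROUTING SNAT/MASQUERADE rule has a -s network covering the target
audit_dnat() {
awk '
function ip2n(ip,  o) { split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
function covered(ip,  i, size) {
    for (i = 1; i <= ns; i++) {
        size = 2 ^ (32 - bits[i])
        if (int(ip2n(ip) / size) == int(net[i] / size)) return 1
    }
    return 0
}
{   # collect the "-option value" pairs of the current rule
    split("", opt)
    for (i = 3; i < NF; i++) if ($i ~ /^-/) opt[$i] = $(i + 1)
}
$2 == "POSTROUTING" && (opt["-j"] == "SNAT" || opt["-j"] == "MASQUERADE") && opt["-s"] != "" {
    split(opt["-s"], c, "/"); ns++; net[ns] = ip2n(c[1]); bits[ns] = (c[2] == "" ? 32 : c[2])
}
$2 == "PREROUTING" && opt["-j"] == "DNAT" {
    dn++; d_if[dn] = opt["-i"]; d_dst[dn] = opt["-d"]; d_port[dn] = opt["--dport"]
    d_to[dn] = opt["--to-destination"]
    d_ip[dn] = d_to[dn]; sub(/[-:].*/, "", d_ip[dn])   # first address; drop :port or range end
}
END {
    for (k = 1; k <= dn; k++) {
        flags = (d_dst[k] == "" ? "ANY-DST" : "")
        if (!covered(d_ip[k])) flags = flags (flags == "" ? "" : ",") "NO-SNAT"
        printf "%s %s:%s -> %s %s\n", d_if[k], (d_dst[k] == "" ? "any" : d_dst[k]), d_port[k], d_to[k], (flags == "" ? "ok" : flags)
    }
}'
}
sample_rules | audit_dnat
```

On a gateway, feed it the live table with `iptables -t nat -S | audit_dnat`; for a DNAT address range only the first address is checked.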