Here we configure iptables on the jump host (ecos01) so that the web servers on the internal network (ecos02 and ecos03) can reach the external network.
First we need to stop the firewall on the web servers:
service iptables stop
Disable it from starting at boot:
chkconfig iptables off
Edit the configuration file:
vim /etc/sysctl.conf
Find this line:
net.ipv4.ip_forward = 0
and change it to:
net.ipv4.ip_forward = 1
Next, to prevent old rules from interfering with the new settings, flush and delete all existing rules and chains:
iptables -F
iptables -X
iptables -F -t mangle
iptables -t mangle -X
iptables -F -t nat
iptables -t nat -X
Set the default policy of every chain to ACCEPT:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
Masquerade the 10.0.0.0/24 subnet as 192.168.51.119 on its way out:
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source 192.168.51.119
View the iptables rules:
iptables -t nat -nvL
If the output looks like the following, the configuration succeeded:
Chain PREROUTING (policy ACCEPT 56334 packets, 7922K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 5229 packets, 324K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1105 69446 SNAT       all  --  *      *       10.0.0.0/24          0.0.0.0/0           to:192.168.51.119

Chain OUTPUT (policy ACCEPT 5233 packets, 324K bytes)
 pkts bytes target     prot opt in     out     source               destination
On CentOS the iptables configuration file is located at:
/etc/sysconfig/iptables
Command to save the current rules to that file:
iptables-save > /etc/sysconfig/iptables
Contents of the iptables file:
# Generated by iptables-save v1.3.5 on Thu Dec 1 20:50:43 2011
*filter
:INPUT ACCEPT [143:12501]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [65:5328]
COMMIT
# Completed on Thu Dec 1 20:50:43 2011
# Generated by iptables-save v1.3.5 on Thu Dec 1 20:50:43 2011
*nat
:PREROUTING ACCEPT [194:20708]
:POSTROUTING ACCEPT [339:20864]
:OUTPUT ACCEPT [342:21074]
-A POSTROUTING -s 10.0.0.0/255.255.255.0 -j SNAT --to-source 192.168.51.119
COMMIT
# Completed on Thu Dec 1 20:50:43 2011
# Generated by iptables-save v1.3.5 on Thu Dec 1 20:50:43 2011
*mangle
:PREROUTING ACCEPT [2390:3079834]
:INPUT ACCEPT [2331:3076427]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2571:3080063]
:POSTROUTING ACCEPT [2602:3084461]
COMMIT
# Completed on Thu Dec 1 20:50:43 2011
Notes
To load the saved iptables configuration file:
iptables-restore < /etc/sysconfig/iptables
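The ruleset above forwards with a FORWARD policy of ACCEPT, so the jump host relays any packet it receives, not only the web servers' outbound traffic. The following script is an added example, not part of the original post: it generates a tighter ruleset in iptables-save format (LAN out, established replies back, same SNAT rule) and checks a saved dump for the SNAT rule and a DROP forward policy. The addresses 10.0.0.0/24 and 192.168.51.119 come from the post; the interface names eth0 (external) and eth1 (LAN) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Addresses 10.0.0.0/24 and
# 192.168.51.119 come from the post; the interface names eth0 (external) and
# eth1 (LAN) are assumptions.
LAN_NET="10.0.0.0/24"
EXT_IP="192.168.51.119"
EXT_IF="eth0"
LAN_IF="eth1"

# Print a ruleset in iptables-save format. Unlike a FORWARD policy of ACCEPT,
# which relays any packet the jump host sees, only traffic from the LAN is
# forwarded out, and only replies to those connections are forwarded back.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $LAN_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $EXT_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $EXT_IF -j SNAT --to-source $EXT_IP
COMMIT
EOF
}

# Read an iptables-save dump on stdin and return 0 only if it carries the SNAT
# rule for the LAN (either mask notation; old iptables writes /255.255.255.0)
# and a FORWARD policy of DROP; return 1 otherwise.
check_ruleset() {
    dump=$(cat)
    printf '%s\n' "$dump" | grep -qE -- \
        '^-A POSTROUTING .*-s 10\.0\.0\.0/(24|255\.255\.255\.0) .*-j SNAT --to-source 192\.168\.51\.119' \
        || return 1
    printf '%s\n' "$dump" | grep -q '^:FORWARD DROP' || return 1
    return 0
}

# Usage on the jump host (as root): gen_ruleset > /etc/sysconfig/iptables,
# then iptables-restore < /etc/sysconfig/iptables as in the post. Forwarding
# also needs net.ipv4.ip_forward=1 to be active (sysctl -p after editing
# /etc/sysctl.conf, or a reboot).
```

Running the post's own saved file through check_ruleset fails on the FORWARD policy check, which is the point: the SNAT rule alone does not limit what the jump host will forward.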