Firewall Port Forwarding Operations Manual (Part 2)
2. Network environment
Note: the Linux gateway server (firewall) and the client sit on the public network; the web server sits on the internal network.
1. Use virtualization to create two Linux servers: one acts as the firewall, the other as the web server that will be exposed to the public network.
The firewall needs two virtual NICs: eth0: 218.29.30.31/24, eth1: 192.168.1.1/24
The web server has a single NIC, eth0: 192.168.1.6/24
2. Use the physical host as the client machine, with one physical NIC at IP 218.29.30.29/24
3. Settings on the web server
[root@kingmacro /]#iptables -F
[root@kingmacro /]#service iptables save
[root@kingmacro /]#chkconfig httpd on
[root@kingmacro /]#service httpd start
[root@kingmacro /]#vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
HWADDR=00:0c:29:50:9f:5c
NM_CONTROLLED=yes
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.1.6
NETMASK=255.255.255.0
4. Firewall settings
[root@wanghong ~]# cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth1
[root@wanghong ~]#vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
HWADDR=00:0c:29:cf:82:fe
NM_CONTROLLED=yes
ONBOOT=yes
BOOTPROTO=none
IPADDR=218.29.30.31
NETMASK=255.255.255.0
[root@wanghong ~]#vim /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
NM_CONTROLLED=yes
ONBOOT=yes
BOOTPROTO=none
IPADDR=192.168.1.1
NETMASK=255.255.255.0
[root@wanghong ~]#service network restart
[root@wanghong ~]#vim /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1
[root@wanghong ~]#sysctl -p
[root@wanghong ~]#iptables -t nat -A PREROUTING -i eth0 -d 218.29.30.31 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.6
[root@wanghong ~]#iptables -t nat -L
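As an added example (not from the original manual), the following script applies the step-4 DNAT rule in a way that can be re-run safely, opens only the forwarded flow in the FORWARD chain, and checks that the rule is really in place by reading `iptables -t nat -S PREROUTING`; the names WAN_IF, LAN_IF, WEB_IP, ensure_forward and verify_dnat are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the original manual: apply the step-4 DNAT rule so it
# can be re-run safely, and verify it really landed. Addresses match the lab;
# WAN_IF, LAN_IF, WEB_IP and the function names are chosen here, not the manual's.
WAN_IF=eth0           # public side of the firewall
WAN_IP=218.29.30.31
LAN_IF=eth1           # internal side
WEB_IP=192.168.1.6    # internal web server; its default gateway must be 192.168.1.1
PORT=80

# The manual's PREROUTING rule, with the option spelled --to-destination.
dnat_rule_args() {
    printf '%s' "PREROUTING -i $WAN_IF -d $WAN_IP -p tcp --dport $PORT -j DNAT --to-destination $WEB_IP"
}

# Check `iptables -t nat -S PREROUTING` output (passed as $1) for a rule carrying
# every piece of the expected DNAT: interface, public address, port and target.
# Token-by-token matching is independent of iptables-save column order.
verify_dnat() {
    printf '%s\n' "$1" \
      | grep -F -- "-A PREROUTING" \
      | grep -F -- "-i $WAN_IF" \
      | grep -F -- "-d $WAN_IP/32" \
      | grep -F -- "--dport $PORT" \
      | grep -qF -- "-j DNAT --to-destination $WEB_IP"
}

# Add a FORWARD rule only if it is absent (-C needs iptables >= 1.4.11).
ensure_forward() {
    iptables -C FORWARD "$@" 2>/dev/null || iptables -I FORWARD "$@"
}

# Enable forwarding, add the DNAT only when missing (so repeated runs do not
# stack duplicates), and let exactly this flow through FORWARD, which the
# stock RHEL ruleset rejects. Replies are un-NATed by conntrack, so no SNAT
# is needed as long as the web server routes back through 192.168.1.1.
apply_forwarding() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    verify_dnat "$(iptables -t nat -S PREROUTING)" \
      || iptables -t nat -A $(dnat_rule_args)   # unquoted on purpose: split into args
    ensure_forward -m state --state ESTABLISHED,RELATED -j ACCEPT
    ensure_forward -i "$WAN_IF" -o "$LAN_IF" -d "$WEB_IP" -p tcp --dport "$PORT" -j ACCEPT
}

# Run as root: sh publish_web.sh apply   (nothing is changed without "apply")
if [ "${1-}" = "apply" ]; then
    apply_forwarding
    verify_dnat "$(iptables -t nat -S PREROUTING)" && echo "DNAT $WAN_IP:$PORT -> $WEB_IP in place"
fi
```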
5. Firewall test
From the client, run ping directly: pinging the firewall's eth0 address succeeds, pinging its eth1 address fails, and pinging the web server also fails (all of these results are expected), because port forwarding has been configured on eth0: every packet arriving on eth0 for port 80 is forwarded straight to the web server at 192.168.1.6. (Note: for this experiment the web server's default gateway must be set to the internal address 192.168.1.1.)
Access the web server from a browser,