The internal server runs HTTP at IP 10.0.0.85. The Linux firewall FW has two NICs: eth0 192.168.122.11 faces the external network and eth1 10.0.0.250 faces the internal network. The topology is as follows:
Add a default route on the server:
- [root@vm1 ~]# route add default gw 10.0.0.250
- Start HTTP; note that NICs which are not in use should be brought down
- ifconfig eth1 down
Temporarily configure NIC eth1 on FW (the internal side):
- [root@vm1 ~]# ifconfig eth1 10.0.0.250 netmask 255.255.255.0 up
Enable kernel IP forwarding on FW:
- [root@vm1 ~]# cat /etc/sysctl.conf
- net.ipv4.ip_forward = 1
- [root@vm1 ~]# sysctl -p
- [root@vm1 ~]# iptables -F -t nat
- [root@vm1 ~]# iptables -X -t nat
- [root@vm1 ~]# iptables -Z -t nat
- [root@vm1 ~]# iptables -t nat -P PREROUTING ACCEPT
- [root@vm1 ~]# iptables -t nat -P POSTROUTING ACCEPT
- [root@vm1 ~]# iptables -t nat -P OUTPUT ACCEPT
- [root@vm1 ~]# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.85
- [root@vm1 ~]# /etc/init.d/iptables save (save the rules)
- iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
- [root@vm1 ~]# /etc/init.d/iptables restart (restart)
- [root@vm1 ~]# /etc/init.d/httpd start (start HTTP)
- Starting httpd:
Now the external host 192.168.122.1 can reach the web server by connecting to 192.168.122.11.
If it is an FTP server, an SNAT rule is also needed (source-translating to the firewall's own external address), plus the FTP connection-tracking helper, e.g.:
- [root@vm1 ~]# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.122.11
- [root@vm1 ~]# modprobe nf_nat_ftp
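The whole procedure above, collected into one idempotent script as an added example (this is not code from the original post). It emits the nat table in iptables-restore format instead of issuing flush and append commands one by one, so re-running it never leaves duplicate DNAT rules. The addresses and interface names mirror the topology above; the function names and the check against a saved rule dump are my own additions. One tightening over the page's rule: the DNAT matches only packets addressed to the firewall's external IP (`-d 192.168.122.11`), so traffic merely transiting eth0 for other destinations is not rewritten.

```shell
#!/bin/sh
# Constructed example: generate and (optionally) apply the nat rules for
# forwarding TCP/80 from the firewall's external interface to an internal
# web server, following the layout of the page above.

WAN_IF=eth0              # external interface of FW
WAN_IP=192.168.122.11    # external address of FW
WEB_SERVER=10.0.0.85     # internal HTTP server
WEB_PORT=80

# Print a complete nat table in iptables-restore syntax.
# Args: wan_if wan_ip server port
gen_nat_rules() {
    wan_if="$1"; wan_ip="$2"; server="$3"; port="$4"
    printf '%s\n' \
        '*nat' \
        ':PREROUTING ACCEPT [0:0]' \
        ':POSTROUTING ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        "-A PREROUTING -i $wan_if -d $wan_ip -p tcp --dport $port -j DNAT --to-destination $server" \
        "-A POSTROUTING -o $wan_if -j SNAT --to-source $wan_ip" \
        'COMMIT'
}

# Return 0 if an iptables-save style dump (passed on stdin) already contains
# a DNAT rule for the given port and target server, 1 otherwise.
# Usage: iptables-save -t nat | has_dnat_rule 80 10.0.0.85
has_dnat_rule() {
    port="$1"; server="$2"
    grep -q -- "-j DNAT .*--to-destination $server" 2>/dev/null <<EOF
$(grep -- "--dport $port " | grep -- '-A PREROUTING')
EOF
}

# Apply the rules only when explicitly asked; otherwise just print them.
if [ "${1:-}" = "apply" ]; then
    # Forwarding must be on, or the DNATed packets are simply dropped.
    sysctl -w net.ipv4.ip_forward=1
    # iptables-restore replaces the whole nat table, so no separate -F/-X/-Z.
    gen_nat_rules "$WAN_IF" "$WAN_IP" "$WEB_SERVER" "$WEB_PORT" | iptables-restore
    # FTP helper as on the page (modprobe also pulls in nf_conntrack_ftp).
    modprobe nf_nat_ftp
else
    gen_nat_rules "$WAN_IF" "$WAN_IP" "$WEB_SERVER" "$WEB_PORT"
fi
```

Run it with no arguments to review the generated table, and with `apply` on FW to load it. One caveat the page does not mention: DNAT only rewrites the destination; the packet still traverses the filter table's FORWARD chain, so on a distribution whose default ruleset rejects forwarded traffic you also need a FORWARD ACCEPT for TCP/80 to 10.0.0.85 (and the established/related return flow), or the connection will time out despite a correct nat table.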