作者/来源:yixinu.com
栏目:运维/编程
日期:2012-05-14 06:43:16
NAT network address translation
example: 双网卡NAT服务器配置
eth0 : 连接外网 192.168.73.173
eth1: 连接内网 152.10.0.1
1、如果希望 Linux 能够扮演一个 router 的角色，必须把 ip forwarding 的功能打开（下面的 echo 写法重启后即失效；需要持久化时可在 /etc/sysctl.conf 中设置 net.ipv4.ip_forward = 1）
echo "1" > /proc/sys/net/ipv4/ip_forward
2、开启 router 后
iptables -t nat -A POSTROUTING -s 152.10.0.0/16 -o eth0 -j MASQUERADE
保存规则
/etc/init.d/iptables save
此时 /etc/sysconfig/iptables :
# Generated by iptables-save v1.4.7 on Thu May 10 22:02:57 2012
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Source-NAT: traffic from the 152.10.0.0/16 LAN that leaves through eth0 is rewritten
# to eth0's own address, so internal hosts share the single external IP.
-A POSTROUTING -s 152.10.0.0/16 -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu May 10 22:02:57 2012
# Generated by iptables-save v1.4.7 on Thu May 10 22:02:57 2012
*filter
# NOTE(review): INPUT's policy is ACCEPT and there is no terminal REJECT/DROP rule at the
# end of the chain, so the per-port ACCEPT rules below do not restrict anything: every
# packet addressed to this host is accepted. If the intent is to whitelist ports, a final
# "-A INPUT -j REJECT --reject-with icmp-host-prohibited" (or policy DROP) is needed.
:INPUT ACCEPT [0:0]
# NOTE(review): FORWARD is also policy ACCEPT with no rules, so packets are relayed in both
# directions, including from eth0 toward 152.10.0.0/16 hosts. A NAT gateway normally allows
# only "-i eth1 -o eth0" outbound plus "-m state --state RELATED,ESTABLISHED" for replies.
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# NOTE(review): only TCP 53 is listed; DNS from the LAN clients is mostly UDP 53, so once a
# terminal REJECT is added a matching "-p udp --dport 53" rule is required. None of the
# rules below carry "-i eth1", so LAN-only services (DNS, TFTP 69, SMB 139/445) would stay
# reachable from the eth0 side as well; pin them to the internal interface.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 69 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
# UDP 69 is TFTP, used by the PXE clients configured in dhcpd (next-server/filename).
-A INPUT -p udp -m state --state NEW -m udp --dport 69 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3713 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 3713 -j ACCEPT
COMMIT
# Completed on Thu May 10 22:02:57 2012
声明:服务器已开启 DHCP 服务,配置为:
# Answer BOOTP-style requests and serve network-boot clients; needed for the
# next-server/filename PXE settings in the subnet below.
allow booting;
allow bootp;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
# Scope for the internal LAN behind eth1 (152.10.0.1). Clients get this host as their
# DNS server and default gateway and can PXE-boot from it.
subnet 152.10.0.0 netmask 255.255.0.0 {
range 152.10.1.10 152.10.1.254;
option domain-name-servers 152.10.0.1;
option domain-name "server002.com";
option routers 152.10.0.1;
option broadcast-address 152.10.255.255;
default-lease-time 600;
max-lease-time 7200;
# TFTP server address and boot file handed to PXE clients.
next-server 152.10.0.1;
filename "pxelinux.0";
}
# NOTE(review): everything from here to the end (hosts under fugue.com, class "foo"
# matching "SUNW", shared-network 224-29 with example.org routers) looks like the sample
# entries from the dhcpd.conf(5) manual page rather than this site's network; none of it
# refers to 152.10.0.0/16 or to the MAC addresses of real LAN hosts. It should probably be
# removed: the host names in fixed-address / option routers are presumably resolved when
# dhcpd loads its configuration (startup may fail if they do not resolve), and the
# 10.17.224.0/24 and 10.0.29.0/24 subnets are not on either interface listed above.
host passacaglia {
hardware ethernet 0:0:c0:5d:bd:95;
filename "vmunix.passacaglia";
server-name "toccata.fugue.com";
}
host fantasia {
hardware ethernet 08:00:07:26:c0:a5;
fixed-address fantasia.fugue.com;
}
class "foo" {
match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
}
shared-network 224-29 {
subnet 10.17.224.0 netmask 255.255.255.0 {
option routers rtr-224.example.org;
}
subnet 10.0.29.0 netmask 255.255.255.0 {
option routers rtr-29.example.org;
}
pool {
allow members of "foo";
range 10.17.224.10 10.17.224.250;
}
pool {
deny members of "foo";
range 10.0.29.10 10.0.29.230;
}
}
3、在客户端 自动获取IP和DNS
完成后发现问题:依然上不了网,无法通过域名访问网站,但能用 IP 访问网站,说明 NAT 服务器已经成功,
问题在于 DNS 服务器未开启。
4、配置DNS服务器,并开启,配置文件如下:
options {
// NOTE(review): BIND's built-in "localhost" ACL matches every address configured on this
// host's interfaces, not just 127.0.0.1, so named also listens on eth0 (192.168.73.173).
// Combined with allow-query { any; } and recursion yes below (and an INPUT chain that
// accepts everything), this is an open recursive resolver toward the external side.
// Restrict it, e.g. allow-recursion { 152.10.0.0/16; localhost; }; or
// listen-on port 53 { 127.0.0.1; 152.10.0.1; };
listen-on port 53 { localhost; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
// Recursion is required so LAN clients can resolve external names through this host.
recursion yes;
// Until these 3 lines were commented out, names still could not be resolved through this
// DNS server; I do not know what these 3 lines do.
// NOTE(review): they enable DNSSEC validation (dnssec-enable / dnssec-validation) and DLV
// lookaside. Leaving them off disables signature validation for every client, so the
// underlying failure (often a clock that is off, or an upstream path that breaks EDNS /
// large signed responses) is worth diagnosing rather than working around. The ISC DLV
// registry has since been retired, so dnssec-lookaside auto can stay disabled in any case.
// dnssec-enable yes;
// dnssec-validation yes;
// dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
// Root hints, used to start recursive lookups.
zone "." IN {
type hint;
file "named.ca";
};
// Authoritative zone for the LAN's domain-name (matches option domain-name in dhcpd).
// NOTE(review): no allow-transfer is set and BIND of this era allows zone transfers to
// anyone by default; add allow-transfer { none; }; (or the secondaries' addresses) unless
// the zone contents are meant to be public.
zone "server002.com." IN {
type master;
file "server002.com";
};
include "/etc/named.rfc1912.zones";
5、重启服务,客户机可以通过域名访问网站了
