内网的server 为HTTP,IP:10.0.0.85 linux防火墙FW有两个网卡,etho 192.168.122.11连接外网,eth1 10.0.0.250连接外网,拓扑如下:
在server上添加一条默认路由:
- [root@vm1 ~]# route add default gw 10.0.0.250
- 开启HTTP 注意将不用的网卡down掉
- ifconfig eth1(lo) down
FW临时添加网卡eth1:
- [root@vm1 ~]# ifconfig eth0 10.0.0.250 netmask 255.255.255.0 up
FW上开启内核IP转发:
- [root@vm1 ~]# cat /etc/sysctl.conf
- net.ipv4.ip_forward = 1
- [root@vm1 ~]# sysctl -p
- [root@vm1 ~]# iptables -F -t nat
- [root@vm1 ~]# iptables -X -t nat
- [root@vm1 ~]# iptables -Z -t nat
- [root@vm1 ~]# iptables -t nat -P PREROUTING ACCEPT
- [root@vm1 ~]# iptables -t nat -P POSTROUTING ACCEPT
- [root@vm1 ~]# iptables -t nat -P OUTPUT ACCEPT
- [root@vm1 ~]# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.85
- [root@vm1 ~]# /etc/init.d/iptables save 保存
- iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
- [root@vm1 ~]# /etc/init.d/iptables restart 重启
- [root@vm1 ~]# /etc/init.d/httpd start 开启HTTP
- Starting httpd:
这样在外网的92.168.122.1就可以通过访问192.168.122.11去访问WEB server了
如果是FTP SERVER那么还得做个SNAT,如:
- [root@vm1 ~]# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.122.1
- [root@vm1 ~]# modprobe nf-nat-ftp
本文转自 369蓝宝 51CTO博客,原文链接:http://blog.51cto.com/3739387/1157971,如需转载请自行联系原作者
