сервис_nat [2014/09/11 16:04] val [Сервис NAT] |
сервис_nat [2024/04/23 13:15] val [nftables] |
Line 4: | Line 4: | ||
===== Трансляция на основе адреса отправителя ===== | ===== Трансляция на основе адреса отправителя ===== | ||
- | ==== Ubuntu (iptables) ==== | + | ==== Debian/Ubuntu (iptables) ==== |
=== Заполнение таблицы nat (eth1 - внешний интерфейс) === | === Заполнение таблицы nat (eth1 - внешний интерфейс) === | ||
<code> | <code> | ||
- | root@gate:~# apt-get install conntrack | + | debian11# apt install iptables |
+ | |||
+ | root@gate:~# apt install conntrack | ||
root@gate:~# cat nat.sh | root@gate:~# cat nat.sh | ||
Line 27: | Line 29: | ||
root@gate:~# iptables -t nat -n -L -v --line-numbers | root@gate:~# iptables -t nat -n -L -v --line-numbers | ||
- | root@gate:~# apt-get install netstat-nat | + | root@gate:~# conntrack -L |
- | + | ||
- | root@gate:~# netstat-nat -n | + | |
</code> | </code> | ||
- | === Сохранение состояния iptables === | + | === Управление состоянием iptables === |
+ | |||
+ | == Вариант 1 == | ||
+ | |||
+ | == Сохранение состояния iptables == | ||
<code> | <code> | ||
root@gate:~# iptables-save > /etc/iptables.rules | root@gate:~# iptables-save > /etc/iptables.rules | ||
</code> | </code> | ||
- | === Восстановление состояния iptables === | + | == Восстановление состояния iptables == |
<code> | <code> | ||
root@gate:~# iptables-restore < /etc/iptables.rules | root@gate:~# iptables-restore < /etc/iptables.rules | ||
</code> | </code> | ||
- | === Восстановление состояния iptables при загрузке === | + | == Восстановление состояния iptables при загрузке == |
<code> | <code> | ||
root@gate:~# cat /etc/network/interfaces | root@gate:~# cat /etc/network/interfaces | ||
Line 53: | Line 57: | ||
</code> | </code> | ||
+ | == Вариант 2 == | ||
+ | <code> | ||
+ | # apt install iptables-persistent | ||
+ | |||
+ | # netfilter-persistent save | ||
+ | </code> | ||
+ | |||
+ | ==== nftables ==== | ||
+ | |||
+ | * [[https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)|Performing Network Address Translation (NAT)]] | ||
+ | * https://wiki.debian.org/nftables | ||
+ | |||
+ | <code> | ||
+ | gate### apt install nftables | ||
+ | |||
+ | gate# nft add table nat | ||
+ | |||
+ | gate# nft add rule nat postrouting ip saddr 192.168.X.0/24 oif eth1 snat to 172.16.1.254 | ||
+ | |||
+ | gate# nft list ruleset | ||
+ | |||
+ | gate# file /etc/nftables.conf | ||
+ | |||
+ | gate# systemctl enable nftables.service | ||
+ | </code> | ||
+ | |||
+ | ==== CentOS (firewalld) ==== | ||
+ | |||
+ | * [[https://www.mjhall.org/centos-7-firewalld-nat-router.html|CentOS 7 firewalld NAT router]] | ||
==== FreeBSD ==== | ==== FreeBSD ==== | ||
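Review bot: The nftables sequence on the new side creates the table (`nft add table nat`) but never creates the `postrouting` chain, so the next command `nft add rule nat postrouting ...` fails because the rule references a chain that does not exist; a line such as `gate# nft add chain nat postrouting '{ type nat hook postrouting priority 100; }'` belongs between the two. The ruleset is also never written to disk: `file /etc/nftables.conf` only prints the file type, and `systemctl enable nftables.service` will load whatever the packaged `/etc/nftables.conf` contains (on Debian that starts with `flush ruleset`, per the linked wiki), so the SNAT rule is lost on reboot unless `gate# nft list ruleset > /etc/nftables.conf` is run first. Worth a one-line caveat that on Debian 11 the `iptables` package from the section above is the nft-backed variant, so iptables-persistent and a native nftables ruleset on the same gate produce two independent NAT tables, and the page should tell the reader to pick one mechanism.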
Line 68: | Line 101: | ||
pf_enable=yes | pf_enable=yes | ||
</code><code> | </code><code> | ||
- | [gate:~] # /etc/rc.d/pf check | + | [gate:~] # service pf check |
- | [gate:~] # /etc/rc.d/pf start | + | [gate:~] # service pf start |
[gate:~] # pfctl -vs nat | [gate:~] # pfctl -vs nat | ||
Line 77: | Line 110: | ||
===== Трансляция портов сервисов ===== | ===== Трансляция портов сервисов ===== | ||
- | ==== Ubuntu (iptables) ==== | + | ==== Debian/Ubuntu (iptables) ==== |
<code> | <code> | ||
Line 90: | Line 123: | ||
iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 2222 -j DNAT --to-destination 192.168.X.10:22 | iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 2222 -j DNAT --to-destination 192.168.X.10:22 | ||
- | #iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 25 -j DNAT --to-destination 192.168.X.10:25 | ||
iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 53 -j DNAT --to-destination 192.168.X.10:53 | iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 53 -j DNAT --to-destination 192.168.X.10:53 | ||
iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p udp --dport 53 -j DNAT --to-destination 192.168.X.10:53 | iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p udp --dport 53 -j DNAT --to-destination 192.168.X.10:53 | ||
- | iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 80 -j DNAT --to-destination 192.168.X.10:80 | + | #iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 25 -j DNAT --to-destination 192.168.X.10:25 |
- | iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 143 -j DNAT --to-destination 192.168.X.10:143 | + | #iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 465 -j DNAT --to-destination 192.168.X.10:465 |
+ | #iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 587 -j DNAT --to-destination 192.168.X.10:587 | ||
+ | #iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 143 -j DNAT --to-destination 192.168.X.10:143 | ||
+ | #iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 80 -j DNAT --to-destination 192.168.X.10:80 | ||
+ | #iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 5222 -j DNAT --to-destination 192.168.X.10:5222 | ||
- | #iptables -t nat -A PREROUTING -p tcp -s 192.168.100+X.0/24 --dport 80 -j REDIRECT --to-port 3128 | ||
#iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p udp --dport 5060 -j DNAT --to-destination 192.168.X.10:5060 | #iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p udp --dport 5060 -j DNAT --to-destination 192.168.X.10:5060 | ||
+ | #iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 5061 -j DNAT --to-destination 192.168.X.10:5061 | ||
#iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p udp -m multiport --dport 10000:20000 -j DNAT --to-destination 192.168.X.10 | #iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p udp -m multiport --dport 10000:20000 -j DNAT --to-destination 192.168.X.10 | ||
#iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p udp --dport 4569 -j DNAT --to-destination 192.168.X.10:4569 | #iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p udp --dport 4569 -j DNAT --to-destination 192.168.X.10:4569 | ||
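Review bot: Every DNAT line added here (465, 587, 143, 80, 5222, 5061) matches any source address on eth1, and the nat table cannot filter, so uncommenting one of them exposes the corresponding service on 192.168.X.10 to the whole external network unless the FORWARD chain, which is not in this hunk, restricts it; the page should state that each enabled forward needs a matching filter rule, e.g. `iptables -A FORWARD -i eth1 -d 192.168.X.10 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT` together with an `ESTABLISHED,RELATED` rule and a `DROP` policy, rather than relying on the default `ACCEPT` policy. The same applies to the unchanged 2222->22 and 53 tcp/udp forwards: publishing an internal DNS server on the external interface turns it into an open resolver usable for amplification if it performs recursion, so a comment limiting the DNS forward to authoritative use or to known sources (`-s`) would help. The nat.sh script this hunk belongs to starts before the hunk, so the FORWARD configuration may exist there but cannot be checked from this view.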
Line 116: | Line 152: | ||
ext_if="em1" | ext_if="em1" | ||
corp_net="192.168.X/24" | corp_net="192.168.X/24" | ||
- | pppoe_corp_net="192.168.100+X/24" | + | #pppoe_corp_net="192.168.100+X/24" |
ssh_server="192.168.X.10" | ssh_server="192.168.X.10" | ||
Line 149: | Line 185: | ||
[gate:/etc] # /etc/rc.d/pf reload | [gate:/etc] # /etc/rc.d/pf reload | ||
</code> | </code> | ||
+ | |||
+ | ===== Поддержка протоколов приложений ===== | ||
+ | |||
+ | ==== tftp ==== | ||
+ | |||
+ | * [[https://unix.stackexchange.com/questions/579508/iptables-rules-to-forward-tftp-via-nat|iptables rules to forward tftp via NAT]] | ||
+ | |||
===== Мониторинг соединений ===== | ===== Мониторинг соединений ===== | ||
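Review bot: The new tftp subsection is only a link to a helper-based approach; it should mention that on current kernels (4.7 and later) automatic conntrack helper assignment is disabled (`nf_conntrack_helper=0`), so simply loading `nf_nat_tftp` is not sufficient and the helper must be bound explicitly, e.g. `iptables -t raw -A PREROUTING -i eth0 -p udp --dport 69 -j CT --helper tftp`, limited to the interface and port where tftp is expected. Re-enabling automatic assignment via sysctl should be discouraged because it attaches helpers to any flow on the helper's port regardless of direction, which is the reason the default was changed.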
Line 173: | Line 216: | ||
[gate:~] # pfctl -F state | [gate:~] # pfctl -F state | ||
</code> | </code> | ||
+ | |||
+ | |||
+ | |||
===== Дополнительные материалы ===== | ===== Дополнительные материалы ===== | ||