Differences

This shows you the differences between two versions of the page.

--- сервис_nat [2014/03/31 09:31]
val [Ubuntu (iptables)]
+++ сервис_nat [2024/04/23 14:00] (current)
val [nftables]
@@ Line 1: / Line 1: @@
 ====== Сервис NAT ======
+  * [[http://stackoff.ru/ip/|Определение внутреннего IP-адреса за NAT и VPN через WebRTC]]
 ===== Трансляция на основе адреса отправителя =====
-==== Ubuntu (iptables) ====
+==== Debian/Ubuntu (iptables) ====
 === Заполнение таблицы nat (eth1 - внешний интерфейс) ===
 <code>
-root@gate:~# apt-get install conntrack
+debian11# apt install iptables
+root@gate:~# apt install conntrack
 root@gate:~# cat nat.sh
@@ Line 26: / Line 29: @@
 root@gate:~# iptables -t nat -n -L -v --line-numbers
-root@gate:~# apt-get install netstat-nat
+root@gate:~# conntrack -L
-root@gate:~# netstat-nat -n
 </code>
-=== Сохранение состояния iptables ===
+=== Управление состоянием iptables ===
+== Вариант 1 ==
+== Сохранение состояния iptables ==
 <code>
 root@gate:~# iptables-save > /etc/iptables.rules
 </code>
-=== Восстановление состояния iptables ===
+== Восстановление состояния iptables ==
 <code>
 root@gate:~# iptables-restore < /etc/iptables.rules
 </code>
-=== Восстановление состояния iptables при загрузке ===
+== Восстановление состояния iptables при загрузке ==
 <code>
 root@gate:~# cat /etc/network/interfaces
@@ Line 52: / Line 57: @@
 </code>
+== Вариант 2 ==
+<code>
+# apt install iptables-persistent
+# netfilter-persistent save
+</code>
+==== nftables ====
+  * [[https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)|Performing Network Address Translation (NAT)]]
+  * https://wiki.debian.org/nftables
+<code>
+gate### apt install nftables
+gate# man nft
+gate# nft add table nat
+gate# nft 'add chain nat postrouting { type nat hook postrouting priority srcnat ; }'
+gate# nft add rule nat postrouting ip saddr 192.168.X.0/24 oif eth1 snat to 172.16.1.X
+gate# nft add rule nat postrouting ip saddr 192.168.100+X.0/24 oif eth1 snat to 172.16.1.X
+gate# nft list ruleset
+gate# nft flush ruleset
+gate# systemctl enable nftables.service --now
+gate# cat /etc/nftables.conf
+</code><code>
+...
+table ip nat {
+        chain postrouting {
+                type nat hook postrouting priority srcnat; policy accept;
+                ip saddr 192.168.100+X.0/24 oif "eth1" snat to 172.16.1.X
+        }
+}
+</code><code>
+gate# systemctl reload nftables.service
+</code>
+==== CentOS (firewalld) ====
+  * [[https://www.mjhall.org/centos-7-firewalld-nat-router.html|CentOS 7 firewalld NAT router]]
 ==== FreeBSD ====
@@ Line 67: / Line 118: @@
 pf_enable=yes
 </code><code>
-[gate:~] # /etc/rc.d/pf check
+[gate:~] # service pf check
-[gate:~] # /etc/rc.d/pf start
+[gate:~] # service pf start
 [gate:~] # pfctl -vs nat
@@ Line 76: / Line 127: @@
 ===== Трансляция портов сервисов =====
-==== Ubuntu (iptables) ====
+==== Debian/Ubuntu (iptables) ====
 <code>
@@ Line 89: / Line 140: @@
 iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 2222 -j DNAT --to-destination 192.168.X.10:22
-#iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 25 -j DNAT --to-destination 192.168.X.10:25
 iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 53 -j DNAT --to-destination 192.168.X.10:53
 iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p udp --dport 53 -j DNAT --to-destination 192.168.X.10:53
-iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 80 -j DNAT --to-destination 192.168.X.10:80
+#iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 25 -j DNAT --to-destination 192.168.X.10:25
-iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 143 -j DNAT --to-destination 192.168.X.10:143
+#iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 465 -j DNAT --to-destination 192.168.X.10:465
+#iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 587 -j DNAT --to-destination 192.168.X.10:587
+#iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 143 -j DNAT --to-destination 192.168.X.10:143
+#iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 80 -j DNAT --to-destination 192.168.X.10:80
+#iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 5222 -j DNAT --to-destination 192.168.X.10:5222
 #iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p udp --dport 5060 -j DNAT --to-destination 192.168.X.10:5060
+#iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p tcp --dport 5061 -j DNAT --to-destination 192.168.X.10:5061
 #iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p udp -m multiport --dport 10000:20000 -j DNAT --to-destination 192.168.X.10
 #iptables -t nat -A PREROUTING -i eth1 --destination 172.16.1.X -p udp --dport 4569 -j DNAT --to-destination 192.168.X.10:4569
@@ Line 113: / Line 169: @@
 ext_if="em1"
 corp_net="192.168.X/24"
-pppoe_corp_net="192.168.100+X/24"
+#pppoe_corp_net="192.168.100+X/24"
 ssh_server="192.168.X.10"
@@ Line 146: / Line 202: @@
 [gate:/etc] # /etc/rc.d/pf reload
 </code>
+===== Поддержка протоколов приложений =====
+==== tftp ====
+  * [[https://unix.stackexchange.com/questions/579508/iptables-rules-to-forward-tftp-via-nat|iptables rules to forward tftp via NAT]]
 ===== Мониторинг соединений =====
@@ Line 170: / Line 233: @@
 [gate:~] # pfctl -F state
 </code>
 ===== Дополнительные материалы =====

Методические материалы Лохтурова Вячеслава

User Tools

Site Tools

Differences

Page Tools