飘零的代码 piao2010 ’s blog

在学校用了两年多的代理上网（Linux+OpenVPN+Squid），由于代理服务器（个人猜测应该是位于校园网DMZ）和寝室属于不同网络，一直没办法实现NAT方式上网。下午尝试着在VPN接入服务器的基础上进行NAT测试，但是失败了，如果在正常的网络环境中应该是比较容易实现的。以下部分开始转载：（根据自己的理解添加了中文注释）

This tutorial shows how to set up network-address-translation (NAT) on a Linux system with iptables rules so that the system can act as a gateway and provide internet access to multiple hosts on a local network using a single public IP address. This is achieved by rewriting the source and/or destination addresses of IP packets as they pass through the NAT system.

Requirements:
CPU - PII or more
OS - Any Linux distribution
Software - Iptables
Network Interface Cards: 2 #需要双网卡，我这里以VPN的tun0当其中的内网网卡，不过失败了。

Here is my considerations:

Replace xx.xx.xx.xx with your WAN IP#公网IP

Replace yy.yy.yy.yy with your LAN IP#内网IP

(i.e. 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 as suggested by Mr. tzs)

WAN = eth0 with public IP xx.xx.xx.xx
LAN = eth1 with private IP yy.yy.yy.yy/ 255.255.0.0

Step by Step Procedure
Step #1. Add 2 Network cards to the Linux box

Step #2. Verify the Network cards, Wether they installed properly or not

ls /etc/sysconfig/network-scripts/ifcfg-eth* | wc -l

( The output should be “2″)

Step #3. Configure eth0 for Internet with a Public ( IP External network or Internet)

cat /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
BOOTPROTO=none
BROADCAST=xx.xx.xx.255 # Optional Entry
HWADDR=00:50:BA:88:72:D4 # Optional Entry
IPADDR=xx.xx.xx.xx
NETMASK=255.255.255.0 # Provided by the ISP
NETWORK=xx.xx.xx.0 # Optional
ONBOOT=yes
TYPE=Ethernet
USERCTL=no
IPV6INIT=no
PEERDNS=yes
GATEWAY=xx.xx.xx.1 # Provided by the ISP

Step #4. Configure eth1 for LAN with a Private IP (Internal private network)

cat /etc/sysconfig/network-scripts/ifcfg-eth1

BOOTPROTO=none
PEERDNS=yes
HWADDR=00:50:8B:CF:9C:05 # Optional
TYPE=Ethernet
IPV6INIT=no
DEVICE=eth1
NETMASK=255.255.0.0 # Specify based on your requirement
BROADCAST=”"
IPADDR=192.168.2.1 # Gateway of the LAN
NETWORK=192.168.0.0 # Optional
USERCTL=no
ONBOOT=yes

Step #5. Host Configuration (Optional)#这步是多余的，直接跳过

cat /etc/hosts

127.0.0.1 nat localhost.localdomain localhost

Step #6. Gateway Configuration

cat /etc/sysconfig/network

NETWORKING=yes
HOSTNAME=nat
GATEWAY=xx.xx.xx.1 # Internet Gateway, provided by the ISP

Step #7. DNS Configuration

cat /etc/resolv.conf

nameserver 203.145.184.13 # Primary DNS Server provided by the ISP
nameserver 202.56.250.5 # Secondary DNS Server provided by the ISP

Step #8. NAT configuration with IP Tables

# Delete and flush. Default table is “filter”. Others like “nat” must be explicitly stated.

iptables –flush # Flush all the rules in filter and nat tables#如果本身有需要的filter表规则就不要清空了。

iptables –table nat –flush

iptables –delete-chain

# Delete all chains that are not in default filter and nat table

iptables –table nat –delete-chain

# Set up IP FORWARDing and Masquerading

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE #最关键的步骤，实现SNAT

iptables -A FORWARD -i eth1 -j ACCEPT#允许来自eth1的数据转发
# Enables packet forwarding by kernel

echo 1 > /proc/sys/net/ipv4/ip_forward#这个只是临时有效，永久配置应该在/etc/sysctl.conf中实现

#Apply the configuration

service iptables restart

Step #9. Testing

# Ping the Gateway of the network from client system

ping 192.168.2.1

Try it on your client systems

ping google.com

Configuring PCs on the network (Clients)
? All PC’s on the private office network should set their “gateway” to be the local private network IP address of the Linux gateway computer.
? The DNS should be set to that of the ISP on the internet.
Windows ‘95, 2000, XP, Configuration:

? Select “Start” + Settings” + “Control Panel”
? Select the “Network” icon
? Select the tab “Configuration” and double click the component “TCP/IP” for the ethernet card. (NOT the TCP/IP -> Dial-Up Adapter)
? Select the tabs:
o “Gateway”: Use the internal network IP address of the Linux box. (192.168.2.1)
o “DNS Configuration”: Use the IP addresses of the ISP Domain Name Servers. (Actual internet IP address)
o “IP Address”: The IP address (192.168.XXX.XXX - static) and netmask (typically 255.255.0.0 for a small local office network) of the PC can also be set here.

相关日志

• 用chkconfig管理Init脚本 (4)
• 基于Postfix+sasl+courier-imap+courier-authlib+clamav+slockd+amavisd邮件系统配置安装笔记(一) (3)
• 基于Linux的Subversion配置 (0)
• 什么是运维工程师？ (3)
• 下一代的入侵检测关键技术分析 (0)

Tags: iptables, Linux, nat

This entry was posted on 星期日, 1月 10th, 2010 at 19:25 and is filed under Linux. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.