Table of contents
2. Deployment design of the SNAT experiment
3. Specific experimental steps
Step 1: Prepare the virtual machine settings before the experiment
① Add a network card and modify the VMnet assignment
② Configure ens33 as the intranet network card of the gateway server
③ Configure the newly added network card ens36 (use whichever name the new card gets)
② Install the httpd service and start it
Step 2: Enable IP forwarding on the gateway server
Use the Firefox browser on Linux to access the web server directly by IP:
Step 4: SNAT source address translation
Step 5: Visit again and check the web server log
SNAT, source network address translation, rewrites the source address of traffic leaving the internal network: when an internal host accesses the outside, the private IP address that initiated the connection is replaced by a specified public IP address (specific services, and the corresponding port or port range, can also be specified). This lets hosts that use reserved (private) addresses on the internal network reach the external network; in other words, many internal hosts can share one valid public IP address.
In a real environment, a private network can forward packets to a server with a public IP address through routing, but the server with the public address cannot return the reply packets to a user with a private address, because private addresses are not routable on the public network. A device is therefore needed between the two: a gateway server placed between the private network and the public network, which processes the packets passing between them so that a connection can be established between the private IP and the public IP.
SNAT source address translation process:
- When a packet is sent from the intranet to the public network, SNAT rewrites the packet's source address from the private IP to the public IP
- When the corresponding reply packet comes back from the public network to the intranet, its destination address is rewritten from the public IP back to the private IP
- When several intranet hosts access the external network, SNAT assigns ports automatically during translation, and the different intranet hosts are told apart by port number
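The three bullets above describe one translation table with two lookups. The following is an added example, not code from the original post: a small Python model of that table. It uses the experiment's addresses (192.168.73.0/24 for the intranet, 12.0.0.254 as the gateway's public address); the web server address 12.0.0.1, the port range and the packet representation are assumptions made for the example. Like netfilter, it keeps the original source port when that port is still free on the public address and only picks a new one when two LAN hosts would otherwise collide.

```python
"""Toy model of an SNAT translation table (added example, not from the post)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTRANET = ip_network("192.168.73.0/24")   # from the experiment
PUBLIC_IP = "12.0.0.254"                    # gateway's public address (ens36)
WEB_SERVER = "12.0.0.1"                     # assumed address of the web server


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class SnatGateway:
    """Rewrites outbound source addresses and reverses the mapping inbound."""

    def __init__(self, public_ip=PUBLIC_IP, port_range=(1024, 65535)):
        self.public_ip = public_ip
        self._low, self._high = port_range
        self.outbound = {}   # (private ip, private port) -> public port
        self.inbound = {}    # public port -> (private ip, private port)

    def _choose_port(self, wanted):
        # Keep the client's own source port if no other mapping uses it;
        # otherwise allocate a free one so two LAN hosts stay distinguishable.
        if wanted not in self.inbound:
            return wanted
        for port in range(self._low, self._high + 1):
            if port not in self.inbound:
                return port
        raise RuntimeError("no free ports on the public address")

    def translate_outbound(self, pkt):
        """LAN -> public: rewrite the source, creating a mapping on first use."""
        if ip_address(pkt.src_ip) not in INTRANET:
            return pkt   # rule does not match (-s 192.168.73.0/24): forward unchanged
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            port = self._choose_port(pkt.src_port)
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt):
        """public -> LAN: reverse the mapping; unknown connections are dropped."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.inbound:
            return None
        priv_ip, priv_port = self.inbound[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def demo():
    """Two LAN clients that happen to use the same source port reach the web server."""
    gw = SnatGateway()
    a = gw.translate_outbound(Packet("192.168.73.10", 40000, WEB_SERVER, 80))
    b = gw.translate_outbound(Packet("192.168.73.11", 40000, WEB_SERVER, 80))
    reply_b = gw.translate_inbound(Packet(WEB_SERVER, 80, PUBLIC_IP, b.src_port))
    return a, b, reply_b


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Both outbound packets leave with source 12.0.0.254, so the web server cannot tell the two clients apart by address; only the gateway's mapping (on a real system, the conntrack table) knows which public port belongs to which LAN host.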
2. Deployment design of the SNAT experiment
Use an SNAT policy so that the client IP on the LAN is rewritten to the external IP of the gateway server, and then access the http service on the web server
3. Specific experimental steps
Step 1: Prepare the virtual machine settings before the experiment
Here I have prepared three virtual machines, used in turn as the client, the web server and the gateway server
1) Gateway server settings
① Add a network card and modify the VMnet assignment
② Configure ens33 as the intranet network card of the gateway server
③ Configure the newly added network card ens36 (use whichever name the new card gets)
cp ifcfg-ens33 ifcfg-ens36
After the above operations are completed, restart the network service so the new card configuration takes effect
2) Client settings (the client is simulated by a virtual machine)
3) Web server settings
① Configure the network card
② Install the httpd service and start it
yum install -y httpd
systemctl restart httpd
Step 2: Enable IP forwarding on the gateway server
# Enable permanently
vim /etc/sysctl.conf
net.ipv4.ip_forward=1    # add this line to the file
sysctl -p
# Enable temporarily (lost on reboot)
echo 1 > /proc/sys/net/ipv4/ip_forward
or
sysctl -w net.ipv4.ip_forward=1
Step 3: Turn off the firewall and SELinux, then have the client access the httpd service on the web server for the first time
Use the Firefox browser on Linux to access the web server directly by IP:
View the http access log on the web server:
# follow the httpd access log as visitors hit the service
tail -f /var/log/httpd/access_log
This is an intranet and external network environment simulated with virtual machines, which differs somewhat from a real environment. In a real environment, the private network IP would not leave access traces on the public network server
At the same time, the final goal of the experiment has not yet been reached; SNAT source address translation is still required
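The log check above is the point where the effect of SNAT becomes visible: before the rule, the access log records the clients' private addresses; after it, every request appears to come from the gateway's public address. As an added example (not part of the original post), the Python below parses a few constructed Apache-format log lines and classifies each recorded client address as a private-range address, the gateway's translated address, or something else. The addresses follow the experiment; the log lines, timestamps and request paths are constructed for the example.

```python
"""Classify client addresses recorded in an httpd access log (added example)."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

INTRANET = ip_network("192.168.73.0/24")        # from the experiment
GATEWAY_PUBLIC_IP = ip_address("12.0.0.254")    # SNAT --to address

# Apache "combined" format: client ip, ident, user, [time], "request", status, bytes, referer, agent
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: two requests before SNAT, two after, one malformed line.
SAMPLE_LOG = """\
192.168.73.10 - - [10/Oct/2023:10:00:01 +0800] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.168.73.11 - - [10/Oct/2023:10:00:02 +0800] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
12.0.0.254 - - [10/Oct/2023:10:05:01 +0800] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
12.0.0.254 - - [10/Oct/2023:10:05:02 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
this line is garbage and must not crash the parser
"""


def parse_line(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(ip_text):
    """Tell where a recorded client address sits relative to the SNAT setup."""
    try:
        ip = ip_address(ip_text)
    except ValueError:
        return "unparsed"
    if ip in INTRANET:
        return "private-leak"   # LAN address reached the server untranslated
    if ip == GATEWAY_PUBLIC_IP:
        return "snat"           # request arrived via the gateway's public address
    return "other"


def summarize(log_text):
    """Count log lines per class; unparsable lines are counted, not dropped silently."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        counts[classify(rec["ip"])] += 1
    return dict(counts)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Once every request is logged as 12.0.0.254, the web server's log alone can no longer attribute a request to a particular LAN client; that attribution has to come from the gateway, whose connection-tracking table holds the private address and port behind each translated connection (for example via `conntrack -L` from conntrack-tools).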
Step 4: SNAT source address translation
# rewrite the source of packets from 192.168.73.0/24 that leave through ens36 to 12.0.0.254
[root@localhost ~]# iptables -t nat -A POSTROUTING -s 192.168.73.0/24 -o ens36 -j SNAT --to 12.0.0.254