SNAT with iptables

This is one of the easiest and reasonably efficient ways to set up SNAT with iptables, assuming we already know and understand what SNAT itself is.
The clearest way to see it is to try it directly. One prerequisite must be met first: the IP aliases have to be created beforehand. As an example, we will set up SNAT on the firewall machine with the following requirements:

  • One local IP address (192.168.71.10) is to be seen on the internet as IP address 97.158.253.26
  • One network address (192.168.71.0) is to be seen on the internet as IP address 97.158.253.29. This differs from masquerading.

Example snat.sh file:

#!/bin/sh
#---------------------------------------------------------------
# Load the NAT module
#
# Note: It is best to use the /etc/rc.local example in this
# chapter. This value will not be retained in the
# /etc/sysconfig/iptables file. Included only as a reminder.
#---------------------------------------------------------------

modprobe iptable_nat

#---------------------------------------------------------------
# Enable routing by modifying the ip_forward /proc filesystem file
#
# Note: It is best to use the /etc/sysctl.conf example in this
# chapter. This value will not be retained in the
# /etc/sysconfig/iptables file. Included only as a reminder.
#---------------------------------------------------------------

echo 1 > /proc/sys/net/ipv4/ip_forward

#---------------------------------------------------------------
# NAT ALL traffic:
#
###########
# REMEMBER to create aliases for all the internet IP addresses below
###########
#
# TO:             FROM:             MAP TO SERVER:
# 97.158.253.26   Anywhere          192.168.71.10   (1:1 NAT - Inbound)
# Anywhere        192.168.71.10     97.158.253.26   (1:1 NAT - Outbound)
# Anywhere        192.168.71.0/24   97.158.253.29   (FW IP)
#
# SNAT is used to NAT all other outbound connections initiated
# from the protected network to appear to come from
# IP address 97.158.253.29
#
# POSTROUTING:
# NATs source IP addresses. Frequently used to NAT connections from
# your home network to the Internet
#
# PREROUTING:
# NATs destination IP addresses. Frequently used to NAT
# connections from the Internet to your home network
#
# - Interface eth0 is the internet interface
# - Interface eth1 is the private network interface
#---------------------------------------------------------------

# PREROUTING statements for 1:1 NAT
# (Connections originating from the Internet)
iptables -t nat -A PREROUTING -d 97.158.253.26 -i eth0 -j DNAT --to-destination 192.168.71.10

# POSTROUTING statements for 1:1 NAT
# (Connections originating from the home network servers)
# This rule must come before the Many:1 rule below: 192.168.71.10 is also
# inside 192.168.71.0/24 and the first matching SNAT rule wins.
iptables -t nat -A POSTROUTING -s 192.168.71.10 -o eth0 -j SNAT --to-source 97.158.253.26

# POSTROUTING statements for Many:1 NAT
# (Connections originating from the entire home network)
iptables -t nat -A POSTROUTING -s 192.168.71.0/24 -o eth0 -j SNAT --to-source 97.158.253.29

# Allow forwarding to each of the servers configured for 1:1 NAT
# (For connections originating from the Internet. Notice how you
# use the real IP addresses here)
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.71.10 -m multiport --dport 80,443,22 \
    -m state --state NEW -j ACCEPT

# Allow forwarding for all New and Established SNAT connections
# originating on the home network AND already established
# DNAT connections
iptables -t filter -A FORWARD -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow forwarding for all 1:1 NAT connections originating on
# the Internet that have already passed through the NEW forwarding
# statements above
iptables -t filter -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

#############################################################
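The following is an added example; it is not part of the original post or of the snat.sh script above. It builds the same rule set from variables so it can be printed and reviewed before anything is applied, and it refuses to apply the rules while the public aliases the post lists as a prerequisite are not configured on eth0. The function names, the variable layout and the sample `ip -o -4 addr show` output are assumptions of this example; the addresses, interfaces and ports are the post's.

```shell
#!/bin/sh
# Added example (not from the original post): build the SNAT/DNAT rule set
# from variables, print it for review, and check that the public aliases
# the script relies on are actually configured before anything is applied.
# All function names are our own; the addresses and interfaces mirror the post.

WAN_IF="${WAN_IF:-eth0}"                   # internet-facing interface
LAN_IF="${LAN_IF:-eth1}"                   # private network interface
LAN_NET="${LAN_NET:-192.168.71.0/24}"      # whole home network (many:1 SNAT)
SERVER_INT="${SERVER_INT:-192.168.71.10}"  # host that gets the 1:1 mapping
SERVER_EXT="${SERVER_EXT:-97.158.253.26}"  # its public alias
FW_EXT="${FW_EXT:-97.158.253.29}"          # firewall's public address
SERVER_PORTS="${SERVER_PORTS:-80,443,22}"  # inbound ports allowed to the server

# Print the rules, one per line, without running them. Order matters:
# the 1:1 SNAT for $SERVER_INT must precede the many:1 rule, because
# $SERVER_INT is also inside $LAN_NET and the first matching SNAT wins.
snat_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -d $SERVER_EXT -j DNAT --to-destination $SERVER_INT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $SERVER_INT -j SNAT --to-source $SERVER_EXT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $FW_EXT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $SERVER_INT -p tcp -m multiport --dports $SERVER_PORTS -m state --state NEW -j ACCEPT
iptables -A FORWARD -o $WAN_IF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# has_alias IFACE ADDR IPADDR_OUTPUT
# Succeeds when ADDR is configured on IFACE according to the text of
# `ip -o -4 addr show` passed as the third argument (so it runs offline).
has_alias() {
  printf '%s\n' "$3" | grep "^[0-9]*: $1 " | grep -qF "inet $2/"
}

# missing_aliases IPADDR_OUTPUT
# Print each public address the rules need that is NOT yet on $WAN_IF.
missing_aliases() {
  for addr in $SERVER_EXT $FW_EXT; do
    has_alias "$WAN_IF" "$addr" "$1" || printf '%s\n' "$addr"
  done
}

# Apply for real: requires root, a reviewed `snat_rules` output, and no
# missing aliases. Kept as a function so sourcing this file changes nothing.
apply_rules() {
  missing="$(missing_aliases "$(ip -o -4 addr show)")"
  if [ -n "$missing" ]; then
    echo "refusing to apply: public alias(es) not configured on $WAN_IF: $missing" >&2
    return 1
  fi
  modprobe iptable_nat
  echo 1 > /proc/sys/net/ipv4/ip_forward
  snat_rules | sh -e
}

# Constructed sample of `ip -o -4 addr show` on a correctly prepared firewall
# (both aliases present). Used only for the offline checks below.
SAMPLE_READY='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 97.158.253.29/24 brd 97.158.253.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 97.158.253.26/24 brd 97.158.253.255 scope global secondary eth0\       valid_lft forever preferred_lft forever
3: eth1    inet 192.168.71.1/24 brd 192.168.71.255 scope global eth1\       valid_lft forever preferred_lft forever'

# Constructed sample of the same firewall before the 97.158.253.26 alias was added.
SAMPLE_NO_ALIAS='2: eth0    inet 97.158.253.29/24 brd 97.158.253.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet 192.168.71.1/24 brd 192.168.71.255 scope global eth1\       valid_lft forever preferred_lft forever'

if [ "${1:-}" = "--show" ]; then
  snat_rules
  echo "---"
  echo "missing on the sample without alias: $(missing_aliases "$SAMPLE_NO_ALIAS")"
fi
```

Run it as `sh snat-check.sh --show` to print the rules and the offline alias check, or source the file and call `apply_rules` as root once the printed rules look right. The check is deliberately done on text so it can be exercised without touching a live firewall; on the real machine `apply_rules` feeds it the output of `ip -o -4 addr show`.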

Hope this is useful.

One Response

  1. Mas.. this tutorial is useful for me.. any chance of opening a Q&A session?
